IAM Password policy should prevent password reuse (TF-AWS037) ・ Terraform

Unencrypted storage bucket foundTF-GCP002

Legacy `ABAC` permissions are enabledTF-GCP005

Potentially sensitive data stored in block attributeTF-GEN003

Invalid AWS S3 bucket regionTF-L0052

Invalid AWS DB instance typeTF-L0006

Ensure all Cloud SQL database instance requires all incoming connections to use SSLTF-S2006

Ensure that Cloud SQL database instances are not open to the worldTF-S2011

Azure instance is using basic authenticationTF-S1001

Azure AKS is not using RBACTF-S1005

Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suitesTF-S2004

Kubernetes Engine Cluster authentication missing client certificateTF-S2013

Kubernetes Engine Cluster missing Network PolicyTF-S2012

Ensure Google compute firewall ingress does not allow unrestricted ssh accessTF-S2002

Ensure Google compute firewall ingress does not allow unrestricted RDP accessTF-S2003

Ensure Legacy Authorization is set to Disabled on Kubernetes Engine ClustersTF-S2007

Exposed BigQuery datasetsTF-S2015

Found usage of RSASHA1 for the zone-signing and key-signing keys in Cloud DNS DNSSECTF-S2017

Detected password authentication instead of `SSH` keysTF-AZU005

Unencrypted data lake store foundTF-AZU004

Potentially sensitive data stored in `default` value of variableTF-GEN001

Potentially sensitive data stored in local valueTF-GEN002

Deprecated interpolationTF-L0037

Use of default AWS DB parameter groupTF-L0034

Use of an old generation AWS elasticache cluster node typeTF-L0035

Use of default AWS elasticache parameter groupTF-L0036

Legacy dot index syntaxTF-L0038

Unused declarationTF-L0039

Missing routing target in `aws_route` resourceTF-L0030

Use of previous generation AWS instance typeTF-L0032

Cloud DNS has DNSSEC disabledTF-S2016

Ensure 'Automatic node repair' is enabled for Kubernetes ClustersTF-S2009

AKS API server does not define authorized IP rangesTF-S1006

Unencrypted Azure managed disk foundTF-S1002

`supportsHttpsTrafficOnly` is not set to `true`TF-S1003

AKS logging is not configured with Azure MonitoringTF-S1004

Cloud SQL database found with backup configuration disabledTF-S2014

An inbound firewall rule allows traffic from `/0`TF-GCP003

Invalid AWS MQ broker engine typeTF-L0050

Load balancer is exposed to the internetTF-AWS005

An outdated SSL policy is in use by a load balancerTF-AWS010

A resource is marked as publicly accessibleTF-AWS011

Unencrypted SQS queueTF-AWS015

Use of plain `HTTP`TF-AWS004

Unencrypted managed disk detectedTF-AZU003

AWS instance with invalid AMI IDTF-L0015

AWS launch configuration with invalid AMI IDTF-L0021

Invalid `excess_capacity_termination_policy`TF-L0053

Unrestricted RDP accessTF-S1009

Invalid AWS Load Banancer subnet IDTF-L0002

Invalid AWS DB subnet group nameTF-L0003

Invalid ACL value for AWS S3 bucketTF-L0051

Module doesn't comply with Terraform Standard Module StructureTF-L0048

Invalid AWS Application Load Balancer security groupTF-L0001

Invalid `ParameterGroupName` for AWS DB instanceTF-L0005

Route definition has multiple routing targetsTF-L0031

Unrestricted access to Kubernetes dashboardTF-S1008

Unrestricted SSH accessTF-S1010

SQL Databases allows ingress from `0.0.0.0/0`TF-S1011

Unprotected AKS cluster detectedTF-S1007

Standard pricing tier is not selectedTF-S1019

App Service Authentication is not enabled on Azure App ServiceTF-S1013

Register with Azure Active Directory is not enabled on Azure App ServiceTF-S1016

Security contact phone number not setTF-S1020

Send email notification for high severity alerts is disabledTF-S1021

Incoming client certificates are disabledTF-S1017

HTTP version being used is outdatedTF-S1018

Web application does not redirect all HTTP traffic to HTTPS in Azure App ServiceTF-S1014

Web application is not using TLS 1.2 on Azure App ServiceTF-S1015

Send email notification for high severity alerts to administrator is disabledTF-S1022

'Auditing' is not 'Enabled' for SQL serversTF-S1023

An ingress security group rule allows traffic from `/0`TF-AWS006

An egress security group rule allows traffic to `/0`TF-AWS007

An inline ingress security group rule allows traffic from `/0`TF-AWS008

An inline egress security group rule allows traffic to `/0`TF-AWS009

Task definition defines sensitive environment variable(s)TF-AWS013

Launch configuration with unencrypted block deviceTF-AWS014

Unencrypted SNS topicTF-AWS016

Unencrypted S3 bucketTF-AWS017

Missing description for security group/security group ruleTF-AWS018

An inbound network security rule allows traffic from `/0`TF-AZU001

S3 Bucket does not have logging enabledTF-AWS002

AWS Classic resource usageTF-AWS003

Unencrypted compute disk foundTF-GCP001

An outbound firewall rule allows traffic to `/0`TF-GCP004

An outbound network security rule allows traffic from /0TF-AZU002

S3 Bucket has an ACL defined which allows public accessTF-AWS001

Elasticsearch domain endpoint is using outdated TLS policyTF-AWS034

EKS should have the encryption of secrets enabledTF-AWS066

S3 Access block should block public ACLTF-AWS074

AWS IAM policy document has wildcard action statementTF-AWS046

A resource has a public IP addressTF-AWS012

A KMS key is not configured to auto-rotateTF-AWS019

ECR repository has image scans disabledTF-AWS023

API Gateway domain name uses outdated SSL/TLS protocolsTF-AWS025

Elasticsearch domain isn't encrypted at restTF-AWS031

Elasticsearch doesn't enforce HTTPS trafficTF-AWS033

Unencrypted Elasticache Replication GroupTF-AWS035

IAM Password policy should have requirement for at least one lowercase characterTF-AWS042

AWS SQS policy document has wildcard action statementTF-AWS047

RDS encryption has not been enabled at a database Instance levelTF-AWS052

Encryption for RDS Performance Insights should be enabledTF-AWS053

ElasticSearch nodes should communicate with node to node encryption enabledTF-AWS055

Ensure that lambda function permission has a source arn specifiedTF-AWS058

API Gateway stages for V1 and V2 should have access logging enabledTF-AWS061

User data for EC2 instances must not contain sensitive AWS keysTF-AWS062

CloudTrail should be encrypted at rest to secure access to sensitive trail dataTF-AWS065

`aws_instance` resource should activate session tokens for Instance Metadata ServiceTF-AWS079

EKS Clusters should have cluster control plane logging turned onTF-AWS067

Viewer Protocol Policy in CloudFront Distribution Cache should always be set to HTTPSTF-AWS072

S3 Access block should block public policyTF-AWS076

CodeBuild Project artifacts encryption should not be disabledTF-AWS080

Amazon DynamoDB Accelerator Cluster should always encrypt data at restTF-AWS081

Use of previous generation AWS database instanceTF-L0033

Detected a git or mercurial repository as a module source without pinning to a versionTF-L0044

Audit: `terraform.workspace` used with a `remote` backend with remote executionTF-L0049

There is no encryption specified or encryption is disabled on the RDS ClusterTF-AWS051

Athena databases and workgroup configurations are created unencrypted at rest by default, they should be encryptedTF-AWS059

IAM Password policy should have expiry less than or equal to 90 daysTF-AWS038

IAM Password policy should have requirement for at least one symbol in the passwordTF-AWS040

IAM Password policy should have requirement for at least one number in the passwordTF-AWS041

An ingress Network ACL rule allows specific ports from `/0`TF-AWS049

ElasticSearch domains should enforce HTTPSTF-AWS054

Domain logging should be enabled for ElasticSearch domainsTF-AWS057

Athena workgroups should enforce configuration to prevent client disabling encryptionTF-AWS060

CloudTrail should be enabled in all regions, regardless of where your AWS resources are generally locatedTF-AWS063

EKS Clusters should have the public access disabledTF-AWS069

AWS ElasticSearch Domain should have logging enabledTF-AWS070

CloudFront distribution should have Access Logging configuredTF-AWS071

S3 Access Block should Ignore Public ACLTF-AWS073

S3 Access block should restrict public bucket to limit accessTF-AWS075

S3 Data should be versionedTF-AWS077

ECR images tags shouldn't be mutableTF-AWS078

Invalid AWS DB `OptionGroupName`TF-L0004

Invalid AWS VPC Security GroupTF-L0007

`terraform` declarations without `require_version`TF-L0046

Provider doesn't have version constraintTF-L0047

CloudFront distribution allows unencrypted (HTTP) communicationsTF-AWS020

CloudFront distribution uses outdated SSL/TLS protocolsTF-AWS021

A MSK cluster allows unencrypted data in transitTF-AWS022

Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine ClustersTF-S2001

Ensure 'Automatic node upgrade' is enabled for Kubernetes ClustersTF-S2010

Kinesis stream is unencryptedTF-AWS024

CloudFront distribution does not have a WAF in frontTF-AWS045

EFS Encryption has not been enabledTF-AWS048

CloudTrail log validation should be enabled to prevent tampering of log dataTF-AWS064

EKS cluster should not have open CIDR range for public accessTF-AWS068

Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine ClustersTF-S2008

Elasticsearch domain uses plaintext traffic for node to node communicationTF-AWS032

AWS provider has access credentials specifiedTF-AWS044

Elasticache Replication Group uses unencrypted trafficTF-AWS036

IAM Password policy should have minimum password length of 14 or more charactersTF-AWS039

IAM Password policy should have requirement for at least one uppercase characterTF-AWS043

An ingress Network ACL rule allows ALL ports from `/0`TF-AWS050

Master authorized networks are not enabled in GKE clustersTF-S2019

GCP Kubernetes engine clusters have basic authentication enabledTF-S2018

Consider using `#` for commentsTF-L0040

Output declaration without descriptionTF-L0041

`variable` declaration without descriptionTF-L0042

`variable` declaration without typeTF-L0043

IAM Password policy should prevent password reuseTF-AWS037

Examples

Bad practice

Recommended

References

Open Source