AWS CloudFormation Linter

Unencrypted storage bucket foundTF-GCP002 Legacy `ABAC` permissions are enabledTF-GCP005 Potentially sensitive data stored in block attributeTF-GEN003 Invalid AWS S3 bucket regionTF-L0052 Invalid AWS DB instance typeTF-L0006 Ensure all Cloud SQL database instance requires all incoming connections to use SSLTF-S2006 Ensure that Cloud SQL database instances are not open to the worldTF-S2011 Azure instance is using basic authenticationTF-S1001 Azure AKS is not using RBACTF-S1005 Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suitesTF-S2004 Kubernetes Engine Cluster authentication missing client certificateTF-S2013 Kubernetes Engine Cluster missing Network PolicyTF-S2012 Ensure Google compute firewall ingress does not allow unrestricted ssh accessTF-S2002 Ensure Google compute firewall ingress does not allow unrestricted RDP accessTF-S2003 Ensure Legacy Authorization is set to Disabled on Kubernetes Engine ClustersTF-S2007 Exposed BigQuery datasetsTF-S2015 Found usage of RSASHA1 for the zone-signing and key-signing keys in Cloud DNS DNSSECTF-S2017 Detected password authentication instead of `SSH` keysTF-AZU005 Unencrypted data lake store foundTF-AZU004 Potentially sensitive data stored in `default` value of variableTF-GEN001 Potentially sensitive data stored in local valueTF-GEN002 Deprecated interpolationTF-L0037 Use of default AWS DB parameter groupTF-L0034 Use of an old generation AWS elasticache cluster node typeTF-L0035 Use of default AWS elasticache parameter groupTF-L0036 Legacy dot index syntaxTF-L0038 Unused declarationTF-L0039 Missing routing target in `aws_route` resourceTF-L0030 Use of previous generation AWS instance typeTF-L0032 Cloud DNS has DNSSEC disabledTF-S2016 Ensure 'Automatic node repair' is enabled for Kubernetes ClustersTF-S2009 AKS API server does not define authorized IP rangesTF-S1006 Unencrypted Azure managed disk foundTF-S1002 `supportsHttpsTrafficOnly` is not set to `true`TF-S1003 AKS logging is not configured with Azure MonitoringTF-S1004 Cloud SQL database found with backup configuration disabledTF-S2014 An inbound firewall rule allows traffic from `/0`TF-GCP003 Invalid AWS MQ broker engine typeTF-L0050 Load balancer is exposed to the internetTF-AWS005 An outdated SSL policy is in use by a load balancerTF-AWS010 A resource is marked as publicly accessibleTF-AWS011 Unencrypted SQS queueTF-AWS015 Use of plain `HTTP`TF-AWS004 Unencrypted managed disk detectedTF-AZU003 AWS instance with invalid AMI IDTF-L0015 AWS launch configuration with invalid AMI IDTF-L0021 Invalid `excess_capacity_termination_policy`TF-L0053 Unrestricted RDP accessTF-S1009 Invalid AWS Load Banancer subnet IDTF-L0002 Invalid AWS DB subnet group nameTF-L0003 Invalid ACL value for AWS S3 bucketTF-L0051 Module doesn't comply with Terraform Standard Module StructureTF-L0048 Invalid AWS Application Load Balancer security groupTF-L0001 Invalid `ParameterGroupName` for AWS DB instanceTF-L0005 Route definition has multiple routing targetsTF-L0031 Unrestricted access to Kubernetes dashboardTF-S1008 Unrestricted SSH accessTF-S1010 SQL Databases allows ingress from `0.0.0.0/0`TF-S1011 Unprotected AKS cluster detectedTF-S1007 Standard pricing tier is not selectedTF-S1019 App Service Authentication is not enabled on Azure App ServiceTF-S1013 Register with Azure Active Directory is not enabled on Azure App ServiceTF-S1016 Security contact phone number not setTF-S1020 Send email notification for high severity alerts is disabledTF-S1021 Incoming client certificates are disabledTF-S1017 HTTP version being used is outdatedTF-S1018 Web application does not redirect all HTTP traffic to HTTPS in Azure App ServiceTF-S1014 Web application is not using TLS 1.2 on Azure App ServiceTF-S1015 Send email notification for high severity alerts to administrator is disabledTF-S1022 'Auditing' is not 'Enabled' for SQL serversTF-S1023 An ingress security group rule allows traffic from `/0`TF-AWS006 An egress security group rule allows traffic to `/0`TF-AWS007 An inline ingress security group rule allows traffic from `/0`TF-AWS008 An inline egress security group rule allows traffic to `/0`TF-AWS009 Task definition defines sensitive environment variable(s)TF-AWS013 Launch configuration with unencrypted block deviceTF-AWS014 Unencrypted SNS topicTF-AWS016 Unencrypted S3 bucketTF-AWS017 Missing description for security group/security group ruleTF-AWS018 An inbound network security rule allows traffic from `/0`TF-AZU001 S3 Bucket does not have logging enabledTF-AWS002 AWS Classic resource usageTF-AWS003 Unencrypted compute disk foundTF-GCP001 An outbound firewall rule allows traffic to `/0`TF-GCP004 An outbound network security rule allows traffic from /0TF-AZU002 S3 Bucket has an ACL defined which allows public accessTF-AWS001 Elasticsearch domain endpoint is using outdated TLS policyTF-AWS034 EKS should have the encryption of secrets enabledTF-AWS066 S3 Access block should block public ACLTF-AWS074 AWS IAM policy document has wildcard action statementTF-AWS046 A resource has a public IP addressTF-AWS012 A KMS key is not configured to auto-rotateTF-AWS019 ECR repository has image scans disabledTF-AWS023 API Gateway domain name uses outdated SSL/TLS protocolsTF-AWS025 Elasticsearch domain isn't encrypted at restTF-AWS031 Elasticsearch doesn't enforce HTTPS trafficTF-AWS033 Unencrypted Elasticache Replication GroupTF-AWS035 IAM Password policy should have requirement for at least one lowercase characterTF-AWS042 AWS SQS policy document has wildcard action statementTF-AWS047 RDS encryption has not been enabled at a database Instance levelTF-AWS052 Encryption for RDS Performance Insights should be enabledTF-AWS053 ElasticSearch nodes should communicate with node to node encryption enabledTF-AWS055 Ensure that lambda function permission has a source arn specifiedTF-AWS058 API Gateway stages for V1 and V2 should have access logging enabledTF-AWS061 User data for EC2 instances must not contain sensitive AWS keysTF-AWS062 CloudTrail should be encrypted at rest to secure access to sensitive trail dataTF-AWS065 `aws_instance` resource should activate session tokens for Instance Metadata ServiceTF-AWS079 EKS Clusters should have cluster control plane logging turned onTF-AWS067 Viewer Protocol Policy in CloudFront Distribution Cache should always be set to HTTPSTF-AWS072 S3 Access block should block public policyTF-AWS076 CodeBuild Project artifacts encryption should not be disabledTF-AWS080 Amazon DynamoDB Accelerator Cluster should always encrypt data at restTF-AWS081 Use of previous generation AWS database instanceTF-L0033 Detected a git or mercurial repository as a module source without pinning to a versionTF-L0044 Audit: `terraform.workspace` used with a `remote` backend with remote executionTF-L0049 There is no encryption specified or encryption is disabled on the RDS ClusterTF-AWS051 Athena databases and workgroup configurations are created unencrypted at rest by default, they should be encryptedTF-AWS059 IAM Password policy should prevent password reuseTF-AWS037 IAM Password policy should have expiry less than or equal to 90 daysTF-AWS038 IAM Password policy should have requirement for at least one symbol in the passwordTF-AWS040 IAM Password policy should have requirement for at least one number in the passwordTF-AWS041 An ingress Network ACL rule allows specific ports from `/0`TF-AWS049 ElasticSearch domains should enforce HTTPSTF-AWS054 Domain logging should be enabled for ElasticSearch domainsTF-AWS057 Athena workgroups should enforce configuration to prevent client disabling encryptionTF-AWS060 CloudTrail should be enabled in all regions, regardless of where your AWS resources are generally locatedTF-AWS063 EKS Clusters should have the public access disabledTF-AWS069 AWS ElasticSearch Domain should have logging enabledTF-AWS070 CloudFront distribution should have Access Logging configuredTF-AWS071 S3 Access Block should Ignore Public ACLTF-AWS073 S3 Access block should restrict public bucket to limit accessTF-AWS075 S3 Data should be versionedTF-AWS077 ECR images tags shouldn't be mutableTF-AWS078 Invalid AWS DB `OptionGroupName`TF-L0004 Invalid AWS VPC Security GroupTF-L0007 `terraform` declarations without `require_version`TF-L0046 Provider doesn't have version constraintTF-L0047 CloudFront distribution allows unencrypted (HTTP) communicationsTF-AWS020 CloudFront distribution uses outdated SSL/TLS protocolsTF-AWS021 A MSK cluster allows unencrypted data in transitTF-AWS022 Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine ClustersTF-S2001 Ensure 'Automatic node upgrade' is enabled for Kubernetes ClustersTF-S2010 Kinesis stream is unencryptedTF-AWS024 CloudFront distribution does not have a WAF in frontTF-AWS045 EFS Encryption has not been enabledTF-AWS048 CloudTrail log validation should be enabled to prevent tampering of log dataTF-AWS064 EKS cluster should not have open CIDR range for public accessTF-AWS068 Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine ClustersTF-S2008 Elasticsearch domain uses plaintext traffic for node to node communicationTF-AWS032 AWS provider has access credentials specifiedTF-AWS044 Elasticache Replication Group uses unencrypted trafficTF-AWS036 IAM Password policy should have minimum password length of 14 or more charactersTF-AWS039 IAM Password policy should have requirement for at least one uppercase characterTF-AWS043 An ingress Network ACL rule allows ALL ports from `/0`TF-AWS050 Master authorized networks are not enabled in GKE clustersTF-S2019 GCP Kubernetes engine clusters have basic authentication enabledTF-S2018 Consider using `#` for commentsTF-L0040 Output declaration without descriptionTF-L0041 `variable` declaration without descriptionTF-L0042 `variable` declaration without typeTF-L0043

TF-S1011

SQL Databases allows ingress from `0.0.0.0/0`TF-S1011

Critical

Security

Allowing ingress from 0.0.0.0/0 means that the SQL database can accept connection requests from all the IP addresses. This can lead to allowing unauthorized connections too.

SQL Server includes a firewall to block access to unauthorized connections. More granular IP addresses can be defined by referencing the range of addresses available from specific data centers. By default, for a SQL server, a Firewall exists with StartIP of 0.0.0.0 and EndIP of 0.0.0.0, allowing access to all the Azure services. Additionally, a custom rule can be set up with StartIP of 0.0.0.0 and EndIP of 255.255.255.255, allowing access from ANY IP over the Internet. In order to reduce the potential attack surface for a SQL server, firewall rules should be defined with more granular IP addresses by referencing the range of addresses available from specific datacenters. By default, setting "Allow" access to Azure Services is set to ON, allowing access to all Windows Azure IP ranges.