Unencrypted storage bucket foundTF-GCP002Legacy `ABAC` permissions are enabledTF-GCP005Potentially sensitive data stored in block attributeTF-GEN003Invalid AWS S3 bucket regionTF-L0052Invalid AWS DB instance typeTF-L0006Ensure all Cloud SQL database instance requires all incoming connections to use SSLTF-S2006Ensure that Cloud SQL database instances are not open to the worldTF-S2011Azure instance is using basic authenticationTF-S1001Azure AKS is not using RBACTF-S1005Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suitesTF-S2004Kubernetes Engine Cluster authentication missing client certificateTF-S2013Kubernetes Engine Cluster missing Network PolicyTF-S2012Ensure Google compute firewall ingress does not allow unrestricted ssh accessTF-S2002Ensure Google compute firewall ingress does not allow unrestricted RDP accessTF-S2003Ensure Legacy Authorization is set to Disabled on Kubernetes Engine ClustersTF-S2007Exposed BigQuery datasetsTF-S2015Found usage of RSASHA1 for the zone-signing and key-signing keys in Cloud DNS DNSSECTF-S2017Detected password authentication instead of `SSH` keysTF-AZU005Unencrypted data lake store foundTF-AZU004Potentially sensitive data stored in `default` value of variableTF-GEN001Potentially sensitive data stored in local valueTF-GEN002Deprecated interpolationTF-L0037Use of default AWS DB parameter groupTF-L0034Use of an old generation AWS elasticache cluster node typeTF-L0035Use of default AWS elasticache parameter groupTF-L0036Legacy dot index syntaxTF-L0038Unused declarationTF-L0039Missing routing target in `aws_route` resourceTF-L0030Use of previous generation AWS instance typeTF-L0032Cloud DNS has DNSSEC disabledTF-S2016Ensure 'Automatic node repair' is enabled for Kubernetes ClustersTF-S2009AKS API server does not define authorized IP rangesTF-S1006Unencrypted Azure managed disk foundTF-S1002`supportsHttpsTrafficOnly` is not set to `true`TF-S1003AKS logging is not configured with Azure MonitoringTF-S1004Cloud SQL database found with backup configuration disabledTF-S2014An inbound firewall rule allows traffic from `/0`TF-GCP003Invalid AWS MQ broker engine typeTF-L0050Load balancer is exposed to the internetTF-AWS005An outdated SSL policy is in use by a load balancerTF-AWS010A resource is marked as publicly accessibleTF-AWS011Unencrypted SQS queueTF-AWS015Use of plain `HTTP`TF-AWS004Unencrypted managed disk detectedTF-AZU003AWS instance with invalid AMI IDTF-L0015AWS launch configuration with invalid AMI IDTF-L0021Invalid `excess_capacity_termination_policy`TF-L0053Unrestricted RDP accessTF-S1009Invalid AWS Load Banancer subnet IDTF-L0002Invalid AWS DB subnet group nameTF-L0003Invalid ACL value for AWS S3 bucketTF-L0051Module doesn't comply with Terraform Standard Module StructureTF-L0048Invalid AWS Application Load Balancer security groupTF-L0001Invalid `ParameterGroupName` for AWS DB instanceTF-L0005Route definition has multiple routing targetsTF-L0031Unrestricted access to Kubernetes dashboardTF-S1008Unrestricted SSH accessTF-S1010SQL Databases allows ingress from `0.0.0.0/0`TF-S1011Unprotected AKS cluster detectedTF-S1007Standard pricing tier is not selectedTF-S1019App Service Authentication is not enabled on Azure App ServiceTF-S1013Register with Azure Active Directory is not enabled on Azure App ServiceTF-S1016Security contact phone number not setTF-S1020Send email notification for high severity alerts is disabledTF-S1021Incoming client certificates are disabledTF-S1017HTTP version being used is outdatedTF-S1018Web application does not redirect all HTTP traffic to HTTPS in Azure App ServiceTF-S1014Web application is not using TLS 1.2 on Azure App ServiceTF-S1015Send email notification for high severity alerts to administrator is disabledTF-S1022'Auditing' is not 'Enabled' for SQL serversTF-S1023An ingress security group rule allows traffic from `/0`TF-AWS006An egress security group rule allows traffic to `/0`TF-AWS007An inline ingress security group rule allows traffic from `/0`TF-AWS008An inline egress security group rule allows traffic to `/0`TF-AWS009Task definition defines sensitive environment variable(s)TF-AWS013Launch configuration with unencrypted block deviceTF-AWS014Unencrypted SNS topicTF-AWS016Unencrypted S3 bucketTF-AWS017Missing description for security group/security group ruleTF-AWS018An inbound network security rule allows traffic from `/0`TF-AZU001S3 Bucket does not have logging enabledTF-AWS002AWS Classic resource usageTF-AWS003Unencrypted compute disk foundTF-GCP001An outbound firewall rule allows traffic to `/0`TF-GCP004An outbound network security rule allows traffic from /0TF-AZU002S3 Bucket has an ACL defined which allows public accessTF-AWS001Elasticsearch domain endpoint is using outdated TLS policyTF-AWS034EKS should have the encryption of secrets enabledTF-AWS066S3 Access block should block public ACLTF-AWS074AWS IAM policy document has wildcard action statementTF-AWS046A resource has a public IP addressTF-AWS012A KMS key is not configured to auto-rotateTF-AWS019ECR repository has image scans disabledTF-AWS023API Gateway domain name uses outdated SSL/TLS protocolsTF-AWS025Elasticsearch domain isn't encrypted at restTF-AWS031Elasticsearch doesn't enforce HTTPS trafficTF-AWS033Unencrypted Elasticache Replication GroupTF-AWS035IAM Password policy should have requirement for at least one lowercase characterTF-AWS042AWS SQS policy document has wildcard action statementTF-AWS047RDS encryption has not been enabled at a database Instance levelTF-AWS052Encryption for RDS Performance Insights should be enabledTF-AWS053ElasticSearch nodes should communicate with node to node encryption enabledTF-AWS055Ensure that lambda function permission has a source arn specifiedTF-AWS058API Gateway stages for V1 and V2 should have access logging enabledTF-AWS061User data for EC2 instances must not contain sensitive AWS keysTF-AWS062CloudTrail should be encrypted at rest to secure access to sensitive trail dataTF-AWS065`aws_instance` resource should activate session tokens for Instance Metadata ServiceTF-AWS079EKS Clusters should have cluster control plane logging turned onTF-AWS067Viewer Protocol Policy in CloudFront Distribution Cache should always be set to HTTPSTF-AWS072S3 Access block should block public policyTF-AWS076CodeBuild Project artifacts encryption should not be disabledTF-AWS080Amazon DynamoDB Accelerator Cluster should always encrypt data at restTF-AWS081Use of previous generation AWS database instanceTF-L0033Detected a git or mercurial repository as a module source without pinning to a versionTF-L0044Audit: `terraform.workspace` used with a `remote` backend with remote executionTF-L0049There is no encryption specified or encryption is disabled on the RDS ClusterTF-AWS051Athena databases and workgroup configurations are created unencrypted at rest by default, they should be encryptedTF-AWS059IAM Password policy should prevent password reuseTF-AWS037IAM Password policy should have expiry less than or equal to 90 daysTF-AWS038IAM Password policy should have requirement for at least one symbol in the passwordTF-AWS040IAM Password policy should have requirement for at least one number in the passwordTF-AWS041An ingress Network ACL rule allows specific ports from `/0`TF-AWS049ElasticSearch domains should enforce HTTPSTF-AWS054Domain logging should be enabled for ElasticSearch domainsTF-AWS057Athena workgroups should enforce configuration to prevent client disabling encryptionTF-AWS060CloudTrail should be enabled in all regions, regardless of where your AWS resources are generally locatedTF-AWS063EKS Clusters should have the public access disabledTF-AWS069AWS ElasticSearch Domain should have logging enabledTF-AWS070CloudFront distribution should have Access Logging configuredTF-AWS071S3 Access Block should Ignore Public ACLTF-AWS073S3 Access block should restrict public bucket to limit accessTF-AWS075S3 Data should be versionedTF-AWS077ECR images tags shouldn't be mutableTF-AWS078Invalid AWS DB `OptionGroupName`TF-L0004Invalid AWS VPC Security GroupTF-L0007`terraform` declarations without `require_version`TF-L0046Provider doesn't have version constraintTF-L0047CloudFront distribution allows unencrypted (HTTP) communicationsTF-AWS020CloudFront distribution uses outdated SSL/TLS protocolsTF-AWS021A MSK cluster allows unencrypted data in transitTF-AWS022Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine ClustersTF-S2001Ensure 'Automatic node upgrade' is enabled for Kubernetes ClustersTF-S2010Kinesis stream is unencryptedTF-AWS024CloudFront distribution does not have a WAF in frontTF-AWS045EFS Encryption has not been enabledTF-AWS048CloudTrail log validation should be enabled to prevent tampering of log dataTF-AWS064EKS cluster should not have open CIDR range for public accessTF-AWS068Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine ClustersTF-S2008Elasticsearch domain uses plaintext traffic for node to node communicationTF-AWS032AWS provider has access credentials specifiedTF-AWS044Elasticache Replication Group uses unencrypted trafficTF-AWS036IAM Password policy should have minimum password length of 14 or more charactersTF-AWS039IAM Password policy should have requirement for at least one uppercase characterTF-AWS043An ingress Network ACL rule allows ALL ports from `/0`TF-AWS050Master authorized networks are not enabled in GKE clustersTF-S2019GCP Kubernetes engine clusters have basic authentication enabledTF-S2018Consider using `#` for commentsTF-L0040Output declaration without descriptionTF-L0041`variable` declaration without descriptionTF-L0042`variable` declaration without typeTF-L0043
Terraform logoTerraform/
TF-S2004

Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suitesTF-S2004

Critical severityCritical
Security categorySecurity

GCP HTTPS load balancer is configured with SSL policy having TLS version 1.1 or lower or it could be using weak cipher suites.

Secure Sockets Layer (SSL) policies determine what Transport Layer Security (TLS) features clients can use when connecting to load balancers. SSL policies control SSL features in Google Cloud SSL proxy load balancer and external HTTP(S) load balancers. By default, HTTP(S) Load Balancing and SSL Proxy Load Balancing use a set of SSL features that provides good security and broad compatibility.

We recommend using of the following options to prevent usage of insecure features:

  1. TLS should be set to 1.2 with the MODERN profile
  2. Use RESTRICTED profile as it effectively requires clients to use TLS 1.2 regardless of the chosen minimum TLS version
  3. If using a CUSTOM profile that does not support any of the following cipher suites:

TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA

Examples

Bad practice

resource "google_compute_ssl_policy" "modern-profile" {
  name            = "test-ssl-policy"
  profile         = "MODERN"
  min_tls_version = "TLS_1_2"
}

resource "google_compute_ssl_policy" "custom-profile" {
  name            = "test-ssl-policy"
  profile         = "CUSTOM"
  min_tls_version = "TLS_1_2"
  custom_features = ["TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]
}

resource "google_compute_ssl_policy" "custom-profile" {
  name            = "test-ssl-policy"
  profile         = "RESTRICTED"
}

References