Terraform Rules

IaC rules for Terraform that identify insecure configurations in infrastructure and cloud resources.

Terraform Rule Catalog

| ID | Title | Severity |
|---|---|---|
| IAC-0115 | AWS IAM policies that allow full "-" administrative privileges are created | CRITICAL |
| IAC-0001 | Alibaba Cloud OSS bucket accessible to public | HIGH |
| IAC-0067 | AWS IAM password policy does allow password reuse | HIGH |
| IAC-0151 | AWS SageMaker endpoint data encryption at rest not configured | HIGH |
| IAC-0155 | Neptune cluster instance is publicly available | HIGH |
| IAC-0179 | Elastic load balancers do not use SSL Certificates provided by AWS Certificate Manager | HIGH |
| IAC-0217 | SQS queue policy is public and access is not restricted to specific services or principals | HIGH |
| IAC-0315 | Comprehend Entity Recognizer's model is not encrypted by KMS using a customer managed Key (CMK) | HIGH |
| IAC-0316 | Comprehend Entity Recognizer's volume is not encrypted by KMS using a customer managed Key (CMK) | HIGH |
| IAC-0318 | The Connect Instance S3 Storage Configuration utilizes Customer Managed Key. | HIGH |
| IAC-0319 | DynamoDB table replica does not use CMK KMS encryption | HIGH |
| IAC-0320 | AWS Lambda function is not configured to validate code-signing | HIGH |
| IAC-0322 | AWS AdministratorAccess policy is used by IAM roles, users, or groups | HIGH |
| IAC-0323 | IAM policy uses the AWS AdministratorAccess policy | HIGH |
| IAC-0326 | MemoryDB snapshot is not encrypted by KMS using a customer managed Key (CMK) | HIGH |
| IAC-0327 | Neptune snapshot is not securely encrypted | HIGH |
| IAC-0328 | Neptune snapshot is encrypted by KMS using a customer managed Key (CMK) | HIGH |
| IAC-0329 | RedShift snapshot copy is not encrypted by KMS using a customer managed Key (CMK). | HIGH |
| IAC-0330 | Redshift Serverless namespace is not encrypted by KMS using a customer managed key (CMK) | HIGH |
| IAC-0331 | IAM Policy Document Allows All or Any AWS Principal Permissions to Resources | HIGH |
| IAC-0335 | IAM policies allow exposure of credentials | HIGH |
| IAC-0336 | IAM policies allow data exfiltration | HIGH |
| IAC-0337 | IAM policies allow permissions management or resource exposure without constraints | HIGH |
| IAC-0338 | IAM policies allow write access without constraints | HIGH |
| IAC-0340 | DocDB Global Cluster is not encrypted at rest | HIGH |
| IAC-0343 | DataSync Location Object Storage exposes secrets | HIGH |
| IAC-0344 | DMS endpoint is not using a Customer Managed Key (CMK) | HIGH |
| IAC-0345 | EventBridge Scheduler Schedule is not using a Customer Managed Key (CMK) | HIGH |
| IAC-0346 | The DMS S3 does not use a Customer Managed Key (CMK) | HIGH |
| IAC-0351 | Secrets Manager secrets are not rotated within 90 days | HIGH |
| IAC-0355 | API Gateway method setting is not set to encrypted caching | HIGH |
| IAC-0358 | CodeBuild S3 logs are not encrypted | HIGH |
| IAC-0359 | Elastic Beanstalk environments do not have enhanced health reporting enabled | HIGH |
| IAC-0375 | ALB is not configured with the defensive or strictest desync mitigation mode | HIGH |
| IAC-0376 | EFS Access Points are not enforcing a root directory | HIGH |
| IAC-0384 | SSM parameters are not utilizing KMS CMK. | HIGH |
| IAC-0386 | EKS clusters are not running on a supported Kubernetes version | HIGH |
| IAC-0390 | Amazon Redshift clusters do not have automatic snapshots enabled | HIGH |
| IAC-0391 | Network firewalls do not have deletion protection enabled | HIGH |
| IAC-0392 | Network firewall encryption does not use a CMK | HIGH |
| IAC-0393 | Network Firewall Policy does not define an encryption configuration that uses a CMK | HIGH |
| IAC-0394 | Neptune is not encrypted with KMS using a customer managed Key (CMK) | HIGH |
| IAC-0395 | AWS Access key enabled on root account | HIGH |
| IAC-0397 | Security configuration of the EMR Cluster does not ensure the encryption of EBS disks | HIGH |
| IAC-0399 | NACL ingress allows all ports | HIGH |
| IAC-0401 | RDS Performance Insights are not encrypted using KMS CMKs | HIGH |
| IAC-0402 | IAM policy document allows all resources with restricted actions | HIGH |
| IAC-0403 | Data source IAM policy document allows all resources with restricted actions | HIGH |
| IAC-0404 | Transfer server does not force secure protocols. | HIGH |
| IAC-0405 | AWS GitHub Actions OIDC authorization policies allow for unsafe claims or claim order | HIGH |
| IAC-0411 | Permissions delegated to AWS services for AWS Lambda functions are not limited by SourceArn or SourceAccount | HIGH |
| IAC-0431 | Ensure no hard-coded secrets exist in Parameter Store values | HIGH |
| IAC-0434 | Ensure SQS policy does not allow public access through wildcards | HIGH |
| IAC-0435 | Ensure AWS Aurora PostgreSQL is not exposed to local file read vulnerability | HIGH |
| IAC-0438 | Avoid AWS Redshift cluster with commonly used master username and public access setting enabled | HIGH |
| IAC-0439 | Ensure AWS S3 access point block public access setting is enabled | HIGH |
| IAC-0472 | Domain Name System Security Extensions (DNSSEC) signing is not enabled for Amazon Route 53 public hosted zones | HIGH |
| IAC-0490 | The AWS Managed IAMFullAccess IAM policy should not be used | HIGH |
| IAC-0500 | MWAA environment is publicly accessible | HIGH |
| IAC-0507 | Ensure AWS Load Balancers use strong ciphers | HIGH |
| IAC-0509 | Ensure AWS ALB attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability | HIGH |
| IAC-0510 | Ensure AWS API Gateway Rest API attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability | HIGH |
| IAC-0511 | Ensure AWS AppSync attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability | HIGH |
| IAC-0551 | Azure Key Vault Keys does not have expiration date | HIGH |
| IAC-0556 | Secrets are exposed in Azure VM customData | HIGH |
| IAC-0558 | MariaDB servers do not have public network access enabled set to False | HIGH |
| IAC-0593 | Azure Security Center Defender set to Off for Kubernetes | HIGH |
| IAC-0594 | Azure Microsoft Defender for Cloud is set to Off for Container Registries | HIGH |
| IAC-0641 | Azure Cognitive Services account configured with public network access | HIGH |
| IAC-0685 | Linux VM Without SSH Key | HIGH |
| IAC-0692 | App Configuration Public Access Enabled | HIGH |
| IAC-0696 | Azure Key Vault Public Network Access Control | HIGH |
| IAC-0697 | Azure storage account has a blob container with public access | HIGH |
| IAC-0722 | Backend of the API management system does not utilize HTTPS | HIGH |
| IAC-0723 | DenyIntelMode for Azure Firewalls is not set to Deny | HIGH |
| IAC-0727 | Firewall policy does not have IDPS mode set to deny | HIGH |
| IAC-0730 | Event Hub Namespace not using TLS 1.2 or greater | HIGH |
| IAC-0734 | AKS cluster not encrypting temp disks, caches, and data flows | HIGH |
| IAC-0736 | Azure SQL Database Namespace is not zone redundant | HIGH |
| IAC-0737 | Standard Replication is not enabled | HIGH |
| IAC-0739 | Non-Critical System Pods Run on System Nodes | HIGH |
| IAC-0756 | Azure GitHub Actions OIDC trust policy is insecurely configured | HIGH |
| IAC-0759 | Storage for critical data is not encrypted with Customer Managed Key | HIGH |
| IAC-0807 | Azure Storage Account storing Machine Learning workspace high business impact data is publicly accessible | HIGH |
| IAC-0819 | Ensure no hard-coded API tokens exist in the provider | HIGH |
| IAC-0826 | Suspicious use of netcat with IP address | HIGH |
| IAC-0827 | Ensure run commands are not vulnerable to shell injection | HIGH |
| IAC-0833 | Ensure the firewall ingress is not wide open | HIGH |
| IAC-0866 | GCP SQL Instances do not have SSL configured for incoming connections | HIGH |
| IAC-0871 | GCP SQL database is publicly accessible | HIGH |
| IAC-0874 | GCP SQL database instance does not have backup configuration enabled | HIGH |
| IAC-0875 | GCP BigQuery dataset is publicly accessible | HIGH |
| IAC-0887 | GCP Storage bucket is anonymously or publicly accessible | HIGH |
| IAC-0891 | GCP VM instances have the block project-wide SSH keys feature disabled | HIGH |
| IAC-0892 | GCP Projects have OS Login disabled | HIGH |
| IAC-0897 | Boot disks for instances do not use CSEKs | HIGH |
| IAC-0900 | GCP IAM users are assigned Service Account User or Service Account Token Creator roles at project level | HIGH |
| IAC-0901 | GCP IAM Service account has admin privileges | HIGH |
| IAC-0903 | Roles impersonate or manage Service Accounts used at folder level | HIGH |
| IAC-0904 | Roles impersonate or manage Service Accounts used at organizational level | HIGH |
| IAC-0905 | Default Service Account is used at project level | HIGH |
| IAC-0906 | Default Service Account is used at organization level | HIGH |
| IAC-0907 | Default Service Account is used at folder level | HIGH |
| IAC-0947 | GCP Vertex AI instances are not private | HIGH |
| IAC-0952 | GCP Dataflow jobs are not private | HIGH |
| IAC-0956 | GCP Dataproc clusters are anonymously or publicly accessible | HIGH |
| IAC-0958 | GCP BigQuery Tables are anonymously or publicly accessible | HIGH |
| IAC-0959 | GCP Artifact Registry repositories are anonymously or publicly accessible | HIGH |
| IAC-0961 | GCP Dataproc Clusters have public IPs | HIGH |
| IAC-0970 | KMS policy allows public access | HIGH |
| IAC-0971 | IAM policy defines public access | HIGH |
| IAC-0972 | GCP Storage buckets are publicly accessible to all users | HIGH |
| IAC-0973 | Basic roles utilized at the organization level | HIGH |
| IAC-0975 | Project level utilization of basic roles | HIGH |
| IAC-0976 | IAM workload identity pool provider is not restricted | HIGH |
| IAC-0978 | Spanner Database does not have drop protection enabled | HIGH |
| IAC-0983 | GCP GitHub Actions OIDC trust policy is insecurely configured | HIGH |
| IAC-0991 | GCP KMS crypto key is anonymously accessible | HIGH |
| IAC-0993 | GCP Cloud KMS Key Rings are anonymously or publicly accessible | HIGH |
| IAC-0994 | GCP Container Registry repositories are anonymously or publicly accessible | HIGH |
| IAC-1025 | Ensure run commands are not vulnerable to shell injection | HIGH |
| IAC-1027 | Suspicious use of netcat with IP address | HIGH |
| IAC-1035 | GitHub Actions Environment Secrets defined in Terraform are not encrypted | HIGH |
| IAC-1039 | Ensure GitHub organization security settings require 2FA | HIGH |
| IAC-1044 | Ensure GitHub organization webhooks are using HTTPS | HIGH |
| IAC-1045 | Ensure GitHub repository webhooks are using HTTPS | HIGH |
| IAC-1070 | Gitlab branch protection rules defined in Terraform allow force push | HIGH |
| IAC-1074 | IBM Cloud Virtual Private Cloud (VPC) classic access is enabled in Terraform | HIGH |
| IAC-1191 | Limit the use of git-sync to prevent code injection | HIGH |
| IAC-1198 | Ensure no hard-coded Linode tokens exist in provider | HIGH |
| IAC-1202 | Ensure Inbound Firewall Policy is not set to ACCEPT | HIGH |
| IAC-1203 | Ensure Outbound Firewall Policy is not set to ACCEPT | HIGH |
| IAC-1207 | Ensure no access control groups allow inbound from 0.0.0.0:0 to port 22 | HIGH |
| IAC-1208 | Ensure no access control groups allow inbound from 0.0.0.0:0 to port 3389 | HIGH |
| IAC-1209 | Ensure Server instance is encrypted. | HIGH |
| IAC-1210 | Ensure Basic Block storage is encrypted. | HIGH |
| IAC-1213 | Ensure no NACLs allow inbound from 0.0.0.0:0 to port 22 | HIGH |
| IAC-1214 | Ensure no NACLs allow inbound from 0.0.0.0:0 to port 3389 | HIGH |
| IAC-1217 | Ensure NAS is securely encrypted | HIGH |
| IAC-1237 | OCI Object Storage bucket is publicly accessible | HIGH |
| IAC-1257 | OpenAPI Security Definitions Object should be set and not empty | HIGH |
| IAC-1258 | OpenAPI If the security scheme is not of type 'oauth2', the array value must be empty | HIGH |
| IAC-1259 | Cleartext credentials over unencrypted channel should not be accepted for the operation | HIGH |
| IAC-1260 | OpenAPI Security object needs to have defined rules in its array and rules should be defined in the securityScheme | HIGH |
| IAC-1261 | OpenAPI Security object for operations, if defined, must define a security scheme, otherwise it should be considered an error | HIGH |
| IAC-1262 | OpenAPI Security requirement not defined in the security definitions | HIGH |
| IAC-1263 | The path scheme supports unencrypted HTTP connections | HIGH |
| IAC-1264 | API spec includes a 'password' flow in OAuth2 authentication | HIGH |
| IAC-1266 | OAuth2 security definitions include password flow in OpenAPI 2.0 file | HIGH |
| IAC-1267 | OAuth2 password flow in security definitions for OpenAPI 2.0 file | HIGH |
| IAC-1269 | Security definitions use basic auth | HIGH |
| IAC-1271 | Operation Objects Use Basic Auth | HIGH |
| IAC-1274 | Global schemes use 'http' protocol instead of 'https' | HIGH |
| IAC-1276 | API keys transmitted over cleartext | HIGH |
| IAC-1279 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 (tcp / udp) | HIGH |
| IAC-1283 | Ensure no hard-coded PAN-OS credentials exist in provider | HIGH |
| IAC-1293 | Ensure IPsec profiles do not specify use of insecure encryption algorithms | HIGH |
| IAC-1301 | AWS Access Keys | HIGH |
| IAC-1302 | Azure Storage Account Access Keys | HIGH |
| IAC-1306 | IBM Cloud IAM Key | HIGH |
| IAC-1318 | Ensure Tencent Cloud CBS is encrypted | HIGH |
| IAC-1325 | Ensure Tencent Cloud VPC security group rules do not accept all traffic | HIGH |
| IAC-1330 | Ensure Tencent Cloud CVM user data does not contain sensitive information | HIGH |
| IAC-1333 | Terraform module sources do not use a git url with a tag or commit hash revision | HIGH |
| IAC-1336 | Ensure storage bucket is encrypted. | HIGH |
| IAC-1343 | Ensure etcd database is encrypted with KMS key. | HIGH |
| IAC-1350 | Ensure storage bucket does not have public access permissions. | HIGH |
| IAC-1352 | Ensure security group does not contain allow-all rules. | HIGH |
| IAC-1353 | Ensure security group rule is not allow-all. | HIGH |
| IAC-0000 | Ensure at least two approving reviews for PRs | MEDIUM |
| IAC-0004 | Alibaba Cloud Action Trail Logging is not enabled for all regions | MEDIUM |
| IAC-0005 | Alibaba Cloud Action Trail Logging is not enabled for all events | MEDIUM |
| IAC-0006 | Alibaba Cloud OSS bucket is not encrypted with Customer Master Key | MEDIUM |
| IAC-0014 | Alibaba Cloud RAM password policy does not have a number | MEDIUM |
| IAC-0018 | Alibaba Cloud RAM password policy does not prevent password reuse | MEDIUM |
| IAC-0019 | Alibaba Cloud RAM password policy does not have an uppercase character | MEDIUM |
| IAC-0023 | Alibaba Cloud RAM password policy maximal login attempts is more than 4 | MEDIUM |
| IAC-0042 | Disabled Ansible URI certificate validation | MEDIUM |
| IAC-0043 | Certificate validation disabled with Ansible get_url module | MEDIUM |
| IAC-0044 | SSL certificate validation disabled with Ansible Yum | MEDIUM |
| IAC-0045 | SSL validation is disabled with yum | MEDIUM |
| IAC-0048 | HTTPS url not used with Ansible uri | MEDIUM |
| IAC-0049 | HTTPS url not used with Ansible get_url module | MEDIUM |
| IAC-0051 | DNF usage of packages with untrusted or missing GPG signatures allowed | MEDIUM |
| IAC-0052 | SSL validation disabled within Ansible DNF module | MEDIUM |
| IAC-0053 | Certificate validation disabled within Ansible DNF module | MEDIUM |
| IAC-0054 | Ensure Workflow pods are not using the default ServiceAccount | MEDIUM |
| IAC-0055 | Ensure Workflow pods are running as non-root user | MEDIUM |
| IAC-0102 | Amazon MQ Broker logging is not enabled | MEDIUM |
| IAC-0123 | AWS S3 bucket policy overly permissive to any principal | MEDIUM |
| IAC-0130 | Athena Database is not encrypted at rest | MEDIUM |
| IAC-0133 | Amazon MSK cluster logging is not enabled | MEDIUM |
| IAC-0134 | AWS MSK cluster encryption in transit is not enabled | MEDIUM |
| IAC-0146 | S3 bucket policy allows lockout all but root user | MEDIUM |
| IAC-0165 | Session Manager data is not encrypted in transit | MEDIUM |
| IAC-0166 | Deletion protection disabled for load balancer | MEDIUM |
| IAC-0174 | AWS config is not enabled in all regions | MEDIUM |
| IAC-0178 | AWS EC2 instance detailed monitoring disabled | MEDIUM |
| IAC-0197 | CodeBuild projects are not encrypted | MEDIUM |
| IAC-0208 | Athena Workgroup is not encrypted | MEDIUM |
| IAC-0216 | Glacier Vault access policy is public and not restricted to specific services or principals | MEDIUM |
| IAC-0218 | SNS topic policy is public and access is not restricted to specific services or principals | MEDIUM |
| IAC-0298 | AWS RDS PostgreSQL exposed to local file read vulnerability | MEDIUM |
| IAC-0317 | Connect Instance Kinesis Video Stream Storage Config is not using CMK for encryption | MEDIUM |
| IAC-0325 | AWS Security Group allows all traffic on all ports | MEDIUM |
| IAC-0333 | Execution history logging is not enabled on the State Machine | MEDIUM |
| IAC-0334 | AWS IAM Policy permission may cause privilege escalation | MEDIUM |
| IAC-0341 | AWS database instances do not have deletion protection enabled | MEDIUM |
| IAC-0347 | S3 lifecycle configuration does not set a period for aborting failed uploads | MEDIUM |
| IAC-0349 | AWS RDS snapshots are accessible to public | MEDIUM |
| IAC-0350 | AWS SSM documents are public | MEDIUM |
| IAC-0352 | AWS CloudFront distributions do not have a default root object configured | MEDIUM |
| IAC-0356 | Authorization type for API GatewayV2 routes is not specified | MEDIUM |
| IAC-0357 | CloudFront distributions do not have origin failover configured | MEDIUM |
| IAC-0362 | EC2 Auto Scaling groups are not utilizing EC2 launch templates | MEDIUM |
| IAC-0363 | AWS CodeBuild project environment privileged mode is enabled | MEDIUM |
| IAC-0364 | Elasticsearch Domain Audit Logging is disabled | MEDIUM |
| IAC-0365 | Elasticsearch domains are not configured with a minimum of three dedicated master nodes | MEDIUM |
| IAC-0366 | CloudWatch alarm actions are not enabled | MEDIUM |
| IAC-0367 | Redshift clusters are not using the default database name. | MEDIUM |
| IAC-0368 | Redshift clusters are not using enhanced VPC routing | MEDIUM |
| IAC-0371 | RDS Cluster log capture is disabled | MEDIUM |
| IAC-0373 | RDS Aurora Clusters do not have backtracking enabled | MEDIUM |
| IAC-0377 | User identity should be enforced by EFS access points | MEDIUM |
| IAC-0379 | ECS Fargate services are not ensured to run on the latest Fargate platform version | MEDIUM |
| IAC-0381 | AWS ECS task definition elevated privileges enabled | MEDIUM |
| IAC-0382 | ECS task definitions have their own unique process namespace or share the host's process namespace | MEDIUM |
| IAC-0388 | AWS Auto Scaling group launch configuration configured with Instance Metadata Service hop count greater than 1 | MEDIUM |
| IAC-0410 | Runtime of Lambda is deprecated | MEDIUM |
| IAC-0412 | TLS not enforced in SES configuration set | MEDIUM |
| IAC-0420 | Bedrock Agent not encrypted with Customer Master Key (CMK) | MEDIUM |
| IAC-0425 | AWS Load Balancer uses HTTP protocol | MEDIUM |
| IAC-0426 | AWS S3 bucket not configured with secure data transport policy | MEDIUM |
| IAC-0432 | Ensure AWS SNS topic policies do not allow cross-account access | MEDIUM |
| IAC-0433 | Reduce potential for WhoAMI cloud image name confusion attack | MEDIUM |
| IAC-0436 | Ensure AWS Auto Scaling group launch configuration doesn’t have public IP address assignment enabled | MEDIUM |
| IAC-0437 | Ensure AWS EMR block public access setting is enabled | MEDIUM |
| IAC-0459 | IAM User has access to the console | MEDIUM |
| IAC-0460 | Route53 A Record does not have Attached Resource | MEDIUM |
| IAC-0463 | Public API gateway not configured with AWS Web Application Firewall v2 (AWS WAFv2) | MEDIUM |
| IAC-0474 | AWS IAM policy allows full administrative privileges | MEDIUM |
| IAC-0477 | AWS S3 buckets are accessible to any authenticated user | MEDIUM |
| IAC-0481 | AWS CloudFront attached WAFv2 WebACL is not configured with AMR for Log4j Vulnerability | MEDIUM |
| IAC-0488 | AWS CloudFront distribution is using insecure SSL protocols for HTTPS communication | MEDIUM |
| IAC-0495 | An S3 bucket must have a lifecycle configuration | MEDIUM |
| IAC-0498 | A Policy is not Defined for KMS Key | MEDIUM |
| IAC-0502 | AWS RDS database instance not configured with encryption in transit | MEDIUM |
| IAC-0503 | AWS API Gateway method lacking authorization or API keys | MEDIUM |
| IAC-0505 | AWS CloudFront origin protocol policy does not enforce HTTPS-only | MEDIUM |
| IAC-0508 | Ensure no open CORS policy | MEDIUM |
| IAC-0560 | Virtual Machine extensions are installed | MEDIUM |
| IAC-0561 | MSSQL is not using the latest version of TLS encryption | MEDIUM |
| IAC-0562 | 'public network access enabled' is not set to 'False' for mySQL servers | MEDIUM |
| IAC-0563 | MySQL is not using the latest version of TLS encryption | MEDIUM |
| IAC-0578 | Azure Function App doesn't redirect HTTP to HTTPS | MEDIUM |
| IAC-0580 | Azure App Services Remote debugging is enabled | MEDIUM |
| IAC-0585 | Azure Network Security Group having Inbound rule overly permissive to all traffic on UDP protocol | MEDIUM |
| IAC-0611 | Azure Data Factory (V2) configured with overly permissive network access | MEDIUM |
| IAC-0612 | Unencrypted Data Lake Store accounts | MEDIUM |
| IAC-0613 | Azure Event Grid domain public network access is enabled | MEDIUM |
| IAC-0615 | Azure IoT Hub enables public network access | MEDIUM |
| IAC-0616 | Key vault does not allow firewall rules settings | MEDIUM |
| IAC-0646 | Azure Container registries Public access to All networks is enabled | MEDIUM |
| IAC-0670 | Vulnerability Scanning not enabled for Azure Container Registry | MEDIUM |
| IAC-0671 | Azure Container Registry (ACR) Isn't Configured to Use Signed/Trusted Images | MEDIUM |
| IAC-0672 | Geo-Replicated Not Enabled for Azure Container Registry (ACR) | MEDIUM |
| IAC-0673 | Azure Container Registry (ACR) Does Not Have a Quarantine Policy Enabled | MEDIUM |
| IAC-0679 | AKS Secrets Store Without Auto-Rotation | MEDIUM |
| IAC-0680 | API Management Without Minimum TLS 1.2 | MEDIUM |
| IAC-0681 | API Management with Public Access | MEDIUM |
| IAC-0683 | Web PubSub Without Managed Identities | MEDIUM |
| IAC-0684 | Windows VM Without Automatic Updates | MEDIUM |
| IAC-0688 | Data Explorer Not Using Managed Identities | MEDIUM |
| IAC-0690 | VNET Using External DNS Addresses | MEDIUM |
| IAC-0691 | Azure Event Grid Topic Managed Identity Provider | MEDIUM |
| IAC-0693 | App Configuration Encryption Block Not Set | MEDIUM |
| IAC-0694 | App Configuration Without Purge Protection Enabled | MEDIUM |
| IAC-0698 | Azure Event Grid Topic Managed Identity Provider | MEDIUM |
| IAC-0699 | Azure Event Grid Topic Local Authentication Enabled | MEDIUM |
| IAC-0700 | Azure Event Grid Topic Public Network Access | MEDIUM |
| IAC-0701 | Azure Event Grid Domain Managed Identity Provider is Disabled | MEDIUM |
| IAC-0702 | Azure Event Grid Domain Local Authentication Enabled | MEDIUM |
| IAC-0704 | Azure CDN Doesn't Disable HTTP Endpoint | MEDIUM |
| IAC-0705 | Azure CDN Endpoint Custom domains is not configured with HTTPS | MEDIUM |
| IAC-0706 | Azure Service Bus Doesn't Use Double Encryption | MEDIUM |
| IAC-0707 | Azure CDN Using Outdated TLS Encryption | MEDIUM |
| IAC-0708 | Azure Service Bus Doesn't Use Customer-Managed Key Encryption | MEDIUM |
| IAC-0709 | Azure Service Bus Without Managed Identity Provider | MEDIUM |
| IAC-0711 | Azure Service Bus with Public Network Access Enabled | MEDIUM |
| IAC-0712 | Azure Service Bus Without Latest TLS Encryption | MEDIUM |
| IAC-0714 | Azure Cognitive Search Without Managed Identities | MEDIUM |
| IAC-0717 | Azure Cognitive Search With Global IP Allowance | MEDIUM |
| IAC-0724 | Azure Application gateway listeners that allow connection requests over HTTP | MEDIUM |
| IAC-0726 | Azure Firewall does not define a firewall policy | MEDIUM |
| IAC-0728 | Azure Function app configured with public network access | MEDIUM |
| IAC-0729 | Azure App Service web apps with public network access | MEDIUM |
| IAC-0731 | Ledger feature is disabled on the database | MEDIUM |
| IAC-0732 | App Service Plan is not zone redundant | MEDIUM |
| IAC-0733 | Operating system disks are not ephemeral disks | MEDIUM |
| IAC-0735 | Azure Event Hub Namespace is not zone redundant | MEDIUM |
| IAC-0738 | App Service Environment is not zone redundant | MEDIUM |
| IAC-0741 | Azure Microsoft Defender for Cloud set to Off for Resource Manager | MEDIUM |
| IAC-0750 | Ensure Azure Machine learning workspace is configured with private endpoint | MEDIUM |
| IAC-0754 | Ensure that Azure Cognitive Services account hosted with OpenAI is configured with data loss prevention | MEDIUM |
| IAC-0755 | Ensure that if Azure Batch account public network access is ‘enabled’ then its account access must be ‘deny’ | MEDIUM |
| IAC-0757 | Ensure Storage Sync Service is not configured with overly permissive network access | MEDIUM |
| IAC-0758 | Ensure Azure Virtual Machine disks are configured without public network access | MEDIUM |
| IAC-0780 | Azure Spring Cloud service is not configured with virtual network | MEDIUM |
| IAC-0781 | Azure Automation account configured with overly permissive network access | MEDIUM |
| IAC-0783 | Azure PostgreSQL database flexible server configured with overly permissive network access | MEDIUM |
| IAC-0785 | Azure ACR HTTPS not enabled for webhook | MEDIUM |
| IAC-0790 | Azure Storage account is not configured with private endpoint connection | MEDIUM |
| IAC-0799 | Azure PostgreSQL servers not configured with private endpoint | MEDIUM |
| IAC-0800 | Azure Database for MariaDB not configured with private endpoint | MEDIUM |
| IAC-0801 | Azure Database for MySQL server not configured with private endpoint | MEDIUM |
| IAC-0802 | Azure SQL Database server not configured with private endpoint | MEDIUM |
| IAC-0803 | Azure Synapse Workspace vulnerability assessment is disabled | MEDIUM |
| IAC-0804 | Anonymous blob access configured in Azure storage account | MEDIUM |
| IAC-0813 | Ensure Azure MySQL Flexible Server is configured with private endpoint | MEDIUM |
| IAC-0814 | Ensure PostgreSQL Flexible Server is configured with private endpoint | MEDIUM |
| IAC-0815 | Ensure container job uses a non-latest version tag | MEDIUM |
| IAC-0816 | Ensure container job uses a version digest | MEDIUM |
| IAC-0817 | Ensure set variable is not marked as a secret | MEDIUM |
| IAC-0818 | Detecting image usages in azure pipelines workflows | MEDIUM |
| IAC-0820 | Merge requests should require at least 2 approvals | MEDIUM |
| IAC-0821 | Ensure the pipeline image uses a non-latest version tag | MEDIUM |
| IAC-0822 | Ensure the pipeline image uses a non-latest version tag | MEDIUM |
| IAC-0823 | Ensure the pipeline image version is referenced via hash not arbitrary tag. | MEDIUM |
| IAC-0824 | Ensure mutable development orbs are not used. | MEDIUM |
| IAC-0825 | Ensure unversioned volatile orbs are not used. | MEDIUM |
| IAC-0828 | Suspicious use of curl in run task | MEDIUM |
| IAC-0830 | Ensure the Spaces bucket has versioning enabled | MEDIUM |
| IAC-0831 | Ensure the droplet specifies an SSH key | MEDIUM |
| IAC-0832 | Ensure the Spaces bucket is private | MEDIUM |
| IAC-0865 | GCP HTTPS Load balancer is set with SSL policy having TLS version 1.1 or lower | MEDIUM |
| IAC-0876 | GCP Cloud DNS has DNSSEC disabled | MEDIUM |
| IAC-0877 | RSASHA1 is used for Zone-Signing and Key-Signing Keys in Cloud DNS DNSSEC | MEDIUM |
| IAC-0884 | GCP Kubernetes Engine private cluster has private endpoint disabled | MEDIUM |
| IAC-0886 | GCP Kubernetes Engine Clusters using the default network | MEDIUM |
| IAC-0890 | GCP VM instance using a default service account with Cloud Platform access scope | MEDIUM |
| IAC-0931 | GCP Cloud Armor policy not configured with cve-canary rule | MEDIUM |
| IAC-0953 | GCP Memorystore for Redis has AUTH disabled | MEDIUM |
| IAC-0957 | GCP Pub/Sub Topics are anonymously or publicly accessible | MEDIUM |
| IAC-0960 | GCP Cloud Run services are anonymously or publicly accessible | MEDIUM |
| IAC-0965 | GCP Cloud Function is publicly accessible | MEDIUM |
| IAC-0969 | SQL statements of GCP PostgreSQL are not logged | MEDIUM |
| IAC-0974 | Basic roles used at the folder level | MEDIUM |
| IAC-0977 | Deletion protection for Spanner Database is disabled | MEDIUM |
| IAC-0979 | BigQuery tables do not have deletion protection enabled | MEDIUM |
| IAC-0980 | Big Table Instances do not have deletion protection enabled | MEDIUM |
| IAC-0984 | Ensure Vertex AI Notebook instances are launched with Shielded VM enabled | MEDIUM |
| IAC-0985 | Ensure Integrity Monitoring for Shielded Vertex AI Notebook Instances is Enabled | MEDIUM |
| IAC-0987 | GCP project is configured with legacy network | MEDIUM |
| IAC-0995 | GCP Cloud Function HTTP trigger is not secured | MEDIUM |
| IAC-1003 | Google Cloud Platform network is not ensured to define a firewall | MEDIUM |
| IAC-1006 | Vertex AI instance disks not encrypted with a Customer Managed Key (CMK) | MEDIUM |
| IAC-1007 | Document AI Processors not encrypted with a Customer Managed Key (CMK) | MEDIUM |
| IAC-1008 | Document AI Warehouse Location is not configured to use a Customer Managed Key (CMK) | MEDIUM |
| IAC-1009 | Vertex AI endpoint is not using a Customer Managed Key (CMK) | MEDIUM |
| IAC-1010 | Vertex AI featurestore is not configured to use a Customer Managed Key (CMK) | MEDIUM |
| IAC-1011 | Vertex AI tensorboard does not use a Customer Managed Key (CMK) | MEDIUM |
| IAC-1012 | Vertex AI workbench instance disks not encrypted with a Customer Managed Key (CMK) | MEDIUM |
| IAC-1013 | Vertex AI workbench instances are not private | MEDIUM |
| IAC-1014 | Logging is disabled for Dialogflow agents | MEDIUM |
| IAC-1015 | Logging for Dialogflow CX agents is disabled | MEDIUM |
| IAC-1016 | Logging for Dialogflow CX webhooks is disabled | MEDIUM |
| IAC-1017 | TPU v2 VM is public | MEDIUM |
| IAC-1018 | Vertex AI endpoint is public | MEDIUM |
| IAC-1019 | Vertex AI index endpoint is public | MEDIUM |
| IAC-1020 | Vertex AI runtime is not encrypted with a Customer Managed Key (CMK) | MEDIUM |
| IAC-1021 | Vertex AI runtime is public | MEDIUM |
| IAC-1022 | Ensure GCP compute regional forwarding rule does not use HTTP proxies with EXTERNAL load balancing scheme | MEDIUM |
| IAC-1023 | Ensure GCP compute global forwarding rule does not use HTTP proxies with EXTERNAL load balancing scheme | MEDIUM |
| IAC-1024 | Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn’t true on environment variables | MEDIUM |
| IAC-1026 | Suspicious use of curl with secrets | MEDIUM |
| IAC-1028 | Found artifact build without evidence of cosign sign execution in pipeline | MEDIUM |
| IAC-1029 | Found artifact build without evidence of cosign sbom attestation in pipeline | MEDIUM |
| IAC-1030 | The build output cannot be affected by user parameters other than the build entry point and the top-level source location. GitHub Actions workflow_dispatch inputs MUST be empty. | MEDIUM |
| IAC-1031 | Ensure top-level permissions are not set to write-all | MEDIUM |
| IAC-1033 | GitHub repository webhook defined in Terraform does not use a secure SSL | MEDIUM |
| IAC-1036 | GitHub pull request configurations defined in Terraform have less than 2 approvals | MEDIUM |
| IAC-1038 | Ensure each Repository has branch protection associated | MEDIUM |
| IAC-1040 | Ensure GitHub organization security settings require SSO | MEDIUM |
| IAC-1041 | Ensure GitHub organization security settings has IP allow list enabled | MEDIUM |
| IAC-1042 | Ensure GitHub branch protection rules require signed commits | MEDIUM |
| IAC-1043 | GitHub merge requests should require at least 2 approvals | MEDIUM |
| IAC-1046 | Ensure GitHub branch protection rules require linear history | MEDIUM |
| IAC-1047 | Ensure 2 admins are set for each repository | MEDIUM |
| IAC-1048 | Ensure branch protection rules are enforced on administrators | MEDIUM |
| IAC-1049 | Ensure GitHub branch protection dismisses stale review on new commit | MEDIUM |
| IAC-1050 | Ensure GitHub branch protection restricts who can dismiss PR reviews | MEDIUM |
| IAC-1051 | Ensure GitHub branch protection requires CODEOWNER reviews | MEDIUM |
| IAC-1052 | Ensure all checks have passed before the merge of new code | MEDIUM |
| IAC-1053 | Ensure inactive branches are reviewed and removed periodically | MEDIUM |
| IAC-1054 | Ensure GitHub branch protection requires conversation resolution | MEDIUM |
| IAC-1055 | Ensure GitHub branch protection requires push restrictions | MEDIUM |
| IAC-1056 | Ensure GitHub branch protection rules do not allow deletions | MEDIUM |
| IAC-1057 | Ensure any change to code receives approval of two strongly authenticated users | MEDIUM |
| IAC-1058 | Ensure open git branches are up to date before they can be merged into codebase | MEDIUM |
| IAC-1059 | Ensure public repository creation is limited to specific members | MEDIUM |
| IAC-1060 | Ensure private repository creation is limited to specific members | MEDIUM |
| IAC-1061 | Ensure internal repository creation is limited to specific members | MEDIUM |
| IAC-1062 | Ensure minimum admins are set for the organization | MEDIUM |
| IAC-1063 | Ensure strict base permissions are set for repositories | MEDIUM |
| IAC-1064 | Ensure an organization’s identity is confirmed with a Verified badge Passed | MEDIUM |
| IAC-1065 | Merge requests should require at least 2 approvals | MEDIUM |
| IAC-1066 | Suspicious use of curl with CI environment variables in script | MEDIUM |
| IAC-1067 | Avoid creating rules that generate double pipelines | MEDIUM |
| IAC-1069 | Gitlab project defined in Terraform requires fewer than 2 approvals | MEDIUM |
| IAC-1071 | Gitlab project defined in Terraform does not prevent secrets | MEDIUM |
| IAC-1073 | IBM Cloud Application Load Balancer for VPC has public access enabled in Terraform | MEDIUM |
| IAC-1075 | IBM Cloud API key creation is not restricted in account settings in Terraform | MEDIUM |
| IAC-1076 | IBM Cloud Multi-Factor Authentication (MFA) not enabled at the account level in Terraform | MEDIUM |
| IAC-1077 | IBM Cloud Service ID creation is not restricted in account settings in Terraform | MEDIUM |
| IAC-1078 | IBM Cloud Kubernetes clusters are accessible by using public endpoint in Terraform | MEDIUM |
| IAC-1197 | Minimize the admission of pods which lack an associated NetworkPolicy | MEDIUM |
| IAC-1199 | Ensure SSH key set in authorized_keys | MEDIUM |
| IAC-1200 | Ensure email is set | MEDIUM |
| IAC-1201 | Ensure username is set | MEDIUM |
| IAC-1204 | Ensure HTTP HTTPS Target group defines Healthcheck | MEDIUM |
| IAC-1205 | Ensure every access control groups rule has a description | MEDIUM |
| IAC-1206 | Ensure no security group rules allow outbound traffic to 0.0.0.0/0 | MEDIUM |
| IAC-1211 | Ensure no NACLs allow inbound from 0.0.0.0:0 to port 20 | MEDIUM |
| IAC-1212 | Ensure no NACLs allow inbound from 0.0.0.0:0 to port 21 | MEDIUM |
| IAC-1215 | An inbound Network ACL rule should not allow ALL ports. | MEDIUM |
| IAC-1216 | Ensure LB Listener uses only secure protocols | MEDIUM |
| IAC-1218 | Ensure Load Balancer Target Group is not using HTTP | MEDIUM |
| IAC-1219 | Ensure Load Balancer isn’t exposed to the internet | MEDIUM |
| IAC-1220 | Ensure that Auto Scaling groups that are associated with a load balancer are using Load Balancing health checks. | MEDIUM |
| IAC-1221 | Ensure Naver Kubernetes Service public endpoint disabled | MEDIUM |
| IAC-1222 | Ensure Routing Table associated with Web tier subnet have the default route (0.0.0.0/0) defined to allow connectivity | MEDIUM |
| IAC-1223 | Ensure NKS control plane logging enabled for all log types | MEDIUM |
| IAC-1224 | Ensure Server instance does not have a public IP. | MEDIUM |
| IAC-1225 | Ensure Load Balancer Listener Using HTTPS | MEDIUM |
| IAC-1226 | Ensure no access control groups allow inbound from 0.0.0.0:0 to port 80 | MEDIUM |
| IAC-1227 | Ensure Access Control Group has Access Control Group Rule attached | MEDIUM |
| IAC-1232 | OCI Compute Instance has Legacy MetaData service endpoint enabled | MEDIUM |
| IAC-1238 | OCI IAM password policy for local (non-federated) users does not have a lowercase character | MEDIUM |
| IAC-1239 | OCI IAM password policy for local (non-federated) users does not have a number | MEDIUM |
| IAC-1240 | OCI IAM password policy for local (non-federated) users does not have a symbol | MEDIUM |
| IAC-1241 | OCI IAM password policy for local (non-federated) users does not have an uppercase character | MEDIUM |
| IAC-1244 | OCI VCN Security list has stateful security rules | MEDIUM |
| IAC-1245 | OCI IAM password policy for local (non-federated) users does not have minimum 14 characters | MEDIUM |
| IAC-1248 | OCI Network Security Groups (NSG) has stateful security rules | MEDIUM |
| IAC-1250 | Ensure OCI Data Catalog is configured without overly permissive network access | MEDIUM |
| IAC-1251 | OCI tenancy administrator users are associated with API keys | MEDIUM |
| IAC-1254 | OCI File Storage File System access is not restricted to root users | MEDIUM |
| IAC-1265 | Security scopes of operations are not defined in securityDefinition | MEDIUM |
| IAC-1268 | Security definition uses the deprecated implicit flow on OAuth2 | MEDIUM |
| IAC-1270 | Operation Objects Use 'Implicit' Flow | MEDIUM |
| IAC-1273 | Operation objects for PUT, POST, and PATCH operations do not have a 'consumes' field defined | MEDIUM |
| IAC-1275 | The global security scope is not defined in the securityDefinitions | MEDIUM |
| IAC-1277 | Array does not have a maximum number of items | MEDIUM |
| IAC-1284 | Plain-text management HTTP enabled for Interface Management Profile in Palo Alto Networks devices | MEDIUM |
| IAC-1285 | Plain-text management Telnet enabled for Interface Management Profile in Palo Alto Networks devices | MEDIUM |
| IAC-1286 | Disable Server Response Inspection (DSRI) enabled in security policies for Palo Alto Networks devices | MEDIUM |
| IAC-1287 | Security rule allows any application on Palo Alto Networks devices | MEDIUM |
| IAC-1294 | IPsec profile uses insecure authentication algorithms on Palo Alto Networks devices | MEDIUM |
| IAC-1295 | IPsec profile uses insecure authentication protocols on Palo Alto Networks devices | MEDIUM |
| IAC-1299 | Security rules apply to all zones on Palo Alto Networks devices | MEDIUM |
IAC-1300Artifactory CredentialsMEDIUM
IAC-1303Basic Auth CredentialsMEDIUM
IAC-1311Private KeyMEDIUM
IAC-1312Slack TokenMEDIUM
IAC-1315Stripe Access KeyMEDIUM
IAC-1319Ensure Tencent Cloud CVM instance does not allocate a public IPMEDIUM
IAC-1320Ensure Tencent Cloud CVM monitor service is enabledMEDIUM
IAC-1321Ensure Tencent Cloud CVM instances do not use the default security groupMEDIUM
IAC-1322Ensure Tencent Cloud CVM instances do not use the default VPCMEDIUM
IAC-1323Ensure Tencent Cloud TKE clusters enable log agentMEDIUM
IAC-1324Ensure Tencent Cloud TKE cluster is not assigned a public IP addressMEDIUM
IAC-1326Ensure Tencent Cloud mysql instances do not enable access from public networksMEDIUM
IAC-1327Ensure Tencent Cloud MySQL instances intranet ports are not set to the default 3306MEDIUM
IAC-1328Ensure Tencent Cloud CLB has a logging ID and topicMEDIUM
IAC-1329Ensure Tencent Cloud CLBs use modern, encrypted protocolsMEDIUM
IAC-1331Ensure Tencent Cloud VPC flow logs are enabledMEDIUM
IAC-1332Terraform module sources do not use a git url with a commit hash revisionMEDIUM
IAC-1334Ensure security group is assigned to database cluster.MEDIUM
IAC-1335Ensure compute instance does not have public IP.MEDIUM
IAC-1337Ensure compute instance does not have serial console enabled.MEDIUM
IAC-1338Ensure Kubernetes cluster does not have public IP address.MEDIUM
IAC-1339Ensure Kubernetes cluster node group does not have public IP addresses.MEDIUM
IAC-1340Ensure Kubernetes cluster auto-upgrade is enabled.MEDIUM
IAC-1341Ensure Kubernetes node group auto-upgrade is enabled.MEDIUM
IAC-1342Ensure KMS symmetric key is rotated.MEDIUM
IAC-1344Ensure security group is assigned to network interface.MEDIUM
IAC-1345Ensure public IP is not assigned to database cluster.MEDIUM
IAC-1346Ensure cloud member does not have elevated access.MEDIUM
IAC-1347Ensure security group is assigned to Kubernetes cluster.MEDIUM
IAC-1348Ensure security group is assigned to Kubernetes node group.MEDIUM
IAC-1349Ensure network policy is assigned to Kubernetes cluster.MEDIUM
IAC-1351Ensure compute instance group does not have public IP.MEDIUM
IAC-1354Ensure organization member does not have elevated access.MEDIUM
IAC-1355Ensure compute instance group has security group assigned.MEDIUM
IAC-1356Ensure folder member does not have elevated access.MEDIUM
IAC-1357Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible.MEDIUM
IAC-0007Alibaba Cloud disk encryption is disabledLOW
IAC-0008Alibaba Cloud Disk is not encrypted with Customer Master KeyLOW
IAC-0009Alibaba Cloud database instance accessible to publicLOW
IAC-0010Alibaba Cloud OSS bucket has versioning disabledLOW
IAC-0011Alibaba Cloud OSS bucket has transfer Acceleration disabledLOW
IAC-0012Alibaba Cloud OSS bucket has access logging enabledLOW
IAC-0020Alibaba Cloud RDS instance does not use SSLLOW
IAC-0021Alibaba Cloud API Gateway API Protocol does not use HTTPSLOW
IAC-0022Alibaba Cloud Transparent Data Encryption is disabled on instanceLOW
IAC-0024Alibaba Cloud RAM does not enforce MFALOW
IAC-0025Alibaba Cloud RDS Instance SQL Collector Retention Period is less than 180LOW
IAC-0026Alibaba Cloud Kubernetes does not install plugin Terway or Flannel to support standard policiesLOW
IAC-0027Alibaba Cloud KMS Key Rotation is disabledLOW
IAC-0028Alibaba Cloud KMS Key is disabledLOW
IAC-0029Alibaba cloud ALB ACL does not restrict public accessLOW
IAC-0030Alibaba Cloud RDS instance is not set to perform auto upgrades for minor versionsLOW
IAC-0031Alibaba Cloud Kubernetes node pools are not set to auto repairLOW
IAC-0032Alibaba Cloud launch template data disks are not encryptedLOW
IAC-0033Alibaba Cloud Cypher Policy is not securedLOW
IAC-0034Alibaba Cloud RDS instance does not have log_duration enabledLOW
IAC-0035Alibaba Cloud RDS instance has log_disconnections disabledLOW
IAC-0036Alibaba RDS instance has log_connections disabledLOW
IAC-0037Alibaba Cloud RDS log audit is disabledLOW
IAC-0038Alibaba Cloud MongoDB is not deployed inside a VPCLOW
IAC-0039Alibaba Cloud Mongodb instance does not use SSLLOW
IAC-0040Alibaba Cloud MongoDB instance is publicLOW
IAC-0041Alibaba Cloud MongoDB does not have transparent data encryption enabledLOW
IAC-0046Usage of packages with unauthenticated or missing signatures allowedLOW
IAC-0047Usage of the force parameter disabling signature validation allowedLOW
IAC-0050Missing 'Rescue' section in Ansible block tasksLOW
IAC-0066AWS IAM password policy does not have a numberLOW
IAC-0076AWS SageMaker notebook instance not configured with data encryption at rest using KMS keyLOW
IAC-0092AWS EKS cluster security group overly permissive to all trafficLOW
IAC-0093AWS EKS cluster endpoint access publicly enabledLOW
IAC-0104AWS Lambda functions with tracing not enabledLOW
IAC-0128Global Accelerator does not have Flow logs enabledLOW
IAC-0140AWS Redshift cluster is publicly accessibleLOW
IAC-0159AWS EBS volume region with encryption is disabledLOW
IAC-0167AWS EMR cluster is not configured with Kerberos AuthenticationLOW
IAC-0175AWS SageMaker notebook instance configured with direct internet access featureLOW
IAC-0177AWS CloudFormation stack configured without SNS topicLOW
IAC-0180Respective logs of Amazon RDS are disabledLOW
IAC-0181AWS VPC subnets should not allow automatic public IP assignmentLOW
IAC-0183AWS RDS instance without Automatic Backup settingLOW
IAC-0185EC2 EBS is not optimizedLOW
IAC-0187AWS Elasticsearch is not configured inside a VPCLOW
IAC-0188AWS Elastic Load Balancer (Classic) with cross-zone load balancing disabledLOW
IAC-0190Unencrypted RDS global clustersLOW
IAC-0191Redshift clusters version upgrade is not defaultLOW
IAC-0193S3 bucket lock configuration disabledLOW
IAC-0194S3 bucket cross-region replication disabledLOW
IAC-0195S3 buckets are not encrypted with KMSLOW
IAC-0196AWS RDS DB snapshot is not encryptedLOW
IAC-0198Default VPC is planned to be provisionedLOW
IAC-0200AWS Elastic Load Balancer v2 with deletion protection feature disabledLOW
IAC-0202Autoscaling groups did not supply tags to launch configurationsLOW
IAC-0220AWS EMR cluster is not configured with SSE KMS for data at rest encryption (Amazon S3 with EMRFS)LOW
IAC-0224AWS WAF does not have associated rulesLOW
IAC-0225AWS WAF Web Access Control Lists logging is disabledLOW
IAC-0226AWS Kinesis Video Stream not encrypted using Customer Managed KeyLOW
IAC-0227AWS fx ontap file system not encrypted using Customer Managed KeyLOW
IAC-0228AWS FSX Windows filesystem not encrypted using Customer Managed KeyLOW
IAC-0229AWS Image Builder component not encrypted using Customer Managed KeyLOW
IAC-0230AWS S3 Object Copy not encrypted using Customer Managed KeyLOW
IAC-0231AWS Doc DB not encrypted using Customer Managed KeyLOW
IAC-0232AWS EBS Snapshot Copy not encrypted using Customer Managed KeyLOW
IAC-0233AWS Elastic File System (EFS) is not encrypted using Customer Managed KeyLOW
IAC-0234AWS Kinesis streams encryption is using default KMS keys instead of Customer's Managed Master KeysLOW
IAC-0235AWS S3 bucket Object not encrypted using Customer Managed KeyLOW
IAC-0236AWS Sagemaker domain not encrypted using Customer Managed KeyLOW
IAC-0237AWS EBS Volume not encrypted using Customer Managed KeyLOW
IAC-0238AWS lustre file system not configured with CMK keyLOW
IAC-0239AWS Elasticache replication group not configured with CMK keyLOW
IAC-0244AWS Elasticache security groups are not definedLOW
IAC-0245AWS MQBroker audit logging is disabledLOW
IAC-0246AWS RDS security groups are not definedLOW
IAC-0247AWS Image Builder Distribution Configuration is not encrypting AMI by Key Management Service (KMS) using a Customer Managed Key (CMK)LOW
IAC-0248AWS Image Recipe EBS Disk are not encrypted using a Customer Managed Key (CMK)LOW
IAC-0249AWS MemoryDB is not encrypted at rest by AWS' Key Management Service KMS using CMKsLOW
IAC-0250AWS MemoryDB data is not encrypted in transitLOW
IAC-0251AWS FSX openzfs is not encrypted by AWS' Key Management Service (KMS) using a Customer Managed Key (CMK)LOW
IAC-0252AWS AMIs are not encrypted by Key Management Service (KMS) using Customer Managed Keys (CMKs)LOW
IAC-0253AWS AMI launch permissions are not limitedLOW
IAC-0254AWS API Gateway Domain does not use a modern security policyLOW
IAC-0255AWS MQBroker's minor version updates are disabledLOW
IAC-0256AWS MQBroker version is not up to dateLOW
IAC-0257AWS MQ Broker is not encrypted by Customer Managed Key (CMK)LOW
IAC-0258AWS Batch Job is defined as a privileged containerLOW
IAC-0259AWS RDS does not use a modern CaCertLOW
IAC-0260AWS EBS Volume is not encrypted by Key Management Service (KMS) using a Customer Managed Key (CMK)LOW
IAC-0261AWS ELB Policy uses some unsecure protocolsLOW
IAC-0262AWS Appsync API Cache is not encrypted at restLOW
IAC-0263AWS Appsync API Cache is not encrypted in transitLOW
IAC-0264AWS Cloudfront distribution is disabledLOW
IAC-0265AWS API deployments do not enable Create before DestroyLOW
IAC-0266AWS Cloudsearch does not use the latest (Transport Layer Security) TLSLOW
IAC-0267AWS CodePipeline artifactStore is not encrypted by Key Management Service (KMS) using a Customer Managed Key (CMK)LOW
IAC-0268AWS Cloudsearch does not use HTTPsLOW
IAC-0269AWS Code Artifact Domain is not encrypted by KMS using a Customer Managed Key (CMK)LOW
IAC-0270AWS DMS replication instance automatic version upgrade disabledLOW
IAC-0271AWS ECS Cluster does not enable logging of ECS ExecLOW
IAC-0272AWS cluster logging is not enabled or client to container communication not encrypted using a Customer Managed Key (CMK)LOW
IAC-0273AWS API Gateway method settings do not enable cachingLOW
IAC-0274AWS DB instance does not get all minor upgrades automaticallyLOW
IAC-0275AWS Key Management Service (KMS) key is disabledLOW
IAC-0276AWS Elasticsearch domain does not use an updated TLS policyLOW
IAC-0277AWS NACL allows ingress from 0.0.0.0/0 to port 21LOW
IAC-0278AWS NACL allows ingress from 0.0.0.0/0 to port 20LOW
IAC-0279AWS NACL allows ingress from 0.0.0.0/0 to port 3389LOW
IAC-0280AWS NACL allows ingress from 0.0.0.0/0 to port 22LOW
IAC-0281AWS ACM certificate does not enable Create before DestroyLOW
IAC-0282AWS ACM certificates does not have logging preferenceLOW
IAC-0283AWS copied AMIs are not encryptedLOW
IAC-0284AWS AMI copying does not use a Customer Managed Key (CMK)LOW
IAC-0285Ensure AWS API gateway enables Create before DestroyLOW
IAC-0287AWS DAX cluster endpoint does not use TLS (Transport Layer Security)LOW
IAC-0288AWS Kinesis Firehose's delivery stream is not encryptedLOW
IAC-0289AWS Kinesis Firehose Delivery Streams are not encrypted with CMKLOW
IAC-0290AWS MWAA environment has scheduler logs disabledLOW
IAC-0291AWS MWAA environment has worker logs disabledLOW
IAC-0292AWS MWAA environment has webserver logs disabledLOW
IAC-0293AWS replicated backups are not encrypted at rest by Key Management Service (KMS) using a Customer Managed Key (CMK)LOW
IAC-0294AWS RDS Cluster activity streams are not encrypted by Key Management Service (KMS) using Customer Managed Keys (CMKs)LOW
IAC-0295AWS all data stored in the Elasticsearch domain is not encrypted using a Customer Managed Key (CMK)LOW
IAC-0296AWS Elasticsearch uses the default security groupLOW
IAC-0297AWS Execution Role ARN and Task Role ARN are different in ECS Task definitionsLOW
IAC-0300AWS CloudTrail does not define an SNS TopicLOW
IAC-0301AWS DLM cross-region events are not encryptedLOW
IAC-0302AWS DLM cross-region events are not encrypted with a Customer Managed Key (CMK)LOW
IAC-0303AWS DLM-cross region schedules are not encryptedLOW
IAC-0304AWS DLM cross-region schedules are not encrypted using a Customer Managed Key (CMK)LOW
IAC-0305AWS Codecommit branch changes has less than 2 approvalsLOW
IAC-0307AWS CloudFront response header policy does not enforce Strict Transport SecurityLOW
IAC-0309AWS HTTP and HTTPS target groups do not define health checkLOW
IAC-0310AWS Kendra index Server side encryption does not use Customer Managed Keys (CMKs)LOW
IAC-0311AWS App Flow flow does not use Customer Managed Keys (CMKs)LOW
IAC-0312AWS App Flow connector profile does not use Customer Managed Keys (CMKs)LOW
IAC-0313AWS Keyspace Table does not use Customer Managed Keys (CMKs)LOW
IAC-0314AWS RDS DB snapshot does not use Customer Managed Keys (CMKs)LOW
IAC-0321Access is not controlled through Single Sign-On (SSO)LOW
IAC-0324Data Trace is not enabled in the API Gateway Method SettingsLOW
IAC-0332State machine does not have X-ray tracing enabledLOW
IAC-0348AWS Lambda Function resource-based policy is overly permissiveLOW
IAC-0360RDS cluster is not configured to copy tags to snapshotsLOW
IAC-0370ElastiCache cluster is using the default subnet groupLOW
IAC-0372RDS Cluster audit logging for MySQL engine is disabledLOW
IAC-0378AWS Transit Gateway auto accept vpc attachment is enabledLOW
IAC-0380AWS ECS services have automatic public IP address assignment enabledLOW
IAC-0389WAF rule does not have any actionsLOW
IAC-0396AWS EMR cluster is not enabled with local disk encryptionLOW
IAC-0398AWS EMR cluster is not enabled with data encryption in transitLOW
IAC-0400RDS instances have performance insights disabledLOW
IAC-0406AWS Neptune Cluster not configured with IAM authenticationLOW
IAC-0407AWS DocumentDB clusters have backup retention period less than 7 daysLOW
IAC-0409Clusters of Neptune DB do not replicate tags to snapshotsLOW
IAC-0421AWS CloudFront web distribution with geo restriction disabledLOW
IAC-0422AWS S3 bucket has global view ACL permissions enabledLOW
IAC-0423AWS Elastic Load Balancer with listener TLS/SSL is not configuredLOW
IAC-0424Route 53 domains do not have transfer lock protectionLOW
IAC-0427AWS Transfer Server not using latest Security PolicyLOW
IAC-0428AWS CodeGuru Reviewer repository association does not use a Customer Managed Key (CMK)LOW
IAC-0429AWS Security Group allows unrestricted egress trafficLOW
IAC-0430AWS Bedrock agent is not associated with Bedrock guardrailsLOW
IAC-0441Not only encrypted EBS volumes are attached to EC2 instancesLOW
IAC-0442GuardDuty is not enabled to specific org/regionLOW
IAC-0443API Gateway stage does not have logging level defined appropriatelyLOW
IAC-0444Security Groups are not attached to EC2 instances or ENIsLOW
IAC-0445S3 Bucket does not have public access blocksLOW
IAC-0446Amazon EMR clusters' security groups are open to the worldLOW
IAC-0447RDS clusters do not have an AWS Backup backup planLOW
IAC-0448EBS does not have an AWS Backup backup planLOW
IAC-0451AWS Default Security Group does not restrict all trafficLOW
IAC-0453Auto scaling groups associated with a load balancer do not use elastic load balancing health checksLOW
IAC-0455Amazon EFS does not have an AWS Backup backup planLOW
IAC-0456Not all EIP addresses allocated to a VPC are attached to EC2 instancesLOW
IAC-0457ALB does not redirect HTTP requests into HTTPS onesLOW
IAC-0458Not all IAM users are members of at least one IAM groupLOW
IAC-0462AWS Application Load Balancer (ALB) not configured with AWS Web Application Firewall v2 (AWS WAFv2)LOW
IAC-0464AWS Postgres RDS have Query Logging disabledLOW
IAC-0465AWS WAF2 does not have a Logging ConfigurationLOW
IAC-0466AWS CloudFront distribution does not have a strict security headers policy attachedLOW
IAC-0467AWS AppSync is not protected by WAFLOW
IAC-0468AWS SSM Parameter is not encryptedLOW
IAC-0469AWS NAT Gateways are not utilized for the default routeLOW
IAC-0470AWS Terraform sends SSM secrets to untrusted domains over HTTPLOW
IAC-0471AWS Codecommit is not associated with an approval ruleLOW
IAC-0473Domain Name System (DNS) query logging is not enabled for Amazon Route 53 hosted zonesLOW
IAC-0476AWS CloudFront web distribution with default SSL certificateLOW
IAC-0478AWS route table with VPC peering overly permissive to all trafficLOW
IAC-0480AWS Cloudfront Distribution with S3 have Origin Access set to disabledLOW
IAC-0483AWS Database Migration Service endpoint do not have SSL configuredLOW
IAC-0485AWS API Gateway endpoints without client certificate authenticationLOW
IAC-0486AWS OpenSearch Fine-grained access control is disabledLOW
IAC-0487AWS API gateway request parameter is not validatedLOW
IAC-0491AWS Secret Manager Automatic Key Rotation is not enabledLOW
IAC-0493AWS Elasticsearch domain has Dedicated master set to disabledLOW
IAC-0496S3 buckets do not have event notifications enabledLOW
IAC-0499AWS S3 bucket access control lists (ACLs) in useLOW
IAC-0504AWS ACM Certificate with wildcard domain nameLOW
IAC-0514Azure Storage Account without Secure transfer enabledLOW
IAC-0532Azure Microsoft Defender for Cloud security alert email notification is not setLOW
IAC-0554Storage Account name does not follow naming rulesLOW
IAC-0555Azure Storage Account using insecure TLS versionLOW
IAC-0565Azure Function App authentication is offLOW
IAC-0566CORS allows resource to access app servicesLOW
IAC-0567Azure Synapse Workspaces do not enable managed virtual networksLOW
IAC-0568Azure storage account does allow public accessLOW
IAC-0570CORS allows resources to access function appsLOW
IAC-0571Azure App service HTTP logging is disabledLOW
IAC-0572Azure file sync enables public network accessLOW
IAC-0573App service disables detailed error messagesLOW
IAC-0574App service does not enable failed request tracingLOW
IAC-0576PostgreSQL server does not disable public network accessLOW
IAC-0581Azure Automation account variables are not encryptedLOW
IAC-0584Azure Batch account does not use key vault to encrypt dataLOW
IAC-0586Azure App Services FTP deployment is All allowedLOW
IAC-0588Azure App Service Web app doesn't use latest .Net framework versionLOW
IAC-0589Azure App Service Web app does not use latest PHP versionLOW
IAC-0590Azure App Service Web app does not use latest Python versionLOW
IAC-0591Azure App Service Web app does not use latest Java versionLOW
IAC-0596App services do not use Azure filesLOW
IAC-0597Azure cache for Redis has public network access enabledLOW
IAC-0598Not only SSL are enabled for cache for RedisLOW
IAC-0599Azure Linux and Windows Virtual Machines does not utilize Managed DisksLOW
IAC-0600Managed disks do not use a specific set of disk encryption sets for customer-managed key encryptionLOW
IAC-0601My SQL server disables geo-redundant backupsLOW
IAC-0602Automatic OS image patching is disabled for Virtual Machine scale setsLOW
IAC-0603MySQL server disables infrastructure encryptionLOW
IAC-0604Virtual machine scale sets do not have encryption at host enabledLOW
IAC-0605Azure container container group is not deployed into a virtual networkLOW
IAC-0606Cosmos DB accounts do not have restricted accessLOW
IAC-0607Cosmos DB Accounts do not have CMKs encrypting data at restLOW
IAC-0608Azure Cosmos DB enables public network accessLOW
IAC-0609PostgreSQL server enables geo-redundant backupsLOW
IAC-0610Azure Data Factory does not use Git repository for source controlLOW
IAC-0614API management services do not use virtual networksLOW
IAC-0618Key vault does not enable soft-deleteLOW
IAC-0619Key vault key is not backed by HSMLOW
IAC-0620SQL Server is enabled for public network accessLOW
IAC-0621Key vault secrets do not have content_type setLOW
IAC-0622AKS is not enabled for private clustersLOW
IAC-0623AKS does not use Azure policies add-onLOW
IAC-0624Azure AKS cluster is not configured with disk encryption setLOW
IAC-0626Network interfaces use public IPsLOW
IAC-0627Azure application gateway does not have WAF enabledLOW
IAC-0628Azure Front Door does not have the Azure Web application firewall (WAF) enabledLOW
IAC-0629Application gateway does not use WAF in Detection or Prevention modesLOW
IAC-0630Azure front door does not use WAF in Detection or Prevention modesLOW
IAC-0631Azure cognitive search does not disable public network accessLOW
IAC-0632Active Directory is not used for authentication for Service FabricLOW
IAC-0633Azure Service Fabric cluster not configured with cluster protection level securityLOW
IAC-0634My SQL server does not enable Threat Detection policyLOW
IAC-0635PostgreSQL server does not enable Threat Detection policyLOW
IAC-0636MariaDB server does not enable geo-redundant backupsLOW
IAC-0637PostgreSQL server does not enable infrastructure encryptionLOW
IAC-0640Azure Front Door Web application firewall (WAF) policy rule for Remote Command Execution is disabledLOW
IAC-0642Azure Application Gateway Web application firewall (WAF) policy rule for Remote Command Execution is disabledLOW
IAC-0643Azure PostgreSQL Flexible Server does not enable geo-redundant backupsLOW
IAC-0644Azure ACR admin account is enabledLOW
IAC-0645Azure ACR enables anonymous image pullingLOW
IAC-0647Azure CosmosDB does not have Local Authentication disabledLOW
IAC-0648Azure Kubernetes Service (AKS) local admin account is enabledLOW
IAC-0649Azure Machine Learning Compute Cluster Local Authentication is enabledLOW
IAC-0650Azure AKS cluster nodes have public IP addressesLOW
IAC-0651Azure Machine Learning Workspace is publicly accessibleLOW
IAC-0652Azure Function App doesn't use latest TLS versionLOW
IAC-0653Server Parameter 'log_retention' is Set to 'OFF' for PostgreSQL Database ServerLOW
IAC-0654Azure PostgreSQL does not use the latest version of TLS encryptionLOW
IAC-0655Azure Redis Cache does not use the latest version of TLS encryptionLOW
IAC-0656Azure SQL on Virtual Machine (Linux) with basic authenticationLOW
IAC-0657Azure Machine Learning Compute Cluster Minimum Nodes is not set to 0LOW
IAC-0658Azure Windows VM does not enable encryptionLOW
IAC-0659Azure Client Certificates are not enforced for API managementLOW
IAC-0660Azure web app does not redirect all HTTP traffic to HTTPS in Azure App Service SlotLOW
IAC-0661Azure App's service slot does not use the latest version of TLS encryptionLOW
IAC-0662Azure App service slot does not have debugging disabledLOW
IAC-0663Azure SQL Server does not have default auditing policy configuredLOW
IAC-0664Azure Data exfiltration protection for Azure Synapse workspace is disabledLOW
IAC-0665Azure Databricks workspace is publicLOW
IAC-0666Azure Built-in logging for Azure function app is disabledLOW
IAC-0667Azure HTTP (port 80) access from the internet is not restrictedLOW
IAC-0668Azure Spring Cloud API Portal is not enabled for HTTPSLOW
IAC-0669Azure Spring Cloud API Portal Public Access Is EnabledLOW
IAC-0674Azure Container Registry (ACR) Doesn't Have a Retention Policy SetLOW
IAC-0675Azure Kubernetes Cluster (AKS) Nodes Don't Limit the Maximum Pods to Greater than 50LOW
IAC-0676Azure Kubernetes Cluster (AKS) Nodes Do Not Use Scale SetsLOW
IAC-0677AKS Doesn't Use the Paid SKU for its SLALOW
IAC-0678AKS Cluster Without Upgrade ChannelLOW
IAC-0682Web PubSub Without SLA SKULOW
IAC-0686VM Without Azure VM Agent InstalledLOW
IAC-0687Azure Data Explorer without SLALOW
IAC-0689VNET With Only One DNS EndpointLOW
IAC-0695App Configuration Not Using Standard SKULOW
IAC-0703Azure SignalR Service not Using Paid SKU for its SLALOW
IAC-0710Azure Service Bus with Local Authentication EnabledLOW
IAC-0713Azure Storage Accounts Without Proper ReplicationLOW
IAC-0715Azure Cognitive Search Without SLA Index UpdatesLOW
IAC-0716Azure Cognitive Search Without SLA for Search Index QueriesLOW
IAC-0718Azure App Service Plan is Not Suitable for ProductionLOW
IAC-0719Azure App Service Instance Lacks RedundancyLOW
IAC-0720Azure App Service Health Check MissingLOW
IAC-0721Azure App Service Not Always OnLOW
IAC-0725Azure Application Gateway is configured with SSL policy having TLS version 1.1 or lowerLOW
IAC-0740Azure Container Registry (ACR) not zone redundantLOW
IAC-0742Azure Container Instance environment variable with regular value typeLOW
IAC-0743Azure Cognitive Services account configured with local authenticationLOW
IAC-0744Azure Container Registry dedicated data endpoint is disabledLOW
IAC-0747Azure Synapse Workspace not encrypted with a Customer Managed Key (CMK)LOW
IAC-0748Azure Synapse SQL pool not encryptedLOW
IAC-0751Local users used for Azure StorageLOW
IAC-0752Azure Container Instance is not configured with virtual networkLOW
IAC-0753Azure AKS cluster HTTP application routing enabledLOW
IAC-0761Azure SQL Server ADS Vulnerability Assessment (VA) Periodic recurring scans is disabledLOW
IAC-0762Azure SQL Server ADS Vulnerability Assessment (VA) 'Send scan reports to' is not configuredLOW
IAC-0763Azure SQL Server ADS Vulnerability Assessment (VA) 'Also send email notifications to admins and subscription owners' is disabledLOW
IAC-0765Azure SQL servers which doesn't have Azure Active Directory admin configuredLOW
IAC-0766Azure Storage account container storing activity logs is publicly accessibleLOW
IAC-0767Azure Virtual Machines does not utilise Managed DisksLOW
IAC-0768Microsoft Antimalware is not configured to automatically update Virtual MachinesLOW
IAC-0769Azure Data Explorer encryption at rest does not use a customer-managed keyLOW
IAC-0770Virtual Machines are not backed up using Azure BackupLOW
IAC-0772Unattached disks are not encryptedLOW
IAC-0773Azure data factories are not encrypted with a customer-managed keyLOW
IAC-0774MySQL server does not enable customer-managed key for encryptionLOW
IAC-0775PostgreSQL server does not enable customer-managed key for encryptionLOW
IAC-0776Azure Synapse workspaces have IP firewall rules attachedLOW
IAC-0777Azure storage account logging setting for tables is disabledLOW
IAC-0778Azure storage account logging setting for blobs is disabledLOW
IAC-0779Azure Cognitive Services does not Customer Managed Keys (CMKs) for encryptionLOW
IAC-0782Azure SQL database Transparent Data Encryption (TDE) encryption disabledLOW
IAC-0788Azure Virtual Network subnet is not configured with a Network Security GroupLOW
IAC-0789Azure Key vault Private endpoint connection is not configuredLOW
IAC-0794Azure MariaDB database server not using latest TLS versionLOW
IAC-0795Azure Storage account soft delete is disabledLOW
IAC-0796Azure Virtual machine configured with public IP and serial console accessLOW
IAC-0797Azure Storage account configured with Shared Key authorizationLOW
IAC-0798Azure Storage account not configured with SAS expiration policyLOW
IAC-0812Azure Spring Cloud app end-to-end TLS is disabledLOW
IAC-0829Detecting image usages in circleci pipelinesLOW
IAC-0872GCP Kubernetes Engine Clusters have Network policy disabledLOW
IAC-0873GCP Kubernetes engine clusters have client certificate disabledLOW
IAC-0878GKE control plane is publicLOW
IAC-0879GCP Kubernetes Engine Clusters have Master authorized networks disabledLOW
IAC-0881GCP Kubernetes Engine Clusters not using Container-Optimized OS for Node imageLOW
IAC-0882GCP Kubernetes Engine Clusters have Alias IP disabledLOW
IAC-0883GCP Kubernetes Engine Clusters have pod security policy disabledLOW
IAC-0888GCP cloud storage bucket with uniform bucket-level access disabledLOW
IAC-0893GCP Projects have OS Login disabledLOW
IAC-0894GCP VM instances have serial port access enabledLOW
IAC-0899GCP VM instance with the external IP addressLOW
IAC-0908GCP IAM primitive roles are in useLOW
IAC-0910GCP PostgreSQL instance with log_checkpoints database flag is disabledLOW
IAC-0918GCP SQL Server instance database flag 'contained database authentication' is enabledLOW
IAC-0919GCP Cloud SQL database instances have public IPsLOW
IAC-0923GCP Kubernetes Engine Clusters not configured with private nodes featureLOW
IAC-0924Kubernetes RBAC users are not managed with Google Groups for GKELOW
IAC-0925GCP Kubernetes Engine Clusters have binary authorization disabledLOW
IAC-0926GCP Kubernetes cluster shielded GKE node with Secure Boot disabledLOW
IAC-0927The GKE metadata server is disabledLOW
IAC-0930GCP Kubernetes cluster shielded GKE node with integrity monitoring disabledLOW
IAC-0932GCP VPC Network subnets have Private Google access disabledLOW
IAC-0934GCP VPC Network subnets have Private Google access for IPv6 disabledLOW
IAC-0935 | GCP Google compute firewall ingress allows FTP port (20) access | LOW
IAC-0936 | GCP Cloud Storage does not have versioning enabled | LOW
IAC-0937 | GCP SQL database does not use the latest major version | LOW
IAC-0938 | GCP BigQuery tables are not encrypted with Customer Supplied Encryption Keys (CSEK) | LOW
IAC-0939 | GCP BigQuery datasets are not encrypted with Customer Supplied Encryption Keys (CSEK) | LOW
IAC-0940 | GCP KMS keys are not protected from deletion | LOW
IAC-0941 | GCP Pub/Sub topics are not encrypted with Customer Supplied Encryption Keys (CSEK) | LOW
IAC-0942 | GCP Artifact Registry repositories are not encrypted with Customer Supplied Encryption Keys (CSEK) | LOW
IAC-0943 | GCP Bigtable instances are not encrypted with Customer Supplied Encryption Keys (CSEK) | LOW
IAC-0944 | GCP Cloud Build workers are not private | LOW
IAC-0945 | GCP Data Fusion instances are not private | LOW
IAC-0946 | GCP Firewall rule allows all traffic on MySQL DB port (3306) | LOW
IAC-0948 | GCP Dataflow jobs are not encrypted with Customer Supplied Encryption Keys (CSEK) | LOW
IAC-0949 | GCP Dataproc cluster not configured with Customer-Managed Encryption Key (CMEK) | LOW
IAC-0950 | GCP Vertex AI datasets do not use a Customer Managed Key (CMK) | LOW
IAC-0951 | GCP Spanner database is not encrypted with Customer Supplied Encryption Keys (CSEK) | LOW
IAC-0954 | GCP Vertex AI Metadata Store does not use a Customer Managed Key (CMK) | LOW
IAC-0955 | GCP Memorystore for Redis does not use in-transit encryption | LOW
IAC-0962 | GCP Data Fusion does not have Stackdriver logging enabled | LOW
IAC-0963 | GCP Data Fusion does not have Stackdriver monitoring enabled | LOW
IAC-0967 | Log levels of the GCP PostgreSQL database are not set to ERROR or lower | LOW
IAC-0968 | pgAudit is disabled for the GCP PostgreSQL database | LOW
IAC-0981 | GKE node pool configuration managed at cluster level | LOW
IAC-0982 | GCP Cloud Function configured with overly permissive ingress setting | LOW
IAC-0986 | GCP Kubernetes Engine cluster nodes use the default service account for project access | LOW
IAC-0988 | GCP service account has user-managed keys (not only GCP-managed keys) | LOW
IAC-0989 | GCP log bucket retention policy is not configured using Bucket Lock | LOW
IAC-0992 | A MySQL database instance allows anyone to connect with administrative privileges | LOW
IAC-0997 | GCP Firewall with inbound rule overly permissive to all traffic | LOW
IAC-1005 | GCP SQL MySQL DB instance point-in-time recovery backup (binary logs) is not enabled | LOW
IAC-1032 | GitHub repository defined in Terraform is not private | LOW
IAC-1034 | GitHub repository defined in Terraform doesn't have vulnerability alerts enabled | LOW
IAC-1037 | GitHub repository defined in Terraform does not have GPG signatures for all commits | LOW
IAC-1068 | Detecting image usages in GitLab workflows | LOW
IAC-1072 | GitLab project defined in Terraform does not require signed commits | LOW
IAC-1228 | OCI private keys are hard-coded in the provider | LOW
IAC-1229 | OCI Block Storage block volume does not have backup enabled | LOW
IAC-1231 | OCI Compute instance boot volume has in-transit data encryption disabled | LOW
IAC-1234 | OCI Object Storage bucket does not emit object events | LOW
IAC-1235 | OCI Object Storage bucket has object versioning disabled | LOW
IAC-1255 | OCI Kubernetes Engine cluster boot volume is not configured with in-transit data encryption | LOW
IAC-1256 | OCI Kubernetes Engine cluster pod security policy not enforced | LOW
IAC-1272 | Operation objects do not have the 'produces' field defined for GET operations | LOW
IAC-1278 | OpenStack hard-coded password, token, or application_credential_secret exists in provider | LOW
IAC-1280 | OpenStack security group allows ingress from 0.0.0.0/0 to port 3389 (tcp / udp) | LOW
IAC-1281 | OpenStack instance uses basic credentials | LOW
IAC-1282 | OpenStack firewall rule does not have a destination IP configured | LOW
IAC-1288 | Security rule permits any service on Palo Alto Networks devices | LOW
IAC-1289 | Security rule in Palo Alto Networks devices with overly broad source and destination IPs | LOW
IAC-1291 | Log Forwarding Profile not selected for a Palo Alto Networks device security policy rule | LOW
IAC-1292 | End-of-session logging disabled on Palo Alto Networks security policies | LOW
IAC-1296 | Security zone on Palo Alto Networks devices does not have an associated Zone Protection Profile | LOW
IAC-1297 | Include ACL (Access Control List) not defined for a security zone in Palo Alto Networks devices with User-ID enabled | LOW
IAC-1298 | Logging at session start enabled on Palo Alto Networks devices | LOW
IAC-1304 | Cloudant Credentials | LOW
IAC-1305 | Base64 High Entropy Strings | LOW
IAC-1307 | IBM COS HMAC Credentials | LOW
IAC-1308 | JSON Web Token | LOW
IAC-1309 | Mailchimp Access Key | LOW
IAC-1310 | NPM Token | LOW
IAC-1313 | SoftLayer Credentials | LOW
IAC-1314 | Square OAuth Secret | LOW
IAC-1316 | Twilio Access Key | LOW
IAC-1317 | Hex High Entropy String | LOW
IAC-0002 | Alibaba Cloud Security group allows internet traffic to SSH port (22) | INFO
IAC-0003 | Alibaba Cloud Security group allows internet traffic to RDP port (3389) | INFO
IAC-0013 | Alibaba Cloud RAM password policy does not have a minimum of 14 characters | INFO
IAC-0015 | Alibaba Cloud RAM password policy does not have a symbol | INFO
IAC-0016 | Alibaba Cloud RAM password policy does not expire in 90 days | INFO
IAC-0017 | Alibaba Cloud RAM password policy does not have a lowercase character | INFO
IAC-0063 | AWS IAM password policy does not expire in 90 days | INFO
IAC-0064 | AWS IAM password policy does not have a minimum of 14 characters | INFO
IAC-0065 | AWS IAM password policy does not have a lowercase character | INFO
IAC-0068 | AWS IAM password policy does not have a symbol | INFO
IAC-0069 | AWS IAM password policy does not have an uppercase character | INFO
IAC-0091 | AWS EKS control plane logging disabled | INFO
IAC-0125 | AWS SQS queue access policy is overly permissive | INFO
IAC-0172 | AWS DynamoDB encrypted using AWS owned CMK instead of AWS managed CMK | INFO
IAC-0184 | AWS ElastiCache Redis cluster is not configured with automatic backup | INFO
IAC-0189 | AWS RDS cluster deletion protection is disabled | INFO
IAC-0192 | AWS Redshift cluster not encrypted using Customer Managed Key | INFO
IAC-0201 | AWS Elastic Load Balancer v2 (ELBv2) with cross-zone load balancing disabled | INFO
IAC-0286 | AWS GuardDuty detector is not enabled | INFO
IAC-0299 | AWS CloudTrail logging is disabled | INFO
IAC-0342 | CloudTrail Event Data Store does not use Customer Managed Keys (CMKs) | INFO
IAC-0353 | AWS SageMaker notebook instance is not placed in a VPC | INFO
IAC-0354 | AWS SageMaker notebook instance with root access enabled | INFO
IAC-0361 | AWS CodeBuild project not configured with a logging configuration | INFO
IAC-0369 | AWS ElastiCache Redis cluster automatic version upgrade disabled | INFO
IAC-0374 | AWS RDS DB cluster is encrypted using the default KMS key instead of a CMK | INFO
IAC-0383 | AWS ECS task definition is not configured with read-only access to container root filesystems | INFO
IAC-0385 | AWS CloudWatch log groups retention set to less than 365 days | INFO
IAC-0387 | AWS Elastic Beanstalk environment managed platform updates are not enabled | INFO
IAC-0408 | AWS Neptune DB clusters have a backup retention period of less than 7 days | INFO
IAC-0440 | AWS Network ACL is not in use | INFO
IAC-0449 | AWS CloudTrail trail logs are not integrated with CloudWatch Logs | INFO
IAC-0450 | AWS VPC Flow Logs not enabled | INFO
IAC-0452 | AWS IAM group not in use | INFO
IAC-0454 | AWS DynamoDB table Auto Scaling not enabled | INFO
IAC-0461 | AWS RDS Postgres cluster does not have query logging enabled | INFO
IAC-0475 | AWS EC2 instance does not have an IAM role attached | INFO
IAC-0479 | AWS Config recording is disabled | INFO
IAC-0482 | AWS Config does not record all resource types | INFO
IAC-0484 | AWS ElastiCache Redis cluster with Multi-AZ Automatic Failover feature set to disabled | INFO
IAC-0489 | AWS EMR cluster is not configured with a security configuration | INFO
IAC-0492 | AWS Neptune cluster deletion protection is disabled | INFO
IAC-0494 | AWS RDS instance with copy tags to snapshots disabled | INFO
IAC-0497 | AWS Network Firewall is not configured with a logging configuration | INFO
IAC-0506 | AWS SQS queue encryption using the default KMS key instead of a CMK | INFO
IAC-0564 | Azure Microsoft Defender for Cloud is set to Off for Servers | INFO
IAC-0569 | Azure Microsoft Defender for Cloud is set to Off for App Service | INFO
IAC-0575 | Azure Function App doesn't use HTTP 2.0 | INFO
IAC-0577 | Azure Microsoft Defender for Cloud is set to Off for Azure SQL Databases | INFO
IAC-0579 | Azure App Service Web app doesn't have a Managed Service Identity | INFO
IAC-0582 | Azure Data Explorer cluster disk encryption is disabled | INFO
IAC-0583 | Azure Data Explorer cluster double encryption is disabled | INFO
IAC-0587 | Azure Microsoft Defender for Cloud is set to Off for SQL servers on machines | INFO
IAC-0592 | Azure Microsoft Defender for Cloud is set to Off for Storage | INFO
IAC-0595 | Azure Microsoft Defender for Cloud is set to Off for Key Vault | INFO
IAC-0617 | Azure Key Vault purge protection is not enabled | INFO
IAC-0625 | Azure Virtual machine NIC has IP forwarding enabled | INFO
IAC-0749 | Azure Synapse Spark Pool not using isolated compute | INFO
IAC-0760 | Azure SQL Server ADS Vulnerability Assessment is disabled | INFO
IAC-0764 | Azure PostgreSQL Database Server 'Allow access to Azure services' enabled | INFO
IAC-0771 | Azure SQL server Defender setting is set to Off | INFO
IAC-0784 | Azure SQL server not configured with Active Directory admin authentication | INFO
IAC-0786 | Azure AKS cluster Azure CNI networking not enabled | INFO
IAC-0787 | Azure Container Instance not configured with a managed identity | INFO
IAC-0791 | Azure SQL Server allows access to any Azure internal resource | INFO
IAC-0792 | Azure Recovery Services vault is not configured with a managed identity | INFO
IAC-0793 | Azure Automation account is not configured with a managed identity | INFO
IAC-0808 | Azure Synapse SQL Pool does not have a security alert policy | INFO
IAC-0809 | Azure Synapse SQL Pool vulnerability assessment disabled | INFO
IAC-0810 | Azure Synapse Workspace missing extended audit logs | INFO
IAC-0811 | Log monitoring disabled for Azure Synapse SQL Pool | INFO
IAC-0862 | GCP Kubernetes Engine clusters have Cloud Logging disabled | INFO
IAC-0863 | GCP Firewall rule allows all traffic on SSH port (22) | INFO
IAC-0864 | GCP Firewall rule allows all traffic on RDP port (3389) | INFO
IAC-0867 | GCP Kubernetes Engine clusters have Legacy Authorization enabled | INFO
IAC-0868 | GCP Kubernetes Engine clusters have Cloud Monitoring disabled | INFO
IAC-0869 | GCP Kubernetes cluster node auto-repair configuration disabled | INFO
IAC-0870 | GCP Kubernetes cluster node auto-upgrade configuration disabled | INFO
IAC-0880 | GCP Kubernetes Engine clusters without any label information | INFO
IAC-0885 | GCP VPC Flow Logs for the subnet are set to Off | INFO
IAC-0889 | GCP VM instance configured with default service account | INFO
IAC-0895 | GCP VM instances have IP forwarding enabled | INFO
IAC-0896 | GCP VM disks not encrypted with Customer-Supplied Encryption Keys (CSEK) | INFO
IAC-0898 | GCP VM instance with Shielded VM features disabled | INFO
IAC-0902 | GCP KMS symmetric key not rotated every 90 days | INFO
IAC-0909 | GCP MySQL instance database flag local_infile is not disabled | INFO
IAC-0911 | GCP PostgreSQL instance database flag log_connections is disabled | INFO
IAC-0912 | GCP PostgreSQL instance database flag log_disconnections is disabled | INFO
IAC-0913 | GCP PostgreSQL instance database flag log_lock_waits is disabled | INFO
IAC-0914 | GCP PostgreSQL instance database flag log_min_messages is not set | INFO
IAC-0915 | GCP PostgreSQL instance database flag log_temp_files is not set to 0 | INFO
IAC-0916 | GCP PostgreSQL instance database flag log_min_duration_statement is not set to -1 | INFO
IAC-0917 | GCP SQL Server instance database flag 'cross db ownership chaining' is enabled | INFO
IAC-0920 | GCP Kubernetes cluster intra-node visibility disabled | INFO
IAC-0921 | GCP Storage bucket does not have Access and Storage Logging enabled | INFO
IAC-0922 | GCP Storage bucket is logging to itself | INFO
IAC-0928 | GCP Kubernetes Engine cluster not using a Release Channel for version management | INFO
IAC-0929 | GCP Kubernetes cluster Shielded GKE Nodes feature disabled | INFO
IAC-0933 | GCP Firewall rule allows all traffic on FTP port (21) | INFO
IAC-0964 | GCP Firewall rule allows all traffic on HTTP port (80) | INFO
IAC-0966 | GCP PostgreSQL instance database flag log_hostname is not set to off | INFO
IAC-0990 | GCP Project audit logging is not configured properly across all services and all users in a project | INFO
IAC-0996 | GCP GCR Container Vulnerability Scanning is disabled | INFO
IAC-0998 | GCP PostgreSQL instance database flag log_duration is not set to on | INFO
IAC-0999 | GCP PostgreSQL instance database flag log_executor_stats is not set to off | INFO
IAC-1000 | GCP PostgreSQL instance database flag log_parser_stats is not set to off | INFO
IAC-1001 | GCP PostgreSQL instance database flag log_planner_stats is not set to off | INFO
IAC-1002 | GCP PostgreSQL instance database flag log_statement_stats is not set to off | INFO
IAC-1004 | GCP Kubernetes Engine clusters have Alpha cluster feature enabled | INFO
IAC-1230 | OCI Block Storage block volumes are not encrypted with a Customer Managed Key (CMK) | INFO
IAC-1233 | OCI Compute instance has monitoring disabled | INFO
IAC-1236 | OCI Object Storage bucket is not encrypted with a Customer Managed Key (CMK) | INFO
IAC-1242 | OCI File Storage file systems are not encrypted with a Customer Managed Key (CMK) | INFO
IAC-1243 | OCI VCN has no inbound security list | INFO
IAC-1246 | OCI Security List allows all traffic on SSH port (22) | INFO
IAC-1247 | OCI Security List allows unrestricted ingress access to port 3389 | INFO
IAC-1249 | OCI security group allows unrestricted ingress access to port 22 | INFO
IAC-1252 | OCI Network Security Group allows all traffic on RDP port (3389) | INFO
IAC-1253 | OCI Kubernetes Engine cluster endpoint is not configured with Network Security Groups | INFO
IAC-1290 | Security policies missing descriptions in Palo Alto Networks devices | INFO
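The GCP firewall-exposure rows in this table (IAC-0863 SSH, IAC-0864 RDP, IAC-0946 MySQL, IAC-0933 and IAC-0935 FTP, IAC-0964 HTTP, IAC-0997 all traffic) all reduce to one check against a plan: an enabled ingress rule reachable from 0.0.0.0/0 or ::/0 whose allow blocks cover a sensitive TCP port, or every protocol. The Python below is an added example written for this page, not the catalog's own rule engine. It evaluates that check over the structure `terraform show -json tfplan` emits (`planned_values.root_module.resources[].values`, recursing into `child_modules`). The rule IDs, ports and severities come from the catalog rows above; the matching semantics (an empty `ports` list meaning every port of that protocol, `protocol = "all"` meaning all traffic, `direction` defaulting to INGRESS) are assumptions of this example taken from the google_compute_firewall resource's documented behaviour, and the sample plan is constructed, not real output.

```python
"""Evaluate the catalog's GCP firewall ingress rules against a Terraform plan JSON.

Added example, not the catalog vendor's engine. Assumption made here: an enabled
INGRESS google_compute_firewall whose source_ranges include 0.0.0.0/0 or ::/0 and
whose allow blocks cover the port (or every protocol) is a finding.
"""
import json

# (rule ID, severity, service) per TCP port, taken from the catalog table.
PORT_RULES = {
    22: ("IAC-0863", "INFO", "SSH"),
    3389: ("IAC-0864", "INFO", "RDP"),
    3306: ("IAC-0946", "LOW", "MySQL"),
    21: ("IAC-0933", "INFO", "FTP"),
    20: ("IAC-0935", "LOW", "FTP data"),
    80: ("IAC-0964", "INFO", "HTTP"),
}
ALL_TRAFFIC_RULE = ("IAC-0997", "LOW")
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def port_in_specs(port: int, specs: list[str]) -> bool:
    """True if `port` falls inside any GCP port spec such as "22" or "3300-3310"."""
    for spec in specs:
        low, _, high = spec.partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False


def allows_all_traffic(allow_blocks) -> bool:
    return any(b.get("protocol", "").lower() == "all" for b in allow_blocks)


def allows_tcp_port(allow_blocks, port: int) -> bool:
    for b in allow_blocks:
        if b.get("protocol", "").lower() not in ("tcp", "all"):
            continue
        specs = b.get("ports") or []
        # GCP semantics: a tcp allow block with no ports listed means every TCP port.
        if not specs or port_in_specs(port, specs):
            return True
    return False


def iter_resources(module: dict):
    """Walk root_module and every nested child_module of a `terraform show -json` plan."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def evaluate_plan(plan: dict) -> list[dict]:
    findings = []
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in iter_resources(root):
        if res.get("type") != "google_compute_firewall":
            continue
        v = res.get("values", {})
        if v.get("disabled") or (v.get("direction") or "INGRESS") != "INGRESS":
            continue
        if not WORLD_CIDRS & set(v.get("source_ranges") or []):
            continue  # only reachable from specific ranges: not in scope for these rules
        allows = v.get("allow") or []
        if allows_all_traffic(allows):
            rid, sev = ALL_TRAFFIC_RULE
            findings.append({"rule": rid, "severity": sev, "address": res["address"],
                             "detail": "all protocols and ports open to the world"})
            continue  # the per-port rules would only duplicate this finding
        for port, (rid, sev, svc) in PORT_RULES.items():
            if allows_tcp_port(allows, port):
                findings.append({"rule": rid, "severity": sev, "address": res["address"],
                                 "detail": f"{svc} tcp/{port} open to the world"})
    return findings


def _fw(address: str, **values) -> dict:
    """Build one planned google_compute_firewall entry (fixture helper for the sample)."""
    return {"address": address, "type": "google_compute_firewall", "values": values}


# Constructed stand-in for `terraform show -json tfplan` output; not real plan data.
SAMPLE_PLAN = {"format_version": "1.2", "planned_values": {"root_module": {
    "resources": [
        _fw("google_compute_firewall.ssh_world", direction="INGRESS",
            source_ranges=["0.0.0.0/0"], allow=[{"protocol": "tcp", "ports": ["22"]}]),
        _fw("google_compute_firewall.web_internal", direction="INGRESS",
            source_ranges=["10.0.0.0/8"], allow=[{"protocol": "tcp", "ports": ["80", "443"]}]),
        _fw("google_compute_firewall.wide_open", direction="INGRESS",
            source_ranges=["0.0.0.0/0"], allow=[{"protocol": "all", "ports": []}]),
        _fw("google_compute_firewall.egress_all", direction="EGRESS",
            destination_ranges=["0.0.0.0/0"], allow=[{"protocol": "tcp", "ports": ["22"]}]),
    ],
    "child_modules": [{"address": "module.db", "resources": [
        _fw("module.db.google_compute_firewall.mysql_v6", direction="INGRESS",
            source_ranges=["::/0"], allow=[{"protocol": "tcp", "ports": ["3300-3310"]}]),
    ]}],
}}}

if __name__ == "__main__":
    print(json.dumps(evaluate_plan(SAMPLE_PLAN), indent=2))
```

On the constructed plan this reports three findings: IAC-0863 for the SSH rule, IAC-0997 for the `protocol = "all"` rule (the per-port rules are suppressed for it, since they would only repeat the same exposure), and IAC-0946 for the IPv6 range covering 3306 inside the child module. The internal-only web rule and the egress rule produce nothing, which is the distinction a reviewer wants: the check is about reachability from the internet, not about the port alone.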

Total Rules: 1042

Click on any rule ID to view detailed information, examples, and remediation guidance.
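The secret-scanning rows in the LOW block (IAC-1305 Base64 High Entropy Strings, IAC-1317 Hex High Entropy String, IAC-1308 JSON Web Token, IAC-1278 and IAC-1228 credentials hard-coded in a provider) work differently from the resource rules: they judge literal string values rather than attribute semantics. The Python below is an added example, not the catalog's scanner, showing how such checks are typically built: Shannon entropy over hex and base64 candidates, a shape match for JWTs, and a keyword match for credential attributes inside provider blocks. The thresholds (4.5 bits for base64, 3.0 bits for hex, the defaults popularised by the detect-secrets project), the 20-character minimum and the small line-based HCL reader are assumptions of this example; the sample Terraform is constructed, and the `secret_key` value in it is the placeholder used in AWS documentation, not a real key.

```python
"""Flag hard-coded secrets in Terraform source, in the spirit of the catalog's
IAC-1305 (Base64 High Entropy Strings), IAC-1317 (Hex High Entropy String),
IAC-1308 (JSON Web Token), IAC-1278 and IAC-1228 (credentials in providers).

Added example, not the catalog's scanner. Assumptions: entropy thresholds of
4.5 bits (base64) and 3.0 bits (hex) as used by detect-secrets, a 20-character
minimum, and a line-based reader that only understands HCL block headers and
`name = "literal"` assignments.
"""
import math
import re

MIN_LEN, BASE64_THRESHOLD, HEX_THRESHOLD = 20, 4.5, 3.0
BLOCK_RE = re.compile(r'^\s*(provider|resource|data|locals|module|variable|output)\b(.*)\{')
ASSIGN_RE = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*"([^"\\]*)"')
JWT_RE = re.compile(r'eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*')
HEX_RE = re.compile(r'[0-9a-fA-F]+')
BASE64_RE = re.compile(r'[A-Za-z0-9+/]+=*')
CRED_ATTR_RE = re.compile(r'password|token|application_credential_secret|private_key', re.I)


def shannon_entropy(s: str) -> float:
    """Bits per character over the string's own symbol distribution (0.0 if empty)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def classify_literal(value: str):
    """(rule_id, reason) if the literal itself looks like a secret, else None."""
    if JWT_RE.fullmatch(value):
        return "IAC-1308", "JSON Web Token"
    if len(value) < MIN_LEN:
        return None
    if HEX_RE.fullmatch(value):  # hex is a subset of base64, so test it first
        ent = shannon_entropy(value)
        return ("IAC-1317", f"hex string, {ent:.2f} bits") if ent > HEX_THRESHOLD else None
    if BASE64_RE.fullmatch(value):
        ent = shannon_entropy(value)
        return ("IAC-1305", f"base64 string, {ent:.2f} bits") if ent > BASE64_THRESHOLD else None
    return None


def provider_credential_rule(block: str, attr: str):
    """Map a literal credential attribute inside a provider block to a catalog rule."""
    if not block.startswith("provider") or not CRED_ATTR_RE.search(attr):
        return None
    if '"openstack"' in block:
        return "IAC-1278"
    if '"oci"' in block and attr == "private_key":
        return "IAC-1228"
    return "hard-coded-credential"  # the catalog rows above carry no ID for other providers


def scan_hcl(text: str) -> list[dict]:
    findings, block = [], ""
    for lineno, line in enumerate(text.splitlines(), 1):
        header = BLOCK_RE.match(line)
        if header:
            block = (header.group(1) + header.group(2)).strip()
            continue
        m = ASSIGN_RE.match(line)
        if not m:
            continue
        attr, value = m.group(1), m.group(2)
        hit = classify_literal(value)
        if hit is None:
            rule = provider_credential_rule(block, attr)
            hit = (rule, f"literal credential in {block}") if rule else None
        if hit:
            findings.append({"line": lineno, "block": block, "attribute": attr,
                             "rule": hit[0], "reason": hit[1]})
    return findings


# Constructed sample; secret_key is the placeholder value used in AWS documentation.
SAMPLE_TF = '''
provider "openstack" {
  auth_url  = "https://keystone.example.internal:5000/v3"
  user_name = "admin"
  password  = "sup3rS3cret!Pa55"
}

resource "aws_instance" "web" {
  ami           = "ami-0abcdef1234567890"
  instance_type = "t3.micro"
}

locals {
  api_token  = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZiJ9.abc123signature"
  secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
  commit_sha = "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b"
  bucket     = "my-app-logs-bucket"
}
'''

if __name__ == "__main__":
    for f in scan_hcl(SAMPLE_TF):
        print(f"line {f['line']:>3}  {f['rule']:<12} {f['attribute']:<11} {f['reason']}")
```

Four findings come out of the sample: the OpenStack `password` (caught by the keyword rule, since a short human-chosen password has too little entropy to trip the statistical checks), the JWT, the 40-character base64 key at about 4.66 bits, and the 40-character hex value at about 3.83 bits. The last one is a git commit hash, which is exactly the kind of false positive a hex-entropy rule produces; that is why catalogs rate these detectors LOW and why a real pipeline pairs them with an allowlist or a per-attribute suppression rather than failing the build on them alone.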