---
title: IaC Security Rules
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Infrastructure as Code (IaC)
  Security > IaC Security Rules
---

# IaC Security Rules

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site).
{% /alert %}
{% /callout %}

[Infrastructure as Code (IaC) Security](https://docs.datadoghq.com/security/code_security/iac_security/) identifies misconfigurations and security risks in infrastructure-as-code files before deployment, helping ensure that cloud environments remain secure and compliant.

{% alert level="info" %}
For Helm resolution to work correctly, each chart directory must include the charts it depends on. For details, see [Chart File Structure](https://helm.sh/docs/topics/charts/#the-chart-file-structure) in the Helm documentation.
{% /alert %}

- Allow unsafe lookups enabled in defaults (`allow_unsafe_lookups_enabled_in_defaults`)
- Communication over HTTP in defaults (`communication_over_http_in_defaults`)
- Logging of sensitive data in defaults (`logging_of_sensitive_data_in_defaults`)
- Privilege escalation using become plugin in defaults (`privilege_escalation_using_become_plugin_in_defaults`)
- Ansible Tower exposed to the internet (`ansible_tower_exposed_to_internet`)
- ALB listening on HTTP (`alb_listening_on_http`)
- AMI not encrypted (`ami_not_encrypted`)
- AMI shared with multiple accounts (`ami_shared_with_multiple_accounts`)
- API Gateway endpoint config is not private (`api_gateway_endpoint_config_is_not_private`)
- API gateway with CloudWatch Logs disabled (`api_gateway_with_cloudwatch_logging_disabled`)
- API Gateway without configured authorizer (`api_gateway_without_configured_authorizer`)
- API Gateway without SSL certificate (`api_gateway_without_ssl_certificate`)
- API gateway without WAF (`api_gateway_without_waf`)
- API Gateway X-Ray disabled (`api_gateway_xray_disabled`)
- Authentication without MFA (`authentication_without_mfa`)
- Auto Scaling Group with no associated ELB (`auto_scaling_group_with_no_associated_elb`)
- Automatic minor upgrades disabled (`automatic_minor_upgrades_disabled`)
- AWS password policy with unchangeable passwords (`aws_password_policy_with_unchangeable_passwords`)
- Batch job definition with privileged container properties (`batch_job_definition_with_privileged_container_properties`)
- CA certificate identifier is outdated (`ca_certificate_identifier_is_outdated`)
- CDN configuration is missing (`cdn_configuration_is_missing`)
- Certificate has expired (`certificate_has_expired`)
- Certificate RSA key bytes lower than 256 (`certificate_rsa_key_bytes_lower_than_256`)
- CloudFront logging disabled (`cloudfront_logging_disabled`)
- CloudFront viewer protocol policy allows HTTP (`viewer_protocol_policy_allows_http`)
- CloudFront without minimum protocol TLS 1.2 (`cloudfront_without_minimum_protocol_tls_1.2`)
- CloudFront without WAF (`cloudfront_without_waf`)
- CloudTrail log file validation disabled (`cloudtrail_log_file_validation_disabled`)
- CloudTrail log files not encrypted with KMS (`cloudtrail_log_files_not_encrypted_with_kms`)
- CloudTrail logging disabled (`cloudtrail_logging_disabled`)
- CloudTrail multi-region is disabled (`cloudtrail_multi_region_disabled`)
- CloudTrail not integrated with CloudWatch (`cloudtrail_not_integrated_with_cloudwatch`)
- CloudTrail SNS topic name undefined (`cloudtrail_sns_topic_name_undefined`)
- CloudWatch without retention period specified (`cloudwatch_without_retention_period_specified`)
- CMK is unusable (`cmk_is_unusable`)
- CMK rotation disabled (`cmk_rotation_disabled`)
- CodeBuild project is not encrypted (`codebuild_not_encrypted`)
- Config rule for encrypted volumes disabled (`config_rule_for_encrypted_volumes_is_disabled`)
- Configuration aggregator to all regions disabled (`config_configuration_aggregator_to_all_regions_disabled`)
- Cross-account IAM assume role policy without ExternalId or MFA (`cross_account_iam_assume_role_policy_without_external_id_or_mfa`)
- DB instance storage not encrypted (`db_instance_storage_not_encrypted`)
- DB security group open to large scope (`db_security_group_open_to_large_scope`)
- DB security group with public scope (`db_security_group_with_public_scope`)
- Default security groups with unrestricted traffic (`default_security_groups_with_unrestricted_traffic`)
- EBS volume encryption disabled (`ebs_volume_encryption_disabled`)
- EC2 instance has public IP (`ec2_instance_has_public_ip`)
- EC2 instance is not EBS optimized (`ec2_not_ebs_optimized`)
- EC2 instance using default security group (`ec2_instance_using_default_security_group`)
- EC2 instance using default VPC (`ec2_instance_using_default_vpc`)
- EC2 security group allows public access (`ec2_group_has_public_interface`)
- ECR image tag not immutable (`ecr_image_tag_not_immutable`)
- ECR repository is publicly accessible (`ecr_repository_is_publicly_accessible`)
- ECS service admin role is present (`ecs_service_admin_role_is_present`)
- ECS service without running tasks (`ecs_service_without_running_tasks`)
- ECS services should not be assigned public IP addresses (`ecs_services_assigned_with_public_ip_address`)
- ECS task definition network mode not recommended (`ecs_task_definition_network_mode_not_recommended`)
- EFS not encrypted (`efs_not_encrypted`)
- EFS without KMS (`efs_without_kms`)
- EFS without tags (`efs_without_tags`)
- ElastiCache using default port (`elasticache_using_default_port`)
- ElastiCache without VPC (`elasticache_without_vpc`)
- Elasticsearch with HTTPS disabled (`elasticsearch_with_https_disabled`)
- ELB using insecure protocols (`elb_using_insecure_protocols`)
- ELB using weak ciphers (`elb_using_weak_ciphers`)
- Hardcoded AWS access key (`hardcoded_aws_access_key`)
- Hardcoded AWS access key in Lambda (`hardcoded_aws_access_key_in_lambda`)
- HTTP port open to internet (`http_port_open_to_internet`)
- IAM access key is exposed (`iam_access_key_is_exposed`)
- IAM database authentication is not enabled (`iam_database_auth_not_enabled`)
- IAM group without users (`iam_group_without_users`)
- IAM password without minimum length (`iam_password_without_minimum_length`)
- IAM policies attached to user (`iam_policies_attached_to_user`)
- IAM policies with full privileges (`iam_policies_with_full_privileges`)
- IAM policy grants 'AssumeRole' permission across all services (`iam_policy_grants_assumerole_permission_across_all_services`)
- IAM policy grants full permissions (`iam_policy_grants_full_permissions`)
- IAM role allows all principals to assume (`iam_role_allows_all_principals_to_assume`)
- Instance uses metadata service IMDSv1 (`instance_uses_metadata_service_IMDSv1`)
- Instance with no VPC (`instance_with_no_vpc`)
- Kinesis not encrypted with KMS (`kinesis_not_encrypted_with_kms`)
- KMS key with vulnerable policy (`kms_key_with_full_permissions`)
- Lambda function without tags (`lambda_function_without_tags`)
- Lambda functions without X-Ray tracing (`lambda_functions_without_x-ray_tracing`)
- Lambda permission misconfigured (`lambda_permission_misconfigured`)
- Lambda permission principal is wildcard (`lambda_permission_principal_is_wildcard`)
- Launch configuration is not encrypted (`launch_configuration_is_not_encrypted`)
- Misconfigured password policy expiration (`misconfigured_password_policy_expiration`)
- No stack policy (`no_stack_policy`)
- Password without reuse prevention (`password_without_reuse_prevention`)
- Public Lambda via API Gateway (`public_lambda_via_api_gateway`)
- Public port with wide port range (`public_port_wide`)
- RDS DB instance is not publicly accessible (`rds_db_instance_publicly_accessible`)
- RDS instance associated with a public subnet (`rds_associated_with_public_subnet`)
- RDS instance uses a default port (`rds_using_default_port`)
- RDS instance with backup disabled (`rds_with_backup_disabled`)
- Redis not compliant (`redis_not_compliant`)
- Redshift cluster is not encrypted (`redshift_not_encrypted`)
- Redshift publicly accessible (`redshift_publicly_accessible`)
- Redshift using default port (`redshift_using_default_port`)
- Remote desktop port open to internet (`remote_desktop_port_open`)
- Root account has active access keys (`root_account_has_active_access_keys`)
- Route 53 record undefined (`route53_record_undefined`)
- S3 bucket access to any principal (`s3_bucket_access_to_any_principal`)
- S3 bucket ACL allows read access to all users (`s3_bucket_acl_allows_read_to_all_users`)
- S3 bucket ACL allows read access to any authenticated user (`s3_bucket_acl_allows_read_to_any_authenticated_user`)
- S3 bucket allows delete action from all principals (`s3_bucket_allows_delete_action_from_all_principals`)
- S3 bucket allows GET action from all principals (`s3_bucket_allows_get_action_from_all_principals`)
- S3 bucket allows list action from all principals (`s3_bucket_allows_list_action_from_all_principals`)
- S3 bucket allows put action from all principals (`s3_bucket_allows_put_action_from_all_principals`)
- S3 bucket logging disabled (`s3_bucket_logging_disabled`)
- S3 bucket with all permissions (`s3_bucket_with_all_permissions`)
- S3 bucket with public access (`s3_bucket_with_public_access`)
- S3 bucket with unsecured CORS rule (`s3_bucket_with_unsecured_cors_rule`)
- S3 bucket without server-side encryption (`s3_bucket_without_server-side_encryption`)
- S3 bucket without versioning (`s3_bucket_without_versioning`)
- Secure ciphers disabled (`secure_ciphers_disabled`)
- Security group ingress not restricted (`security_group_ingress_not_restricted`)
- Security group with unrestricted access to SSH (`security_group_with_unrestricted_access_to_ssh`)
- SES policy with allowed IAM actions (`ses_policy_with_allowed_iam_actions`)
- SNS topic is publicly accessible (`sns_topic_is_publicly_accessible`)
- SQL Analysis Services port 2383 (TCP) is publicly accessible (`sql_analysis_services_port_2383_is_publicly_accessible`)
- SQS policy allows all actions (`sqs_policy_allows_all_actions`)
- SQS policy with public access (`sqs_policy_with_public_access`)
- SQS queue exposed (`sqs_queue_exposed`)
- SQS queue with SSE disabled (`sqs_with_sse_disabled`)
- Stack notifications disabled (`stack_notifications_disabled`)
- Stack retention disabled (`stack_retention_disabled`)
- Stack without template (`stack_without_template`)
- Unknown port exposed to internet (`unknown_port_exposed_to_internet`)
- Unrestricted security group ingress (`unrestricted_security_group_ingress`)
- User data contains encoded private key (`user_data_contains_encoded_private_key`)
- Vulnerable default SSL certificate (`vulnerable_default_ssl_certificate`)
- AD admin not configured for SQL server (`ad_admin_not_configured_for_sql_server`)
- Admin user enabled for container registry (`admin_user_enabled_for_container_registry`)
- AKS monitoring logging disabled (`aks_monitoring_logging_disabled`)
- AKS network policy misconfigured (`aks_network_policy_misconfigured`)
- AKS RBAC disabled (`aks_rbac_disabled`)
- Azure container registry with no locks (`azure_container_registry_with_no_locks`)
- Azure instance using basic authentication (`azure_instance_using_basic_authentication`)
- Cosmos DB account without tags (`cosmosdb_account_without_tags`)
- CosmosDB account IP range filter not set (`cosmosdb_account_ip_range_filter_not_set`)
- Default Azure storage account network access is too permissive (`default_azure_storage_account_network_access_is_too_permissive`)
- Firewall rule allows too many hosts to access Redis Cache (`firewall_rule_allows_too_many_hosts_to_access_redis_cache`)
- Key Vault soft delete is disabled (`key_vault_soft_delete_is_disabled`)
- Log retention is not set (`log_retention_is_not_set`)
- Monitoring log profile without all activities (`monitoring_log_profile_without_all_activities`)
- MySQL SSL connection disabled (`mysql_ssl_connection_disabled`)
- PostgreSQL log checkpoints disabled (`postgresql_log_checkpoints_disabled`)
- PostgreSQL log connections not set (`postgresql_log_connections_not_set`)
- PostgreSQL log disconnections not set (`postgresql_log_disconnections_not_set`)
- PostgreSQL log duration not set (`postgresql_log_duration_not_set`)
- PostgreSQL server without connection throttling (`postgresql_server_without_connection_throttling`)
- Public storage account (`public_storage_account`)
- Redis cache allows non-SSL connections (`redis_cache_allows_non_ssl_connections`)
- Redis entirely accessible (`redis_entirely_accessible`)
- Redis publicly accessible (`redis_publicly_accessible`)
- Role definition allows custom role creation (`role_definition_allows_custom_role_creation`)
- Security group is not configured (`security_group_is_not_configured`)
- Sensitive port is exposed to entire network (`sensitive_port_is_exposed_to_entire_network`)
- Small activity log retention period (`small_activity_log_retention_period`)
- SQL Server predictable Active Directory account name (`sql_server_predictable_active_directory_admin_account_name`)
- SQL Server predictable admin account name (`sql_server_predictable_admin_account_name`)
- SQLServer ingress from any IP (`sql_server_ingress_from_any_ip`)
- SSL enforce disabled (`ssl_enforce_is_disabled`)
- Storage account not forcing HTTPS (`storage_account_not_forcing_https`)
- Storage account not using latest TLS encryption version (`storage_account_not_using_latest_tls_encryption_version`)
- Storage container is publicly accessible (`storage_container_is_publicly_accessible`)
- Trusted Microsoft services not enabled (`trusted_microsoft_services_not_enabled`)
- Unrestricted SQL Server access (`unrestricted_sql_server_acess`)
- VM not attached to network (`vm_not_attached_to_network`)
- WAF is disabled for Azure Application Gateway (`waf_is_disabled_for_azure_application_gateway`)
- Web app accepting traffic other than HTTPS (`web_app_accepting_traffic_other_than_https`)
- Communication over HTTP (`communication_over_http`)
- Insecure relative path resolution (`insecure_relative_path_resolution`)
- Logging of sensitive data (`logging_of_sensitive_data`)
- Privilege escalation using become plugin (`privilege_escalation_using_become_plugin`)
- Risky file permissions (`risky_file_permissions`)
- Unpinned package version (`unpinned_package_version`)
- BigQuery dataset is public (`bigquery_dataset_is_public`)
- Client certificate disabled (`client_certificate_disabled`)
- Cloud DNS without DNSSEC (`cloud_dns_without_dnnsec`)
- Cloud SQL instance with contained database authentication on (`cloud_sql_instance_with_contained_database_authentication_on`)
- Cloud SQL instance with cross DB ownership chaining on (`cloud_sql_instance_with_cross_db_ownership_chaining_on`)
- Cloud storage anonymous or publicly accessible (`cloud_storage_anonymous_or_publicly_accessible`)
- Cloud storage bucket logging not enabled (`cloud_storage_bucket_logging_not_enabled`)
- Cloud storage bucket versioning disabled (`cloud_storage_bucket_versioning_disabled`)
- Cluster labels disabled (`cluster_labels_disabled`)
- Cluster master authentication disabled (`cluster_master_authentication_disabled`)
- Compute instance is publicly accessible (`compute_instance_is_publicly_accessible`)
- COS node image not used (`cos_node_image_not_used`)
- Disk encryption disabled (`disk_encryption_disabled`)
- DNSSEC using RSASHA1 (`dnssec_using_rsasha1`)
- GKE basic authentication enabled (`gke_basic_authentication_enabled`)
- GKE legacy authorization enabled (`gke_legacy_authorization_enabled`)
- GKE master authorized networks disabled (`gke_master_authorized_networks_disabled`)
- GKE using default service account (`gke_using_default_service_account`)
- Google Compute network using default firewall rule (`google_compute_network_using_default_firewall_rule`)
- Google Compute network using firewall rule that allows all ports (`google_compute_network_using_firewall_rule_allows_all_ports`)
- Google Compute network using firewall rule that allows port range (`google_compute_network_using_firewall_allows_port_range`)
- Google Compute SSL policy weak cipher in use (`google_compute_ssl_policy_weak_cipher_in_use`)
- Google Compute subnetwork with Private Google Access disabled (`google_compute_subnetwork_with_private_google_access_disabled`)
- Google container node pool auto repair disabled (`google_container_node_pool_auto_repair_disabled`)
- High Google KMS crypto key rotation period (`high_google_kms_crypto_key_rotation_period`)
- IP aliasing disabled (`ip_aliasing_disabled`)
- IP forwarding enabled (`ip_forwarding_enabled`)
- MySQL instance with local infile on (`mysql_instance_with_local_infile_on`)
- Network policy disabled (`network_policy_disabled`)
- Node auto-upgrade disabled (`node_auto_upgrade_disabled`)
- OSLogin is disabled in VM instance (`oslogin_is_disabled_for_vm_instance`)
- PostgreSQL log connections disabled (`postgresql_log_connections_disabled`)
- PostgreSQL log_checkpoints flag not set to on (`postgresql_log_checkpoints_flag_not_set_to_on`)
- PostgreSQL logging of temporary files disabled (`postgresql_logging_of_temporary_files_disabled`)
- PostgreSQL misconfigured log messages flag (`postgresql_misconfigured_log_messages_flag`)
- PostgreSQL misconfigured logging duration flag (`postgresql_misconfigured_logging_duration_flag`)
- Private cluster disabled (`private_cluster_disabled`)
- Project-wide SSH keys are enabled in VM instances (`project_wide_ssh_keys_are_enabled_in_vm_instances`)
- RDP access is not restricted (`rdp_access_is_not_restricted`)
- Serial ports are enabled for VM instances (`serial_ports_enabled_for_vm_instances`)
- Shielded VM disabled (`shielded_vm_disabled`)
- SQL DB instance backup disabled (`sql_db_instance_backup_disabled`)
- SQL DB instance publicly accessible (`sql_db_instance_is_publicly_accessible`)
- SQL DB instance with SSL disabled (`sql_db_instance_with_ssl_disabled`)
- SSH access is not restricted (`ssh_access_is_not_restricted`)
- Stackdriver logging disabled (`stackdriver_logging_disabled`)
- Stackdriver monitoring disabled (`stackdriver_monitoring_disabled`)
- Using default service account (`using_default_service_account`)
- VM with full cloud access (`vm_with_full_cloud_access`)
- Run block injection (`run_block_injection`)
- Script block injection (`script_block_injection`)
- Unpinned actions full length commit SHA (`unpinned_actions_full_length_commit_sha`)
- Unsecured commands (`unsecured_commands`)
- Unspecified workflows level permissions (`unspecified_workflows_permissions`)
- ALB is not integrated with WAF (`alb_is_not_integrated_with_waf`)
- ALB listening on HTTP (`alb_listening_on_http`)
- Alexa skill plaintext client secret exposed (`alexa_skill_plaintext_client_secret_exposed`)
- Amazon MQ broker encryption disabled (`amazon_mq_broker_encryption_disabled`)
- Amazon MQ broker is publicly accessible (`mq_broker_is_publicly_accessible`)
- Amazon MQ broker logging disabled (`mq_broker_logging_disabled`)
- Amplify app access token exposed (`amplify_app_access_token_exposed`)
- Amplify app basic auth config password exposed (`amplify_app_basic_auth_config_password_exposed`)
- Amplify app OAuth token exposed (`amplify_app_oauth_token_exposed`)
- Amplify branch basic auth config password exposed (`amplify_branch_basic_auth_config_password_exposed`)
- API Gateway cache cluster disabled (`api_gateway_cache_cluster_disabled`)
- API Gateway cache encrypted disabled (`api_gateway_cache_encrypted_disabled`)
- API Gateway deployment without access log setting (`api_gateway_deployment_without_access_log_setting`)
- API Gateway deployment without usage plan associated (`api_gateway_deployment_without_api_gateway_usage_plan_associated`)
- API Gateway endpoint config is not private (`api_gateway_endpoint_config_is_not_private`)
- API Gateway method does not contain an API key (`api_gateway_method_does_not_contains_an_api_key`)
- API Gateway stage without usage plan associated (`api_gateway_stage_without_api_gateway_usage_plan_associated`)
- API Gateway V2 stage access logging settings not defined (`api_gateway_access_logging_disabled`)
- API Gateway with invalid compression (`api_gateway_with_invalid_compression`)
- API Gateway with open access (`api_gateway_with_open_access`)
- API Gateway without configured authorizer (`api_gateway_without_configured_authorizer`)
- API Gateway without security policy (`api_gateway_without_security_policy`)
- API Gateway without SSL certificate (`api_gateway_without_ssl_certificate`)
- API Gateway without WAF (`api_gateway_without_waf`)
- API Gateway X-Ray disabled (`api_gateway_xray_disabled`)
- Auto Scaling group with no associated ELB (`auto_scaling_group_with_no_associated_elb`)
- Automatic minor upgrades disabled (`automatic_minor_upgrades_disabled`)
- AWS DMS replication instance is publicly accessible (`amazon_dms_replication_instance_is_publicly_accessible`)
- Batch job definition with privileged container properties (`batch_job_definition_with_privileged_container_properties`)
- CDN configuration is missing (`cdn_configuration_is_missing`)
- CloudFormation metadata contains plaintext credentials (`cloudformation_specifying_credentials_not_safe`)
- CloudFront logging disabled (`cloudfront_logging_disabled`)
- CloudFront viewer protocol policy allows HTTP (`cloudfront_viewer_protocol_policy_allows_http`)
- CloudFront without minimum protocol TLS 1.2 (`cloudfront_without_minimum_protocol_tls_1.2`)
- CloudFront without WAF (`cloudfront_without_waf`)
- CloudTrail log file validation disabled (`cloudtrail_log_file_validation_disabled`)
- CloudTrail log files not encrypted with KMS (`cloudtrail_log_files_not_encrypted_with_kms`)
- CloudTrail logging disabled (`cloudtrail_logging_disabled`)
- CloudTrail multi-region disabled (`cloudtrail_multi_region_disabled`)
- CloudTrail not integrated with CloudWatch (`cloudtrail_not_integrated_with_cloudwatch`)
- CloudTrail SNS topic name undefined (`cloudtrail_sns_topic_name_undefined`)
- CloudWatch logging disabled (`cloudwatch_logging_disabled`)
- CloudWatch metrics disabled (`cloudwatch_metrics_disabled`)
- CMK is unusable (`cmk_is_unusable`)
- CMK rotation disabled (`cmk_rotation_disabled`)
- CMK unencrypted storage (`cmk_unencrypted_storage`)
- CodeBuild not encrypted (`codebuild_not_encrypted`)
- Cognito user pool without MFA (`cognito_userpool_without_mfa`)
- Config rule for encrypted volumes disabled (`config_rule_for_encryption_volumes_disabled`)
- Configuration aggregator to all regions disabled (`config_configuration_aggregator_to_all_regions_disabled`)
- Connection between CloudFront origin not encrypted (`connection_between_cloudfront_origin_not_encrypted`)
- Cross-account IAM assume role policy without external ID or MFA (`cross_account_iam_assume_role_policy_without_external_id_or_mfa`)
- DB security group open to large scope (`db_security_group_open_to_large_scope`)
- DB security group with public scope (`db_security_group_with_public_scope`)
- Default KMS key usage (`default_kms_key_usage`)
- Default security groups with unrestricted traffic (`default_security_groups_with_unrestricted_traffic`)
- Directory service Microsoft AD password set to plaintext or default ref (`directory_service_microsoft_ad_password_set_to_plaintext_or_default_ref`)
- Directory service simple AD password exposed (`directory_service_simple_ad_password_exposed`)
- DMS endpoint MongoDB settings password exposed (`dms_endpoint_mongo_db_settings_password_exposed`)
- DMS endpoint password exposed (`dms_endpoint_password_exposed`)
- DocDB cluster master password in plaintext (`docdb_cluster_master_password_in_plaintext`)
- DocDB logging is disabled (`docdb_logging_disabled`)
- DynamoDB table not encrypted (`dynamodb_table_not_encrypted`)
- DynamoDB table point-in-time recovery disabled (`dynamodb_table_point_in_time_recovery_disabled`)
- DynamoDB with AWS-owned CMK (`dynamodb_with_aws_owned_cmk`)
- DynamoDB with non-recommended table billing mode (`dynamodb_with_table_billing_mode_not_recommended`)
- EBS volume encryption disabled (`ebs_volume_encryption_disabled`)
- EBS volume not attached to instances (`ebs_volume_not_attached_to_instances`)
- EBS volume without KmsKeyId (`ebs_volume_without_kms_key_id`)
- EC2 instance has no IAM role (`ec2_instance_has_no_iam_role`)
- EC2 instance monitoring disabled (`ec2_instance_monitoring_disabled`)
- EC2 instance subnet has public IP mapping on launch (`ec2_instance_subnet_has_public_ip_mapping_on_launch`)
- EC2 instance using default security group (`ec2_instance_using_default_security_group`)
- EC2 instance using default VPC (`ec2_instance_using_default_vpc`)
- EC2 Network ACL Deny rule not blocking all traffic (`ec2_network_acl_ineffective_denied_traffic`)
- EC2 network ACL duplicate rule (`ec2_network_acl_duplicate_rule`)
- EC2 network ACL overlapping ports (`ec2_network_acl_overlapping_ports`)
- EC2 not EBS optimized (`ec2_not_ebs_optimized`)
- EC2 permissive network ACL protocols (`ec2_permissive_network_acl_protocols`)
- EC2 public instance exposed through subnet (`ec2_public_instance_exposed_through_subnet`)
- EC2 sensitive port is publicly exposed (`ec2_sensitive_port_is_publicly_exposed`)
- ECR image tag not immutable (`ecr_image_tag_not_immutable`)
- ECR repository is publicly accessible (`ecr_repository_is_publicly_accessible`)
- ECS cluster not encrypted at rest (`ecs_cluster_not_encrypted_at_rest`)
- ECS cluster with Container Insights disabled (`ecs_cluster_container_insights_disabled`)
- ECS no load balancer attached (`ecs_no_load_balancer_attached`)
- ECS service admin role is present (`ecs_service_admin_role_is_present`)
- ECS service without running tasks (`ecs_service_without_running_tasks`)
- ECS task definition health check missing (`ecs_task_definition_healthcheck_missing`)
- ECS task definition invalid CPU or memory (`ecs_task_definition_invalid_cpu_or_memory`)
- ECS task definition network mode not recommended (`ecs_task_definition_network_mode_not_recommended`)
- EFS not encrypted (`efs_not_encrypted`)
- EFS volume with disabled transit encryption (`efs_volume_with_disabled_transit_encryption`)
- EFS without KMS (`efs_without_kms`)
- EFS without tags (`efs_without_tags`)
- EKS node group remote access (`eks_node_group_remote_access`)
- ElastiCache nodes not created across multi-AZ (`elasticache_nodes_not_created_across_multi_az`)
- ElastiCache using default port (`elasticache_using_default_port`)
- ElastiCache with disabled at-rest encryption (`elasticache_with_disabled_at_rest_encryption`)
- ElastiCache with disabled transit encryption (`elasticache_with_disabled_transit_encryption`)
- ElastiCache without VPC (`elasticache_without_vpc`)
- Elasticsearch encryption with KMS disabled (`elasticsearch_domain_encryption_with_kms_disabled`)
- Elasticsearch logs disabled (`elasticsearch_logs_disabled`)
- Elasticsearch not encrypted at rest (`elasticsearch_not_encrypted_at_rest`)
- Elasticsearch with HTTPS disabled (`elasticsearch_with_https_disabled`)
- Elasticsearch without IAM authentication (`elasticsearch_without_iam_authentication`)
- Elasticsearch without slow logs (`elasticsearch_without_slow_logs`)
- ELB access log disabled (`elb_access_log_disabled`)
- ELB sensitive port is exposed to entire network (`elb_sensitive_port_is_exposed_to_entire_network`)
- ELB using insecure protocols (`elb_using_insecure_protocols`)
- ELB using weak ciphers (`elb_using_weak_ciphers`)
- ELB with security group without inbound rules (`elb_with_security_group_without_inbound_rules`)
- ELB with security group without outbound rules (`elb_with_security_group_without_outbound_rules`)
- ELB without secure protocol (`elb_without_secure_protocol`)
- ELBv2 ALB access log disabled (`elb_v2_alb_access_log_disabled`)
- Empty roles for ECS cluster task definitions (`empty_roles_for_ecs_cluster_task_definitions`)
- EMR cluster without security configuration (`emr_cluster_without_security_configuration`)
- EMR security configuration encryption disabled (`emr_security_configuration_encryptions_enabled`)
- EMR without VPC (`emr_wihout_vpc`)
- Fully open ingress (`fully_open_ingress`)
- GameLift fleet EC2 inbound permissions with port range (`gamelift_fleet_ec2_inbound_permissions_with_port_range`)
- Geo restriction disabled (`geo_restriction_disabled`)
- GitHub repository set to public (`github_repository_set_to_public`)
- GuardDuty detector disabled (`guardduty_detector_disabled`)
- Hardcoded AWS access key in Lambda (`hardcoded_aws_access_key_in_lambda`)
- High access key rotation period (`access_key_not_rotated_within_90_days`)
- HTTP port open to internet (`http_port_open`)
- IAM Access Analyzer not enabled (`iam_access_analyzer_not_enabled`)
- IAM database auth not enabled (`iam_database_auth_not_enabled`)
- IAM group inline policies (`iam_groups_inline_policies`)
- IAM group without users (`iam_group_without_users`)
- IAM managed policy applied to a user (`iam_managed_policy_applied_to_a_user`)
- IAM password without minimum length (`iam_password_without_minimum_length`)
- IAM policies attached to a user (`iam_policies_attached_to_user`)
- IAM policies with full privileges (`iam_policies_with_full_privileges`)
- IAM policies without groups (`iam_policies_without_groups`)
- IAM policy grants AssumeRole permission across all services (`iam_policy_grants_assumerole_permission_across_all_services`)
- IAM policy grants full permissions (`iam_policy_grants_full_permissions`)
- IAM policy on user (`iam_policy_on_user`)
- IAM role allows all principals to assume (`iam_role_allows_all_principals_to_assume`)
- IAM user has too many access keys (`iam_user_too_many_access_keys`)
- IAM user LoginProfile password is in plaintext (`iam_user_login_profile_password_is_in_plaintext`)
- IAM user with no group (`iam_user_with_no_group`)
- IAM user without password reset (`user_iam_missing_password_reset_required`)
- Inline policies are attached to an ECS service (`inline_policies_are_attached_to_ecs_service`)
- Instance with no VPC (`instance_with_no_vpc`)
- IoT policy allows a wildcard resource (`iot_policy_allows_wildcard_resource`)
- IoT policy allows action as a wildcard (`iot_policy_allows_action_as_wildcard`)
- Kinesis SSE not configured (`kinesis_sse_not_configured`)
- KMS allows a wildcard principal (`kms_allows_wildcard_principal`)
- KMS key rotation disabled (`kms_enable_key_rotation_disabled`)
- KMS key with a vulnerable policy (`kms_key_with_full_permissions`)
- Lambda function without dead-letter queue (`lambda_function_without_dead_letter_queue`)
- Lambda function without tags (`lambda_function_without_tags`)
- Lambda functions with full privileges (`lambda_functions_with_full_privileges`)
- Lambda functions without unique IAM roles (`lambda_functions_without_unique_iam_roles`)
- Lambda functions without X-Ray tracing (`lambda_functions_without_x-ray_tracing`)
- Lambda permission misconfigured (`lambda_permission_misconfigured`)
- Lambda permission principal is a wildcard (`lambda_permission_principal_is_wildcard`)
- Low RDS backup retention period (`low_rds_backup_retention_period`)
- MSK broker is publicly accessible (`msk_broker_is_publicly_accessible`)
- MSK cluster encryption disabled (`msk_cluster_encryption_disabled`)
- MSK cluster logging disabled (`msk_cluster_logging_disabled`)
- Neptune cluster with IAM database authentication disabled (`neptune_cluster_with_iam_database_authentication_disabled`)
- Neptune database cluster encryption disabled (`neptune_database_cluster_encryption_disabled`)
- Permissive Web ACL default action (`webacl_allow_defaultaction`)
- Public Lambda function via API Gateway (`public_lambda_via_api_gateway`)
- RDS associated with a public subnet (`rds_associated_with_public_subnet`)
- RDS DB instance publicly accessible (`rds_db_instance_publicly_accessible`)
- RDS DB instance with deletion protection disabled (`rds_db_instance_with_deletion_protection_disabled`)
- RDS Multi-AZ deployment disabled (`rds_multi_az_deployment_disabled`)
- RDS storage encryption disabled (`rds_storage_encryption_disabled`)
- RDS storage not encrypted (`rds_storage_not_encrypted`)
- RDS using default port (`rds_using_default_port`)
- RDS with backup disabled (`rds_with_backup_disabled`)
- Redshift cluster logging disabled (`redshift_cluster_logging_disabled`)
- Redshift cluster without a KMS CMK (`redshift_cluster_without_kms_cmk`)
- Redshift not encrypted (`redshift_not_encrypted`)
- Redshift publicly accessible (`redshift_publicly_accessible`)
- Redshift using default port (`redshift_using_default_port`)
- Refresh token is exposed (`refresh_token_is_exposed`)
- Remote Desktop port open to the internet (`remote_desktop_port_open_to_internet`)
- Root account has active access keys (`root_account_has_active_access_keys`)
- Route table with default routing (`routertable_with_default_routing`)
- Route53 record undefined (`route53_record_undefined`)
- S3 bucket access to any principal (`s3_bucket_access_to_any_principal`)
- S3 bucket ACL allows read or write to all users (`s3_bucket_acl_allows_read_or_write_to_all_users`)
- S3 bucket ACL allows read to all users (`s3_bucket_acl_allows_read_to_all_users`)
- S3 bucket ACL allows read to any authenticated user (`s3_bucket_acl_allows_read_to_any_authenticated_user`)
- S3 bucket allows delete action from all principals (`s3_bucket_allows_delete_actions_from_all_principals`)
- S3 bucket allows get action from all principals (`s3_bucket_allows_get_actions_from_all_principals`)
- S3 bucket allows list action from all principals (`s3_bucket_allows_list_actions_from_all_principals`)
- S3 bucket allows public ACL (`s3_bucket_allows_public_acl`)
- S3 bucket allows public policy (`s3_bucket_with_public_policy`)
- S3 bucket allows put action from all principals (`s3_bucket_allows_put_actions_from_all_principals`)
- S3 bucket allows restore actions from all principals (`s3_bucket_allows_restore_actions_from_all_principals`)
- S3 bucket CloudTrail logging disabled (`s3_bucket_cloudtrail_logging_disabled`)
- S3 bucket logging disabled (`s3_bucket_logging_disabled`)
- S3 bucket should have bucket policy (`s3_bucket_should_have_bucket_policy`)
- S3 bucket with all permissions (`s3_bucket_with_all_permissions`)
- S3 bucket with unsecured CORS rule (`s3_bucket_with_unsecured_cors_rule`)
- S3 bucket without ignore public ACL (`s3_bucket_without_ignore_public_acl`)
- S3 bucket without restriction of public bucket (`s3_bucket_without_restriction_of_public_bucket`)
- S3 bucket without server-side encryption (`s3_bucket_without_server_side_encryption`)
- S3 bucket without SSL in write actions (`s3_bucket_without_ssl_in_write_actions`)
- S3 bucket without versioning (`s3_bucket_without_versioning`)
- S3 static website host enabled (`s3_static_website_host_enabled`)
- SageMaker data encryption disabled (`sagemaker_data_encryption_disabled`)
- SageMaker enabling internet access (`sagemaker_enabling_internet_access`)
- SageMaker endpoint config should specify KmsKeyId attribute (`sagemaker_endpoint_config_should_specify_kms_key_id_attribute`)
- SageMaker notebook not placed in VPC (`sagemaker_notebook_not_placed_in_vpc`)
- SDB domain declared as a resource (`sdb_domain_declared_as_a_resource`)
- Secrets manager should specify KmsKeyId (`secrets_manager_should_specify_kms_key_id`)
- Secure ciphers disabled (`secure_ciphers_disabled`)
- Security group egress CIDR open to world (`security_group_egress_cidr_open_to_world`)
- Security group egress with all protocols (`security_group_egress_with_all_protocols`)
- Security group egress with port range (`security_group_egress_with_port_range`)
- Security group ingress has CIDR not recommended (`security_group_ingress_has_cidr_not_recommended`)
- Security group ingress with all protocols (`security_group_ingress_with_all_protocols`)
- Security group ingress with port range (`security_group_ingress_with_port_range`)
- Security group rule without description (`security_group_rule_without_description`)
- Security group unrestricted access to RDP (`security_groups_unrestricted_access_to_rdp`)
- Security group with unrestricted access to SSH (`security_groups_with_unrestricted_access_to_ssh`)
- Security groups allows unrestricted outbound traffic (`security_groups_allows_unrestricted_outbound_traffic`)
- Security groups with exposed admin ports (`security_groups_with_exhibited_admin_ports`)
- Security groups with meta IP (`security_groups_with_meta_ip`)
- Security groups without VPC attached (`security_groups_without_vpc_attached`)
- Serverless API access logging setting undefined (`serverless_api_access_logging_setting_undefined`)
- Serverless API cache cluster disabled (`serverless_api_cache_cluster_disabled`)
- Serverless API endpoint config not private (`serverless_api_endpoint_config_not_private`)
- Serverless API without content encoding (`serverless_api_without_content_encoding`)
- Serverless API X-Ray tracing disabled (`serverless_api_xray_tracing_disabled`)
- Serverless function environment variables not encrypted (`serverless_function_environment_variables_not_encrypted`)
- Serverless function without dead-letter queue (`serverless_function_without_dead_letter_queue`)
- Serverless function without tags (`serverless_function_without_tags`)
- Serverless function without unique IAM role (`serverless_function_without_unique_iam_role`)
- Serverless function without X-Ray tracing (`serverless_function_without_x-ray_tracing`)
- Shield Advanced not in use (`shield_advanced_not_in_use`)
- SNS topic is publicly accessible (`sns_topic_is_publicly_accessible`)
- SNS topic publicity has Allow and NotAction simultaneously (`sns_topic_publicity_has_allow_and_not_action_simultaneously`)
- SNS topic without KmsMasterKeyId (`sns_topic_without_kms_master_key_id`)
- SQS policy with public access (`sqs_policy_with_public_access`)
- SQS with SSE disabled (`sqs_with_sse_disabled`)
- Stack notifications disabled (`stack_notifications_disabled`)
- Stack retention disabled (`stack_retention_disabled`)
- Support has no role associated (`support_has_no_role_associated`)
- TCP UDP protocol network ACL entry allows all ports (`tcp_or_udp_protocol_network_acl_entry_allows_all_ports`)
- Unknown port exposed to internet (`unknown_port_exposed_to_internet`)
- Unrestricted security group ingress (`unrestricted_security_group_ingress`)
- Unscanned ECR image (`unscanned_ecr_image`)
- User data contains encoded private key (`user_data_contains_encoded_private_key`)
- VPC attached with too many gateways (`vpc_attached_with_too_many_gateways`)
- VPC Flow Logs disabled (`vpc_flowlogs_disabled`)
- VPC without attached subnet (`vpc_without_attached_subnet`)
- VPC without Network Firewall (`vpc_without_network_firewall`)
- Vulnerable default SSL certificate (`vulnerable_default_ssl_certificate`)
- Wildcard in ACM certificate domain name (`wildcard_in_acm_certificate_domain_name`)
- Workspace without encryption (`workspace_without_encryption`)
- ADD instead of COPY (`add_instead_of_copy`)
- apk add using local cache path (`apk_add_using_local_cache_path`)
- apt-get install lists were not deleted (`apt_get_install_lists_were_not_deleted`)
- apt-get install pin version not defined (`apt_get_install_pin_version_not_defined`)
- apt-get missing flags to avoid manual input (`apt_get_missing_flags_to_avoid_manual_input`)
- apt-get not avoiding additional packages (`apt_get_not_avoiding_additional_packages`)
- Avoid chmod 777 (`avoid_chmod_777`)
- Avoid HTTP (`avoid_http`)
- Changing default shell using RUN command (`changing_default_shell_using_run_command`)
- chown flag exists (`chown_flag_exists`)
- COPY --from references current FROM alias (`copy_from_references_current_from_alias`)
- COPY with more than
two arguments not ending with a slashcopy_with_more_than_two_arguments_not_ending_with_slash\> curl or wget instead of ADDcurl_or_wget_instead_of_add\> Dockerfile should specify base imageshould_specify_base_image\> ENV refers to itselfenv_no_refer_envvar\> Exposing port 22 (SSH)exposing_port_22\> First instruction must be ARG or FROMfirst_instruction_should_be_arg_or_from\> gem install without versiongem_install_without_version\> Healthcheck instruction missinghealthcheck_instruction_missing\> Image version not explicitimage_version_not_explicit\> Image version using latestimage_version_using_latest\> Last user is rootlast_user_is_root\> MAINTAINER instruction being usedmaintainer_instruction_being_used\> Missing dnf clean allmissing_dnf_clean_all\> Missing flag from dnf installmissing_flag_from_dnf_install\> Missing user instructionmissing_user_instruction\> Missing version specification in dnf installmissing_version_specification_in_dnf_install\> Missing zypper cleanmissing_zypper_clean\> Missing Zypper non-interactive switchmissing_zypper_non_interactive_switch\> Multiple CMD instructions listedmultiple_cmd_instructions_listed\> Multiple ENTRYPOINT instructions listedmultiple_entrypoint_instructions_listed\> Multiple HEALTHCHECK instructionsdo_not_use_multiple_healthcheck\> Multiple RUN, ADD, COPY instructions listedmultiple_run_add_copy_instructions_listed\> Not using JSON for CMD and ENTRYPOINT argumentsnot_using_json_in_cmd_and_entrypoint_arguments\> npm install command without pinned versionnpm_install_without_pinned_version\> ONBUILD cannot trigger FROM or MAINTAINERfrom_or_maintainer_cannot_be_triggered_within_onbuild\> Package update without install in same RUNupdate_instruction_alone\> pip install keeping cached packagespip_install_keeping_cached_packages\> RUN instruction using cd instead of WORKDIRrun_command_cd_instead_of_workdir\> Run using aptrun_using_apt\> Run using sudorun_using_sudo\> Run using wget and curlrun_using_wget_and_curl\> Run 
utilities and POSIX commandsrun_utilities_and_posix_commands\> Run yarn clean after yarn installrun_yarn_clean_after_yarn_install\> Same alias in different FROM statementssame_alias_in_different_froms\> Shell running a pipe without the pipefail flagshell_running_a_pipe_without_pipefail_flag\> UNIX ports out of rangeunix_ports_out_of_range\> Unpinned package version in apk addunpinned_package_version_in_apk_add\> Unpinned package version in pip installunpinned_package_version_in_pip_install\> Use only allowed registry in FROMuse_only_an_allowed_registry_in_the_from_image\> Use recommended flags with useradduse_recommended_flags_with_useradd\> Using --platform flag with FROM commandusing_platform_with_from\> Using unnamed build stagesusing_unnamed_build_stages\> WORKDIR path not absoluteworkdir_path_not_absolute\> yum clean all missingyum_clean_all_missing\> yum install allows manual inputyum_install_allows_manual_input\> yum install without versionyum_install_without_version\> Zypper install without explicit package versionzypper_install_without_version\> Always admit admission control plugin setalways_admit_admission_control_plugin_set\> Always pull images admission control plugin not setalways_pull_images_admission_control_plugin_not_set\> Anonymous auth is not set to falseanonymous_auth_is_not_set_to_false\> Audit log maxage not properly setaudit_log_maxage_not_properly_set\> Audit log maxbackup not properly setaudit_log_maxbackup_not_properly_set\> Audit log maxsize not properly setaudit_log_maxsize_not_properly_set\> Audit log path not setaudit_log_path_not_set\> Audit policy does not cover key security concernsaudit_policy_not_cover_key_security_concerns\> Audit policy file not definedaudit_policy_file_not_defined\> Authorization mode node not setauthorization_mode_node_not_set\> Authorization mode RBAC not setauthorization_mode_rbac_not_set\> Authorization mode set to always allowauthorization_mode_set_to_always_allow\> Auto TLS set to 
trueauto_tls_set_to_true\> Basic auth file is setbasic_auth_file_is_set\> Bind address not properly setbind_address_not_properly_set\> Certificate authority is not uniquenot_unique_certificate_authority\> Client certificate authentication not set up properlyclient_certificate_authentication_not_setup_properly\> Cluster admin rolebinding with superuser permissionscluster_admin_role_binding_with_super_user_permissions\> Cluster allows unsafe sysctlscluster_allows_unsafe_sysctls\> CNI plugin does not support network policiescni_plugin_does_not_support_network_policies\> Container is privilegedcontainer_is_privileged\> Container running as rootcontainers_running_as_root\> Container with low UIDcontainers_run_with_low_uid\> Container with unmasked /proc accesscontainer_runs_unmasked\> Containers missing drop capabilitiesno_drop_capabilities_for_containers\> Containers with added capabilitiescontainers_with_added_capabilities\> Containers with sys admin capabilitiescontainers_with_sys_admin_capabilities\> CPU limits not setcpu_limits_not_set\> CPU requests not setcpu_requests_not_set\> CronJob deadline not configuredcronjob_deadline_not_configured\> Dashboard is enableddashboard_is_enabled\> Deployment without podAntiAffinitydeployment_has_no_pod_anti_affinity\> Deployment without PodDisruptionBudgetdeployment_without_pod_disruption_budget\> Docker daemon socket is exposed to containersdocker_daemon_socket_is_exposed_to_containers\> Encryption provider config is not definedencryption_provider_config_is_not_defined\> Encryption provider not properly configuredencryption_provider_not_properly_configured\> Ensure administrative boundaries between resourcesensure_administrative_boundaries_between_resources\> etcd client certificate authentication set to falseetcd_client_certificate_authentication_set_to_false\> etcd client certificate file not definedetcd_client_certificate_file_not_defined\> etcd peer client certificate authentication set to 
falseetcd_peer_client_certificate_authentication_set_to_false\> etcd peer TLS certificate files not properly setetcd_peer_tls_certificate_files_not_properly_set\> etcd TLS certificate files not properly setetcd_tls_certificate_files_not_properly_set\> etcd TLS certificate not properly configuredetcd_tls_certificate_not_properly_configured\> Event rate limit admission control plugin not setevent_rate_limit_admission_control_plugin_not_set\> HPA targeted deployments with configured replica counthpa_targeted_deployments_with_configured_replica_count\> HPA targets invalid objecthpa_targets_invalid_object\> Image policy webhook admission control plugin not setimage_policy_webhook_admission_control_plugin_not_set\> Image pull policy of the container is not set to alwaysimage_pull_policy_of_container_is_not_always\> Image without digestimage_without_digest\> Incorrect volume claim access mode ReadWriteOnceincorrect_volume_claim_access_mode_read_write_once\> Ingress controller exposes workloadingress_controller_exposes_workload\> Insecure bind address setinsecure_bind_address_set\> Insecure port not properly setinsecure_port_not_properly_set\> Invalid image taginvalid_image\> Invalid metadata labelmetadata_label_is_invalid\> Kubelet certificate authority not setkubelet_certificate_authority_not_set\> Kubelet client certificate or key not setkubelet_client_certificate_or_key_not_set\> Kubelet client periodic certificate switch disabledkubelet_client_periodic_certificate_switch_disabled\> Kubelet event QPS not properly setkubelet_event_qps_not_properly_set\> Kubelet hostname override is setkubelet_hostname_override_is_set\> Kubelet HTTPS set to falsekubelet_https_set_to_false\> Kubelet not managing IP tableskubelet_not_managing_ip_tables\> Kubelet protect-kernel-defaults set to falsekubelet_protect_kernel_defaults_set_to_false\> Kubelet read-only port is not set to zerokubelet_read_only_port_is_not_set_to_zero\> Kubelet streaming connection timeout 
disabledkubelet_streaming_connection_timeout_disabled\> Liveness probe is not definedliveness_probe_is_not_defined\> Memory limits not definedmemory_limits_not_defined\> Memory requests not definedmemory_requests_not_defined\> Missing AppArmor profilemissing_app_armor_config\> Namespace lifecycle admission control plugin disablednamespace_lifecycle_admission_control_plugin_disabled\> NET_RAW capabilities disabled for PSPnet_raw_capabilities_disabled_for_psp\> NET_RAW capabilities not droppednet_raw_capabilities_not_being_dropped\> Network policy without Pod targetnetwork_policy_is_not_targeting_any_pod\> Node restriction admission control plugin not setnode_restriction_admission_control_plugin_not_set\> Non kube-system pod with host mountnon_kube_system_pod_with_host_mount\> Object is using a deprecated API versionobject_is_using_a_deprecated_api_version\> Peer auto TLS set to truepeer_auto_tls_set_to_true\> Permissive access to create podspermissive_access_to_create_pods\> Pod misconfigured network policypod_misconfigured_network_policy\> Pod or container without LimitRangepod_or_container_without_limit_range\> Pod or container without ResourceQuotapod_or_container_without_resource_quota\> Pod or container without security contextpod_or_container_without_security_context\> Pod security policy admission control plugin not setpod_security_policy_admission_control_plugin_not_set\> PodSecurityPolicy allows host network sharingpsp_containers_share_host_network_namespace\> Privilege escalation allowedprivilege_escalation_allowed\> Profiling not set to falseprofiling_not_set_to_false\> PSP allows privilege escalationpsp_allows_privilege_escalation\> PSP allows sharing host IPCpsp_allows_sharing_host_ipc\> PSP allows sharing host PIDpsp_allows_sharing_host_pid\> PSP set to privilegedpsp_set_to_privileged\> PSP with added capabilitiespsp_with_added_capabilities\> PSP with unrestricted access to host pathpsp_with_unrestricted_access_to_host_path\> RBAC roles allow privilege 
escalationrbac_roles_allow_privilege_escalation\> RBAC roles with attach permissionrbac_roles_with_attach_permission\> RBAC roles with exec permissionrbac_roles_with_exec_permission\> RBAC roles with impersonate permissionrbac_roles_with_impersonate_permission\> RBAC roles with port-forwarding permissionrbac_roles_with_portforwarding_permissions\> RBAC roles with read secrets permissionsrbac_roles_with_read_secrets_permissions\> RBAC wildcard in rulerbac_wildcard_in_rule\> Readiness probe is not configuredreadiness_probe_is_not_configured\> Request timeout not properly setrequest_timeout_not_properly_set\> Role binding to default service accountrole_binding_to_default_service_account\> Root CA file not definedroot_ca_file_not_defined\> Root container not mounted as read-onlyroot_container_not_mounted_as_read_only\> Root containers admittedroot_containers_admitted\> Rotate Kubelet server certificate not activerotate_kubelet_server_certificate_not_active\> Seccomp profile is not configuredseccomp_profile_is_not_configured\> Secrets used as environment variablessecrets_as_environment_variables\> Secure port set to zerosecure_port_set_to_zero\> Security context deny admission control plugin not setsecurity_context_deny_admission_control_plugin_not_set\> Service account admission control plugin disabledservice_account_admission_control_plugin_disabled\> Service account key file not properly setservice_account_key_file_not_properly_set\> Service account lookup set to falseservice_account_lookup_set_to_false\> Service account name undefined or emptyservice_account_name_undefined_or_empty\> Service account private key file not definedservice_account_private_key_file_not_defined\> Service account token auto-mount not disabledservice_account_token_automount_not_disabled\> Service does not target a Podservice_does_not_target_pod\> Service type is NodePortservice_type_is_nodeport\> Service with external load balancerservice_with_external_load_balancer\> ServiceAccount allows 
access to secretsservice_account_allows_access_secrets\> Shared host IPC namespaceshared_host_ipc_namespace\> Shared host network namespaceshared_host_network_namespace\> Shared host PID namespaceshared_host_pid_namespace\> Shared service accountshared_service_account\> StatefulSet requests storagestatefulset_requests_storage\> StatefulSet without podAntiAffinitystatefulset_has_no_pod_anti_affinity\> StatefulSet without PodDisruptionBudgetstatefulset_without_pod_disruption_budget\> StatefulSet without service namestatefulset_without_service_name\> Terminated pod garbage collector threshold not properly setterminated_pod_garbage_collector_threshold_not_properly_set\> Tiller (Helm v2) deployedtiller_is_deployed\> Tiller Deployment accessible within clustertiller_deployment_is_accessible_from_within_the_cluster\> Tiller Service presenttiller_service_is_not_deleted\> TLS connection certificate not set uptls_connection_certificate_not_setup\> Token auth file is settoken_auth_file_is_set\> Unrestricted capabilities in PodSecurityPolicynot_limited_capabilities_for_pod_security_policy\> Use service account credentials not set to trueuse_service_account_credentials_not_set_to_true\> Using Kubernetes native secret managementusing_kubernetes_native_secret_management\> Using unrecommended namespaceusing_unrecommended_namespace\> Volume mount with OS directory write permissionsvolume_mount_with_os_directory_write_permissions\> Weak TLS cipher suitesweak_tls_cipher_suites\> Workload host port not specifiedworkload_host_port_not_specified\> Workload mounting with sensitive OS directoryworkload_mounting_with_sensitive_os_directory\>
- Action trail logging for all regions disabled (`action_trail_logging_all_regions_disabled`)
- ActionTrail trail OSS bucket is publicly accessible (`actiontrail_trail_oss_bucket_is_publicly_accessible`)
- ALB listening on HTTP (`alb_listening_on_http`)
- API gateway API protocol not HTTPS (`api_gateway_api_protocol_not_https`)
- CMK is unusable (`cmk_is_unusable`)
- CS Kubernetes node pool auto repair disabled (`cs_kubernetes_node_pool_auto_repair_disabled`)
- Disk encryption disabled (`disk_encryption_disabled`)
- ECS data disk KMS key ID undefined (`ecs_data_disk_kms_key_id_undefined`)
- High KMS key rotation period (`high_kms_key_rotation_period`)
- Kubernetes cluster without Terway as CNI network plugin (`kubernetes_cluster_without_terway_as_cni_network_plugin`)
- Launch template is not encrypted (`launch_template_is_not_encrypted`)
- Log retention is not greater than 90 days (`log_retention_is_not_greater_than_90_days`)
- NAS file system not encrypted (`nas_file_system_not_encrypted`)
- NAS file system without KMS (`nas_file_system_without_kms`)
- No ROS stack policy (`no_ros_stack_policy`)
- OSS bucket allows all actions from all principals (`oss_bucket_allows_all_actions_from_all_principals`)
- OSS bucket allows delete action from all principals (`oss_bucket_allows_delete_from_all_principals`)
- OSS bucket allows list action from all principals (`oss_bucket_allows_list_action_from_all_principals`)
- OSS bucket allows put action from all principals (`oss_bucket_allows_put_action_from_all_principals`)
- OSS bucket encryption using CMK disabled (`oss_bucket_cmk_encryption_disabled`)
- OSS bucket has static website (`oss_bucket_has_static_website`)
- OSS bucket IP restriction disabled (`oss_bucket_ip_restriction_disabled`)
- OSS bucket lifecycle rule disabled (`oss_bucket_lifecycle_disabled`)
- OSS bucket logging disabled (`oss_bucket_logging_disabled`)
- OSS bucket public access enabled (`oss_bucket_public_access_enabled`)
- OSS bucket transfer acceleration disabled (`oss_bucket_transfer_acceleration_disabled`)
- OSS bucket versioning disabled (`oss_bucket_versioning_disabled`)
- OSS buckets secure transport disabled (`oss_buckets_securetransport_disabled`)
- Public security group rule all ports or protocols (`public_security_group_rule_all_ports_or_protocols`)
- Public security group rule sensitive port (`public_security_group_rule_sensitive_port`)
- Public security group rule unknown port (`public_security_group_rule_unknown_port`)
- RAM account password policy does not enforce minimum password length (`ram_account_password_policy_not_required_minimum_length`)
- RAM account password policy does not require numbers (`ram_account_password_policy_not_required_numbers`)
- RAM account password policy does not require symbols (`ram_account_password_policy_not_required_symbols`)
- RAM account password policy max login attempts not recommended (`ram_account_password_policy_max_login_attempts_unrecommended`)
- RAM account password policy max password age not recommended (`ram_account_password_policy_max_password_age_unrecommended`)
- RAM account password policy not require at least one lowercase character (`ram_password_security_policy_not_require_at_least_one_lowercase_character`)
- RAM account password policy not require at least one uppercase character (`ram_password_security_policy_not_require_at_least_one_uppercase_character`)
- RAM account password policy without reuse prevention (`ram_account_password_policy_without_reuse_prevention`)
- RAM policy admin access not attached to users groups roles (`ram_policy_admin_access_not_attached_to_users_groups_roles`)
- RAM policy attached to user (`ram_policy_attached_to_user`)
- RAM security preference does not enforce MFA login (`ram_security_preference_not_enforce_mfa`)
- RDS DB instance publicly accessible (`rds_instance_address_publicly_accessible`)
- RDS DB instance publicly accessible (`rds_instance_publicly_accessible`)
- RDS instance events not logged (`rds_instance_events_not_logged`)
- RDS instance log connections disabled (`rds_instance_log_connections_disabled`)
- RDS instance log disconnections disabled (`rds_instance_log_disconnections_disabled`)
- RDS instance log duration disabled (`rds_instance_log_duration_disabled`)
- RDS instance retention period not recommended (`rds_instance_retention_not_recommended`)
- RDS instance SSL action disabled (`rds_instance_ssl_action_disabled`)
- RDS instance TDE status disabled (`rds_instance_tde_status_disabled`)
- ROS stack notifications disabled (`ros_stack_notifications_disabled`)
- ROS stack retention disabled (`ros_stack_retention_disabled`)
- ROS stack without template (`ros_stack_without_template`)
- SLB policy with insecure TLS version in use (`slb_policy_with_insecure_tls_version_in_use`)
- VPC flow logs disabled (`vpc_flow_logs_disabled`)

- ALB deletion protection disabled (`alb_deletion_protection_disabled`)
- ALB is not integrated with WAF (`alb_is_not_integrated_with_waf`)
- ALB listening on HTTP (`alb_listening_on_http`)
- ALB not dropping invalid headers (`alb_not_dropping_invalid_headers`)
- Amazon DMS replication instance is publicly accessible (`amazon_dms_replication_instance_is_publicly_accessible`)
- AmazonMQ broker encryption disabled (`amazon_mq_broker_encryption_disabled`)
- AMI most recent without owner or filter (`ami_owner_missing`)
- AMI not encrypted (`ami_not_encrypted`)
- AMI shared with multiple accounts (`ami_shared_with_multiple_accounts`)
- API Gateway access logging disabled (`api_gateway_access_logging_disabled`)
- API Gateway deployment without access log setting (`api_gateway_deployment_without_access_log_setting`)
- API gateway deployment without API gateway usage plan associated (`api_gateway_deployment_without_api_gateway_usage_plan_associated`)
- API Gateway endpoint config is not private (`api_gateway_endpoint_config_is_not_private`)
- API Gateway method does not contains an API key (`api_gateway_method_does_not_contains_an_api_key`)
- API Gateway method settings cache not encrypted (`api_gateway_method_settings_cache_not_encrypted`)
- API Gateway stage without API Gateway usage plan associated (`api_gateway_stage_without_api_gateway_usage_plan_associated`)
- API Gateway with CloudWatch logging disabled (`api_gateway_with_cloudwatch_logging_disabled`)
- API Gateway with invalid compression (`api_gateway_with_invalid_compression`)
- API Gateway with open access (`api_gateway_with_open_access`)
- API Gateway without configured authorizer (`api_gateway_without_configured_authorizer`)
- API Gateway without security policy (`api_gateway_without_security_policy`)
- API Gateway without SSL certificate (`api_gateway_without_ssl_certificate`)
- API Gateway without WAF (`api_gateway_without_waf`)
- API Gateway X-Ray disabled (`api_gateway_xray_disabled`)
- Athena database not encrypted (`athena_database_not_encrypted`)
- Athena workgroup not encrypted (`athena_workgroup_not_encrypted`)
- Aurora with disabled at rest encryption (`aurora_with_disabled_at_rest_encryption`)
- Authentication without MFA (`authentication_without_mfa`)
- Auto scaling group with no associated ELB (`auto_scaling_group_with_no_associated_elb`)
- Automatic minor upgrades disabled (`automatic_minor_upgrades_disabled`)
- Autoscaling groups supply tags (`autoscaling_groups_supply_tags`)
- AWS password policy with unchangeable passwords (`aws_password_policy_with_unchangeable_passwords`)
- Batch job definition with privileged container properties (`batch_job_definition_with_privileged_container_properties`)
- CA certificate identifier is outdated (`ca_certificate_identifier_is_outdated`)
- CDN configuration is missing (`cdn_configuration_is_missing`)
- Certificate has expired (`certificate_has_expired`)
- Certificate RSA key bytes lower than 256 (`certificate_rsa_key_bytes_lower_than_256`)
- CloudFront logging disabled (`cloudfront_logging_disabled`)
- Cloudfront viewer protocol policy allows HTTP (`cloudfront_viewer_protocol_policy_allows_http`)
- CloudFront without minimum protocol TLS 1.2 (`cloudfront_without_minimum_protocol_tls_1.2`)
- CloudFront without WAF (`cloudfront_without_waf`)
- CloudTrail log file validation disabled (`cloudtrail_log_file_validation_disabled`)
- CloudTrail log files not encrypted with KMS (`cloudtrail_log_files_not_encrypted_with_kms`)
- CloudTrail log files S3 bucket is publicly accessible (`cloudtrail_log_files_s3_bucket_is_publicly_accessible`)
- CloudTrail log files S3 bucket with logging disabled (`cloudtrail_log_files_s3_bucket_with_logging_disabled`)
- CloudTrail logging disabled (`cloudtrail_logging_disabled`)
- CloudTrail multi region disabled (`cloudtrail_multi_region_disabled`)
- CloudTrail not integrated with CloudWatch (`cloudtrail_not_integrated_with_cloudwatch`)
- CloudTrail SNS topic name undefined (`cloudtrail_sns_topic_name_undefined`)
- CloudWatch AWS Config configuration changes alarm missing (`cloudwatch_aws_config_configuration_changes_alarm_missing`)
- CloudWatch changes to NACL alarm missing (`cloudwatch_changes_to_nacl_alarm_missing`)
- Cloudwatch CloudTrail configuration changes alarm missing (`cloudwatch_cloudtrail_configuration_changes_alarm_missing`)
- CloudWatch console sign-in without MFA alarm missing (`cloudwatch_management_console_sign_in_without_mfa_alarm_missing`)
- CloudWatch disabling or scheduled deletion of customer created CMK alarm missing (`cloudwatch_disabling_or_scheduled_deletion_of_customer_created_cmk_alarm_missing`)
- CloudWatch IAM policy changes alarm missing (`cloudwatch_iam_policy_changes_alarm_missing`)
- CloudWatch log group without KMS (`cloudwatch_log_group_not_encrypted`)
- CloudWatch logging disabled (`cloudwatch_logging_disabled`)
- CloudWatch logs destination with vulnerable policy (`cloudwatch_logs_destination_with_vulnerable_policy`)
- CloudWatch management console auth failed alarm missing (`cloudwatch_management_console_auth_failed_alarm_missing`)
- CloudWatch metrics disabled (`cloudwatch_metrics_disabled`)
- CloudWatch network gateways changes alarm missing (`cloudwatch_network_gateways_changes_alarm_missing`)
- CloudWatch root account use missing (`cloudwatch_root_account_use_alarm_missing`)
- CloudWatch route table changes alarm missing (`cloudwatch_route_table_changes_alarm_missing`)
- CloudWatch S3 policy change alarm missing (`cloudwatch_s3_policy_change_alarm_missing`)
- Cloudwatch security group changes alarm missing (`cloudwatch_security_group_changes_alarm_missing`)
- CloudWatch unauthorized access alarm missing (`cloudwatch_unauthorized_access_defined_alarm_missing`)
- CloudWatch VPC changes alarm missing (`cloudwatch_vpc_changes_alarm_missing`)
- CloudWatch without retention period specified (`cloudwatch_without_retention_period_specified`)
- CMK is unusable (`cmk_is_unusable`)
- CMK rotation disabled (`cmk_rotation_disabled`)
- CodeBuild project encrypted with AWS managed key (`codebuild_project_encrypted_with_aws_managed_key`)
- Cognito user pool without MFA (`cognito_userpool_without_mfa`)
- Config rule for encrypted volumes disabled (`config_rule_for_encrypted_volumes_is_disabled`)
- Configuration aggregator to all regions disabled (`config_configuration_aggregator_to_all_regions_disabled`)
- Cross-account IAM assume role policy without external id or MFA (`cross_account_iam_assume_role_policy_without_external_id_or_mfa`)
- DAX cluster not encrypted (`dax_cluster_not_encrypted`)
- DB instance storage not encrypted (`db_instance_storage_not_encrypted`)
- DB security group has public interface (`db_security_group_has_public_interface`)
- DB security group open to large scope (`db_security_group_open_to_large_scope`)
- DB security group with public scope (`db_security_group_with_public_scope`)
- DB snapshot is public (`db_snapshot_public`)
- Default security groups with unrestricted traffic (`default_security_groups_with_unrestricted_traffic`)
- Default VPC exists (`default_vpc_exists`)
- DMS endpoints without SSL (`dms_endpoint_no_ssl_configured`)
- DocumentDB cluster encrypted with AWS managed key (`docdb_cluster_encrypted_with_aws_managed_key`)
- DocumentDB cluster not encrypted (`docdb_cluster_not_encrypted`)
- DocumentDB cluster without KMS (`docdb_cluster_without_kms`)
- DocumentDB logging is disabled (`docdb_logging_disabled`)
- DynamoDB table not encrypted (`dynamodb_table_not_encrypted`)
- DynamoDB table Point-in-Time Recovery disabled (`dynamodb_table_point_in_time_recovery_disabled`)
- Dynamodb VPC endpoint without route table association (`dynamodb_vpc_endpoint_without_route_table_association`)
- EBS default encryption disabled (`ebs_default_encryption_disabled`)
- EBS volume encryption disabled (`ebs_volume_encryption_disabled`)
- EBS volume snapshot not encrypted (`ebs_volume_snapshot_not_encrypted`)
- EC2 instance has public IP (`ec2_instance_has_public_ip`)
- EC2 instance monitoring disabled (`ec2_instance_monitoring_disabled`)
- EC2 instance using API keys (`ec2_instance_using_api_keys`)
- EC2 instance using default security group (`ec2_instance_using_default_security_group`)
- EC2 instance using default VPC (`ec2_instance_using_default_vpc`)
- EC2 not EBS optimized (`ec2_not_ebs_optimized`)
- ECR image tag not immutable (`ecr_image_tag_not_immutable`)
- ECR repository is publicly accessible (`ecr_repository_is_publicly_accessible`)
- ECR repository not encrypted with CMK (`ecr_repository_not_encrypted`)
- ECR repository without policy (`ecr_repository_without_policy`)
- ECS cluster with container insights disabled (`ecs_cluster_container_insights_disabled`)
- ECS service admin role is present (`ecs_service_admin_role_is_present`)
- ECS service without running tasks (`ecs_service_without_running_tasks`)
- ECS task definition network mode not recommended (`ecs_task_definition_network_mode_not_recommended`)
- ECS task definition volume not encrypted (`ecs_task_definition_volume_not_encrypted`)
- EFS not encrypted (`efs_not_encrypted`)
- EFS with vulnerable policy (`efs_with_vulnerable_policy`)
- EFS without KMS (`efs_without_kms`)
- EKS cluster encryption disabled (`eks_cluster_encryption_disabled`)
- EKS cluster has public access (`eks_cluster_has_public_access`)
- EKS cluster has public access CIDRs (`eks_cluster_has_public_access_cidrs`)
- EKS cluster logging is not enabled (`eks_cluster_log_disabled`)
- EKS node group remote access disabled (`eks_node_group_remote_access_disabled`)
- ElastiCache nodes not created across multi AZ (`elasticache_nodes_not_created_across_multi_az`)
- ElastiCache Redis cluster without backup (`elasticache_redis_cluster_without_backup`)
- ElastiCache replication group not encrypted at rest (`elasticache_replication_group_not_encrypted_at_rest`)
- ElastiCache replication group not encrypted at transit (`elasticache_replication_group_not_encrypted_at_transit`)
- ElastiCache using default port (`elasticache_using_default_port`)
- ElastiCache without VPC (`elasticache_without_vpc`)
- Elasticsearch domain not encrypted node to node (`elasticsearch_domain_not_encrypted_node_to_node`)
- Elasticsearch domain with vulnerable policy (`elasticsearch_domain_with_vulnerable_policy`)
- Elasticsearch encryption with KMS disabled (`elasticsearch_encryption_with_kms_is_disabled`)
- Elasticsearch log disabled (`elasticsearch_logs_disabled`)
- Elasticsearch not encrypted at rest (`elasticsearch_not_encrypted_at_rest`)
- Elasticsearch uses default security group (`elasticsearch_using_default_security_group`)
- Elasticsearch with HTTPS disabled (`elasticsearch_with_https_disabled`)
- Elasticsearch without IAM authentication (`elasticsearch_without_iam_authentication`)
- Elasticsearch without slow logs (`elasticsearch_without_slow_logs`)
- ELB access log disabled (`elb_access_logging_disabled`)
- ELB using insecure protocols (`elb_using_insecure_protocols`)
- ELB using weak ciphers (`elb_using_weak_ciphers`)
- EMR without VPC (`emr_without_vpc`)
- Fine-grained access control disabled for OpenSearch/Elasticsearch (`elasticsearch_no_finegrain_access_control`)
- Global Accelerator flow logs disabled (`global_accelerator_flow_logs_disabled`)
- Glue Data Catalog encryption disabled (`glue_data_catalog_encryption_disabled`)
- Glue security configuration encryption disabled (`glue_security_configuration_encryption_disabled`)
- Glue with vulnerable policy (`glue_with_vulnerable_policy`)
- Group with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' (`group_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack`)
- Group with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' (`group_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances`)
- Group with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' (`group_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint`)
- Group with privilege escalation by actions 'glue:UpdateDevEndpoint' (`group_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint`)
- Group with privilege escalation by actions 'iam:AddUserToGroup' (`group_with_privilege_escalation_by_actions_iam_AddUserToGroup`)
- Group with privilege escalation by actions 'iam:AttachGroupPolicy' (`group_with_privilege_escalation_by_actions_iam_AttachGroupPolicy`)
- Group with privilege escalation by actions 'iam:AttachRolePolicy' (`group_with_privilege_escalation_by_actions_iam_AttachRolePolicy`)
- Group with privilege escalation by actions
'iam:AttachUserPolicy'group_with_privilege_escalation_by_actions_iam_AttachUserPolicy\> Group with privilege escalation by actions 'iam:CreateAccessKey'group_with_privilege_escalation_by_actions_iam_CreateAccessKey\> Group with privilege escalation by actions 'iam:CreateLoginProfile'group_with_privilege_escalation_by_actions_iam_CreateLoginProfile\> Group with privilege escalation by actions 'iam:CreatePolicyVersion'group_with_privilege_escalation_by_actions_iam_CreatePolicyVersion\> Group with privilege escalation by actions 'iam:PutGroupPolicy'group_with_privilege_escalation_by_actions_iam_PutGroupPolicy\> Group with privilege escalation by actions 'iam:PutRolePolicy'group_with_privilege_escalation_by_actions_iam_PutRolePolicy\> Group with privilege escalation by actions 'iam:PutUserPolicy'group_with_privilege_escalation_by_actions_iam_PutUserPolicy\> Group with privilege escalation by actions 'iam:SetDefaultPolicyVersion'group_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion\> Group with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole'group_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole\> Group with privilege escalation by actions 'iam:UpdateLoginProfile'group_with_privilege_escalation_by_actions_iam_UpdateLoginProfile\> Group with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction'group_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction\> Group with privilege escalation by actions 'lambda:UpdateFunctionCode'group_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode\> GuardDuty detector disabledguardduty_detector_disabled\> HTTP port open to internethttp_port_open\> IAM access key is exposediam_access_key_is_exposed\> IAM database auth not enablediam_database_auth_not_enabled\> IAM group without usersiam_group_without_users\> IAM password policy does not require 
lowercase letteriam_password_does_not_require_lowercase\> IAM password policy does not require numbersiam_password_does_not_require_number\> IAM password policy does not require symboliam_password_does_not_require_symbol\> IAM password policy does not require uppercase letteriam_password_does_not_require_uppercase\> IAM password without minimum lengthiam_password_without_minimum_length\> IAM policies attached to useriam_policies_attached_to_user\> IAM policies with full privilegesiam_policies_with_full_privileges\> IAM policy grants 'AssumeRole' permission across all servicesiam_policy_grants_assumerole_permission_across_all_services\> IAM policy grants full permissionsiam_policy_grants_full_permissions\> IAM role allows all principals to assumeiam_role_allows_all_principals_to_assume\> IAM role policy passrole allows alliam_role_policy_passrole_allows_all\> IAM role with full privilegesiam_role_with_full_privileges\> IAM user has too many access keysiam_user_too_many_access_keys\> IAM user policy without MFAiam_user_policy_without_mfa\> IAM user with access to consoleiam_user_with_access_to_console\> IMDSv1 enabledimdsv1_is_enabled\> Instance with no VPCinstance_with_no_vpc\> Kinesis not encrypted with KMSkinesis_not_encrypted_with_kms\> Kinesis SSE not configuredkinesis_sse_not_configured\> KMS key with no deletion windowkms_key_with_no_deletion_window\> KMS key with vulnerable policykms_key_with_full_permissions\> Lambda function publicly accessiblelambda_function_publicly_accessible\> Lambda function with privileged rolelambda_function_with_privileged_role\> Lambda functions without X-Ray tracinglambda_functions_without_x-ray_tracing\> Lambda IAM InvokeFunction misconfiguredlambda_iam_invokefunction_misconfigured\> Lambda permission misconfiguredlambda_permission_misconfigured\> Lambda permission principal is wildcardlambda_permission_principal_is_wildcard\> Lambda with vulnerable policylambda_with_vulnerable_policy\> Launch configuration is not 
encryptedlaunch_configuration_is_not_encrypted\> Misconfigured password policy expirationmisconfigured_password_policy_expiration\> Missing CloudWatch alarm for AWS Organizations changescloudwatch_aws_organizations_changes_missing_alarm\> Missing cluster log typesmissing_cluster_log_types\> MQ broker is publicly accessiblemq_broker_is_publicly_accessible\> MQ broker logging disabledmq_broker_logging_disabled\> MSK broker is publicly accessiblemsk_broker_is_publicly_accessible\> MSK cluster encryption disabledmsk_cluster_encryption_disabled\> MSK cluster logging disabledmsk_cluster_logging_disabled\> Neptune cluster instance is publicly accessibleneptune_cluster_instance_is_publicly_accessible\> Neptune cluster snapshot not encryptedneptune_snapshots_not_encrypted\> Neptune cluster with IAM database authentication disabledneptune_cluster_with_iam_database_authentication_disabled\> Neptune database cluster encryption disabledneptune_database_cluster_encryption_disabled\> Neptune logging is disabledneptune_logging_disabled\> Network ACL with unrestricted access to RDPnetwork_acl_with_unrestricted_access_to_rdp\> Network ACL with unrestricted access to SSHnetwork_acl_with_unrestricted_access_to_ssh\> No password policy enabledno_password_policy_enabled\> No stack policyno_stack_policy\> Password without reuse preventionpassword_without_reuse_prevention\> Policy without principalpolicy_without_principal\> Public and private EC2 share rolepublic_and_private_ec2_share_role\> Public Lambda via API Gatewaypublic_lambda_via_api_gateway\> RDS associated with public subnetrds_associated_with_public_subnet\> RDS cluster with backup disabledrds_cluster_with_backup_disabled\> RDS database cluster not encryptedrds_database_cluster_not_encrypted\> RDS DB instance publicly accessiblerds_db_instance_publicly_accessible\> RDS storage not encryptedrds_storage_not_encrypted\> RDS using default portrds_using_default_port\> RDS with backup disabledrds_with_backup_disabled\> RDS without 
loggingrds_without_logging\> Redis disabledredis_disabled\> Redis not compliantredis_not_compliant\> Redshift cluster logging disabledredshift_cluster_logging_disabled\> Redshift cluster without VPCredshift_cluster_without_vpc\> Redshift not encryptedredshift_not_encrypted\> Redshift publicly accessibleredshift_publicly_accessible\> Redshift using default portredshift_using_default_port\> Remote Desktop port open to internetremote_desktop_port_open_to_internet\> Resource not using tagsresource_not_using_tags\> REST API with vulnerable policyrest_api_with_vulnerable_policy\> Role with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole'role_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack\> Role with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole'role_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances\> Role with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole'role_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint\> Role with privilege escalation by actions 'glue:UpdateDevEndpoint'role_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint\> Role with privilege escalation by actions 'iam:AddUserToGroup'role_with_privilege_escalation_by_actions_iam_AddUserToGroup\> Role with privilege escalation by actions 'iam:AttachGroupPolicy'role_with_privilege_escalation_by_actions_iam_AttachGroupPolicy\> Role with privilege escalation by actions 'iam:AttachRolePolicy'role_with_privilege_escalation_by_actions_iam_AttachRolePolicy\> Role with privilege escalation by actions 'iam:AttachUserPolicy'role_with_privilege_escalation_by_actions_iam_AttachUserPolicy\> Role with privilege escalation by actions 'iam:CreateAccessKey'role_with_privilege_escalation_by_actions_iam_CreateAccessKey\> Role with privilege escalation by actions 'iam:CreateLoginProfile'role_with_privilege_escalation_by_actions_iam_CreateLoginProfile\> Role 
with privilege escalation by actions 'iam:CreatePolicyVersion'role_with_privilege_escalation_by_actions_iam_CreatePolicyVersion\> Role with privilege escalation by actions 'iam:PutGroupPolicy'role_with_privilege_escalation_by_actions_iam_PutGroupPolicy\> Role with privilege escalation by actions 'iam:PutRolePolicy'role_with_privilege_escalation_by_actions_iam_PutRolePolicy\> Role with privilege escalation by actions 'iam:PutUserPolicy'role_with_privilege_escalation_by_actions_iam_PutUserPolicy\> Role with privilege escalation by actions 'iam:SetDefaultPolicyVersion'role_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion\> Role with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole'role_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole\> Role with privilege escalation by actions 'iam:UpdateLoginProfile'role_with_privilege_escalation_by_actions_iam_UpdateLoginProfile\> Role with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction'role_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_lambda_InvokeFunction\> Role with privilege escalation by actions 'lambda:UpdateFunctionCode'role_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode\> Root account has active access keysroot_account_has_active_access_keys\> Route53 record undefinedroute53_record_undefined\> S3 bucket access to any principals3_bucket_access_to_any_principal\> S3 bucket ACL allows read or write to all userss3_bucket_acl_allows_read_or_write_to_all_users\> S3 bucket ACL allows read to any authenticated users3_bucket_acl_allows_read_to_any_authenticated_user\> S3 bucket ACL grants WRITE_ACP permissions3_bucket_acl_grants_write_acp_permission\> S3 bucket allows authenticated users accesss3_bucket_allows_access_to_all_authenticated_users\> S3 bucket allows delete action from all principalss3_bucket_allows_delete_action_from_all_principals\> S3 
bucket allows get action from all principalss3_bucket_allows_get_action_from_all_principals\> S3 bucket allows list action from all principalss3_bucket_allows_list_action_from_all_principals\> S3 bucket allows public ACLs3_bucket_allows_public_acl\> S3 bucket allows public policys3_bucket_with_public_policy\> S3 bucket allows put action from all principalss3_bucket_allows_put_action_from_all_principals\> S3 bucket logging disableds3_bucket_logging_disabled\> S3 bucket object not encrypteds3_bucket_object_not_encrypted\> S3 bucket object-level CloudTrail logging disableds3_bucket_object_level_cloudtrail_logging_disabled\> S3 bucket policy accepts HTTP requestss3_bucket_policy_accepts_http_requests\> S3 bucket public ACL overridden by public access blocks3_bucket_public_acl_overridden_by_public_access_block\> S3 bucket with all permissionss3_bucket_with_all_permissions\> S3 bucket with unsecured CORS rules3_bucket_with_unsecured_cors_rule\> S3 bucket without enabled MFA deletes3_bucket_without_enabled_mfa_delete\> S3 bucket without ignore public ACLs3_bucket_without_ignore_public_acl\> S3 bucket without restriction of public buckets3_bucket_without_restriction_of_public_bucket\> S3 bucket without versionings3_bucket_without_versioning\> S3 static website host enableds3_static_website_host_enabled\> SageMaker endpoint configuration encryption disabledsagemaker_endpoint_configuration_encryption_disabled\> SageMaker notebook instance without KMSsagemaker_notebook_instance_without_kms\> SageMaker notebook internet access enabledsagemaker_direct_internet_access_enabled\> Secrets Manager secret encrypted with AWS-managed keysecretsmanager_secret_encrypted_with_aws_managed_key\> Secrets Manager secret without KMSsecretsmanager_secret_without_kms\> Secrets Manager with vulnerable policysecrets_manager_with_vulnerable_policy\> Secure ciphers disabledsecure_ciphers_disabled\> Security group not usedsecurity_groups_not_used\> Security group rule without 
descriptionsecurity_group_rules_without_description\> Security group rule without descriptionsecurity_group_without_description\> Security group with unrestricted access to SSHsecurity_group_with_unrestricted_access_to_ssh\> Sensitive port is exposed to entire networksensitive_port_is_exposed_to_entire_network\> Sensitive port is exposed to small public networksensitive_port_is_exposed_to_small_public_network\> Sensitive port is exposed to wide private networksensitive_port_is_exposed_to_wide_private_network\> Service control policies disabledservice_control_policies_disabled\> SES policy with allowed IAM actionsses_policy_with_allowed_iam_actions\> Shield Advanced not in useshield_advanced_not_in_use\> SNS topic encrypted with AWS managed keysns_topic_encrypted_with_aws_managed_key\> SNS topic is publicly accessiblesns_topic_is_publicly_accessible\> SNS topic not encryptedsns_topic_not_encrypted\> SNS topic publicity has allow and NotAction simultaneouslysns_topic_publicity_has_allow_and_not_action_simultaneously\> SQL analysis services port 2383 (TCP) is publicly accessiblesql_analysis_services_port_2383_is_publicly_accessible\> SQS policy allows all actionssqs_policy_allows_all_actions\> SQS policy with public accesssqs_policy_with_public_access\> SQS queue exposedsqs_queue_exposed\> SQS VPC endpoint without DNS resolutionsqs_vpc_endpoint_without_dns_resolution\> SQS with SSE disabledsqs_with_sse_disabled\> SSM session transit encryption disabledssm_session_transit_encryption_disabled\> SSO identity user unsafe creationsso_identity_user_unsafe_creation\> SSO permission with inadequate user session durationsso_permission_with_inadequate_user_session_duration\> SSO policy with full privilegessso_policy_with_full_privileges\> Stack notifications disabledstack_notifications_disabled\> Stack retention disabledstack_retention_disabled\> Stack without templatestack_without_template\> Team tag missing on AWS resourceteam_tag_not_present\> Unknown port exposed to 
internetunknown_port_exposed_to_internet\> Unrestricted security group ingressunrestricted_security_group_ingress\> Unscanned ECR imageunscanned_ecr_image\> User data contains encoded private keyuser_data_contains_encoded_private_key\> User with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole'user_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack\> User with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole'user_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances\> User with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole'user_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint\> User with privilege escalation by actions 'glue:UpdateDevEndpoint'user_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint\> User with privilege escalation by actions 'iam:AddUserToGroup'user_with_privilege_escalation_by_actions_iam_AddUserToGroup\> User with privilege escalation by actions 'iam:AttachGroupPolicy'user_with_privilege_escalation_by_actions_iam_AttachGroupPolicy\> User with privilege escalation by actions 'iam:AttachRolePolicy'user_with_privilege_escalation_by_actions_iam_AttachRolePolicy\> User with privilege escalation by actions 'iam:AttachUserPolicy'user_with_privilege_escalation_by_actions_iam_AttachUserPolicy\> User with privilege escalation by actions 'iam:CreateAccessKey'user_with_privilege_escalation_by_actions_iam_CreateAccessKey\> User with privilege escalation by actions 'iam:CreateLoginProfile'user_with_privilege_escalation_by_actions_iam_CreateLoginProfile\> User with privilege escalation by actions 'iam:CreatePolicyVersion'user_with_privilege_escalation_by_actions_iam_CreatePolicyVersion\> User with privilege escalation by actions 'iam:PutGroupPolicy'user_with_privilege_escalation_by_actions_iam_PutGroupPolicy\> User with privilege escalation by actions 
'iam:PutRolePolicy'user_with_privilege_escalation_by_actions_iam_PutRolePolicy\> User with privilege escalation by actions 'iam:PutUserPolicy'user_with_privilege_escalation_by_actions_iam_PutUserPolicy\> User with privilege escalation by actions 'iam:SetDefaultPolicyVersion'user_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion\> User with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole'user_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole\> User with privilege escalation by actions 'iam:UpdateLoginProfile'user_with_privilege_escalation_by_actions_iam_UpdateLoginProfile\> User with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction'user_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction\> User with privilege escalation by actions 'lambda:UpdateFunctionCode'user_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode\> VPC default security group accepts all trafficvpc_default_security_group_accepts_all_traffic\> VPC Flow Logs disabledvpc_flowlogs_disabled\> VPC peering route table with unrestricted CIDRvpc_peering_route_table_with_unrestricted_cidr\> VPC subnet assigns public IPvpc_subnet_assigns_public_ip\> VPC without Network Firewallvpc_without_network_firewall\> Vulnerable default SSL certificatevulnerable_default_ssl_certificate\> Workspaces workspace volume not encryptedworkspaces_workspace_volume_not_encrypted\> AD admin not configured for SQL serverad_admin_not_configured_for_sql_server\> Admin user enabled for container registryadmin_user_enabled_for_container_registry\> AKS disk encryption set ID undefinedaks_disk_encryption_set_id_undefined\> AKS network policy misconfiguredaks_network_policy_misconfigured\> AKS private cluster disabledaks_private_cluster_disabled\> AKS RBAC disabledaks_rbac_disabled\> App Service authentication 
disabledapp_service_authentication_disabled\> App Service FTPS enforce disabledapp_service_ftps_enforce_disabled\> App Service HTTP2 disabledapp_service_http2_disabled\> App Service managed identity disabledapp_service_managed_identity_disabled\> App Service not using latest TLS encryption versionapp_service_not_using_latest_tls_encryption_version\> App Service without latest PHP versionapp_service_without_latest_php_version\> App Service without latest Python versionapp_service_without_latest_python_version\> Azure Active Directory authenticationazure_active_directory_authentication\> Azure App Service client certificate disabledazure_app_service_client_certificate_disabled\> Azure Cognitive Search public network access enabledazure_cognitive_search_public_network_access_enabled\> Azure Container Registry with no locksazure_container_registry_with_no_locks\> Azure Front Door WAF disabledazure_front_door_waf_disabled\> Azure instance using basic authenticationazure_instance_using_basic_authentication\> Azure Policy Add-on Disabled in AKS Clusteraks_uses_azure_policies_addon_disabled\> Cosmos DB account without tagscosmos_db_account_without_tags\> CosmosDB account IP range filter not setcosmosdb_account_ip_range_filter_not_set\> Dashboard is enableddashboard_is_enabled\> Default Azure storage account network access is too permissivedefault_azure_storage_account_network_access_is_too_permissive\> Email alerts disabledemail_alerts_disabled\> Encryption on managed disk disabledencryption_on_managed_disk_disabled\> Ensure Azure MariaDB server is using latest TLS (1.2)mariadb_not_using_latest_tls\> Ensure MySQL is using the latest version of TLS encryptionmysql_not_using_latest_tls\> Ensure that Azure cloud resource has a team tagteam_tag_not_present\> Ensure that PostgreSQL server disables public network accesspostgres_sql_server_enables_public_access\> Ensure that UDP services are restricted from the Internetudp_services_not_restricted_from_internet\> Ensure web app is 
not remotely debuggableremote_debugging_enabled_app_service\> Firewall rule allows too many hosts to access Redis Cachefirewall_rule_allows_too_many_hosts_to_access_redis_cache\> Function App authentication disabledfunction_app_authentication_disabled\> Function App client certificates not requiredfunction_app_client_certificates_unrequired\> Function App FTPS enforce disabledfunction_app_ftps_enforce_disabled\> Function App HTTP2 disabledfunction_app_http2_disabled\> Function App managed identity disabledfunction_app_managed_identity_disabled\> Function App not using latest TLS encryption versionfunction_app_not_using_latest_tls_encryption_version\> Geo redundancy is disabledgeo_redundancy_is_disabled\> Key expiration not setkey_expiration_not_set\> Key Vault secrets content type undefinedkey_vault_secrets_content_type_undefined\> Log retention is not setlog_retention_is_not_set\> MariaDB server geo-redundant backup disabledmariadb_server_georedundant_backup_disabled\> MariaDB server public network access enabledmariadb_public_network_access_enabled\> MSSQL server auditing disabledmssql_server_auditing_disabled\> MSSQL server public network access enabledmssql_server_public_network_access_enabled\> MySQL server public access enabledmysql_server_public_access_enabled\> MySQL SSL connection disabledmysql_ssl_connection_disabled\> Network interfaces IP forwarding enablednetwork_interfaces_ip_forwarding_enabled\> Network interfaces with public IPnetwork_interfaces_with_public_ip\> Network watcher flow disablednetwork_watcher_flow_disabled\> PostgreSQL log checkpoints disabledpostgresql_log_checkpoints_disabled\> PostgreSQL log connections not setpostgresql_log_connections_not_set\> PostgreSQL log disconnections not setpostgresql_log_disconnections_not_set\> PostgreSQL log duration not setpostgresql_log_duration_not_set\> PostgreSQL server infrastructure encryption disabledpostgresql_server_infrastructure_encryption_disabled\> PostgreSQL Server threat detection policy 
disabledpostgresql_server_threat_detection_policy_disabled\> PostgreSQL server without connection throttlingpostgresql_server_without_connection_throttling\> Public storage accountpublic_storage_account\> RDP is exposed to the internetrdp_is_exposed_to_the_internet\> Redis cache allows non SSL connectionsredis_cache_allows_non_ssl_connections\> Redis entirely accessibleredis_entirely_accessible\> Redis not updated regularlyredis_not_updated_regularly\> Redis publicly accessibleredis_publicly_accessible\> Role assignment not limit guest user permissionsrole_assignment_not_limit_guest_users_permissions\> Role definition allows custom role creationrole_definition_allows_custom_role_creation\> Secret expiration not setsecret_expiration_not_set\> Security center pricing tier is not standardsecurity_center_pricing_tier_is_not_standard\> Security contact emailsecurity_contact_email\> Security group is not configuredsecurity_group_is_not_configured\> Sensitive port is exposed to entire networksensitive_port_is_exposed_to_entire_network\> Sensitive port is exposed to small public networksensitive_port_is_exposed_to_small_public_network\> Sensitive port is exposed to wide private networksensitive_port_is_exposed_to_wide_private_network\> Small activity log retention periodsmall_activity_log_retention_period\> Small flow logs retention periodsmall_flow_logs_retention_period\> Small MSSQL audit retention periodsmall_mssql_audit_retention_period\> Small MSSQL server audit retentionsmall_msql_server_audit_retention\> Small PostgreSQL DB server log retention periodsmall_postgresql_db_server_log_retention_period\> SQL database audit disabledsql_database_audit_disabled\> SQL server alert email disabledsql_server_alert_email_disabled\> SQL server auditing disabledsql_server_auditing_disabled\> SQL server predictable Active Directory admin account namesql_server_predictable_active_directory_admin_account_name\> SQL server predictable admin account 
namesql_server_predictable_admin_account_name\> Sqlserver ingress from any IPsql_server_ingress_from_any_ip\> SSH is exposed to the Internetssh_is_exposed_to_the_internet\> SSL enforce disabledssl_enforce_is_disabled\> ssl_enforcement_enabled is not set to ENABLED for MySQL database servermysql_enforce_ssl_connection_disabled\> ssl_enforcement_enabled is not set to ENABLED for PostgreSQL database serverpostgres_enforce_ssl_connection_disabled\> Storage account not forcing HTTPSstorage_account_not_forcing_https\> Storage account not using latest TLS encryption versionstorage_account_not_using_latest_tls_encryption_version\> Storage container is publicly accessiblestorage_container_is_publicly_accessible\> Storage share file allows all ACL permissionsstorage_share_file_allows_all_acl_permissions\> Storage table allows all ACL permissionsstorage_table_allows_all_acl_permissions\> Trusted Microsoft services not enabledtrusted_microsoft_services_not_enabled\> Unrestricted SQL server accessunrestricted_sql_server_access\> Vault auditing disabledvault_auditing_disabled\> Virtual network with DDoS protection plan disabledvirtual_network_with_ddos_protection_plan_disabled\> VM not attached to networkvm_not_attached_to_network\> WAF is disabled for Azure application gatewaywaf_is_disabled_for_azure_application_gateway\> Web app accepting traffic other than HTTPSweb_app_accepting_traffic_other_than_https\>
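The "privilege escalation by actions" rules above share one idea: a single IAM policy that grants a specific action, or a specific combination of actions (for example `iam:PassRole` together with `lambda:CreateFunction` and `lambda:InvokeFunction`), lets the principal reach a higher privilege than the policy names. The checker below is an added example, not Datadog's rule implementation, showing how such a check is evaluated against an IAM policy document as it appears in a CloudFormation template or a Terraform `jsonencode` block. It assumes the policy is already parsed into a Python dict; the combination table is built from the rule IDs listed above, and the sample policies are constructed for illustration. Resource and Condition scoping are deliberately ignored (the conservative choice for a pre-deployment scanner), while an unconditional `Deny` is honoured and an `Allow` with `NotAction` is treated as granting everything it does not exclude.

```python
import fnmatch
import json

# Action combinations behind the "… with privilege escalation by actions …"
# rules listed above, keyed by the suffix of the rule ID.
ESCALATION_COMBOS = {
    "iam_PassRole_and_cloudformation_CreateStack": ("iam:PassRole", "cloudformation:CreateStack"),
    "iam_PassRole_and_ec2_RunInstances": ("iam:PassRole", "ec2:RunInstances"),
    "iam_PassRole_and_glue_CreateDevEndpoint": ("iam:PassRole", "glue:CreateDevEndpoint"),
    "glue_UpdateDevEndpoint": ("glue:UpdateDevEndpoint",),
    "iam_AddUserToGroup": ("iam:AddUserToGroup",),
    "iam_AttachGroupPolicy": ("iam:AttachGroupPolicy",),
    "iam_AttachRolePolicy": ("iam:AttachRolePolicy",),
    "iam_AttachUserPolicy": ("iam:AttachUserPolicy",),
    "iam_CreateAccessKey": ("iam:CreateAccessKey",),
    "iam_CreateLoginProfile": ("iam:CreateLoginProfile",),
    "iam_CreatePolicyVersion": ("iam:CreatePolicyVersion",),
    "iam_PutGroupPolicy": ("iam:PutGroupPolicy",),
    "iam_PutRolePolicy": ("iam:PutRolePolicy",),
    "iam_PutUserPolicy": ("iam:PutUserPolicy",),
    "iam_SetDefaultPolicyVersion": ("iam:SetDefaultPolicyVersion",),
    "iam_UpdateAssumeRolePolicy_and_sts_AssumeRole": ("iam:UpdateAssumeRolePolicy", "sts:AssumeRole"),
    "iam_UpdateLoginProfile": ("iam:UpdateLoginProfile",),
    "iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction": (
        "iam:PassRole", "lambda:CreateFunction", "lambda:InvokeFunction"),
    "lambda_UpdateFunctionCode": ("lambda:UpdateFunctionCode",),
}


def _as_list(value):
    """IAM allows a single string or a list for Statement, Action, NotAction."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    # IAM action names are matched case-insensitively and support '*' and '?'.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _statement_covers(stmt, action):
    """True if the statement's Action/NotAction selects the given action."""
    actions = _as_list(stmt.get("Action"))
    if actions:
        return any(_matches(p, action) for p in actions)
    not_actions = _as_list(stmt.get("NotAction"))
    if not_actions:
        # NotAction selects every action *except* the listed ones.
        return not any(_matches(p, action) for p in not_actions)
    return False


def granted_actions(policy, candidates):
    """Candidates effectively granted: allowed by some statement and not
    removed by an unconditional Deny. Resource scoping is ignored (assumption:
    a scanner should not trust it), and a Deny carrying a Condition is not
    trusted to block anything, because the condition may not hold."""
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        effect = stmt.get("Effect")
        for cand in candidates:
            if not _statement_covers(stmt, cand):
                continue
            if effect == "Allow":
                allowed.add(cand)
            elif effect == "Deny" and "Condition" not in stmt:
                denied.add(cand)
    return allowed - denied


def find_privilege_escalation(policy):
    """Return the sorted rule-ID suffixes whose full action set is granted."""
    needed = {a for combo in ESCALATION_COMBOS.values() for a in combo}
    granted = granted_actions(policy, needed)
    return sorted(name for name, combo in ESCALATION_COMBOS.items() if set(combo) <= granted)


def scan_policy_json(text):
    """Convenience wrapper for a policy document held as a JSON string."""
    return find_privilege_escalation(json.loads(text))


# Constructed sample policies (not from any real account).
SAMPLE_LAMBDA_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["lambda:*", "iam:PassRole"], "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:Get*", "Resource": "*"},
    ],
}
SAMPLE_NOTACTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "NotAction": "s3:*", "Resource": "*"},
}
SAMPLE_DENY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": "iam:*", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for name, pol in [("lambda", SAMPLE_LAMBDA_POLICY), ("notaction", SAMPLE_NOTACTION_POLICY),
                      ("deny", SAMPLE_DENY_POLICY)]:
        print(name, find_privilege_escalation(pol))
```

Two points worth noting when reading findings from a check like this: the `NotAction` sample trips every rule although it names no IAM action at all, which is why `Allow` + `NotAction` deserves its own scrutiny, and the `Deny` sample still trips `glue_UpdateDevEndpoint` and `lambda_UpdateFunctionCode` because a blanket `iam:*` deny does nothing about escalation paths that run through other services' APIs.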
- Generic Git module without revision (`generic_git_module_without_revision`)
- Output without description (`output_without_description`)
- Variable without description (`variable_without_description`)
- Variable without type (`variable_without_type`)
- Beta - check Databricks cluster AWS attribute best practices (`cluster_aws_attributes`)
- Beta - check Databricks cluster Azure attribute best practices (`cluster_azure_attributes`)
- Beta - check Databricks cluster GCP attribute best practices (`cluster_gcp_attributes`)
- Beta - Databricks autoscale configuration incomplete (`autoscale_badly_setup`)
- Beta - Databricks cluster or job with none or insecure permissions (`databricks_permissions`)
- Beta - Databricks cluster uses non-LTS Spark version (`use_lts_spark_version`)
- Beta - Databricks group without user or instance profile (`group_without_user_or_instance_profile`)
- Beta - Databricks OBO token has indefinite lifetime (`indefinitely_obo_token`)
- Beta - Databricks token has indefinite lifetime (`indefinitely_token`)
- Beta - job's task is legacy (spark_submit_task) (`use_spark_submit_task`)
- Beta - unrestricted Databricks ACL (`unrestricted_acl`)
- Artifact Registry repo is public (`artifact_registry_repository_is_public`)
- BigQuery dataset is public (`bigquery_dataset_is_public`)
- BigQuery table is public (`bigquery_table_is_public`)
- Cloud DNS without DNSSEC (`cloud_dns_without_dnssec`)
- Cloud KMS key ring is anonymously or publicly accessible (`cloud_kms_key_rings_are_public`)
- Cloud Run service is public (`cloud_run_service_is_public`)
- Cloud Storage bucket is publicly accessible (`cloud_storage_bucket_is_publicly_accessible`)
- Cloud Storage bucket logging not enabled (`cloud_storage_bucket_logging_not_enabled`)
- Cloud Storage bucket versioning disabled (`cloud_storage_bucket_versioning_disabled`)
- Cloud Storage is anonymous or publicly accessible (`cloud_storage_anonymous_or_publicly_accessible`)
- Cluster labels disabled (`cluster_labels_disabled`)
- Container Registry repo is public (`container_registry_repository_is_public`)
- COS node image not used (`cos_node_image_not_used`)
- Dataproc cluster has public IPs (`dataproc_cluster_has_public_ip`)
- Dataproc clusters publicly accessible (`dataproc_clusters_is_public`)
- Disk encryption disabled (`disk_encryption_disabled`)
- DNSSEC using RSASHA1 (`dnssec_using_rsasha1`)
- Ensure legacy networks do not exist for a project (`legacy_networks_exist_for_project`)
- Ensure SQL database instance has skip show database flag (`sql_database_instance_does_not_have_skip_show_database`)
- GKE control plane is public (`gke_control_plane_is_public`)
- GKE legacy authorization enabled (`gke_legacy_authorization_enabled`)
- GKE using default service account (`gke_using_default_service_account`)
- Google Compute firewall ingress allows unrestricted FTP access (`firewall_ingress_allows_unrestricted_ftp_access`)
- Google Compute firewall ingress allows unrestricted MySQL access (`firewall_ingress_allows_unrestricted_mysql_access`)
- Google Compute network using default firewall rule (`google_compute_network_using_default_firewall_rule`)
- Google Compute network using firewall rule that allows all ports (`google_compute_network_using_firewall_rule_allows_all_ports`)
- Google Compute network using firewall rule that allows port range (`google_compute_network_using_firewall_rule_allows_port_range`)
- Google Compute SSL policy weak cipher in use (`google_compute_ssl_policy_weak_cipher_in_use`)
- Google Compute subnetwork logging disabled (`google_compute_subnetwork_logging_disabled`)
- Google Compute subnetwork with private Google access disabled (`google_compute_subnetwork_with_private_google_access_disabled`)
- Google Container node pool auto repair disabled (`google_container_node_pool_auto_repair_disabled`)
- Google project auto create network disabled (`google_project_auto_create_network_disabled`)
- Google project IAM binding service account has token creator or account user role (`google_project_iam_binding_service_account_has_token_creator_or_account_user_role`)
- Google project IAM member service account has admin role (`google_project_iam_member_service_account_has_admin_role`)
- Google project IAM member service account has token creator or account user role (`google_project_iam_member_service_account_has_token_creator_or_account_user_role`)
- Google Storage bucket level access disabled (`google_storage_bucket_level_access_disabled`)
- High Google KMS crypto key rotation period (`high_google_kms_crypto_key_rotation_period`)
- IAM audit not properly configured (`iam_audit_not_properly_configured`)
- IP aliasing disabled (`ip_aliasing_disabled`)
- IP forwarding enabled (`ip_forwarding_enabled`)
- KMS admin and CryptoKey roles in use (`kms_admin_and_crypto_key_roles_in_use`)
- KMS CryptoKey is publicly accessible (`kms_crypto_key_publicly_accessible`)
- Legacy client certificate auth enabled (`legacy_client_certificate_auth_enabled`)
- Network policy disabled (`network_policy_disabled`)
- Node auto upgrade disabled (`node_auto_upgrade_disabled`)
- Not proper email account in use (`not_proper_email_account_in_use`)
- OSLogin disabled (`os_login_disabled`)
- OSLogin is disabled for VM instance (`os_login_is_disabled_for_vm_instance`)
- Outdated GKE version (`outdated_gke_version`)
- Pod security policy disabled (`pod_security_policy_disabled`)
- Private cluster disabled (`private_cluster_disabled`)
- Project-wide SSH keys are enabled in VM instances (`project_wide_ssh_keys_are_enabled_in_vm_instances`)
- Pub/Sub Topics are anonymously or publicly accessible (`pubsub_topic_is_public`)
- RDP access is not restricted (`rdp_access_is_not_restricted`)
- Serial ports are enabled for VM instances (`vm_serial_ports_are_enabled_for_vm_instances`)
- Service account with improper privileges (`service_account_with_improper_privileges`)
- Shielded GKE nodes disabled (`shielded_gke_nodes_disabled`)
- Shielded VM disabled (`shielded_vm_disabled`)
- SQL DB instance backup disabled (`sql_db_instance_backup_disabled`)
- SQL DB instance publicly accessible (`sql_db_instance_is_publicly_accessible`)
- SQL DB instance with SSL disabled (`sql_db_instance_with_ssl_disabled`)
- SQL Server cross DB ownership chaining enabled (`sql_database_has_cross_db_ownership_chaining`)
- SSH access is not restricted (`ssh_access_is_not_restricted`)
- Stackdriver Logging disabled (`stackdriver_logging_disabled`)
- Stackdriver Monitoring disabled (`stackdriver_monitoring_disabled`)
- Team label missing on GCP resource (`team_label_not_present`)
- There are non GCP-managed service account keys for a service account (`service_has_non_gcp_managed_service_account_keys`)
- User with IAM role (`user_with_iam_role`)
- Using default service account (`using_default_service_account`)
- VM with full cloud access (`vm_with_full_cloud_access`)
- GitHub organization webhook with SSL disabled (`github_organization_webhook_with_ssl_disabled`)
- GitHub repository set to public (`github_repository_set_to_public`)
- Cluster admin rolebinding with superuser permissions (`cluster_admin_role_binding_with_super_user_permissions`)
- Cluster allows unsafe sysctls (`cluster_allows_unsafe_sysctls`)
- Container host PID is true (`container_host_pid_is_true`)
- Container is privileged (`container_is_privileged`)
- Container resources limits undefined (`container_resources_limits_undefined`)
- Container runs unmasked (`container_runs_unmasked`)
- Containers with added capabilities (`container_with_added_capabilities`)
- Containers with sys admin capabilities (`containers_with_sys_admin_capabilities`)
- CPU limits not set (`cpu_limits_not_set`)
- CPU requests not set (`cpu_requests_not_set`)
- CronJob deadline not configured (`cronjob_deadline_not_configured`)
- Default service account in use (`default_service_account_in_use`)
- Deployment has no podAntiAffinity (`deployment_has_no_pod_anti_affinity`)
- Deployment without PodDisruptionBudget (`deployment_without_pod_disruption_budget`)
- Docker daemon socket is exposed to containers (`docker_daemon_socket_is_exposed_to_containers`)
- HPA targets invalid object (`hpa_targets_invalid_object`)
- Image pull policy of the container is not set to always (`image_pull_policy_of_container_is_not_always`)
- Image without digest (`image_without_digest`)
- Incorrect volume claim access mode ReadWriteOnce (`incorrect_volume_claim_access_mode_read_write_once`)
- Ingress controller exposes workload (`ingress_controller_exposes_workload`)
- Invalid image (`invalid_image`)
- Liveness probe is not defined (`liveness_probe_is_not_defined`)
- Memory limits not defined (`memory_limits_not_defined`)
- Memory requests
not definedmemory_requests_not_defined\> Metadata label is invalidmetadata_label_is_invalid\> Missing AppArmor configmissing_app_armor_config\> NET_RAW capabilities disabled for PSPnet_raw_capabilities_disabled_for_psp\> NET_RAW capabilities not being droppednet_raw_capabilities_not_being_dropped\> Network policy is not targeting any podnetwork_policy_is_not_targeting_any_pod\> No drop capabilities for containersno_drop_capabilities_for_containers\> Non kube system pod with host mountnon_kube_system_pod_with_host_mount\> Permissive access to create podspermissive_access_to_create_pods\> Pod or container without security contextpod_or_container_without_security_context\> Privilege escalation allowedprivilege_escalation_allowed\> PSP allows containers to share the host network namespacepsp_allows_containers_to_share_the_host_network_namespace\> PSP allows privilege escalationpsp_allows_privilege_escalation\> PSP allows sharing host IPCpsp_allows_sharing_host_ipc\> PSP set to privilegedpsp_set_to_privileged\> PSP with added capabilitiespsp_with_added_capabilities\> RBAC roles with read secrets permissionsrbac_roles_with_read_secrets_permissions\> Readiness probe is not configuredreadiness_probe_is_not_configured\> Role binding to default service accountrole_binding_to_default_service_account\> Root container not mounted as read-onlyroot_container_not_mounted_as_read_only\> Root containers admittedroot_containers_admitted\> Seccomp profile is not configuredseccomp_profile_is_not_configured\> Secrets as environment variablessecrets_as_environment_variables\> Service account allows access secretsservice_account_allows_access_secrets\> Service account name undefined or emptyservice_account_name_undefined_or_empty\> Service account token automount not disabledservice_account_token_automount_not_disabled\> Service type is NodePortservice_type_is_nodeport\> Service with external load balancerservice_with_external_load_balancer\> Shared host IPC 
namespaceshared_host_ipc_namespace\> Shared host network namespaceshared_host_network_namespace\> Shared service accountshared_service_account\> StatefulSet requests storagestatefulset_requests_storage\> StatefulSet without PodDisruptionBudgetstatefulset_without_pod_disruption_budget\> StatefulSet without service namestatefulset_without_service_name\> Tiller (Helm v2) is deployedtiller_is_deployed\> Using default namespaceusing_default_namespace\> Volume mount with OS directory write permissionsvolume_mount_with_os_directory_write_permissions\> Workload host port not specifiedworkload_host_port_not_specified\> Workload mounting with sensitive OS directoryworkload_mounting_with_sensitive_os_directory\>
### Nifcloud

- Beta - Nifcloud computing has common private network (`computing_instance_has_common_private`)
- Beta - Nifcloud computing has public ingress security group rule (`computing_instance_has_public_ingress_sgr`)
- Beta - Nifcloud computing undefined description to security group (`computing_security_group_description_undefined`)
- Beta - Nifcloud computing undefined description to security group rule (`computing_security_group_rule_description_undefined`)
- Beta - Nifcloud computing undefined security group to instance (`computing_instance_security_group_undefined`)
- Beta - Nifcloud DNS has verified record (`dns_has_verified_record`)
- Beta - Nifcloud ELB has common private network (`elb_has_common_private`)
- Beta - Nifcloud ELB listener use HTTP protocol (`elb_listener_use_http`)
- Beta - Nifcloud ELB use HTTP protocol (`elb_use_http`)
- Beta - Nifcloud LB listener use HTTP port (`load_balancer_listener_use_http`)
- Beta - Nifcloud LB use HTTP port (`load_balancer_use_http`)
- Beta - Nifcloud LB use insecure TLS policy ID (`load_balancer_use_insecure_tls_policy_id`)
- Beta - Nifcloud LB use insecure TLS policy name (`load_balancer_use_insecure_tls_policy_name`)
- Beta - Nifcloud NAS has common private network (`nas_instance_has_common_private`)
- Beta - Nifcloud NAS has public ingress NAS security group rule (`nas_security_group_has_public_ingress_sgr`)
- Beta - Nifcloud NAS undefined description to NAS security group (`nas_security_group_description_undefined`)
- Beta - Nifcloud RDB has backup retention less than 2 days (`db_does_not_have_long_backup_retention`)
- Beta - Nifcloud RDB has common private network (`db_instance_has_common_private`)
- Beta - Nifcloud RDB has public DB access (`db_has_public_access`)
- Beta - Nifcloud RDB has public DB ingress security group rule (`db_security_group_has_public_ingress_sgr`)
- Beta - Nifcloud RDB undefined description to DB security group (`db_security_group_description_undefined`)
- Beta - Nifcloud router has common private network (`router_has_common_private`)
- Beta - Nifcloud router undefined security group to router (`router_security_group_undefined`)
- Beta - Nifcloud VPN gateway undefined security group to VPN gateway (`vpn_gateway_security_group_undefined`)

### Tencent Cloud

- Beta - CDB instance internet service enabled (`cdb_instance_internet_service_enabled`)
- Beta - CDB instance internet using default intranet port (`cdb_instance_using_default_intranet_port`)
- Beta - CDB instance without backup policy (`cdb_instance_without_backup_policy`)
- Beta - CLB instance log setting disabled (`clb_instance_log_setting_disabled`)
- Beta - CLB listener using insecure protocols (`clb_listener_using_insecure_protocols`)
- Beta - CVM instance disable monitor service (`cvm_instance_disable_monitor_service`)
- Beta - CVM instance has public IP (`cvm_instance_has_public_ip`)
- Beta - CVM instance using default security group (`cvm_instance_using_default_security_group`)
- Beta - CVM instance using default VPC (`cvm_instance_using_default_vpc`)
- Beta - CVM instance using user data (`cvm_instance_using_user_data`)
- Beta - disk encryption disabled (`disk_encryption_disabled`)
- Beta - security group rule set accepts all traffic (`security_group_rule_set_accepts_all_traffic`)
- Beta - TKE cluster encryption protection disabled (`tke_cluster_encryption_protection_disabled`)
- Beta - TKE cluster has public access (`tke_cluster_has_public_access`)
- Beta - TKE cluster log agent is not enabled (`tke_cluster_log_disabled`)
- Beta - VPC flow logs disabled (`vpc_flow_log_disabled`)

The rule list can be filtered by provider (Ansible Config, Ansible Inventory, AWS, Azure, Common, GCP, GitHub, Dockerfile, Kubernetes, Alicloud, Databricks, Nifcloud, TencentCloud), by platform (Ansible, CICD, CloudFormation, Dockerfile, Kubernetes, Terraform), by category (Insecure Configurations, Best Practices, Access Control, Networking and Firewall, Encryption, Observability, Availability, Build Process, Secret Management, Resource Management, Backup, Insecure Defaults, Supply-Chain), and by severity (CRITICAL, HIGH, MEDIUM, LOW).

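Most of the Kubernetes rules above are static predicates over a workload's PodSpec, and it helps to see what such a predicate actually inspects. The following is an added example written for this page, not Datadog's IaC Security engine or its rule implementations: it reuses nine rule IDs from the list, but the check logic, the defaults it assumes (for instance that an unset `automountServiceAccountToken` or `allowPrivilegeEscalation` counts as enabled) and the two constructed manifests are the example's own. Manifests are given as JSON, which Kubernetes accepts, so only the standard library is needed; the Deployment objects are trimmed to the fields the checker reads.

```python
"""Static checks for a handful of the Kubernetes rules listed on this page.

Added illustration, not Datadog's scanner: rule IDs come from the list, the
check logic and sample manifests are constructed for this example.
"""
import json


def _pod_spec(manifest):
    """Locate the PodSpec in a Pod, a template-bearing workload, or a CronJob."""
    spec = manifest["spec"]
    kind = manifest.get("kind")
    if kind == "Pod":
        return spec
    if kind == "CronJob":
        return spec["jobTemplate"]["spec"]["template"]["spec"]
    return spec["template"]["spec"]  # Deployment, StatefulSet, DaemonSet, Job


def check_manifest(manifest):
    """Return the sorted rule IDs that fire for one workload manifest.

    Per-container findings are suffixed with ':<container name>'.
    """
    findings = []
    spec = _pod_spec(manifest)
    pod_sc = spec.get("securityContext", {})

    # Pod-level host namespace sharing and service-account token automount
    # (automountServiceAccountToken defaults to true when unset).
    if spec.get("hostNetwork"):
        findings.append("shared_host_network_namespace")
    if spec.get("hostPID"):
        findings.append("container_host_pid_is_true")
    if spec.get("hostIPC"):
        findings.append("shared_host_ipc_namespace")
    if spec.get("automountServiceAccountToken", True):
        findings.append("service_account_token_automount_not_disabled")

    # A hostPath volume for the Docker socket hands the container root on the node.
    host_paths = {v["hostPath"]["path"] for v in spec.get("volumes", []) if "hostPath" in v}
    if "/var/run/docker.sock" in host_paths:
        findings.append("docker_daemon_socket_is_exposed_to_containers")

    for c in spec.get("initContainers", []) + spec.get("containers", []):
        name, sc = c["name"], c.get("securityContext", {})
        caps = sc.get("capabilities", {})
        if sc.get("privileged"):
            findings.append(f"container_is_privileged:{name}")
        if sc.get("allowPrivilegeEscalation", True):  # unset is treated as allowed
            findings.append(f"privilege_escalation_allowed:{name}")
        # Container-level settings override pod-level ones; root is admitted
        # unless runAsNonRoot is set or a non-zero runAsUser is pinned.
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if not non_root and not (isinstance(uid, int) and uid > 0):
            findings.append(f"root_containers_admitted:{name}")
        if not caps.get("drop"):
            findings.append(f"no_drop_capabilities_for_containers:{name}")
        if "SYS_ADMIN" in caps.get("add", []):
            findings.append(f"containers_with_sys_admin_capabilities:{name}")
        if "@sha256:" not in c.get("image", ""):
            findings.append(f"image_without_digest:{name}")
    return sorted(findings)


# Constructed sample: a CI build agent that mounts the Docker socket and runs
# privileged, a pattern that trips nine of the rules above at once.
VULNERABLE_MANIFEST = json.loads("""
{"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "build-agent"},
 "spec": {"template": {"spec": {
   "hostPID": true,
   "volumes": [{"name": "dockersock", "hostPath": {"path": "/var/run/docker.sock"}}],
   "containers": [{"name": "agent", "image": "registry.example/agent:latest",
     "securityContext": {"privileged": true, "capabilities": {"add": ["SYS_ADMIN"]}},
     "volumeMounts": [{"name": "dockersock", "mountPath": "/var/run/docker.sock"}]}]}}}}
""")

# Constructed sample: the same workload with the socket removed, a pinned
# digest, a non-root UID, no privilege escalation and all capabilities dropped.
HARDENED_MANIFEST = json.loads("""
{"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "build-agent"},
 "spec": {"template": {"spec": {
   "automountServiceAccountToken": false,
   "securityContext": {"runAsNonRoot": true, "runAsUser": 10001},
   "containers": [{"name": "agent",
     "image": "registry.example/agent@sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
     "securityContext": {"allowPrivilegeEscalation": false,
                         "capabilities": {"drop": ["ALL"]}}}]}}}}
""")


if __name__ == "__main__":
    for label, m in (("vulnerable", VULNERABLE_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        print(label, check_manifest(m) or "no findings")
```

The checker reads only the rendered object, which is how IaC scanning differs from runtime admission control: it cannot see defaults a mutating webhook would inject, so it has to treat unset fields as their API defaults, which is why an absent `allowPrivilegeEscalation` is reported rather than silently passed.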
## Further Reading

- [Set up IaC Security](https://docs.datadoghq.com/security/code_security/iac_security/setup)
- [Configure IaC Security Exclusions](https://docs.datadoghq.com/security/code_security/iac_security/exclusions)
