---
title: IaC Security Rules
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Infrastructure as Code (IaC)
  Security > IaC Security Rules
---

# IaC Security Rules

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md) ({% placeholder "user-datadog-site-name" /%}).
{% /alert %}
{% /callout %}

[Infrastructure as Code (IaC) Security](https://docs.datadoghq.com/security/code_security/iac_security.md) identifies misconfigurations and security risks in infrastructure-as-code files before deployment, helping ensure that cloud environments remain secure and compliant.

{% alert level="info" %}
For Helm resolution to work correctly, each chart directory must include the charts it depends on. For details, see [Chart File Structure](https://helm.sh/docs/topics/charts/#the-chart-file-structure) in the Helm documentation.
{% /alert %}

## Rules

Each entry lists the rule name followed by its rule ID.

### Ansible

- Allow unsafe lookups enabled in defaults (`ansible-allow-unsafe-lookups-enabled-in-defaults`)
- Ansible Tower exposed to the internet (`ansible-ansible-tower-exposed-to-internet`)
- Communication over HTTP (`ansible-communication-over-http`)
- Communication over HTTP in defaults (`ansible-communication-over-http-in-defaults`)
- Insecure relative path resolution (`ansible-insecure-relative-path-resolution`)
- Logging of sensitive data (`ansible-logging-of-sensitive-data`)
- Logging of sensitive data in defaults (`ansible-logging-of-sensitive-data-in-defaults`)
- Privilege escalation using become plugin (`ansible-privilege-escalation-using-become-plugin`)
- Privilege escalation using become plugin in defaults (`ansible-privilege-escalation-using-become-plugin-in-defaults`)
- Risky file permissions (`ansible-risky-file-permissions`)
- Unpinned package version (`ansible-unpinned-package-version`)

### Ansible (AWS)

- ALB listening on HTTP (`ansible-aws-alb-listening-on-http`)
- AMI not encrypted (`ansible-aws-ami-not-encrypted`)
- AMI shared with multiple accounts (`ansible-aws-ami-shared-with-multiple-accounts`)
- API Gateway endpoint config is not private (`ansible-aws-api-gateway-endpoint-config-is-not-private`)
- API Gateway with CloudWatch Logs disabled (`ansible-aws-api-gateway-with-cloudwatch-logging-disabled`)
- API Gateway without configured authorizer (`ansible-aws-api-gateway-without-configured-authorizer`)
- API Gateway without SSL certificate (`ansible-aws-api-gateway-without-ssl-certificate`)
- API Gateway without WAF (`ansible-aws-api-gateway-without-waf`)
- API Gateway X-Ray disabled (`ansible-aws-api-gateway-xray-disabled`)
- Authentication without MFA (`ansible-aws-authentication-without-mfa`)
- Auto Scaling Group with no associated ELB (`ansible-aws-auto-scaling-group-with-no-associated-elb`)
- Automatic minor upgrades disabled (`ansible-aws-automatic-minor-upgrades-disabled`)
- AWS password policy with unchangeable passwords (`ansible-aws-aws-password-policy-with-unchangeable-passwords`)
- Batch job definition with privileged container properties (`ansible-aws-batch-job-definition-with-privileged-container-properties`)
- CA certificate identifier is outdated (`ansible-aws-ca-certificate-identifier-is-outdated`)
- CDN configuration is missing (`ansible-aws-cdn-configuration-is-missing`)
- Certificate has expired (`ansible-aws-certificate-has-expired`)
- Certificate RSA key bytes lower than 256 (`ansible-aws-certificate-rsa-key-bytes-lower-than-256`)
- CloudFront logging disabled (`ansible-aws-cloudfront-logging-disabled`)
- CloudFront viewer protocol policy allows HTTP (`ansible-aws-viewer-protocol-policy-allows-http`)
- CloudFront without minimum protocol TLS 1.2 (`ansible-aws-cloudfront-without-minimum-protocol-tls-1-2`)
- CloudFront without WAF (`ansible-aws-cloudfront-without-waf`)
- CloudTrail log file validation disabled (`ansible-aws-cloudtrail-log-file-validation-disabled`)
- CloudTrail log files not encrypted with KMS (`ansible-aws-cloudtrail-log-files-not-encrypted-with-kms`)
- CloudTrail logging disabled (`ansible-aws-cloudtrail-logging-disabled`)
- CloudTrail multi-region is disabled (`ansible-aws-cloudtrail-multi-region-disabled`)
- CloudTrail not integrated with CloudWatch (`ansible-aws-cloudtrail-not-integrated-with-cloudwatch`)
- CloudTrail SNS topic name undefined (`ansible-aws-cloudtrail-sns-topic-name-undefined`)
- CloudWatch without retention period specified (`ansible-aws-cloudwatch-without-retention-period-specified`)
- CMK is unusable (`ansible-aws-cmk-is-unusable`)
- CMK rotation disabled (`ansible-aws-cmk-rotation-disabled`)
- CodeBuild project is not encrypted (`ansible-aws-codebuild-not-encrypted`)
- Config rule for encrypted volumes disabled (`ansible-aws-config-rule-for-encrypted-volumes-is-disabled`)
- Configuration aggregator to all regions disabled (`ansible-aws-config-configuration-aggregator-to-all-regions-disabled`)
- Cross-account IAM assume role policy without ExternalId or MFA (`ansible-aws-cross-account-iam-assume-role-policy-without-external-id-or-mfa`)
- DB instance storage not encrypted (`ansible-aws-db-instance-storage-not-encrypted`)
- DB security group open to large scope (`ansible-aws-db-security-group-open-to-large-scope`)
- DB security group with public scope (`ansible-aws-db-security-group-with-public-scope`)
- Default security groups with unrestricted traffic (`ansible-aws-default-security-groups-with-unrestricted-traffic`)
- EBS volume encryption disabled (`ansible-aws-ebs-volume-encryption-disabled`)
- EC2 instance has public IP (`ansible-aws-ec2-instance-has-public-ip`)
- EC2 instance is not EBS optimized (`ansible-aws-ec2-not-ebs-optimized`)
- EC2 instance using default security group (`ansible-aws-ec2-instance-using-default-security-group`)
- EC2 instance using default VPC (`ansible-aws-ec2-instance-using-default-vpc`)
- EC2 security group allows public access (`ansible-aws-ec2-group-has-public-interface`)
- ECR image tag not immutable (`ansible-aws-ecr-image-tag-not-immutable`)
- ECR repository is publicly accessible (`ansible-aws-ecr-repository-is-publicly-accessible`)
- ECS service admin role is present (`ansible-aws-ecs-service-admin-role-is-present`)
- ECS service without running tasks (`ansible-aws-ecs-service-without-running-tasks`)
- ECS services should not be assigned public IP addresses (`ansible-aws-ecs-services-assigned-with-public-ip-address`)
- ECS task definition network mode not recommended (`ansible-aws-ecs-task-definition-network-mode-not-recommended`)
- EFS not encrypted (`ansible-aws-efs-not-encrypted`)
- EFS without KMS (`ansible-aws-efs-without-kms`)
- EFS without tags (`ansible-aws-efs-without-tags`)
- ElastiCache using default port (`ansible-aws-elasticache-using-default-port`)
- ElastiCache without VPC (`ansible-aws-elasticache-without-vpc`)
- Elasticsearch with HTTPS disabled (`ansible-aws-elasticsearch-with-https-disabled`)
- ELB using insecure protocols (`ansible-aws-elb-using-insecure-protocols`)
- ELB using weak ciphers (`ansible-aws-elb-using-weak-ciphers`)
- Hardcoded AWS access key (`ansible-aws-hardcoded-aws-access-key`)
- Hardcoded AWS access key in Lambda (`ansible-aws-hardcoded-aws-access-key-in-lambda`)
- HTTP port open to internet (`ansible-aws-http-port-open-to-internet`)
- IAM access key is exposed (`ansible-aws-iam-access-key-is-exposed`)
- IAM database authentication is not enabled (`ansible-aws-iam-database-auth-not-enabled`)
- IAM group without users (`ansible-aws-iam-group-without-users`)
- IAM password without minimum length (`ansible-aws-iam-password-without-minimum-length`)
- IAM policies attached to user (`ansible-aws-iam-policies-attached-to-user`)
- IAM policies with full privileges (`ansible-aws-iam-policies-with-full-privileges`)
- IAM policy grants 'AssumeRole' permission across all services (`ansible-aws-iam-policy-grants-assumerole-permission-across-all-services`)
- IAM policy grants full permissions (`ansible-aws-iam-policy-grants-full-permissions`)
- IAM role allows all principals to assume (`ansible-aws-iam-role-allows-all-principals-to-assume`)
- Instance uses metadata service IMDSv1 (`ansible-aws-instance-uses-metadata-service-imdsv1`)
- Instance with no VPC (`ansible-aws-instance-with-no-vpc`)
- Kinesis not encrypted with KMS (`ansible-aws-kinesis-not-encrypted-with-kms`)
- KMS key with vulnerable policy (`ansible-aws-kms-key-with-full-permissions`)
- Lambda function without tags (`ansible-aws-lambda-function-without-tags`)
- Lambda functions without X-Ray tracing (`ansible-aws-lambda-functions-without-x-ray-tracing`)
- Lambda permission misconfigured (`ansible-aws-lambda-permission-misconfigured`)
- Lambda permission principal is wildcard (`ansible-aws-lambda-permission-principal-is-wildcard`)
- Launch configuration is not encrypted (`ansible-aws-launch-configuration-is-not-encrypted`)
- Misconfigured password policy expiration (`ansible-aws-misconfigured-password-policy-expiration`)
- No stack policy (`ansible-aws-no-stack-policy`)
- Password without reuse prevention (`ansible-aws-password-without-reuse-prevention`)
- Public Lambda via API Gateway (`ansible-aws-public-lambda-via-api-gateway`)
- Public port with wide port range (`ansible-aws-public-port-wide`)
- RDS DB instance is not publicly accessible (`ansible-aws-rds-db-instance-publicly-accessible`)
- RDS instance associated with a public subnet (`ansible-aws-rds-associated-with-public-subnet`)
- RDS instance uses a default port (`ansible-aws-rds-using-default-port`)
- RDS instance with backup disabled (`ansible-aws-rds-with-backup-disabled`)
- Redis not compliant (`ansible-aws-redis-not-compliant`)
- Redshift cluster is not encrypted (`ansible-aws-redshift-not-encrypted`)
- Redshift publicly accessible (`ansible-aws-redshift-publicly-accessible`)
- Redshift using default port (`ansible-aws-redshift-using-default-port`)
- Remote desktop port open to internet (`ansible-aws-remote-desktop-port-open`)
- Root account has active access keys (`ansible-aws-root-account-has-active-access-keys`)
- Route 53 record undefined (`ansible-aws-route53-record-undefined`)
- S3 bucket access to any principal (`ansible-aws-s3-bucket-access-to-any-principal`)
- S3 bucket ACL allows read access to all users (`ansible-aws-s3-bucket-acl-allows-read-to-all-users`)
- S3 bucket ACL allows read access to any authenticated user (`ansible-aws-s3-bucket-acl-allows-read-to-any-authenticated-user`)
- S3 bucket allows delete action from all principals (`ansible-aws-s3-bucket-allows-delete-action-from-all-principals`)
- S3 bucket allows GET action from all principals (`ansible-aws-s3-bucket-allows-get-action-from-all-principals`)
- S3 bucket allows list action from all principals (`ansible-aws-s3-bucket-allows-list-action-from-all-principals`)
- S3 bucket allows put action from all principals (`ansible-aws-s3-bucket-allows-put-action-from-all-principals`)
- S3 bucket logging disabled (`ansible-aws-s3-bucket-logging-disabled`)
- S3 bucket with all permissions (`ansible-aws-s3-bucket-with-all-permissions`)
- S3 bucket with public access (`ansible-aws-s3-bucket-with-public-access`)
- S3 bucket with unsecured CORS rule (`ansible-aws-s3-bucket-with-unsecured-cors-rule`)
- S3 bucket without server-side encryption (`ansible-aws-s3-bucket-without-server-side-encryption`)
- S3 bucket without versioning (`ansible-aws-s3-bucket-without-versioning`)
- Secure ciphers disabled (`ansible-aws-secure-ciphers-disabled`)
- Security group ingress not restricted (`ansible-aws-security-group-ingress-not-restricted`)
- Security group with unrestricted access to SSH (`ansible-aws-security-group-with-unrestricted-access-to-ssh`)
- SES policy with allowed IAM actions (`ansible-aws-ses-policy-with-allowed-iam-actions`)
- SNS topic is publicly accessible (`ansible-aws-sns-topic-is-publicly-accessible`)
- SQL Analysis Services port 2383 (TCP) is publicly accessible (`ansible-aws-sql-analysis-services-port-2383-is-publicly-accessible`)
- SQS policy allows all actions (`ansible-aws-sqs-policy-allows-all-actions`)
- SQS policy with public access (`ansible-aws-sqs-policy-with-public-access`)
- SQS queue exposed (`ansible-aws-sqs-queue-exposed`)
- SQS queue with SSE disabled (`ansible-aws-sqs-with-sse-disabled`)
- Stack notifications disabled (`ansible-aws-stack-notifications-disabled`)
- Stack retention disabled (`ansible-aws-stack-retention-disabled`)
- Stack without template (`ansible-aws-stack-without-template`)
- Unknown port exposed to internet (`ansible-aws-unknown-port-exposed-to-internet`)
- Unrestricted security group ingress (`ansible-aws-unrestricted-security-group-ingress`)
- User data contains encoded private key (`ansible-aws-user-data-contains-encoded-private-key`)
- Vulnerable default SSL certificate (`ansible-aws-vulnerable-default-ssl-certificate`)

### Ansible (Azure)

- AD admin not configured for SQL server (`ansible-azure-ad-admin-not-configured-for-sql-server`)
- Admin user enabled for container registry (`ansible-azure-admin-user-enabled-for-container-registry`)
- AKS monitoring logging disabled (`ansible-azure-aks-monitoring-logging-disabled`)
- AKS network policy misconfigured (`ansible-azure-aks-network-policy-misconfigured`)
- AKS RBAC disabled (`ansible-azure-aks-rbac-disabled`)
- Azure Container Registry with no locks (`ansible-azure-azure-container-registry-with-no-locks`)
- Azure instance using basic authentication (`ansible-azure-azure-instance-using-basic-authentication`)
- Cosmos DB account without tags (`ansible-azure-cosmosdb-account-without-tags`)
- CosmosDB account IP range filter not set (`ansible-azure-cosmosdb-account-ip-range-filter-not-set`)
- Default Azure storage account network access is too permissive (`ansible-azure-default-azure-storage-account-network-access-is-too-permissive`)
- Firewall rule allows too many hosts to access Redis Cache (`ansible-azure-firewall-rule-allows-too-many-hosts-to-access-redis-cache`)
- Key Vault soft delete is disabled (`ansible-azure-key-vault-soft-delete-is-disabled`)
- Log retention is not set (`ansible-azure-log-retention-is-not-set`)
- Monitoring log profile without all activities (`ansible-azure-monitoring-log-profile-without-all-activities`)
- MySQL SSL connection disabled (`ansible-azure-mysql-ssl-connection-disabled`)
- PostgreSQL log checkpoints disabled (`ansible-azure-postgresql-log-checkpoints-disabled`)
- PostgreSQL log connections not set (`ansible-azure-postgresql-log-connections-not-set`)
- PostgreSQL log disconnections not set (`ansible-azure-postgresql-log-disconnections-not-set`)
- PostgreSQL log duration not set (`ansible-azure-postgresql-log-duration-not-set`)
- PostgreSQL server without connection throttling (`ansible-azure-postgresql-server-without-connection-throttling`)
- Public storage account (`ansible-azure-public-storage-account`)
- Redis cache allows non-SSL connections (`ansible-azure-redis-cache-allows-non-ssl-connections`)
- Redis entirely accessible (`ansible-azure-redis-entirely-accessible`)
- Redis publicly accessible (`ansible-azure-redis-publicly-accessible`)
- Role definition allows custom role creation (`ansible-azure-role-definition-allows-custom-role-creation`)
- Security group is not configured (`ansible-azure-security-group-is-not-configured`)
- Sensitive port is exposed to entire network (`ansible-azure-sensitive-port-is-exposed-to-entire-network`)
- Small activity log retention period (`ansible-azure-small-activity-log-retention-period`)
- SQL Server predictable Active Directory account name (`ansible-azure-sql-server-predictable-active-directory-admin-account-name`)
- SQL Server predictable admin account name (`ansible-azure-sql-server-predictable-admin-account-name`)
- SQLServer ingress from any IP (`ansible-azure-sql-server-ingress-from-any-ip`)
- SSL enforce disabled (`ansible-azure-ssl-enforce-is-disabled`)
- Storage account not forcing HTTPS (`ansible-azure-storage-account-not-forcing-https`)
- Storage account not using latest TLS encryption version (`ansible-azure-storage-account-not-using-latest-tls-encryption-version`)
- Storage container is publicly accessible (`ansible-azure-storage-container-is-publicly-accessible`)
- Trusted Microsoft services not enabled (`ansible-azure-trusted-microsoft-services-not-enabled`)
- Unrestricted SQL Server access (`ansible-azure-unrestricted-sql-server-access`)
- VM not attached to network (`ansible-azure-vm-not-attached-to-network`)
- WAF is disabled for Azure Application Gateway (`ansible-azure-waf-is-disabled-for-azure-application-gateway`)
- Web app accepting traffic other than HTTPS (`ansible-azure-web-app-accepting-traffic-other-than-https`)

### Ansible (GCP)

- BigQuery dataset is public (`ansible-gcp-bigquery-dataset-is-public`)
- Client certificate disabled (`ansible-gcp-client-certificate-disabled`)
- Cloud DNS without DNSSEC (`ansible-gcp-cloud-dns-without-dnssec`)
- Cloud SQL instance with contained database authentication on (`ansible-gcp-cloud-sql-instance-with-contained-database-authentication-on`)
- Cloud SQL instance with cross DB ownership chaining on (`ansible-gcp-cloud-sql-instance-with-cross-db-ownership-chaining-on`)
- Cloud storage anonymous or publicly accessible (`ansible-gcp-cloud-storage-anonymous-or-publicly-accessible`)
- Cloud storage bucket logging not enabled (`ansible-gcp-cloud-storage-bucket-logging-not-enabled`)
- Cloud storage bucket versioning disabled (`ansible-gcp-cloud-storage-bucket-versioning-disabled`)
- Cluster labels disabled (`ansible-gcp-cluster-labels-disabled`)
- Cluster master authentication disabled (`ansible-gcp-cluster-master-authentication-disabled`)
- Compute instance is publicly accessible (`ansible-gcp-compute-instance-is-publicly-accessible`)
- COS node image not used (`ansible-gcp-cos-node-image-not-used`)
- Disk encryption disabled (`ansible-gcp-disk-encryption-disabled`)
- DNSSEC using RSASHA1 (`ansible-gcp-dnssec-using-rsasha1`)
- GKE basic authentication enabled (`ansible-gcp-gke-basic-authentication-enabled`)
- GKE legacy authorization enabled (`ansible-gcp-gke-legacy-authorization-enabled`)
- GKE master authorized networks disabled (`ansible-gcp-gke-master-authorized-networks-disabled`)
- GKE using default service account (`ansible-gcp-gke-using-default-service-account`)
- Google Compute network using default firewall rule (`ansible-gcp-google-compute-network-using-default-firewall-rule`)
- Google Compute network using firewall rule that allows all ports (`ansible-gcp-google-compute-network-using-firewall-rule-allows-all-ports`)
- Google Compute network using firewall rule that allows port range (`ansible-gcp-google-compute-network-using-firewall-allows-port-range`)
- Google Compute SSL policy weak cipher in use (`ansible-gcp-google-compute-ssl-policy-weak-cipher-in-use`)
- Google Compute subnetwork with Private Google Access disabled (`ansible-gcp-google-compute-subnetwork-with-private-google-access-disabled`)
- Google container node pool auto repair disabled (`ansible-gcp-google-container-node-pool-auto-repair-disabled`)
- High Google KMS crypto key rotation period (`ansible-gcp-high-google-kms-crypto-key-rotation-period`)
- IP aliasing disabled (`ansible-gcp-ip-aliasing-disabled`)
- IP forwarding enabled (`ansible-gcp-ip-forwarding-enabled`)
- MySQL instance with local infile on (`ansible-gcp-mysql-instance-with-local-infile-on`)
- Network policy disabled (`ansible-gcp-network-policy-disabled`)
- Node auto-upgrade disabled (`ansible-gcp-node-auto-upgrade-disabled`)
- OSLogin is disabled in VM instance (`ansible-gcp-oslogin-is-disabled-for-vm-instance`)
- PostgreSQL log connections disabled (`ansible-gcp-postgresql-log-connections-disabled`)
- PostgreSQL log_checkpoints flag not set to on (`ansible-gcp-postgresql-log-checkpoints-flag-not-set-to-on`)
- PostgreSQL logging of temporary files disabled (`ansible-gcp-postgresql-logging-of-temporary-files-disabled`)
- PostgreSQL misconfigured log messages flag (`ansible-gcp-postgresql-misconfigured-log-messages-flag`)
- PostgreSQL misconfigured logging duration flag (`ansible-gcp-postgresql-misconfigured-logging-duration-flag`)
- Private cluster disabled (`ansible-gcp-private-cluster-disabled`)
- Project-wide SSH keys are enabled in VM instances (`ansible-gcp-project-wide-ssh-keys-are-enabled-in-vm-instances`)
- RDP access is not restricted (`ansible-gcp-rdp-access-is-not-restricted`)
- Serial ports are enabled for VM instances (`ansible-gcp-serial-ports-enabled-for-vm-instances`)
- Shielded VM disabled (`ansible-gcp-shielded-vm-disabled`)
- SQL DB instance backup disabled (`ansible-gcp-sql-db-instance-backup-disabled`)
- SQL DB instance publicly accessible (`ansible-gcp-sql-db-instance-is-publicly-accessible`)
- SQL DB instance with SSL disabled (`ansible-gcp-sql-db-instance-with-ssl-disabled`)
- SSH access is not restricted (`ansible-gcp-ssh-access-is-not-restricted`)
- Stackdriver logging disabled (`ansible-gcp-stackdriver-logging-disabled`)
- Stackdriver monitoring disabled (`ansible-gcp-stackdriver-monitoring-disabled`)
- Using default service account (`ansible-gcp-using-default-service-account`)
- VM with full cloud access (`ansible-gcp-vm-with-full-cloud-access`)

### CI/CD (GitHub)

- Anonymous definition (`cicd-github-anonymous-definition`)
- Cache poisoning (`cicd-github-cache-poisoning`)
- Concurrency limits (`cicd-github-concurrency-limits`)
- Dangerous triggers (`cicd-github-dangerous-triggers`)
- Dependabot cooldown (`cicd-github-dependabot-cooldown`)
- Dependabot execution (`cicd-github-dependabot-execution`)
- GitHub environment file injection (`cicd-github-github-env`)
- Hardcoded container credentials (`cicd-github-hardcoded-container-credentials`)
- Misfeature (`cicd-github-misfeature`)
- Obfuscation (`cicd-github-obfuscation`)
- Overprovisioned secrets (`cicd-github-overprovisioned-secrets`)
- Run block injection (`cicd-github-run-block-injection`)
- Script block injection (`cicd-github-script-block-injection`)
- Secrets inherit (`cicd-github-secrets-inherit`)
- Secrets outside environment (`cicd-github-secrets-outside-env`)
- Self-hosted runner (`cicd-github-self-hosted-runner`)
- Superfluous actions (`cicd-github-superfluous-actions`)
- Unpinned actions full length commit SHA (`cicd-github-unpinned-actions-full-length-commit-sha`)
- Unpinned images (`cicd-github-unpinned-images`)
- Unredacted secrets (`cicd-github-unredacted-secrets`)
- Unsecured commands (`cicd-github-unsecured-commands`)
- Unsound condition (`cicd-github-unsound-conditions`)
- Unsound contains with controllable input (`cicd-github-unsound-contains-with-controllable-input`)
- Unsound contains without controllable input (`cicd-github-unsound-contains-no-controllable-input`)
- Unspecified workflows level permissions (`cicd-github-unspecified-workflows-permissions`)
- Use trusted publishing for authentication (`cicd-github-use-trusted-publishing`)

### CloudFormation (AWS)

- ALB is not integrated with WAF (`cloudformation-aws-alb-is-not-integrated-with-waf`)
- ALB listening on HTTP (`cloudformation-aws-alb-listening-on-http`)
- Alexa skill plaintext client secret exposed (`cloudformation-aws-alexa-skill-plaintext-client-secret-exposed`)
- Amazon MQ broker encryption disabled (`cloudformation-aws-amazon-mq-broker-encryption-disabled`)
- Amazon MQ broker is publicly accessible (`cloudformation-aws-mq-broker-is-publicly-accessible`)
- Amazon MQ broker logging disabled (`cloudformation-aws-mq-broker-logging-disabled`)
- Amplify app access token exposed (`cloudformation-aws-amplify-app-access-token-exposed`)
- Amplify app basic auth config password exposed (`cloudformation-aws-amplify-app-basic-auth-config-password-exposed`)
- Amplify app OAuth token exposed (`cloudformation-aws-amplify-app-oauth-token-exposed`)
- Amplify branch basic auth config password exposed (`cloudformation-aws-amplify-branch-basic-auth-config-password-exposed`)
- API Gateway cache cluster disabled (`cloudformation-aws-api-gateway-cache-cluster-disabled`)
- API Gateway cache encrypted disabled (`cloudformation-aws-api-gateway-cache-encrypted-disabled`)
- API Gateway deployment without access log setting (`cloudformation-aws-api-gateway-deployment-without-access-log-setting`)
- API Gateway deployment without usage plan associated (`cloudformation-aws-api-gateway-deployment-without-api-gateway-usage-plan-associated`)
- API Gateway endpoint config is not private (`cloudformation-aws-api-gateway-endpoint-config-is-not-private`)
- API Gateway method does not contain an API key (`cloudformation-aws-api-gateway-method-does-not-contain-an-api-key`)
- API Gateway stage without usage plan associated (`cloudformation-aws-api-gateway-stage-without-api-gateway-usage-plan-associated`)
- API Gateway V2 stage access logging settings not defined (`cloudformation-aws-api-gateway-access-logging-disabled`)
- API Gateway with invalid compression (`cloudformation-aws-api-gateway-with-invalid-compression`)
- API Gateway with open access (`cloudformation-aws-api-gateway-with-open-access`)
- API Gateway without configured authorizer (`cloudformation-aws-api-gateway-without-configured-authorizer`)
- API Gateway without security policy (`cloudformation-aws-api-gateway-without-security-policy`)
- API Gateway without SSL certificate (`cloudformation-aws-api-gateway-without-ssl-certificate`)
- API Gateway without WAF (`cloudformation-aws-api-gateway-without-waf`)
- API Gateway X-Ray disabled (`cloudformation-aws-api-gateway-xray-disabled`)
- Auto Scaling group with no associated ELB (`cloudformation-aws-auto-scaling-group-with-no-associated-elb`)
- Automatic minor upgrades disabled (`cloudformation-aws-automatic-minor-upgrades-disabled`)
- AWS DMS replication instance is publicly accessible (`cloudformation-aws-amazon-dms-replication-instance-is-publicly-accessible`)
- Batch job definition with privileged container properties (`cloudformation-aws-batch-job-definition-with-privileged-container-properties`)
- CDN configuration is missing (`cloudformation-aws-cdn-configuration-is-missing`)
- CloudFormation metadata contains plaintext credentials (`cloudformation-aws-cloudformation-specifying-credentials-not-safe`)
- CloudFront logging disabled (`cloudformation-aws-cloudfront-logging-disabled`)
- CloudFront viewer protocol policy allows HTTP (`cloudformation-aws-cloudfront-viewer-protocol-policy-allows-http`)
- CloudFront without minimum protocol TLS 1.2 (`cloudformation-aws-cloudfront-without-minimum-protocol-tls-1-2`)
- CloudFront without WAF (`cloudformation-aws-cloudfront-without-waf`)
- CloudTrail log file validation disabled (`cloudformation-aws-cloudtrail-log-file-validation-disabled`)
- CloudTrail log files not encrypted with KMS (`cloudformation-aws-cloudtrail-log-files-not-encrypted-with-kms`)
- CloudTrail logging disabled (`cloudformation-aws-cloudtrail-logging-disabled`)
- CloudTrail multi-region disabled (`cloudformation-aws-cloudtrail-multi-region-disabled`)
- CloudTrail not integrated with CloudWatch (`cloudformation-aws-cloudtrail-not-integrated-with-cloudwatch`)
- CloudTrail SNS topic name undefined (`cloudformation-aws-cloudtrail-sns-topic-name-undefined`)
- CloudWatch logging disabled (`cloudformation-aws-cloudwatch-logging-disabled`)
- CloudWatch metrics disabled (`cloudformation-aws-cloudwatch-metrics-disabled`)
- CMK is unusable (`cloudformation-aws-cmk-is-unusable`)
- CMK rotation disabled (`cloudformation-aws-cmk-rotation-disabled`)
- CMK unencrypted storage (`cloudformation-aws-cmk-unencrypted-storage`)
- CodeBuild not encrypted (`cloudformation-aws-codebuild-not-encrypted`)
- Cognito user pool without MFA (`cloudformation-aws-cognito-userpool-without-mfa`)
- Config rule for encrypted volumes disabled (`cloudformation-aws-config-rule-for-encryption-volumes-disabled`)
- Configuration aggregator to all regions disabled (`cloudformation-aws-config-configuration-aggregator-to-all-regions-disabled`)
- Connection between CloudFront origin not encrypted (`cloudformation-aws-connection-between-cloudfront-origin-not-encrypted`)
- Cross-account IAM assume role policy without external ID or MFA (`cloudformation-aws-cross-account-iam-assume-role-policy-without-external-id-or-mfa`)
- DB security group open to large scope (`cloudformation-aws-db-security-group-open-to-large-scope`)
- DB security group with public scope (`cloudformation-aws-db-security-group-with-public-scope`)
- Default KMS key usage (`cloudformation-aws-default-kms-key-usage`)
- Default security groups with unrestricted traffic (`cloudformation-aws-default-security-groups-with-unrestricted-traffic`)
- Directory service Microsoft AD password set to plaintext or default ref (`cloudformation-aws-directory-service-microsoft-ad-password-set-to-plaintext-or-default-ref`)
- Directory service simple AD password exposed (`cloudformation-aws-directory-service-simple-ad-password-exposed`)
- DMS endpoint MongoDB settings password exposed (`cloudformation-aws-dms-endpoint-mongo-db-settings-password-exposed`)
- DMS endpoint password exposed (`cloudformation-aws-dms-endpoint-password-exposed`)
- DocDB cluster master password in plaintext (`cloudformation-aws-docdb-cluster-master-password-in-plaintext`)
- DocDB logging is disabled (`cloudformation-aws-docdb-logging-disabled`)
- DynamoDB table not encrypted (`cloudformation-aws-dynamodb-table-not-encrypted`)
- DynamoDB table point-in-time recovery disabled (`cloudformation-aws-dynamodb-table-point-in-time-recovery-disabled`)
- DynamoDB with AWS-owned CMK (`cloudformation-aws-dynamodb-with-aws-owned-cmk`)
- DynamoDB with non-recommended table billing mode (`cloudformation-aws-dynamodb-with-table-billing-mode-not-recommended`)
- EBS volume encryption disabled (`cloudformation-aws-ebs-volume-encryption-disabled`)
- EBS volume not attached to instances (`cloudformation-aws-ebs-volume-not-attached-to-instances`)
- EBS volume without KmsKeyId (`cloudformation-aws-ebs-volume-without-kms-key-id`)
- EC2 instance has no IAM role (`cloudformation-aws-ec2-instance-has-no-iam-role`)
- EC2 instance monitoring disabled (`cloudformation-aws-ec2-instance-monitoring-disabled`)
- EC2 instance subnet has public IP mapping on launch (`cloudformation-aws-ec2-instance-subnet-has-public-ip-mapping-on-launch`)
- EC2 instance using default security group (`cloudformation-aws-ec2-instance-using-default-security-group`)
- EC2 instance using default VPC (`cloudformation-aws-ec2-instance-using-default-vpc`)
- EC2 Network ACL Deny rule not blocking all traffic (`cloudformation-aws-ec2-network-acl-ineffective-denied-traffic`)
- EC2 network ACL duplicate rule (`cloudformation-aws-ec2-network-acl-duplicate-rule`)
- EC2 network ACL overlapping ports (`cloudformation-aws-ec2-network-acl-overlapping-ports`)
- EC2 not EBS optimized (`cloudformation-aws-ec2-not-ebs-optimized`)
- EC2 permissive network ACL protocols (`cloudformation-aws-ec2-permissive-network-acl-protocols`)
- EC2 public instance exposed through subnet (`cloudformation-aws-ec2-public-instance-exposed-through-subnet`)
- EC2 sensitive port is publicly exposed (`cloudformation-aws-ec2-sensitive-port-is-publicly-exposed`)
- ECR image tag not immutable (`cloudformation-aws-ecr-image-tag-not-immutable`)
- ECR repository is publicly accessible (`cloudformation-aws-ecr-repository-is-publicly-accessible`)
- ECS cluster not encrypted at rest (`cloudformation-aws-ecs-cluster-not-encrypted-at-rest`)
- ECS cluster with Container Insights disabled (`cloudformation-aws-ecs-cluster-container-insights-disabled`)
- ECS no load balancer attached (`cloudformation-aws-ecs-no-load-balancer-attached`)
- ECS service admin role is present (`cloudformation-aws-ecs-service-admin-role-is-present`)
- ECS service without running tasks (`cloudformation-aws-ecs-service-without-running-tasks`)
- ECS task definition health check missing (`cloudformation-aws-ecs-task-definition-healthcheck-missing`)
- ECS task definition invalid CPU or memory (`cloudformation-aws-ecs-task-definition-invalid-cpu-or-memory`)
- ECS task definition network mode not recommended (`cloudformation-aws-ecs-task-definition-network-mode-not-recommended`)
- EFS not encrypted (`cloudformation-aws-efs-not-encrypted`)
- EFS volume with disabled transit encryption (`cloudformation-aws-efs-volume-with-disabled-transit-encryption`)
- EFS without KMS (`cloudformation-aws-efs-without-kms`)
- EFS without tags (`cloudformation-aws-efs-without-tags`)
- EKS node group remote access (`cloudformation-aws-eks-node-group-remote-access`)
- ElastiCache nodes not created across multi-AZ (`cloudformation-aws-elasticache-nodes-not-created-across-multi-az`)
- ElastiCache using default port (`cloudformation-aws-elasticache-using-default-port`)
- ElastiCache with disabled at-rest encryption (`cloudformation-aws-elasticache-with-disabled-at-rest-encryption`)
- ElastiCache with disabled transit encryption (`cloudformation-aws-elasticache-with-disabled-transit-encryption`)
- ElastiCache without VPC (`cloudformation-aws-elasticache-without-vpc`)
- Elasticsearch encryption with KMS disabled (`cloudformation-aws-elasticsearch-domain-encryption-with-kms-disabled`)
- Elasticsearch logs disabled (`cloudformation-aws-elasticsearch-logs-disabled`)
- Elasticsearch not encrypted at rest (`cloudformation-aws-elasticsearch-not-encrypted-at-rest`)
- Elasticsearch with HTTPS disabled (`cloudformation-aws-elasticsearch-with-https-disabled`)
- Elasticsearch without IAM authentication (`cloudformation-aws-elasticsearch-without-iam-authentication`)
- Elasticsearch without slow logs (`cloudformation-aws-elasticsearch-without-slow-logs`)
- ELB access log disabled (`cloudformation-aws-elb-access-log-disabled`)
- ELB sensitive port is exposed to entire network (`cloudformation-aws-elb-sensitive-port-is-exposed-to-entire-network`)
- ELB using insecure protocols (`cloudformation-aws-elb-using-insecure-protocols`)
- ELB using weak ciphers (`cloudformation-aws-elb-using-weak-ciphers`)
- ELB with security group without inbound rules (`cloudformation-aws-elb-with-security-group-without-inbound-rules`)
- ELB with security group without outbound rules (`cloudformation-aws-elb-with-security-group-without-outbound-rules`)
- ELB without secure protocol (`cloudformation-aws-elb-without-secure-protocol`)
- ELBv2 ALB access log disabled (`cloudformation-aws-elb-v2-alb-access-log-disabled`)
- Empty roles for ECS cluster task definitions (`cloudformation-aws-empty-roles-for-ecs-cluster-task-definitions`)
- EMR cluster without security configuration (`cloudformation-aws-emr-cluster-without-security-configuration`)
- EMR security configuration encryption disabled (`cloudformation-aws-emr-security-configuration-encryptions-enabled`)
- EMR without VPC (`cloudformation-aws-emr-wihout-vpc`)
- Fully open ingress (`cloudformation-aws-fully-open-ingress`)
- GameLift fleet EC2 inbound permissions with port range (`cloudformation-aws-gamelift-fleet-ec2-inbound-permissions-with-port-range`)
- Geo restriction disabled (`cloudformation-aws-geo-restriction-disabled`)
- GitHub repository set to public (`cloudformation-aws-github-repository-set-to-public`)
- GuardDuty detector disabled (`cloudformation-aws-guardduty-detector-disabled`)
- Hardcoded AWS access key in Lambda (`cloudformation-aws-hardcoded-aws-access-key-in-lambda`)
- High access key rotation period (`cloudformation-aws-access-key-not-rotated-within-90-days`)
- HTTP port open to internet (`cloudformation-aws-http-port-open`)
- IAM Access Analyzer not enabled (`cloudformation-aws-iam-access-analyzer-not-enabled`)
- IAM database auth not enabled (`cloudformation-aws-iam-database-auth-not-enabled`)
- IAM group inline policies (`cloudformation-aws-iam-groups-inline-policies`)
- IAM group without users (`cloudformation-aws-iam-group-without-users`)
- IAM managed policy applied to a user (`cloudformation-aws-iam-managed-policy-applied-to-a-user`)
- IAM password without minimum length (`cloudformation-aws-iam-password-without-minimum-length`)
- IAM policies attached to a user (`cloudformation-aws-iam-policies-attached-to-user`)
- IAM policies with full privileges (`cloudformation-aws-iam-policies-with-full-privileges`)
- IAM policies without groups (`cloudformation-aws-iam-policies-without-groups`)
- IAM policy grants AssumeRole permission across all services (`cloudformation-aws-iam-policy-grants-assumerole-permission-across-all-services`)
- IAM policy grants full permissions (`cloudformation-aws-iam-policy-grants-full-permissions`)
- IAM policy on user (`cloudformation-aws-iam-policy-on-user`)
- IAM role allows all principals to assume (`cloudformation-aws-iam-role-allows-all-principals-to-assume`)
- IAM user has too many access keys (`cloudformation-aws-iam-user-too-many-access-keys`)
- IAM user LoginProfile password is in plaintext (`cloudformation-aws-iam-user-login-profile-password-is-in-plaintext`)
- IAM user with no group (`cloudformation-aws-iam-user-with-no-group`)
- IAM user without password reset (`cloudformation-aws-user-iam-missing-password-reset-required`)
- Inline policies are attached to an ECS service (`cloudformation-aws-inline-policies-are-attached-to-ecs-service`)
- Instance with no VPC (`cloudformation-aws-instance-with-no-vpc`)
- IoT policy allows a wildcard resource (`cloudformation-aws-iot-policy-allows-wildcard-resource`)
- IoT policy allows action as a wildcard (`cloudformation-aws-iot-policy-allows-action-as-wildcard`)
- Kinesis SSE not configured (`cloudformation-aws-kinesis-sse-not-configured`)
- KMS allows a wildcard principal (`cloudformation-aws-kms-allows-wildcard-principal`)
- KMS key rotation disabled (`cloudformation-aws-kms-enable-key-rotation-disabled`)
- KMS key with a vulnerable policy (`cloudformation-aws-kms-key-with-full-permissions`)
- Lambda function without dead-letter queue (`cloudformation-aws-lambda-function-without-dead-letter-queue`)
- Lambda function without tags (`cloudformation-aws-lambda-function-without-tags`)
- Lambda functions with full privileges (`cloudformation-aws-lambda-functions-with-full-privileges`)
- Lambda functions without unique IAM roles (`cloudformation-aws-lambda-functions-without-unique-iam-roles`)
- Lambda functions without X-Ray tracing (`cloudformation-aws-lambda-functions-without-x-ray-tracing`)
- Lambda permission misconfigured (`cloudformation-aws-lambda-permission-misconfigured`)
- Lambda permission principal is a wildcard (`cloudformation-aws-lambda-permission-principal-is-wildcard`)
- Low RDS backup retention period (`cloudformation-aws-low-rds-backup-retention-period`)
- MSK broker is publicly accessible (`cloudformation-aws-msk-broker-is-publicly-accessible`)
- MSK cluster encryption disabled (`cloudformation-aws-msk-cluster-encryption-disabled`)
- MSK cluster logging

## Further reading{% #further-reading %}

- [Set up IaC Security](https://docs.datadoghq.com/security/code_security/iac_security/setup.md)
- [Configure IaC Security](https://docs.datadoghq.com/security/code_security/iac_security/configuration.md)
disabledcloudformation-aws-msk-cluster-logging-disabled\> Neptune cluster with IAM database authentication disabledcloudformation-aws-neptune-cluster-with-iam-database-authentication-disabled\> Neptune database cluster encryption disabledcloudformation-aws-neptune-database-cluster-encryption-disabled\> Permissive Web ACL default actioncloudformation-aws-webacl-allow-defaultaction\> Public Lambda function via API Gatewaycloudformation-aws-public-lambda-via-api-gateway\> RDS associated with a public subnetcloudformation-aws-rds-associated-with-public-subnet\> RDS DB instance publicly accessiblecloudformation-aws-rds-db-instance-publicly-accessible\> RDS DB instance with deletion protection disabledcloudformation-aws-rds-db-instance-with-deletion-protection-disabled\> RDS Multi-AZ deployment disabledcloudformation-aws-rds-multi-az-deployment-disabled\> RDS storage encryption disabledcloudformation-aws-rds-storage-encryption-disabled\> RDS storage not encryptedcloudformation-aws-rds-storage-not-encrypted\> RDS using default portcloudformation-aws-rds-using-default-port\> RDS with backup disabledcloudformation-aws-rds-with-backup-disabled\> Redshift cluster logging disabledcloudformation-aws-redshift-cluster-logging-disabled\> Redshift cluster without a KMS CMKcloudformation-aws-redshift-cluster-without-kms-cmk\> Redshift not encryptedcloudformation-aws-redshift-not-encrypted\> Redshift publicly accessiblecloudformation-aws-redshift-publicly-accessible\> Redshift using default portcloudformation-aws-redshift-using-default-port\> Refresh token is exposedcloudformation-aws-refresh-token-is-exposed\> Remote Desktop port open to the internetcloudformation-aws-remote-desktop-port-open-to-internet\> Root account has active access keyscloudformation-aws-root-account-has-active-access-keys\> Route table with default routingcloudformation-aws-routertable-with-default-routing\> Route53 record undefinedcloudformation-aws-route53-record-undefined\> S3 bucket access to any 
principalcloudformation-aws-s3-bucket-access-to-any-principal\> S3 bucket ACL allows read or write to all userscloudformation-aws-s3-bucket-acl-allows-read-or-write-to-all-users\> S3 bucket ACL allows read to all userscloudformation-aws-s3-bucket-acl-allows-read-to-all-users\> S3 bucket ACL allows read to any authenticated usercloudformation-aws-s3-bucket-acl-allows-read-to-any-authenticated-user\> S3 bucket allows delete action from all principalscloudformation-aws-s3-bucket-allows-delete-actions-from-all-principals\> S3 bucket allows get action from all principalscloudformation-aws-s3-bucket-allows-get-actions-from-all-principals\> S3 bucket allows list action from all principalscloudformation-aws-s3-bucket-allows-list-actions-from-all-principals\> S3 bucket allows public ACLcloudformation-aws-s3-bucket-allows-public-acl\> S3 bucket allows public policycloudformation-aws-s3-bucket-with-public-policy\> S3 bucket allows put action from all principalscloudformation-aws-s3-bucket-allows-put-actions-from-all-principals\> S3 bucket allows restore actions from all principalscloudformation-aws-s3-bucket-allows-restore-actions-from-all-principals\> S3 bucket CloudTrail logging disabledcloudformation-aws-s3-bucket-cloudtrail-logging-disabled\> S3 bucket logging disabledcloudformation-aws-s3-bucket-logging-disabled\> S3 bucket should have bucket policycloudformation-aws-s3-bucket-should-have-bucket-policy\> S3 bucket with all permissionscloudformation-aws-s3-bucket-with-all-permissions\> S3 bucket with unsecured CORS rulecloudformation-aws-s3-bucket-with-unsecured-cors-rule\> S3 bucket without ignore public ACLcloudformation-aws-s3-bucket-without-ignore-public-acl\> S3 bucket without restriction of public bucketcloudformation-aws-s3-bucket-without-restriction-of-public-bucket\> S3 bucket without server-side encryptioncloudformation-aws-s3-bucket-without-server-side-encryption\> S3 bucket without SSL in write actionscloudformation-aws-s3-bucket-without-ssl-in-write-actions\> 
S3 bucket without versioningcloudformation-aws-s3-bucket-without-versioning\> S3 static website host enabledcloudformation-aws-s3-static-website-host-enabled\> SageMaker data encryption disabledcloudformation-aws-sagemaker-data-encryption-disabled\> SageMaker enabling internet accesscloudformation-aws-sagemaker-enabling-internet-access\> SageMaker endpoint config should specify KmsKeyId attributecloudformation-aws-sagemaker-endpoint-config-should-specify-kms-key-id-attribute\> SageMaker notebook not placed in VPCcloudformation-aws-sagemaker-notebook-not-placed-in-vpc\> SDB domain declared as a resourcecloudformation-aws-sdb-domain-declared-as-a-resource\> Secrets manager should specify KmsKeyIdcloudformation-aws-secrets-manager-should-specify-kms-key-id\> Secure ciphers disabledcloudformation-aws-secure-ciphers-disabled\> Security group egress CIDR open to worldcloudformation-aws-security-group-egress-cidr-open-to-world\> Security group egress with all protocolscloudformation-aws-security-group-egress-with-all-protocols\> Security group egress with port rangecloudformation-aws-security-group-egress-with-port-range\> Security group ingress has CIDR not recommendedcloudformation-aws-security-group-ingress-has-cidr-not-recommended\> Security group ingress with all protocolscloudformation-aws-security-group-ingress-with-all-protocols\> Security group ingress with port rangecloudformation-aws-security-group-ingress-with-port-range\> Security group rule without descriptioncloudformation-aws-security-group-rule-without-description\> Security group unrestricted access to RDPcloudformation-aws-security-groups-unrestricted-access-to-rdp\> Security group with unrestricted access to SSHcloudformation-aws-security-groups-with-unrestricted-access-to-ssh\> Security groups allows unrestricted outbound trafficcloudformation-aws-security-groups-allows-unrestricted-outbound-traffic\> Security groups with exposed admin 
portscloudformation-aws-security-groups-with-exhibited-admin-ports\> Security groups with meta IPcloudformation-aws-security-groups-with-meta-ip\> Security groups without VPC attachedcloudformation-aws-security-groups-without-vpc-attached\> Serverless API access logging setting undefinedcloudformation-aws-serverless-api-access-logging-setting-undefined\> Serverless API cache cluster disabledcloudformation-aws-serverless-api-cache-cluster-disabled\> Serverless API endpoint config not privatecloudformation-aws-serverless-api-endpoint-config-not-private\> Serverless API without content encodingcloudformation-aws-serverless-api-without-content-encoding\> Serverless API X-Ray tracing disabledcloudformation-aws-serverless-api-xray-tracing-disabled\> Serverless function environment variables not encryptedcloudformation-aws-serverless-function-environment-variables-not-encrypted\> Serverless function without dead-letter queuecloudformation-aws-serverless-function-without-dead-letter-queue\> Serverless function without tagscloudformation-aws-serverless-function-without-tags\> Serverless function without unique IAM rolecloudformation-aws-serverless-function-without-unique-iam-role\> Serverless function without X-Ray tracingcloudformation-aws-serverless-function-without-x-ray-tracing\> Shield Advanced not in usecloudformation-aws-shield-advanced-not-in-use\> SNS topic is publicly accessiblecloudformation-aws-sns-topic-is-publicly-accessible\> SNS topic publicity has Allow and NotAction simultaneouslycloudformation-aws-sns-topic-publicity-has-allow-and-not-action-simultaneously\> SNS topic without KmsMasterKeyIdcloudformation-aws-sns-topic-without-kms-master-key-id\> SQS policy with public accesscloudformation-aws-sqs-policy-with-public-access\> SQS with SSE disabledcloudformation-aws-sqs-with-sse-disabled\> Stack notifications disabledcloudformation-aws-stack-notifications-disabled\> Stack retention disabledcloudformation-aws-stack-retention-disabled\> Support has no role 
associatedcloudformation-aws-support-has-no-role-associated\> TCP UDP protocol network ACL entry allows all portscloudformation-aws-tcp-or-udp-protocol-network-acl-entry-allows-all-ports\> Unknown port exposed to internetcloudformation-aws-unknown-port-exposed-to-internet\> Unrestricted security group ingresscloudformation-aws-unrestricted-security-group-ingress\> Unscanned ECR imagecloudformation-aws-unscanned-ecr-image\> User data contains encoded private keycloudformation-aws-user-data-contains-encoded-private-key\> VPC attached with too many gatewayscloudformation-aws-vpc-attached-with-too-many-gateways\> VPC Flow Logs disabledcloudformation-aws-vpc-flowlogs-disabled\> VPC without attached subnetcloudformation-aws-vpc-without-attached-subnet\> VPC without Network Firewallcloudformation-aws-vpc-without-network-firewall\> Vulnerable default SSL certificatecloudformation-aws-vulnerable-default-ssl-certificate\> Wildcard in ACM certificate domain namecloudformation-aws-wildcard-in-acm-certificate-domain-name\> Workspace without encryptioncloudformation-aws-workspace-without-encryption\> ADD instead of COPYdockerfile-add-instead-of-copy\> apk add using local cache pathdockerfile-apk-add-using-local-cache-path\> apt-get install lists were not deleteddockerfile-apt-get-install-lists-were-not-deleted\> apt-get install pin version not defineddockerfile-apt-get-install-pin-version-not-defined\> apt-get missing flags to avoid manual inputdockerfile-apt-get-missing-flags-to-avoid-manual-input\> apt-get not avoiding additional packagesdockerfile-apt-get-not-avoiding-additional-packages\> Avoid chmod 777dockerfile-avoid-chmod-777\> Avoid HTTPdockerfile-avoid-http\> Changing default shell using RUN commanddockerfile-changing-default-shell-using-run-command\> chown flag existsdockerfile-chown-flag-exists\> COPY --from references current FROM aliasdockerfile-copy-from-references-current-from-alias\> COPY with more than two arguments not ending with a 
slashdockerfile-copy-with-more-than-two-arguments-not-ending-with-slash\> curl or wget instead of ADDdockerfile-curl-or-wget-instead-of-add\> Dockerfile should specify base imagedockerfile-should-specify-base-image\> ENV refers to itselfdockerfile-env-no-refer-envvar\> Exposing port 22 (SSH)dockerfile-exposing-port-22\> First instruction must be ARG or FROMdockerfile-first-instruction-should-be-arg-or-from\> gem install without versiondockerfile-gem-install-without-version\> Healthcheck instruction missingdockerfile-healthcheck-instruction-missing\> Image version not explicitdockerfile-image-version-not-explicit\> Image version using latestdockerfile-image-version-using-latest\> Last user is rootdockerfile-last-user-is-root\> MAINTAINER instruction being useddockerfile-maintainer-instruction-being-used\> Missing dnf clean alldockerfile-missing-dnf-clean-all\> Missing flag from dnf installdockerfile-missing-flag-from-dnf-install\> Missing user instructiondockerfile-missing-user-instruction\> Missing version specification in dnf installdockerfile-missing-version-specification-in-dnf-install\> Missing zypper cleandockerfile-missing-zypper-clean\> Missing Zypper non-interactive switchdockerfile-missing-zypper-non-interactive-switch\> Multiple CMD instructions listeddockerfile-multiple-cmd-instructions-listed\> Multiple ENTRYPOINT instructions listeddockerfile-multiple-entrypoint-instructions-listed\> Multiple HEALTHCHECK instructionsdockerfile-do-not-use-multiple-healthcheck\> Multiple RUN, ADD, COPY instructions listeddockerfile-multiple-run-add-copy-instructions-listed\> Not using JSON for CMD and ENTRYPOINT argumentsdockerfile-not-using-json-in-cmd-and-entrypoint-arguments\> npm install command without pinned versiondockerfile-npm-install-without-pinned-version\> ONBUILD cannot trigger FROM or MAINTAINERdockerfile-from-or-maintainer-cannot-be-triggered-within-onbuild\> Package update without install in same RUNdockerfile-update-instruction-alone\> pip install 
keeping cached packagesdockerfile-pip-install-keeping-cached-packages\> RUN instruction using cd instead of WORKDIRdockerfile-run-command-cd-instead-of-workdir\> Run using aptdockerfile-run-using-apt\> Run using sudodockerfile-run-using-sudo\> Run using wget and curldockerfile-run-using-wget-and-curl\> Run utilities and POSIX commandsdockerfile-run-utilities-and-posix-commands\> Run yarn clean after yarn installdockerfile-run-yarn-clean-after-yarn-install\> Same alias in different FROM statementsdockerfile-same-alias-in-different-froms\> Shell running a pipe without the pipefail flagdockerfile-shell-running-a-pipe-without-pipefail-flag\> UNIX ports out of rangedockerfile-unix-ports-out-of-range\> Unpinned package version in apk adddockerfile-unpinned-package-version-in-apk-add\> Unpinned package version in pip installdockerfile-unpinned-package-version-in-pip-install\> Use only allowed registry in FROMdockerfile-use-only-an-allowed-registry-in-the-from-image\> Use recommended flags with useradddockerfile-use-recommended-flags-with-useradd\> Using --platform flag with FROM commanddockerfile-using-platform-with-from\> Using unnamed build stagesdockerfile-using-unnamed-build-stages\> WORKDIR path not absolutedockerfile-workdir-path-not-absolute\> yum clean all missingdockerfile-yum-clean-all-missing\> yum install allows manual inputdockerfile-yum-install-allows-manual-input\> yum install without versiondockerfile-yum-install-without-version\> Zypper install without explicit package versiondockerfile-zypper-install-without-version\> Always admit admission control plugin setkubernetes-always-admit-admission-control-plugin-set\> Always pull images admission control plugin not setkubernetes-always-pull-images-admission-control-plugin-not-set\> Anonymous auth is not set to falsekubernetes-anonymous-auth-is-not-set-to-false\> Audit log maxage not properly setkubernetes-audit-log-maxage-not-properly-set\> Audit log maxbackup not properly 
setkubernetes-audit-log-maxbackup-not-properly-set\> Audit log maxsize not properly setkubernetes-audit-log-maxsize-not-properly-set\> Audit log path not setkubernetes-audit-log-path-not-set\> Audit policy does not cover key security concernskubernetes-audit-policy-not-cover-key-security-concerns\> Audit policy file not definedkubernetes-audit-policy-file-not-defined\> Authorization mode node not setkubernetes-authorization-mode-node-not-set\> Authorization mode RBAC not setkubernetes-authorization-mode-rbac-not-set\> Authorization mode set to always allowkubernetes-authorization-mode-set-to-always-allow\> Auto TLS set to truekubernetes-auto-tls-set-to-true\> Basic auth file is setkubernetes-basic-auth-file-is-set\> Bind address not properly setkubernetes-bind-address-not-properly-set\> Certificate authority is not uniquekubernetes-not-unique-certificate-authority\> Client certificate authentication not set up properlykubernetes-client-certificate-authentication-not-setup-properly\> Cluster admin rolebinding with superuser permissionskubernetes-cluster-admin-role-binding-with-super-user-permissions\> Cluster allows unsafe sysctlskubernetes-cluster-allows-unsafe-sysctls\> CNI plugin does not support network policieskubernetes-cni-plugin-does-not-support-network-policies\> Container is privilegedkubernetes-container-is-privileged\> Container running as rootkubernetes-containers-running-as-root\> Container with low UIDkubernetes-containers-run-with-low-uid\> Container with unmasked /proc accesskubernetes-container-runs-unmasked\> Containers missing drop capabilitieskubernetes-no-drop-capabilities-for-containers\> Containers with added capabilitieskubernetes-containers-with-added-capabilities\> Containers with sys admin capabilitieskubernetes-containers-with-sys-admin-capabilities\> CPU limits not setkubernetes-cpu-limits-not-set\> CPU requests not setkubernetes-cpu-requests-not-set\> CronJob deadline not configuredkubernetes-cronjob-deadline-not-configured\> Dashboard 
is enabledkubernetes-dashboard-is-enabled\> Deployment without podAntiAffinitykubernetes-deployment-has-no-pod-anti-affinity\> Deployment without PodDisruptionBudgetkubernetes-deployment-without-pod-disruption-budget\> Docker daemon socket is exposed to containerskubernetes-docker-daemon-socket-is-exposed-to-containers\> Encryption provider config is not definedkubernetes-encryption-provider-config-is-not-defined\> Encryption provider not properly configuredkubernetes-encryption-provider-not-properly-configured\> Ensure administrative boundaries between resourceskubernetes-ensure-administrative-boundaries-between-resources\> etcd client certificate authentication set to falsekubernetes-etcd-client-certificate-authentication-set-to-false\> etcd client certificate file not definedkubernetes-etcd-client-certificate-file-not-defined\> etcd peer client certificate authentication set to falsekubernetes-etcd-peer-client-certificate-authentication-set-to-false\> etcd peer TLS certificate files not properly setkubernetes-etcd-peer-tls-certificate-files-not-properly-set\> etcd TLS certificate files not properly setkubernetes-etcd-tls-certificate-files-not-properly-set\> etcd TLS certificate not properly configuredkubernetes-etcd-tls-certificate-not-properly-configured\> Event rate limit admission control plugin not setkubernetes-event-rate-limit-admission-control-plugin-not-set\> HPA targeted deployments with configured replica countkubernetes-hpa-targeted-deployments-with-configured-replica-count\> HPA targets invalid objectkubernetes-hpa-targets-invalid-object\> Image policy webhook admission control plugin not setkubernetes-image-policy-webhook-admission-control-plugin-not-set\> Image pull policy of the container is not set to alwayskubernetes-image-pull-policy-of-container-is-not-always\> Image without digestkubernetes-image-without-digest\> Incorrect volume claim access mode ReadWriteOncekubernetes-incorrect-volume-claim-access-mode-read-write-once\> Ingress controller 
exposes workloadkubernetes-ingress-controller-exposes-workload\> Insecure bind address setkubernetes-insecure-bind-address-set\> Insecure port not properly setkubernetes-insecure-port-not-properly-set\> Invalid image tagkubernetes-invalid-image\> Invalid metadata labelkubernetes-metadata-label-is-invalid\> Kubelet certificate authority not setkubernetes-kubelet-certificate-authority-not-set\> Kubelet client certificate or key not setkubernetes-kubelet-client-certificate-or-key-not-set\> Kubelet client periodic certificate switch disabledkubernetes-kubelet-client-periodic-certificate-switch-disabled\> Kubelet event QPS not properly setkubernetes-kubelet-event-qps-not-properly-set\> Kubelet hostname override is setkubernetes-kubelet-hostname-override-is-set\> Kubelet HTTPS set to falsekubernetes-kubelet-https-set-to-false\> Kubelet not managing IP tableskubernetes-kubelet-not-managing-ip-tables\> Kubelet protect-kernel-defaults set to falsekubernetes-kubelet-protect-kernel-defaults-set-to-false\> Kubelet read-only port is not set to zerokubernetes-kubelet-read-only-port-is-not-set-to-zero\> Kubelet streaming connection timeout disabledkubernetes-kubelet-streaming-connection-timeout-disabled\> Liveness probe is not definedkubernetes-liveness-probe-is-not-defined\> Memory limits not definedkubernetes-memory-limits-not-defined\> Memory requests not definedkubernetes-memory-requests-not-defined\> Missing AppArmor profilekubernetes-missing-app-armor-config\> Namespace lifecycle admission control plugin disabledkubernetes-namespace-lifecycle-admission-control-plugin-disabled\> NET_RAW capabilities disabled for PSPkubernetes-net-raw-capabilities-disabled-for-psp\> NET_RAW capabilities not droppedkubernetes-net-raw-capabilities-not-being-dropped\> Network policy without Pod targetkubernetes-network-policy-is-not-targeting-any-pod\> Node restriction admission control plugin not setkubernetes-node-restriction-admission-control-plugin-not-set\> Non kube-system pod with host 
mountkubernetes-non-kube-system-pod-with-host-mount\> Object is using a deprecated API versionkubernetes-object-is-using-a-deprecated-api-version\> Peer auto TLS set to truekubernetes-peer-auto-tls-set-to-true\> Permissive access to create podskubernetes-permissive-access-to-create-pods\> Pod misconfigured network policykubernetes-pod-misconfigured-network-policy\> Pod or container without LimitRangekubernetes-pod-or-container-without-limit-range\> Pod or container without ResourceQuotakubernetes-pod-or-container-without-resource-quota\> Pod or container without security contextkubernetes-pod-or-container-without-security-context\> Pod security policy admission control plugin not setkubernetes-pod-security-policy-admission-control-plugin-not-set\> PodSecurityPolicy allows host network sharingkubernetes-psp-containers-share-host-network-namespace\> Privilege escalation allowedkubernetes-privilege-escalation-allowed\> Profiling not set to falsekubernetes-profiling-not-set-to-false\> PSP allows privilege escalationkubernetes-psp-allows-privilege-escalation\> PSP allows sharing host IPCkubernetes-psp-allows-sharing-host-ipc\> PSP allows sharing host PIDkubernetes-psp-allows-sharing-host-pid\> PSP set to privilegedkubernetes-psp-set-to-privileged\> PSP with added capabilitieskubernetes-psp-with-added-capabilities\> PSP with unrestricted access to host pathkubernetes-psp-with-unrestricted-access-to-host-path\> RBAC roles allow privilege escalationkubernetes-rbac-roles-allow-privilege-escalation\> RBAC roles with attach permissionkubernetes-rbac-roles-with-attach-permission\> RBAC roles with exec permissionkubernetes-rbac-roles-with-exec-permission\> RBAC roles with impersonate permissionkubernetes-rbac-roles-with-impersonate-permission\> RBAC roles with port-forwarding permissionkubernetes-rbac-roles-with-portforwarding-permissions\> RBAC roles with read secrets permissionskubernetes-rbac-roles-with-read-secrets-permissions\> RBAC wildcard in 
rulekubernetes-rbac-wildcard-in-rule\> Readiness probe is not configuredkubernetes-readiness-probe-is-not-configured\> Request timeout not properly setkubernetes-request-timeout-not-properly-set\> Role binding to default service accountkubernetes-role-binding-to-default-service-account\> Root CA file not definedkubernetes-root-ca-file-not-defined\> Root container not mounted as read-onlykubernetes-root-container-not-mounted-as-read-only\> Root containers admittedkubernetes-root-containers-admitted\> Rotate Kubelet server certificate not activekubernetes-rotate-kubelet-server-certificate-not-active\> Seccomp profile is not configuredkubernetes-seccomp-profile-is-not-configured\> Secrets used as environment variableskubernetes-secrets-as-environment-variables\> Secure port set to zerokubernetes-secure-port-set-to-zero\> Security context deny admission control plugin not setkubernetes-security-context-deny-admission-control-plugin-not-set\> Service account admission control plugin disabledkubernetes-service-account-admission-control-plugin-disabled\> Service account key file not properly setkubernetes-service-account-key-file-not-properly-set\> Service account lookup set to falsekubernetes-service-account-lookup-set-to-false\> Service account name undefined or emptykubernetes-service-account-name-undefined-or-empty\> Service account private key file not definedkubernetes-service-account-private-key-file-not-defined\> Service account token auto-mount not disabledkubernetes-service-account-token-automount-not-disabled\> Service does not target a Podkubernetes-service-does-not-target-pod\> Service type is NodePortkubernetes-service-type-is-nodeport\> Service with external load balancerkubernetes-service-with-external-load-balancer\> ServiceAccount allows access to secretskubernetes-service-account-allows-access-secrets\> Shared host IPC namespacekubernetes-shared-host-ipc-namespace\> Shared host network namespacekubernetes-shared-host-network-namespace\> Shared host PID 
namespacekubernetes-shared-host-pid-namespace\> Shared service accountkubernetes-shared-service-account\> StatefulSet requests storagekubernetes-statefulset-requests-storage\> StatefulSet without podAntiAffinitykubernetes-statefulset-has-no-pod-anti-affinity\> StatefulSet without PodDisruptionBudgetkubernetes-statefulset-without-pod-disruption-budget\> StatefulSet without service namekubernetes-statefulset-without-service-name\> Terminated pod garbage collector threshold not properly setkubernetes-terminated-pod-garbage-collector-threshold-not-properly-set\> Tiller (Helm v2) deployedkubernetes-tiller-is-deployed\> Tiller Deployment accessible within clusterkubernetes-tiller-deployment-is-accessible-from-within-the-cluster\> Tiller Service presentkubernetes-tiller-service-is-not-deleted\> TLS connection certificate not set upkubernetes-tls-connection-certificate-not-setup\> Token auth file is setkubernetes-token-auth-file-is-set\> Unrestricted capabilities in PodSecurityPolicykubernetes-not-limited-capabilities-for-pod-security-policy\> Use service account credentials not set to truekubernetes-use-service-account-credentials-not-set-to-true\> Using Kubernetes native secret managementkubernetes-using-kubernetes-native-secret-management\> Using unrecommended namespacekubernetes-using-unrecommended-namespace\> Volume mount with OS directory write permissionskubernetes-volume-mount-with-os-directory-write-permissions\> Weak TLS cipher suiteskubernetes-weak-tls-cipher-suites\> Workload host port not specifiedkubernetes-workload-host-port-not-specified\> Workload mounting with sensitive OS directorykubernetes-workload-mounting-with-sensitive-os-directory\> Generic Git module without revisionterraform-generic-git-module-without-revision\> Output without descriptionterraform-output-without-description\> Variable without descriptionterraform-variable-without-description\> Variable without typeterraform-variable-without-type\>
- Action trail logging for all regions disabled (`terraform-alicloud-action-trail-logging-all-regions-disabled`)
- ActionTrail trail OSS bucket is publicly accessible (`terraform-alicloud-actiontrail-trail-oss-bucket-is-publicly-accessible`)
- ALB listening on HTTP (`terraform-alicloud-alb-listening-on-http`)
- API Gateway API protocol not HTTPS (`terraform-alicloud-api-gateway-api-protocol-not-https`)
- CMK is unusable (`terraform-alicloud-cmk-is-unusable`)
- CS Kubernetes node pool auto repair disabled (`terraform-alicloud-cs-kubernetes-node-pool-auto-repair-disabled`)
- Disk encryption disabled (`terraform-alicloud-disk-encryption-disabled`)
- ECS data disk KMS key ID undefined (`terraform-alicloud-ecs-data-disk-kms-key-id-undefined`)
- High KMS key rotation period (`terraform-alicloud-high-kms-key-rotation-period`)
- Kubernetes cluster without Terway as CNI network plugin (`terraform-alicloud-kubernetes-cluster-without-terway-as-cni-network-plugin`)
- Launch template is not encrypted (`terraform-alicloud-launch-template-is-not-encrypted`)
- Log retention is not greater than 90 days (`terraform-alicloud-log-retention-is-not-greater-than-90-days`)
- NAS file system not encrypted (`terraform-alicloud-nas-file-system-not-encrypted`)
- NAS file system without KMS (`terraform-alicloud-nas-file-system-without-kms`)
- No ROS stack policy (`terraform-alicloud-no-ros-stack-policy`)
- OSS bucket allows all actions from all principals (`terraform-alicloud-oss-bucket-allows-all-actions-from-all-principals`)
- OSS bucket allows delete action from all principals (`terraform-alicloud-oss-bucket-allows-delete-from-all-principals`)
- OSS bucket allows list action from all principals (`terraform-alicloud-oss-bucket-allows-list-action-from-all-principals`)
- OSS bucket allows put action from all principals (`terraform-alicloud-oss-bucket-allows-put-action-from-all-principals`)
- OSS bucket encryption using CMK disabled (`terraform-alicloud-oss-bucket-cmk-encryption-disabled`)
- OSS bucket has static website (`terraform-alicloud-oss-bucket-has-static-website`)
- OSS bucket IP restriction disabled (`terraform-alicloud-oss-bucket-ip-restriction-disabled`)
- OSS bucket lifecycle rule disabled (`terraform-alicloud-oss-bucket-lifecycle-disabled`)
- OSS bucket logging disabled (`terraform-alicloud-oss-bucket-logging-disabled`)
- OSS bucket public access enabled (`terraform-alicloud-oss-bucket-public-access-enabled`)
- OSS bucket transfer acceleration disabled (`terraform-alicloud-oss-bucket-transfer-acceleration-disabled`)
- OSS bucket versioning disabled (`terraform-alicloud-oss-bucket-versioning-disabled`)
- OSS buckets secure transport disabled (`terraform-alicloud-oss-buckets-securetransport-disabled`)
- Public security group rule all ports or protocols (`terraform-alicloud-public-security-group-rule-all-ports-or-protocols`)
- Public security group rule sensitive port (`terraform-alicloud-public-security-group-rule-sensitive-port`)
- Public security group rule unknown port (`terraform-alicloud-public-security-group-rule-unknown-port`)
- RAM account password policy does not enforce minimum password length (`terraform-alicloud-ram-account-password-policy-not-required-minimum-length`)
- RAM account password policy does not require numbers (`terraform-alicloud-ram-account-password-policy-not-required-numbers`)
{% icon name="icon-cloud-thicc" /%}
 RAM account password policy does not require symbolsterraform-alicloud-ram-account-password-policy-not-required-symbols\>
{% icon name="icon-cloud-thicc" /%}
 RAM account password policy max login attempts not recommendedterraform-alicloud-ram-account-password-policy-max-login-attempts-unrecommended\>
{% icon name="icon-cloud-thicc" /%}
 RAM account password policy max password age not recommendedterraform-alicloud-ram-account-password-policy-max-password-age-unrecommended\>
{% icon name="icon-cloud-thicc" /%}
 RAM account password policy not require at least one lowercase characterterraform-alicloud-ram-password-security-policy-not-require-at-least-one-lowercase-character\>
{% icon name="icon-cloud-thicc" /%}
 RAM account password policy not require at least one uppercase characterterraform-alicloud-ram-password-security-policy-not-require-at-least-one-uppercase-character\>
{% icon name="icon-cloud-thicc" /%}
 RAM account password policy without reuse preventionterraform-alicloud-ram-account-password-policy-without-reuse-prevention\>
{% icon name="icon-cloud-thicc" /%}
 RAM policy admin access not attached to users groups rolesterraform-alicloud-ram-policy-admin-access-not-attached-to-users-groups-roles\>
{% icon name="icon-cloud-thicc" /%}
 RAM policy attached to userterraform-alicloud-ram-policy-attached-to-user\>
{% icon name="icon-cloud-thicc" /%}
 RAM security preference does not enforce MFA loginterraform-alicloud-ram-security-preference-not-enforce-mfa\>
{% icon name="icon-cloud-thicc" /%}
 RDS DB instance publicly accessibleterraform-alicloud-rds-instance-address-publicly-accessible\>
{% icon name="icon-cloud-thicc" /%}
 RDS DB instance publicly accessibleterraform-alicloud-rds-instance-publicly-accessible\>
{% icon name="icon-cloud-thicc" /%}
 RDS instance events not loggedterraform-alicloud-rds-instance-events-not-logged\>
{% icon name="icon-cloud-thicc" /%}
 RDS instance log connections disabledterraform-alicloud-rds-instance-log-connections-disabled\>
{% icon name="icon-cloud-thicc" /%}
 RDS instance log disconnections disabledterraform-alicloud-rds-instance-log-disconnections-disabled\>
{% icon name="icon-cloud-thicc" /%}
 RDS instance log duration disabledterraform-alicloud-rds-instance-log-duration-disabled\>
{% icon name="icon-cloud-thicc" /%}
 RDS instance retention period not recommendedterraform-alicloud-rds-instance-retention-not-recommended\>
{% icon name="icon-cloud-thicc" /%}
 RDS instance SSL action disabledterraform-alicloud-rds-instance-ssl-action-disabled\>
{% icon name="icon-cloud-thicc" /%}
 RDS instance TDE status disabledterraform-alicloud-rds-instance-tde-status-disabled\>
{% icon name="icon-cloud-thicc" /%}
 ROS stack notifications disabledterraform-alicloud-ros-stack-notifications-disabled\>
{% icon name="icon-cloud-thicc" /%}
 ROS stack retention disabledterraform-alicloud-ros-stack-retention-disabled\>
{% icon name="icon-cloud-thicc" /%}
 ROS stack without templateterraform-alicloud-ros-stack-without-template\>
{% icon name="icon-cloud-thicc" /%}
 SLB policy with insecure TLS version in useterraform-alicloud-slb-policy-with-insecure-tls-version-in-use\>
{% icon name="icon-cloud-thicc" /%}
 VPC flow logs disabledterraform-alicloud-vpc-flow-logs-disabled\> ALB deletion protection disabledterraform-aws-alb-deletion-protection-disabled\> ALB is not integrated with WAFterraform-aws-alb-is-not-integrated-with-waf\> ALB listening on HTTPterraform-aws-alb-listening-on-http\> ALB not dropping invalid headersterraform-aws-alb-not-dropping-invalid-headers\> Amazon DMS replication instance is publicly accessibleterraform-aws-amazon-dms-replication-instance-is-publicly-accessible\> AmazonMQ broker encryption disabledterraform-aws-amazon-mq-broker-encryption-disabled\> AMI most recent without owner or filterterraform-aws-ami-owner-missing\> AMI not encryptedterraform-aws-ami-not-encrypted\> AMI shared with multiple accountsterraform-aws-ami-shared-with-multiple-accounts\> API Gateway access logging disabledterraform-aws-api-gateway-access-logging-disabled\> API Gateway deployment without access log settingterraform-aws-api-gateway-deployment-without-access-log-setting\> API Gateway deployment without API Gateway usage plan associatedterraform-aws-api-gateway-deployment-without-api-gateway-usage-plan-associated\> API Gateway endpoint config is not privateterraform-aws-api-gateway-endpoint-config-is-not-private\> API Gateway method does not contain an API keyterraform-aws-api-gateway-method-does-not-contain-an-api-key\> API Gateway method settings cache not encryptedterraform-aws-api-gateway-method-settings-cache-not-encrypted\> API Gateway stage without API Gateway usage plan associatedterraform-aws-api-gateway-stage-without-api-gateway-usage-plan-associated\> API Gateway with CloudWatch logging disabledterraform-aws-api-gateway-with-cloudwatch-logging-disabled\> API Gateway with invalid compressionterraform-aws-api-gateway-with-invalid-compression\> API Gateway with open accessterraform-aws-api-gateway-with-open-access\> API Gateway without configured authorizerterraform-aws-api-gateway-without-configured-authorizer\> API Gateway without security 
policyterraform-aws-api-gateway-without-security-policy\> API Gateway without SSL certificateterraform-aws-api-gateway-without-ssl-certificate\> API Gateway without WAFterraform-aws-api-gateway-without-waf\> API Gateway X-Ray disabledterraform-aws-api-gateway-xray-disabled\> Athena database not encryptedterraform-aws-athena-database-not-encrypted\> Athena workgroup not encryptedterraform-aws-athena-workgroup-not-encrypted\> Authentication without MFAterraform-aws-authentication-without-mfa\> Auto scaling group with no associated ELBterraform-aws-auto-scaling-group-with-no-associated-elb\> Automatic minor upgrades disabledterraform-aws-automatic-minor-upgrades-disabled\> Autoscaling groups supply tagsterraform-aws-autoscaling-groups-supply-tags\> AWS password policy with unchangeable passwordsterraform-aws-aws-password-policy-with-unchangeable-passwords\> Batch job definition with privileged container propertiesterraform-aws-batch-job-definition-with-privileged-container-properties\> CA certificate identifier is outdatedterraform-aws-ca-certificate-identifier-is-outdated\> CDN configuration is missingterraform-aws-cdn-configuration-is-missing\> Certificate has expiredterraform-aws-certificate-has-expired\> Certificate RSA key bytes lower than 256terraform-aws-certificate-rsa-key-bytes-lower-than-256\> CloudFront logging disabledterraform-aws-cloudfront-logging-disabled\> Cloudfront viewer protocol policy allows HTTPterraform-aws-cloudfront-viewer-protocol-policy-allows-http\> CloudFront without minimum protocol TLS 1.2terraform-aws-cloudfront-without-minimum-protocol-tls-1-2\> CloudFront without WAFterraform-aws-cloudfront-without-waf\> CloudTrail log file validation disabledterraform-aws-cloudtrail-log-file-validation-disabled\> CloudTrail log files not encrypted with KMSterraform-aws-cloudtrail-log-files-not-encrypted-with-kms\> CloudTrail log files S3 bucket is publicly accessibleterraform-aws-cloudtrail-log-files-s3-bucket-is-publicly-accessible\> CloudTrail log 
files S3 bucket with logging disabledterraform-aws-cloudtrail-log-files-s3-bucket-with-logging-disabled\> CloudTrail logging disabledterraform-aws-cloudtrail-logging-disabled\> CloudTrail multi region disabledterraform-aws-cloudtrail-multi-region-disabled\> CloudTrail not integrated with CloudWatchterraform-aws-cloudtrail-not-integrated-with-cloudwatch\> CloudTrail SNS topic name undefinedterraform-aws-cloudtrail-sns-topic-name-undefined\> CloudWatch AWS Config configuration changes alarm missingterraform-aws-cloudwatch-aws-config-configuration-changes-alarm-missing\> CloudWatch changes to NACL alarm missingterraform-aws-cloudwatch-changes-to-nacl-alarm-missing\> Cloudwatch CloudTrail configuration changes alarm missingterraform-aws-cloudwatch-cloudtrail-configuration-changes-alarm-missing\> CloudWatch console sign-in without MFA alarm missingterraform-aws-cloudwatch-management-console-sign-in-without-mfa-alarm-missing\> CloudWatch disabling or scheduled deletion of customer created CMK alarm missingterraform-aws-cloudwatch-disabling-or-scheduled-deletion-of-customer-created-cmk-alarm-missing\> CloudWatch IAM policy changes alarm missingterraform-aws-cloudwatch-iam-policy-changes-alarm-missing\> CloudWatch log group without KMSterraform-aws-cloudwatch-log-group-not-encrypted\> CloudWatch logging disabledterraform-aws-cloudwatch-logging-disabled\> CloudWatch logs destination with vulnerable policyterraform-aws-cloudwatch-logs-destination-with-vulnerable-policy\> CloudWatch management console auth failed alarm missingterraform-aws-cloudwatch-management-console-auth-failed-alarm-missing\> CloudWatch metrics disabledterraform-aws-cloudwatch-metrics-disabled\> CloudWatch network gateways changes alarm missingterraform-aws-cloudwatch-network-gateways-changes-alarm-missing\> CloudWatch root account use missingterraform-aws-cloudwatch-root-account-use-alarm-missing\> CloudWatch route table changes alarm missingterraform-aws-cloudwatch-route-table-changes-alarm-missing\> 
CloudWatch S3 policy change alarm missingterraform-aws-cloudwatch-s3-policy-change-alarm-missing\> Cloudwatch security group changes alarm missingterraform-aws-cloudwatch-security-group-changes-alarm-missing\> CloudWatch unauthorized access alarm missingterraform-aws-cloudwatch-unauthorized-access-defined-alarm-missing\> CloudWatch VPC changes alarm missingterraform-aws-cloudwatch-vpc-changes-alarm-missing\> CloudWatch without retention period specifiedterraform-aws-cloudwatch-without-retention-period-specified\> CMK is unusableterraform-aws-cmk-is-unusable\> CMK rotation disabledterraform-aws-cmk-rotation-disabled\> CodeBuild project encrypted with AWS managed keyterraform-aws-codebuild-project-encrypted-with-aws-managed-key\> Cognito user pool without MFAterraform-aws-cognito-userpool-without-mfa\> Config rule for encrypted volumes disabledterraform-aws-config-rule-for-encrypted-volumes-is-disabled\> Configuration aggregator to all regions disabledterraform-aws-config-configuration-aggregator-to-all-regions-disabled\> Cross-account IAM assume role policy without external id or MFAterraform-aws-cross-account-iam-assume-role-policy-without-external-id-or-mfa\> DAX cluster not encryptedterraform-aws-dax-cluster-not-encrypted\> DB instance storage not encryptedterraform-aws-db-instance-storage-not-encrypted\> DB security group has public interfaceterraform-aws-db-security-group-has-public-interface\> DB security group open to large scopeterraform-aws-db-security-group-open-to-large-scope\> DB security group with public scopeterraform-aws-db-security-group-with-public-scope\> DB snapshot is publicterraform-aws-db-snapshot-public\> Default security groups with unrestricted trafficterraform-aws-default-security-groups-with-unrestricted-traffic\> Default VPC existsterraform-aws-default-vpc-exists\> DMS endpoints without SSLterraform-aws-dms-endpoint-no-ssl-configured\> DocumentDB cluster encrypted with AWS managed 
keyterraform-aws-docdb-cluster-encrypted-with-aws-managed-key\> DocumentDB cluster not encryptedterraform-aws-docdb-cluster-not-encrypted\> DocumentDB cluster without KMSterraform-aws-docdb-cluster-without-kms\> DocumentDB logging is disabledterraform-aws-docdb-logging-disabled\> DynamoDB table not encryptedterraform-aws-dynamodb-table-not-encrypted\> DynamoDB table Point-in-Time Recovery disabledterraform-aws-dynamodb-table-point-in-time-recovery-disabled\> Dynamodb VPC endpoint without route table associationterraform-aws-dynamodb-vpc-endpoint-without-route-table-association\> EBS default encryption disabledterraform-aws-ebs-default-encryption-disabled\> EBS volume encryption disabledterraform-aws-ebs-volume-encryption-disabled\> EBS volume snapshot not encryptedterraform-aws-ebs-volume-snapshot-not-encrypted\> EC2 instance has public IPterraform-aws-ec2-instance-has-public-ip\> EC2 instance monitoring disabledterraform-aws-ec2-instance-monitoring-disabled\> EC2 instance using API keysterraform-aws-ec2-instance-using-api-keys\> EC2 instance using default security groupterraform-aws-ec2-instance-using-default-security-group\> EC2 instance using default VPCterraform-aws-ec2-instance-using-default-vpc\> EC2 not EBS optimizedterraform-aws-ec2-not-ebs-optimized\> ECR image tag not immutableterraform-aws-ecr-image-tag-not-immutable\> ECR repository is publicly accessibleterraform-aws-ecr-repository-is-publicly-accessible\> ECR repository not encrypted with CMKterraform-aws-ecr-repository-not-encrypted\> ECR repository without policyterraform-aws-ecr-repository-without-policy\> ECS cluster with container insights disabledterraform-aws-ecs-cluster-container-insights-disabled\> ECS service admin role is presentterraform-aws-ecs-service-admin-role-is-present\> ECS service without running tasksterraform-aws-ecs-service-without-running-tasks\> ECS task definition network mode not recommendedterraform-aws-ecs-task-definition-network-mode-not-recommended\> ECS task definition 
volume not encryptedterraform-aws-ecs-task-definition-volume-not-encrypted\> EFS not encryptedterraform-aws-efs-not-encrypted\> EFS with vulnerable policyterraform-aws-efs-with-vulnerable-policy\> EFS without KMSterraform-aws-efs-without-kms\> EKS cluster encryption disabledterraform-aws-eks-cluster-encryption-disabled\> EKS cluster has public accessterraform-aws-eks-cluster-has-public-access\> EKS cluster has public access CIDRsterraform-aws-eks-cluster-has-public-access-cidrs\> EKS cluster logging is not enabledterraform-aws-eks-cluster-log-disabled\> EKS node group remote access disabledterraform-aws-eks-node-group-remote-access-disabled\> ElastiCache nodes not created across multi AZterraform-aws-elasticache-nodes-not-created-across-multi-az\> ElastiCache Redis cluster without backupterraform-aws-elasticache-redis-cluster-without-backup\> ElastiCache replication group not encrypted at restterraform-aws-elasticache-replication-group-not-encrypted-at-rest\> ElastiCache replication group not encrypted at transitterraform-aws-elasticache-replication-group-not-encrypted-at-transit\> ElastiCache using default portterraform-aws-elasticache-using-default-port\> ElastiCache without VPCterraform-aws-elasticache-without-vpc\> Elasticsearch domain not encrypted node to nodeterraform-aws-elasticsearch-domain-not-encrypted-node-to-node\> Elasticsearch domain with vulnerable policyterraform-aws-elasticsearch-domain-with-vulnerable-policy\> Elasticsearch encryption with KMS disabledterraform-aws-elasticsearch-encryption-with-kms-is-disabled\> Elasticsearch log disabledterraform-aws-elasticsearch-logs-disabled\> Elasticsearch not encrypted at restterraform-aws-elasticsearch-not-encrypted-at-rest\> Elasticsearch uses default security groupterraform-aws-elasticsearch-using-default-security-group\> Elasticsearch with HTTPS disabledterraform-aws-elasticsearch-with-https-disabled\> Elasticsearch without IAM authenticationterraform-aws-elasticsearch-without-iam-authentication\> 
Elasticsearch without slow logsterraform-aws-elasticsearch-without-slow-logs\> ELB access log disabledterraform-aws-elb-access-logging-disabled\> ELB using insecure protocolsterraform-aws-elb-using-insecure-protocols\> ELB using weak ciphersterraform-aws-elb-using-weak-ciphers\> EMR without VPCterraform-aws-emr-without-vpc\> Fine-grained access control disabled for OpenSearch/Elasticsearchterraform-aws-elasticsearch-no-finegrain-access-control\> Global Accelerator flow logs disabledterraform-aws-global-accelerator-flow-logs-disabled\> Glue Data Catalog encryption disabledterraform-aws-glue-data-catalog-encryption-disabled\> Glue security configuration encryption disabledterraform-aws-glue-security-configuration-encryption-disabled\> Glue with vulnerable policyterraform-aws-glue-with-vulnerable-policy\> Group with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole'terraform-aws-group-with-privilege-escalation-by-actions-iam-passrole-and-cloudformation-createstack\> Group with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole'terraform-aws-group-with-privilege-escalation-by-actions-iam-passrole-and-ec2-runinstances\> Group with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole'terraform-aws-group-with-privilege-escalation-by-actions-iam-passrole-and-glue-createdevendpoint\> Group with privilege escalation by actions 'glue:UpdateDevEndpoint'terraform-aws-group-with-privilege-escalation-by-actions-glue-updatedevendpoint\> Group with privilege escalation by actions 'iam:AddUserToGroup'terraform-aws-group-with-privilege-escalation-by-actions-iam-addusertogroup\> Group with privilege escalation by actions 'iam:AttachGroupPolicy'terraform-aws-group-with-privilege-escalation-by-actions-iam-attachgrouppolicy\> Group with privilege escalation by actions 'iam:AttachRolePolicy'terraform-aws-group-with-privilege-escalation-by-actions-iam-attachrolepolicy\> Group with privilege escalation by actions 
'iam:AttachUserPolicy'terraform-aws-group-with-privilege-escalation-by-actions-iam-attachuserpolicy\> Group with privilege escalation by actions 'iam:CreateAccessKey'terraform-aws-group-with-privilege-escalation-by-actions-iam-createaccesskey\> Group with privilege escalation by actions 'iam:CreateLoginProfile'terraform-aws-group-with-privilege-escalation-by-actions-iam-createloginprofile\> Group with privilege escalation by actions 'iam:CreatePolicyVersion'terraform-aws-group-with-privilege-escalation-by-actions-iam-createpolicyversion\> Group with privilege escalation by actions 'iam:PutGroupPolicy'terraform-aws-group-with-privilege-escalation-by-actions-iam-putgrouppolicy\> Group with privilege escalation by actions 'iam:PutRolePolicy'terraform-aws-group-with-privilege-escalation-by-actions-iam-putrolepolicy\> Group with privilege escalation by actions 'iam:PutUserPolicy'terraform-aws-group-with-privilege-escalation-by-actions-iam-putuserpolicy\> Group with privilege escalation by actions 'iam:SetDefaultPolicyVersion'terraform-aws-group-with-privilege-escalation-by-actions-iam-setdefaultpolicyversion\> Group with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole'terraform-aws-group-with-privilege-escalation-by-actions-iam-updateassumerolepolicy-and-sts-assumerole\> Group with privilege escalation by actions 'iam:UpdateLoginProfile'terraform-aws-group-with-privilege-escalation-by-actions-iam-updateloginprofile\> Group with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction'terraform-aws-group-with-privilege-escalation-by-actions-iam-passrole-and-lambda-createfunction-and-lambda-invokefunction\> Group with privilege escalation by actions 'lambda:UpdateFunctionCode'terraform-aws-group-with-privilege-escalation-by-actions-lambda-updatefunctioncode\> GuardDuty detector disabledterraform-aws-guardduty-detector-disabled\> HTTP port open to internetterraform-aws-http-port-open\> IAM access 
key is exposedterraform-aws-iam-access-key-is-exposed\> IAM database auth not enabledterraform-aws-iam-database-auth-not-enabled\> IAM group without usersterraform-aws-iam-group-without-users\> IAM password policy does not require lowercase letterterraform-aws-iam-password-does-not-require-lowercase\> IAM password policy does not require numbersterraform-aws-iam-password-does-not-require-number\> IAM password policy does not require symbolterraform-aws-iam-password-does-not-require-symbol\> IAM password policy does not require uppercase letterterraform-aws-iam-password-does-not-require-uppercase\> IAM password without minimum lengthterraform-aws-iam-password-without-minimum-length\> IAM policies attached to userterraform-aws-iam-policies-attached-to-user\> IAM policies with full privilegesterraform-aws-iam-policies-with-full-privileges\> IAM policy grants 'AssumeRole' permission across all servicesterraform-aws-iam-policy-grants-assumerole-permission-across-all-services\> IAM policy grants full permissionsterraform-aws-iam-policy-grants-full-permissions\> IAM role allows all principals to assumeterraform-aws-iam-role-allows-all-principals-to-assume\> IAM role policy passrole allows allterraform-aws-iam-role-policy-passrole-allows-all\> IAM role with full privilegesterraform-aws-iam-role-with-full-privileges\> IAM user has too many access keysterraform-aws-iam-user-too-many-access-keys\> IAM user policy without MFAterraform-aws-iam-user-policy-without-mfa\> IAM user with access to consoleterraform-aws-iam-user-with-access-to-console\> IMDSv1 enabledterraform-aws-imdsv1-is-enabled\> Instance with no VPCterraform-aws-instance-with-no-vpc\> Kinesis not encrypted with KMSterraform-aws-kinesis-not-encrypted-with-kms\> Kinesis SSE not configuredterraform-aws-kinesis-sse-not-configured\> KMS key with no deletion windowterraform-aws-kms-key-with-no-deletion-window\> KMS key with vulnerable policyterraform-aws-kms-key-with-full-permissions\> Lambda function publicly 
accessibleterraform-aws-lambda-function-publicly-accessible\> Lambda function with privileged roleterraform-aws-lambda-function-with-privileged-role\> Lambda functions without X-Ray tracingterraform-aws-lambda-functions-without-x-ray-tracing\> Lambda IAM InvokeFunction misconfiguredterraform-aws-lambda-iam-invokefunction-misconfigured\> Lambda permission misconfiguredterraform-aws-lambda-permission-misconfigured\> Lambda permission principal is wildcardterraform-aws-lambda-permission-principal-is-wildcard\> Lambda with vulnerable policyterraform-aws-lambda-with-vulnerable-policy\> Launch configuration is not encryptedterraform-aws-launch-configuration-is-not-encrypted\> Misconfigured password policy expirationterraform-aws-misconfigured-password-policy-expiration\> Missing CloudWatch alarm for AWS Organizations changesterraform-aws-cloudwatch-aws-organizations-changes-missing-alarm\> Missing cluster log typesterraform-aws-missing-cluster-log-types\> MQ broker is publicly accessibleterraform-aws-mq-broker-is-publicly-accessible\> MQ broker logging disabledterraform-aws-mq-broker-logging-disabled\> MSK broker is publicly accessibleterraform-aws-msk-broker-is-publicly-accessible\> MSK cluster encryption disabledterraform-aws-msk-cluster-encryption-disabled\> MSK cluster logging disabledterraform-aws-msk-cluster-logging-disabled\> Neptune cluster instance is publicly accessibleterraform-aws-neptune-cluster-instance-is-publicly-accessible\> Neptune cluster snapshot not encryptedterraform-aws-neptune-snapshots-not-encrypted\> Neptune cluster with IAM database authentication disabledterraform-aws-neptune-cluster-with-iam-database-authentication-disabled\> Neptune database cluster encryption disabledterraform-aws-neptune-database-cluster-encryption-disabled\> Neptune logging is disabledterraform-aws-neptune-logging-disabled\> Network ACL with unrestricted access to RDPterraform-aws-network-acl-with-unrestricted-access-to-rdp\> Network ACL with unrestricted access to 
SSHterraform-aws-network-acl-with-unrestricted-access-to-ssh\> No password policy enabledterraform-aws-no-password-policy-enabled\> No stack policyterraform-aws-no-stack-policy\> Password without reuse preventionterraform-aws-password-without-reuse-prevention\> Policy without principalterraform-aws-policy-without-principal\> Public and private EC2 share roleterraform-aws-public-and-private-ec2-share-role\> Public Lambda via API Gatewayterraform-aws-public-lambda-via-api-gateway\> RDS associated with public subnetterraform-aws-rds-associated-with-public-subnet\> RDS cluster with backup disabledterraform-aws-rds-cluster-with-backup-disabled\> RDS database cluster not encryptedterraform-aws-rds-database-cluster-not-encrypted\> RDS DB instance publicly accessibleterraform-aws-rds-db-instance-publicly-accessible\> RDS storage not encryptedterraform-aws-rds-storage-not-encrypted\> RDS using default portterraform-aws-rds-using-default-port\> RDS with backup disabledterraform-aws-rds-with-backup-disabled\> RDS without loggingterraform-aws-rds-without-logging\> Redis disabledterraform-aws-redis-disabled\> Redis not compliantterraform-aws-redis-not-compliant\> Redshift cluster logging disabledterraform-aws-redshift-cluster-logging-disabled\> Redshift cluster without VPCterraform-aws-redshift-cluster-without-vpc\> Redshift not encryptedterraform-aws-redshift-not-encrypted\> Redshift publicly accessibleterraform-aws-redshift-publicly-accessible\> Redshift using default portterraform-aws-redshift-using-default-port\> Remote Desktop port open to internetterraform-aws-remote-desktop-port-open-to-internet\> Resource not using tagsterraform-aws-resource-not-using-tags\> REST API with vulnerable policyterraform-aws-rest-api-with-vulnerable-policy\> Role with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole'terraform-aws-role-with-privilege-escalation-by-actions-iam-passrole-and-cloudformation-createstack\> Role with privilege escalation by actions 
'ec2:RunInstances' and 'iam:PassRole'terraform-aws-role-with-privilege-escalation-by-actions-iam-passrole-and-ec2-runinstances\> Role with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole'terraform-aws-role-with-privilege-escalation-by-actions-iam-passrole-and-glue-createdevendpoint\> Role with privilege escalation by actions 'glue:UpdateDevEndpoint'terraform-aws-role-with-privilege-escalation-by-actions-glue-updatedevendpoint\> Role with privilege escalation by actions 'iam:AddUserToGroup'terraform-aws-role-with-privilege-escalation-by-actions-iam-addusertogroup\> Role with privilege escalation by actions 'iam:AttachGroupPolicy'terraform-aws-role-with-privilege-escalation-by-actions-iam-attachgrouppolicy\> Role with privilege escalation by actions 'iam:AttachRolePolicy'terraform-aws-role-with-privilege-escalation-by-actions-iam-attachrolepolicy\> Role with privilege escalation by actions 'iam:AttachUserPolicy'terraform-aws-role-with-privilege-escalation-by-actions-iam-attachuserpolicy\> Role with privilege escalation by actions 'iam:CreateAccessKey'terraform-aws-role-with-privilege-escalation-by-actions-iam-createaccesskey\> Role with privilege escalation by actions 'iam:CreateLoginProfile'terraform-aws-role-with-privilege-escalation-by-actions-iam-createloginprofile\> Role with privilege escalation by actions 'iam:CreatePolicyVersion'terraform-aws-role-with-privilege-escalation-by-actions-iam-createpolicyversion\> Role with privilege escalation by actions 'iam:PutGroupPolicy'terraform-aws-role-with-privilege-escalation-by-actions-iam-putgrouppolicy\> Role with privilege escalation by actions 'iam:PutRolePolicy'terraform-aws-role-with-privilege-escalation-by-actions-iam-putrolepolicy\> Role with privilege escalation by actions 'iam:PutUserPolicy'terraform-aws-role-with-privilege-escalation-by-actions-iam-putuserpolicy\> Role with privilege escalation by actions 
'iam:SetDefaultPolicyVersion' (`terraform-aws-role-with-privilege-escalation-by-actions-iam-setdefaultpolicyversion`)
- Role with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' (`terraform-aws-role-with-privilege-escalation-by-actions-iam-updateassumerolepolicy-and-sts-assumerole`)
- Role with privilege escalation by actions 'iam:UpdateLoginProfile' (`terraform-aws-role-with-privilege-escalation-by-actions-iam-updateloginprofile`)
- Role with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' (`terraform-aws-role-with-privilege-escalation-by-actions-iam-passrole-and-lambda-createfunction-lambda-invokefunction`)
- Role with privilege escalation by actions 'lambda:UpdateFunctionCode' (`terraform-aws-role-with-privilege-escalation-by-actions-lambda-updatefunctioncode`)
- Root account has active access keys (`terraform-aws-root-account-has-active-access-keys`)
- Route53 record undefined (`terraform-aws-route53-record-undefined`)
- S3 bucket access to any principal (`terraform-aws-s3-bucket-access-to-any-principal`)
- S3 bucket ACL allows read or write to all users (`terraform-aws-s3-bucket-acl-allows-read-or-write-to-all-users`)
- S3 bucket ACL allows read to any authenticated user (`terraform-aws-s3-bucket-acl-allows-read-to-any-authenticated-user`)
- S3 bucket ACL grants WRITE_ACP permission (`terraform-aws-s3-bucket-acl-grants-write-acp-permission`)
- S3 bucket allows authenticated users access (`terraform-aws-s3-bucket-allows-access-to-all-authenticated-users`)
- S3 bucket allows delete action from all principals (`terraform-aws-s3-bucket-allows-delete-action-from-all-principals`)
- S3 bucket allows get action from all principals (`terraform-aws-s3-bucket-allows-get-action-from-all-principals`)
- S3 bucket allows list action from all principals (`terraform-aws-s3-bucket-allows-list-action-from-all-principals`)
- S3 bucket allows public ACL (`terraform-aws-s3-bucket-allows-public-acl`)
- S3 bucket allows public policy (`terraform-aws-s3-bucket-with-public-policy`)
- S3 bucket allows put action from all principals (`terraform-aws-s3-bucket-allows-put-action-from-all-principals`)
- S3 bucket logging disabled (`terraform-aws-s3-bucket-logging-disabled`)
- S3 bucket object not encrypted (`terraform-aws-s3-bucket-object-not-encrypted`)
- S3 bucket object-level CloudTrail logging disabled (`terraform-aws-s3-bucket-object-level-cloudtrail-logging-disabled`)
- S3 bucket policy accepts HTTP requests (`terraform-aws-s3-bucket-policy-accepts-http-requests`)
- S3 bucket public ACL overridden by public access block (`terraform-aws-s3-bucket-public-acl-overridden-by-public-access-block`)
- S3 bucket with all permissions (`terraform-aws-s3-bucket-with-all-permissions`)
- S3 bucket with unsecured CORS rule (`terraform-aws-s3-bucket-with-unsecured-cors-rule`)
- S3 bucket without enabled MFA delete (`terraform-aws-s3-bucket-without-enabled-mfa-delete`)
- S3 bucket without ignore public ACL (`terraform-aws-s3-bucket-without-ignore-public-acl`)
- S3 bucket without restriction of public bucket (`terraform-aws-s3-bucket-without-restriction-of-public-bucket`)
- S3 bucket without versioning (`terraform-aws-s3-bucket-without-versioning`)
- S3 static website host enabled (`terraform-aws-s3-static-website-host-enabled`)
- SageMaker endpoint configuration encryption disabled (`terraform-aws-sagemaker-endpoint-configuration-encryption-disabled`)
- SageMaker notebook instance without KMS (`terraform-aws-sagemaker-notebook-instance-without-kms`)
- SageMaker notebook internet access enabled (`terraform-aws-sagemaker-direct-internet-access-enabled`)
- Secrets Manager secret encrypted with AWS-managed key (`terraform-aws-secretsmanager-secret-encrypted-with-aws-managed-key`)
- Secrets Manager secret without KMS (`terraform-aws-secretsmanager-secret-without-kms`)
- Secrets Manager with vulnerable policy (`terraform-aws-secrets-manager-with-vulnerable-policy`)
- Secure ciphers disabled (`terraform-aws-secure-ciphers-disabled`)
- Security group not used (`terraform-aws-security-groups-not-used`)
- Security group rule without description (`terraform-aws-security-group-rules-without-description`)
- Security group rule without description (`terraform-aws-security-group-without-description`)
- Security group with unrestricted access to SSH (`terraform-aws-security-group-with-unrestricted-access-to-ssh`)
- Sensitive port is exposed to entire network (`terraform-aws-sensitive-port-is-exposed-to-entire-network`)
- Sensitive port is exposed to small public network (`terraform-aws-sensitive-port-is-exposed-to-small-public-network`)
- Sensitive port is exposed to wide private network (`terraform-aws-sensitive-port-is-exposed-to-wide-private-network`)
- Service control policies disabled (`terraform-aws-service-control-policies-disabled`)
- SES policy with allowed IAM actions (`terraform-aws-ses-policy-with-allowed-iam-actions`)
- Shield Advanced not in use (`terraform-aws-shield-advanced-not-in-use`)
- SNS topic encrypted with AWS managed key (`terraform-aws-sns-topic-encrypted-with-aws-managed-key`)
- SNS topic is publicly accessible (`terraform-aws-sns-topic-is-publicly-accessible`)
- SNS topic not encrypted (`terraform-aws-sns-topic-not-encrypted`)
- SNS topic publicity has allow and NotAction simultaneously (`terraform-aws-sns-topic-publicity-has-allow-and-not-action-simultaneously`)
- SQL analysis services port 2383 (TCP) is publicly accessible (`terraform-aws-sql-analysis-services-port-2383-is-publicly-accessible`)
- SQS policy allows all actions (`terraform-aws-sqs-policy-allows-all-actions`)
- SQS policy with public access (`terraform-aws-sqs-policy-with-public-access`)
- SQS queue exposed (`terraform-aws-sqs-queue-exposed`)
- SQS VPC endpoint without DNS resolution (`terraform-aws-sqs-vpc-endpoint-without-dns-resolution`)
- SQS with SSE disabled (`terraform-aws-sqs-with-sse-disabled`)
- SSM session transit encryption disabled (`terraform-aws-ssm-session-transit-encryption-disabled`)
- SSO identity user unsafe creation (`terraform-aws-sso-identity-user-unsafe-creation`)
- SSO permission with inadequate user session duration (`terraform-aws-sso-permission-with-inadequate-user-session-duration`)
- SSO policy with full privileges (`terraform-aws-sso-policy-with-full-privileges`)
- Stack notifications disabled (`terraform-aws-stack-notifications-disabled`)
- Stack retention disabled (`terraform-aws-stack-retention-disabled`)
- Stack without template (`terraform-aws-stack-without-template`)
- Team tag missing on AWS resource (`terraform-aws-team-tag-not-present`)
- Unknown port exposed to internet (`terraform-aws-unknown-port-exposed-to-internet`)
- Unrestricted security group ingress (`terraform-aws-unrestricted-security-group-ingress`)
- Unscanned ECR image (`terraform-aws-unscanned-ecr-image`)
- User data contains encoded private key (`terraform-aws-user-data-contains-encoded-private-key`)
- User with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' (`terraform-aws-user-with-privilege-escalation-by-actions-iam-passrole-and-cloudformation-createstack`)
- User with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' (`terraform-aws-user-with-privilege-escalation-by-actions-iam-passrole-and-ec2-runinstances`)
- User with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' (`terraform-aws-user-with-privilege-escalation-by-actions-iam-passrole-and-glue-createdevendpoint`)
- User with privilege escalation by actions 'glue:UpdateDevEndpoint' (`terraform-aws-user-with-privilege-escalation-by-actions-glue-updatedevendpoint`)
- User with privilege escalation by actions 'iam:AddUserToGroup' (`terraform-aws-user-with-privilege-escalation-by-actions-iam-addusertogroup`)
- User with privilege escalation by actions 'iam:AttachGroupPolicy' (`terraform-aws-user-with-privilege-escalation-by-actions-iam-attachgrouppolicy`)
- User with privilege escalation by actions 'iam:AttachRolePolicy' (`terraform-aws-user-with-privilege-escalation-by-actions-iam-attachrolepolicy`)
- User with privilege escalation by actions 'iam:AttachUserPolicy' (`terraform-aws-user-with-privilege-escalation-by-actions-iam-attachuserpolicy`)
- User with privilege escalation by actions 'iam:CreateAccessKey' (`terraform-aws-user-with-privilege-escalation-by-actions-iam-createaccesskey`)
- User with privilege escalation by actions 'iam:CreateLoginProfile' (`terraform-aws-user-with-privilege-escalation-by-actions-iam-createloginprofile`)
- User with privilege escalation by actions 'iam:CreatePolicyVersion' (`terraform-aws-user-with-privilege-escalation-by-actions-iam-createpolicyversion`)
- User with privilege escalation by actions 'iam:PutGroupPolicy' (`terraform-aws-user-with-privilege-escalation-by-actions-iam-putgrouppolicy`)
- User with privilege escalation by actions 'iam:PutRolePolicy' (`terraform-aws-user-with-privilege-escalation-by-actions-iam-putrolepolicy`)
- User with privilege escalation by actions 'iam:PutUserPolicy' (`terraform-aws-user-with-privilege-escalation-by-actions-iam-putuserpolicy`)
- User with privilege escalation by actions 'iam:SetDefaultPolicyVersion' (`terraform-aws-user-with-privilege-escalation-by-actions-iam-setdefaultpolicyversion`)
- User with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' (`terraform-aws-user-with-privilege-escalation-by-actions-iam-updateassumerolepolicy-and-sts-assumerole`)
- User with privilege escalation by actions 'iam:UpdateLoginProfile' (`terraform-aws-user-with-privilege-escalation-by-actions-iam-updateloginprofile`)
- User with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' (`terraform-aws-user-with-privilege-escalation-by-actions-iam-passrole-and-lambda-createfunction-and-lambda-invokefunction`)
- User with privilege escalation by actions 'lambda:UpdateFunctionCode' (`terraform-aws-user-with-privilege-escalation-by-actions-lambda-updatefunctioncode`)
- VPC default security group accepts all traffic (`terraform-aws-vpc-default-security-group-accepts-all-traffic`)
- VPC Flow Logs disabled (`terraform-aws-vpc-flowlogs-disabled`)
- VPC peering route table with unrestricted CIDR (`terraform-aws-vpc-peering-route-table-with-unrestricted-cidr`)
- VPC subnet assigns public IP (`terraform-aws-vpc-subnet-assigns-public-ip`)
- VPC without Network Firewall (`terraform-aws-vpc-without-network-firewall`)
- Vulnerable default SSL certificate (`terraform-aws-vulnerable-default-ssl-certificate`)
- Workspaces workspace volume not encrypted (`terraform-aws-workspaces-workspace-volume-not-encrypted`)
- AD admin not configured for SQL server (`terraform-azure-ad-admin-not-configured-for-sql-server`)
- Admin user enabled for container registry (`terraform-azure-admin-user-enabled-for-container-registry`)
- AKS disk encryption set ID undefined (`terraform-azure-aks-disk-encryption-set-id-undefined`)
- AKS network policy misconfigured (`terraform-azure-aks-network-policy-misconfigured`)
- AKS private cluster disabled (`terraform-azure-aks-private-cluster-disabled`)
- AKS RBAC disabled (`terraform-azure-aks-rbac-disabled`)
- App Service authentication disabled (`terraform-azure-app-service-authentication-disabled`)
- App Service FTPS enforce disabled (`terraform-azure-app-service-ftps-enforce-disabled`)
- App Service HTTP2 disabled (`terraform-azure-app-service-http2-disabled`)
- App Service managed identity disabled (`terraform-azure-app-service-managed-identity-disabled`)
- App Service not using latest TLS encryption version (`terraform-azure-app-service-not-using-latest-tls-encryption-version`)
- App Service without latest PHP version (`terraform-azure-app-service-without-latest-php-version`)
- App Service without latest Python version (`terraform-azure-app-service-without-latest-python-version`)
- Azure Active Directory authentication (`terraform-azure-azure-active-directory-authentication`)
- Azure App Service client certificate disabled (`terraform-azure-azure-app-service-client-certificate-disabled`)
- Azure Cognitive Search public network access enabled (`terraform-azure-azure-cognitive-search-public-network-access-enabled`)
- Azure Container Registry with no locks (`terraform-azure-azure-container-registry-with-no-locks`)
- Azure Front Door WAF disabled (`terraform-azure-azure-front-door-waf-disabled`)
- Azure instance using basic authentication (`terraform-azure-azure-instance-using-basic-authentication`)
- Azure Policy Add-on Disabled in AKS Cluster (`terraform-azure-aks-uses-azure-policies-addon-disabled`)
- Cosmos DB account without tags (`terraform-azure-cosmos-db-account-without-tags`)
- CosmosDB account IP range filter not set (`terraform-azure-cosmosdb-account-ip-range-filter-not-set`)
- Dashboard is enabled (`terraform-azure-dashboard-is-enabled`)
- Default Azure storage account network access is too permissive (`terraform-azure-default-azure-storage-account-network-access-is-too-permissive`)
- Email alerts disabled (`terraform-azure-email-alerts-disabled`)
- Encryption on managed disk disabled (`terraform-azure-encryption-on-managed-disk-disabled`)
- Ensure Azure MariaDB server is using latest TLS (1.2) (`terraform-azure-mariadb-not-using-latest-tls`)
- Ensure MySQL is using the latest version of TLS encryption (`terraform-azure-mysql-not-using-latest-tls`)
- Ensure that Azure cloud resource has a team tag (`terraform-azure-team-tag-not-present`)
- Ensure that PostgreSQL server disables public network access (`terraform-azure-postgres-sql-server-enables-public-access`)
- Ensure that UDP services are restricted from the Internet (`terraform-azure-udp-services-not-restricted-from-internet`)
- Ensure web app is not remotely debuggable (`terraform-azure-remote-debugging-enabled-app-service`)
- Firewall rule allows too many hosts to access Redis Cache (`terraform-azure-firewall-rule-allows-too-many-hosts-to-access-redis-cache`)
- Function App authentication disabled (`terraform-azure-function-app-authentication-disabled`)
- Function App client certificates not required (`terraform-azure-function-app-client-certificates-unrequired`)
- Function App FTPS enforce disabled (`terraform-azure-function-app-ftps-enforce-disabled`)
- Function App HTTP2 disabled (`terraform-azure-function-app-http2-disabled`)
- Function App managed identity disabled (`terraform-azure-function-app-managed-identity-disabled`)
- Function App not using latest TLS encryption version (`terraform-azure-function-app-not-using-latest-tls-encryption-version`)
- Geo redundancy is disabled (`terraform-azure-geo-redundancy-is-disabled`)
- Key expiration not set (`terraform-azure-key-expiration-not-set`)
- Key Vault secrets content type undefined (`terraform-azure-key-vault-secrets-content-type-undefined`)
- Log retention is not set (`terraform-azure-log-retention-is-not-set`)
- MariaDB server geo-redundant backup disabled (`terraform-azure-mariadb-server-georedundant-backup-disabled`)
- MariaDB server public network access enabled (`terraform-azure-mariadb-public-network-access-enabled`)
- MSSQL server auditing disabled (`terraform-azure-mssql-server-auditing-disabled`)
- MSSQL server public network access enabled (`terraform-azure-mssql-server-public-network-access-enabled`)
- MySQL server public access enabled (`terraform-azure-mysql-server-public-access-enabled`)
- MySQL SSL connection disabled (`terraform-azure-mysql-ssl-connection-disabled`)
- Network interfaces IP forwarding enabled (`terraform-azure-network-interfaces-ip-forwarding-enabled`)
- Network interfaces with public IP (`terraform-azure-network-interfaces-with-public-ip`)
- Network watcher flow disabled (`terraform-azure-network-watcher-flow-disabled`)
- PostgreSQL log checkpoints disabled (`terraform-azure-postgresql-log-checkpoints-disabled`)
- PostgreSQL log connections not set (`terraform-azure-postgresql-log-connections-not-set`)
- PostgreSQL log disconnections not set (`terraform-azure-postgresql-log-disconnections-not-set`)
- PostgreSQL log duration not set (`terraform-azure-postgresql-log-duration-not-set`)
- PostgreSQL server infrastructure encryption disabled (`terraform-azure-postgresql-server-infrastructure-encryption-disabled`)
- PostgreSQL Server threat detection policy disabled (`terraform-azure-postgresql-server-threat-detection-policy-disabled`)
- PostgreSQL server without connection throttling (`terraform-azure-postgresql-server-without-connection-throttling`)
- Public storage account (`terraform-azure-public-storage-account`)
- RDP is exposed to the internet (`terraform-azure-rdp-is-exposed-to-the-internet`)
- Redis cache allows non SSL connections (`terraform-azure-redis-cache-allows-non-ssl-connections`)
- Redis entirely accessible (`terraform-azure-redis-entirely-accessible`)
- Redis not updated regularly (`terraform-azure-redis-not-updated-regularly`)
- Redis publicly accessible (`terraform-azure-redis-publicly-accessible`)
- Role assignment not limit guest user permissions (`terraform-azure-role-assignment-not-limit-guest-users-permissions`)
- Role definition allows custom role creation (`terraform-azure-role-definition-allows-custom-role-creation`)
- Secret expiration not set (`terraform-azure-secret-expiration-not-set`)
- Security center pricing tier is not standard (`terraform-azure-security-center-pricing-tier-is-not-standard`)
- Security contact email (`terraform-azure-security-contact-email`)
- Security group is not configured (`terraform-azure-security-group-is-not-configured`)
- Sensitive port is exposed to entire network (`terraform-azure-sensitive-port-is-exposed-to-entire-network`)
- Sensitive port is exposed to small public network (`terraform-azure-sensitive-port-is-exposed-to-small-public-network`)
- Sensitive port is exposed to wide private network (`terraform-azure-sensitive-port-is-exposed-to-wide-private-network`)
- Small activity log retention period (`terraform-azure-small-activity-log-retention-period`)
- Small flow logs retention period (`terraform-azure-small-flow-logs-retention-period`)
- Small MSSQL audit retention period (`terraform-azure-small-mssql-audit-retention-period`)
- Small MSSQL server audit retention (`terraform-azure-small-msql-server-audit-retention`)
- Small PostgreSQL DB server log retention period (`terraform-azure-small-postgresql-db-server-log-retention-period`)
- SQL database audit disabled (`terraform-azure-sql-database-audit-disabled`)
- SQL server alert email disabled (`terraform-azure-sql-server-alert-email-disabled`)
- SQL server auditing disabled (`terraform-azure-sql-server-auditing-disabled`)
- SQL server predictable Active Directory admin account name (`terraform-azure-sql-server-predictable-active-directory-admin-account-name`)
- SQL server predictable admin account name (`terraform-azure-sql-server-predictable-admin-account-name`)
- Sqlserver ingress from any IP (`terraform-azure-sql-server-ingress-from-any-ip`)
- SSH is exposed to the Internet (`terraform-azure-ssh-is-exposed-to-the-internet`)
- SSL enforce disabled (`terraform-azure-ssl-enforce-is-disabled`)
- ssl_enforcement_enabled is not set to ENABLED for MySQL database server (`terraform-azure-mysql-enforce-ssl-connection-disabled`)
- ssl_enforcement_enabled is not set to ENABLED for PostgreSQL database server (`terraform-azure-postgres-enforce-ssl-connection-disabled`)
- Storage account not forcing HTTPS (`terraform-azure-storage-account-not-forcing-https`)
- Storage account not using latest TLS encryption version (`terraform-azure-storage-account-not-using-latest-tls-encryption-version`)
- Storage container is publicly accessible (`terraform-azure-storage-container-is-publicly-accessible`)
- Storage share file allows all ACL permissions (`terraform-azure-storage-share-file-allows-all-acl-permissions`)
- Storage table allows all ACL permissions (`terraform-azure-storage-table-allows-all-acl-permissions`)
- Trusted Microsoft services not enabled (`terraform-azure-trusted-microsoft-services-not-enabled`)
- Unrestricted SQL server access (`terraform-azure-unrestricted-sql-server-access`)
- Vault auditing disabled (`terraform-azure-vault-auditing-disabled`)
- Virtual network with DDoS protection plan disabled (`terraform-azure-virtual-network-with-ddos-protection-plan-disabled`)
- VM not attached to network (`terraform-azure-vm-not-attached-to-network`)
- WAF is disabled for Azure application gateway (`terraform-azure-waf-is-disabled-for-azure-application-gateway`)
- Web app accepting traffic other than HTTPS (`terraform-azure-web-app-accepting-traffic-other-than-https`)
- Check Databricks cluster AWS attribute best practices (`terraform-databricks-cluster-aws-attributes`)
- Check Databricks cluster Azure attribute best practices (`terraform-databricks-cluster-azure-attributes`)
- Check Databricks cluster GCP attribute best practices (`terraform-databricks-cluster-gcp-attributes`)
- Databricks autoscale configuration incomplete (`terraform-databricks-autoscale-badly-setup`)
- Databricks cluster or job with no or insecure permissions (`terraform-databricks-databricks-permissions`)
- Databricks cluster uses non-LTS Spark version (`terraform-databricks-use-lts-spark-version`)
- Databricks group without user or instance profile (`terraform-databricks-group-without-user-or-instance-profile`)
- Indefinitely Databricks OBO token lifetime (`terraform-databricks-indefinitely-obo-token`)
- Indefinitely Databricks token lifetime (`terraform-databricks-indefinitely-token`)
- Job's task is legacy (spark_submit_task) (`terraform-databricks-use-spark-submit-task`)
- Unrestricted Databricks ACL (`terraform-databricks-unrestricted-acl`)
- Artifact Registry repo is public (`terraform-gcp-artifact-registry-repository-is-public`)
- BigQuery dataset is public (`terraform-gcp-bigquery-dataset-is-public`)
- BigQuery table is public (`terraform-gcp-bigquery-table-is-public`)
- Cloud DNS without DNSSEC (`terraform-gcp-cloud-dns-without-dnssec`)
- Cloud KMS key ring is anonymously or publicly accessible (`terraform-gcp-cloud-kms-key-rings-are-public`)
- Cloud Run service is public (`terraform-gcp-cloud-run-service-is-public`)
- Cloud Storage bucket is publicly accessible (`terraform-gcp-cloud-storage-bucket-is-publicly-accessible`)
- Cloud Storage bucket logging not enabled (`terraform-gcp-cloud-storage-bucket-logging-not-enabled`)
- Cloud Storage bucket versioning disabled (`terraform-gcp-cloud-storage-bucket-versioning-disabled`)
- Cloud Storage is anonymous or publicly accessible (`terraform-gcp-cloud-storage-anonymous-or-publicly-accessible`)
- Cluster labels disabled (`terraform-gcp-cluster-labels-disabled`)
- Container Registry repo is public (`terraform-gcp-container-registry-repository-is-public`)
- COS node image not used (`terraform-gcp-cos-node-image-not-used`)
- Dataproc clusters has public IPs (`terraform-gcp-dataproc-cluster-has-public-ip`)
- Dataproc clusters publicly accessible (`terraform-gcp-dataproc-clusters-is-public`)
- Disk encryption disabled (`terraform-gcp-disk-encryption-disabled`)
- DNSSEC using RSASHA1 (`terraform-gcp-dnssec-using-rsasha1`)
- Ensure legacy networks do not exist for a project (`terraform-gcp-legacy-networks-exist-for-project`)
- Ensure SQL database instance has skip show database flag (`terraform-gcp-sql-database-instance-does-not-have-skip-show-database`)
- GKE control plane is public (`terraform-gcp-gke-control-plane-is-public`)
- GKE legacy authorization enabled (`terraform-gcp-gke-legacy-authorization-enabled`)
- GKE using default service account (`terraform-gcp-gke-using-default-service-account`)
- Google Compute firewall ingress allows unrestricted FTP access (`terraform-gcp-firewall-ingress-allows-unrestricted-ftp-access`)
- Google Compute firewall ingress allows unrestricted MySQL access (`terraform-gcp-firewall-ingress-allows-unrestricted-mysql-access`)
- Google Compute network using default firewall rule (`terraform-gcp-google-compute-network-using-default-firewall-rule`)
- Google Compute network using firewall rule that allows all ports (`terraform-gcp-google-compute-network-using-firewall-rule-allows-all-ports`)
- Google Compute network using firewall rule that allows port range (`terraform-gcp-google-compute-network-using-firewall-rule-allows-port-range`)
- Google Compute SSL policy weak cipher in use (`terraform-gcp-google-compute-ssl-policy-weak-cipher-in-use`)
- Google Compute subnetwork logging disabled (`terraform-gcp-google-compute-subnetwork-logging-disabled`)
- Google Compute subnetwork with private Google access disabled (`terraform-gcp-google-compute-subnetwork-with-private-google-access-disabled`)
- Google Container node pool auto repair disabled (`terraform-gcp-google-container-node-pool-auto-repair-disabled`)
- Google project auto create network disabled (`terraform-gcp-google-project-auto-create-network-disabled`)
- Google project IAM binding service account has token creator or account user role (`terraform-gcp-google-project-iam-binding-service-account-has-token-creator-or-account-user-role`)
- Google project IAM member service account has admin role (`terraform-gcp-google-project-iam-member-service-account-has-admin-role`)
- Google project IAM member service account has token creator or account user role (`terraform-gcp-google-project-iam-member-service-account-has-token-creator-or-account-user-role`)
- Google Storage bucket level access disabled (`terraform-gcp-google-storage-bucket-level-access-disabled`)
- High Google KMS crypto key rotation period (`terraform-gcp-high-google-kms-crypto-key-rotation-period`)
- IAM audit not properly configured (`terraform-gcp-iam-audit-not-properly-configured`)
- IP aliasing disabled (`terraform-gcp-ip-aliasing-disabled`)
- IP forwarding enabled (`terraform-gcp-ip-forwarding-enabled`)
- KMS admin and CryptoKey roles in use (`terraform-gcp-kms-admin-and-crypto-key-roles-in-use`)
- KMS CryptoKey is publicly accessible (`terraform-gcp-kms-crypto-key-publicly-accessible`)
- Legacy client certificate auth enabled (`terraform-gcp-legacy-client-certificate-auth-enabled`)
- Network policy disabled (`terraform-gcp-network-policy-disabled`)
- Node auto upgrade disabled (`terraform-gcp-node-auto-upgrade-disabled`)
- Not proper email account in use (`terraform-gcp-not-proper-email-account-in-use`)
- OSLogin disabled (`terraform-gcp-os-login-disabled`)
- OSLogin is disabled for VM instance (`terraform-gcp-os-login-is-disabled-for-vm-instance`)
- Outdated GKE version (`terraform-gcp-outdated-gke-version`)
- Pod security policy disabled (`terraform-gcp-pod-security-policy-disabled`)
- Private cluster disabled (`terraform-gcp-private-cluster-disabled`)
- Project-wide SSH keys are enabled in VM instances (`terraform-gcp-project-wide-ssh-keys-are-enabled-in-vm-instances`)
- Pub/Sub Topics are anonymously or publicly accessible (`terraform-gcp-pubsub-topic-is-public`)
- RDP access is not restricted (`terraform-gcp-rdp-access-is-not-restricted`)
- Serial ports are enabled for VM instances (`terraform-gcp-vm-serial-ports-are-enabled-for-vm-instances`)
- Service account with improper privileges (`terraform-gcp-service-account-with-improper-privileges`)
- Shielded GKE nodes disabled (`terraform-gcp-shielded-gke-nodes-disabled`)
- Shielded VM disabled (`terraform-gcp-shielded-vm-disabled`)
- SQL DB instance backup disabled (`terraform-gcp-sql-db-instance-backup-disabled`)
- SQL DB instance publicly accessible (`terraform-gcp-sql-db-instance-is-publicly-accessible`)
- SQL DB instance with SSL disabled (`terraform-gcp-sql-db-instance-with-ssl-disabled`)
- SQL Server cross DB ownership chaining enabled (`terraform-gcp-sql-database-has-cross-db-ownership-chaining`)
- SSH access is not restricted (`terraform-gcp-ssh-access-is-not-restricted`)
- Stackdriver Logging disabled (`terraform-gcp-stackdriver-logging-disabled`)
- Stackdriver Monitoring disabled (`terraform-gcp-stackdriver-monitoring-disabled`)
- Team label missing on GCP resource (`terraform-gcp-team-label-not-present`)
- There are non GCP-managed service account keys for a service account (`terraform-gcp-service-has-non-gcp-managed-service-account-keys`)
- User with IAM role (`terraform-gcp-user-with-iam-role`)
- Using default service account (`terraform-gcp-using-default-service-account`)
- VM with full cloud access (`terraform-gcp-vm-with-full-cloud-access`)
- Github organization webhook with SSL disabled (`terraform-github-organization-webhook-with-ssl-disabled`)
- GitHub repository set to public (`terraform-github-repository-set-to-public`)
- Cluster admin rolebinding with superuser permissions (`terraform-kubernetes-cluster-admin-role-binding-with-super-user-permissions`)
- Cluster allows unsafe sysctls (`terraform-kubernetes-cluster-allows-unsafe-sysctls`)
- Container host PID is true (`terraform-kubernetes-container-host-pid-is-true`)
- Container is privileged (`terraform-kubernetes-container-is-privileged`)
- Container resources limits undefined (`terraform-kubernetes-container-resources-limits-undefined`)
- Container runs unmasked (`terraform-kubernetes-container-runs-unmasked`)
- Containers with added capabilities (`terraform-kubernetes-container-with-added-capabilities`)
- Containers with sys admin capabilities (`terraform-kubernetes-containers-with-sys-admin-capabilities`)
- CPU limits not set (`terraform-kubernetes-cpu-limits-not-set`)
- CPU requests not set (`terraform-kubernetes-cpu-requests-not-set`)
- CronJob deadline not configured (`terraform-kubernetes-cronjob-deadline-not-configured`)
- Default service account in use (`terraform-kubernetes-default-service-account-in-use`)
- Deployment has no podAntiAffinity (`terraform-kubernetes-deployment-has-no-pod-anti-affinity`)
- Deployment without PodDisruptionBudget (`terraform-kubernetes-deployment-without-pod-disruption-budget`)
- Docker daemon socket is exposed to containers (`terraform-kubernetes-docker-daemon-socket-is-exposed-to-containers`)
- HPA targets invalid object (`terraform-kubernetes-hpa-targets-invalid-object`)
- Image pull policy of the container is not set to always (`terraform-kubernetes-image-pull-policy-of-container-is-not-always`)
- Image without digest (`terraform-kubernetes-image-without-digest`)
- Incorrect volume claim access mode ReadWriteOnce (`terraform-kubernetes-incorrect-volume-claim-access-mode-read-write-once`)
- Ingress controller exposes workload (`terraform-kubernetes-ingress-controller-exposes-workload`)
- Invalid image (`terraform-kubernetes-invalid-image`)
- Liveness probe is not defined (`terraform-kubernetes-liveness-probe-is-not-defined`)
- Memory limits not defined (`terraform-kubernetes-memory-limits-not-defined`)
- Memory requests not defined (`terraform-kubernetes-memory-requests-not-defined`)
- Metadata label is invalid (`terraform-kubernetes-metadata-label-is-invalid`)
- Missing AppArmor config (`terraform-kubernetes-missing-app-armor-config`)
- NET_RAW capabilities disabled for PSP (`terraform-kubernetes-net-raw-capabilities-disabled-for-psp`)
- NET_RAW capabilities not being dropped (`terraform-kubernetes-net-raw-capabilities-not-being-dropped`)
- Network policy is not targeting any pod (`terraform-kubernetes-network-policy-is-not-targeting-any-pod`)
- No drop capabilities for containers (`terraform-kubernetes-no-drop-capabilities-for-containers`)
- Non kube system pod with host mount (`terraform-kubernetes-non-kube-system-pod-with-host-mount`)
- Permissive access to create pods (`terraform-kubernetes-permissive-access-to-create-pods`)
- Pod or container without security context (`terraform-kubernetes-pod-or-container-without-security-context`)
- Privilege escalation allowed (`terraform-kubernetes-privilege-escalation-allowed`)
- PSP allows containers to share the host network namespace (`terraform-kubernetes-psp-allows-containers-to-share-the-host-network-namespace`)
- PSP allows privilege escalation (`terraform-kubernetes-psp-allows-privilege-escalation`)
- PSP allows sharing host IPC (`terraform-kubernetes-psp-allows-sharing-host-ipc`)
- PSP set to privileged (`terraform-kubernetes-psp-set-to-privileged`)
- PSP with added capabilities (`terraform-kubernetes-psp-with-added-capabilities`)
- RBAC roles with read secrets permissions (`terraform-kubernetes-rbac-roles-with-read-secrets-permissions`)
- Readiness probe is not configured (`terraform-kubernetes-readiness-probe-is-not-configured`)
- Role binding to default service account (`terraform-kubernetes-role-binding-to-default-service-account`)
- Root container not mounted as read-only (`terraform-kubernetes-root-container-not-mounted-as-read-only`)
- Root containers admitted (`terraform-kubernetes-root-containers-admitted`)
- Seccomp profile is not configured (`terraform-kubernetes-seccomp-profile-is-not-configured`)
- Secrets as environment variables (`terraform-kubernetes-secrets-as-environment-variables`)
- Service account allows access secrets (`terraform-kubernetes-service-account-allows-access-secrets`)
- Service account name undefined or empty (`terraform-kubernetes-service-account-name-undefined-or-empty`)
- Service account token automount not disabled (`terraform-kubernetes-service-account-token-automount-not-disabled`)
- Service type is NodePort (`terraform-kubernetes-service-type-is-nodeport`)
- Service with external load balancer (`terraform-kubernetes-service-with-external-load-balancer`)
- Shared host IPC namespace (`terraform-kubernetes-shared-host-ipc-namespace`)
- Shared host network namespace (`terraform-kubernetes-shared-host-network-namespace`)
- Shared service account (`terraform-kubernetes-shared-service-account`)
- StatefulSet requests storage (`terraform-kubernetes-statefulset-requests-storage`)
- StatefulSet without PodDisruptionBudget (`terraform-kubernetes-statefulset-without-pod-disruption-budget`)
- StatefulSet without service name (`terraform-kubernetes-statefulset-without-service-name`)
- Tiller (Helm v2) is deployed (`terraform-kubernetes-tiller-is-deployed`)
- Using default namespace (`terraform-kubernetes-using-default-namespace`)
- Volume mount with OS directory write permissions (`terraform-kubernetes-volume-mount-with-os-directory-write-permissions`)
- Workload host port not specified (`terraform-kubernetes-workload-host-port-not-specified`)
- Workload mounting with sensitive OS directory (`terraform-kubernetes-workload-mounting-with-sensitive-os-directory`)
- NIFCLOUD computing has common private network (`terraform-nifcloud-computing-instance-has-common-private`)
- NIFCLOUD computing has public ingress security group rule (`terraform-nifcloud-computing-instance-has-public-ingress-sgr`)
- NIFCLOUD computing undefined description to security group (`terraform-nifcloud-computing-security-group-description-undefined`)
- NIFCLOUD computing undefined description to security group rule (`terraform-nifcloud-computing-security-group-rule-description-undefined`)
- NIFCLOUD computing undefined security group to instance (`terraform-nifcloud-computing-instance-security-group-undefined`)
- NIFCLOUD DNS has verified record (`terraform-nifcloud-dns-has-verified-record`)
- NIFCLOUD ELB has common private network (`terraform-nifcloud-elb-has-common-private`)
- NIFCLOUD ELB listener using HTTP protocol (`terraform-nifcloud-elb-listener-use-http`)
- NIFCLOUD ELB using HTTP protocol (`terraform-nifcloud-elb-use-http`)
- NIFCLOUD LB listener using HTTP port (`terraform-nifcloud-load-balancer-listener-use-http`)
- NIFCLOUD LB using HTTP port (`terraform-nifcloud-load-balancer-use-http`)
- NIFCLOUD LB using insecure TLS policy ID (`terraform-nifcloud-load-balancer-use-insecure-tls-policy-id`)
- NIFCLOUD LB using insecure TLS policy name (`terraform-nifcloud-load-balancer-use-insecure-tls-policy-name`)
- NIFCLOUD NAS has common private network (`terraform-nifcloud-nas-instance-has-common-private`)
- NIFCLOUD NAS has public ingress NAS security group rule (`terraform-nifcloud-nas-security-group-has-public-ingress-sgr`)
- NIFCLOUD NAS undefined description to NAS security group (`terraform-nifcloud-nas-security-group-description-undefined`)
- NIFCLOUD RDB backup retention period below 7 days (`terraform-nifcloud-db-does-not-have-long-backup-retention`)
- NIFCLOUD RDB has common private network (`terraform-nifcloud-db-instance-has-common-private`)
- NIFCLOUD RDB has public DB access (`terraform-nifcloud-db-has-public-access`)
- NIFCLOUD RDB has public DB ingress security group rule (`terraform-nifcloud-db-security-group-has-public-ingress-sgr`)
- NIFCLOUD RDB undefined description to DB security group (`terraform-nifcloud-db-security-group-description-undefined`)
- NIFCLOUD router has common private network (`terraform-nifcloud-router-has-common-private`)
- NIFCLOUD router undefined security group (`terraform-nifcloud-router-security-group-undefined`)
- NIFCLOUD VPN gateway undefined security group (`terraform-nifcloud-vpn-gateway-security-group-undefined`)
- CDB instance internet service enabled (`terraform-tencentcloud-cdb-instance-internet-service-enabled`)
- CDB instance internet using default intranet port (`terraform-tencentcloud-cdb-instance-using-default-intranet-port`)
- CDB instance without backup policy (`terraform-tencentcloud-cdb-instance-without-backup-policy`)
- CLB instance log setting disabled (`terraform-tencentcloud-clb-instance-log-setting-disabled`)
- CLB listener using insecure protocols (`terraform-tencentcloud-clb-listener-using-insecure-protocols`)
- CVM instance disable monitor service (`terraform-tencentcloud-cvm-instance-disable-monitor-service`)
- CVM instance has public IP (`terraform-tencentcloud-cvm-instance-has-public-ip`)
- CVM instance using default security group (`terraform-tencentcloud-cvm-instance-using-default-security-group`)
- CVM instance using default VPC (`terraform-tencentcloud-cvm-instance-using-default-vpc`)
- CVM instance using user data (`terraform-tencentcloud-cvm-instance-using-user-data`)
- Disk encryption disabled (`terraform-tencentcloud-disk-encryption-disabled`)
- Security group rule set accepts all traffic (`terraform-tencentcloud-security-group-rule-set-accepts-all-traffic`)
- TKE cluster encryption protection disabled (`terraform-tencentcloud-tke-cluster-encryption-protection-disabled`)
- TKE cluster has public access (`terraform-tencentcloud-tke-cluster-has-public-access`)
- TKE cluster log agent is not enabled (`terraform-tencentcloud-tke-cluster-log-disabled`)
 VPC flow logs disabledterraform-tencentcloud-vpc-flow-log-disabled\>ProvidersAll  AWS  Azure  GCP  GitHub 
