| ID | Provider | Service | Description|
|-|-|-|-|
| aws-s3-no-public-access-with-acl | aws | s3 | S3 Bucket has an ACL defined which allows public access. |
| aws-s3-enable-bucket-logging | aws | s3 | S3 Bucket does not have logging enabled. |
| aws-rds-no-classic-resources | aws | rds | AWS Classic resource usage. |
| aws-elbv2-http-not-used | aws | elbv2 | Use of plain HTTP. |
| aws-elbv2-alb-not-public | aws | elbv2 | Load balancer is exposed to the internet. |
| aws-vpc-no-public-ingress-sgr | aws | vpc | An ingress security group rule allows traffic from /0. |
| aws-vpc-no-public-egress-sgr | aws | vpc | An egress security group rule allows traffic to /0. |
| aws-vpc-no-public-ingress-sg | aws | vpc | An inline ingress security group rule allows traffic from /0. |
| aws-vpc-no-public-egress-sg | aws | vpc | An inline egress security group rule allows traffic to /0. |
| aws-vpc-use-secure-tls-policy | aws | vpc | An outdated SSL policy is in use by a load balancer. |
| aws-rds-no-public-db-access | aws | rds | A database resource is marked as publicly accessible. |
| aws-autoscaling-no-public-ip | aws | autoscaling | A resource has a public IP address. |
| aws-ecs-no-plaintext-secrets | aws | ecs | Task definition defines sensitive environment variable(s). |
| aws-autoscaling-enable-at-rest-encryption | aws | autoscaling | Launch configuration with unencrypted block device. |
| aws-sqs-enable-queue-encryption | aws | sqs | Unencrypted SQS queue. |
| aws-sns-enable-topic-encryption | aws | sns | Unencrypted SNS topic. |
| aws-s3-enable-bucket-encryption | aws | s3 | Unencrypted S3 bucket. |
| aws-vpc-add-decription-to-security-group | aws | vpc | Missing description for security group/security group rule. |
| aws-kms-auto-rotate-keys | aws | kms | A KMS key is not configured to auto-rotate. |
| aws-cloudfront-enforce-https | aws | cloudfront | CloudFront distribution allows unencrypted (HTTP) communications. |
| aws-cloudfront-use-secure-tls-policy | aws | cloudfront | CloudFront distribution uses outdated SSL/TLS protocols. |
| aws-msk-enable-in-transit-encryption | aws | msk | A MSK cluster allows unencrypted data in transit. |
| aws-ecr-enable-image-scans | aws | ecr | ECR repository has image scans disabled. |
| aws-kinesis-enable-in-transit-encryption | aws | kinesis | Kinesis stream is unencrypted. |
| aws-api-gateway-use-secure-tls-policy | aws | api-gateway | API Gateway domain name uses outdated SSL/TLS protocols. |
| aws-elastic-service-enable-domain-encryption | aws | elastic-service | Elasticsearch domain isn't encrypted at rest. |
| aws-elastic-search-enable-in-transit-encryption | aws | elastic-search | Elasticsearch domain uses plaintext traffic for node to node communication. |
| aws-elastic-search-enforce-https | aws | elastic-search | Elasticsearch doesn't enforce HTTPS traffic. |
| aws-elastic-search-use-secure-tls-policy | aws | elastic-search | Elasticsearch domain endpoint is using outdated TLS policy. |
| aws-elastic-search-encrypt-replication-group | aws | elastic-search | Unencrypted Elasticache Replication Group. |
| aws-elasticache-enable-in-transit-encryption | aws | elasticache | Elasticache Replication Group uses unencrypted traffic. |
| aws-iam-no-password-reuse | aws | iam | IAM Password policy should prevent password reuse. |
| aws-iam-set-max-password-age | aws | iam | IAM Password policy should have expiry less than or equal to 90 days. |
| aws-iam-set-minimum-password-length | aws | iam | IAM Password policy should have minimum password length of 14 or more characters. |
| aws-iam-require-symbols-in-passwords | aws | iam | IAM Password policy should have requirement for at least one symbol in the password. |
| aws-iam-require-numbers-in-passwords | aws | iam | IAM Password policy should have requirement for at least one number in the password. |
| aws-iam-require-lowercase-in-passwords | aws | iam | IAM Password policy should have requirement for at least one lowercase character. |
| aws-iam-require-uppercase-in-passwords | aws | iam | IAM Password policy should have requirement for at least one uppercase character. |
| aws-misc-no-exposing-plaintext-credentials | aws | misc | AWS provider has access credentials specified. |
| aws-cloudfront-enable-waf | aws | cloudfront | CloudFront distribution does not have a WAF in front. |
| aws-sqs-no-wildcards-in-policy-documents | aws | sqs | AWS SQS policy document has wildcard action statement. |
| aws-efs-enable-at-rest-encryption | aws | efs | EFS Encryption has not been enabled |
| aws-vpc-no-public-ingress | aws | vpc | An ingress Network ACL rule allows specific ports from /0. |
| aws-vpc-no-excessive-port-access | aws | vpc | An ingress Network ACL rule allows ALL ports. |
| aws-rds-encrypt-cluster-storage-data | aws | rds | There is no encryption specified or encryption is disabled on the RDS Cluster. |
| aws-rds-encrypt-instance-storage-data | aws | rds | RDS encryption has not been enabled at a DB Instance level. |
| aws-rds-enable-performance-insights | aws | rds | Encryption for RDS Performance Insights should be enabled. |
| aws-elastic-search-enable-domain-logging | aws | elastic-search | Domain logging should be enabled for Elastic Search domains |
| aws-lambda-restrict-source-arn | aws | lambda | Ensure that lambda function permission has a source arn specified |
| aws-athena-enable-at-rest-encryption | aws | athena | Athena databases and workgroup configurations are created unencrypted at rest by default, they should be encrypted |
| aws-athena-no-encryption-override | aws | athena | Athena workgroups should enforce configuration to prevent client disabling encryption |
| aws-api-gateway-enable-access-logging | aws | api-gateway | API Gateway stages for V1 and V2 should have access logging enabled |
| aws-ec2-no-secrets-in-user-data | aws | ec2 | User data for EC2 instances must not contain sensitive AWS keys |
| aws-cloudtrail-enable-all-regions | aws | cloudtrail | Cloudtrail should be enabled in all regions regardless of where your AWS resources are generally homed |
| aws-cloudtrail-enable-log-validation | aws | cloudtrail | Cloudtrail log validation should be enabled to prevent tampering of log data |
| aws-cloudtrail-enable-at-rest-encryption | aws | cloudtrail | Cloudtrail should be encrypted at rest to secure access to sensitive trail data |
| aws-eks-encrypt-secrets | aws | eks | EKS should have the encryption of secrets enabled |
| aws-eks-enable-control-plane-logging | aws | eks | EKS Clusters should have cluster control plane logging turned on |
| aws-eks-no-public-cluster-access-to-cidr | aws | eks | EKS cluster should not have open CIDR range for public access |
| aws-eks-no-public-cluster-access | aws | eks | EKS Clusters should have the public access disabled |
| aws-elastic-search-enable-logging | aws | elastic-search | AWS ES Domain should have logging enabled |
| aws-cloudfront-enable-logging | aws | cloudfront | Cloudfront distribution should have Access Logging configured |
| aws-s3-ignore-public-acls | aws | s3 | S3 Access Block should Ignore Public Acl |
| aws-s3-block-public-acls | aws | s3 | S3 Access block should block public ACL |
| aws-s3-no-public-buckets | aws | s3 | S3 Access block should restrict public bucket to limit access |
| aws-s3-block-public-policy | aws | s3 | S3 Access block should block public policy |
| aws-s3-enable-versioning | aws | s3 | S3 Data should be versioned |
| aws-ecr-enforce-immutable-repository | aws | ecr | ECR images tags shouldn't be mutable. |
| aws-ec2-enforce-http-token-imds | aws | ec2 | aws_instance should activate session tokens for Instance Metadata Service. |
| aws-codebuild-enable-encryption | aws | codebuild | CodeBuild Project artifacts encryption should not be disabled |
| aws-dynamodb-enable-at-rest-encryption | aws | dynamodb | DAX Cluster should always encrypt data at rest |
| aws-vpc-no-default-vpc | aws | vpc | AWS best practice to not use the default VPC for workflows |
| aws-elb-drop-invalid-headers | aws | elb | Load balancers should drop invalid headers |
| aws-workspace-enable-disk-encryption | aws | workspace | Root and user volumes on Workspaces should be encrypted |
| aws-config-aggregate-all-regions | aws | config | Config configuration aggregator should be using all regions for source |
| aws-dynamodb-enable-recovery | aws | dynamodb | Point in time recovery should be enabled to protect DynamoDB table |
| aws-redshift-non-default-vpc-deployment | aws | redshift | Redshift cluster should be deployed into a specific VPC |
| aws-elasticache-enable-backup-retention | aws | elasticache | Redis cluster should have backup retention turned on |
| aws-cloudwatch-log-group-customer-key | aws | cloudwatch | CloudWatch log groups should be encrypted using CMK |
| aws-ecs-enable-container-insight | aws | ecs | ECS clusters should have container insights enabled |
| aws-rds-backup-retention-specified | aws | rds | RDS Cluster and RDS instance should have backup retention longer than default 1 day |
| aws-dynamodb-table-customer-key | aws | dynamodb | DynamoDB tables should use at rest encryption with a Customer Managed Key |
| aws-ecr-repository-customer-key | aws | ecr | ECR Repository should use customer managed keys to allow more control |
| aws-redshift-encryption-customer-key | aws | redshift | Redshift clusters should use at rest encryption |
| aws-ssm-secret-use-customer-key | aws | ssm | Secrets Manager should use customer managed keys |
| aws-ecs-enable-in-transit-encryption | aws | ecs | ECS Task Definitions with EFS volumes should use in-transit encryption |
| aws-iam-block-kms-policy-wildcard | aws | iam | IAM customer managed policies should not allow decryption actions on all KMS keys |
| aws-s3-specify-public-access-block | aws | s3 | S3 buckets should each define an aws_s3_bucket_public_access_block |
| aws-iam-no-policy-wildcards | aws | iam | IAM policy should avoid use of wildcards and instead apply the principle of least privilege |
| azure-network-no-public-ingress | azure | network | An inbound network security rule allows traffic from /0. |
| azure-network-no-public-egress | azure | network | An outbound network security rule allows traffic to /0. |
| azure-compute-enable-disk-encryption | azure | compute | Unencrypted managed disk. |
| azure-datalake-enable-at-rest-encryption | azure | datalake | Unencrypted data lake storage. |
| azure-compute-ssh-authentication | azure | compute | Password authentication in use instead of SSH keys. |
| azure-container-configured-network-policy | azure | container | Ensure AKS cluster has Network Policy configured |
| azure-container-use-rbac-permissions | azure | container | Ensure RBAC is enabled on AKS clusters |
| azure-container-limit-authorized-ips | azure | container | Ensure AKS has an API Server Authorized IP Ranges enabled |
| azure-container-logging | azure | container | Ensure AKS logging to Azure Monitoring is Configured |
| azure-storage-ensure-https | azure | storage | Ensure HTTPS is enabled on Azure Storage Account |
| azure-storage-no-public-access | azure | storage | Storage containers in blob storage mode should not have public access |
| azure-storage-default-action-deny | azure | storage | The default action on Storage account network rules should be set to deny |
| azure-storage-allow-microsoft-service-bypass | azure | storage | Trusted Microsoft Services should have bypass access to Storage accounts |
| azure-storage-enforce-https | azure | storage | Storage accounts should be configured to only accept transfers that are over secure connections |
| azure-storage-use-secure-tls-policy | azure | storage | The minimum TLS version for Storage Accounts should be TLS1_2 |
| azure-storage-queue-services-logging-enabled | azure | storage | When using Queue Services for a storage account, logging should be enabled. |
| azure-network-ssh-blocked-from-internet | azure | network | SSH access should not be accessible from the Internet, should be blocked on port 22 |
| azure-database-enable-audit | azure | database | Auditing should be enabled on Azure SQL Databases |
| azure-database-retention-period-set | azure | database | Database auditing rentention period should be longer than 90 days |
| azure-keyvault-specify-network-acl | azure | keyvault | Key vault should have the network acl block specified |
| azure-keyvault-no-purge | azure | keyvault | Key vault should have purge protection enabled |
| azure-keyvault-content-type-for-secret | azure | keyvault | Key vault Secret should have a content type set |
| azure-keyvault-ensure-secret-expiry | azure | keyvault | Key Vault Secret should have an expiration date set |
| azure-network-disable-rdp-from-internet | azure | network | RDP access should not be accessible from the Internet, should be blocked on port 3389 |
| azure-datafactory-no-public-access | azure | datafactory | Data Factory should have public access disabled, the default is enabled. |
| azure-keyvault-ensure-key-expiry | azure | keyvault | Ensure that the expiration date is set on all keys |
| azure-synapse-virtual-network-enabled | azure | synapse | Synapse Workspace should have managed virtual network enabled, the default is disabled. |
| azure-appservice-enforce-https | azure | appservice | Ensure the Function App can only be accessed via HTTPS. The default is false. |
| digitalocean-compute-no-public-ingress | digitalocean | compute | The firewall has an inbound rule with open access |
| digitalocean-compute-no-public-egress | digitalocean | compute | The firewall has an outbound rule with open access |
| digitalocean-droplet-use-ssh-keys | digitalocean | droplet | SSH Keys are the preferred way to connect to your droplet, no keys are supplied |
| digitalocean-loadbalancing-enforce-https | digitalocean | loadbalancing | The load balancer forwarding rule is using an insecure protocol as an entrypoint |
| digitalocean-spaces-acl-no-public-read | digitalocean | spaces | Spaces bucket or bucket object has public read acl set |
| digitalocean-spaces-versioning-enabled | digitalocean | spaces | Spaces buckets should have versioning enabled |
| digitalocean-spaces-disable-force-destroy | digitalocean | spaces | Force destroy is enabled on Spaces bucket which is dangerous |
| google-compute-disk-encryption-customer-keys | google | compute | Encrypted compute disk with unmanaged keys. |
| google-compute-no-public-ingres | google | compute | An inbound firewall rule allows traffic from /0. |
| google-compute-no-public-egress | google | compute | An outbound firewall rule allows traffic to /0. |
| google-gke-use-rbac-permissions | google | gke | Legacy ABAC permissions are enabled. |
| google-gke-node-metadata-security | google | gke | Node metadata value disables metadata concealment. |
| google-gke-metadata-endpoints-disabled | google | gke | Legacy metadata endpoints enabled. |
| google-gke-no-legacy-authentication | google | gke | Legacy client authentication methods utilized. |
| google-gke-enforce-pod-security-policy | google | gke | Pod security policy enforcement not defined. |
| google-gke-node-shielding-enabled | google | gke | Shielded GKE nodes not enabled. |
| google-iam-no-user-granted-permissions | google | iam | IAM granted directly to user. |
| google-gke-use-service-account | google | gke | Checks for service account defined for GKE nodes |
| google-compute-disk-encryption-required | google | compute | The encryption key used to encrypt a compute disk has been specified in plaintext. |
| general-secrets-sensitive-in-variable | general | secrets | Potentially sensitive data stored in "default" value of variable. |
| general-secrets-sensitive-in-local | general | secrets | Potentially sensitive data stored in local value. |
| general-secrets-sensitive-in-attribute | general | secrets | Potentially sensitive data stored in block attribute. |
| general-secrets-sensitive-in-attribute-value | general | secrets | The attribute has potentially sensitive data, passwords, tokens or keys in it |
| github-repositories-private | github | repositories | Github repository shouldn't be public. |
| oracle-compute-no-public-ip | oracle | compute | Compute instance requests an IP reservation from a public pool |