| layout | title | nav_order |
|---|---|---|
default |
Resource scans |
1 |
| Id | Type | Entity | Policy | IaC | |
|---|---|---|---|---|---|
| 0 | CKV_AWS_1 | data | aws_iam_policy_document | Ensure IAM policies that allow full "-" administrative privileges are not created | Terraform |
| 1 | CKV_AWS_1 | resource | serverless_aws | Ensure IAM policies that allow full "-" administrative privileges are not created | serverless |
| 2 | CKV_AWS_2 | resource | aws_lb_listener | Ensure ALB protocol is HTTPS | Terraform |
| 3 | CKV_AWS_2 | resource | AWS::ElasticLoadBalancingV2::Listener | Ensure ALB protocol is HTTPS | Cloudformation |
| 4 | CKV_AWS_3 | resource | aws_ebs_volume | Ensure all data stored in the EBS is securely encrypted | Terraform |
| 5 | CKV_AWS_3 | resource | AWS::EC2::Volume | Ensure all data stored in the EBS is securely encrypted | Cloudformation |
| 6 | CKV_AWS_5 | resource | aws_elasticsearch_domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Terraform |
| 7 | CKV_AWS_5 | resource | AWS::Elasticsearch::Domain | Ensure all data stored in the Elasticsearch is securely encrypted at rest | Cloudformation |
| 8 | CKV_AWS_6 | resource | aws_elasticsearch_domain | Ensure all Elasticsearch has node-to-node encryption enabled | Terraform |
| 9 | CKV_AWS_6 | resource | AWS::Elasticsearch::Domain | Ensure all Elasticsearch has node-to-node encryption enabled | Cloudformation |
| 10 | CKV_AWS_7 | resource | aws_kms_key | Ensure rotation for customer created CMKs is enabled | Terraform |
| 11 | CKV_AWS_7 | resource | AWS::KMS::Key | Ensure rotation for customer created CMKs is enabled | Cloudformation |
| 12 | CKV_AWS_8 | resource | aws_instance | Ensure all data stored in the Launch configuration EBS is securely encrypted | Terraform |
| 13 | CKV_AWS_8 | resource | aws_launch_configuration | Ensure all data stored in the Launch configuration EBS is securely encrypted | Terraform |
| 14 | CKV_AWS_8 | resource | AWS::AutoScaling::LaunchConfiguration | Ensure all data stored in the Launch configuration EBS is securely encrypted | Cloudformation |
| 15 | CKV_AWS_9 | resource | aws_iam_account_password_policy | Ensure IAM password policy expires passwords within 90 days or less | Terraform |
| 16 | CKV_AWS_10 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires minimum length of 14 or greater | Terraform |
| 17 | CKV_AWS_11 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires at least one lowercase letter | Terraform |
| 18 | CKV_AWS_12 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires at least one number | Terraform |
| 19 | CKV_AWS_13 | resource | aws_iam_account_password_policy | Ensure IAM password policy prevents password reuse | Terraform |
| 20 | CKV_AWS_14 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires at least one symbol | Terraform |
| 21 | CKV_AWS_15 | resource | aws_iam_account_password_policy | Ensure IAM password policy requires at least one uppercase letter | Terraform |
| 22 | CKV_AWS_16 | resource | aws_db_instance | Ensure all data stored in the RDS is securely encrypted at rest | Terraform |
| 23 | CKV_AWS_16 | resource | AWS::RDS::DBInstance | Ensure all data stored in the RDS is securely encrypted at rest | Cloudformation |
| 24 | CKV_AWS_17 | resource | aws_db_instance | Ensure all data stored in the RDS bucket is not public accessible | Terraform |
| 25 | CKV_AWS_17 | resource | aws_rds_cluster_instance | Ensure all data stored in the RDS bucket is not public accessible | Terraform |
| 26 | CKV_AWS_17 | resource | AWS::RDS::DBInstance | Ensure all data stored in the RDS bucket is not public accessible | Cloudformation |
| 27 | CKV_AWS_18 | resource | aws_s3_bucket | Ensure the S3 bucket has access logging enabled | Terraform |
| 28 | CKV_AWS_18 | resource | AWS::S3::Bucket | Ensure the S3 bucket has access logging enabled | Cloudformation |
| 29 | CKV_AWS_19 | resource | aws_s3_bucket | Ensure all data stored in the S3 bucket is securely encrypted at rest | Terraform |
| 30 | CKV_AWS_19 | resource | AWS::S3::Bucket | Ensure the S3 bucket has server-side-encryption enabled | Cloudformation |
| 31 | CKV_AWS_20 | resource | aws_s3_bucket | S3 Bucket has an ACL defined which allows public READ access. | Terraform |
| 32 | CKV_AWS_20 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow READ permissions to everyone | Cloudformation |
| 33 | CKV_AWS_21 | resource | aws_s3_bucket | Ensure all data stored in the S3 bucket have versioning enabled | Terraform |
| 34 | CKV_AWS_21 | resource | AWS::S3::Bucket | Ensure the S3 bucket has versioning enabled | Cloudformation |
| 35 | CKV_AWS_22 | resource | aws_sagemaker_notebook_instance | Ensure all data stored in the Sagemaker Notebook is securely encrypted at rest | Terraform |
| 36 | CKV_AWS_23 | resource | aws_security_group | Ensure every security groups rule has a description | Terraform |
| 37 | CKV_AWS_23 | resource | aws_security_group_rule | Ensure every security groups rule has a description | Terraform |
| 38 | CKV_AWS_23 | resource | aws_db_security_group | Ensure every security groups rule has a description | Terraform |
| 39 | CKV_AWS_23 | resource | aws_elasticache_security_group | Ensure every security groups rule has a description | Terraform |
| 40 | CKV_AWS_23 | resource | aws_redshift_security_group | Ensure every security groups rule has a description | Terraform |
| 41 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroup | Ensure every security groups rule has a description | Cloudformation |
| 42 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupIngress | Ensure every security groups rule has a description | Cloudformation |
| 43 | CKV_AWS_23 | resource | AWS::EC2::SecurityGroupEgress | Ensure every security groups rule has a description | Cloudformation |
| 44 | CKV_AWS_24 | resource | aws_security_group | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Terraform |
| 45 | CKV_AWS_24 | resource | aws_security_group_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Terraform |
| 46 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation |
| 47 | CKV_AWS_24 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | Cloudformation |
| 48 | CKV_AWS_25 | resource | aws_security_group | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Terraform |
| 49 | CKV_AWS_25 | resource | aws_security_group_rule | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Terraform |
| 50 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroup | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation |
| 51 | CKV_AWS_25 | resource | AWS::EC2::SecurityGroupIngress | Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389 | Cloudformation |
| 52 | CKV_AWS_26 | resource | aws_sns_topic | Ensure all data stored in the SNS topic is encrypted | Terraform |
| 53 | CKV_AWS_26 | resource | AWS::SNS::Topic | Ensure all data stored in the SNS topic is encrypted | Cloudformation |
| 54 | CKV_AWS_27 | resource | aws_sqs_queue | Ensure all data stored in the SQS queue is encrypted | Terraform |
| 55 | CKV_AWS_27 | resource | AWS::SQS::Queue | Ensure all data stored in the SQS queue is encrypted | Cloudformation |
| 56 | CKV_AWS_28 | resource | aws_dynamodb_table | Ensure Dynamodb point in time recovery (backup) is enabled | Terraform |
| 57 | CKV_AWS_28 | resource | AWS::DynamoDB::Table | Ensure Dynamodb point in time recovery (backup) is enabled | Cloudformation |
| 58 | CKV_AWS_29 | resource | aws_elasticache_replication_group | Ensure all data stored in the Elasticache Replication Group is securely encrypted at rest | Terraform |
| 59 | CKV_AWS_29 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at rest | Cloudformation |
| 60 | CKV_AWS_30 | resource | aws_elasticache_replication_group | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit | Terraform |
| 61 | CKV_AWS_30 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit | Cloudformation |
| 62 | CKV_AWS_31 | resource | aws_elasticache_replication_group | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit and has auth token | Terraform |
| 63 | CKV_AWS_31 | resource | AWS::ElastiCache::ReplicationGroup | Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit and has auth token | Cloudformation |
| 64 | CKV_AWS_32 | resource | aws_ecr_repository_policy | Ensure ECR policy is not set to public | Terraform |
| 65 | CKV_AWS_32 | resource | AWS::ECR::Repository | Ensure ECR policy is not set to public | Cloudformation |
| 66 | CKV_AWS_33 | resource | aws_ecr_repository | Ensure ECR image scanning on push is enabled | Terraform |
| 67 | CKV_AWS_33 | resource | AWS::KMS::Key | Ensure KMS key policy does not contain wildcard (*) principal | Cloudformation |
| 68 | CKV_AWS_34 | resource | aws_cloudfront_distribution | Ensure cloudfront distribution ViewerProtocolPolicy is set to HTTPS | Terraform |
| 69 | CKV_AWS_34 | resource | AWS::CloudFront::Distribution | Ensure cloudfront distribution ViewerProtocolPolicy is set to HTTPS | Cloudformation |
| 70 | CKV_AWS_35 | resource | aws_cloudtrail | Ensure CloudTrail logs are encrypted at rest using KMS CMKs | Terraform |
| 71 | CKV_AWS_35 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail logs are encrypted at rest using KMS CMKs | Cloudformation |
| 72 | CKV_AWS_36 | resource | aws_cloudtrail | Ensure CloudTrail log file validation is enabled | Terraform |
| 73 | CKV_AWS_36 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail log file validation is enabled | Cloudformation |
| 74 | CKV_AWS_37 | resource | aws_eks_cluster | Ensure Amazon EKS control plane logging enabled for all log types | Terraform |
| 75 | CKV_AWS_38 | resource | aws_eks_cluster | Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0 | Terraform |
| 76 | CKV_AWS_39 | resource | aws_eks_cluster | Ensure Amazon EKS public endpoint disabled | Terraform |
| 77 | CKV_AWS_40 | resource | aws_iam_user_policy | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Terraform |
| 78 | CKV_AWS_40 | resource | aws_iam_user_policy_attachment | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Terraform |
| 79 | CKV_AWS_40 | resource | aws_iam_policy_attachment | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Terraform |
| 80 | CKV_AWS_40 | resource | AWS::IAM::Policy | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | Cloudformation |
| 81 | CKV_AWS_41 | provider | aws | Ensure no hard coded AWS access key and secret key exists in provider | Terraform |
| 82 | CKV_AWS_41 | resource | serverless_aws | Ensure no hard coded AWS access key and secret key exists in provider | serverless |
| 83 | CKV_AWS_42 | resource | aws_efs_file_system | Ensure EFS is securely encrypted | Terraform |
| 84 | CKV_AWS_42 | resource | AWS::EFS::FileSystem | Ensure EFS is securely encrypted | Cloudformation |
| 85 | CKV_AWS_43 | resource | aws_kinesis_stream | Ensure Kinesis Stream is securely encrypted | Terraform |
| 86 | CKV_AWS_43 | resource | AWS::Kinesis::Stream | Ensure Kinesis Stream is securely encrypted | Cloudformation |
| 87 | CKV_AWS_44 | resource | aws_neptune_cluster | Ensure Neptune storage is securely encrypted | Terraform |
| 88 | CKV_AWS_44 | resource | AWS::Neptune::DBCluster | Ensure Neptune storage is securely encrypted | Cloudformation |
| 89 | CKV_AWS_45 | resource | aws_lambda_function | Ensure no hard-coded secrets exist in lambda environment | Terraform |
| 90 | CKV_AWS_45 | resource | AWS::Lambda::Function | Ensure no hard-coded secrets exist in lambda environment | Cloudformation |
| 91 | CKV_AWS_46 | resource | aws_instance | Ensure no hard-coded secrets exist in EC2 user data | Terraform |
| 92 | CKV_AWS_46 | resource | AWS::EC2::Instance | Ensure no hard-coded secrets exist in EC2 user data | Cloudformation |
| 93 | CKV_AWS_47 | resource | aws_dax_cluster | Ensure DAX is encrypted at rest (default is unencrypted) | Terraform |
| 94 | CKV_AWS_47 | resource | AWS::DAX::Cluster | Ensure DAX is encrypted at rest (default is unencrypted) | Cloudformation |
| 95 | CKV_AWS_48 | resource | aws_mq_broker | Ensure MQ Broker logging is enabled | Terraform |
| 96 | CKV_AWS_49 | data | aws_iam_policy_document | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform |
| 97 | CKV_AWS_49 | resource | serverless_aws | Ensure no IAM policies documents allow "*" as a statement's actions | serverless |
| 98 | CKV_AWS_50 | resource | aws_lambda_function | X-ray tracing is enabled for Lambda | Terraform |
| 99 | CKV_AWS_51 | resource | aws_ecr_repository | Ensure ECR Image Tags are immutable | Terraform |
| 100 | CKV_AWS_51 | resource | AWS::ECR::Repository | Ensure ECR Image Tags are immutable | Cloudformation |
| 101 | CKV_AWS_52 | resource | aws_s3_bucket | Ensure S3 bucket has MFA delete enabled | Terraform |
| 102 | CKV_AWS_53 | resource | aws_s3_bucket_public_access_block | Ensure S3 bucket has block public ACLS enabled | Terraform |
| 103 | CKV_AWS_53 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public ACLS enabled | Cloudformation |
| 104 | CKV_AWS_54 | resource | aws_s3_bucket_public_access_block | Ensure S3 bucket has block public policy enabled | Terraform |
| 105 | CKV_AWS_54 | resource | AWS::S3::Bucket | Ensure S3 bucket has block public policy enabled | Cloudformation |
| 106 | CKV_AWS_55 | resource | aws_s3_bucket_public_access_block | Ensure S3 bucket has ignore public ACLs enabled | Terraform |
| 107 | CKV_AWS_55 | resource | AWS::S3::Bucket | Ensure S3 bucket has ignore public ACLs enabled | Cloudformation |
| 108 | CKV_AWS_56 | resource | aws_s3_bucket_public_access_block | Ensure S3 bucket has 'restrict_public_bucket' enabled | Terraform |
| 109 | CKV_AWS_56 | resource | AWS::S3::Bucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | Cloudformation |
| 110 | CKV_AWS_57 | resource | aws_s3_bucket | S3 Bucket has an ACL defined which allows public WRITE access. | Terraform |
| 111 | CKV_AWS_57 | resource | AWS::S3::Bucket | Ensure the S3 bucket does not allow WRITE permissions to everyone | Cloudformation |
| 112 | CKV_AWS_58 | resource | aws_eks_cluster | Ensure EKS Cluster has Secrets Encryption Enabled | Terraform |
| 113 | CKV_AWS_58 | resource | AWS::EKS::Cluster | Ensure EKS Cluster has Secrets Encryption Enabled | Cloudformation |
| 114 | CKV_AWS_59 | resource | aws_api_gateway_method | Ensure there is no open access to back-end resources through API | Terraform |
| 115 | CKV_AWS_59 | resource | AWS::ApiGateway::Method | Ensure there is no open access to back-end resources through API | Cloudformation |
| 116 | CKV_AWS_60 | resource | aws_iam_role | Ensure IAM role allows only specific services or principals to assume it | Terraform |
| 117 | CKV_AWS_61 | resource | aws_iam_role | Ensure IAM role allows only specific principals in account to assume it | Terraform |
| 118 | CKV_AWS_61 | resource | AWS::IAM::Role | Ensure IAM role allows only specific principals in account to assume it | Cloudformation |
| 119 | CKV_AWS_62 | resource | aws_iam_role_policy | Ensure IAM policies that allow full "-" administrative privileges are not created | Terraform |
| 120 | CKV_AWS_62 | resource | aws_iam_user_policy | Ensure IAM policies that allow full "-" administrative privileges are not created | Terraform |
| 121 | CKV_AWS_62 | resource | aws_iam_group_policy | Ensure IAM policies that allow full "-" administrative privileges are not created | Terraform |
| 122 | CKV_AWS_62 | resource | aws_iam_policy | Ensure IAM policies that allow full "-" administrative privileges are not created | Terraform |
| 123 | CKV_AWS_63 | resource | aws_iam_role_policy | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform |
| 124 | CKV_AWS_63 | resource | aws_iam_user_policy | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform |
| 125 | CKV_AWS_63 | resource | aws_iam_group_policy | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform |
| 126 | CKV_AWS_63 | resource | aws_iam_policy | Ensure no IAM policies documents allow "*" as a statement's actions | Terraform |
| 127 | CKV_AWS_64 | resource | aws_redshift_cluster | Ensure all data stored in the Redshift cluster is securely encrypted at rest | Terraform |
| 128 | CKV_AWS_64 | resource | AWS::Redshift::Cluster | Ensure all data stored in the Redshift cluster is securely encrypted at rest | Cloudformation |
| 129 | CKV_AWS_65 | resource | aws_ecs_cluster | Ensure container insights are enabled on ECS cluster | Terraform |
| 130 | CKV_AWS_65 | resource | AWS::ECS::Cluster | Ensure container insights are enabled on ECS cluster | Cloudformation |
| 131 | CKV_AWS_66 | resource | aws_cloudwatch_log_group | Ensure cloudwatch log groups specify retention days | Terraform |
| 132 | CKV_AWS_66 | resource | AWS::Logs::LogGroup | Ensure cloudwatch log groups specify retention days | Cloudformation |
| 133 | CKV_AWS_67 | resource | aws_cloudtrail | Ensure CloudTrail is enabled in all Regions | Terraform |
| 134 | CKV_AWS_67 | resource | AWS::CloudTrail::Trail | Ensure CloudTrail is enabled in all Regions | Cloudformation |
| 135 | CKV_AWS_68 | resource | aws_cloudfront_distribution | CloudFront Distribution should have WAF enabled | Terraform |
| 136 | CKV_AWS_68 | resource | AWS::CloudFront::Distribution | CloudFront Distribution should have WAF enabled | Cloudformation |
| 137 | CKV_AWS_69 | resource | aws_mq_broker | Ensure MQ Broker is not publicly exposed | Terraform |
| 138 | CKV_AWS_70 | resource | aws_s3_bucket | Ensure S3 bucket does not allow an action with any Principal | Terraform |
| 139 | CKV_AWS_70 | resource | aws_s3_bucket_policy | Ensure S3 bucket does not allow an action with any Principal | Terraform |
| 140 | CKV_AWS_71 | resource | aws_redshift_cluster | Ensure Redshift Cluster logging is enabled | Terraform |
| 141 | CKV_AWS_72 | resource | aws_sqs_queue_policy | Ensure SQS policy does not allow ALL (*) actions. | Terraform |
| 142 | CKV_AWS_73 | resource | aws_api_gateway_stage | Ensure API Gateway has X-Ray Tracing enabled | Terraform |
| 143 | CKV_AWS_73 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has X-Ray Tracing enabled | Cloudformation |
| 144 | CKV_AWS_74 | resource | aws_docdb_cluster | Ensure DocDB is encrypted at rest (default is unencrypted) | Terraform |
| 145 | CKV_AWS_74 | resource | AWS::DocDB::DBCluster | Ensure DocDB is encrypted at rest (default is unencrypted) | Cloudformation |
| 146 | CKV_AWS_75 | resource | aws_globalaccelerator_accelerator | Ensure Global Accelerator accelerator has flow logs enabled | Terraform |
| 147 | CKV_AWS_76 | resource | aws_api_gateway_stage | Ensure API Gateway has Access Logging enabled | Terraform |
| 148 | CKV_AWS_76 | resource | aws_apigatewayv2_stage | Ensure API Gateway has Access Logging enabled | Terraform |
| 149 | CKV_AWS_76 | resource | AWS::ApiGateway::Stage | Ensure API Gateway has Access Logging enabled | Cloudformation |
| 150 | CKV_AWS_77 | resource | aws_athena_database | Ensure Athena Database is encrypted at rest (default is unencrypted) | Terraform |
| 151 | CKV_AWS_78 | resource | aws_codebuild_project | Ensure that CodeBuild Project encryption is not disabled | Terraform |
| 152 | CKV_AWS_78 | resource | AWS::CodeBuild::Project | Ensure that CodeBuild Project encryption is not disabled | Cloudformation |
| 153 | CKV_AWS_79 | resource | aws_instance | Ensure Instance Metadata Service Version 1 is not enabled | Terraform |
| 154 | CKV_AWS_79 | resource | aws_launch_template | Ensure Instance Metadata Service Version 1 is not enabled | Terraform |
| 155 | CKV_AWS_80 | resource | aws_msk_cluster | Ensure MSK Cluster logging is enabled | Terraform |
| 156 | CKV_AWS_81 | resource | aws_msk_cluster | Ensure MSK Cluster encryption in rest and transit is enabled | Terraform |
| 157 | CKV_AWS_82 | resource | aws_athena_workgroup | Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption | Terraform |
| 158 | CKV_AWS_82 | resource | AWS::Athena::WorkGroup | Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption | Cloudformation |
| 159 | CKV_AWS_83 | resource | aws_elasticsearch_domain | Ensure Elasticsearch Domain enforces HTTPS | Terraform |
| 160 | CKV_AWS_84 | resource | aws_elasticsearch_domain | Ensure Elasticsearch Domain Logging is enabled | Terraform |
| 161 | CKV_AWS_85 | resource | aws_docdb_cluster | Ensure DocDB Logging is enabled | Terraform |
| 162 | CKV_AWS_85 | resource | AWS::DocDB::DBCluster | Ensure DocDB Logging is enabled | Cloudformation |
| 163 | CKV_AWS_86 | resource | aws_cloudfront_distribution | Ensure Cloudfront distribution has Access Logging enabled | Terraform |
| 164 | CKV_AWS_86 | resource | AWS::CloudFront::Distribution | Ensure Cloudfront distribution has Access Logging enabled | Cloudformation |
| 165 | CKV_AWS_87 | resource | aws_redshift_cluster | Redshift cluster should not be publicly accessible | Terraform |
| 166 | CKV_AWS_88 | resource | aws_instance | EC2 instance should not have public IP. | Terraform |
| 167 | CKV_AWS_88 | resource | aws_launch_template | EC2 instance should not have public IP. | Terraform |
| 168 | CKV_AWS_88 | resource | AWS::EC2::Instance | EC2 instance should not have public IP. | Cloudformation |
| 169 | CKV_AWS_88 | resource | AWS::EC2::LaunchTemplate | EC2 instance should not have public IP. | Cloudformation |
| 170 | CKV_AWS_89 | resource | aws_dms_replication_instance | DMS replication instance should not be publicly accessible | Terraform |
| 171 | CKV_AWS_89 | resource | AWS::DMS::ReplicationInstance | DMS replication instance should not be publicly accessible | Cloudformation |
| 172 | CKV_AWS_90 | resource | aws_docdb_cluster_parameter_group | Ensure DocDB TLS is not disabled | Terraform |
| 173 | CKV_AWS_90 | resource | AWS::DocDB::DBClusterParameterGroup | Ensure DocDB TLS is not disabled | Cloudformation |
| 174 | CKV_AWS_91 | resource | aws_lb | Ensure the ELBv2 (Application/Network) has access logging enabled | Terraform |
| 175 | CKV_AWS_91 | resource | aws_alb | Ensure the ELBv2 (Application/Network) has access logging enabled | Terraform |
| 176 | CKV_AWS_91 | resource | AWS::ElasticLoadBalancingV2::LoadBalancer | Ensure the ELBv2 (Application/Network) has access logging enabled | Cloudformation |
| 177 | CKV_AWS_92 | resource | aws_elb | Ensure the ELB has access logging enabled | Terraform |
| 178 | CKV_AWS_92 | resource | AWS::ElasticLoadBalancing::LoadBalancer | Ensure the ELB has access logging enabled | Cloudformation |
| 179 | CKV_AWS_93 | resource | aws_s3_bucket | Ensure S3 bucket policy does not lockout all but root user. (Prevent lockouts needing root account fixes) | Terraform |
| 180 | CKV_AWS_93 | resource | aws_s3_bucket_policy | Ensure S3 bucket policy does not lockout all but root user. (Prevent lockouts needing root account fixes) | Terraform |
| 181 | CKV_AWS_94 | resource | aws_glue_data_catalog_encryption_settings | Ensure Glue Data Catalog Encryption is enabled | Terraform |
| 182 | CKV_AWS_95 | resource | AWS::ApiGatewayV2::Stage | Ensure API Gateway V2 has Access Logging enabled | Cloudformation |
| 183 | CKV_AWS_96 | resource | aws_rds_cluster | Ensure all data stored in Aurora is securely encrypted at rest | Terraform |
| 184 | CKV_AWS_96 | resource | AWS::RDS::DBCluster | Ensure all data stored in Aurrora is securely encrypted at rest | Cloudformation |
| 185 | CKV_AWS_97 | resource | aws_ecs_task_definition | Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions | Terraform |
| 186 | CKV_AWS_97 | resource | AWS::ECS::TaskDefinition | Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions | Cloudformation |
| 187 | CKV_AWS_98 | resource | aws_sagemaker_endpoint_configuration | Ensure all data stored in the Sagemaker Endpoint is securely encrypted at rest | Terraform |
| 188 | CKV_AWS_99 | resource | aws_glue_security_configuration | Ensure Glue Security Configuration Encryption is enabled | Terraform |
| 189 | CKV_AWS_100 | resource | aws_eks_node_group | Ensure Amazon EKS Node group has implict SSH access from 0.0.0.0/0 | Terraform |
| 190 | CKV_AWS_100 | resource | AWS::EKS::Nodegroup | Ensure Amazon EKS Node group has implict SSH access from 0.0.0.0/0 | Cloudformation |
| 191 | CKV_AWS_101 | resource | aws_neptune_cluster | Ensure Neptune logging is enabled | Terraform |
| 192 | CKV_AWS_102 | resource | aws_neptune_cluster_instance | Ensure Neptune Cluster instance is not publicly available | Terraform |
| 193 | CKV_AWS_103 | resource | aws_lb_listener | Ensure that load balancer is using TLS 1.2 | Terraform |
| 194 | CKV_AWS_104 | resource | aws_docdb_cluster_parameter_group | Ensure DocDB has audit logs enabled | Terraform |
| 195 | CKV_AZURE_1 | resource | azurerm_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform |
| 196 | CKV_AZURE_1 | resource | azurerm_linux_virtual_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | Terraform |
| 197 | CKV_AZURE_1 | resource | Microsoft.Compute/virtualMachines | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | arm |
| 198 | CKV_AZURE_2 | resource | azurerm_managed_disk | Ensure Azure managed disk have encryption enabled | Terraform |
| 199 | CKV_AZURE_2 | resource | Microsoft.Compute/disks | Ensure Azure managed disk have encryption enabled | arm |
| 200 | CKV_AZURE_3 | resource | azurerm_storage_account | Ensure that 'Secure transfer required' is set to 'Enabled' | Terraform |
| 201 | CKV_AZURE_3 | resource | Microsoft.Storage/storageAccounts | Ensure that 'supportsHttpsTrafficOnly' is set to 'true' | arm |
| 202 | CKV_AZURE_4 | resource | azurerm_kubernetes_cluster | Ensure AKS logging to Azure Monitoring is Configured | Terraform |
| 203 | CKV_AZURE_4 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS logging to Azure Monitoring is Configured | arm |
| 204 | CKV_AZURE_5 | resource | azurerm_kubernetes_cluster | Ensure RBAC is enabled on AKS clusters | Terraform |
| 205 | CKV_AZURE_5 | resource | Microsoft.ContainerService/managedClusters | Ensure RBAC is enabled on AKS clusters | arm |
| 206 | CKV_AZURE_6 | resource | azurerm_kubernetes_cluster | Ensure AKS has an API Server Authorized IP Ranges enabled | Terraform |
| 207 | CKV_AZURE_6 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS has an API Server Authorized IP Ranges enabled | arm |
| 208 | CKV_AZURE_7 | resource | azurerm_kubernetes_cluster | Ensure AKS cluster has Network Policy configured | Terraform |
| 209 | CKV_AZURE_7 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS cluster has Network Policy configured | arm |
| 210 | CKV_AZURE_8 | resource | azurerm_kubernetes_cluster | Ensure Kube Dashboard is disabled | Terraform |
| 211 | CKV_AZURE_8 | resource | Microsoft.ContainerService/managedClusters | Ensure Kubernetes Dashboard is disabled | arm |
| 212 | CKV_AZURE_9 | resource | azurerm_network_security_rule | Ensure that RDP access is restricted from the internet | Terraform |
| 213 | CKV_AZURE_9 | resource | azurerm_network_security_group | Ensure that RDP access is restricted from the internet | Terraform |
| 214 | CKV_AZURE_9 | resource | Microsoft.Network/networkSecurityGroups | Ensure that RDP access is restricted from the internet | arm |
| 215 | CKV_AZURE_9 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that RDP access is restricted from the internet | arm |
| 216 | CKV_AZURE_10 | resource | azurerm_network_security_rule | Ensure that SSH access is restricted from the internet | Terraform |
| 217 | CKV_AZURE_10 | resource | azurerm_network_security_group | Ensure that SSH access is restricted from the internet | Terraform |
| 218 | CKV_AZURE_10 | resource | Microsoft.Network/networkSecurityGroups | Ensure that SSH access is restricted from the internet | arm |
| 219 | CKV_AZURE_10 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that SSH access is restricted from the internet | arm |
| 220 | CKV_AZURE_11 | resource | azurerm_mariadb_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform |
| 221 | CKV_AZURE_11 | resource | azurerm_sql_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform |
| 222 | CKV_AZURE_11 | resource | azurerm_postgresql_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform |
| 223 | CKV_AZURE_11 | resource | azurerm_mysql_firewall_rule | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | Terraform |
| 224 | CKV_AZURE_11 | resource | Microsoft.Sql/servers | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | arm |
| 225 | CKV_AZURE_12 | resource | azurerm_network_watcher_flow_log | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | Terraform |
| 226 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/flowLogs | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | arm |
| 227 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/FlowLogs | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | arm |
| 228 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/flowLogs/ | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | arm |
| 229 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/FlowLogs/ | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | arm |
| 230 | CKV_AZURE_13 | resource | azurerm_app_service | Ensure App Service Authentication is set on Azure App Service | Terraform |
| 231 | CKV_AZURE_13 | resource | Microsoft.Web/sites/config | Ensure App Service Authentication is set on Azure App Service | arm |
| 232 | CKV_AZURE_13 | resource | config | Ensure App Service Authentication is set on Azure App Service | arm |
| 233 | CKV_AZURE_14 | resource | azurerm_app_service | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | Terraform |
| 234 | CKV_AZURE_14 | resource | Microsoft.Web/sites | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | arm |
| 235 | CKV_AZURE_15 | resource | azurerm_app_service | Ensure web app is using the latest version of TLS encryption | Terraform |
| 236 | CKV_AZURE_15 | resource | Microsoft.Web/sites | Ensure web app is using the latest version of TLS encryption | arm |
| 237 | CKV_AZURE_16 | resource | azurerm_app_service | Ensure that Register with Azure Active Directory is enabled on App Service | Terraform |
| 238 | CKV_AZURE_16 | resource | Microsoft.Web/sites | Ensure that Register with Azure Active Directory is enabled on App Service | arm |
| 239 | CKV_AZURE_17 | resource | azurerm_app_service | Ensure the web app has 'Client Certificates (Incoming client certificates)' set | Terraform |
| 240 | CKV_AZURE_17 | resource | Microsoft.Web/sites | Ensure the web app has 'Client Certificates (Incoming client certificates)' set | arm |
| 241 | CKV_AZURE_18 | resource | azurerm_app_service | Ensure that 'HTTP Version' is the latest if used to run the web app | Terraform |
| 242 | CKV_AZURE_18 | resource | Microsoft.Web/sites | Ensure that 'HTTP Version' is the latest if used to run the web app | arm |
| 243 | CKV_AZURE_19 | resource | azurerm_security_center_subscription_pricing | Ensure that standard pricing tier is selected | Terraform |
| 244 | CKV_AZURE_19 | resource | Microsoft.Security/pricings | Ensure that standard pricing tier is selected | arm |
| 245 | CKV_AZURE_20 | resource | azurerm_security_center_contact | Ensure that security contact 'Phone number' is set | Terraform |
| 246 | CKV_AZURE_20 | resource | Microsoft.Security/securityContacts | Ensure that security contact 'Phone number' is set | arm |
| 247 | CKV_AZURE_21 | resource | azurerm_security_center_contact | Ensure that 'Send email notification for high severity alerts' is set to 'On' | Terraform |
| 248 | CKV_AZURE_21 | resource | Microsoft.Security/securityContacts | Ensure that 'Send email notification for high severity alerts' is set to 'On' | arm |
| 249 | CKV_AZURE_22 | resource | azurerm_security_center_contact | Ensure that 'Send email notification for high severity alerts' is set to 'On' | Terraform |
| 250 | CKV_AZURE_22 | resource | Microsoft.Security/securityContacts | Ensure that 'Send email notification for high severity alerts' is set to 'On' | arm |
| 251 | CKV_AZURE_23 | resource | azurerm_sql_server | Ensure that 'Auditing' is set to 'On' for SQL servers | Terraform |
| 252 | CKV_AZURE_23 | resource | azurerm_mssql_server | Ensure that 'Auditing' is set to 'On' for SQL servers | Terraform |
| 253 | CKV_AZURE_23 | resource | Microsoft.Sql/servers | Ensure that 'Auditing' is set to 'Enabled' for SQL servers | arm |
| 254 | CKV_AZURE_24 | resource | azurerm_sql_server | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | Terraform |
| 255 | CKV_AZURE_24 | resource | azurerm_mssql_server | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | Terraform |
| 256 | CKV_AZURE_24 | resource | Microsoft.Sql/servers | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | arm |
| 257 | CKV_AZURE_25 | resource | azurerm_mssql_server_security_alert_policy | Ensure that 'Threat Detection types' is set to 'All' | Terraform |
| 258 | CKV_AZURE_25 | resource | Microsoft.Sql/servers/databases | Ensure that 'Threat Detection types' is set to 'All' | arm |
| 259 | CKV_AZURE_26 | resource | azurerm_mssql_server_security_alert_policy | Ensure that 'Send Alerts To' is enabled for MSSQL servers | Terraform |
| 260 | CKV_AZURE_26 | resource | Microsoft.Sql/servers/databases | Ensure that 'Send Alerts To' is enabled for MSSQL servers | arm |
| 261 | CKV_AZURE_27 | resource | azurerm_mssql_server_security_alert_policy | Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers | Terraform |
| 262 | CKV_AZURE_27 | resource | Microsoft.Sql/servers/databases | Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers | arm |
| 263 | CKV_AZURE_28 | resource | azurerm_mysql_server | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server | Terraform |
| 264 | CKV_AZURE_28 | resource | Microsoft.DBforMySQL/servers | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server | arm |
| 265 | CKV_AZURE_29 | resource | azurerm_postgresql_server | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server | Terraform |
| 266 | CKV_AZURE_29 | resource | Microsoft.DBforPostgreSQL/servers | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server | arm |
| 267 | CKV_AZURE_30 | resource | azurerm_postgresql_configuration | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | Terraform |
| 268 | CKV_AZURE_30 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | arm |
| 269 | CKV_AZURE_30 | resource | configurations | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | arm |
| 270 | CKV_AZURE_31 | resource | azurerm_postgresql_configuration | Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server | Terraform |
| 271 | CKV_AZURE_31 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure configuration 'log_connections' is set to 'ON' for PostgreSQL Database Server | arm |
| 272 | CKV_AZURE_31 | resource | configurations | Ensure configuration 'log_connections' is set to 'ON' for PostgreSQL Database Server | arm |
| 273 | CKV_AZURE_32 | resource | azurerm_postgresql_configuration | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | Terraform |
| 274 | CKV_AZURE_32 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | arm |
| 275 | CKV_AZURE_32 | resource | configurations | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | arm |
| 276 | CKV_AZURE_33 | resource | azurerm_storage_account | Ensure Storage logging is enabled for Queue service for read, write and delete requests | Terraform |
| 277 | CKV_AZURE_33 | resource | Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings | Ensure Storage logging is enabled for Queue service for read, write and delete requests | arm |
| 278 | CKV_AZURE_34 | resource | azurerm_storage_container | Ensure that 'Public access level' is set to Private for blob containers | Terraform |
| 279 | CKV_AZURE_34 | resource | Microsoft.Storage/storageAccounts/blobServices/containers | Ensure that 'Public access level' is set to Private for blob containers | arm |
| 280 | CKV_AZURE_34 | resource | containers | Ensure that 'Public access level' is set to Private for blob containers | arm |
| 281 | CKV_AZURE_34 | resource | blobServices/containers | Ensure that 'Public access level' is set to Private for blob containers | arm |
| 282 | CKV_AZURE_35 | resource | azurerm_storage_account | Ensure default network access rule for Storage Accounts is set to deny | Terraform |
| 283 | CKV_AZURE_35 | resource | azurerm_storage_account_network_rules | Ensure default network access rule for Storage Accounts is set to deny | Terraform |
| 284 | CKV_AZURE_35 | resource | Microsoft.Storage/storageAccounts | Ensure default network access rule for Storage Accounts is set to deny | arm |
| 285 | CKV_AZURE_36 | resource | azurerm_storage_account | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | Terraform |
| 286 | CKV_AZURE_36 | resource | azurerm_storage_account_network_rules | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | Terraform |
| 287 | CKV_AZURE_36 | resource | Microsoft.Storage/storageAccounts | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | arm |
| 288 | CKV_AZURE_37 | resource | azurerm_monitor_log_profile | Ensure that Activity Log Retention is set 365 days or greater | Terraform |
| 289 | CKV_AZURE_37 | resource | microsoft.insights/logprofiles | Ensure that Activity Log Retention is set 365 days or greater | arm |
| 290 | CKV_AZURE_38 | resource | azurerm_monitor_log_profile | Ensure audit profile captures all the activities | Terraform |
| 291 | CKV_AZURE_38 | resource | microsoft.insights/logprofiles | Ensure audit profile captures all the activities | arm |
| 292 | CKV_AZURE_39 | resource | azurerm_role_definition | Ensure that no custom subscription owner roles are created | Terraform |
| 293 | CKV_AZURE_39 | resource | Microsoft.Authorization/roleDefinitions | Ensure that no custom subscription owner roles are created | arm |
| 294 | CKV_AZURE_40 | resource | azurerm_key_vault_key | Ensure that the expiration date is set on all keys | Terraform |
| 295 | CKV_AZURE_41 | resource | azurerm_key_vault_secret | Ensure that the expiration date is set on all secrets | Terraform |
| 296 | CKV_AZURE_41 | resource | Microsoft.KeyVault/vaults/secrets | Ensure that the expiration date is set on all secrets | arm |
| 297 | CKV_AZURE_42 | resource | azurerm_key_vault | Ensure the key vault is recoverable | Terraform |
| 298 | CKV_AZURE_42 | resource | Microsoft.KeyVault/vaults | Ensure the key vault is recoverable | arm |
| 299 | CKV_AZURE_43 | resource | azurerm_storage_account | Ensure the Storage Account naming rules | Terraform |
| 300 | CKV_AZURE_44 | resource | azurerm_storage_account | Ensure Storage Account is using the latest version of TLS encryption | Terraform |
| 301 | CKV_AZURE_45 | resource | azurerm_virtual_machine | Ensure that no sensitive credentials are exposed in VM custom_data | Terraform |
| 302 | CKV_AZURE_46 | resource | azurerm_mssql_database_extended_auditing_policy | Specifies a retention period of less than 90 days. | Terraform |
| 303 | CKV_AZURE_47 | resource | azurerm_mariadb_server | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MariaDB servers | Terraform |
| 304 | CKV_AZURE_48 | resource | azurerm_mariadb_server | Ensure 'public network access enabled' is set to 'False' for MariaDB servers | Terraform |
| 305 | CKV_AZURE_49 | resource | azurerm_linux_virtual_machine_scale_set | Ensure Azure linux scale set does not use basic authentication(Use SSH Key Instead) | Terraform |
| 306 | CKV_AZURE_50 | resource | azurerm_virtual_machine | Ensure Virtual Machine Extensions are not Installed | Terraform |
| 307 | CKV_AZURE_50 | resource | azurerm_linux_virtual_machine | Ensure Virtual Machine Extensions are not Installed | Terraform |
| 308 | CKV_AZURE_51 | resource | azurerm_managed_disk | Ensure Disks are encrypted at rest | Terraform |
| 309 | CKV_AZURE_52 | resource | azurerm_mssql_server | Ensure MSSQL is using the latest version of TLS encryption | Terraform |
| 310 | CKV_AZURE_53 | resource | azurerm_mysql_server | Ensure 'public network access enabled' is set to 'False' for mySQL servers | Terraform |
| 311 | CKV_AZURE_54 | resource | azurerm_mysql_server | Ensure MySQL is using the latest version of TLS encryption | Terraform |
| 312 | CKV_GCP_1 | resource | google_container_cluster | Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters | Terraform |
| 313 | CKV_GCP_2 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted ssh access | Terraform |
| 314 | CKV_GCP_3 | resource | google_compute_firewall | Ensure Google compute firewall ingress does not allow unrestricted rdp access | Terraform |
| 315 | CKV_GCP_4 | resource | google_compute_ssl_policy | Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites | Terraform |
| 316 | CKV_GCP_6 | resource | google_sql_database_instance | Ensure all Cloud SQL database instance requires all incoming connections to use SSL | Terraform |
| 317 | CKV_GCP_7 | resource | google_container_cluster | Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters | Terraform |
| 318 | CKV_GCP_8 | resource | google_container_cluster | Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters | Terraform |
| 319 | CKV_GCP_9 | resource | google_container_node_pool | Ensure 'Automatic node repair' is enabled for Kubernetes Clusters | Terraform |
| 320 | CKV_GCP_10 | resource | google_container_node_pool | Ensure 'Automatic node upgrade' is enabled for Kubernetes Clusters | Terraform |
| 321 | CKV_GCP_11 | resource | google_sql_database_instance | Ensure that Cloud SQL database Instances are not open to the world | Terraform |
| 322 | CKV_GCP_12 | resource | google_container_cluster | Ensure Network Policy is enabled on Kubernetes Engine Clusters | Terraform |
| 323 | CKV_GCP_13 | resource | google_container_cluster | Ensure a client certificate is used by clients to authenticate to Kubernetes Engine Clusters | Terraform |
| 324 | CKV_GCP_14 | resource | google_sql_database_instance | Ensure all Cloud SQL database instance have backup configuration enabled | Terraform |
| 325 | CKV_GCP_15 | resource | google_bigquery_dataset | Ensure that BigQuery datasets are not anonymously or publicly accessible | Terraform |
| 326 | CKV_GCP_16 | resource | google_dns_managed_zone | Ensure that DNSSEC is enabled for Cloud DNS | Terraform |
| 327 | CKV_GCP_17 | resource | google_dns_managed_zone | Ensure that RSASHA1 is not used for the zone-signing and key-signing keys in Cloud DNS DNSSEC | Terraform |
| 328 | CKV_GCP_18 | resource | google_container_cluster | Ensure GKE Control Plane is not public | Terraform |
| 329 | CKV_GCP_19 | resource | google_container_cluster | Ensure GKE basic auth is disabled | Terraform |
| 330 | CKV_GCP_20 | resource | google_container_cluster | Ensure master authorized networks is set to enabled in GKE clusters | Terraform |
| 331 | CKV_GCP_21 | resource | google_container_cluster | Ensure Kubernetes Clusters are configured with Labels | Terraform |
| 332 | CKV_GCP_22 | resource | google_container_node_pool | Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image | Terraform |
| 333 | CKV_GCP_23 | resource | google_container_cluster | Ensure Kubernetes Cluster is created with Alias IP ranges enabled | Terraform |
| 334 | CKV_GCP_24 | resource | google_container_cluster | Ensure PodSecurityPolicy controller is enabled on the Kubernetes Engine Clusters | Terraform |
| 335 | CKV_GCP_25 | resource | google_container_cluster | Ensure Kubernetes Cluster is created with Private cluster enabled | Terraform |
| 336 | CKV_GCP_26 | resource | google_compute_subnetwork | Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network | Terraform |
| 337 | CKV_GCP_27 | resource | google_project | Ensure that the default network does not exist in a project | Terraform |
| 338 | CKV_GCP_28 | resource | google_storage_bucket_iam_member | Ensure that Cloud Storage bucket is not anonymously or publicly accessible | Terraform |
| 339 | CKV_GCP_28 | resource | google_storage_bucket_iam_binding | Ensure that Cloud Storage bucket is not anonymously or publicly accessible | Terraform |
| 340 | CKV_GCP_29 | resource | google_storage_bucket | Ensure that Cloud Storage buckets have uniform bucket-level access enabled | Terraform |
| 341 | CKV_GCP_30 | resource | google_compute_instance | Ensure that instances are not configured to use the default service account | Terraform |
| 342 | CKV_GCP_31 | resource | google_compute_instance | Ensure that instances are not configured to use the default service account with full access to all Cloud APIs | Terraform |
| 343 | CKV_GCP_32 | resource | google_compute_instance | Ensure 'Block Project-wide SSH keys' is enabled for VM instances | Terraform |
| 344 | CKV_GCP_33 | resource | google_compute_project_metadata | Ensure oslogin is enabled for a Project | Terraform |
| 345 | CKV_GCP_34 | resource | google_compute_instance | Ensure that no instance in the project overrides the project setting for enabling OSLogin(OSLogin needs to be enabled in project metadata for all instances) | Terraform |
| 346 | CKV_GCP_35 | resource | google_compute_instance | Ensure 'Enable connecting to serial ports' is not enabled for VM Instance | Terraform |
| 347 | CKV_GCP_36 | resource | google_compute_instance | Ensure that IP forwarding is not enabled on Instances | Terraform |
| 348 | CKV_GCP_37 | resource | google_compute_disk | Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform |
| 349 | CKV_GCP_38 | resource | google_compute_instance | Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK) | Terraform |
| 350 | CKV_GCP_39 | resource | google_compute_instance | Ensure Compute instances are launched with Shielded VM enabled | Terraform |
| 351 | CKV_GCP_40 | resource | google_compute_instance | Ensure that Compute instances do not have public IP addresses | Terraform |
| 352 | CKV_GCP_41 | resource | google_project_iam_binding | Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level | Terraform |
| 353 | CKV_GCP_41 | resource | google_project_iam_member | Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level | Terraform |
| 354 | CKV_GCP_42 | resource | google_project_iam_member | Ensure that Service Account has no Admin privileges | Terraform |
| 355 | CKV_GCP_43 | resource | google_kms_crypto_key | Ensure KMS encryption keys are rotated within a period of 90 days | Terraform |
| 356 | CKV_GCP_44 | resource | google_folder_iam_member | Ensure no roles that enable to impersonate and manage all service accounts are used at a folder level | Terraform |
| 357 | CKV_GCP_44 | resource | google_folder_iam_binding | Ensure no roles that enable to impersonate and manage all service accounts are used at a folder level | Terraform |
| 358 | CKV_GCP_45 | resource | google_organization_iam_member | Ensure no roles that enable to impersonate and manage all service accounts are used at an organization level | Terraform |
| 359 | CKV_GCP_45 | resource | google_organization_iam_binding | Ensure no roles that enable to impersonate and manage all service accounts are used at an organization level | Terraform |
| 360 | CKV_GCP_46 | resource | google_project_iam_binding | Ensure Default Service account is not used at a project level | Terraform |
| 361 | CKV_GCP_46 | resource | google_project_iam_member | Ensure Default Service account is not used at a project level | Terraform |
| 362 | CKV_GCP_47 | resource | google_organization_iam_member | Ensure default service account is not used at an organization level | Terraform |
| 363 | CKV_GCP_47 | resource | google_organization_iam_binding | Ensure default service account is not used at an organization level | Terraform |
| 364 | CKV_GCP_48 | resource | google_folder_iam_member | Ensure Default Service account is not used at a folder level | Terraform |
| 365 | CKV_GCP_48 | resource | google_folder_iam_binding | Ensure Default Service account is not used at a folder level | Terraform |
| 366 | CKV_GCP_49 | resource | google_project_iam_binding | Ensure no roles that enable to impersonate and manage all service accounts are used at a project level | Terraform |
| 367 | CKV_GCP_49 | resource | google_project_iam_member | Ensure no roles that enable to impersonate and manage all service accounts are used at a project level | Terraform |
| 368 | CKV_GCP_50 | resource | google_sql_database_instance | Ensure MySQL database 'local_infile' flag is set to 'off' | Terraform |
| 369 | CKV_GCP_51 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_checkpoints' flag is set to 'on' | Terraform |
| 370 | CKV_GCP_52 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_connections' flag is set to 'on' | Terraform |
| 371 | CKV_GCP_53 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_disconnections' flag is set to 'on' | Terraform |
| 372 | CKV_GCP_54 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_lock_waits' flag is set to 'on' | Terraform |
| 373 | CKV_GCP_55 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_min_messages' flag is set to a valid value | Terraform |
| 374 | CKV_GCP_56 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_temp_files flag is set to '0' | Terraform |
| 375 | CKV_GCP_57 | resource | google_sql_database_instance | Ensure PostgreSQL database 'log_min_duration_statement' flag is set to '-1' | Terraform |
| 376 | CKV_GCP_58 | resource | google_sql_database_instance | Ensure SQL database 'cross db ownership chaining' flag is set to 'off' | Terraform |
| 377 | CKV_GCP_59 | resource | google_sql_database_instance | Ensure SQL database 'contained database authentication' flag is set to 'off' | Terraform |
| 378 | CKV_GCP_60 | resource | google_sql_database_instance | Ensure SQL database do not have public IP | Terraform |
| 379 | CKV_GCP_62 | resource | google_storage_bucket | Bucket should log access | Terraform |
| 380 | CKV_GCP_63 | resource | google_storage_bucket | Bucket should not log to itself | Terraform |
| 381 | CKV_GIT_1 | resource | github_repository | Ensure Repository is Private | Terraform |
| 382 | CKV_K8S_1 | PodSecurityPolicy | PodSecurityPolicy | Do not admit containers wishing to share the host process ID namespace | Kubernetes |
| 383 | CKV_K8S_2 | PodSecurityPolicy | PodSecurityPolicy | Do not admit privileged containers | Kubernetes |
| 384 | CKV_K8S_3 | PodSecurityPolicy | PodSecurityPolicy | Do not admit containers wishing to share the host IPC namespace | Kubernetes |
| 385 | CKV_K8S_4 | PodSecurityPolicy | PodSecurityPolicy | Do not admit containers wishing to share the host network namespace | Kubernetes |
| 386 | CKV_K8S_5 | PodSecurityPolicy | PodSecurityPolicy | Containers should not run with allowPrivilegeEscalation | Kubernetes |
| 387 | CKV_K8S_6 | PodSecurityPolicy | PodSecurityPolicy | Do not admit root containers | Kubernetes |
| 388 | CKV_K8S_7 | PodSecurityPolicy | PodSecurityPolicy | Do not admit containers with the NET_RAW capability | Kubernetes |
| 389 | CKV_K8S_8 | PodSecurityPolicy | containers | Liveness Probe Should be Configured | Kubernetes |
| 390 | CKV_K8S_9 | PodSecurityPolicy | containers | Readiness Probe Should be Configured | Kubernetes |
| 391 | CKV_K8S_10 | PodSecurityPolicy | containers | CPU requests should be set | Kubernetes |
| 392 | CKV_K8S_10 | PodSecurityPolicy | initContainers | CPU requests should be set | Kubernetes |
| 393 | CKV_K8S_11 | PodSecurityPolicy | containers | CPU limits should be set | Kubernetes |
| 394 | CKV_K8S_11 | PodSecurityPolicy | initContainers | CPU limits should be set | Kubernetes |
| 395 | CKV_K8S_12 | PodSecurityPolicy | containers | Memory requests should be set | Kubernetes |
| 396 | CKV_K8S_12 | PodSecurityPolicy | initContainers | Memory requests should be set | Kubernetes |
| 397 | CKV_K8S_13 | PodSecurityPolicy | containers | Memory limits should be set | Kubernetes |
| 398 | CKV_K8S_13 | PodSecurityPolicy | initContainers | Memory limits should be set | Kubernetes |
| 399 | CKV_K8S_14 | PodSecurityPolicy | containers | Image Tag should be fixed - not latest or blank | Kubernetes |
| 400 | CKV_K8S_14 | PodSecurityPolicy | initContainers | Image Tag should be fixed - not latest or blank | Kubernetes |
| 401 | CKV_K8S_15 | PodSecurityPolicy | containers | Image Pull Policy should be Always | Kubernetes |
| 402 | CKV_K8S_15 | PodSecurityPolicy | initContainers | Image Pull Policy should be Always | Kubernetes |
| 403 | CKV_K8S_16 | PodSecurityPolicy | containers | Container should not be privileged | Kubernetes |
| 404 | CKV_K8S_16 | PodSecurityPolicy | initContainers | Container should not be privileged | Kubernetes |
| 405 | CKV_K8S_17 | PodSecurityPolicy | Pod | Containers should not share the host process ID namespace | Kubernetes |
| 406 | CKV_K8S_17 | PodSecurityPolicy | Deployment | Containers should not share the host process ID namespace | Kubernetes |
| 407 | CKV_K8S_17 | PodSecurityPolicy | DaemonSet | Containers should not share the host process ID namespace | Kubernetes |
| 408 | CKV_K8S_17 | PodSecurityPolicy | StatefulSet | Containers should not share the host process ID namespace | Kubernetes |
| 409 | CKV_K8S_17 | PodSecurityPolicy | ReplicaSet | Containers should not share the host process ID namespace | Kubernetes |
| 410 | CKV_K8S_17 | PodSecurityPolicy | ReplicationController | Containers should not share the host process ID namespace | Kubernetes |
| 411 | CKV_K8S_17 | PodSecurityPolicy | Job | Containers should not share the host process ID namespace | Kubernetes |
| 412 | CKV_K8S_17 | PodSecurityPolicy | CronJob | Containers should not share the host process ID namespace | Kubernetes |
| 413 | CKV_K8S_18 | PodSecurityPolicy | Pod | Containers should not share the host IPC namespace | Kubernetes |
| 414 | CKV_K8S_18 | PodSecurityPolicy | Deployment | Containers should not share the host IPC namespace | Kubernetes |
| 415 | CKV_K8S_18 | PodSecurityPolicy | DaemonSet | Containers should not share the host IPC namespace | Kubernetes |
| 416 | CKV_K8S_18 | PodSecurityPolicy | StatefulSet | Containers should not share the host IPC namespace | Kubernetes |
| 417 | CKV_K8S_18 | PodSecurityPolicy | ReplicaSet | Containers should not share the host IPC namespace | Kubernetes |
| 418 | CKV_K8S_18 | PodSecurityPolicy | ReplicationController | Containers should not share the host IPC namespace | Kubernetes |
| 419 | CKV_K8S_18 | PodSecurityPolicy | Job | Containers should not share the host IPC namespace | Kubernetes |
| 420 | CKV_K8S_18 | PodSecurityPolicy | CronJob | Containers should not share the host IPC namespace | Kubernetes |
| 421 | CKV_K8S_19 | PodSecurityPolicy | Pod | Containers should not share the host network namespace | Kubernetes |
| 422 | CKV_K8S_19 | PodSecurityPolicy | Deployment | Containers should not share the host network namespace | Kubernetes |
| 423 | CKV_K8S_19 | PodSecurityPolicy | DaemonSet | Containers should not share the host network namespace | Kubernetes |
| 424 | CKV_K8S_19 | PodSecurityPolicy | StatefulSet | Containers should not share the host network namespace | Kubernetes |
| 425 | CKV_K8S_19 | PodSecurityPolicy | ReplicaSet | Containers should not share the host network namespace | Kubernetes |
| 426 | CKV_K8S_19 | PodSecurityPolicy | ReplicationController | Containers should not share the host network namespace | Kubernetes |
| 427 | CKV_K8S_19 | PodSecurityPolicy | Job | Containers should not share the host network namespace | Kubernetes |
| 428 | CKV_K8S_19 | PodSecurityPolicy | CronJob | Containers should not share the host network namespace | Kubernetes |
| 429 | CKV_K8S_20 | PodSecurityPolicy | containers | Containers should not run with allowPrivilegeEscalation | Kubernetes |
| 430 | CKV_K8S_20 | PodSecurityPolicy | initContainers | Containers should not run with allowPrivilegeEscalation | Kubernetes |
| 431 | CKV_K8S_21 | PodSecurityPolicy | Service | The default namespace should not be used | Kubernetes |
| 432 | CKV_K8S_21 | PodSecurityPolicy | Pod | The default namespace should not be used | Kubernetes |
| 433 | CKV_K8S_21 | PodSecurityPolicy | Deployment | The default namespace should not be used | Kubernetes |
| 434 | CKV_K8S_21 | PodSecurityPolicy | DaemonSet | The default namespace should not be used | Kubernetes |
| 435 | CKV_K8S_21 | PodSecurityPolicy | StatefulSet | The default namespace should not be used | Kubernetes |
| 436 | CKV_K8S_21 | PodSecurityPolicy | ReplicaSet | The default namespace should not be used | Kubernetes |
| 437 | CKV_K8S_21 | PodSecurityPolicy | ReplicationController | The default namespace should not be used | Kubernetes |
| 438 | CKV_K8S_21 | PodSecurityPolicy | Job | The default namespace should not be used | Kubernetes |
| 439 | CKV_K8S_21 | PodSecurityPolicy | CronJob | The default namespace should not be used | Kubernetes |
| 440 | CKV_K8S_21 | PodSecurityPolicy | ServiceAccount | The default namespace should not be used | Kubernetes |
| 441 | CKV_K8S_21 | PodSecurityPolicy | Secret | The default namespace should not be used | Kubernetes |
| 442 | CKV_K8S_21 | PodSecurityPolicy | Role | The default namespace should not be used | Kubernetes |
| 443 | CKV_K8S_21 | PodSecurityPolicy | RoleBinding | The default namespace should not be used | Kubernetes |
| 444 | CKV_K8S_21 | PodSecurityPolicy | ConfigMap | The default namespace should not be used | Kubernetes |
| 445 | CKV_K8S_21 | PodSecurityPolicy | Ingress | The default namespace should not be used | Kubernetes |
| 446 | CKV_K8S_22 | PodSecurityPolicy | containers | Use read-only filesystem for containers where possible | Kubernetes |
| 447 | CKV_K8S_22 | PodSecurityPolicy | initContainers | Use read-only filesystem for containers where possible | Kubernetes |
| 448 | CKV_K8S_23 | PodSecurityPolicy | Pod | Minimize the admission of root containers | Kubernetes |
| 449 | CKV_K8S_23 | PodSecurityPolicy | Deployment | Minimize the admission of root containers | Kubernetes |
| 450 | CKV_K8S_23 | PodSecurityPolicy | DaemonSet | Minimize the admission of root containers | Kubernetes |
| 451 | CKV_K8S_23 | PodSecurityPolicy | StatefulSet | Minimize the admission of root containers | Kubernetes |
| 452 | CKV_K8S_23 | PodSecurityPolicy | ReplicaSet | Minimize the admission of root containers | Kubernetes |
| 453 | CKV_K8S_23 | PodSecurityPolicy | ReplicationController | Minimize the admission of root containers | Kubernetes |
| 454 | CKV_K8S_23 | PodSecurityPolicy | Job | Minimize the admission of root containers | Kubernetes |
| 455 | CKV_K8S_23 | PodSecurityPolicy | CronJob | Minimize the admission of root containers | Kubernetes |
| 456 | CKV_K8S_24 | PodSecurityPolicy | PodSecurityPolicy | Do not allow containers with added capability | Kubernetes |
| 457 | CKV_K8S_25 | PodSecurityPolicy | containers | Minimize the admission of containers with added capability | Kubernetes |
| 458 | CKV_K8S_25 | PodSecurityPolicy | initContainers | Minimize the admission of containers with added capability | Kubernetes |
| 459 | CKV_K8S_26 | PodSecurityPolicy | containers | Do not specify hostPort unless absolutely necessary | Kubernetes |
| 460 | CKV_K8S_26 | PodSecurityPolicy | initContainers | Do not specify hostPort unless absolutely necessary | Kubernetes |
| 461 | CKV_K8S_27 | PodSecurityPolicy | Pod | Do not expose the docker daemon socket to containers | Kubernetes |
| 462 | CKV_K8S_27 | PodSecurityPolicy | Deployment | Do not expose the docker daemon socket to containers | Kubernetes |
| 463 | CKV_K8S_27 | PodSecurityPolicy | DaemonSet | Do not expose the docker daemon socket to containers | Kubernetes |
| 464 | CKV_K8S_27 | PodSecurityPolicy | StatefulSet | Do not expose the docker daemon socket to containers | Kubernetes |
| 465 | CKV_K8S_27 | PodSecurityPolicy | ReplicaSet | Do not expose the docker daemon socket to containers | Kubernetes |
| 466 | CKV_K8S_27 | PodSecurityPolicy | ReplicationController | Do not expose the docker daemon socket to containers | Kubernetes |
| 467 | CKV_K8S_27 | PodSecurityPolicy | Job | Do not expose the docker daemon socket to containers | Kubernetes |
| 468 | CKV_K8S_27 | PodSecurityPolicy | CronJob | Do not expose the docker daemon socket to containers | Kubernetes |
| 469 | CKV_K8S_28 | PodSecurityPolicy | containers | Minimize the admission of containers with the NET_RAW capability | Kubernetes |
| 470 | CKV_K8S_28 | PodSecurityPolicy | initContainers | Minimize the admission of containers with the NET_RAW capability | Kubernetes |
| 471 | CKV_K8S_29 | PodSecurityPolicy | Pod | Apply security context to your pods and containers | Kubernetes |
| 472 | CKV_K8S_29 | PodSecurityPolicy | Deployment | Apply security context to your pods and containers | Kubernetes |
| 473 | CKV_K8S_29 | PodSecurityPolicy | DaemonSet | Apply security context to your pods and containers | Kubernetes |
| 474 | CKV_K8S_29 | PodSecurityPolicy | StatefulSet | Apply security context to your pods and containers | Kubernetes |
| 475 | CKV_K8S_29 | PodSecurityPolicy | ReplicaSet | Apply security context to your pods and containers | Kubernetes |
| 476 | CKV_K8S_29 | PodSecurityPolicy | ReplicationController | Apply security context to your pods and containers | Kubernetes |
| 477 | CKV_K8S_29 | PodSecurityPolicy | Job | Apply security context to your pods and containers | Kubernetes |
| 478 | CKV_K8S_29 | PodSecurityPolicy | CronJob | Apply security context to your pods and containers | Kubernetes |
| 479 | CKV_K8S_30 | PodSecurityPolicy | containers | Apply security context to your pods and containers | Kubernetes |
| 480 | CKV_K8S_30 | PodSecurityPolicy | initContainers | Apply security context to your pods and containers | Kubernetes |
| 481 | CKV_K8S_31 | PodSecurityPolicy | Pod | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes |
| 482 | CKV_K8S_31 | PodSecurityPolicy | Deployment | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes |
| 483 | CKV_K8S_31 | PodSecurityPolicy | DaemonSet | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes |
| 484 | CKV_K8S_31 | PodSecurityPolicy | StatefulSet | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes |
| 485 | CKV_K8S_31 | PodSecurityPolicy | ReplicaSet | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes |
| 486 | CKV_K8S_31 | PodSecurityPolicy | ReplicationController | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes |
| 487 | CKV_K8S_31 | PodSecurityPolicy | Job | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes |
| 488 | CKV_K8S_31 | PodSecurityPolicy | CronJob | Ensure that the seccomp profile is set to docker/default or runtime/default | Kubernetes |
| 489 | CKV_K8S_32 | PodSecurityPolicy | PodSecurityPolicy | Ensure default seccomp profile set to docker/default or runtime/default | Kubernetes |
| 490 | CKV_K8S_33 | PodSecurityPolicy | containers | Ensure the Kubernetes dashboard is not deployed | Kubernetes |
| 491 | CKV_K8S_33 | PodSecurityPolicy | initContainers | Ensure the Kubernetes dashboard is not deployed | Kubernetes |
| 492 | CKV_K8S_34 | PodSecurityPolicy | containers | Ensure that Tiller (Helm v2) is not deployed | Kubernetes |
| 493 | CKV_K8S_34 | PodSecurityPolicy | initContainers | Ensure that Tiller (Helm v2) is not deployed | Kubernetes |
| 494 | CKV_K8S_35 | PodSecurityPolicy | containers | Prefer using secrets as files over secrets as environment variables | Kubernetes |
| 495 | CKV_K8S_35 | PodSecurityPolicy | initContainers | Prefer using secrets as files over secrets as environment variables | Kubernetes |
| 496 | CKV_K8S_36 | PodSecurityPolicy | PodSecurityPolicy | Minimize the admission of containers with capabilities assigned | Kubernetes |
| 497 | CKV_K8S_37 | PodSecurityPolicy | containers | Minimize the admission of containers with capabilities assigned | Kubernetes |
| 498 | CKV_K8S_37 | PodSecurityPolicy | initContainers | Minimize the admission of containers with capabilities assigned | Kubernetes |
| 499 | CKV_K8S_38 | PodSecurityPolicy | Pod | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes |
| 500 | CKV_K8S_38 | PodSecurityPolicy | Deployment | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes |
| 501 | CKV_K8S_38 | PodSecurityPolicy | DaemonSet | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes |
| 502 | CKV_K8S_38 | PodSecurityPolicy | StatefulSet | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes |
| 503 | CKV_K8S_38 | PodSecurityPolicy | ReplicaSet | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes |
| 504 | CKV_K8S_38 | PodSecurityPolicy | ReplicationController | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes |
| 505 | CKV_K8S_38 | PodSecurityPolicy | Job | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes |
| 506 | CKV_K8S_38 | PodSecurityPolicy | CronJob | Ensure that Service Account Tokens are only mounted where necessary | Kubernetes |
| 507 | CKV_K8S_39 | PodSecurityPolicy | containers | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes |
| 508 | CKV_K8S_39 | PodSecurityPolicy | initContainers | Do not use the CAP_SYS_ADMIN linux capability | Kubernetes |
| 509 | CKV_K8S_40 | PodSecurityPolicy | Pod | Containers should run as a high UID to avoid host conflict | Kubernetes |
| 510 | CKV_K8S_40 | PodSecurityPolicy | Deployment | Containers should run as a high UID to avoid host conflict | Kubernetes |
| 511 | CKV_K8S_40 | PodSecurityPolicy | DaemonSet | Containers should run as a high UID to avoid host conflict | Kubernetes |
| 512 | CKV_K8S_40 | PodSecurityPolicy | StatefulSet | Containers should run as a high UID to avoid host conflict | Kubernetes |
| 513 | CKV_K8S_40 | PodSecurityPolicy | ReplicaSet | Containers should run as a high UID to avoid host conflict | Kubernetes |
| 514 | CKV_K8S_40 | PodSecurityPolicy | ReplicationController | Containers should run as a high UID to avoid host conflict | Kubernetes |
| 515 | CKV_K8S_40 | PodSecurityPolicy | Job | Containers should run as a high UID to avoid host conflict | Kubernetes |
| 516 | CKV_K8S_40 | PodSecurityPolicy | CronJob | Containers should run as a high UID to avoid host conflict | Kubernetes |
| 517 | CKV_K8S_41 | PodSecurityPolicy | ServiceAccount | Ensure that default service accounts are not actively used | Kubernetes |
| 518 | CKV_K8S_42 | PodSecurityPolicy | RoleBinding | Ensure that default service accounts are not actively used | Kubernetes |
| 519 | CKV_K8S_42 | PodSecurityPolicy | ClusterRoleBinding | Ensure that default service accounts are not actively used | Kubernetes |
| 520 | CKV_K8S_43 | PodSecurityPolicy | containers | Image should use digest | Kubernetes |
| 521 | CKV_K8S_43 | PodSecurityPolicy | initContainers | Image should use digest | Kubernetes |
| 522 | CKV_K8S_44 | PodSecurityPolicy | Service | Ensure that the Tiller Service (Helm v2) is deleted | Kubernetes |
| 523 | CKV_K8S_45 | PodSecurityPolicy | containers | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes |
| 524 | CKV_K8S_45 | PodSecurityPolicy | initContainers | Ensure the Tiller Deployment (Helm V2) is not accessible from within the cluster | Kubernetes |
| 525 | CKV_LIN_1 | provider | linode | Ensure no hard coded Linode tokens exist in provider | Terraform |
| 526 | CKV_LIN_2 | resource | linode_instance | Ensure SSH key set in authorized_keys | Terraform |