TerraGoat - Vulnerable Terraform Infrastructure

TerraGoat is Bridgecrew's "Vulnerable by Design" Terraform repository.

TerraGoat is Bridgecrew's "Vulnerable by Design" Terraform repository. TerraGoat is a learning and training project that demonstrates how common configuration errors can find their way into production cloud environments.

Introduction

TerraGoat was built to enable DevSecOps design and implement a sustainable misconfiguration prevention strategy. It can be used to test a policy-as-code framework like Bridgecrew & Checkov, inline-linters, pre-commit hooks or other code scanning methods.

TerraGoat follows the tradition of existing *Goat projects that provide a baseline training ground to practice implementing secure development best practices for cloud infrastructure.

Important notes

Where to get help: the Bridgecrew Community Slack

Before you proceed please take a not of these warning:

⚠️ TerraGoat creates intentionally vulnerable AWS resources into your account. DO NOT deploy TerraGoat in a production environment or alongside any sensitive AWS resources.

Requirements

Terraform 0.12
aws cli
azure cli

To prevent vulnerable infrastructure from arriving to production see: Bridgecrew & checkov, the open source static analysis tool for infrastructure as code.

Getting started

AWS Setup

Installation (AWS)

You can deploy multiple TerraGoat stacks in a single AWS account using the parameter TF_VAR_environment.

Create an S3 Bucket backend to keep Terraform state

export TERRAGOAT_STATE_BUCKET="mydevsecops-bucket"
export TF_VAR_company_name=acme
export TF_VAR_environment=mydevsecops
export TF_VAR_region="us-west-2"

aws s3api create-bucket --bucket $TERRAGOAT_STATE_BUCKET \
    --region $TF_VAR_region --create-bucket-configuration LocationConstraint=$TF_VAR_region

# Enable versioning
aws s3api put-bucket-versioning --bucket $TERRAGOAT_STATE_BUCKET --versioning-configuration Status=Enabled

# Enable encryption
aws s3api put-bucket-encryption --bucket $TERRAGOAT_STATE_BUCKET --server-side-encryption-configuration '{
  "Rules": [
    {
      "ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms"
      }
    }
  ]
}'

Apply TerraGoat (AWS)

cd terraform/aws/
terraform init \
-backend-config="bucket=$TERRAGOAT_STATE_BUCKET" \
-backend-config="key=$TF_VAR_company_name-$TF_VAR_environment.tfstate" \
-backend-config="region=$TF_VAR_region"

terraform apply

Remove TerraGoat (AWS)

terraform destroy

Creating multiple TerraGoat AWS stacks

cd terraform/aws/
export TERRAGOAT_ENV=$TF_VAR_environment
export TERRAGOAT_STACKS_NUM=5
for i in $(seq 1 $TERRAGOAT_STACKS_NUM)
do
    export TF_VAR_environment=$TERRAGOAT_ENV$i
    terraform init \
    -backend-config="bucket=$TERRAGOAT_STATE_BUCKET" \
    -backend-config="key=$TF_VAR_company_name-$TF_VAR_environment.tfstate" \
    -backend-config="region=$TF_VAR_region"

    terraform apply -auto-approve
done

Deleting multiple TerraGoat stacks (AWS)

cd terraform/aws/
export TF_VAR_environment = $TERRAGOAT_ENV
for i in $(seq 1 $TERRAGOAT_STACKS_NUM)
do
    export TF_VAR_environment=$TERRAGOAT_ENV$i
    terraform init \
    -backend-config="bucket=$TERRAGOAT_STATE_BUCKET" \
    -backend-config="key=$TF_VAR_company_name-$TF_VAR_environment.tfstate" \
    -backend-config="region=$TF_VAR_region"

    terraform destroy -auto-approve
done

Azure Setup

Installation (Azure)

You can deploy multiple TerraGoat stacks in a single Azure subscription using the parameter TF_VAR_environment.

Create an Azure Storage Account backend to keep Terraform state

export TERRAGOAT_RESOURCE_GROUP="TerraGoatRG"
export TERRAGOAT_STATE_STORAGE_ACCOUNT="mydevsecopssa"
export TERRAGOAT_STATE_CONTAINER="mydevsecops"
export TF_VAR_environment="dev"
export TF_VAR_region="westus"

# Create resource group
az group create --location $TF_VAR_region --name $TERRAGOAT_RESOURCE_GROUP

# Create storage account
az storage account create --name $TERRAGOAT_STATE_STORAGE_ACCOUNT --resource-group $TERRAGOAT_RESOURCE_GROUP --location $TF_VAR_region --sku Standard_LRS --kind StorageV2 --https-only true --encryption-services blob

# Get storage account key
ACCOUNT_KEY=$(az storage account keys list --resource-group $TERRAGOAT_RESOURCE_GROUP --account-name $TERRAGOAT_STATE_STORAGE_ACCOUNT --query [0].value -o tsv)

# Create blob container
az storage container create --name $TERRAGOAT_STATE_CONTAINER --account-name $TERRAGOAT_STATE_STORAGE_ACCOUNT --account-key $ACCOUNT_KEY

Apply TerraGoat (Azure)

cd terraform/azure/
terraform init -reconfigure -backend-config="resource_group_name=$TERRAGOAT_RESOURCE_GROUP" \
    -backend-config "storage_account_name=$TERRAGOAT_STATE_STORAGE_ACCOUNT" \
    -backend-config="container_name=$TERRAGOAT_STATE_CONTAINER" \
    -backend-config "key=$TF_VAR_environment.terraform.tfstate"

terraform apply

Remove TerraGoat (Azure)

terraform destroy

GCP Setup

Installation (GCP)

You can deploy multiple TerraGoat stacks in a single GCP project using the parameter TF_VAR_environment.

Create a GCS backend to keep Terraform state

To use terraform, a Service Account and matching set of credentials are required. If they do not exist, they must be manually created for the relevant project. To create the Service Account:

Sign into your GCP project, go to IAM > Service Accounts.
Click the CREATE SERVICE ACCOUNT.
Give a name to your service account (for example - terragoat) and click CREATE.
Grant the Service Account the Project > Editor role and click CONTINUE.
Click DONE.

To create the credentials:

Sign into your GCP project, go to IAM > Service Accounts and click on the relevant Service Account.
Click ADD KEY > Create new key > JSON and click CREATE. This will create a .json file and download it to your computer.

We recommend saving the key with a nicer name than the auto-generated one (i.e. terragoat_credentials.json), and storing the resulting JSON file inside terraform/gcp directory of terragoat. Once the credentials are set up, create the BE configuration as follows:

export TF_VAR_environment="dev"
export TF_TERRAGOAT_STATE_BUCKET=remote-state-bucket-terragoat
export TF_VAR_credentials_path=<PATH_TO_CREDNETIALS_FILE> # example: export TF_VAR_credentials_path=terragoat_credentials.json
export TF_VAR_project=<YOUR_PROJECT_NAME_HERE>

# Create storage bucket
gsutil mb gs://${TF_TERRAGOAT_STATE_BUCKET}

Apply TerraGoat (GCP)

cd terraform/gcp/
terraform init -reconfigure -backend-config="bucket=$TF_TERRAGOAT_STATE_BUCKET" \
    -backend-config "credentials=$TF_VAR_credentials_path" \
    -backend-config "prefix=terragoat/${TF_VAR_environment}"

terraform apply

Remove TerraGoat (GCP)

terraform destroy

Bridgecrew's IaC herd of goats

CfnGoat - Vulnerable by design Cloudformation template
TerraGoat - Vulnerable by design Terraform stack
CDKGoat - Vulnerable by design CDK application
kustomizegoat - Vulnerable by design kustomize deployment

Contributing

Contribution is welcomed!

We would love to hear about more ideas on how to find vulnerable infrastructure-as-code design patterns.

Support

Bridgecrew builds and maintains TerraGoat to encourage the adoption of policy-as-code.

If you need direct support you can contact us at info@bridgecrew.io.

Existing vulnerabilities (Auto-Generated)

terraform scan results:

	check_id	file	resource	check_name	guideline
0	CKV_ALI_10	/alicloud/bucket.tf	alicloud_oss_bucket.bad_bucket	Ensure OSS bucket has versioning enabled
1	CKV_ALI_12	/alicloud/bucket.tf	alicloud_oss_bucket.bad_bucket	Ensure the OSS bucket has access logging enabled
2	CKV_ALI_11	/alicloud/bucket.tf	alicloud_oss_bucket.bad_bucket	Ensure OSS bucket has transfer Acceleration enabled
3	CKV_ALI_1	/alicloud/bucket.tf	alicloud_oss_bucket.bad_bucket	Alibaba Cloud OSS bucket accessible to public
4	CKV_ALI_6	/alicloud/bucket.tf	alicloud_oss_bucket.bad_bucket	Ensure OSS bucket is encrypted with Customer Master Key
5	CKV_ALI_36	/alicloud/rds.tf	alicloud_db_instance.seeme	Ensure RDS instance has log_disconnections enabled
6	CKV_ALI_37	/alicloud/rds.tf	alicloud_db_instance.seeme	Ensure RDS instance has log_connections enabled
7	CKV_ALI_34	/alicloud/rds.tf	alicloud_db_instance.seeme	Ensure RDS instance is set to auto upgrade minor versions
8	CKV_ALI_20	/alicloud/rds.tf	alicloud_db_instance.seeme	Ensure RDS instance uses SSL
9	CKV_ALI_30	/alicloud/rds.tf	alicloud_db_instance.seeme	Ensure RDS instance auto upgrades for minor versions
10	CKV_ALI_35	/alicloud/rds.tf	alicloud_db_instance.seeme	Ensure RDS instance has log_duration enabled
11	CKV_ALI_9	/alicloud/rds.tf	alicloud_db_instance.seeme	Ensure database instance is not public
12	CKV_ALI_25	/alicloud/rds.tf	alicloud_db_instance.seeme	Ensure RDS Instance SQL Collector Retention Period should be greater than 180
13	CKV_ALI_4	/alicloud/trail.tf	alicloud_actiontrail_trail.fail	Ensure Action Trail Logging for all regions
14	CKV_ALI_5	/alicloud/trail.tf	alicloud_actiontrail_trail.fail	Ensure Action Trail Logging for all events
15	CKV_ALI_10	/alicloud/trail.tf	alicloud_oss_bucket.trail	Ensure OSS bucket has versioning enabled
16	CKV_ALI_12	/alicloud/trail.tf	alicloud_oss_bucket.trail	Ensure the OSS bucket has access logging enabled
17	CKV_ALI_11	/alicloud/trail.tf	alicloud_oss_bucket.trail	Ensure OSS bucket has transfer Acceleration enabled
18	CKV_ALI_6	/alicloud/trail.tf	alicloud_oss_bucket.trail	Ensure OSS bucket is encrypted with Customer Master Key
19	CKV_AWS_157	/aws/db-app.tf	aws_db_instance.default	Ensure that RDS instances have Multi-AZ enabled	https://docs.bridgecrew.io/docs/general_73
20	CKV_AWS_161	/aws/db-app.tf	aws_db_instance.default	Ensure RDS database has IAM authentication enabled	https://docs.bridgecrew.io/docs/ensure-rds-database-has-iam-authentication-enabled
21	CKV_AWS_16	/aws/db-app.tf	aws_db_instance.default	Ensure all data stored in the RDS is securely encrypted at rest	https://docs.bridgecrew.io/docs/general_4
22	CKV_AWS_226	/aws/db-app.tf	aws_db_instance.default	Ensure DB instance gets all minor upgrades automatically
23	CKV_AWS_17	/aws/db-app.tf	aws_db_instance.default	Ensure all data stored in RDS is not publicly accessible	https://docs.bridgecrew.io/docs/public_2
24	CKV_AWS_118	/aws/db-app.tf	aws_db_instance.default	Ensure that enhanced monitoring is enabled for Amazon RDS instances	https://docs.bridgecrew.io/docs/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances
25	CKV_AWS_129	/aws/db-app.tf	aws_db_instance.default	Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled	https://docs.bridgecrew.io/docs/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled
26	CKV_AWS_133	/aws/db-app.tf	aws_db_instance.default	Ensure that RDS instances has backup policy	https://docs.bridgecrew.io/docs/ensure-that-rds-instances-have-backup-policy
27	CKV_AWS_23	/aws/db-app.tf	aws_security_group.default	Ensure every security groups rule has a description	https://docs.bridgecrew.io/docs/networking_31
28	CKV_AWS_23	/aws/db-app.tf	aws_security_group_rule.ingress	Ensure every security groups rule has a description	https://docs.bridgecrew.io/docs/networking_31
29	CKV_AWS_23	/aws/db-app.tf	aws_security_group_rule.egress	Ensure every security groups rule has a description	https://docs.bridgecrew.io/docs/networking_31
30	CKV_AWS_79	/aws/db-app.tf	aws_instance.db_app	Ensure Instance Metadata Service Version 1 is not enabled	https://docs.bridgecrew.io/docs/bc_aws_general_31
31	CKV_AWS_135	/aws/db-app.tf	aws_instance.db_app	Ensure that EC2 is EBS optimized	https://docs.bridgecrew.io/docs/ensure-that-ec2-is-ebs-optimized
32	CKV_AWS_8	/aws/db-app.tf	aws_instance.db_app	Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted	https://docs.bridgecrew.io/docs/general_13
33	CKV_AWS_126	/aws/db-app.tf	aws_instance.db_app	Ensure that detailed monitoring is enabled for EC2 instances	https://docs.bridgecrew.io/docs/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances
34	CKV_AWS_79	/aws/ec2.tf	aws_instance.web_host	Ensure Instance Metadata Service Version 1 is not enabled	https://docs.bridgecrew.io/docs/bc_aws_general_31
35	CKV_AWS_135	/aws/ec2.tf	aws_instance.web_host	Ensure that EC2 is EBS optimized	https://docs.bridgecrew.io/docs/ensure-that-ec2-is-ebs-optimized
36	CKV_AWS_8	/aws/ec2.tf	aws_instance.web_host	Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted	https://docs.bridgecrew.io/docs/general_13
37	CKV_AWS_46	/aws/ec2.tf	aws_instance.web_host	Ensure no hard-coded secrets exist in EC2 user data	https://docs.bridgecrew.io/docs/bc_aws_secrets_1
38	CKV_AWS_126	/aws/ec2.tf	aws_instance.web_host	Ensure that detailed monitoring is enabled for EC2 instances	https://docs.bridgecrew.io/docs/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances
39	CKV_AWS_3	/aws/ec2.tf	aws_ebs_volume.web_host_storage	Ensure all data stored in the EBS is securely encrypted	https://docs.bridgecrew.io/docs/general_3-encrypt-eps-volume
40	CKV_AWS_189	/aws/ec2.tf	aws_ebs_volume.web_host_storage	Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)	https://docs.bridgecrew.io/docs/bc_aws_general_109
41	CKV_AWS_23	/aws/ec2.tf	aws_security_group.web-node	Ensure every security groups rule has a description	https://docs.bridgecrew.io/docs/networking_31
42	CKV_AWS_260	/aws/ec2.tf	aws_security_group.web-node	Ensure no security groups allow ingress from 0.0.0.0:0 to port 80
43	CKV_AWS_24	/aws/ec2.tf	aws_security_group.web-node	Ensure no security groups allow ingress from 0.0.0.0:0 to port 22	https://docs.bridgecrew.io/docs/networking_1-port-security
44	CKV_AWS_130	/aws/ec2.tf	aws_subnet.web_subnet	Ensure VPC subnets do not assign public IP by default	https://docs.bridgecrew.io/docs/ensure-vpc-subnets-do-not-assign-public-ip-by-default
45	CKV_AWS_130	/aws/ec2.tf	aws_subnet.web_subnet2	Ensure VPC subnets do not assign public IP by default	https://docs.bridgecrew.io/docs/ensure-vpc-subnets-do-not-assign-public-ip-by-default
46	CKV_AWS_136	/aws/ecr.tf	aws_ecr_repository.repository	Ensure that ECR repositories are encrypted using KMS	https://docs.bridgecrew.io/docs/ensure-that-ecr-repositories-are-encrypted
47	CKV_AWS_51	/aws/ecr.tf	aws_ecr_repository.repository	Ensure ECR Image Tags are immutable	https://docs.bridgecrew.io/docs/bc_aws_general_24
48	CKV_AWS_163	/aws/ecr.tf	aws_ecr_repository.repository	Ensure ECR image scanning on push is enabled	https://docs.bridgecrew.io/docs/general_8
49	CKV_AWS_130	/aws/eks.tf	aws_subnet.eks_subnet1	Ensure VPC subnets do not assign public IP by default	https://docs.bridgecrew.io/docs/ensure-vpc-subnets-do-not-assign-public-ip-by-default
50	CKV_AWS_130	/aws/eks.tf	aws_subnet.eks_subnet2	Ensure VPC subnets do not assign public IP by default	https://docs.bridgecrew.io/docs/ensure-vpc-subnets-do-not-assign-public-ip-by-default
51	CKV_AWS_39	/aws/eks.tf	aws_eks_cluster.eks_cluster	Ensure Amazon EKS public endpoint disabled	https://docs.bridgecrew.io/docs/bc_aws_kubernetes_2
52	CKV_AWS_38	/aws/eks.tf	aws_eks_cluster.eks_cluster	Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0	https://docs.bridgecrew.io/docs/bc_aws_kubernetes_1
53	CKV_AWS_37	/aws/eks.tf	aws_eks_cluster.eks_cluster	Ensure Amazon EKS control plane logging enabled for all log types	https://docs.bridgecrew.io/docs/bc_aws_kubernetes_4
54	CKV_AWS_58	/aws/eks.tf	aws_eks_cluster.eks_cluster	Ensure EKS Cluster has Secrets Encryption Enabled	https://docs.bridgecrew.io/docs/bc_aws_kubernetes_3
55	CKV_AWS_127	/aws/elb.tf	aws_elb.weblb	Ensure that Elastic Load Balancer(s) uses SSL certificates provided by AWS Certificate Manager	https://docs.bridgecrew.io/docs/ensure-that-elastic-load-balancers-uses-ssl-certificates-provided-by-aws-certificate-manager
56	CKV_AWS_92	/aws/elb.tf	aws_elb.weblb	Ensure the ELB has access logging enabled	https://docs.bridgecrew.io/docs/bc_aws_logging_23
57	CKV_AWS_111	/aws/es.tf	aws_iam_policy_document.policy	Ensure IAM policies does not allow write access without constraints	https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-write-access-without-constraint
58	CKV_AWS_109	/aws/es.tf	aws_iam_policy_document.policy	Ensure IAM policies does not allow permissions management / resource exposure without constraints	https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint
59	CKV_AWS_137	/aws/es.tf	aws_elasticsearch_domain.monitoring-framework	Ensure that Elasticsearch is configured inside a VPC	https://docs.bridgecrew.io/docs/ensure-that-elasticsearch-is-configured-inside-a-vpc
60	CKV_AWS_247	/aws/es.tf	aws_elasticsearch_domain.monitoring-framework	Ensure all data stored in the Elasticsearch is encrypted with a CMK
61	CKV_AWS_248	/aws/es.tf	aws_elasticsearch_domain.monitoring-framework	Ensure that Elasticsearch is not using the default Security Group
62	CKV_AWS_228	/aws/es.tf	aws_elasticsearch_domain.monitoring-framework	Verify Elasticsearch domain is using an up to date TLS policy
63	CKV_AWS_84	/aws/es.tf	aws_elasticsearch_domain.monitoring-framework	Ensure Elasticsearch Domain Logging is enabled	https://docs.bridgecrew.io/docs/elasticsearch_7
64	CKV_AWS_5	/aws/es.tf	aws_elasticsearch_domain.monitoring-framework	Ensure all data stored in the Elasticsearch is securely encrypted at rest	https://docs.bridgecrew.io/docs/elasticsearch_3-enable-encryptionatrest
65	CKV_AWS_7	/aws/kms.tf	aws_kms_key.logs_key	Ensure rotation for customer created CMKs is enabled	https://docs.bridgecrew.io/docs/logging_8
66	CKV_AWS_115	/aws/lambda.tf	aws_lambda_function.analysis_lambda	Ensure that AWS Lambda function is configured for function-level concurrent execution limit	https://docs.bridgecrew.io/docs/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit
67	CKV_AWS_45	/aws/lambda.tf	aws_lambda_function.analysis_lambda	Ensure no hard-coded secrets exist in lambda environment	https://docs.bridgecrew.io/docs/bc_aws_secrets_3
68	CKV_AWS_50	/aws/lambda.tf	aws_lambda_function.analysis_lambda	X-ray tracing is enabled for Lambda	https://docs.bridgecrew.io/docs/bc_aws_serverless_4
69	CKV_AWS_117	/aws/lambda.tf	aws_lambda_function.analysis_lambda	Ensure that AWS Lambda function is configured inside a VPC	https://docs.bridgecrew.io/docs/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1
70	CKV_AWS_173	/aws/lambda.tf	aws_lambda_function.analysis_lambda	Check encryption settings for Lambda environmental variable	https://docs.bridgecrew.io/docs/bc_aws_serverless_5
71	CKV_AWS_116	/aws/lambda.tf	aws_lambda_function.analysis_lambda	Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)	https://docs.bridgecrew.io/docs/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq
72	CKV_AWS_44	/aws/neptune.tf	aws_neptune_cluster.default	Ensure Neptune storage is securely encrypted	https://docs.bridgecrew.io/docs/general_18
73	CKV_AWS_101	/aws/neptune.tf	aws_neptune_cluster.default	Ensure Neptune logging is enabled	https://docs.bridgecrew.io/docs/bc_aws_logging_24
74	CKV_AWS_41	/aws/providers.tf	aws.plain_text_access_keys_provider	Ensure no hard coded AWS access key and secret key exists in provider	https://docs.bridgecrew.io/docs/bc_aws_secrets_5
75	CKV_AWS_128	/aws/rds.tf	aws_rds_cluster.app1-rds-cluster	Ensure that an Amazon RDS Clusters have AWS Identity and Access Management (IAM) authentication enabled	https://docs.bridgecrew.io/docs/ensure-that-an-amazon-rds-clusters-have-iam-authentication-enabled
76	CKV_AWS_139	/aws/rds.tf	aws_rds_cluster.app1-rds-cluster	Ensure that RDS clusters have deletion protection enabled	https://docs.bridgecrew.io/docs/ensure-that-rds-clusters-and-instances-have-deletion-protection-enabled
77	CKV_AWS_96	/aws/rds.tf	aws_rds_cluster.app1-rds-cluster	Ensure all data stored in Aurora is securely encrypted at rest	https://docs.bridgecrew.io/docs/bc_aws_general_38
78	CKV_AWS_162	/aws/rds.tf	aws_rds_cluster.app1-rds-cluster	Ensure RDS cluster has IAM authentication enabled	https://docs.bridgecrew.io/docs/ensure-rds-cluster-has-iam-authentication-enabled
79	CKV_AWS_133	/aws/rds.tf	aws_rds_cluster.app1-rds-cluster	Ensure that RDS instances has backup policy	https://docs.bridgecrew.io/docs/ensure-that-rds-instances-have-backup-policy
80	CKV_AWS_128	/aws/rds.tf	aws_rds_cluster.app2-rds-cluster	Ensure that an Amazon RDS Clusters have AWS Identity and Access Management (IAM) authentication enabled	https://docs.bridgecrew.io/docs/ensure-that-an-amazon-rds-clusters-have-iam-authentication-enabled
81	CKV_AWS_139	/aws/rds.tf	aws_rds_cluster.app2-rds-cluster	Ensure that RDS clusters have deletion protection enabled	https://docs.bridgecrew.io/docs/ensure-that-rds-clusters-and-instances-have-deletion-protection-enabled
82	CKV_AWS_96	/aws/rds.tf	aws_rds_cluster.app2-rds-cluster	Ensure all data stored in Aurora is securely encrypted at rest	https://docs.bridgecrew.io/docs/bc_aws_general_38
83	CKV_AWS_162	/aws/rds.tf	aws_rds_cluster.app2-rds-cluster	Ensure RDS cluster has IAM authentication enabled	https://docs.bridgecrew.io/docs/ensure-rds-cluster-has-iam-authentication-enabled
84	CKV_AWS_128	/aws/rds.tf	aws_rds_cluster.app3-rds-cluster	Ensure that an Amazon RDS Clusters have AWS Identity and Access Management (IAM) authentication enabled	https://docs.bridgecrew.io/docs/ensure-that-an-amazon-rds-clusters-have-iam-authentication-enabled
85	CKV_AWS_139	/aws/rds.tf	aws_rds_cluster.app3-rds-cluster	Ensure that RDS clusters have deletion protection enabled	https://docs.bridgecrew.io/docs/ensure-that-rds-clusters-and-instances-have-deletion-protection-enabled
86	CKV_AWS_96	/aws/rds.tf	aws_rds_cluster.app3-rds-cluster	Ensure all data stored in Aurora is securely encrypted at rest	https://docs.bridgecrew.io/docs/bc_aws_general_38
87	CKV_AWS_162	/aws/rds.tf	aws_rds_cluster.app3-rds-cluster	Ensure RDS cluster has IAM authentication enabled	https://docs.bridgecrew.io/docs/ensure-rds-cluster-has-iam-authentication-enabled
88	CKV_AWS_128	/aws/rds.tf	aws_rds_cluster.app4-rds-cluster	Ensure that an Amazon RDS Clusters have AWS Identity and Access Management (IAM) authentication enabled	https://docs.bridgecrew.io/docs/ensure-that-an-amazon-rds-clusters-have-iam-authentication-enabled
89	CKV_AWS_139	/aws/rds.tf	aws_rds_cluster.app4-rds-cluster	Ensure that RDS clusters have deletion protection enabled	https://docs.bridgecrew.io/docs/ensure-that-rds-clusters-and-instances-have-deletion-protection-enabled
90	CKV_AWS_96	/aws/rds.tf	aws_rds_cluster.app4-rds-cluster	Ensure all data stored in Aurora is securely encrypted at rest	https://docs.bridgecrew.io/docs/bc_aws_general_38
91	CKV_AWS_162	/aws/rds.tf	aws_rds_cluster.app4-rds-cluster	Ensure RDS cluster has IAM authentication enabled	https://docs.bridgecrew.io/docs/ensure-rds-cluster-has-iam-authentication-enabled
92	CKV_AWS_128	/aws/rds.tf	aws_rds_cluster.app5-rds-cluster	Ensure that an Amazon RDS Clusters have AWS Identity and Access Management (IAM) authentication enabled	https://docs.bridgecrew.io/docs/ensure-that-an-amazon-rds-clusters-have-iam-authentication-enabled
93	CKV_AWS_139	/aws/rds.tf	aws_rds_cluster.app5-rds-cluster	Ensure that RDS clusters have deletion protection enabled	https://docs.bridgecrew.io/docs/ensure-that-rds-clusters-and-instances-have-deletion-protection-enabled
94	CKV_AWS_96	/aws/rds.tf	aws_rds_cluster.app5-rds-cluster	Ensure all data stored in Aurora is securely encrypted at rest	https://docs.bridgecrew.io/docs/bc_aws_general_38
95	CKV_AWS_162	/aws/rds.tf	aws_rds_cluster.app5-rds-cluster	Ensure RDS cluster has IAM authentication enabled	https://docs.bridgecrew.io/docs/ensure-rds-cluster-has-iam-authentication-enabled
96	CKV_AWS_128	/aws/rds.tf	aws_rds_cluster.app6-rds-cluster	Ensure that an Amazon RDS Clusters have AWS Identity and Access Management (IAM) authentication enabled	https://docs.bridgecrew.io/docs/ensure-that-an-amazon-rds-clusters-have-iam-authentication-enabled
97	CKV_AWS_139	/aws/rds.tf	aws_rds_cluster.app6-rds-cluster	Ensure that RDS clusters have deletion protection enabled	https://docs.bridgecrew.io/docs/ensure-that-rds-clusters-and-instances-have-deletion-protection-enabled
98	CKV_AWS_96	/aws/rds.tf	aws_rds_cluster.app6-rds-cluster	Ensure all data stored in Aurora is securely encrypted at rest	https://docs.bridgecrew.io/docs/bc_aws_general_38
99	CKV_AWS_162	/aws/rds.tf	aws_rds_cluster.app6-rds-cluster	Ensure RDS cluster has IAM authentication enabled	https://docs.bridgecrew.io/docs/ensure-rds-cluster-has-iam-authentication-enabled
100	CKV_AWS_128	/aws/rds.tf	aws_rds_cluster.app7-rds-cluster	Ensure that an Amazon RDS Clusters have AWS Identity and Access Management (IAM) authentication enabled	https://docs.bridgecrew.io/docs/ensure-that-an-amazon-rds-clusters-have-iam-authentication-enabled
101	CKV_AWS_139	/aws/rds.tf	aws_rds_cluster.app7-rds-cluster	Ensure that RDS clusters have deletion protection enabled	https://docs.bridgecrew.io/docs/ensure-that-rds-clusters-and-instances-have-deletion-protection-enabled
102	CKV_AWS_96	/aws/rds.tf	aws_rds_cluster.app7-rds-cluster	Ensure all data stored in Aurora is securely encrypted at rest	https://docs.bridgecrew.io/docs/bc_aws_general_38
103	CKV_AWS_162	/aws/rds.tf	aws_rds_cluster.app7-rds-cluster	Ensure RDS cluster has IAM authentication enabled	https://docs.bridgecrew.io/docs/ensure-rds-cluster-has-iam-authentication-enabled
104	CKV_AWS_128	/aws/rds.tf	aws_rds_cluster.app8-rds-cluster	Ensure that an Amazon RDS Clusters have AWS Identity and Access Management (IAM) authentication enabled	https://docs.bridgecrew.io/docs/ensure-that-an-amazon-rds-clusters-have-iam-authentication-enabled
105	CKV_AWS_139	/aws/rds.tf	aws_rds_cluster.app8-rds-cluster	Ensure that RDS clusters have deletion protection enabled	https://docs.bridgecrew.io/docs/ensure-that-rds-clusters-and-instances-have-deletion-protection-enabled
106	CKV_AWS_96	/aws/rds.tf	aws_rds_cluster.app8-rds-cluster	Ensure all data stored in Aurora is securely encrypted at rest	https://docs.bridgecrew.io/docs/bc_aws_general_38
107	CKV_AWS_162	/aws/rds.tf	aws_rds_cluster.app8-rds-cluster	Ensure RDS cluster has IAM authentication enabled	https://docs.bridgecrew.io/docs/ensure-rds-cluster-has-iam-authentication-enabled
108	CKV_AWS_128	/aws/rds.tf	aws_rds_cluster.app9-rds-cluster	Ensure that an Amazon RDS Clusters have AWS Identity and Access Management (IAM) authentication enabled	https://docs.bridgecrew.io/docs/ensure-that-an-amazon-rds-clusters-have-iam-authentication-enabled
109	CKV_AWS_139	/aws/rds.tf	aws_rds_cluster.app9-rds-cluster	Ensure that RDS clusters have deletion protection enabled	https://docs.bridgecrew.io/docs/ensure-that-rds-clusters-and-instances-have-deletion-protection-enabled
110	CKV_AWS_96	/aws/rds.tf	aws_rds_cluster.app9-rds-cluster	Ensure all data stored in Aurora is securely encrypted at rest	https://docs.bridgecrew.io/docs/bc_aws_general_38
111	CKV_AWS_162	/aws/rds.tf	aws_rds_cluster.app9-rds-cluster	Ensure RDS cluster has IAM authentication enabled	https://docs.bridgecrew.io/docs/ensure-rds-cluster-has-iam-authentication-enabled
112	CKV_AWS_186	/aws/s3.tf	aws_s3_bucket_object.data_object	Ensure S3 bucket Object is encrypted by KMS using a customer managed Key (CMK)	https://docs.bridgecrew.io/docs/bc_aws_general_106
113	CKV_AZURE_116	/azure/aks.tf	azurerm_kubernetes_cluster.k8s_cluster	Ensure that AKS uses Azure Policies Add-on	https://docs.bridgecrew.io/docs/ensure-that-aks-uses-azure-policies-add-on
114	CKV_AZURE_8	/azure/aks.tf	azurerm_kubernetes_cluster.k8s_cluster	Ensure Kubernetes Dashboard is disabled	https://docs.bridgecrew.io/docs/bc_azr_kubernetes_5
115	CKV_AZURE_4	/azure/aks.tf	azurerm_kubernetes_cluster.k8s_cluster	Ensure AKS logging to Azure Monitoring is Configured	https://docs.bridgecrew.io/docs/bc_azr_kubernetes_1
116	CKV_AZURE_117	/azure/aks.tf	azurerm_kubernetes_cluster.k8s_cluster	Ensure that AKS uses disk encryption set	https://docs.bridgecrew.io/docs/ensure-that-aks-uses-disk-encryption-set
117	CKV_AZURE_115	/azure/aks.tf	azurerm_kubernetes_cluster.k8s_cluster	Ensure that AKS enables private clusters	https://docs.bridgecrew.io/docs/ensure-that-aks-enables-private-clusters
118	CKV_AZURE_141	/azure/aks.tf	azurerm_kubernetes_cluster.k8s_cluster	Ensure AKS local admin account is disabled
119	CKV_AZURE_7	/azure/aks.tf	azurerm_kubernetes_cluster.k8s_cluster	Ensure AKS cluster has Network Policy configured	https://docs.bridgecrew.io/docs/bc_azr_kubernetes_4
120	CKV_AZURE_6	/azure/aks.tf	azurerm_kubernetes_cluster.k8s_cluster	Ensure AKS has an API Server Authorized IP Ranges enabled	https://docs.bridgecrew.io/docs/bc_azr_kubernetes_3
121	CKV_AZURE_5	/azure/aks.tf	azurerm_kubernetes_cluster.k8s_cluster	Ensure RBAC is enabled on AKS clusters	https://docs.bridgecrew.io/docs/bc_azr_kubernetes_2
122	CKV_AZURE_15	/azure/app_service.tf	azurerm_app_service.app-service1	Ensure web app is using the latest version of TLS encryption	https://docs.bridgecrew.io/docs/bc_azr_networking_6
123	CKV_AZURE_78	/azure/app_service.tf	azurerm_app_service.app-service1	Ensure FTP deployments are disabled	https://docs.bridgecrew.io/docs/ensure-ftp-deployments-are-disabled
124	CKV_AZURE_18	/azure/app_service.tf	azurerm_app_service.app-service1	Ensure that 'HTTP Version' is the latest if used to run the web app	https://docs.bridgecrew.io/docs/bc_azr_networking_8
125	CKV_AZURE_88	/azure/app_service.tf	azurerm_app_service.app-service1	Ensure that app services use Azure Files	https://docs.bridgecrew.io/docs/ensure-that-app-services-use-azure-files
126	CKV_AZURE_13	/azure/app_service.tf	azurerm_app_service.app-service1	Ensure App Service Authentication is set on Azure App Service	https://docs.bridgecrew.io/docs/bc_azr_general_2
127	CKV_AZURE_71	/azure/app_service.tf	azurerm_app_service.app-service1	Ensure that Managed identity provider is enabled for app services	https://docs.bridgecrew.io/docs/ensure-that-managed-identity-provider-is-enabled-for-app-services
128	CKV_AZURE_80	/azure/app_service.tf	azurerm_app_service.app-service1	Ensure that 'Net Framework' version is the latest, if used as a part of the web app	https://docs.bridgecrew.io/docs/ensure-that-net-framework-version-is-the-latest-if-used-as-a-part-of-the-web-app
129	CKV_AZURE_65	/azure/app_service.tf	azurerm_app_service.app-service1	Ensure that App service enables detailed error messages	https://docs.bridgecrew.io/docs/tbdensure-that-app-service-enables-detailed-error-messages
130	CKV_AZURE_63	/azure/app_service.tf	azurerm_app_service.app-service1	Ensure that App service enables HTTP logging	https://docs.bridgecrew.io/docs/ensure-that-app-service-enables-http-logging
131	CKV_AZURE_17	/azure/app_service.tf	azurerm_app_service.app-service1	Ensure the web app has 'Client Certificates (Incoming client certificates)' set	https://docs.bridgecrew.io/docs/bc_azr_networking_7
132	CKV_AZURE_16	/azure/app_service.tf	azurerm_app_service.app-service1	Ensure that Register with Azure Active Directory is enabled on App Service	https://docs.bridgecrew.io/docs/bc_azr_iam_1
133	CKV_AZURE_66	/azure/app_service.tf	azurerm_app_service.app-service1	Ensure that App service enables failed request tracing	https://docs.bridgecrew.io/docs/ensure-that-app-service-enables-failed-request-tracing
134	CKV_AZURE_14	/azure/app_service.tf	azurerm_app_service.app-service1	Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service	https://docs.bridgecrew.io/docs/bc_azr_networking_5
135	CKV_AZURE_78	/azure/app_service.tf	azurerm_app_service.app-service2	Ensure FTP deployments are disabled	https://docs.bridgecrew.io/docs/ensure-ftp-deployments-are-disabled
136	CKV_AZURE_18	/azure/app_service.tf	azurerm_app_service.app-service2	Ensure that 'HTTP Version' is the latest if used to run the web app	https://docs.bridgecrew.io/docs/bc_azr_networking_8
137	CKV_AZURE_88	/azure/app_service.tf	azurerm_app_service.app-service2	Ensure that app services use Azure Files	https://docs.bridgecrew.io/docs/ensure-that-app-services-use-azure-files
138	CKV_AZURE_13	/azure/app_service.tf	azurerm_app_service.app-service2	Ensure App Service Authentication is set on Azure App Service	https://docs.bridgecrew.io/docs/bc_azr_general_2
139	CKV_AZURE_71	/azure/app_service.tf	azurerm_app_service.app-service2	Ensure that Managed identity provider is enabled for app services	https://docs.bridgecrew.io/docs/ensure-that-managed-identity-provider-is-enabled-for-app-services
140	CKV_AZURE_80	/azure/app_service.tf	azurerm_app_service.app-service2	Ensure that 'Net Framework' version is the latest, if used as a part of the web app	https://docs.bridgecrew.io/docs/ensure-that-net-framework-version-is-the-latest-if-used-as-a-part-of-the-web-app
141	CKV_AZURE_65	/azure/app_service.tf	azurerm_app_service.app-service2	Ensure that App service enables detailed error messages	https://docs.bridgecrew.io/docs/tbdensure-that-app-service-enables-detailed-error-messages
142	CKV_AZURE_63	/azure/app_service.tf	azurerm_app_service.app-service2	Ensure that App service enables HTTP logging	https://docs.bridgecrew.io/docs/ensure-that-app-service-enables-http-logging
143	CKV_AZURE_17	/azure/app_service.tf	azurerm_app_service.app-service2	Ensure the web app has 'Client Certificates (Incoming client certificates)' set	https://docs.bridgecrew.io/docs/bc_azr_networking_7
144	CKV_AZURE_16	/azure/app_service.tf	azurerm_app_service.app-service2	Ensure that Register with Azure Active Directory is enabled on App Service	https://docs.bridgecrew.io/docs/bc_azr_iam_1
145	CKV_AZURE_66	/azure/app_service.tf	azurerm_app_service.app-service2	Ensure that App service enables failed request tracing	https://docs.bridgecrew.io/docs/ensure-that-app-service-enables-failed-request-tracing
146	CKV_AZURE_1	/azure/instance.tf	azurerm_linux_virtual_machine.linux_machine	Ensure Azure Instance does not use basic authentication(Use SSH Key Instead)	https://docs.bridgecrew.io/docs/bc_azr_networking_1
147	CKV_AZURE_50	/azure/instance.tf	azurerm_linux_virtual_machine.linux_machine	Ensure Virtual Machine Extensions are not Installed	https://docs.bridgecrew.io/docs/bc_azr_general_14
148	CKV_AZURE_149	/azure/instance.tf	azurerm_linux_virtual_machine.linux_machine	Ensure that Virtual machine does not enable password authentication
149	CKV_AZURE_151	/azure/instance.tf	azurerm_windows_virtual_machine.windows_machine	Ensure Windows VM enables encryption
150	CKV_AZURE_50	/azure/instance.tf	azurerm_windows_virtual_machine.windows_machine	Ensure Virtual Machine Extensions are not Installed	https://docs.bridgecrew.io/docs/bc_azr_general_14
151	CKV_AZURE_109	/azure/key_vault.tf	azurerm_key_vault.example	Ensure that key vault allows firewall rules settings	https://docs.bridgecrew.io/docs/ensure-that-key-vault-allows-firewall-rules-settings
152	CKV_AZURE_42	/azure/key_vault.tf	azurerm_key_vault.example	Ensure the key vault is recoverable	https://docs.bridgecrew.io/docs/ensure-the-key-vault-is-recoverable
153	CKV_AZURE_110	/azure/key_vault.tf	azurerm_key_vault.example	Ensure that key vault enables purge protection	https://docs.bridgecrew.io/docs/ensure-that-key-vault-enables-purge-protection
154	CKV_AZURE_112	/azure/key_vault.tf	azurerm_key_vault_key.generated	Ensure that key vault key is backed by HSM	https://docs.bridgecrew.io/docs/ensure-that-key-vault-key-is-backed-by-hsm
155	CKV_AZURE_40	/azure/key_vault.tf	azurerm_key_vault_key.generated	Ensure that the expiration date is set on all keys	https://docs.bridgecrew.io/docs/set-an-expiration-date-on-all-keys
156	CKV_AZURE_114	/azure/key_vault.tf	azurerm_key_vault_secret.secret	Ensure that key vault secrets have "content_type" set	https://docs.bridgecrew.io/docs/ensure-that-key-vault-secrets-have-content_type-set
157	CKV_AZURE_41	/azure/key_vault.tf	azurerm_key_vault_secret.secret	Ensure that the expiration date is set on all secrets	https://docs.bridgecrew.io/docs/set-an-expiration-date-on-all-secrets
158	CKV_AZURE_38	/azure/logging.tf	azurerm_monitor_log_profile.logging_profile	Ensure audit profile captures all the activities	https://docs.bridgecrew.io/docs/ensure-audit-profile-captures-all-activities
159	CKV_AZURE_37	/azure/logging.tf	azurerm_monitor_log_profile.logging_profile	Ensure that Activity Log Retention is set 365 days or greater	https://docs.bridgecrew.io/docs/set-activity-log-retention-to-365-days-or-greater
160	CKV_AZURE_35	/azure/mssql.tf	azurerm_storage_account.security_storage_account	Ensure default network access rule for Storage Accounts is set to deny	https://docs.bridgecrew.io/docs/set-default-network-access-rule-for-storage-accounts-to-deny
161	CKV_AZURE_33	/azure/mssql.tf	azurerm_storage_account.security_storage_account	Ensure Storage logging is enabled for Queue service for read, write and delete requests	https://docs.bridgecrew.io/docs/enable-requests-on-storage-logging-for-queue-service
162	CKV_AZURE_44	/azure/mssql.tf	azurerm_storage_account.security_storage_account	Ensure Storage Account is using the latest version of TLS encryption	https://docs.bridgecrew.io/docs/bc_azr_storage_2
163	CKV_AZURE_52	/azure/mssql.tf	azurerm_mssql_server.mssql1	Ensure MSSQL is using the latest version of TLS encryption	https://docs.bridgecrew.io/docs/ensure-mssql-is-using-the-latest-version-of-tls-encryption
164	CKV_AZURE_113	/azure/mssql.tf	azurerm_mssql_server.mssql1	Ensure that SQL server disables public network access	https://docs.bridgecrew.io/docs/ensure-that-sql-server-disables-public-network-access
165	CKV_AZURE_52	/azure/mssql.tf	azurerm_mssql_server.mssql2	Ensure MSSQL is using the latest version of TLS encryption	https://docs.bridgecrew.io/docs/ensure-mssql-is-using-the-latest-version-of-tls-encryption
166	CKV_AZURE_113	/azure/mssql.tf	azurerm_mssql_server.mssql2	Ensure that SQL server disables public network access	https://docs.bridgecrew.io/docs/ensure-that-sql-server-disables-public-network-access
167	CKV_AZURE_52	/azure/mssql.tf	azurerm_mssql_server.mssql3	Ensure MSSQL is using the latest version of TLS encryption	https://docs.bridgecrew.io/docs/ensure-mssql-is-using-the-latest-version-of-tls-encryption
168	CKV_AZURE_113	/azure/mssql.tf	azurerm_mssql_server.mssql3	Ensure that SQL server disables public network access	https://docs.bridgecrew.io/docs/ensure-that-sql-server-disables-public-network-access
169	CKV_AZURE_52	/azure/mssql.tf	azurerm_mssql_server.mssql4	Ensure MSSQL is using the latest version of TLS encryption	https://docs.bridgecrew.io/docs/ensure-mssql-is-using-the-latest-version-of-tls-encryption
170	CKV_AZURE_113	/azure/mssql.tf	azurerm_mssql_server.mssql4	Ensure that SQL server disables public network access	https://docs.bridgecrew.io/docs/ensure-that-sql-server-disables-public-network-access
171	CKV_AZURE_52	/azure/mssql.tf	azurerm_mssql_server.mssql5	Ensure MSSQL is using the latest version of TLS encryption	https://docs.bridgecrew.io/docs/ensure-mssql-is-using-the-latest-version-of-tls-encryption
172	CKV_AZURE_113	/azure/mssql.tf	azurerm_mssql_server.mssql5	Ensure that SQL server disables public network access	https://docs.bridgecrew.io/docs/ensure-that-sql-server-disables-public-network-access
173	CKV_AZURE_52	/azure/mssql.tf	azurerm_mssql_server.mssql6	Ensure MSSQL is using the latest version of TLS encryption	https://docs.bridgecrew.io/docs/ensure-mssql-is-using-the-latest-version-of-tls-encryption
174	CKV_AZURE_113	/azure/mssql.tf	azurerm_mssql_server.mssql6	Ensure that SQL server disables public network access	https://docs.bridgecrew.io/docs/ensure-that-sql-server-disables-public-network-access
175	CKV_AZURE_52	/azure/mssql.tf	azurerm_mssql_server.mssql7	Ensure MSSQL is using the latest version of TLS encryption	https://docs.bridgecrew.io/docs/ensure-mssql-is-using-the-latest-version-of-tls-encryption
176	CKV_AZURE_113	/azure/mssql.tf	azurerm_mssql_server.mssql7	Ensure that SQL server disables public network access	https://docs.bridgecrew.io/docs/ensure-that-sql-server-disables-public-network-access
177	CKV_AZURE_25	/azure/mssql.tf	azurerm_mssql_server_security_alert_policy.alertpolicy1	Ensure that 'Threat Detection types' is set to 'All'	https://docs.bridgecrew.io/docs/bc_azr_general_6
178	CKV_AZURE_27	/azure/mssql.tf	azurerm_mssql_server_security_alert_policy.alertpolicy1	Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers	https://docs.bridgecrew.io/docs/bc_azr_general_8
179	CKV_AZURE_25	/azure/mssql.tf	azurerm_mssql_server_security_alert_policy.alertpolicy2	Ensure that 'Threat Detection types' is set to 'All'	https://docs.bridgecrew.io/docs/bc_azr_general_6
180	CKV_AZURE_27	/azure/mssql.tf	azurerm_mssql_server_security_alert_policy.alertpolicy2	Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers	https://docs.bridgecrew.io/docs/bc_azr_general_8
181	CKV_AZURE_25	/azure/mssql.tf	azurerm_mssql_server_security_alert_policy.alertpolicy3	Ensure that 'Threat Detection types' is set to 'All'	https://docs.bridgecrew.io/docs/bc_azr_general_6
182	CKV_AZURE_27	/azure/mssql.tf	azurerm_mssql_server_security_alert_policy.alertpolicy3	Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers	https://docs.bridgecrew.io/docs/bc_azr_general_8
183	CKV_AZURE_25	/azure/mssql.tf	azurerm_mssql_server_security_alert_policy.alertpolicy4	Ensure that 'Threat Detection types' is set to 'All'	https://docs.bridgecrew.io/docs/bc_azr_general_6
184	CKV_AZURE_27	/azure/mssql.tf	azurerm_mssql_server_security_alert_policy.alertpolicy4	Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers	https://docs.bridgecrew.io/docs/bc_azr_general_8
185	CKV_AZURE_25	/azure/mssql.tf	azurerm_mssql_server_security_alert_policy.alertpolicy5	Ensure that 'Threat Detection types' is set to 'All'	https://docs.bridgecrew.io/docs/bc_azr_general_6
186	CKV_AZURE_26	/azure/mssql.tf	azurerm_mssql_server_security_alert_policy.alertpolicy5	Ensure that 'Send Alerts To' is enabled for MSSQL servers	https://docs.bridgecrew.io/docs/bc_azr_general_7
187	CKV_AZURE_27	/azure/mssql.tf	azurerm_mssql_server_security_alert_policy.alertpolicy5	Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers	https://docs.bridgecrew.io/docs/bc_azr_general_8
188	CKV_AZURE_25	/azure/mssql.tf	azurerm_mssql_server_security_alert_policy.alertpolicy6	Ensure that 'Threat Detection types' is set to 'All'	https://docs.bridgecrew.io/docs/bc_azr_general_6
189	CKV_AZURE_27	/azure/mssql.tf	azurerm_mssql_server_security_alert_policy.alertpolicy6	Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers	https://docs.bridgecrew.io/docs/bc_azr_general_8
190	CKV_AZURE_25	/azure/mssql.tf	azurerm_mssql_server_security_alert_policy.alertpolicy7	Ensure that 'Threat Detection types' is set to 'All'	https://docs.bridgecrew.io/docs/bc_azr_general_6
191	CKV_AZURE_27	/azure/mssql.tf	azurerm_mssql_server_security_alert_policy.alertpolicy7	Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers	https://docs.bridgecrew.io/docs/bc_azr_general_8
192	CKV_AZURE_10	/azure/networking.tf	azurerm_network_security_group.bad_sg	Ensure that SSH access is restricted from the internet	https://docs.bridgecrew.io/docs/bc_azr_networking_3
193	CKV_AZURE_9	/azure/networking.tf	azurerm_network_security_group.bad_sg	Ensure that RDP access is restricted from the internet	https://docs.bridgecrew.io/docs/bc_azr_networking_2
194	CKV_AZURE_12	/azure/networking.tf	azurerm_network_watcher_flow_log.flow_log	Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'	https://docs.bridgecrew.io/docs/bc_azr_logging_1
195	CKV_AZURE_39	/azure/roles.tf	azurerm_role_definition.example	Ensure that no custom subscription owner roles are created	https://docs.bridgecrew.io/docs/do-not-create-custom-subscription-owner-roles
196	CKV_AZURE_19	/azure/security_center.tf	azurerm_security_center_subscription_pricing.pricing	Ensure that standard pricing tier is selected	https://docs.bridgecrew.io/docs/ensure-standard-pricing-tier-is-selected
197	CKV_AZURE_20	/azure/security_center.tf	azurerm_security_center_contact.contact	Ensure that security contact 'Phone number' is set	https://docs.bridgecrew.io/docs/bc_azr_general_3
198	CKV_AZURE_22	/azure/security_center.tf	azurerm_security_center_contact.contact	Ensure that 'Send email notification for high severity alerts' is set to 'On'	https://docs.bridgecrew.io/docs/bc_azr_general_5
199	CKV_AZURE_21	/azure/security_center.tf	azurerm_security_center_contact.contact	Ensure that 'Send email notification for high severity alerts' is set to 'On'	https://docs.bridgecrew.io/docs/bc_azr_general_4
200	CKV_AZURE_25	/azure/sql.tf	azurerm_mssql_server_security_alert_policy.example	Ensure that 'Threat Detection types' is set to 'All'	https://docs.bridgecrew.io/docs/bc_azr_general_6
201	CKV_AZURE_26	/azure/sql.tf	azurerm_mssql_server_security_alert_policy.example	Ensure that 'Send Alerts To' is enabled for MSSQL servers	https://docs.bridgecrew.io/docs/bc_azr_general_7
202	CKV_AZURE_27	/azure/sql.tf	azurerm_mssql_server_security_alert_policy.example	Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers	https://docs.bridgecrew.io/docs/bc_azr_general_8
203	CKV_AZURE_127	/azure/sql.tf	azurerm_mysql_server.example	Ensure that My SQL server enables Threat detection policy	https://docs.bridgecrew.io/docs/ensure-that-my-sql-server-enables-threat-detection-policy
204	CKV_AZURE_94	/azure/sql.tf	azurerm_mysql_server.example	Ensure that My SQL server enables geo-redundant backups	https://docs.bridgecrew.io/docs/ensure-that-my-sql-server-enables-geo-redundant-backups
205	CKV_AZURE_53	/azure/sql.tf	azurerm_mysql_server.example	Ensure 'public network access enabled' is set to 'False' for mySQL servers	https://docs.bridgecrew.io/docs/ensure-public-network-access-enabled-is-set-to-false-for-mysql-servers
206	CKV_AZURE_54	/azure/sql.tf	azurerm_mysql_server.example	Ensure MySQL is using the latest version of TLS encryption	https://docs.bridgecrew.io/docs/ensure-mysql-is-using-the-latest-version-of-tls-encryption
207	CKV_AZURE_28	/azure/sql.tf	azurerm_mysql_server.example	Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server	https://docs.bridgecrew.io/docs/bc_azr_networking_9
208	CKV_AZURE_147	/azure/sql.tf	azurerm_postgresql_server.example	Ensure PostgreSQL is using the latest version of TLS encryption
209	CKV_AZURE_130	/azure/sql.tf	azurerm_postgresql_server.example	Ensure that PostgreSQL server enables infrastructure encryption	https://docs.bridgecrew.io/docs/ensure-that-postgresql-server-enables-infrastructure-encryption
210	CKV_AZURE_29	/azure/sql.tf	azurerm_postgresql_server.example	Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server	https://docs.bridgecrew.io/docs/bc_azr_networking_10
211	CKV_AZURE_128	/azure/sql.tf	azurerm_postgresql_server.example	Ensure that PostgreSQL server enables Threat detection policy	https://docs.bridgecrew.io/docs/ensure-that-postgresql-server-enables-threat-detection-policy
212	CKV_AZURE_102	/azure/sql.tf	azurerm_postgresql_server.example	Ensure that PostgreSQL server enables geo-redundant backups	https://docs.bridgecrew.io/docs/ensure-that-postgresql-server-enables-geo-redundant-backups
213	CKV_AZURE_68	/azure/sql.tf	azurerm_postgresql_server.example	Ensure that PostgreSQL server disables public network access	https://docs.bridgecrew.io/docs/ensure-that-postgresql-server-disables-public-network-access
214	CKV_AZURE_32	/azure/sql.tf	azurerm_postgresql_configuration.thrtottling_config	Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server	https://docs.bridgecrew.io/docs/bc_azr_networking_13
215	CKV_AZURE_30	/azure/sql.tf	azurerm_postgresql_configuration.example	Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server	https://docs.bridgecrew.io/docs/bc_azr_networking_11
216	CKV_AZURE_2	/azure/storage.tf	azurerm_managed_disk.example	Ensure Azure managed disk has encryption enabled	https://docs.bridgecrew.io/docs/bc_azr_general_1
217	CKV_AZURE_93	/azure/storage.tf	azurerm_managed_disk.example	Ensure that managed disks use a specific set of disk encryption sets for the customer-managed key encryption	https://docs.bridgecrew.io/docs/ensure-that-managed-disks-use-a-specific-set-of-disk-encryption-sets-for-the-customer-managed-key-encryption
218	CKV_AZURE_35	/azure/storage.tf	azurerm_storage_account.example	Ensure default network access rule for Storage Accounts is set to deny	https://docs.bridgecrew.io/docs/set-default-network-access-rule-for-storage-accounts-to-deny
219	CKV_AZURE_3	/azure/storage.tf	azurerm_storage_account.example	Ensure that 'Secure transfer required' is set to 'Enabled'
220	CKV_AZURE_33	/azure/storage.tf	azurerm_storage_account.example	Ensure Storage logging is enabled for Queue service for read, write and delete requests	https://docs.bridgecrew.io/docs/enable-requests-on-storage-logging-for-queue-service
221	CKV_AZURE_44	/azure/storage.tf	azurerm_storage_account.example	Ensure Storage Account is using the latest version of TLS encryption	https://docs.bridgecrew.io/docs/bc_azr_storage_2
222	CKV_AZURE_36	/azure/storage.tf	azurerm_storage_account_network_rules.test	Ensure 'Trusted Microsoft Services' is enabled for Storage Account access	https://docs.bridgecrew.io/docs/enable-trusted-microsoft-services-for-storage-account-access
223	CKV_GCP_6	/gcp/big_data.tf	google_sql_database_instance.master_instance	Ensure all Cloud SQL database instance requires all incoming connections to use SSL	https://docs.bridgecrew.io/docs/bc_gcp_general_1
224	CKV_GCP_11	/gcp/big_data.tf	google_sql_database_instance.master_instance	Ensure that Cloud SQL database Instances are not open to the world	https://docs.bridgecrew.io/docs/bc_gcp_networking_4
225	CKV_GCP_79	/gcp/big_data.tf	google_sql_database_instance.master_instance	Ensure SQL database is using latest Major version
226	CKV_GCP_60	/gcp/big_data.tf	google_sql_database_instance.master_instance	Ensure Cloud SQL database does not have public IP	https://docs.bridgecrew.io/docs/bc_gcp_sql_11
227	CKV_GCP_14	/gcp/big_data.tf	google_sql_database_instance.master_instance	Ensure all Cloud SQL database instance have backup configuration enabled	https://docs.bridgecrew.io/docs/bc_gcp_general_2
228	CKV_GCP_15	/gcp/big_data.tf	google_bigquery_dataset.dataset	Ensure that BigQuery datasets are not anonymously or publicly accessible	https://docs.bridgecrew.io/docs/bc_gcp_general_3
229	CKV_GCP_81	/gcp/big_data.tf	google_bigquery_dataset.dataset	Ensure Big Query Tables are encrypted with Customer Supplied Encryption Keys (CSEK)
230	CKV_GCP_62	/gcp/gcs.tf	google_storage_bucket.terragoat_website	Bucket should log access	https://docs.bridgecrew.io/docs/bc_gcp_logging_2
231	CKV_GCP_78	/gcp/gcs.tf	google_storage_bucket.terragoat_website	Ensure Cloud storage has versioning enabled
232	CKV_GCP_29	/gcp/gcs.tf	google_storage_bucket.terragoat_website	Ensure that Cloud Storage buckets have uniform bucket-level access enabled	https://docs.bridgecrew.io/docs/bc_gcp_gcs_2
233	CKV_GCP_28	/gcp/gcs.tf	google_storage_bucket_iam_binding.allow_public_read	Ensure that Cloud Storage bucket is not anonymously or publicly accessible	https://docs.bridgecrew.io/docs/bc_gcp_public_1
234	CKV_GCP_70	/gcp/gke.tf	google_container_cluster.workload_cluster	Ensure the GKE Release Channel is set	https://docs.bridgecrew.io/docs/ensure-the-gke-release-channel-is-set
235	CKV_GCP_69	/gcp/gke.tf	google_container_cluster.workload_cluster	Ensure the GKE Metadata Server is Enabled	https://docs.bridgecrew.io/docs/ensure-the-gke-metadata-server-is-enabled
236	CKV_GCP_67	/gcp/gke.tf	google_container_cluster.workload_cluster	Ensure legacy Compute Engine instance metadata APIs are Disabled	https://docs.bridgecrew.io/docs/ensure-legacy-compute-engine-instance-metadata-apis-are-disabled
237	CKV_GCP_19	/gcp/gke.tf	google_container_cluster.workload_cluster	Ensure GKE basic auth is disabled	https://docs.bridgecrew.io/docs/bc_gcp_kubernetes_11
238	CKV_GCP_21	/gcp/gke.tf	google_container_cluster.workload_cluster	Ensure Kubernetes Clusters are configured with Labels	https://docs.bridgecrew.io/docs/bc_gcp_kubernetes_13
239	CKV_GCP_66	/gcp/gke.tf	google_container_cluster.workload_cluster	Ensure use of Binary Authorization	https://docs.bridgecrew.io/docs/ensure-use-of-binary-authorization
240	CKV_GCP_61	/gcp/gke.tf	google_container_cluster.workload_cluster	Enable VPC Flow Logs and Intranode Visibility	https://docs.bridgecrew.io/docs/enable-vpc-flow-logs-and-intranode-visibility
241	CKV_GCP_25	/gcp/gke.tf	google_container_cluster.workload_cluster	Ensure Kubernetes Cluster is created with Private cluster enabled	https://docs.bridgecrew.io/docs/bc_gcp_kubernetes_6
242	CKV_GCP_1	/gcp/gke.tf	google_container_cluster.workload_cluster	Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters	https://docs.bridgecrew.io/docs/bc_gcp_kubernetes_1
243	CKV_GCP_18	/gcp/gke.tf	google_container_cluster.workload_cluster	Ensure GKE Control Plane is not public	https://docs.bridgecrew.io/docs/bc_gcp_kubernetes_10
244	CKV_GCP_64	/gcp/gke.tf	google_container_cluster.workload_cluster	Ensure clusters are created with Private Nodes	https://docs.bridgecrew.io/docs/ensure-clusters-are-created-with-private-nodes
245	CKV_GCP_13	/gcp/gke.tf	google_container_cluster.workload_cluster	Ensure client certificate authentication to Kubernetes Engine Clusters is disabled	https://docs.bridgecrew.io/docs/bc_gcp_kubernetes_8
246	CKV_GCP_12	/gcp/gke.tf	google_container_cluster.workload_cluster	Ensure Network Policy is enabled on Kubernetes Engine Clusters	https://docs.bridgecrew.io/docs/bc_gcp_kubernetes_7
247	CKV_GCP_65	/gcp/gke.tf	google_container_cluster.workload_cluster	Manage Kubernetes RBAC users with Google Groups for GKE	https://docs.bridgecrew.io/docs/manage-kubernetes-rbac-users-with-google-groups-for-gke
248	CKV_GCP_24	/gcp/gke.tf	google_container_cluster.workload_cluster	Ensure PodSecurityPolicy controller is enabled on the Kubernetes Engine Clusters	https://docs.bridgecrew.io/docs/bc_gcp_kubernetes_9
249	CKV_GCP_7	/gcp/gke.tf	google_container_cluster.workload_cluster	Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters	https://docs.bridgecrew.io/docs/bc_gcp_kubernetes_2
250	CKV_GCP_23	/gcp/gke.tf	google_container_cluster.workload_cluster	Ensure Kubernetes Cluster is created with Alias IP ranges enabled	https://docs.bridgecrew.io/docs/bc_gcp_kubernetes_15
251	CKV_GCP_8	/gcp/gke.tf	google_container_cluster.workload_cluster	Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters	https://docs.bridgecrew.io/docs/bc_gcp_kubernetes_3
252	CKV_GCP_68	/gcp/gke.tf	google_container_node_pool.custom_node_pool	Ensure Secure Boot for Shielded GKE Nodes is Enabled	https://docs.bridgecrew.io/docs/ensure-secure-boot-for-shielded-gke-nodes-is-enabled
253	CKV_GCP_22	/gcp/gke.tf	google_container_node_pool.custom_node_pool	Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image	https://docs.bridgecrew.io/docs/bc_gcp_kubernetes_14
254	CKV_GCP_69	/gcp/gke.tf	google_container_node_pool.custom_node_pool	Ensure the GKE Metadata Server is Enabled	https://docs.bridgecrew.io/docs/ensure-the-gke-metadata-server-is-enabled
255	CKV_GCP_9	/gcp/gke.tf	google_container_node_pool.custom_node_pool	Ensure 'Automatic node repair' is enabled for Kubernetes Clusters	https://docs.bridgecrew.io/docs/bc_gcp_kubernetes_4
256	CKV_GCP_10	/gcp/gke.tf	google_container_node_pool.custom_node_pool	Ensure 'Automatic node upgrade' is enabled for Kubernetes Clusters	https://docs.bridgecrew.io/docs/bc_gcp_kubernetes_5
257	CKV_GCP_38	/gcp/instances.tf	google_compute_instance.server	Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK)	https://docs.bridgecrew.io/docs/encrypt-boot-disks-for-instances-with-cseks
258	CKV_GCP_35	/gcp/instances.tf	google_compute_instance.server	Ensure 'Enable connecting to serial ports' is not enabled for VM Instance	https://docs.bridgecrew.io/docs/bc_gcp_networking_11
259	CKV_GCP_40	/gcp/instances.tf	google_compute_instance.server	Ensure that Compute instances do not have public IP addresses	https://docs.bridgecrew.io/docs/bc_gcp_public_2
260	CKV_GCP_34	/gcp/instances.tf	google_compute_instance.server	Ensure that no instance in the project overrides the project setting for enabling OSLogin(OSLogin needs to be enabled in project metadata for all instances)	https://docs.bridgecrew.io/docs/bc_gcp_networking_10
261	CKV_GCP_30	/gcp/instances.tf	google_compute_instance.server	Ensure that instances are not configured to use the default service account	https://docs.bridgecrew.io/docs/bc_gcp_iam_1
262	CKV_GCP_36	/gcp/instances.tf	google_compute_instance.server	Ensure that IP forwarding is not enabled on Instances	https://docs.bridgecrew.io/docs/bc_gcp_networking_12
263	CKV_GCP_32	/gcp/instances.tf	google_compute_instance.server	Ensure 'Block Project-wide SSH keys' is enabled for VM instances	https://docs.bridgecrew.io/docs/bc_gcp_networking_8
264	CKV_GCP_39	/gcp/instances.tf	google_compute_instance.server	Ensure Compute instances are launched with Shielded VM enabled	https://docs.bridgecrew.io/docs/bc_gcp_general_y
265	CKV_GCP_37	/gcp/instances.tf	google_compute_disk.unencrypted_disk	Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK)	https://docs.bridgecrew.io/docs/bc_gcp_general_x
266	CKV_GCP_74	/gcp/networks.tf	google_compute_subnetwork.public-subnetwork	Ensure that private_ip_google_access is enabled for Subnet
267	CKV_GCP_26	/gcp/networks.tf	google_compute_subnetwork.public-subnetwork	Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network	https://docs.bridgecrew.io/docs/bc_gcp_logging_1
268	CKV_GCP_76	/gcp/networks.tf	google_compute_subnetwork.public-subnetwork	Ensure that Private google access is enabled for IPV6
269	CKV_GCP_88	/gcp/networks.tf	google_compute_firewall.allow_all	Ensure Google compute firewall ingress does not allow unrestricted mysql access
270	CKV_GCP_106	/gcp/networks.tf	google_compute_firewall.allow_all	Ensure Google compute firewall ingress does not allow unrestricted http port 80 access
271	CKV_GCP_77	/gcp/networks.tf	google_compute_firewall.allow_all	Ensure Google compute firewall ingress does not allow on ftp port
272	CKV_GCP_3	/gcp/networks.tf	google_compute_firewall.allow_all	Ensure Google compute firewall ingress does not allow unrestricted rdp access	https://docs.bridgecrew.io/docs/bc_gcp_networking_2
273	CKV_GCP_75	/gcp/networks.tf	google_compute_firewall.allow_all	Ensure Google compute firewall ingress does not allow unrestricted FTP access
274	CKV_GCP_2	/gcp/networks.tf	google_compute_firewall.allow_all	Ensure Google compute firewall ingress does not allow unrestricted ssh access	https://docs.bridgecrew.io/docs/bc_gcp_networking_1
275	CKV_OCI_9	/oracle/bucket.tf	oci_objectstorage_bucket.secretsquirrel	Ensure OCI Object Storage is encrypted with Customer Managed Key	https://docs.bridgecrew.io/docs/ensure-oci-object-storage-is-encrypted-with-customer-managed-key
276	CKV_OCI_8	/oracle/bucket.tf	oci_objectstorage_bucket.secretsquirrel	Ensure OCI Object Storage has versioning enabled	https://docs.bridgecrew.io/docs/ensure-oci-object-storage-has-versioning-enabled
277	CKV_OCI_7	/oracle/bucket.tf	oci_objectstorage_bucket.secretsquirrel	Ensure OCI Object Storage bucket can emit object events	https://docs.bridgecrew.io/docs/ensure-oci-object-storage-bucket-can-emit-object-events
278	CKV_OCI_10	/oracle/bucket.tf	oci_objectstorage_bucket.secretsquirrel	Ensure OCI Object Storage is not Public	https://docs.bridgecrew.io/docs/ensure-oci-object-storage-is-not-public
279	CKV2_AWS_12	/aws/eks.tf	aws_vpc.eks_vpc	Ensure the default security group of every VPC restricts all traffic	https://docs.bridgecrew.io/docs/networking_4
280	CKV2_AWS_12	/aws/ec2.tf	aws_vpc.web_vpc	Ensure the default security group of every VPC restricts all traffic	https://docs.bridgecrew.io/docs/networking_4
281	CKV2_AWS_8	/aws/rds.tf	aws_rds_cluster.app8-rds-cluster	Ensure that RDS clusters has backup plan of AWS Backup	https://docs.bridgecrew.io/docs/ensure-that-rds-clusters-has-backup-plan-of-aws-backup
282	CKV2_AWS_8	/aws/rds.tf	aws_rds_cluster.app4-rds-cluster	Ensure that RDS clusters has backup plan of AWS Backup	https://docs.bridgecrew.io/docs/ensure-that-rds-clusters-has-backup-plan-of-aws-backup
283	CKV2_AWS_8	/aws/rds.tf	aws_rds_cluster.app7-rds-cluster	Ensure that RDS clusters has backup plan of AWS Backup	https://docs.bridgecrew.io/docs/ensure-that-rds-clusters-has-backup-plan-of-aws-backup
284	CKV2_AWS_8	/aws/rds.tf	aws_rds_cluster.app1-rds-cluster	Ensure that RDS clusters has backup plan of AWS Backup	https://docs.bridgecrew.io/docs/ensure-that-rds-clusters-has-backup-plan-of-aws-backup
285	CKV2_AWS_8	/aws/rds.tf	aws_rds_cluster.app3-rds-cluster	Ensure that RDS clusters has backup plan of AWS Backup	https://docs.bridgecrew.io/docs/ensure-that-rds-clusters-has-backup-plan-of-aws-backup
286	CKV2_AWS_8	/aws/rds.tf	aws_rds_cluster.app9-rds-cluster	Ensure that RDS clusters has backup plan of AWS Backup	https://docs.bridgecrew.io/docs/ensure-that-rds-clusters-has-backup-plan-of-aws-backup
287	CKV2_AWS_8	/aws/rds.tf	aws_rds_cluster.app5-rds-cluster	Ensure that RDS clusters has backup plan of AWS Backup	https://docs.bridgecrew.io/docs/ensure-that-rds-clusters-has-backup-plan-of-aws-backup
288	CKV2_AWS_8	/aws/rds.tf	aws_rds_cluster.app6-rds-cluster	Ensure that RDS clusters has backup plan of AWS Backup	https://docs.bridgecrew.io/docs/ensure-that-rds-clusters-has-backup-plan-of-aws-backup
289	CKV2_AWS_8	/aws/rds.tf	aws_rds_cluster.app2-rds-cluster	Ensure that RDS clusters has backup plan of AWS Backup	https://docs.bridgecrew.io/docs/ensure-that-rds-clusters-has-backup-plan-of-aws-backup
290	CKV_AWS_145	/aws/s3.tf	aws_s3_bucket.financials	Ensure that S3 buckets are encrypted with KMS by default	https://docs.bridgecrew.io/docs/ensure-that-s3-buckets-are-encrypted-with-kms-by-default
291	CKV_AWS_145	/aws/s3.tf	aws_s3_bucket.data_science	Ensure that S3 buckets are encrypted with KMS by default	https://docs.bridgecrew.io/docs/ensure-that-s3-buckets-are-encrypted-with-kms-by-default
292	CKV_AWS_145	/aws/s3.tf	aws_s3_bucket.data	Ensure that S3 buckets are encrypted with KMS by default	https://docs.bridgecrew.io/docs/ensure-that-s3-buckets-are-encrypted-with-kms-by-default
293	CKV_AWS_145	/aws/ec2.tf	aws_s3_bucket.flowbucket	Ensure that S3 buckets are encrypted with KMS by default	https://docs.bridgecrew.io/docs/ensure-that-s3-buckets-are-encrypted-with-kms-by-default
294	CKV_AWS_145	/aws/s3.tf	aws_s3_bucket.operations	Ensure that S3 buckets are encrypted with KMS by default	https://docs.bridgecrew.io/docs/ensure-that-s3-buckets-are-encrypted-with-kms-by-default
295	CKV_AWS_18	/aws/s3.tf	aws_s3_bucket.financials	Ensure the S3 bucket has access logging enabled	https://docs.bridgecrew.io/docs/s3_13-enable-logging
296	CKV_AWS_18	/aws/s3.tf	aws_s3_bucket.data	Ensure the S3 bucket has access logging enabled	https://docs.bridgecrew.io/docs/s3_13-enable-logging
297	CKV_AWS_18	/aws/ec2.tf	aws_s3_bucket.flowbucket	Ensure the S3 bucket has access logging enabled	https://docs.bridgecrew.io/docs/s3_13-enable-logging
298	CKV_AWS_18	/aws/s3.tf	aws_s3_bucket.operations	Ensure the S3 bucket has access logging enabled	https://docs.bridgecrew.io/docs/s3_13-enable-logging
299	CKV_AWS_18	/aws/s3.tf	aws_s3_bucket.logs	Ensure the S3 bucket has access logging enabled	https://docs.bridgecrew.io/docs/s3_13-enable-logging
300	CKV2_AWS_11	/aws/eks.tf	aws_vpc.eks_vpc	Ensure VPC flow logging is enabled in all VPCs	https://docs.bridgecrew.io/docs/logging_9-enable-vpc-flow-logging
301	CKV2_AWS_2	/aws/ec2.tf	aws_ebs_volume.web_host_storage	Ensure that only encrypted EBS volumes are attached to EC2 instances	https://docs.bridgecrew.io/docs/ensure-that-only-encrypted-ebs-volumes-are-attached-to-ec2-instances
302	CKV2_AWS_6	/aws/s3.tf	aws_s3_bucket.financials	Ensure that S3 bucket has a Public Access block	https://docs.bridgecrew.io/docs/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached
303	CKV2_AWS_6	/aws/s3.tf	aws_s3_bucket.data_science	Ensure that S3 bucket has a Public Access block	https://docs.bridgecrew.io/docs/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached
304	CKV2_AWS_6	/aws/s3.tf	aws_s3_bucket.data	Ensure that S3 bucket has a Public Access block	https://docs.bridgecrew.io/docs/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached
305	CKV2_AWS_6	/aws/ec2.tf	aws_s3_bucket.flowbucket	Ensure that S3 bucket has a Public Access block	https://docs.bridgecrew.io/docs/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached
306	CKV2_AWS_6	/aws/s3.tf	aws_s3_bucket.operations	Ensure that S3 bucket has a Public Access block	https://docs.bridgecrew.io/docs/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached
307	CKV2_AWS_6	/aws/s3.tf	aws_s3_bucket.logs	Ensure that S3 bucket has a Public Access block	https://docs.bridgecrew.io/docs/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached
308	CKV_AWS_21	/aws/s3.tf	aws_s3_bucket.financials	Ensure all data stored in the S3 bucket have versioning enabled	https://docs.bridgecrew.io/docs/s3_16-enable-versioning
309	CKV_AWS_21	/aws/s3.tf	aws_s3_bucket.data	Ensure all data stored in the S3 bucket have versioning enabled	https://docs.bridgecrew.io/docs/s3_16-enable-versioning
310	CKV_AWS_21	/aws/ec2.tf	aws_s3_bucket.flowbucket	Ensure all data stored in the S3 bucket have versioning enabled	https://docs.bridgecrew.io/docs/s3_16-enable-versioning
311	CKV2_AZURE_7	/azure/sql.tf	azurerm_sql_server.example	Ensure that Azure Active Directory Admin is configured	https://docs.bridgecrew.io/docs/ensure-that-azure-active-directory-admin-is-configured
312	CKV2_AZURE_1	/azure/storage.tf	azurerm_storage_account.example	Ensure storage for critical data are encrypted with Customer Managed Key	https://docs.bridgecrew.io/docs/ensure-storage-for-critical-data-are-encrypted-with-customer-managed-key
313	CKV2_AZURE_1	/azure/mssql.tf	azurerm_storage_account.security_storage_account	Ensure storage for critical data are encrypted with Customer Managed Key	https://docs.bridgecrew.io/docs/ensure-storage-for-critical-data-are-encrypted-with-customer-managed-key
314	CKV2_AZURE_16	/azure/sql.tf	azurerm_mysql_server.example	Ensure that MySQL server enables customer-managed key for encryption	https://docs.bridgecrew.io/docs/ensure-that-mysql-server-enables-customer-managed-key-for-encryption
315	CKV_AZURE_120	/azure/application_gateway.tf	azurerm_application_gateway.network	Ensure that Application Gateway enables WAF	https://docs.bridgecrew.io/docs/ensure-that-application-gateway-enables-waf
316	CKV_AWS_144	/aws/s3.tf	aws_s3_bucket.financials	Ensure that S3 bucket has cross-region replication enabled	https://docs.bridgecrew.io/docs/ensure-that-s3-bucket-has-cross-region-replication-enabled
317	CKV_AWS_144	/aws/s3.tf	aws_s3_bucket.data_science	Ensure that S3 bucket has cross-region replication enabled	https://docs.bridgecrew.io/docs/ensure-that-s3-bucket-has-cross-region-replication-enabled
318	CKV_AWS_144	/aws/s3.tf	aws_s3_bucket.data	Ensure that S3 bucket has cross-region replication enabled	https://docs.bridgecrew.io/docs/ensure-that-s3-bucket-has-cross-region-replication-enabled
319	CKV_AWS_144	/aws/ec2.tf	aws_s3_bucket.flowbucket	Ensure that S3 bucket has cross-region replication enabled	https://docs.bridgecrew.io/docs/ensure-that-s3-bucket-has-cross-region-replication-enabled
320	CKV_AWS_144	/aws/s3.tf	aws_s3_bucket.operations	Ensure that S3 bucket has cross-region replication enabled	https://docs.bridgecrew.io/docs/ensure-that-s3-bucket-has-cross-region-replication-enabled
321	CKV_AWS_144	/aws/s3.tf	aws_s3_bucket.logs	Ensure that S3 bucket has cross-region replication enabled	https://docs.bridgecrew.io/docs/ensure-that-s3-bucket-has-cross-region-replication-enabled
322	CKV2_AZURE_18	/azure/storage.tf	azurerm_storage_account.example	Ensure that Storage Accounts use customer-managed key for encryption	https://docs.bridgecrew.io/docs/ensure-that-storage-accounts-use-customer-managed-key-for-encryption
323	CKV2_AZURE_18	/azure/mssql.tf	azurerm_storage_account.security_storage_account	Ensure that Storage Accounts use customer-managed key for encryption	https://docs.bridgecrew.io/docs/ensure-that-storage-accounts-use-customer-managed-key-for-encryption
324	CKV_AWS_19	/aws/s3.tf	aws_s3_bucket.financials	Ensure all data stored in the S3 bucket is securely encrypted at rest	https://docs.bridgecrew.io/docs/s3_14-data-encrypted-at-rest
325	CKV_AWS_19	/aws/s3.tf	aws_s3_bucket.data_science	Ensure all data stored in the S3 bucket is securely encrypted at rest	https://docs.bridgecrew.io/docs/s3_14-data-encrypted-at-rest
326	CKV_AWS_19	/aws/s3.tf	aws_s3_bucket.data	Ensure all data stored in the S3 bucket is securely encrypted at rest	https://docs.bridgecrew.io/docs/s3_14-data-encrypted-at-rest
327	CKV_AWS_19	/aws/ec2.tf	aws_s3_bucket.flowbucket	Ensure all data stored in the S3 bucket is securely encrypted at rest	https://docs.bridgecrew.io/docs/s3_14-data-encrypted-at-rest
328	CKV_AWS_19	/aws/s3.tf	aws_s3_bucket.operations	Ensure all data stored in the S3 bucket is securely encrypted at rest	https://docs.bridgecrew.io/docs/s3_14-data-encrypted-at-rest
329	CKV_AZURE_24	/azure/sql.tf	azurerm_sql_server.example	Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers	https://docs.bridgecrew.io/docs/bc_azr_logging_3
330	CKV_AZURE_24	/azure/mssql.tf	azurerm_mssql_server.mssql5	Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers	https://docs.bridgecrew.io/docs/bc_azr_logging_3
331	CKV_AZURE_24	/azure/mssql.tf	azurerm_mssql_server.mssql1	Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers	https://docs.bridgecrew.io/docs/bc_azr_logging_3
332	CKV_AZURE_24	/azure/mssql.tf	azurerm_mssql_server.mssql6	Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers	https://docs.bridgecrew.io/docs/bc_azr_logging_3
333	CKV_AZURE_24	/azure/mssql.tf	azurerm_mssql_server.mssql2	Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers	https://docs.bridgecrew.io/docs/bc_azr_logging_3
334	CKV_AZURE_24	/azure/mssql.tf	azurerm_mssql_server.mssql4	Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers	https://docs.bridgecrew.io/docs/bc_azr_logging_3
335	CKV_AZURE_24	/azure/mssql.tf	azurerm_mssql_server.mssql7	Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers	https://docs.bridgecrew.io/docs/bc_azr_logging_3
336	CKV_AZURE_24	/azure/mssql.tf	azurerm_mssql_server.mssql3	Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers	https://docs.bridgecrew.io/docs/bc_azr_logging_3
337	CKV_AZURE_23	/azure/sql.tf	azurerm_sql_server.example	Ensure that 'Auditing' is set to 'On' for SQL servers	https://docs.bridgecrew.io/docs/bc_azr_logging_2
338	CKV_AZURE_23	/azure/mssql.tf	azurerm_mssql_server.mssql5	Ensure that 'Auditing' is set to 'On' for SQL servers	https://docs.bridgecrew.io/docs/bc_azr_logging_2
339	CKV_AZURE_23	/azure/mssql.tf	azurerm_mssql_server.mssql1	Ensure that 'Auditing' is set to 'On' for SQL servers	https://docs.bridgecrew.io/docs/bc_azr_logging_2
340	CKV_AZURE_23	/azure/mssql.tf	azurerm_mssql_server.mssql6	Ensure that 'Auditing' is set to 'On' for SQL servers	https://docs.bridgecrew.io/docs/bc_azr_logging_2
341	CKV_AZURE_23	/azure/mssql.tf	azurerm_mssql_server.mssql2	Ensure that 'Auditing' is set to 'On' for SQL servers	https://docs.bridgecrew.io/docs/bc_azr_logging_2
342	CKV_AZURE_23	/azure/mssql.tf	azurerm_mssql_server.mssql4	Ensure that 'Auditing' is set to 'On' for SQL servers	https://docs.bridgecrew.io/docs/bc_azr_logging_2
343	CKV_AZURE_23	/azure/mssql.tf	azurerm_mssql_server.mssql7	Ensure that 'Auditing' is set to 'On' for SQL servers	https://docs.bridgecrew.io/docs/bc_azr_logging_2
344	CKV_AZURE_23	/azure/mssql.tf	azurerm_mssql_server.mssql3	Ensure that 'Auditing' is set to 'On' for SQL servers	https://docs.bridgecrew.io/docs/bc_azr_logging_2

dockerfile scan results:

	check_id	file	resource	check_name	guideline
0	CKV_DOCKER_3	/aws/resources/Dockerfile	/aws/resources/Dockerfile.	Ensure that a user for the container has been created	https://docs.bridgecrew.io/docs/ensure-that-a-user-for-the-container-has-been-created
1	CKV_DOCKER_2	/aws/resources/Dockerfile	/aws/resources/Dockerfile.	Ensure that HEALTHCHECK instructions have been added to container images	https://docs.bridgecrew.io/docs/ensure-that-healthcheck-instructions-have-been-added-to-container-images

secrets scan results:

	check_id	file	resource	check_name	guideline
0	CKV_SECRET_2	/aws/lambda.tf	25910f981e85ca04baf359199dd0bd4a3ae738b6	AWS Access Key	https://docs.bridgecrew.io/docs/git_secrets_2
1	CKV_SECRET_6	/aws/lambda.tf	d70eab08607a4d05faa2d0d6647206599e9abc65	Base64 High Entropy String	https://docs.bridgecrew.io/docs/git_secrets_6
2	CKV_SECRET_2	/aws/providers.tf	25910f981e85ca04baf359199dd0bd4a3ae738b6	AWS Access Key	https://docs.bridgecrew.io/docs/git_secrets_2
3	CKV_SECRET_6	/aws/providers.tf	d70eab08607a4d05faa2d0d6647206599e9abc65	Base64 High Entropy String	https://docs.bridgecrew.io/docs/git_secrets_6
4	CKV_SECRET_6	/azure/sql.tf	a57ae0fe47084bc8a05f69f3f8083896f8b437b0	Base64 High Entropy String	https://docs.bridgecrew.io/docs/git_secrets_6

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

README.md

README.md

TerraGoat - Vulnerable Terraform Infrastructure

Table of Contents

Introduction

Important notes

Requirements

Getting started

AWS Setup

Installation (AWS)

Create an S3 Bucket backend to keep Terraform state

Apply TerraGoat (AWS)

Remove TerraGoat (AWS)

Creating multiple TerraGoat AWS stacks

Deleting multiple TerraGoat stacks (AWS)

Azure Setup

Installation (Azure)

Create an Azure Storage Account backend to keep Terraform state

Apply TerraGoat (Azure)

Remove TerraGoat (Azure)

GCP Setup

Installation (GCP)

Create a GCS backend to keep Terraform state

Apply TerraGoat (GCP)

Remove TerraGoat (GCP)

Bridgecrew's IaC herd of goats

Contributing

Support

Existing vulnerabilities (Auto-Generated)

terraform scan results:

dockerfile scan results:

secrets scan results:

Files

README.md

Latest commit

History

README.md

File metadata and controls

TerraGoat - Vulnerable Terraform Infrastructure

Table of Contents

Introduction

Important notes

Requirements

Getting started

AWS Setup

Installation (AWS)

Create an S3 Bucket backend to keep Terraform state

Apply TerraGoat (AWS)

Remove TerraGoat (AWS)

Creating multiple TerraGoat AWS stacks

Deleting multiple TerraGoat stacks (AWS)

Azure Setup

Installation (Azure)

Create an Azure Storage Account backend to keep Terraform state

Apply TerraGoat (Azure)

Remove TerraGoat (Azure)

GCP Setup

Installation (GCP)

Create a GCS backend to keep Terraform state

Apply TerraGoat (GCP)

Remove TerraGoat (GCP)

Bridgecrew's IaC herd of goats

Contributing

Support

Existing vulnerabilities (Auto-Generated)

terraform scan results:

dockerfile scan results:

secrets scan results: