├── .gitignore ├── LICENSE ├── Makefile ├── README.md ├── generate_readme_tables.py ├── resources └── README.md.template ├── run_all_tools.sh └── test-cases └── terraform ├── aws ├── best-practices │ ├── alb_drop_http_headers │ │ ├── README.md │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ ├── cloudfront_not_using_waf │ │ ├── README.md │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ ├── cloudtrail_enabled_on_multi_region │ │ ├── README.md │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ ├── config_aggregator_all_regions │ │ ├── README.md │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ ├── deploy_ec2_to_default_vpc │ │ ├── README.md │ │ ├── checkov_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ ├── deploy_redshift_in_ec2_classic_mode │ │ ├── README.md │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ ├── dynamodb_without_recovery_enabled │ │ ├── README.md │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── 
tfsec_results.txt │ ├── ec2_ebs_not_optimized │ │ ├── README.md │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ ├── ecr_make_tags_immutable │ │ ├── README.md │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ ├── ecr_use_image_scanning │ │ ├── README.md │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ ├── ecs_cluster_container_insights │ │ ├── README.md │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ ├── elasticache_automatic_backup │ │ ├── README.md │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ ├── kms_uses_rotation │ │ ├── README.md │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ ├── rds_retention_period_set │ │ ├── README.md │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ ├── security_group_no_description_for_rules │ │ ├── README.md │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── 
results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ ├── security_group_no_description_for_security_group │ │ ├── README.md │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ ├── security_group_no_unused │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ ├── tag_all_items │ │ ├── README.md │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── plan.json │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ └── using_public_amis │ │ ├── README.md │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt ├── encryption │ ├── at-rest │ │ ├── athena_not_encrypted │ │ │ ├── checkov_results.txt │ │ │ ├── cloudrail_results.txt │ │ │ ├── kics_results.txt │ │ │ ├── main.tf │ │ │ ├── results_summary.json │ │ │ ├── snyk_results.txt │ │ │ ├── terrascan_results.txt │ │ │ └── tfsec_results.txt │ │ ├── cloudtrail_not_encrypted │ │ │ ├── checkov_results.txt │ │ │ ├── cloudrail_results.txt │ │ │ ├── kics_results.txt │ │ │ ├── main.tf │ │ │ ├── results_summary.json │ │ │ ├── snyk_results.txt │ │ │ ├── terrascan_results.txt │ │ │ └── tfsec_results.txt │ │ ├── cloudwatch_groups_not_encrypted │ │ │ ├── checkov_results.txt │ │ │ ├── cloudrail_results.txt │ │ │ ├── kics_results.txt │ │ │ ├── main.tf │ │ │ ├── results_summary.json │ │ │ ├── snyk_results.txt │ │ │ ├── terrascan_results.txt │ │ │ └── tfsec_results.txt │ │ ├── codbuild_using_aws_key │ │ │ ├── 
checkov_results.txt │ │ │ ├── cloudrail_results.txt │ │ │ ├── kics_results.txt │ │ │ ├── main.tf │ │ │ ├── results_summary.json │ │ │ ├── snyk_results.txt │ │ │ ├── terrascan_results.txt │ │ │ └── tfsec_results.txt │ │ ├── dax_cluster_not_encrypted │ │ │ ├── checkov_results.txt │ │ │ ├── cloudrail_results.txt │ │ │ ├── kics_results.txt │ │ │ ├── main.tf │ │ │ ├── results_summary.json │ │ │ ├── snyk_results.txt │ │ │ ├── terrascan_results.txt │ │ │ └── tfsec_results.txt │ │ ├── docdb_cluster_encrypted_at_rest_using_cmk_not_customer_managed │ │ │ ├── checkov_results.txt │ │ │ ├── cloudrail_results.txt │ │ │ ├── kics_results.txt │ │ │ ├── main.tf │ │ │ ├── results_summary.json │ │ │ ├── snyk_results.txt │ │ │ ├── terrascan_results.txt │ │ │ └── tfsec_results.txt │ │ ├── docdb_cluster_encrypted_without_kms_key │ │ │ ├── checkov_results.txt │ │ │ ├── cloudrail_results.txt │ │ │ ├── kics_results.txt │ │ │ ├── main.tf │ │ │ ├── results_summary.json │ │ │ ├── snyk_results.txt │ │ │ ├── terrascan_results.txt │ │ │ └── tfsec_results.txt │ │ ├── docdb_clusters_non_encrypted │ │ │ ├── checkov_results.txt │ │ │ ├── cloudrail_results.txt │ │ │ ├── kics_results.txt │ │ │ ├── main.tf │ │ │ ├── results_summary.json │ │ │ ├── snyk_results.txt │ │ │ ├── terrascan_results.txt │ │ │ └── tfsec_results.txt │ │ ├── dynamodb_not_encrypted │ │ │ ├── checkov_results.txt │ │ │ ├── cloudrail_results.txt │ │ │ ├── kics_results.txt │ │ │ ├── main.tf │ │ │ ├── results_summary.json │ │ │ ├── snyk_results.txt │ │ │ ├── terrascan_results.txt │ │ │ └── tfsec_results.txt │ │ ├── ecr_repo_not_encrypted │ │ │ ├── checkov_results.txt │ │ │ ├── cloudrail_results.txt │ │ │ ├── kics_results.txt │ │ │ ├── main.tf │ │ │ ├── results_summary.json │ │ │ ├── snyk_results.txt │ │ │ ├── terrascan_results.txt │ │ │ └── tfsec_results.txt │ │ ├── elasticache_replication_group_not_encrypted_at_rest │ │ │ ├── checkov_results.txt │ │ │ ├── cloudrail_results.txt │ │ │ ├── kics_results.txt │ │ │ ├── main.tf │ │ │ ├── 
results_summary.json │ │ │ ├── snyk_results.txt │ │ │ ├── terrascan_results.txt │ │ │ └── tfsec_results.txt │ │ ├── elasticsearch_not_encrypted │ │ │ ├── checkov_results.txt │ │ │ ├── cloudrail_results.txt │ │ │ ├── kics_results.txt │ │ │ ├── main.tf │ │ │ ├── results_summary.json │ │ │ ├── snyk_results.txt │ │ │ ├── terrascan_results.txt │ │ │ └── tfsec_results.txt │ │ ├── kinesis_stream_not_encrypted │ │ │ ├── checkov_results.txt │ │ │ ├── cloudrail_results.txt │ │ │ ├── kics_results.txt │ │ │ ├── main.tf │ │ │ ├── results_summary.json │ │ │ ├── snyk_results.txt │ │ │ ├── terrascan_results.txt │ │ │ └── tfsec_results.txt │ │ ├── neptune_cluster_no_encryption │ │ │ ├── checkov_results.txt │ │ │ ├── cloudrail_results.txt │ │ │ ├── kics_results.txt │ │ │ ├── main.tf │ │ │ ├── results_summary.json │ │ │ ├── snyk_results.txt │ │ │ ├── terrascan_results.txt │ │ │ └── tfsec_results.txt │ │ ├── rds_cluster_encrypt_at_rest_disabled │ │ │ ├── checkov_results.txt │ │ │ ├── cloudrail_results.txt │ │ │ ├── kics_results.txt │ │ │ ├── main.tf │ │ │ ├── results_summary.json │ │ │ ├── snyk_results.txt │ │ │ ├── terrascan_results.txt │ │ │ └── tfsec_results.txt │ │ ├── redshift_not_encrypted │ │ │ ├── checkov_results.txt │ │ │ ├── cloudrail_results.txt │ │ │ ├── kics_results.txt │ │ │ ├── main.tf │ │ │ ├── results_summary.json │ │ │ ├── snyk_results.txt │ │ │ ├── terrascan_results.txt │ │ │ └── tfsec_results.txt │ │ ├── rest_api_cache_non_encrypted │ │ │ ├── checkov_results.txt │ │ │ ├── cloudrail_results.txt │ │ │ ├── kics_results.txt │ │ │ ├── main.tf │ │ │ ├── results_summary.json │ │ │ ├── snyk_results.txt │ │ │ ├── terrascan_results.txt │ │ │ └── tfsec_results.txt │ │ ├── s3_bucket_non_encrypted │ │ │ ├── checkov_results.txt │ │ │ ├── cloudrail_results.txt │ │ │ ├── kics_results.txt │ │ │ ├── main.tf │ │ │ ├── results_summary.json │ │ │ ├── snyk_results.txt │ │ │ ├── terrascan_results.txt │ │ │ └── tfsec_results.txt │ │ ├── s3_bucket_object_non_encrypted │ │ │ ├── 
checkov_results.txt │ │ │ ├── cloudrail_results.txt │ │ │ ├── kics_results.txt │ │ │ ├── main.tf │ │ │ ├── results_summary.json │ │ │ ├── snyk_results.txt │ │ │ ├── terrascan_results.txt │ │ │ └── tfsec_results.txt │ │ ├── sagemaker_not_encrypted │ │ │ ├── checkov_results.txt │ │ │ ├── cloudrail_results.txt │ │ │ ├── kics_results.txt │ │ │ ├── main.tf │ │ │ ├── results_summary.json │ │ │ ├── snyk_results.txt │ │ │ ├── terrascan_results.txt │ │ │ └── tfsec_results.txt │ │ ├── secretsmanager_secrets_encrypted_at_rest_with_aws_managed_key_by_default │ │ │ ├── checkov_results.txt │ │ │ ├── cloudrail_results.txt │ │ │ ├── kics_results.txt │ │ │ ├── main.tf │ │ │ ├── results_summary.json │ │ │ ├── snyk_results.txt │ │ │ ├── terrascan_results.txt │ │ │ └── tfsec_results.txt │ │ ├── secretsmanager_secrets_encrypted_at_rest_with_aws_managed_key_by_key_arn │ │ │ ├── checkov_results.txt │ │ │ ├── cloudrail_results.txt │ │ │ ├── kics_results.txt │ │ │ ├── main.tf │ │ │ ├── results_summary.json │ │ │ ├── snyk_results.txt │ │ │ ├── terrascan_results.txt │ │ │ └── tfsec_results.txt │ │ ├── sns_topic_encrypted_at_rest_with_aws_managed_key_by_key_arn │ │ │ ├── checkov_results.txt │ │ │ ├── cloudrail_results.txt │ │ │ ├── kics_results.txt │ │ │ ├── main.tf │ │ │ ├── results_summary.json │ │ │ ├── snyk_results.txt │ │ │ ├── terrascan_results.txt │ │ │ └── tfsec_results.txt │ │ ├── sqs_queue_not_encrypted │ │ │ ├── checkov_results.txt │ │ │ ├── cloudrail_results.txt │ │ │ ├── kics_results.txt │ │ │ ├── main.tf │ │ │ ├── results_summary.json │ │ │ ├── snyk_results.txt │ │ │ ├── terrascan_results.txt │ │ │ └── tfsec_results.txt │ │ ├── workgroups_non_encrypted │ │ │ ├── checkov_results.txt │ │ │ ├── cloudrail_results.txt │ │ │ ├── kics_results.txt │ │ │ ├── main.tf │ │ │ ├── results_summary.json │ │ │ ├── snyk_results.txt │ │ │ ├── terrascan_results.txt │ │ │ └── tfsec_results.txt │ │ ├── workspace_root_volume_not_encrypted_at_rest │ │ │ ├── checkov_results.txt │ │ │ ├── 
cloudrail_results.txt │ │ │ ├── kics_results.txt │ │ │ ├── main.tf │ │ │ ├── results_summary.json │ │ │ ├── snyk_results.txt │ │ │ ├── terrascan_results.txt │ │ │ └── tfsec_results.txt │ │ └── workspace_user_volume_not_encrypted_at_rest │ │ │ ├── checkov_results.txt │ │ │ ├── cloudrail_results.txt │ │ │ ├── kics_results.txt │ │ │ ├── main.tf │ │ │ ├── results_summary.json │ │ │ ├── snyk_results.txt │ │ │ ├── terrascan_results.txt │ │ │ └── tfsec_results.txt │ └── in-transit │ │ ├── alb_use_http │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ │ ├── cloudfront_distribution_not_encrypted │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ │ ├── cloudfront_protocol_version_is_low │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ │ ├── ecs_task_definition_not_encrypted_in_transit │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ │ ├── elasticache_replication_group_not_encrypted_in_transit │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ │ ├── elasticsearch_encrypt_node_to_node_disabled │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── 
tfsec_results.txt │ │ ├── load_balancer_listener_http │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ │ └── vpc_has_only_dynamodb_vpce_gw_connection │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt ├── iam │ ├── iam-entities │ │ ├── human_users_defined │ │ │ ├── README.md │ │ │ ├── checkov_results.txt │ │ │ ├── cloudrail_results.txt │ │ │ ├── kics_results.txt │ │ │ ├── main.tf │ │ │ ├── results_summary.json │ │ │ ├── snyk_results.txt │ │ │ ├── terrascan_results.txt │ │ │ └── tfsec_results.txt │ │ ├── iam_user_inline_policy_attach │ │ │ ├── README.md │ │ │ ├── checkov_results.txt │ │ │ ├── cloudrail_results.txt │ │ │ ├── kics_results.txt │ │ │ ├── main.tf │ │ │ ├── results_summary.json │ │ │ ├── snyk_results.txt │ │ │ ├── terrascan_results.txt │ │ │ └── tfsec_results.txt │ │ ├── iam_user_managed_policy_direct_attachment │ │ │ ├── README.md │ │ │ ├── checkov_results.txt │ │ │ ├── cloudrail_results.txt │ │ │ ├── kics_results.txt │ │ │ ├── main.tf │ │ │ ├── results_summary.json │ │ │ ├── snyk_results.txt │ │ │ ├── terrascan_results.txt │ │ │ └── tfsec_results.txt │ │ ├── passrole_and_lambda_permissions_cause_priv_escalation │ │ │ ├── README.md │ │ │ ├── checkov_results.txt │ │ │ ├── cloudrail_results.txt │ │ │ ├── kics_results.txt │ │ │ ├── main.tf │ │ │ ├── results_summary.json │ │ │ ├── snyk_results.txt │ │ │ ├── terrascan_results.txt │ │ │ └── tfsec_results.txt │ │ ├── policy-too-broad │ │ │ ├── README.md │ │ │ ├── checkov_results.txt │ │ │ ├── cloudrail_results.txt │ │ │ ├── kics_results.txt │ │ │ ├── main.tf │ │ │ ├── results_summary.json │ │ │ ├── snyk_results.txt │ │ │ ├── terrascan_results.txt │ │ │ └── tfsec_results.txt │ │ ├── 
policy_missing_principal │ │ │ ├── checkov_results.txt │ │ │ ├── cloudrail_results.txt │ │ │ ├── kics_results.txt │ │ │ ├── main.tf │ │ │ ├── results_summary.json │ │ │ ├── snyk_results.txt │ │ │ ├── terrascan_results.txt │ │ │ └── tfsec_results.txt │ │ ├── public_and_private_ec2_same_role │ │ │ ├── README.md │ │ │ ├── checkov_results.txt │ │ │ ├── cloudrail_results.txt │ │ │ ├── kics_results.txt │ │ │ ├── main.tf │ │ │ ├── results_summary.json │ │ │ ├── snyk_results.txt │ │ │ ├── terrascan_results.txt │ │ │ └── tfsec_results.txt │ │ └── role_assume_policy_principal_all │ │ │ ├── checkov_results.txt │ │ │ ├── cloudrail_results.txt │ │ │ ├── kics_results.txt │ │ │ ├── main.tf │ │ │ ├── results_summary.json │ │ │ ├── snyk_results.txt │ │ │ ├── terrascan_results.txt │ │ │ └── tfsec_results.txt │ ├── resource-authentication │ │ ├── rds_without_authentication │ │ │ ├── checkov_results.txt │ │ │ ├── cloudrail_results.txt │ │ │ ├── kics_results.txt │ │ │ ├── main.tf │ │ │ ├── results_summary.json │ │ │ ├── snyk_results.txt │ │ │ ├── terrascan_results.txt │ │ │ └── tfsec_results.txt │ │ └── rest_api_without_authorization │ │ │ ├── checkov_results.txt │ │ │ ├── cloudrail_results.txt │ │ │ ├── kics_results.txt │ │ │ ├── main.tf │ │ │ ├── results_summary.json │ │ │ ├── snyk_results.txt │ │ │ ├── terrascan_results.txt │ │ │ └── tfsec_results.txt │ └── resource-policies │ │ ├── cloudwatch_log_destination_insecure_policy │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ │ ├── ecr_not_secure_policy │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ │ ├── efs_not_secure_policy │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── 
main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ │ ├── elasticsearch_domain_not_secure_policy │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ │ ├── glacier_vault_not_secure_policy │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ │ ├── glue_data_catalog_not_secure_policy │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ │ ├── kms_key_not_secure_policy │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ │ ├── lambda_not_secure_policy │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ │ ├── rest_api_not_secure_policy │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ │ ├── s3_bucket_acl_public_all_authenticated_users_canned │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ │ ├── s3_bucket_acl_public_all_users_canned │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── 
kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ │ ├── s3_bucket_acl_public_all_users_canned_with_overriding_access_block │ │ ├── README.md │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ │ ├── s3_bucket_policy_public_to_all_authenticated_users │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ │ └── secrets_manager_not_secure_policy │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt ├── logging │ ├── api_gateway_no_xray │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ ├── cloudfront_distribution_without_logging │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ ├── cloudtrail_file_log_validation_disabled │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ ├── cloudwatch_log_groups_no_retention │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ ├── 
docdb_audit_logs_missing │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ ├── ec2_without_monitoring │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ ├── eks_logging_disabled │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ ├── elasticsearch_domain_logging_disabled │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ ├── elb_without_access_logs │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ ├── globalaccelerator_accelerator_no_flow_logs │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ ├── lambda_without_explicit_log_group │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ ├── lambda_without_xray │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── lambda_function_payload.zip │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ ├── 
neptune_cluster_no_logging │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ ├── rds_without_logging │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ ├── redshift_without_logging │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ ├── rest_api_no_access_logging │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ └── s3_access_logging_disabled │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt └── networking │ ├── default_sg_in_new_vpc │ ├── checkov_results.txt │ ├── cloudrail_results.txt │ ├── kics_results.txt │ ├── main.tf │ ├── results_summary.json │ ├── snyk_results.txt │ ├── terrascan_results.txt │ └── tfsec_results.txt │ ├── lambda_not_in_vpc │ ├── checkov_results.txt │ ├── cloudrail_results.txt │ ├── kics_results.txt │ ├── lambda_function_payload.zip │ ├── main.tf │ ├── results_summary.json │ ├── snyk_results.txt │ ├── terrascan_results.txt │ └── tfsec_results.txt │ ├── over_exposed_vpc_peering │ ├── checkov_results.txt │ ├── cloudrail_results.txt │ ├── kics_results.txt │ ├── main.tf │ ├── results_summary.json │ ├── snyk_results.txt │ ├── terrascan_results.txt │ └── tfsec_results.txt │ ├── public_ec2_points_to_private_domain │ ├── README.md │ ├── checkov_results.txt │ ├── 
cloudrail_results.txt │ ├── kics_results.txt │ ├── main.tf │ ├── results_summary.json │ ├── snyk_results.txt │ ├── terrascan_results.txt │ └── tfsec_results.txt │ ├── public_ec2_points_to_private_rds │ ├── README.md │ ├── checkov_results.txt │ ├── cloudrail_results.txt │ ├── kics_results.txt │ ├── main.tf │ ├── results_summary.json │ ├── snyk_results.txt │ ├── terrascan_results.txt │ └── tfsec_results.txt │ ├── public_ec2_points_to_private_redshift │ ├── README.md │ ├── checkov_results.txt │ ├── cloudrail_results.txt │ ├── kics_results.txt │ ├── main.tf │ ├── results_summary.json │ ├── snyk_results.txt │ ├── terrascan_results.txt │ └── tfsec_results.txt │ ├── publicly_accessible_dms │ ├── checkov_results.txt │ ├── cloudrail_results.txt │ ├── kics_results.txt │ ├── main.tf │ ├── results_summary.json │ ├── snyk_results.txt │ ├── terrascan_results.txt │ └── tfsec_results.txt │ ├── publicly_accessible_neptune_db │ ├── checkov_results.txt │ ├── cloudrail_results.txt │ ├── kics_results.txt │ ├── main.tf │ ├── results_summary.json │ ├── snyk_results.txt │ ├── terrascan_results.txt │ └── tfsec_results.txt │ ├── rds-vpc-controlled-public │ ├── checkov_results.txt │ ├── cloudrail_results.txt │ ├── kics_results.txt │ ├── main.tf │ ├── rds_publicly_accessible.rego │ ├── results_summary.json │ ├── snyk_results.txt │ ├── terrascan_results.txt │ └── tfsec_results.txt │ └── vpc-endpoints │ ├── dynamodb-vpce-exist-without-routeassociation │ ├── README.md │ ├── checkov_results.txt │ ├── cloudrail_results.txt │ ├── kics_results.txt │ ├── main.tf │ ├── results_summary.json │ ├── snyk_results.txt │ ├── terrascan_results.txt │ └── tfsec_results.txt │ └── sqs-vpc-endpoint-without-dns-resolution │ ├── README.md │ ├── checkov_results.txt │ ├── cloudrail_results.txt │ ├── kics_results.txt │ ├── main.tf │ ├── results_summary.json │ ├── snyk_results.txt │ ├── terrascan_results.txt │ └── tfsec_results.txt ├── azure ├── best-practices │ ├── defender_for_app_services_disabled │ │ ├── 
checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ ├── defender_for_container_registry_not_used │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ ├── defender_for_keyvault_disabled │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ ├── defender_for_kubernetes_not_used │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ ├── defender_for_servers_not_used │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ ├── defender_for_sql_servers_not_used │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ ├── defender_for_storage_not_used │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ ├── email_notifications_for_high_severity_alerts_not_used │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ ├── func_app_not_using_http2 │ │ ├── 
checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ ├── func_app_not_using_latest_tls │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ ├── functionapp_lin_java_isnot_latest │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ ├── functionapp_python_isnot_latest │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ ├── functionapp_win_java_isnot_latest │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ ├── sql_vulnerability_assessment_not_enabled │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ ├── sql_vulnerability_email_not_set │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ ├── vm_unmanaged_disks │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ ├── vmss_unmanaged_disks │ │ ├── checkov_results.txt │ │ ├── 
cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ ├── vpn_gw_using_basic_sku │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ ├── webapp_http2_not_enabled │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ ├── webapp_lin_java_isnot_latest │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ ├── webapp_php_isnot_latest │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ └── webapp_win_java_isnot_latest │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt ├── encryption │ ├── at-rest │ │ ├── activitylog_storage_account_encryption_not_enabled │ │ │ ├── checkov_results.txt │ │ │ ├── cloudrail_results.txt │ │ │ ├── kics_results.txt │ │ │ ├── main.tf │ │ │ ├── results_summary.json │ │ │ ├── snyk_results.txt │ │ │ ├── terrascan_results.txt │ │ │ └── tfsec_results.txt │ │ ├── sql_encryption_customer_key_not_set │ │ │ ├── checkov_results.txt │ │ │ ├── cloudrail_results.txt │ │ │ ├── kics_results.txt │ │ │ ├── main.tf │ │ │ ├── results_summary.json │ │ │ ├── snyk_results.txt │ │ │ ├── terrascan_results.txt │ │ │ └── tfsec_results.txt │ │ └── storacc_encryption_not_enabled 
│ │ │ ├── checkov_results.txt │ │ │ ├── cloudrail_results.txt │ │ │ ├── kics_results.txt │ │ │ ├── main.tf │ │ │ ├── results_summary.json │ │ │ ├── snyk_results.txt │ │ │ ├── terrascan_results.txt │ │ │ └── tfsec_results.txt │ └── in-transit │ │ ├── app_service_ftps_unused │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ │ ├── app_service_use_most_recent_supported_tls │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ │ ├── func_app_ftps_not_required │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ │ ├── mysql_not_forcing_ssl │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ │ └── postgresql_not_forcing_ssl │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt ├── iam │ ├── app_service_authentication_missing │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ ├── custom-role-owner-exists │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ ├── func_app_authentication │ 
│ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ ├── func_app_client_cert_optional │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ ├── functionapp_not_use_managedidentity │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ ├── sql-server-ad-admin-not-set │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ ├── storage_account_public_access_disabled │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ ├── webapp_client_cert_not_enabled │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ └── webapp_not_use_managedidentity │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt ├── logging │ ├── auto_prov_log_analytics_agent_disabled │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ ├── batch_diagnostic_disabled │ │ ├── 
checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ ├── dl_analytics_diagnostic_not_enabled │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ ├── dl_store_diagnostic_not_enabled │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ ├── event_hub_diagnostic_not_enabled │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ ├── iot_hub_diagnostic_not_enabled │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ ├── logic_app_wf_diagnostic_not_enabled │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ ├── postgresql_log_connections_not_enabled │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ ├── postgresql_log_disconnections_not_enabled │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ ├── postgresql_logcheckpoints_not_enabled 
│ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ ├── search_diagnostic_not_enabled │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ ├── servicebus_namespace_not_enabled │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ ├── sql-server-audit-retention-30 │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ ├── sql_server_audit_not_used │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ ├── stream_analytics_diagnostic_not_enabled │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt │ └── vmss_win_diagnostic_log_disabled │ │ ├── checkov_results.txt │ │ ├── cloudrail_results.txt │ │ ├── kics_results.txt │ │ ├── main.tf │ │ ├── results_summary.json │ │ ├── snyk_results.txt │ │ ├── terrascan_results.txt │ │ └── tfsec_results.txt └── networking │ ├── no_unused_nsg │ ├── checkov_results.txt │ ├── cloudrail_results.txt │ ├── kics_results.txt │ ├── main.tf │ ├── results_summary.json │ ├── snyk_results.txt │ ├── terrascan_results.txt │ └── tfsec_results.txt │ ├── public_access_sql_db │ ├── checkov_results.txt │ ├── cloudrail_results.txt 
│ ├── kics_results.txt │ ├── main.tf │ ├── results_summary.json │ ├── snyk_results.txt │ ├── terrascan_results.txt │ └── tfsec_results.txt │ ├── vm_public_rdp_lb_opened │ ├── checkov_results.txt │ ├── cloudrail_results.txt │ ├── kics_results.txt │ ├── main.tf │ ├── results_summary.json │ ├── snyk_results.txt │ ├── terrascan_results.txt │ └── tfsec_results.txt │ ├── vm_public_rdp_nat_opened │ ├── checkov_results.txt │ ├── cloudrail_results.txt │ ├── kics_results.txt │ ├── main.tf │ ├── results_summary.json │ ├── snyk_results.txt │ ├── terrascan_results.txt │ └── tfsec_results.txt │ └── vmss_public_rdp_lb_opened │ ├── checkov_results.txt │ ├── cloudrail_results.txt │ ├── kics_results.txt │ ├── main.tf │ ├── results_summary.json │ ├── snyk_results.txt │ ├── terrascan_results.txt │ └── tfsec_results.txt └── hcl_language_complexity ├── README.md ├── using_count_and_ternary_expr ├── checkov_results.txt ├── cloudrail_results.txt ├── kics_results.txt ├── main.tf ├── results_summary.json ├── snyk_results.txt ├── terrascan_results.txt └── tfsec_results.txt ├── using_for_each ├── checkov_results.txt ├── cloudrail_results.txt ├── kics_results.txt ├── main.tf ├── results_summary.json ├── snyk_results.txt ├── terrascan_results.txt └── tfsec_results.txt ├── using_locals ├── checkov_results.txt ├── cloudrail_results.txt ├── kics_results.txt ├── main.tf ├── results_summary.json ├── snyk_results.txt ├── terrascan_results.txt └── tfsec_results.txt ├── using_module_multi ├── checkov_results.txt ├── cloudrail_results.txt ├── kics_results.txt ├── main.tf ├── mymodule │ └── user.tf ├── results_summary.json ├── snyk_results.txt ├── terrascan_results.txt └── tfsec_results.txt └── using_module_simple ├── checkov_results.txt ├── cloudrail_results.txt ├── kics_results.txt ├── main.tf ├── results_summary.json ├── snyk_results.txt ├── terrascan_results.txt └── tfsec_results.txt /Makefile: -------------------------------------------------------------------------------- 1 | 2 | default: run-all 3 
| 4 | .PHONY: run-% 5 | run-%: 6 | @echo "Running $*" 7 | ./run_all_tools.sh run_$* 8 | 9 | .PHONY: run-all 10 | run-all: 11 | @echo "Running all tools" 12 | ./run_all_tools.sh 13 | 14 | .PHONY: clear-%-results 15 | clear-%-results: 16 | @echo "Clearing results for $*" 17 | find . -name "$*_results.txt" -print -delete; 18 | 19 | .PHONY: clear-all-results 20 | clear-all-results: 21 | @echo "Clearing all results" 22 | find . -name "*_results.txt" -print -delete 23 | 24 | .PHONY: clear-plans 25 | clear-plans: 26 | @echo "Clearing all results" 27 | find . -name "plan.out" -print -delete; 28 | 29 | .PHONY: generate-readme 30 | generate-readme: 31 | @python3 generate_readme_tables.py > README.md -------------------------------------------------------------------------------- /test-cases/terraform/aws/best-practices/alb_drop_http_headers/README.md: -------------------------------------------------------------------------------- 1 | One of the best practices when using Application Load Balancers in AWS is 2 | to configure it to drop invalid HTTP headers. 3 | 4 | This test case simulates a case where this best practice is _not_ followed. 
-------------------------------------------------------------------------------- /test-cases/terraform/aws/best-practices/alb_drop_http_headers/results_summary.json: -------------------------------------------------------------------------------- 1 | { 2 | "checkov": "yes", 3 | "cloudrail": "yes", 4 | "kics": "yes", 5 | "snyk": "yes", 6 | "terrascan": "no", 7 | "tfsec": "yes" 8 | } -------------------------------------------------------------------------------- /test-cases/terraform/aws/best-practices/alb_drop_http_headers/terrascan_results.txt: -------------------------------------------------------------------------------- 1 | 2 | 3 | Scan Summary - 4 | 5 | File/Folder : /iac 6 | IaC Type : all 7 | Scanned At : 2021-08-18 18:03:26.92855296 +0000 UTC 8 | Policies Validated : 3 9 | Violated Policies : 0 10 | Low : 0 11 | Medium : 0 12 | High : 0 13 | 14 | 15 | -------------------------------------------------------------------------------- /test-cases/terraform/aws/best-practices/cloudfront_not_using_waf/README.md: -------------------------------------------------------------------------------- 1 | One of the best practices when using CloudFront in AWS is 2 | to also configure a Web Application Firewall to protect it. 3 | 4 | This test case simulates a case where this best practice is _not_ followed. 
-------------------------------------------------------------------------------- /test-cases/terraform/aws/best-practices/cloudfront_not_using_waf/results_summary.json: -------------------------------------------------------------------------------- 1 | { 2 | "checkov": "yes", 3 | "cloudrail": "yes", 4 | "kics": "yes", 5 | "snyk": "yes", 6 | "terrascan": "yes", 7 | "tfsec": "yes" 8 | } -------------------------------------------------------------------------------- /test-cases/terraform/aws/best-practices/cloudtrail_enabled_on_multi_region/README.md: -------------------------------------------------------------------------------- 1 | One of the best practices when using CloudTrail in AWS is 2 | to enable it for all regions, and not just one particular region. 3 | 4 | This test case simulates a case where this best practice is _not_ followed. -------------------------------------------------------------------------------- /test-cases/terraform/aws/best-practices/cloudtrail_enabled_on_multi_region/results_summary.json: -------------------------------------------------------------------------------- 1 | { 2 | "checkov": "yes", 3 | "cloudrail": "yes", 4 | "kics": "yes", 5 | "snyk": "yes", 6 | "terrascan": "yes", 7 | "tfsec": "yes" 8 | } -------------------------------------------------------------------------------- /test-cases/terraform/aws/best-practices/config_aggregator_all_regions/README.md: -------------------------------------------------------------------------------- 1 | One of the best practices when using AWS Config is to enable the config aggregator - 2 | allowing you to analyze the configuration across multiple accounts and regions. 3 | 4 | This test case simulates a case where this best practice is _not_ followed. 
-------------------------------------------------------------------------------- /test-cases/terraform/aws/best-practices/config_aggregator_all_regions/main.tf: -------------------------------------------------------------------------------- 1 | resource "aws_config_configuration_aggregator" "organization" { 2 | 3 | name = "example" 4 | 5 | account_aggregation_source { 6 | account_ids = ["123456789012"] 7 | regions = ["us-east-2", "us-east-1", "us-west-1", "us-west-2"] 8 | } 9 | } 10 | -------------------------------------------------------------------------------- /test-cases/terraform/aws/best-practices/config_aggregator_all_regions/results_summary.json: -------------------------------------------------------------------------------- 1 | { 2 | "checkov": "yes", 3 | "cloudrail": "yes", 4 | "kics": "yes", 5 | "snyk": "yes", 6 | "terrascan": "yes", 7 | "tfsec": "yes" 8 | } -------------------------------------------------------------------------------- /test-cases/terraform/aws/best-practices/config_aggregator_all_regions/terrascan_results.txt: -------------------------------------------------------------------------------- 1 | 2 | 3 | Scan Summary - 4 | 5 | File/Folder : /iac 6 | IaC Type : all 7 | Scanned At : 2021-08-18 18:01:54.468668584 +0000 UTC 8 | Policies Validated : 1 9 | Violated Policies : 0 10 | Low : 0 11 | Medium : 0 12 | High : 0 13 | 14 | 15 | -------------------------------------------------------------------------------- /test-cases/terraform/aws/best-practices/deploy_ec2_to_default_vpc/README.md: -------------------------------------------------------------------------------- 1 | One of the best practices when using EC2s in AWS is _not_ to deploy any resources 2 | to the default VPC. 3 | 4 | This test case simulates a case where this best practice is _not_ followed. 
-------------------------------------------------------------------------------- /test-cases/terraform/aws/best-practices/deploy_ec2_to_default_vpc/results_summary.json: -------------------------------------------------------------------------------- 1 | { 2 | "checkov": "yes", 3 | "cloudrail": "yes", 4 | "kics": "yes", 5 | "snyk": "no", 6 | "terrascan": "yes", 7 | "tfsec": "yes" 8 | } -------------------------------------------------------------------------------- /test-cases/terraform/aws/best-practices/deploy_redshift_in_ec2_classic_mode/README.md: -------------------------------------------------------------------------------- 1 | One of the best practices when using AWS is _not_ to deploy any resources 2 | in "classic mode" (without a specific VPC). 3 | 4 | This test case simulates a case where this best practice is _not_ followed. -------------------------------------------------------------------------------- /test-cases/terraform/aws/best-practices/deploy_redshift_in_ec2_classic_mode/main.tf: -------------------------------------------------------------------------------- 1 | provider "aws" { 2 | region = "us-west-1" 3 | } 4 | 5 | resource "aws_redshift_cluster" "test" { 6 | cluster_identifier = "redshift-defaults-only" 7 | node_type = "dc2.large" 8 | master_password = "Test1234" 9 | master_username = "test" 10 | skip_final_snapshot = true 11 | } 12 | -------------------------------------------------------------------------------- /test-cases/terraform/aws/best-practices/deploy_redshift_in_ec2_classic_mode/results_summary.json: -------------------------------------------------------------------------------- 1 | { 2 | "checkov": "yes", 3 | "cloudrail": "yes", 4 | "kics": "yes", 5 | "snyk": "no", 6 | "terrascan": "no", 7 | "tfsec": "yes" 8 | } -------------------------------------------------------------------------------- /test-cases/terraform/aws/best-practices/dynamodb_without_recovery_enabled/README.md: 
-------------------------------------------------------------------------------- 1 | One of the best practices when using AWS DynamoDB is to ensure point in time 2 | recovery is enabled. 3 | 4 | This test case simulates a case where this best practice is _not_ followed. -------------------------------------------------------------------------------- /test-cases/terraform/aws/best-practices/dynamodb_without_recovery_enabled/results_summary.json: -------------------------------------------------------------------------------- 1 | { 2 | "checkov": "yes", 3 | "cloudrail": "yes", 4 | "kics": "yes", 5 | "snyk": "yes", 6 | "terrascan": "yes", 7 | "tfsec": "yes" 8 | } -------------------------------------------------------------------------------- /test-cases/terraform/aws/best-practices/ec2_ebs_not_optimized/README.md: -------------------------------------------------------------------------------- 1 | One of the best practices when deploying EC2 instances in AWS is to use an EBS optimized 2 | instance, greatly improving I/O speeds. 3 | 4 | This test case simulates a case where this best practice is _not_ followed. -------------------------------------------------------------------------------- /test-cases/terraform/aws/best-practices/ec2_ebs_not_optimized/cloudrail_results.txt: -------------------------------------------------------------------------------- 1 | 2 | WARNINGs found: 3 | Rule: Ensure all data stored in the Launch configuration EBS is securely encrypted 4 | - 1 Resources Exposed: 5 | ----------------------------------------------- 6 | - Exposed Resource: [aws_instance.web] (main.tf:17) 7 | Violating Resource: [aws_instance.web] (main.tf:17) 8 | 9 | Evidence: 10 | | This rule evaluated aws_instance.web's configuration 11 | 12 | 13 | ----------------------------------------------- 14 | 15 | Cloudrail ran this assessment without any policies and so all rule violations show as warnings. 
16 | You can increase a rule's enforcement level by creating a Policy in the Web UI and adding the rule to it. -------------------------------------------------------------------------------- /test-cases/terraform/aws/best-practices/ec2_ebs_not_optimized/main.tf: -------------------------------------------------------------------------------- 1 | data "aws_ami" "ubuntu" { 2 | most_recent = true 3 | 4 | filter { 5 | name = "name" 6 | values = ["ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*"] 7 | } 8 | 9 | filter { 10 | name = "virtualization-type" 11 | values = ["hvm"] 12 | } 13 | 14 | owners = ["099720109477"] # Canonical 15 | } 16 | 17 | resource "aws_instance" "web" { 18 | ami = data.aws_ami.ubuntu.id 19 | instance_type = "c1.xlarge" 20 | 21 | tags = { 22 | Name = "HelloWorld" 23 | } 24 | } 25 | -------------------------------------------------------------------------------- /test-cases/terraform/aws/best-practices/ec2_ebs_not_optimized/results_summary.json: -------------------------------------------------------------------------------- 1 | { 2 | "checkov": "yes", 3 | "cloudrail": "no", 4 | "kics": "yes", 5 | "snyk": "no", 6 | "terrascan": "yes", 7 | "tfsec": "no" 8 | } -------------------------------------------------------------------------------- /test-cases/terraform/aws/best-practices/ecr_make_tags_immutable/README.md: -------------------------------------------------------------------------------- 1 | One of the best practices when making containers available through AWS ECR 2 | is to have all tags be immutable - once a container is published, another image 3 | cannot assume the same tag. 4 | 5 | This test case simulates a case where this best practice is _not_ followed. 
-------------------------------------------------------------------------------- /test-cases/terraform/aws/best-practices/ecr_make_tags_immutable/main.tf: -------------------------------------------------------------------------------- 1 | resource "aws_ecr_repository" "foo" { 2 | name = "bar" 3 | image_tag_mutability = "MUTABLE" 4 | 5 | image_scanning_configuration { 6 | scan_on_push = true 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /test-cases/terraform/aws/best-practices/ecr_make_tags_immutable/results_summary.json: -------------------------------------------------------------------------------- 1 | { 2 | "checkov": "yes", 3 | "cloudrail": "yes", 4 | "kics": "yes", 5 | "snyk": "yes", 6 | "terrascan": "yes", 7 | "tfsec": "yes" 8 | } -------------------------------------------------------------------------------- /test-cases/terraform/aws/best-practices/ecr_use_image_scanning/README.md: -------------------------------------------------------------------------------- 1 | One of the best practices when making containers available through AWS ECR 2 | is to scan them for vulnerabilities before sharing or using them. 3 | 4 | This test case simulates a case where this best practice is _not_ followed. 
-------------------------------------------------------------------------------- /test-cases/terraform/aws/best-practices/ecr_use_image_scanning/main.tf: -------------------------------------------------------------------------------- 1 | resource "aws_ecr_repository" "foo" { 2 | name = "bar" 3 | image_tag_mutability = "MUTABLE" 4 | 5 | image_scanning_configuration { 6 | scan_on_push = false 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /test-cases/terraform/aws/best-practices/ecr_use_image_scanning/results_summary.json: -------------------------------------------------------------------------------- 1 | { 2 | "checkov": "yes", 3 | "cloudrail": "yes", 4 | "kics": "yes", 5 | "snyk": "yes", 6 | "terrascan": "yes", 7 | "tfsec": "yes" 8 | } -------------------------------------------------------------------------------- /test-cases/terraform/aws/best-practices/ecs_cluster_container_insights/README.md: -------------------------------------------------------------------------------- 1 | One of the best practices when using AWS ECR is to enable container insights 2 | for better visibility. 3 | 4 | This test case simulates a case where this best practice is _not_ followed. 
-------------------------------------------------------------------------------- /test-cases/terraform/aws/best-practices/ecs_cluster_container_insights/main.tf: -------------------------------------------------------------------------------- 1 | resource "aws_ecs_cluster" "foo" { 2 | name = "white-hart" 3 | 4 | # setting { 5 | # name = "containerInsights" 6 | # value = "enabled" 7 | # } 8 | } 9 | -------------------------------------------------------------------------------- /test-cases/terraform/aws/best-practices/ecs_cluster_container_insights/results_summary.json: -------------------------------------------------------------------------------- 1 | { 2 | "checkov": "yes", 3 | "cloudrail": "yes", 4 | "kics": "yes", 5 | "snyk": "yes", 6 | "terrascan": "no", 7 | "tfsec": "yes" 8 | } -------------------------------------------------------------------------------- /test-cases/terraform/aws/best-practices/ecs_cluster_container_insights/terrascan_results.txt: -------------------------------------------------------------------------------- 1 | 2 | 3 | Scan Summary - 4 | 5 | File/Folder : /iac 6 | IaC Type : all 7 | Scanned At : 2021-08-18 18:04:10.068219925 +0000 UTC 8 | Policies Validated : 0 9 | Violated Policies : 0 10 | Low : 0 11 | Medium : 0 12 | High : 0 13 | 14 | 15 | -------------------------------------------------------------------------------- /test-cases/terraform/aws/best-practices/elasticache_automatic_backup/README.md: -------------------------------------------------------------------------------- 1 | One of the best practices when using AWS ElastiCache is to enable 2 | automatic backups in case of a data loss event. 3 | 4 | This test case simulates a case where this best practice is _not_ followed. 
-------------------------------------------------------------------------------- /test-cases/terraform/aws/best-practices/elasticache_automatic_backup/cloudrail_results.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/iacsecurity/tool-compare/41fdcea49fbe92315cdab3ae0b1d2033e20ac39d/test-cases/terraform/aws/best-practices/elasticache_automatic_backup/cloudrail_results.txt -------------------------------------------------------------------------------- /test-cases/terraform/aws/best-practices/elasticache_automatic_backup/main.tf: -------------------------------------------------------------------------------- 1 | resource "aws_elasticache_cluster" "default" { 2 | cluster_id = "cluster" 3 | engine = "redis" 4 | node_type = "cache.m5.large" 5 | num_cache_nodes = 1 6 | parameter_group_name = "default.redis6.x" 7 | } 8 | 9 | resource "aws_elasticache_cluster" "disabled" { 10 | cluster_id = "cluster" 11 | engine = "redis" 12 | node_type = "cache.m5.large" 13 | num_cache_nodes = 1 14 | parameter_group_name = "default.redis6.x" 15 | 16 | snapshot_retention_limit = 0 17 | } 18 | -------------------------------------------------------------------------------- /test-cases/terraform/aws/best-practices/elasticache_automatic_backup/results_summary.json: -------------------------------------------------------------------------------- 1 | { 2 | "checkov": "yes", 3 | "cloudrail": "no", 4 | "kics": "yes", 5 | "snyk": "yes", 6 | "terrascan": "no", 7 | "tfsec": "yes" 8 | } -------------------------------------------------------------------------------- /test-cases/terraform/aws/best-practices/elasticache_automatic_backup/terrascan_results.txt: -------------------------------------------------------------------------------- 1 | 2 | 3 | Scan Summary - 4 | 5 | File/Folder : /iac 6 | IaC Type : all 7 | Scanned At : 2021-08-18 18:07:21.958976805 +0000 UTC 8 | Policies Validated : 3 9 | Violated Policies : 0 10 | Low : 0 
11 | Medium : 0 12 | High : 0 13 | 14 | 15 | -------------------------------------------------------------------------------- /test-cases/terraform/aws/best-practices/kms_uses_rotation/README.md: -------------------------------------------------------------------------------- 1 | One of the best practices when storing keys in AWS KMS is to have the service 2 | rotate them regularly in case any keys are compromised. 3 | 4 | This test case simulates a case where this best practice is _not_ followed. -------------------------------------------------------------------------------- /test-cases/terraform/aws/best-practices/kms_uses_rotation/main.tf: -------------------------------------------------------------------------------- 1 | resource "aws_kms_key" "a" { 2 | description = "KMS key 1" 3 | deletion_window_in_days = 10 4 | } -------------------------------------------------------------------------------- /test-cases/terraform/aws/best-practices/kms_uses_rotation/results_summary.json: -------------------------------------------------------------------------------- 1 | { 2 | "checkov": "yes", 3 | "cloudrail": "yes", 4 | "kics": "yes", 5 | "snyk": "yes", 6 | "terrascan": "yes", 7 | "tfsec": "yes" 8 | } -------------------------------------------------------------------------------- /test-cases/terraform/aws/best-practices/kms_uses_rotation/terrascan_results.txt: -------------------------------------------------------------------------------- 1 | 2 | 3 | Violation Details - 4 | 5 | Description : Ensure rotation for customer created CMKs is enabled 6 | File : main.tf 7 | Module Name : root 8 | Plan Root : ./ 9 | Line : 1 10 | Severity : HIGH 11 | 12 | ----------------------------------------------------------------------- 13 | 14 | 15 | Scan Summary - 16 | 17 | File/Folder : /iac 18 | IaC Type : all 19 | Scanned At : 2021-08-18 18:03:00.959002212 +0000 UTC 20 | Policies Validated : 4 21 | Violated Policies : 1 22 | Low : 0 23 | Medium : 0 24 | High : 1 25 | 26 | 27 | 
-------------------------------------------------------------------------------- /test-cases/terraform/aws/best-practices/rds_retention_period_set/README.md: -------------------------------------------------------------------------------- 1 | One of the best practices when using AWS RDS is to specifically define a 2 | retention period of backups. 3 | 4 | This test case simulates a case where this best practice is _not_ followed. -------------------------------------------------------------------------------- /test-cases/terraform/aws/best-practices/rds_retention_period_set/main.tf: -------------------------------------------------------------------------------- 1 | resource "aws_rds_cluster" "default" { 2 | cluster_identifier = "aurora-cluster-demo" 3 | engine = "aurora-mysql" 4 | engine_version = "5.7.mysql_aurora.2.03.2" 5 | availability_zones = ["us-west-2a", "us-west-2b", "us-west-2c"] 6 | database_name = "mydb" 7 | master_username = "foo" 8 | master_password = "bar" 9 | preferred_backup_window = "07:00-09:00" 10 | } 11 | -------------------------------------------------------------------------------- /test-cases/terraform/aws/best-practices/rds_retention_period_set/results_summary.json: -------------------------------------------------------------------------------- 1 | { 2 | "checkov": "yes", 3 | "cloudrail": "no", 4 | "kics": "yes", 5 | "snyk": "no", 6 | "terrascan": "yes", 7 | "tfsec": "yes" 8 | } -------------------------------------------------------------------------------- /test-cases/terraform/aws/best-practices/security_group_no_description_for_rules/README.md: -------------------------------------------------------------------------------- 1 | One of the best practices when creating security groups in AWS is to 2 | add a description to the group and each of its rules for better clarity. 3 | 4 | This test case simulates a case where this best practice is _not_ followed. 
-------------------------------------------------------------------------------- /test-cases/terraform/aws/best-practices/security_group_no_description_for_rules/results_summary.json: -------------------------------------------------------------------------------- 1 | { 2 | "checkov": "yes", 3 | "cloudrail": "yes", 4 | "kics": "yes", 5 | "snyk": "yes", 6 | "terrascan": "yes", 7 | "tfsec": "yes" 8 | } -------------------------------------------------------------------------------- /test-cases/terraform/aws/best-practices/security_group_no_description_for_security_group/README.md: -------------------------------------------------------------------------------- 1 | One of the best practices when creating security groups in AWS is to 2 | add a description to the group and each of its rules for better clarity. 3 | 4 | This test case simulates a case where this best practice is _not_ followed. -------------------------------------------------------------------------------- /test-cases/terraform/aws/best-practices/security_group_no_description_for_security_group/results_summary.json: -------------------------------------------------------------------------------- 1 | { 2 | "checkov": "no", 3 | "cloudrail": "yes", 4 | "kics": "yes", 5 | "snyk": "yes", 6 | "terrascan": "yes", 7 | "tfsec": "yes" 8 | } -------------------------------------------------------------------------------- /test-cases/terraform/aws/best-practices/security_group_no_unused/results_summary.json: -------------------------------------------------------------------------------- 1 | { 2 | "checkov": "yes", 3 | "cloudrail": "yes", 4 | "kics": "no", 5 | "snyk": "no", 6 | "terrascan": "no", 7 | "tfsec": "no" 8 | } -------------------------------------------------------------------------------- /test-cases/terraform/aws/best-practices/tag_all_items/README.md: -------------------------------------------------------------------------------- 1 | One of the best practices when creating resources in AWS is to add 
tags 2 | to each resource that supports it. This helps track billing by project or department, 3 | as well as other useful data. 4 | 5 | This test case simulates a case where this best practice is _not_ followed. -------------------------------------------------------------------------------- /test-cases/terraform/aws/best-practices/tag_all_items/main.tf: -------------------------------------------------------------------------------- 1 | provider "aws" { 2 | region = "us-east-1" 3 | } 4 | 5 | resource "aws_sns_topic" "cloudrail_1" { 6 | name = "sns_not_ecnrypted-1" 7 | tags = { 8 | Name = "Sns Topic Cloudrail Test" 9 | } 10 | } 11 | 12 | resource "aws_sqs_queue" "cloudrail" { 13 | name = "sqs_non_encrypted" 14 | tags = { 15 | Name = "Sqs Cloudrail Test" 16 | } 17 | } 18 | -------------------------------------------------------------------------------- /test-cases/terraform/aws/best-practices/tag_all_items/results_summary.json: -------------------------------------------------------------------------------- 1 | { 2 | "checkov": "no", 3 | "cloudrail": "yes", 4 | "kics": "yes", 5 | "snyk": "no", 6 | "terrascan": "no", 7 | "tfsec": "no" 8 | } -------------------------------------------------------------------------------- /test-cases/terraform/aws/best-practices/using_public_amis/README.md: -------------------------------------------------------------------------------- 1 | One of the best practices when creating EC2 instances is to use approved, specific 2 | AMIs managed by the organization, instead of public ones. 3 | 4 | This test case simulates a case where this best practice is _not_ followed. 
-------------------------------------------------------------------------------- /test-cases/terraform/aws/best-practices/using_public_amis/results_summary.json: -------------------------------------------------------------------------------- 1 | { 2 | "checkov": "no", 3 | "cloudrail": "yes", 4 | "kics": "no", 5 | "snyk": "no", 6 | "terrascan": "no", 7 | "tfsec": "no" 8 | } 9 | -------------------------------------------------------------------------------- /test-cases/terraform/aws/encryption/at-rest/athena_not_encrypted/main.tf: -------------------------------------------------------------------------------- 1 | resource "aws_s3_bucket" "hoge" { 2 | bucket = "hoge" 3 | } 4 | 5 | resource "aws_athena_database" "hoge" { 6 | name = "database_name" 7 | bucket = aws_s3_bucket.hoge.bucket 8 | } -------------------------------------------------------------------------------- /test-cases/terraform/aws/encryption/at-rest/athena_not_encrypted/results_summary.json: -------------------------------------------------------------------------------- 1 | { 2 | "checkov": "yes", 3 | "cloudrail": "yes", 4 | "kics": "yes", 5 | "snyk": "yes", 6 | "terrascan": "yes", 7 | "tfsec": "yes" 8 | } -------------------------------------------------------------------------------- /test-cases/terraform/aws/encryption/at-rest/cloudtrail_not_encrypted/results_summary.json: -------------------------------------------------------------------------------- 1 | { 2 | "checkov": "yes", 3 | "cloudrail": "yes", 4 | "kics": "yes", 5 | "snyk": "yes", 6 | "terrascan": "yes", 7 | "tfsec": "yes" 8 | } -------------------------------------------------------------------------------- /test-cases/terraform/aws/encryption/at-rest/cloudwatch_groups_not_encrypted/main.tf: -------------------------------------------------------------------------------- 1 | provider "aws" { 2 | region = "us-east-1" 3 | } 4 | 5 | resource "aws_cloudwatch_log_group" "cloudrail-test" { 6 | retention_in_days = 1 7 | } 8 | 
-------------------------------------------------------------------------------- /test-cases/terraform/aws/encryption/at-rest/cloudwatch_groups_not_encrypted/results_summary.json: -------------------------------------------------------------------------------- 1 | { 2 | "checkov": "yes", 3 | "cloudrail": "yes", 4 | "kics": "yes", 5 | "snyk": "yes", 6 | "terrascan": "yes", 7 | "tfsec": "yes" 8 | } -------------------------------------------------------------------------------- /test-cases/terraform/aws/encryption/at-rest/cloudwatch_groups_not_encrypted/terrascan_results.txt: -------------------------------------------------------------------------------- 1 | 2 | 3 | Scan Summary - 4 | 5 | File/Folder : /iac 6 | IaC Type : all 7 | Scanned At : 2021-08-18 16:19:23.707523668 +0000 UTC 8 | Policies Validated : 1 9 | Violated Policies : 0 10 | Low : 0 11 | Medium : 0 12 | High : 0 13 | 14 | 15 | -------------------------------------------------------------------------------- /test-cases/terraform/aws/encryption/at-rest/codbuild_using_aws_key/checkov_results.txt: -------------------------------------------------------------------------------- 1 | 2 | 3 | _ _ 4 | ___| |__ ___ ___| | _______ __ 5 | / __| '_ \ / _ \/ __| |/ / _ \ \ / / 6 | | (__| | | | __/ (__| < (_) \ V / 7 | \___|_| |_|\___|\___|_|\_\___/ \_/ 8 | 9 | By bridgecrew.io | version: 2.0.358 10 | Update available 2.0.358 -> 2.0.359 11 | Run pip3 install -U checkov to update 12 | 13 | 14 | terraform scan results: 15 | 16 | Passed checks: 4, Failed checks: 0, Skipped checks: 0 17 | 18 | -------------------------------------------------------------------------------- /test-cases/terraform/aws/encryption/at-rest/codbuild_using_aws_key/results_summary.json: -------------------------------------------------------------------------------- 1 | { 2 | "checkov": "no", 3 | "cloudrail": "yes", 4 | "kics": "yes", 5 | "snyk": "no", 6 | "terrascan": "no", 7 | "tfsec": "no" 8 | } 9 | 
-------------------------------------------------------------------------------- /test-cases/terraform/aws/encryption/at-rest/codbuild_using_aws_key/terrascan_results.txt: -------------------------------------------------------------------------------- 1 | 2 | 3 | Scan Summary - 4 | 5 | File/Folder : /iac 6 | IaC Type : all 7 | Scanned At : 2021-08-18 17:36:59.365095295 +0000 UTC 8 | Policies Validated : 0 9 | Violated Policies : 0 10 | Low : 0 11 | Medium : 0 12 | High : 0 13 | 14 | 15 | -------------------------------------------------------------------------------- /test-cases/terraform/aws/encryption/at-rest/codbuild_using_aws_key/tfsec_results.txt: -------------------------------------------------------------------------------- 1 | 2 | times 3 | ------------------------------------------ 4 | disk i/o 57.998292ms 5 | parsing HCL 537.417µs 6 | evaluating values 3.426708ms 7 | running checks 12.66925ms 8 | 9 | counts 10 | ------------------------------------------ 11 | files loaded 1 12 | blocks 4 13 | modules 0 14 | 15 | results 16 | ------------------------------------------ 17 | critical 0 18 | high 0 19 | medium 0 20 | low 0 21 | ignored 0 22 | 23 | No problems detected! 
24 | 25 | -------------------------------------------------------------------------------- /test-cases/terraform/aws/encryption/at-rest/dax_cluster_not_encrypted/results_summary.json: -------------------------------------------------------------------------------- 1 | { 2 | "checkov": "yes", 3 | "cloudrail": "yes", 4 | "kics": "yes", 5 | "snyk": "yes", 6 | "terrascan": "yes", 7 | "tfsec": "yes" 8 | } -------------------------------------------------------------------------------- /test-cases/terraform/aws/encryption/at-rest/dax_cluster_not_encrypted/terrascan_results.txt: -------------------------------------------------------------------------------- 1 | 2 | 3 | Violation Details - 4 | 5 | Description : Ensure server-side encryption is enabled for AWS DAX Cluster 6 | File : main.tf 7 | Module Name : root 8 | Plan Root : ./ 9 | Line : 25 10 | Severity : MEDIUM 11 | 12 | ----------------------------------------------------------------------- 13 | 14 | 15 | Scan Summary - 16 | 17 | File/Folder : /iac 18 | IaC Type : all 19 | Scanned At : 2021-08-18 16:18:40.412169551 +0000 UTC 20 | Policies Validated : 1 21 | Violated Policies : 1 22 | Low : 0 23 | Medium : 1 24 | High : 0 25 | 26 | 27 | -------------------------------------------------------------------------------- /test-cases/terraform/aws/encryption/at-rest/docdb_cluster_encrypted_at_rest_using_cmk_not_customer_managed/main.tf: -------------------------------------------------------------------------------- 1 | provider "aws" { 2 | region = "us-east-1" 3 | } 4 | 5 | data "aws_kms_key" "test" { 6 | key_id = "alias/aws/rds" 7 | } 8 | 9 | resource "aws_docdb_cluster" "test2" { 10 | cluster_identifier = "my-docdb-cluster-test2" 11 | engine = "docdb" 12 | master_username = "foo" 13 | master_password = "mustbeeightchars" 14 | skip_final_snapshot = true 15 | storage_encrypted = true 16 | kms_key_id = data.aws_kms_key.test.arn 17 | } 18 | -------------------------------------------------------------------------------- 
/test-cases/terraform/aws/encryption/at-rest/docdb_cluster_encrypted_at_rest_using_cmk_not_customer_managed/results_summary.json: -------------------------------------------------------------------------------- 1 | { 2 | "checkov": "no", 3 | "cloudrail": "yes", 4 | "kics": "yes", 5 | "snyk": "no", 6 | "terrascan": "no", 7 | "tfsec": "yes" 8 | } 9 | -------------------------------------------------------------------------------- /test-cases/terraform/aws/encryption/at-rest/docdb_cluster_encrypted_without_kms_key/main.tf: -------------------------------------------------------------------------------- 1 | provider "aws" { 2 | region = "us-east-1" 3 | } 4 | 5 | resource "aws_docdb_cluster" "test1" { 6 | cluster_identifier = "my-docdb-cluster-test1" 7 | engine = "docdb" 8 | master_username = "foo" 9 | master_password = "mustbeeightchars" 10 | skip_final_snapshot = true 11 | storage_encrypted = true 12 | } 13 | -------------------------------------------------------------------------------- /test-cases/terraform/aws/encryption/at-rest/docdb_cluster_encrypted_without_kms_key/results_summary.json: -------------------------------------------------------------------------------- 1 | { 2 | "checkov": "no", 3 | "cloudrail": "yes", 4 | "kics": "yes", 5 | "snyk": "yes", 6 | "terrascan": "yes", 7 | "tfsec": "yes" 8 | } -------------------------------------------------------------------------------- /test-cases/terraform/aws/encryption/at-rest/docdb_clusters_non_encrypted/main.tf: -------------------------------------------------------------------------------- 1 | provider "aws" { 2 | region = "us-east-1" 3 | } 4 | 5 | resource "aws_docdb_cluster" "docdb" { 6 | cluster_identifier = "my-docdb-cluster" 7 | engine = "docdb" 8 | master_username = "foo" 9 | master_password = "mustbeeightchars" 10 | skip_final_snapshot = true 11 | } -------------------------------------------------------------------------------- 
/test-cases/terraform/aws/encryption/at-rest/docdb_clusters_non_encrypted/results_summary.json: -------------------------------------------------------------------------------- 1 | { 2 | "checkov": "yes", 3 | "cloudrail": "yes", 4 | "kics": "yes", 5 | "snyk": "yes", 6 | "terrascan": "yes", 7 | "tfsec": "yes" 8 | } -------------------------------------------------------------------------------- /test-cases/terraform/aws/encryption/at-rest/dynamodb_not_encrypted/results_summary.json: -------------------------------------------------------------------------------- 1 | { 2 | "checkov": "yes", 3 | "cloudrail": "yes", 4 | "kics": "yes", 5 | "snyk": "no", 6 | "terrascan": "yes", 7 | "tfsec": "yes" 8 | } -------------------------------------------------------------------------------- /test-cases/terraform/aws/encryption/at-rest/ecr_repo_not_encrypted/main.tf: -------------------------------------------------------------------------------- 1 | resource "aws_ecr_repository" "foo" { 2 | name = "bar" 3 | image_tag_mutability = "IMMUTABLE" 4 | 5 | image_scanning_configuration { 6 | scan_on_push = true 7 | } 8 | } -------------------------------------------------------------------------------- /test-cases/terraform/aws/encryption/at-rest/ecr_repo_not_encrypted/results_summary.json: -------------------------------------------------------------------------------- 1 | { 2 | "checkov": "yes", 3 | "cloudrail": "yes", 4 | "kics": "yes", 5 | "snyk": "yes", 6 | "terrascan": "yes", 7 | "tfsec": "yes" 8 | } -------------------------------------------------------------------------------- /test-cases/terraform/aws/encryption/at-rest/elasticache_replication_group_not_encrypted_at_rest/cloudrail_results.txt: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/iacsecurity/tool-compare/41fdcea49fbe92315cdab3ae0b1d2033e20ac39d/test-cases/terraform/aws/encryption/at-rest/elasticache_replication_group_not_encrypted_at_rest/cloudrail_results.txt -------------------------------------------------------------------------------- /test-cases/terraform/aws/encryption/at-rest/elasticache_replication_group_not_encrypted_at_rest/main.tf: -------------------------------------------------------------------------------- 1 | resource "aws_elasticache_replication_group" "example" { 2 | automatic_failover_enabled = true 3 | availability_zones = ["us-west-2a", "us-west-2b"] 4 | replication_group_id = "tf-rep-group-1" 5 | replication_group_description = "test description" 6 | node_type = "cache.m4.large" 7 | number_cache_clusters = 2 8 | parameter_group_name = "default.redis3.2" 9 | port = 6379 10 | } 11 | -------------------------------------------------------------------------------- /test-cases/terraform/aws/encryption/at-rest/elasticache_replication_group_not_encrypted_at_rest/results_summary.json: -------------------------------------------------------------------------------- 1 | { 2 | "checkov": "yes", 3 | "cloudrail": "yes", 4 | "kics": "yes", 5 | "snyk": "yes", 6 | "terrascan": "yes", 7 | "tfsec": "yes" 8 | } -------------------------------------------------------------------------------- /test-cases/terraform/aws/encryption/at-rest/elasticache_replication_group_not_encrypted_at_rest/terrascan_results.txt: -------------------------------------------------------------------------------- 1 | 2 | 3 | Scan Summary - 4 | 5 | File/Folder : /iac 6 | IaC Type : all 7 | Scanned At : 2021-08-18 17:35:29.25194692 +0000 UTC 8 | Policies Validated : 0 9 | Violated Policies : 0 10 | Low : 0 11 | Medium : 0 12 | High : 0 13 | 14 | 15 | -------------------------------------------------------------------------------- /test-cases/terraform/aws/encryption/at-rest/elasticsearch_not_encrypted/main.tf: 
-------------------------------------------------------------------------------- 1 | resource "aws_elasticsearch_domain" "example" { 2 | domain_name = "example" 3 | elasticsearch_version = "1.5" 4 | 5 | cluster_config { 6 | instance_type = "r4.large.elasticsearch" 7 | } 8 | 9 | snapshot_options { 10 | automated_snapshot_start_hour = 23 11 | } 12 | 13 | tags = { 14 | Domain = "TestDomain" 15 | } 16 | } 17 | -------------------------------------------------------------------------------- /test-cases/terraform/aws/encryption/at-rest/elasticsearch_not_encrypted/results_summary.json: -------------------------------------------------------------------------------- 1 | { 2 | "checkov": "yes", 3 | "cloudrail": "yes", 4 | "kics": "yes", 5 | "snyk": "yes", 6 | "terrascan": "yes", 7 | "tfsec": "yes" 8 | } -------------------------------------------------------------------------------- /test-cases/terraform/aws/encryption/at-rest/kinesis_stream_not_encrypted/main.tf: -------------------------------------------------------------------------------- 1 | resource "aws_kinesis_stream" "test_stream" { 2 | name = "terraform-kinesis-test" 3 | shard_count = 1 4 | retention_period = 48 5 | 6 | shard_level_metrics = [ 7 | "IncomingBytes", 8 | "OutgoingBytes", 9 | ] 10 | 11 | tags = { 12 | Environment = "test" 13 | } 14 | } -------------------------------------------------------------------------------- /test-cases/terraform/aws/encryption/at-rest/kinesis_stream_not_encrypted/results_summary.json: -------------------------------------------------------------------------------- 1 | { 2 | "checkov": "yes", 3 | "cloudrail": "yes", 4 | "kics": "yes", 5 | "snyk": "yes", 6 | "terrascan": "yes", 7 | "tfsec": "yes" 8 | } -------------------------------------------------------------------------------- /test-cases/terraform/aws/encryption/at-rest/kinesis_stream_not_encrypted/terrascan_results.txt: -------------------------------------------------------------------------------- 1 | 2 | 3 | Violation 
Details - 4 | 5 | Description : Ensure Kinesis Stream is encrypted 6 | File : main.tf 7 | Module Name : root 8 | Plan Root : ./ 9 | Line : 1 10 | Severity : HIGH 11 | 12 | ----------------------------------------------------------------------- 13 | 14 | 15 | Scan Summary - 16 | 17 | File/Folder : /iac 18 | IaC Type : all 19 | Scanned At : 2021-08-18 17:39:40.728637134 +0000 UTC 20 | Policies Validated : 1 21 | Violated Policies : 1 22 | Low : 0 23 | Medium : 0 24 | High : 1 25 | 26 | 27 | -------------------------------------------------------------------------------- /test-cases/terraform/aws/encryption/at-rest/neptune_cluster_no_encryption/main.tf: -------------------------------------------------------------------------------- 1 | resource "aws_neptune_cluster" "test" { 2 | cluster_identifier = "neptune-cluster-demo" 3 | engine = "neptune" 4 | backup_retention_period = 5 5 | preferred_backup_window = "07:00-09:00" 6 | skip_final_snapshot = true 7 | iam_database_authentication_enabled = true 8 | apply_immediately = true 9 | } 10 | -------------------------------------------------------------------------------- /test-cases/terraform/aws/encryption/at-rest/neptune_cluster_no_encryption/results_summary.json: -------------------------------------------------------------------------------- 1 | { 2 | "checkov": "yes", 3 | "cloudrail": "yes", 4 | "kics": "yes", 5 | "snyk": "yes", 6 | "terrascan": "yes", 7 | "tfsec": "yes" 8 | } -------------------------------------------------------------------------------- /test-cases/terraform/aws/encryption/at-rest/rds_cluster_encrypt_at_rest_disabled/main.tf: -------------------------------------------------------------------------------- 1 | provider "aws" { 2 | region = "eu-west-1" 3 | } 4 | 5 | resource "aws_rds_cluster" "default" { 6 | cluster_identifier = "cloudrail-test-non-encrypted" 7 | engine = "aurora-mysql" 8 | engine_version = "5.7.mysql_aurora.2.03.2" 9 | availability_zones = ["eu-west-1a", "eu-west-1b", "eu-west-1c"] 
10 | database_name = "cloudrail" 11 | master_username = "administrator" 12 | master_password = "cloudrail-TEST-password" 13 | skip_final_snapshot = true 14 | } 15 | -------------------------------------------------------------------------------- /test-cases/terraform/aws/encryption/at-rest/rds_cluster_encrypt_at_rest_disabled/results_summary.json: -------------------------------------------------------------------------------- 1 | { 2 | "checkov": "yes", 3 | "cloudrail": "yes", 4 | "kics": "yes", 5 | "snyk": "yes", 6 | "terrascan": "yes", 7 | "tfsec": "yes" 8 | } -------------------------------------------------------------------------------- /test-cases/terraform/aws/encryption/at-rest/redshift_not_encrypted/main.tf: -------------------------------------------------------------------------------- 1 | provider "aws" { 2 | region = "us-west-1" 3 | } 4 | 5 | resource "aws_redshift_cluster" "default" { 6 | cluster_identifier = "tf-redshift-cluster" 7 | database_name = "mydb" 8 | master_username = "foo" 9 | master_password = "Mustbe8characters" 10 | node_type = "dc1.large" 11 | cluster_type = "single-node" 12 | } 13 | -------------------------------------------------------------------------------- /test-cases/terraform/aws/encryption/at-rest/redshift_not_encrypted/results_summary.json: -------------------------------------------------------------------------------- 1 | { 2 | "checkov": "yes", 3 | "cloudrail": "yes", 4 | "kics": "yes", 5 | "snyk": "yes", 6 | "terrascan": "yes", 7 | "tfsec": "yes" 8 | } -------------------------------------------------------------------------------- /test-cases/terraform/aws/encryption/at-rest/rest_api_cache_non_encrypted/results_summary.json: -------------------------------------------------------------------------------- 1 | { 2 | "checkov": "no", 3 | "cloudrail": "yes", 4 | "kics": "yes", 5 | "snyk": "yes", 6 | "terrascan": "no", 7 | "tfsec": "yes" 8 | } -------------------------------------------------------------------------------- 
/test-cases/terraform/aws/encryption/at-rest/s3_bucket_non_encrypted/main.tf: -------------------------------------------------------------------------------- 1 | provider "aws" { 2 | region = "us-east-1" 3 | } 4 | 5 | resource "aws_s3_bucket" "cloudrail" { 6 | bucket = "cloudrail-non-encrypted-czx7zxchs" 7 | acl = "private" 8 | } 9 | 10 | resource "aws_s3_bucket_public_access_block" "cloudrail" { 11 | bucket = aws_s3_bucket.cloudrail.id 12 | block_public_acls = true 13 | block_public_policy = true 14 | ignore_public_acls = true 15 | restrict_public_buckets = true 16 | } 17 | -------------------------------------------------------------------------------- /test-cases/terraform/aws/encryption/at-rest/s3_bucket_non_encrypted/results_summary.json: -------------------------------------------------------------------------------- 1 | { 2 | "checkov": "yes", 3 | "cloudrail": "yes", 4 | "kics": "yes", 5 | "snyk": "yes", 6 | "terrascan": "yes", 7 | "tfsec": "yes" 8 | } -------------------------------------------------------------------------------- /test-cases/terraform/aws/encryption/at-rest/s3_bucket_object_non_encrypted/main.tf: -------------------------------------------------------------------------------- 1 | provider "aws" { 2 | region = "eu-west-1" 3 | } 4 | 5 | resource "aws_s3_bucket" "cloudrail" { 6 | bucket = "cloudrail-non-encrypted-czx7zxchs" 7 | acl = "private" 8 | } 9 | 10 | resource "aws_s3_bucket_public_access_block" "cloudrail" { 11 | bucket = aws_s3_bucket.cloudrail.id 12 | block_public_acls = true 13 | block_public_policy = true 14 | ignore_public_acls = true 15 | restrict_public_buckets = true 16 | } 17 | 18 | resource "aws_s3_bucket_object" "object" { 19 | bucket = aws_s3_bucket.cloudrail.id 20 | key = "example_file_non_encrypted" 21 | content = "Cloudrail example" 22 | } 23 | -------------------------------------------------------------------------------- 
/test-cases/terraform/aws/encryption/at-rest/s3_bucket_object_non_encrypted/results_summary.json: -------------------------------------------------------------------------------- 1 | { 2 | "checkov": "no", 3 | "cloudrail": "yes", 4 | "kics": "yes", 5 | "snyk": "yes", 6 | "terrascan": "yes", 7 | "tfsec": "no" 8 | } -------------------------------------------------------------------------------- /test-cases/terraform/aws/encryption/at-rest/sagemaker_not_encrypted/results_summary.json: -------------------------------------------------------------------------------- 1 | { 2 | "checkov": "yes", 3 | "cloudrail": "yes", 4 | "kics": "yes", 5 | "snyk": "yes", 6 | "terrascan": "yes", 7 | "tfsec": "no" 8 | } -------------------------------------------------------------------------------- /test-cases/terraform/aws/encryption/at-rest/sagemaker_not_encrypted/terrascan_results.txt: -------------------------------------------------------------------------------- 1 | 2 | 3 | Violation Details - 4 | 5 | Description : Ensure SageMaker Instance is Encrypted 6 | File : main.tf 7 | Module Name : root 8 | Plan Root : ./ 9 | Line : 23 10 | Severity : MEDIUM 11 | 12 | ----------------------------------------------------------------------- 13 | 14 | 15 | Scan Summary - 16 | 17 | File/Folder : /iac 18 | IaC Type : all 19 | Scanned At : 2021-08-18 17:37:27.050999127 +0000 UTC 20 | Policies Validated : 1 21 | Violated Policies : 1 22 | Low : 0 23 | Medium : 1 24 | High : 0 25 | 26 | 27 | -------------------------------------------------------------------------------- /test-cases/terraform/aws/encryption/at-rest/sagemaker_not_encrypted/tfsec_results.txt: -------------------------------------------------------------------------------- 1 | 2 | times 3 | ------------------------------------------ 4 | disk i/o 72.525665ms 5 | parsing HCL 534.292µs 6 | evaluating values 7.469667ms 7 | running checks 15.410208ms 8 | 9 | counts 10 | ------------------------------------------ 11 | files loaded 1 12 | 
blocks 2 13 | modules 0 14 | 15 | results 16 | ------------------------------------------ 17 | critical 0 18 | high 0 19 | medium 0 20 | low 0 21 | ignored 0 22 | 23 | No problems detected! 24 | 25 | -------------------------------------------------------------------------------- /test-cases/terraform/aws/encryption/at-rest/secretsmanager_secrets_encrypted_at_rest_with_aws_managed_key_by_default/main.tf: -------------------------------------------------------------------------------- 1 | provider "aws" { 2 | region = "us-east-1" 3 | } 4 | 5 | resource "aws_secretsmanager_secret" "test" { 6 | name = "test-cloudrail" 7 | } 8 | -------------------------------------------------------------------------------- /test-cases/terraform/aws/encryption/at-rest/secretsmanager_secrets_encrypted_at_rest_with_aws_managed_key_by_default/results_summary.json: -------------------------------------------------------------------------------- 1 | { 2 | "checkov": "yes", 3 | "cloudrail": "yes", 4 | "kics": "yes", 5 | "snyk": "yes", 6 | "terrascan": "yes", 7 | "tfsec": "yes" 8 | } -------------------------------------------------------------------------------- /test-cases/terraform/aws/encryption/at-rest/secretsmanager_secrets_encrypted_at_rest_with_aws_managed_key_by_key_arn/checkov_results.txt: -------------------------------------------------------------------------------- 1 | 2 | 3 | _ _ 4 | ___| |__ ___ ___| | _______ __ 5 | / __| '_ \ / _ \/ __| |/ / _ \ \ / / 6 | | (__| | | | __/ (__| < (_) \ V / 7 | \___|_| |_|\___|\___|_|\_\___/ \_/ 8 | 9 | By bridgecrew.io | version: 2.0.358 10 | Update available 2.0.358 -> 2.0.359 11 | Run pip3 install -U checkov to update 12 | 13 | 14 | terraform scan results: 15 | 16 | Passed checks: 2, Failed checks: 0, Skipped checks: 0 17 | 18 | -------------------------------------------------------------------------------- /test-cases/terraform/aws/encryption/at-rest/secretsmanager_secrets_encrypted_at_rest_with_aws_managed_key_by_key_arn/main.tf: 
-------------------------------------------------------------------------------- 1 | provider "aws" { 2 | region = "us-east-1" 3 | } 4 | 5 | data "aws_kms_key" "by_alias" { 6 | key_id = "alias/aws/secretsmanager" 7 | } 8 | 9 | resource "aws_secretsmanager_secret" "test" { 10 | name = "test-cloudrail-1" 11 | kms_key_id = data.aws_kms_key.by_alias.arn 12 | } 13 | -------------------------------------------------------------------------------- /test-cases/terraform/aws/encryption/at-rest/secretsmanager_secrets_encrypted_at_rest_with_aws_managed_key_by_key_arn/results_summary.json: -------------------------------------------------------------------------------- 1 | { 2 | "checkov": "no", 3 | "cloudrail": "yes", 4 | "kics": "yes", 5 | "snyk": "no", 6 | "terrascan": "no", 7 | "tfsec": "yes" 8 | } 9 | -------------------------------------------------------------------------------- /test-cases/terraform/aws/encryption/at-rest/secretsmanager_secrets_encrypted_at_rest_with_aws_managed_key_by_key_arn/terrascan_results.txt: -------------------------------------------------------------------------------- 1 | 2 | 3 | Scan Summary - 4 | 5 | File/Folder : /iac 6 | IaC Type : all 7 | Scanned At : 2021-08-18 16:18:18.592421138 +0000 UTC 8 | Policies Validated : 1 9 | Violated Policies : 0 10 | Low : 0 11 | Medium : 0 12 | High : 0 13 | 14 | 15 | -------------------------------------------------------------------------------- /test-cases/terraform/aws/encryption/at-rest/sns_topic_encrypted_at_rest_with_aws_managed_key_by_key_arn/checkov_results.txt: -------------------------------------------------------------------------------- 1 | 2 | 3 | _ _ 4 | ___| |__ ___ ___| | _______ __ 5 | / __| '_ \ / _ \/ __| |/ / _ \ \ / / 6 | | (__| | | | __/ (__| < (_) \ V / 7 | \___|_| |_|\___|\___|_|\_\___/ \_/ 8 | 9 | By bridgecrew.io | version: 2.0.358 10 | Update available 2.0.358 -> 2.0.359 11 | Run pip3 install -U checkov to update 12 | 13 | 14 | terraform scan results: 15 | 16 | Passed checks: 
2, Failed checks: 0, Skipped checks: 0 17 | 18 | -------------------------------------------------------------------------------- /test-cases/terraform/aws/encryption/at-rest/sns_topic_encrypted_at_rest_with_aws_managed_key_by_key_arn/main.tf: -------------------------------------------------------------------------------- 1 | provider "aws" { 2 | region = "us-east-1" 3 | } 4 | 5 | data "aws_kms_key" "by_alias" { 6 | key_id = "alias/aws/sns" 7 | } 8 | 9 | resource "aws_sns_topic" "test" { 10 | name = "sns_ecnrypted" 11 | kms_master_key_id = data.aws_kms_key.by_alias.arn 12 | } 13 | -------------------------------------------------------------------------------- /test-cases/terraform/aws/encryption/at-rest/sns_topic_encrypted_at_rest_with_aws_managed_key_by_key_arn/results_summary.json: -------------------------------------------------------------------------------- 1 | { 2 | "checkov": "no", 3 | "cloudrail": "yes", 4 | "kics": "yes", 5 | "snyk": "no", 6 | "terrascan": "no", 7 | "tfsec": "yes" 8 | } 9 | -------------------------------------------------------------------------------- /test-cases/terraform/aws/encryption/at-rest/sns_topic_encrypted_at_rest_with_aws_managed_key_by_key_arn/terrascan_results.txt: -------------------------------------------------------------------------------- 1 | 2 | 3 | Scan Summary - 4 | 5 | File/Folder : /iac 6 | IaC Type : all 7 | Scanned At : 2021-08-18 16:21:14.329942386 +0000 UTC 8 | Policies Validated : 2 9 | Violated Policies : 0 10 | Low : 0 11 | Medium : 0 12 | High : 0 13 | 14 | 15 | -------------------------------------------------------------------------------- /test-cases/terraform/aws/encryption/at-rest/sqs_queue_not_encrypted/main.tf: -------------------------------------------------------------------------------- 1 | provider "aws" { 2 | region = "us-east-1" 3 | } 4 | 5 | resource "aws_sqs_queue" "cloudrail" { 6 | name = "sqs_non_encrypted" 7 | } 8 | 
-------------------------------------------------------------------------------- /test-cases/terraform/aws/encryption/at-rest/sqs_queue_not_encrypted/results_summary.json: -------------------------------------------------------------------------------- 1 | { 2 | "checkov": "yes", 3 | "cloudrail": "yes", 4 | "kics": "yes", 5 | "snyk": "yes", 6 | "terrascan": "yes", 7 | "tfsec": "yes" 8 | } -------------------------------------------------------------------------------- /test-cases/terraform/aws/encryption/at-rest/workgroups_non_encrypted/results_summary.json: -------------------------------------------------------------------------------- 1 | { 2 | "checkov": "yes", 3 | "cloudrail": "yes", 4 | "kics": "yes", 5 | "snyk": "yes", 6 | "terrascan": "no", 7 | "tfsec": "yes" 8 | } -------------------------------------------------------------------------------- /test-cases/terraform/aws/encryption/at-rest/workspace_root_volume_not_encrypted_at_rest/results_summary.json: -------------------------------------------------------------------------------- 1 | { 2 | "checkov": "yes", 3 | "cloudrail": "yes", 4 | "kics": "yes", 5 | "snyk": "yes", 6 | "terrascan": "yes", 7 | "tfsec": "yes" 8 | } -------------------------------------------------------------------------------- /test-cases/terraform/aws/encryption/at-rest/workspace_user_volume_not_encrypted_at_rest/results_summary.json: -------------------------------------------------------------------------------- 1 | { 2 | "checkov": "yes", 3 | "cloudrail": "yes", 4 | "kics": "yes", 5 | "snyk": "yes", 6 | "terrascan": "yes", 7 | "tfsec": "yes" 8 | } -------------------------------------------------------------------------------- /test-cases/terraform/aws/encryption/in-transit/alb_use_http/results_summary.json: -------------------------------------------------------------------------------- 1 | { 2 | "checkov": "yes", 3 | "cloudrail": "yes", 4 | "kics": "yes", 5 | "snyk": "no", 6 | "terrascan": "yes", 7 | "tfsec": "yes" 8 | } 
-------------------------------------------------------------------------------- /test-cases/terraform/aws/encryption/in-transit/cloudfront_distribution_not_encrypted/results_summary.json: -------------------------------------------------------------------------------- 1 | { 2 | "checkov": "yes", 3 | "cloudrail": "yes", 4 | "kics": "yes", 5 | "snyk": "yes", 6 | "terrascan": "yes", 7 | "tfsec": "yes" 8 | } -------------------------------------------------------------------------------- /test-cases/terraform/aws/encryption/in-transit/cloudfront_protocol_version_is_low/results_summary.json: -------------------------------------------------------------------------------- 1 | { 2 | "checkov": "yes", 3 | "cloudrail": "yes", 4 | "kics": "yes", 5 | "snyk": "yes", 6 | "terrascan": "yes", 7 | "tfsec": "yes" 8 | } -------------------------------------------------------------------------------- /test-cases/terraform/aws/encryption/in-transit/ecs_task_definition_not_encrypted_in_transit/results_summary.json: -------------------------------------------------------------------------------- 1 | { 2 | "checkov": "yes", 3 | "cloudrail": "yes", 4 | "kics": "yes", 5 | "snyk": "yes", 6 | "terrascan": "yes", 7 | "tfsec": "yes" 8 | } -------------------------------------------------------------------------------- /test-cases/terraform/aws/encryption/in-transit/elasticache_replication_group_not_encrypted_in_transit/cloudrail_results.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/iacsecurity/tool-compare/41fdcea49fbe92315cdab3ae0b1d2033e20ac39d/test-cases/terraform/aws/encryption/in-transit/elasticache_replication_group_not_encrypted_in_transit/cloudrail_results.txt -------------------------------------------------------------------------------- /test-cases/terraform/aws/encryption/in-transit/elasticache_replication_group_not_encrypted_in_transit/main.tf: 
-------------------------------------------------------------------------------- 1 | provider "aws" { 2 | region = "us-east-1" 3 | } 4 | 5 | resource "aws_elasticache_replication_group" "example" { 6 | automatic_failover_enabled = true 7 | availability_zones = ["us-west-2a", "us-west-2b"] 8 | replication_group_id = "tf-rep-group-1" 9 | replication_group_description = "test description" 10 | node_type = "cache.m4.large" 11 | number_cache_clusters = 2 12 | parameter_group_name = "default.redis3.2" 13 | port = 6379 14 | } 15 | -------------------------------------------------------------------------------- /test-cases/terraform/aws/encryption/in-transit/elasticache_replication_group_not_encrypted_in_transit/results_summary.json: -------------------------------------------------------------------------------- 1 | { 2 | "checkov": "yes", 3 | "cloudrail": "yes", 4 | "kics": "yes", 5 | "snyk": "yes", 6 | "terrascan": "yes", 7 | "tfsec": "yes" 8 | } -------------------------------------------------------------------------------- /test-cases/terraform/aws/encryption/in-transit/elasticache_replication_group_not_encrypted_in_transit/terrascan_results.txt: -------------------------------------------------------------------------------- 1 | 2 | 3 | Scan Summary - 4 | 5 | File/Folder : /iac 6 | IaC Type : all 7 | Scanned At : 2021-08-18 16:15:47.26619222 +0000 UTC 8 | Policies Validated : 0 9 | Violated Policies : 0 10 | Low : 0 11 | Medium : 0 12 | High : 0 13 | 14 | 15 | -------------------------------------------------------------------------------- /test-cases/terraform/aws/encryption/in-transit/elasticsearch_encrypt_node_to_node_disabled/main.tf: -------------------------------------------------------------------------------- 1 | provider "aws" { 2 | region = "us-east-1" 3 | } 4 | 5 | resource "aws_elasticsearch_domain" "example" { 6 | domain_name = "cloudrail-non-enc-in-tran" 7 | elasticsearch_version = "6.0" 8 | 9 | cluster_config { 10 | instance_type = 
"i3.large.elasticsearch" 11 | } 12 | 13 | } -------------------------------------------------------------------------------- /test-cases/terraform/aws/encryption/in-transit/elasticsearch_encrypt_node_to_node_disabled/results_summary.json: -------------------------------------------------------------------------------- 1 | { 2 | "checkov": "no", 3 | "cloudrail": "yes", 4 | "kics": "yes", 5 | "snyk": "yes", 6 | "terrascan": "yes", 7 | "tfsec": "yes" 8 | } -------------------------------------------------------------------------------- /test-cases/terraform/aws/encryption/in-transit/load_balancer_listener_http/results_summary.json: -------------------------------------------------------------------------------- 1 | { 2 | "checkov": "yes", 3 | "cloudrail": "yes", 4 | "kics": "yes", 5 | "snyk": "yes", 6 | "terrascan": "yes", 7 | "tfsec": "yes" 8 | } -------------------------------------------------------------------------------- /test-cases/terraform/aws/encryption/in-transit/vpc_has_only_dynamodb_vpce_gw_connection/results_summary.json: -------------------------------------------------------------------------------- 1 | { 2 | "checkov": "no", 3 | "cloudrail": "yes", 4 | "kics": "no", 5 | "snyk": "no", 6 | "terrascan": "no", 7 | "tfsec": "no" 8 | } 9 | -------------------------------------------------------------------------------- /test-cases/terraform/aws/iam/iam-entities/human_users_defined/README.md: -------------------------------------------------------------------------------- 1 | One of the best practices when managing IAM in AWS is not to have users 2 | at all, and specifically no human users. Instead, AWS SSO should be used. 3 | 4 | This test case simulates a case where this best practice is _not_ followed. 
-------------------------------------------------------------------------------- /test-cases/terraform/aws/iam/iam-entities/human_users_defined/results_summary.json: -------------------------------------------------------------------------------- 1 | { 2 | "checkov": "yes", 3 | "cloudrail": "yes", 4 | "kics": "yes", 5 | "snyk": "no", 6 | "terrascan": "no", 7 | "tfsec": "no" 8 | } -------------------------------------------------------------------------------- /test-cases/terraform/aws/iam/iam-entities/human_users_defined/terrascan_results.txt: -------------------------------------------------------------------------------- 1 | 2 | 3 | Scan Summary - 4 | 5 | File/Folder : /iac 6 | IaC Type : all 7 | Scanned At : 2021-08-18 17:51:39.872707508 +0000 UTC 8 | Policies Validated : 1 9 | Violated Policies : 0 10 | Low : 0 11 | Medium : 0 12 | High : 0 13 | 14 | 15 | -------------------------------------------------------------------------------- /test-cases/terraform/aws/iam/iam-entities/human_users_defined/tfsec_results.txt: -------------------------------------------------------------------------------- 1 | 2 | times 3 | ------------------------------------------ 4 | disk i/o 56.425916ms 5 | parsing HCL 499.292µs 6 | evaluating values 3.464625ms 7 | running checks 13.586666ms 8 | 9 | counts 10 | ------------------------------------------ 11 | files loaded 1 12 | blocks 4 13 | modules 0 14 | 15 | results 16 | ------------------------------------------ 17 | critical 0 18 | high 0 19 | medium 0 20 | low 0 21 | ignored 0 22 | 23 | No problems detected! 24 | 25 | -------------------------------------------------------------------------------- /test-cases/terraform/aws/iam/iam-entities/iam_user_inline_policy_attach/README.md: -------------------------------------------------------------------------------- 1 | One of the best practices when managing IAM in AWS is not to attach a policy 2 | directly to a user, rather attach it to the group the user belongs to. 
3 | 4 | This test case simulates a case where this best practice is _not_ followed. -------------------------------------------------------------------------------- /test-cases/terraform/aws/iam/iam-entities/iam_user_inline_policy_attach/main.tf: -------------------------------------------------------------------------------- 1 | provider "aws" { 2 | region = "us-east-1" 3 | } 4 | 5 | resource "aws_iam_user" "user-1" { 6 | name = "user-1" 7 | } 8 | 9 | resource "aws_iam_user_policy" "policy" { 10 | name = "inline-policy" 11 | user = aws_iam_user.user-1.name 12 | 13 | policy = < 2.0.359 11 | Run pip3 install -U checkov to update 12 | 13 | 14 | terraform scan results: 15 | 16 | Passed checks: 7, Failed checks: 0, Skipped checks: 0 17 | 18 | -------------------------------------------------------------------------------- /test-cases/terraform/aws/iam/iam-entities/passrole_and_lambda_permissions_cause_priv_escalation/results_summary.json: -------------------------------------------------------------------------------- 1 | { 2 | "checkov": "no", 3 | "cloudrail": "yes", 4 | "kics": "yes", 5 | "snyk": "no", 6 | "terrascan": "yes", 7 | "tfsec": "no" 8 | } -------------------------------------------------------------------------------- /test-cases/terraform/aws/iam/iam-entities/passrole_and_lambda_permissions_cause_priv_escalation/terrascan_results.txt: -------------------------------------------------------------------------------- 1 | 2 | 3 | Scan Summary - 4 | 5 | File/Folder : /iac 6 | IaC Type : all 7 | Scanned At : 2021-08-18 17:49:28.995464128 +0000 UTC 8 | Policies Validated : 0 9 | Violated Policies : 0 10 | Low : 0 11 | Medium : 0 12 | High : 0 13 | 14 | 15 | -------------------------------------------------------------------------------- /test-cases/terraform/aws/iam/iam-entities/policy-too-broad/README.md: -------------------------------------------------------------------------------- 1 | One of the best practices when managing IAM in AWS is to focus on 
providing 2 | each entity the least amount of privilege possible - only what is necessary. 3 | 4 | This test case simulates a case where this best practice is _not_ followed. -------------------------------------------------------------------------------- /test-cases/terraform/aws/iam/iam-entities/policy-too-broad/checkov_results.txt: -------------------------------------------------------------------------------- 1 | 2 | 3 | _ _ 4 | ___| |__ ___ ___| | _______ __ 5 | / __| '_ \ / _ \/ __| |/ / _ \ \ / / 6 | | (__| | | | __/ (__| < (_) \ V / 7 | \___|_| |_|\___|\___|_|\_\___/ \_/ 8 | 9 | By bridgecrew.io | version: 2.0.358 10 | Update available 2.0.358 -> 2.0.359 11 | Run pip3 install -U checkov to update 12 | 13 | 14 | terraform scan results: 15 | 16 | Passed checks: 5, Failed checks: 0, Skipped checks: 0 17 | 18 | -------------------------------------------------------------------------------- /test-cases/terraform/aws/iam/iam-entities/policy-too-broad/results_summary.json: -------------------------------------------------------------------------------- 1 | { 2 | "checkov": "no", 3 | "cloudrail": "yes", 4 | "kics": "no", 5 | "snyk": "no", 6 | "terrascan": "no", 7 | "tfsec": "no" 8 | } 9 | -------------------------------------------------------------------------------- /test-cases/terraform/aws/iam/iam-entities/policy-too-broad/terrascan_results.txt: -------------------------------------------------------------------------------- 1 | 2 | 3 | Scan Summary - 4 | 5 | File/Folder : /iac 6 | IaC Type : all 7 | Scanned At : 2021-08-18 17:49:49.970058263 +0000 UTC 8 | Policies Validated : 0 9 | Violated Policies : 0 10 | Low : 0 11 | Medium : 0 12 | High : 0 13 | 14 | 15 | -------------------------------------------------------------------------------- /test-cases/terraform/aws/iam/iam-entities/policy_missing_principal/results_summary.json: -------------------------------------------------------------------------------- 1 | { 2 | "checkov": "no", 3 | "cloudrail": "yes", 
4 | "kics": "yes", 5 | "snyk": "no", 6 | "terrascan": "yes", 7 | "tfsec": "no" 8 | } 9 | -------------------------------------------------------------------------------- /test-cases/terraform/aws/iam/iam-entities/policy_missing_principal/terrascan_results.txt: -------------------------------------------------------------------------------- 1 | 2 | 3 | Violation Details - 4 | 5 | Description : Ensure rotation for customer created CMKs is enabled 6 | File : main.tf 7 | Module Name : root 8 | Plan Root : ./ 9 | Line : 5 10 | Severity : HIGH 11 | 12 | ----------------------------------------------------------------------- 13 | 14 | 15 | Scan Summary - 16 | 17 | File/Folder : /iac 18 | IaC Type : all 19 | Scanned At : 2021-08-18 17:51:19.739478388 +0000 UTC 20 | Policies Validated : 1 21 | Violated Policies : 1 22 | Low : 0 23 | Medium : 0 24 | High : 1 25 | 26 | 27 | -------------------------------------------------------------------------------- /test-cases/terraform/aws/iam/iam-entities/public_and_private_ec2_same_role/README.md: -------------------------------------------------------------------------------- 1 | One of the best practices when managing IAM in AWS is to ensure separation of 2 | roles. Different compute resources should not share roles, as modifying one 3 | may give unintended permissions to another. This is especially true if one resource 4 | is public and the other is private. 5 | 6 | This test case simulates a case where this best practice is _not_ followed. 
-------------------------------------------------------------------------------- /test-cases/terraform/aws/iam/iam-entities/public_and_private_ec2_same_role/results_summary.json: -------------------------------------------------------------------------------- 1 | { 2 | "checkov": "no", 3 | "cloudrail": "yes", 4 | "kics": "yes", 5 | "snyk": "no", 6 | "terrascan": "no", 7 | "tfsec": "no" 8 | } 9 | -------------------------------------------------------------------------------- /test-cases/terraform/aws/iam/iam-entities/role_assume_policy_principal_all/results_summary.json: -------------------------------------------------------------------------------- 1 | { 2 | "checkov": "yes", 3 | "cloudrail": "yes", 4 | "kics": "yes", 5 | "snyk": "yes", 6 | "terrascan": "no", 7 | "tfsec": "no" 8 | } 9 | -------------------------------------------------------------------------------- /test-cases/terraform/aws/iam/iam-entities/role_assume_policy_principal_all/terrascan_results.txt: -------------------------------------------------------------------------------- 1 | 2 | 3 | Scan Summary - 4 | 5 | File/Folder : /iac 6 | IaC Type : all 7 | Scanned At : 2021-08-18 17:52:00.280330128 +0000 UTC 8 | Policies Validated : 0 9 | Violated Policies : 0 10 | Low : 0 11 | Medium : 0 12 | High : 0 13 | 14 | 15 | -------------------------------------------------------------------------------- /test-cases/terraform/aws/iam/iam-entities/role_assume_policy_principal_all/tfsec_results.txt: -------------------------------------------------------------------------------- 1 | 2 | times 3 | ------------------------------------------ 4 | disk i/o 45.837667ms 5 | parsing HCL 516µs 6 | evaluating values 1.888876ms 7 | running checks 11.136125ms 8 | 9 | counts 10 | ------------------------------------------ 11 | files loaded 1 12 | blocks 2 13 | modules 0 14 | 15 | results 16 | ------------------------------------------ 17 | critical 0 18 | high 0 19 | medium 0 20 | low 0 21 | ignored 0 22 | 23 | No problems 
detected! 24 | 25 | -------------------------------------------------------------------------------- /test-cases/terraform/aws/iam/resource-authentication/rds_without_authentication/cloudrail_results.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/iacsecurity/tool-compare/41fdcea49fbe92315cdab3ae0b1d2033e20ac39d/test-cases/terraform/aws/iam/resource-authentication/rds_without_authentication/cloudrail_results.txt -------------------------------------------------------------------------------- /test-cases/terraform/aws/iam/resource-authentication/rds_without_authentication/main.tf: -------------------------------------------------------------------------------- 1 | resource "aws_db_instance" "default" { 2 | allocated_storage = 10 3 | engine = "mysql" 4 | engine_version = "5.7" 5 | instance_class = "db.t3.micro" 6 | name = "mydb" 7 | username = "foo" 8 | password = "foobarbaz" 9 | parameter_group_name = "default.mysql5.7" 10 | skip_final_snapshot = true 11 | } 12 | -------------------------------------------------------------------------------- /test-cases/terraform/aws/iam/resource-authentication/rds_without_authentication/results_summary.json: -------------------------------------------------------------------------------- 1 | { 2 | "checkov": "yes", 3 | "cloudrail": "no", 4 | "kics": "yes", 5 | "snyk": "yes", 6 | "terrascan": "yes", 7 | "tfsec": "no" 8 | } -------------------------------------------------------------------------------- /test-cases/terraform/aws/iam/resource-authentication/rest_api_without_authorization/results_summary.json: -------------------------------------------------------------------------------- 1 | { 2 | "checkov": "yes", 3 | "cloudrail": "yes", 4 | "kics": "yes", 5 | "snyk": "yes", 6 | "terrascan": "no", 7 | "tfsec": "no" 8 | } -------------------------------------------------------------------------------- 
/test-cases/terraform/aws/iam/resource-authentication/rest_api_without_authorization/snyk_results.txt: -------------------------------------------------------------------------------- 1 | Failed to run the process ... 2 | { 3 | "ok": false, 4 | "error": "Failed to build policy engine", 5 | "path": "/project" 6 | } 7 | -------------------------------------------------------------------------------- /test-cases/terraform/aws/iam/resource-policies/cloudwatch_log_destination_insecure_policy/results_summary.json: -------------------------------------------------------------------------------- 1 | { 2 | "checkov": "no", 3 | "cloudrail": "yes", 4 | "kics": "yes", 5 | "snyk": "no", 6 | "terrascan": "no", 7 | "tfsec": "no" 8 | } 9 | -------------------------------------------------------------------------------- /test-cases/terraform/aws/iam/resource-policies/cloudwatch_log_destination_insecure_policy/terrascan_results.txt: -------------------------------------------------------------------------------- 1 | 2 | 3 | Violation Details - 4 | 5 | Description : Ensure Kinesis Stream is encrypted 6 | File : main.tf 7 | Module Name : root 8 | Plan Root : ./ 9 | Line : 49 10 | Severity : HIGH 11 | 12 | ----------------------------------------------------------------------- 13 | 14 | 15 | Scan Summary - 16 | 17 | File/Folder : /iac 18 | IaC Type : all 19 | Scanned At : 2021-08-18 17:44:24.080795167 +0000 UTC 20 | Policies Validated : 1 21 | Violated Policies : 1 22 | Low : 0 23 | Medium : 0 24 | High : 1 25 | 26 | 27 | -------------------------------------------------------------------------------- /test-cases/terraform/aws/iam/resource-policies/ecr_not_secure_policy/main.tf: -------------------------------------------------------------------------------- 1 | resource "aws_ecr_repository" "foo" { 2 | name = "bar" 3 | image_tag_mutability = "MUTABLE" 4 | 5 | image_scanning_configuration { 6 | scan_on_push = true 7 | } 8 | } 
-------------------------------------------------------------------------------- /test-cases/terraform/aws/iam/resource-policies/ecr_not_secure_policy/results_summary.json: -------------------------------------------------------------------------------- 1 | { 2 | "checkov": "no", 3 | "cloudrail": "yes", 4 | "kics": "yes", 5 | "snyk": "no", 6 | "terrascan": "yes", 7 | "tfsec": "no" 8 | } -------------------------------------------------------------------------------- /test-cases/terraform/aws/iam/resource-policies/efs_not_secure_policy/results_summary.json: -------------------------------------------------------------------------------- 1 | { 2 | "checkov": "no", 3 | "cloudrail": "yes", 4 | "kics": "yes", 5 | "snyk": "no", 6 | "terrascan": "yes", 7 | "tfsec": "no" 8 | } 9 | -------------------------------------------------------------------------------- /test-cases/terraform/aws/iam/resource-policies/efs_not_secure_policy/terrascan_results.txt: -------------------------------------------------------------------------------- 1 | 2 | 3 | Scan Summary - 4 | 5 | File/Folder : /iac 6 | IaC Type : all 7 | Scanned At : 2021-08-18 17:46:12.416928801 +0000 UTC 8 | Policies Validated : 2 9 | Violated Policies : 0 10 | Low : 0 11 | Medium : 0 12 | High : 0 13 | 14 | 15 | -------------------------------------------------------------------------------- /test-cases/terraform/aws/iam/resource-policies/elasticsearch_domain_not_secure_policy/results_summary.json: -------------------------------------------------------------------------------- 1 | { 2 | "checkov": "no", 3 | "cloudrail": "yes", 4 | "kics": "yes", 5 | "snyk": "no", 6 | "terrascan": "yes", 7 | "tfsec": "no" 8 | } 9 | -------------------------------------------------------------------------------- /test-cases/terraform/aws/iam/resource-policies/glacier_vault_not_secure_policy/results_summary.json: -------------------------------------------------------------------------------- 1 | { 2 | "checkov": "yes", 3 | "cloudrail": 
"yes", 4 | "kics": "no", 5 | "snyk": "yes", 6 | "terrascan": "no", 7 | "tfsec": "yes" 8 | } 9 | -------------------------------------------------------------------------------- /test-cases/terraform/aws/iam/resource-policies/glacier_vault_not_secure_policy/terrascan_results.txt: -------------------------------------------------------------------------------- 1 | 2 | 3 | Violation Details - 4 | 5 | Description : Ensure SNS topic is Encrypted using KMS master key 6 | File : main.tf 7 | Module Name : root 8 | Plan Root : ./ 9 | Line : 5 10 | Severity : MEDIUM 11 | 12 | ----------------------------------------------------------------------- 13 | 14 | 15 | Scan Summary - 16 | 17 | File/Folder : /iac 18 | IaC Type : all 19 | Scanned At : 2021-08-18 17:47:22.9609125 +0000 UTC 20 | Policies Validated : 2 21 | Violated Policies : 1 22 | Low : 0 23 | Medium : 1 24 | High : 0 25 | 26 | 27 | -------------------------------------------------------------------------------- /test-cases/terraform/aws/iam/resource-policies/glue_data_catalog_not_secure_policy/results_summary.json: -------------------------------------------------------------------------------- 1 | { 2 | "checkov": "no", 3 | "cloudrail": "yes", 4 | "kics": "yes", 5 | "snyk": "no", 6 | "terrascan": "no", 7 | "tfsec": "no" 8 | } 9 | -------------------------------------------------------------------------------- /test-cases/terraform/aws/iam/resource-policies/kms_key_not_secure_policy/main.tf: -------------------------------------------------------------------------------- 1 | provider "aws" { 2 | region = "us-east-1" 3 | } 4 | 5 | resource "aws_kms_key" "not_secure_policy" { 6 | description = "KMS key + not_secure_policy" 7 | deletion_window_in_days = 7 8 | 9 | policy = < 2.0.359 11 | Run pip3 install -U checkov to update 12 | 13 | 14 | terraform scan results: 15 | 16 | Passed checks: 1, Failed checks: 0, Skipped checks: 0 17 | 18 | -------------------------------------------------------------------------------- 
/test-cases/terraform/hcl_language_complexity/using_for_each/main.tf: -------------------------------------------------------------------------------- 1 | # In this case we're using a for-each and expect the tool to only for all users who have a password 2 | # and only those that have a password. 3 | 4 | resource "aws_iam_user" "example" { 5 | for_each = { 6 | jack = "jack" 7 | jill = "jill" 8 | jane = "jane" 9 | } 10 | name = each.value 11 | path = "/" 12 | force_destroy = true 13 | } 14 | 15 | resource "aws_iam_user_login_profile" "example" { 16 | for_each = { 17 | jack = "jack" 18 | jill = "jill" 19 | # jane = "jane" - excluding one on purpose 20 | } 21 | user = each.value 22 | pgp_key = "keybase:some_person_that_exists" 23 | } 24 | -------------------------------------------------------------------------------- /test-cases/terraform/hcl_language_complexity/using_for_each/results_summary.json: -------------------------------------------------------------------------------- 1 | { 2 | "checkov": "no", 3 | "cloudrail": "yes", 4 | "kics": "no", 5 | "snyk": "no", 6 | "terrascan": "no", 7 | "tfsec": "no" 8 | } 9 | -------------------------------------------------------------------------------- /test-cases/terraform/hcl_language_complexity/using_for_each/terrascan_results.txt: -------------------------------------------------------------------------------- 1 | 2 | 3 | Scan Summary - 4 | 5 | File/Folder : /iac 6 | IaC Type : all 7 | Scanned At : 2021-08-18 16:14:23.956510459 +0000 UTC 8 | Policies Validated : 1 9 | Violated Policies : 0 10 | Low : 0 11 | Medium : 0 12 | High : 0 13 | 14 | 15 | -------------------------------------------------------------------------------- /test-cases/terraform/hcl_language_complexity/using_for_each/tfsec_results.txt: -------------------------------------------------------------------------------- 1 | 2 | times 3 | ------------------------------------------ 4 | disk i/o 59.513166ms 5 | parsing HCL 491µs 6 | evaluating values 3.915875ms 
7 | running checks 13.011125ms 8 | 9 | counts 10 | ------------------------------------------ 11 | files loaded 1 12 | blocks 2 13 | modules 0 14 | 15 | results 16 | ------------------------------------------ 17 | critical 0 18 | high 0 19 | medium 0 20 | low 0 21 | ignored 0 22 | 23 | No problems detected! 24 | 25 | -------------------------------------------------------------------------------- /test-cases/terraform/hcl_language_complexity/using_locals/checkov_results.txt: -------------------------------------------------------------------------------- 1 | 2 | 3 | _ _ 4 | ___| |__ ___ ___| | _______ __ 5 | / __| '_ \ / _ \/ __| |/ / _ \ \ / / 6 | | (__| | | | __/ (__| < (_) \ V / 7 | \___|_| |_|\___|\___|_|\_\___/ \_/ 8 | 9 | By bridgecrew.io | version: 2.0.358 10 | Update available 2.0.358 -> 2.0.359 11 | Run pip3 install -U checkov to update 12 | 13 | 14 | terraform scan results: 15 | 16 | Passed checks: 1, Failed checks: 0, Skipped checks: 0 17 | 18 | -------------------------------------------------------------------------------- /test-cases/terraform/hcl_language_complexity/using_locals/main.tf: -------------------------------------------------------------------------------- 1 | # In this case we are using a local variable to pass information to the login_profile resource. 2 | # While a case that looks exactly like this is less common, the use of locals, variables, etc. to 3 | # pass information to resource is very common. 
4 | 5 | resource "aws_iam_user" "example" { 6 | name = "example" 7 | path = "/" 8 | force_destroy = true 9 | } 10 | 11 | locals { 12 | user_name = aws_iam_user.example.name 13 | } 14 | 15 | resource "aws_iam_user_login_profile" "example" { 16 | user = local.user_name 17 | pgp_key = "keybase:some_person_that_exists" 18 | } 19 | -------------------------------------------------------------------------------- /test-cases/terraform/hcl_language_complexity/using_locals/results_summary.json: -------------------------------------------------------------------------------- 1 | { 2 | "checkov": "no", 3 | "cloudrail": "yes", 4 | "kics": "yes", 5 | "snyk": "no", 6 | "terrascan": "no", 7 | "tfsec": "no" 8 | } 9 | -------------------------------------------------------------------------------- /test-cases/terraform/hcl_language_complexity/using_locals/terrascan_results.txt: -------------------------------------------------------------------------------- 1 | 2 | 3 | Scan Summary - 4 | 5 | File/Folder : /iac 6 | IaC Type : all 7 | Scanned At : 2021-08-20 04:58:27.430669444 +0000 UTC 8 | Policies Validated : 1 9 | Violated Policies : 0 10 | Low : 0 11 | Medium : 0 12 | High : 0 13 | 14 | 15 | -------------------------------------------------------------------------------- /test-cases/terraform/hcl_language_complexity/using_locals/tfsec_results.txt: -------------------------------------------------------------------------------- 1 | 2 | times 3 | ------------------------------------------ 4 | disk i/o 57.797751ms 5 | parsing HCL 532.041µs 6 | evaluating values 3.101918ms 7 | running checks 11.189583ms 8 | 9 | counts 10 | ------------------------------------------ 11 | files loaded 1 12 | blocks 3 13 | modules 0 14 | 15 | results 16 | ------------------------------------------ 17 | critical 0 18 | high 0 19 | medium 0 20 | low 0 21 | ignored 0 22 | 23 | No problems detected! 
24 | 25 | -------------------------------------------------------------------------------- /test-cases/terraform/hcl_language_complexity/using_module_multi/main.tf: -------------------------------------------------------------------------------- 1 | # In this case we're using a module and setting a password for one user, 2 | # but not the other. For a tool to pass this test case it should alert a violation about 3 | # only one of the two users. A tool that doesn't alert at all is considered a failure of the test. 4 | 5 | module "jack" { 6 | source = "./mymodule" 7 | user_name = "jack" 8 | allow_password = true 9 | pgp_key = "keybase:some_key" 10 | } 11 | 12 | module "jill" { 13 | source = "./mymodule" 14 | user_name = "jill" 15 | allow_password = false 16 | pgp_key = "keybase:some_key" 17 | } -------------------------------------------------------------------------------- /test-cases/terraform/hcl_language_complexity/using_module_multi/mymodule/user.tf: -------------------------------------------------------------------------------- 1 | variable "allow_password" { 2 | type = bool 3 | } 4 | 5 | variable "user_name" { 6 | type = string 7 | } 8 | 9 | variable "pgp_key" { 10 | type = string 11 | } 12 | 13 | resource "aws_iam_user" "user" { 14 | name = var.user_name 15 | path = "/" 16 | force_destroy = true 17 | } 18 | 19 | resource "aws_iam_user_login_profile" "jack" { 20 | count = var.allow_password ? 
1 : 0 21 | user = aws_iam_user.user.name 22 | pgp_key = var.pgp_key 23 | } 24 | -------------------------------------------------------------------------------- /test-cases/terraform/hcl_language_complexity/using_module_multi/results_summary.json: -------------------------------------------------------------------------------- 1 | { 2 | "checkov": "yes", 3 | "cloudrail": "yes", 4 | "kics": "no", 5 | "snyk": "no", 6 | "terrascan": "no", 7 | "tfsec": "no" 8 | } 9 | -------------------------------------------------------------------------------- /test-cases/terraform/hcl_language_complexity/using_module_multi/terrascan_results.txt: -------------------------------------------------------------------------------- 1 | 2 | 3 | Scan Summary - 4 | 5 | File/Folder : /iac 6 | IaC Type : all 7 | Scanned At : 2021-08-18 12:54:34.921911924 +0000 UTC 8 | Policies Validated : 1 9 | Violated Policies : 0 10 | Low : 0 11 | Medium : 0 12 | High : 0 13 | 14 | 15 | -------------------------------------------------------------------------------- /test-cases/terraform/hcl_language_complexity/using_module_multi/tfsec_results.txt: -------------------------------------------------------------------------------- 1 | 2 | times 3 | ------------------------------------------ 4 | disk i/o 109.378625ms 5 | parsing HCL 591.251µs 6 | evaluating values 13.784083ms 7 | running checks 18.988834ms 8 | 9 | counts 10 | ------------------------------------------ 11 | files loaded 2 12 | blocks 2 13 | modules 2 14 | 15 | results 16 | ------------------------------------------ 17 | critical 0 18 | high 0 19 | medium 0 20 | low 0 21 | ignored 0 22 | 23 | No problems detected! 
24 | 25 | -------------------------------------------------------------------------------- /test-cases/terraform/hcl_language_complexity/using_module_simple/checkov_results.txt: -------------------------------------------------------------------------------- 1 | 2 | 3 | _ _ 4 | ___| |__ ___ ___| | _______ __ 5 | / __| '_ \ / _ \/ __| |/ / _ \ \ / / 6 | | (__| | | | __/ (__| < (_) \ V / 7 | \___|_| |_|\___|\___|_|\_\___/ \_/ 8 | 9 | By bridgecrew.io | version: 2.0.358 10 | Update available 2.0.358 -> 2.0.359 11 | Run pip3 install -U checkov to update 12 | 13 | 14 | -------------------------------------------------------------------------------- /test-cases/terraform/hcl_language_complexity/using_module_simple/main.tf: -------------------------------------------------------------------------------- 1 | # In this case, we're simply using an external, commonly used module 2 | # to create a user who has a password. 3 | module "jack" { 4 | source = "cloudposse/iam-user/aws" 5 | version = "v0.8.0" 6 | name = "jack" 7 | user_name = "jack@companyname.com" 8 | pgp_key = "keybase:jack" 9 | groups = ["admins"] 10 | } -------------------------------------------------------------------------------- /test-cases/terraform/hcl_language_complexity/using_module_simple/results_summary.json: -------------------------------------------------------------------------------- 1 | { 2 | "checkov": "no", 3 | "cloudrail": "yes", 4 | "kics": "no", 5 | "snyk": "no", 6 | "terrascan": "no", 7 | "tfsec": "no" 8 | } 9 | -------------------------------------------------------------------------------- /test-cases/terraform/hcl_language_complexity/using_module_simple/terrascan_results.txt: -------------------------------------------------------------------------------- 1 | 2 | 3 | Scan Summary - 4 | 5 | File/Folder : /iac 6 | IaC Type : all 7 | Scanned At : 2021-08-18 16:14:49.82672618 +0000 UTC 8 | Policies Validated : 1 9 | Violated Policies : 0 10 | Low : 0 11 | Medium : 0 12 | High : 0 13 | 14 | 15 
| -------------------------------------------------------------------------------- /test-cases/terraform/hcl_language_complexity/using_module_simple/tfsec_results.txt: -------------------------------------------------------------------------------- 1 | 2 | times 3 | ------------------------------------------ 4 | disk i/o 13.118098ms 5 | parsing HCL 59.094µs 6 | evaluating values 43.269647ms 7 | running checks 6.381818ms 8 | 9 | counts 10 | ------------------------------------------ 11 | files loaded 10 12 | blocks 1 13 | modules 2 14 | 15 | results 16 | ------------------------------------------ 17 | critical 0 18 | high 0 19 | medium 0 20 | low 0 21 | ignored 0 22 | 23 | No problems detected! 24 | 25 | --------------------------------------------------------------------------------