Detected password authentication instead of SSH keys TF-AZU005
Passwords can be brute-forced, are prone to human error with possibitlies of weak password creation. Moreover password policies may be frustrating. Using SSH keys reduces the brute force attack vector to significant degrees.
An inbound firewall rule allows traffic from /0 TF-GCP003
Firewall source IPs must be restrictive. Specifying a non restrictive IP range allows your infrastructure to send traffic to unauthorized IP ranges. Specify a restrictive source IP range in the source_ranges attribute. Refer https://cloud.google.com/vpc/docs/using-firewalls for an overview.
Consider using # for comments TF-L0040
The Terraform language supports two different syntaxes for single-line comments: # and //. However, # is the default comment style and should be used in most cases. Ref: Configuration Syntax: Comments.
Invalid AWS MQ broker engine type TF-L0050
Value provided in engine_type for AWS MQ is not valid. Please check AWS Broker Engine Types for vilid values.
An ingress security group rule allows traffic from /0 TF-AWS006
Opening up unwanted CIDR ranges to the public internet is generally to be avoided.
An egress security group rule allows traffic to /0 TF-AWS007
Opening up unwanted CIDR ranges to connect out to the public internet is generally to be avoided.
Load balancer is exposed to the internet TF-AWS005
Warns against to prevent accidental exposure of internal assets.
An inline ingress security group rule allows traffic from /0 TF-AWS008
Opening up unwanted CIDR ranges to the public internet is generally to be avoided.
An inline egress security group rule allows traffic to /0 TF-AWS009
Opening up unwanted CIDR ranges to the public internet is generally to be avoided.
An outdated SSL policy is in use by a load balancer TF-AWS010
It is not recommended to use outdated/insecure TLS versions for encryption.
A resource is marked as publicly accessible TF-AWS011
Database resources should not publicly available.
Task definition defines sensitive environment variable(s) TF-AWS013
You should not make secrets available to a user in plaintext in any scenario.
Launch configuration with unencrypted block device TF-AWS014
Blocks devices should be encrypted to ensure sensitive data is stored securely at rest.
Unencrypted SQS queue TF-AWS015
Queues should be encrypted with customer managed KMS keys and not default AWS managed keys, in order to allow granular control over access to specific queues.
Unencrypted SNS topic TF-AWS016
Queues should be encrypted with customer managed KMS keys and not default AWS managed keys, in order to allow granular control over access to specific queues.
Unencrypted S3 bucket TF-AWS017
S3 Buckets should be encrypted with customer managed KMS keys and not default AWS managed keys, in order to allow granular control over access to specific buckets.
Missing description for security group/security group rule TF-AWS018
Security groups and security group rules should include a description for auditing purposes.
An inbound network security rule allows traffic from /0 TF-AZU001
Firewall source IPs must be restrictive. Specifying a non restrictive IP range allows your infrastructure to send traffic to unauthorized IP ranges. Specify a restrictive source IP range in the source_addresses attribute. Refer https://docs.microsoft.com/en-us/azure/firewall/overview for an overview.
S3 Bucket does not have logging enabled TF-AWS002
Buckets should have logging enabled so that access can be audited.
AWS Classic resource usage TF-AWS003
AWS Classic resources run in a shared environment with infrastructure owned by other AWS customers.