Terraform

Made by DeepSource
Ensure all Cloud SQL database instances require incoming connections to use SSL TF-S2006
Security
Critical

Cloud SQL database instances should require SSL/TLS for every incoming connection (the `require_ssl` setting in `ip_configuration`), so that credentials and query data are never sent in cleartext between clients and the instance.

Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters TF-S2001
Security
Major

Stackdriver (now Cloud Logging) is the default logging solution for clusters deployed on GKE. Cluster logging should stay enabled so that control-plane access and workload activity can be audited; setting `logging_service` to `"none"` turns it off and is what this rule flags.

Ensure that Cloud SQL database instances are not open to the world TF-S2011
Security
Critical

Cloud SQL database instances should not accept connections from arbitrary internet addresses (an authorized network of `0.0.0.0/0`). Prefer a private IP, or allowlist only the specific CIDR ranges that need access, to lower the attack surface.
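The two Cloud SQL findings above (TF-S2006 and TF-S2011) are usually fixed in the same `ip_configuration` block. The following is an added example, not configuration from DeepSource or from the rule page: a flagged instance next to a hardened one. Instance names, the tier and the `google_compute_network.app` VPC are placeholders assumed for the example.

```hcl
# Flagged by TF-S2006 (SSL optional) and TF-S2011 (open to the whole internet).
resource "google_sql_database_instance" "weak" {
  name             = "orders-db-weak"   # placeholder
  database_version = "POSTGRES_14"
  region           = "us-central1"

  settings {
    tier = "db-custom-2-7680"

    ip_configuration {
      ipv4_enabled = true
      require_ssl  = false              # TF-S2006: cleartext connections accepted

      authorized_networks {
        name  = "everyone"
        value = "0.0.0.0/0"             # TF-S2011: any address on the internet
      }
    }
  }
}

# Hardened: TLS required, no public IPv4 address, reachable only from the
# peered VPC. google_compute_network.app is assumed to exist and to have a
# Service Networking private connection configured.
resource "google_sql_database_instance" "hardened" {
  name             = "orders-db"        # placeholder
  database_version = "POSTGRES_14"
  region           = "us-central1"

  settings {
    tier = "db-custom-2-7680"

    ip_configuration {
      ipv4_enabled    = false                          # no public address at all
      private_network = google_compute_network.app.id  # placeholder VPC
      require_ssl     = true                           # TF-S2006 satisfied
      # No authorized_networks block: nothing is allowlisted from the internet.
    }
  }

  deletion_protection = true
}
```

If a public IP is unavoidable, keep `require_ssl = true` and list only the specific CIDR ranges that need access in `authorized_networks`. Newer releases of the Google provider deprecate `require_ssl` in favour of `ssl_mode`; `ssl_mode = "ENCRYPTED_ONLY"` (or `"TRUSTED_CLIENT_CERTIFICATE_REQUIRED"` for mutual TLS) expresses the same requirement there.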

An ingress security group rule allows traffic from /0 TF-AWS006
Security
Major

A standalone `aws_security_group_rule` whose source CIDR is `0.0.0.0/0` (or `::/0` for IPv6) accepts traffic from every address on the internet. Restrict ingress to the CIDR ranges or security groups that actually need access; a wildcard is only defensible on a deliberately public listener port.

An egress security group rule allows traffic to /0 TF-AWS007
Security
Major

A standalone egress rule to `0.0.0.0/0` lets instances connect to any destination on the internet, which makes data exfiltration and command-and-control traffic trivial. Limit egress to the destinations and ports the workload needs.

Elasticsearch domain endpoint is using outdated TLS policy TF-AWS034
Security
Major

The `tls_security_policy` in an Elasticsearch domain's `domain_endpoint_options` should not allow TLS 1.0 or 1.1 (the `Policy-Min-TLS-1-0-2019-07` policy). These versions have known weaknesses; require a policy with a TLS 1.2 minimum.
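As an added example (not configuration from DeepSource or the rule page), the domain below enforces HTTPS with a TLS 1.2 minimum policy; the domain name, version and instance sizing are placeholders assumed for the example.

```hcl
resource "aws_elasticsearch_domain" "search" {
  domain_name           = "app-search"   # placeholder
  elasticsearch_version = "7.10"

  cluster_config {
    instance_type = "t3.small.elasticsearch"
  }

  ebs_options {
    ebs_enabled = true
    volume_size = 10
  }

  domain_endpoint_options {
    enforce_https = true   # plain HTTP to the domain endpoint is refused
    # TF-AWS034 flags "Policy-Min-TLS-1-0-2019-07", which still negotiates
    # TLS 1.0 and 1.1. This policy requires TLS 1.2 or newer.
    tls_security_policy = "Policy-Min-TLS-1-2-2019-07"
  }

  # Not checked by this rule, but the domain is not encrypted without them.
  encrypt_at_rest {
    enabled = true
  }

  node_to_node_encryption {
    enabled = true
  }
}
```

`enforce_https` matters as much as the policy: the TLS policy only governs connections that are already TLS, so leaving HTTP enabled would still expose the data in cleartext. The same `domain_endpoint_options` block applies to the newer `aws_opensearch_domain` resource.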

EKS should have the encryption of secrets enabled TF-AWS066
Security
Major

`aws_eks_cluster` resources should set an `encryption_config` block whose `resources` list includes `"secrets"`, so that Kubernetes Secrets stored in etcd are envelope-encrypted with a KMS key instead of relying only on the control plane's disk-level encryption.
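An added example (not configuration from DeepSource or the rule page) of the `encryption_config` block together with the KMS key it references. The cluster name, `aws_iam_role.eks_cluster` and `aws_subnet.private` are placeholders assumed to exist.

```hcl
# Customer-managed key used to wrap the data keys that encrypt each Secret.
resource "aws_kms_key" "eks_secrets" {
  description             = "Envelope encryption for Kubernetes Secrets in etcd"
  enable_key_rotation     = true
  deletion_window_in_days = 30
}

resource "aws_eks_cluster" "main" {
  name     = "app"                           # placeholder
  role_arn = aws_iam_role.eks_cluster.arn    # placeholder cluster role

  vpc_config {
    subnet_ids              = aws_subnet.private[*].id   # placeholder subnets
    endpoint_private_access = true
    endpoint_public_access  = false
  }

  # TF-AWS066: without this block the cluster has no application-level
  # encryption of Secrets. With it, the API server asks KMS for a data key
  # and stores each Secret encrypted under that key.
  encryption_config {
    resources = ["secrets"]

    provider {
      key_arn = aws_kms_key.eks_secrets.arn
    }
  }
}
```

The cluster role needs `kms:Encrypt`, `kms:Decrypt` and `kms:DescribeKey` on the key (the cluster-creating principal needs `kms:CreateGrant` as well). Secrets created before the block is enabled are only re-encrypted once they are rewritten, so plan a rolling update of existing Secrets after enabling it.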

Ensure 'Automatic node upgrade' is enabled for Kubernetes Clusters TF-S2010
Security
Major

Node auto-upgrade keeps nodes up to date with the latest cluster master version whenever the master is updated on your behalf, so nodes do not fall behind on security patches. It should be enabled in the node pool's `management` block.

S3 Access block should block public ACL TF-AWS074
Security
Major

S3 buckets should block public ACLs on buckets and any objects they contain.
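The rule checks `block_public_acls`, but the four public-access flags are meant to be set together. This is an added example, not configuration from DeepSource or the rule page; the bucket name is a placeholder.

```hcl
resource "aws_s3_bucket" "logs" {
  bucket = "example-app-logs-0192837465"   # placeholder, bucket names are global
}

# Flagged by TF-AWS074: public ACLs are still accepted on the bucket and its objects.
resource "aws_s3_bucket_public_access_block" "weak" {
  bucket              = aws_s3_bucket.logs.id
  block_public_acls   = false
  ignore_public_acls  = false
  block_public_policy = false
}

# Hardened: all four flags, each closing a different public-access path.
resource "aws_s3_bucket_public_access_block" "logs" {
  bucket = aws_s3_bucket.logs.id

  block_public_acls       = true   # reject PutBucketAcl/PutObjectAcl calls that grant public access
  ignore_public_acls      = true   # treat any public ACL already present as if it were private
  block_public_policy     = true   # reject bucket policies that grant public access
  restrict_public_buckets = true   # if a public policy exists, only the account and AWS services can use it
}

# Disabling ACLs entirely removes the ACL attack surface; access is then
# governed only by IAM and bucket policies.
resource "aws_s3_bucket_ownership_controls" "logs" {
  bucket = aws_s3_bucket.logs.id

  rule {
    object_ownership = "BucketOwnerEnforced"
  }
}
```

A single `aws_s3_account_public_access_block` applies the same four flags account-wide and is the stronger default; per-bucket blocks then only need to exist for deliberate exceptions.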

Azure instance is using basic authentication TF-S1001
Security
Critical

Ensure the Azure virtual machine does not accept password (basic) authentication over SSH. Passwords are guessable and brute-forceable from the internet; set `disable_password_authentication = true` and provision an `admin_ssh_key` instead.
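An added example (not configuration from DeepSource or the rule page) of a Linux VM that only accepts key-based SSH. The VM name, size, `azurerm_resource_group.app`, `azurerm_network_interface.web` and `var.admin_public_key` are placeholders assumed to exist.

```hcl
resource "azurerm_linux_virtual_machine" "web" {
  name                = "web-01"                              # placeholder
  resource_group_name = azurerm_resource_group.app.name       # placeholder RG
  location            = azurerm_resource_group.app.location
  size                = "Standard_B2s"
  admin_username      = "azureuser"

  network_interface_ids = [azurerm_network_interface.web.id]  # placeholder NIC

  # TF-S1001: the flagged form sets this to false and supplies admin_password.
  # With it true, sshd on the image is configured for publickey auth only.
  disable_password_authentication = true

  admin_ssh_key {
    username   = "azureuser"
    public_key = var.admin_public_key   # placeholder: an ssh-ed25519 or rsa public key
  }

  os_disk {
    caching              = "ReadWrite"
    storage_account_type = "Premium_LRS"
  }

  source_image_reference {
    publisher = "Canonical"
    offer     = "0001-com-ubuntu-server-jammy"
    sku       = "22_04-lts-gen2"
    version   = "latest"
  }
}
```

Only the public key goes into Terraform; the private key never appears in configuration or state. A VM that needs `admin_password` for a Windows image or a legacy provisioning step should still not expose port 22 or 3389 to the internet.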

Azure AKS is not using RBAC TF-S1005
Security
Critical

Ensure Azure AKS has RBAC (Role-based Access Control) enabled.
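An added example (not configuration from DeepSource or the rule page) of an AKS cluster with Kubernetes RBAC enabled and bound to Azure AD, written for azurerm provider 3.x. The cluster name, node sizing, `azurerm_resource_group.app` and the admin group object ID are placeholders.

```hcl
resource "azurerm_kubernetes_cluster" "main" {
  name                = "app-aks"                          # placeholder
  location            = azurerm_resource_group.app.location
  resource_group_name = azurerm_resource_group.app.name    # placeholder RG
  dns_prefix          = "app-aks"

  default_node_pool {
    name       = "system"
    node_count = 3
    vm_size    = "Standard_D2s_v3"
  }

  identity {
    type = "SystemAssigned"
  }

  # TF-S1005: with this false every authenticated client is cluster-admin.
  # (azurerm 2.x expressed the same thing as role_based_access_control { enabled = true }.)
  role_based_access_control_enabled = true

  # Give RBAC a real identity source: cluster roles bind to Azure AD users and groups.
  azure_active_directory_role_based_access_control {
    managed                = true
    azure_rbac_enabled     = true
    admin_group_object_ids = ["00000000-0000-0000-0000-000000000000"]   # placeholder group
  }

  # Remove the static, non-auditable cluster-admin credential from `az aks get-credentials --admin`.
  local_account_disabled = true
}
```

Enabling RBAC is only the first step; without `RoleBinding`/`ClusterRoleBinding` objects scoped to the groups above, developers will have no access at all, and without `local_account_disabled` the admin kubeconfig bypasses RBAC entirely.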

Standard pricing tier is not selected TF-S1019
Security
Critical

The "standard" tier of Azure Security Center provides defense in depth that the "free" tier does not: threat detection for networks and virtual machines, threat intelligence, anomaly detection and behavior analytics. It is highly recommended to select the "standard" tier rather than the "free" tier.

Master authorized networks are not enabled in GKE clusters TF-S2019
Security
Major

Master authorized networks allowlist specific CIDR ranges: only IP addresses in those ranges may reach the cluster master endpoint over HTTPS. GKE already secures the master endpoint with TLS and authentication, which is what makes it possible to administer the cluster from anywhere on the public internet; authorized networks add a second layer by restricting who can even attempt to connect.

We recommend you enable "master authorized networks" in GKE clusters.
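The three GKE findings on this page (TF-S2001 logging, TF-S2010 node auto-upgrade and TF-S2019 master authorized networks) all land on one cluster and its node pool, so the added example below shows them together. This is not configuration from DeepSource or the rule page; the cluster name, machine type and the two allowlisted CIDR ranges are placeholders.

```hcl
resource "google_container_cluster" "primary" {
  name     = "app-cluster"   # placeholder
  location = "us-central1"

  # TF-S2001: keep cluster logging on. "none" disables it and is what the rule flags.
  logging_service    = "logging.googleapis.com/kubernetes"
  monitoring_service = "monitoring.googleapis.com/kubernetes"

  # TF-S2019: only these ranges may reach the control-plane endpoint over HTTPS.
  master_authorized_networks_config {
    cidr_blocks {
      cidr_block   = "203.0.113.0/24"   # placeholder: corporate egress range
      display_name = "corp-office"
    }
    cidr_blocks {
      cidr_block   = "10.10.0.0/16"     # placeholder: CI runners' VPC range
      display_name = "ci-runners"
    }
  }

  # Manage the node pool as its own resource so its settings are explicit.
  remove_default_node_pool = true
  initial_node_count       = 1
}

resource "google_container_node_pool" "default" {
  name       = "default-pool"
  cluster    = google_container_cluster.primary.id
  node_count = 3

  # TF-S2010: nodes follow the control-plane version automatically and are
  # recreated if they fail health checks.
  management {
    auto_upgrade = true
    auto_repair  = true
  }

  node_config {
    machine_type = "e2-standard-4"   # placeholder
    oauth_scopes = ["https://www.googleapis.com/auth/cloud-platform"]
  }
}
```

An empty `master_authorized_networks_config {}` block enables the feature with no allowlisted ranges, which is the right starting point for a private cluster that is administered from inside the VPC. Newer Google provider releases also accept a `logging_config { enable_components = [...] }` block in place of `logging_service`; either form satisfies the logging requirement as long as it is not disabled.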

Load balancer is exposed to the internet TF-AWS005
Security
Critical

An `aws_lb` with `internal` left at its default of `false` receives a public DNS name and is reachable from the internet. Load balancers should be internal unless they are deliberately public-facing, to prevent accidental exposure of internal assets.

An inline ingress security group rule allows traffic from /0 TF-AWS008
Security
Major

An inline `ingress` block in an `aws_security_group` with `cidr_blocks = ["0.0.0.0/0"]` (or `ipv6_cidr_blocks = ["::/0"]`) accepts traffic from every address on the internet. Restrict it to the CIDR ranges or security groups that actually need access.

An inline egress security group rule allows traffic to /0 TF-AWS009
Security
Major

An inline `egress` block in an `aws_security_group` with `cidr_blocks = ["0.0.0.0/0"]` lets instances reach any destination on the internet. Limit egress to the destinations and ports the workload needs.
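The four security-group findings (TF-AWS006 and TF-AWS007 for standalone `aws_security_group_rule` resources, TF-AWS008 and TF-AWS009 for inline `ingress`/`egress` blocks) differ only in where the rule is written, so the added example below covers all of them. It is not configuration from DeepSource or the rule page; the VPC, the `db` security group and the two scoped CIDR ranges are placeholders.

```hcl
# Flagged by TF-AWS008 and TF-AWS009: inline rules open to every IPv4 and IPv6 address.
resource "aws_security_group" "weak" {
  name   = "web-weak"
  vpc_id = aws_vpc.main.id   # placeholder VPC

  ingress {
    from_port        = 22
    to_port          = 22
    protocol         = "tcp"
    cidr_blocks      = ["0.0.0.0/0"]   # TF-AWS008: SSH from the whole internet
    ipv6_cidr_blocks = ["::/0"]        # the IPv6 equivalent; restrict this too
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]        # TF-AWS009: any destination, any port
  }
}

# Hardened: the group is declared empty and its rules are standalone resources,
# which is the form TF-AWS006 and TF-AWS007 inspect.
resource "aws_security_group" "web" {
  name   = "web"
  vpc_id = aws_vpc.main.id
}

resource "aws_security_group_rule" "ssh_from_vpn" {
  type              = "ingress"
  security_group_id = aws_security_group.web.id
  from_port         = 22
  to_port           = 22
  protocol          = "tcp"
  cidr_blocks       = ["198.51.100.0/24"]   # placeholder: VPN egress range, not /0
}

# Public HTTPS is the one place a wildcard is intentional. Keep it on a single
# port and describe it, so a reviewer can tell it apart from an accident.
resource "aws_security_group_rule" "https_public" {
  type              = "ingress"
  security_group_id = aws_security_group.web.id
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
  description       = "Public HTTPS listener (intentional)"
}

# Egress only to the database tier, by security group rather than by CIDR.
resource "aws_security_group_rule" "egress_to_db" {
  type                     = "egress"
  security_group_id        = aws_security_group.web.id
  from_port                = 5432
  to_port                  = 5432
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.db.id   # placeholder DB group
}
```

Mixing inline blocks and standalone `aws_security_group_rule` resources on the same group causes Terraform to fight over the rule set on every apply, so pick one form per group. The intentional `/0` on port 443 will still be reported by TF-AWS006; that is the point of the rule, and the finding should be reviewed and acknowledged rather than silenced by widening the port range.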

An outdated SSL policy is in use by a load balancer TF-AWS010
Security
Critical

The `ssl_policy` on an `aws_lb_listener` should not be one of the older predefined policies (such as `ELBSecurityPolicy-2016-08`) that still negotiate TLS 1.0 and 1.1. These versions have known weaknesses; use a policy with a TLS 1.2 minimum.
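TF-AWS005 and TF-AWS010 both concern the application load balancer, so the added example below shows an internal `aws_lb` with a modern TLS policy on its listener and an HTTP-to-HTTPS redirect. It is not configuration from DeepSource or the rule page; the subnets, security group, certificate and target group are placeholders assumed to exist.

```hcl
resource "aws_lb" "app" {
  name               = "app-internal"
  load_balancer_type = "application"
  internal           = true                          # TF-AWS005: the default (false) gives it a public DNS name
  subnets            = aws_subnet.private[*].id      # placeholder private subnets
  security_groups    = [aws_security_group.alb.id]   # placeholder
}

resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.app.arn
  port              = 443
  protocol          = "HTTPS"
  certificate_arn   = aws_acm_certificate.app.arn    # placeholder ACM certificate
  # TF-AWS010: "ELBSecurityPolicy-2016-08" still accepts TLS 1.0/1.1.
  # This policy negotiates TLS 1.3 and TLS 1.2 only.
  ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.app.arn   # placeholder
  }
}

# Plain HTTP is never served; clients are redirected to the TLS listener.
resource "aws_lb_listener" "http_redirect" {
  load_balancer_arn = aws_lb.app.arn
  port              = 80
  protocol          = "HTTP"

  default_action {
    type = "redirect"

    redirect {
      port        = "443"
      protocol    = "HTTPS"
      status_code = "HTTP_301"
    }
  }
}
```

A load balancer that genuinely must be public should set `internal = false` explicitly, with a comment explaining why, so the finding is a conscious exception rather than a forgotten default.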

A resource is marked as publicly accessible TF-AWS011
Security
Critical

Database resources such as `aws_db_instance` should not set `publicly_accessible = true`. A publicly accessible database gets an endpoint that resolves to a public IP, leaving it one security-group mistake away from internet exposure.

A resource has a public IP address TF-AWS012
Security
Major

Limit public IP addresses (for example `associate_public_ip_address = true` on an `aws_instance`) to resources that must be reachable from the internet. Place everything else in private subnets and reach it through a load balancer, VPN, bastion or SSM Session Manager.
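TF-AWS011 and TF-AWS012 are both about keeping a resource off the public internet, one for a database and one for an instance. The added example below (not configuration from DeepSource or the rule page) shows the private form of each; the subnet group, subnets, security groups, AMI data source and `var.db_password` are placeholders assumed to exist.

```hcl
# TF-AWS011: a private RDS instance.
resource "aws_db_instance" "orders" {
  identifier             = "orders"
  engine                 = "postgres"
  engine_version         = "14"
  instance_class         = "db.t3.medium"
  allocated_storage      = 50
  username               = "app"
  password               = var.db_password                     # placeholder
  db_subnet_group_name   = aws_db_subnet_group.private.name     # placeholder: private subnets only
  vpc_security_group_ids = [aws_security_group.db.id]           # placeholder
  publicly_accessible    = false   # true would give the endpoint a public IP
  storage_encrypted      = true
  skip_final_snapshot    = false
}

# TF-AWS012: an instance with no public address, reached through SSM or a bastion.
resource "aws_instance" "app" {
  ami                         = data.aws_ami.app.id            # placeholder AMI lookup
  instance_type               = "t3.small"
  subnet_id                   = aws_subnet.private[0].id       # placeholder private subnet
  vpc_security_group_ids      = [aws_security_group.web.id]    # placeholder
  associate_public_ip_address = false   # TF-AWS012: no public IPv4 on this ENI
}
```

`associate_public_ip_address` overrides the subnet's `map_public_ip_on_launch` setting for that instance, so setting it explicitly protects against an instance being dropped into a public subnet by mistake. For the database, `publicly_accessible = false` only removes the public endpoint; the subnet group must still consist of private subnets.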

Task definition defines sensitive environment variable(s) TF-AWS013
Security
Major

Secrets should never be placed in plaintext in a task definition's `environment` list. The values are stored in the registered task definition, are visible to anyone with `ecs:DescribeTaskDefinition`, and end up in Terraform state; use the `secrets` list to reference Secrets Manager or SSM Parameter Store entries instead.
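An added example (not configuration from DeepSource or the rule page) of the flagged pattern beside the corrected one. The image URI, secret name, `aws_iam_role.ecs_exec`, `aws_db_instance.orders` and `var.db_password` are placeholders assumed to exist.

```hcl
# Flagged by TF-AWS013: the password is written into the task definition JSON.
resource "aws_ecs_task_definition" "weak" {
  family                   = "app-weak"
  requires_compatibilities = ["FARGATE"]
  network_mode             = "awsvpc"
  cpu                      = 256
  memory                   = 512

  container_definitions = jsonencode([{
    name      = "app"
    image     = "123456789012.dkr.ecr.us-east-1.amazonaws.com/app:1.4.2"   # placeholder
    essential = true
    environment = [
      { name = "DB_PASSWORD", value = var.db_password }   # plaintext in the registered definition and in state
    ]
  }])
}

# The secret lives in Secrets Manager; Terraform only manages the container.
resource "aws_secretsmanager_secret" "db_password" {
  name = "app/db_password"   # placeholder
}

# Hardened: the ECS agent fetches the value at task start and injects it into
# the container's environment; the task definition only holds the ARN.
resource "aws_ecs_task_definition" "app" {
  family                   = "app"
  requires_compatibilities = ["FARGATE"]
  network_mode             = "awsvpc"
  cpu                      = 256
  memory                   = 512
  execution_role_arn       = aws_iam_role.ecs_exec.arn   # placeholder; needs secretsmanager:GetSecretValue on the secret

  container_definitions = jsonencode([{
    name      = "app"
    image     = "123456789012.dkr.ecr.us-east-1.amazonaws.com/app:1.4.2"   # placeholder
    essential = true

    # Non-sensitive configuration can stay in environment.
    environment = [
      { name = "DB_HOST", value = aws_db_instance.orders.address }
    ]

    # TF-AWS013: sensitive values are referenced, never inlined.
    secrets = [
      { name = "DB_PASSWORD", valueFrom = aws_secretsmanager_secret.db_password.arn }
    ]
  }])
}
```

The value is resolved by the task *execution* role, not the task role, so that role needs read access to the secret (and to its KMS key if the secret is customer-key encrypted). An SSM `aws_ssm_parameter` ARN of type `SecureString` works in `valueFrom` the same way. Note that the weak form also leaks through `terraform plan` output unless the variable is marked `sensitive = true`, which hides it from logs but not from the task definition itself.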