TF-AZU005 (password authentication instead of SSH keys)
Passwords can be brute-forced and are prone to human error, with a real chance of weak passwords being chosen. Password policies are also frustrating for users. Authenticating with SSH keys instead of passwords removes the online brute-force attack vector almost entirely.
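As an added example (not part of the scanner's own documentation), the two azurerm_linux_virtual_machine definitions below show the configuration this check targets and its compliant form. The resource group, network interface, image and public-key path are assumed placeholders.

```hcl
# Added example; the resource group, NIC, image and key path are assumptions.

# Flagged: the VM accepts a password over SSH. The password is also written
# to Terraform state in plaintext.
resource "azurerm_linux_virtual_machine" "password_auth" {
  name                            = "vm-password-auth"
  resource_group_name             = azurerm_resource_group.example.name
  location                        = azurerm_resource_group.example.location
  size                            = "Standard_B1s"
  admin_username                  = "azureuser"
  admin_password                  = var.admin_password
  disable_password_authentication = false
  network_interface_ids           = [azurerm_network_interface.example.id]

  os_disk {
    caching              = "ReadWrite"
    storage_account_type = "Standard_LRS"
  }

  source_image_reference {
    publisher = "Canonical"
    offer     = "0001-com-ubuntu-server-jammy"
    sku       = "22_04-lts"
    version   = "latest"
  }
}

# Compliant: password login is disabled in sshd by the provisioning agent and
# only the listed public key is installed for azureuser. The private key never
# touches Azure or the Terraform state.
resource "azurerm_linux_virtual_machine" "key_auth" {
  name                            = "vm-key-auth"
  resource_group_name             = azurerm_resource_group.example.name
  location                        = azurerm_resource_group.example.location
  size                            = "Standard_B1s"
  admin_username                  = "azureuser"
  disable_password_authentication = true
  network_interface_ids           = [azurerm_network_interface.example.id]

  admin_ssh_key {
    username   = "azureuser"
    public_key = file("${path.module}/keys/azureuser.pub") # assumed path; RSA, 2048 bits or longer
  }

  os_disk {
    caching              = "ReadWrite"
    storage_account_type = "Standard_LRS"
  }

  source_image_reference {
    publisher = "Canonical"
    offer     = "0001-com-ubuntu-server-jammy"
    sku       = "22_04-lts"
    version   = "latest"
  }
}
```

With disable_password_authentication = true the provider rejects an admin_password argument, so the two settings cannot drift apart. Azure VM provisioning accepts RSA public keys of at least 2048 bits for admin_ssh_key. The legacy azurerm_virtual_machine resource expresses the same control as os_profile_linux_config { disable_password_authentication = true }.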
TF-GCP003 (source range /0)
Firewall source IPs must be restrictive. A non-restrictive source range such as 0.0.0.0/0 allows traffic from any address on the internet to reach your infrastructure. Specify a restrictive source IP range in the source_ranges attribute. Refer to https://cloud.google.com/vpc/docs/using-firewalls for an overview.
TF-AWS006 (ingress from /0)
Opening up unwanted CIDR ranges to the public internet is generally to be avoided. An ingress rule whose source is 0.0.0.0/0 (or ::/0) exposes the port to every address on the internet.

TF-AWS007 (egress to /0)
Opening up unwanted CIDR ranges to connect out to the public internet is generally to be avoided. The check warns against such rules to prevent accidental exposure of internal assets: an instance that can reach any address can also be used to exfiltrate data or fetch payloads from arbitrary hosts.

TF-AWS008 (/0)
Opening up unwanted CIDR ranges to the public internet is generally to be avoided.

TF-AWS009 (/0)
Opening up unwanted CIDR ranges to the public internet is generally to be avoided.
It is not recommended to use outdated/insecure TLS versions for encryption.
Database resources should not be publicly available.
You should not make secrets available to a user in plaintext in any scenario.
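The two checks above (publicly reachable database, plaintext secrets in a task definition) are illustrated by the added example below. It is not code from the scanner or its documentation; the VPC, subnet group, security group, IAM role and image references are assumptions.

```hcl
# Added example; subnet group, security group, IAM role and image are assumptions.

# Flagged: the instance gets a public endpoint, so only the security group
# stands between the database and the internet.
resource "aws_db_instance" "public" {
  identifier          = "app-db-public"
  engine              = "postgres"
  instance_class      = "db.t3.micro"
  allocated_storage   = 20
  username            = "app"
  password            = var.db_password
  publicly_accessible = true
  skip_final_snapshot = true
}

# Compliant: no public endpoint, placed in private subnets, reachable only
# from the application tier's security group.
resource "aws_db_instance" "private" {
  identifier             = "app-db"
  engine                 = "postgres"
  instance_class         = "db.t3.micro"
  allocated_storage      = 20
  username               = "app"
  password               = var.db_password
  publicly_accessible    = false
  db_subnet_group_name   = aws_db_subnet_group.private.name
  vpc_security_group_ids = [aws_security_group.db.id]
  skip_final_snapshot    = true
}

# Flagged: a secret passed as a plaintext environment variable. Anyone with
# ecs:DescribeTaskDefinition can read it, and it sits in Terraform state.
resource "aws_ecs_task_definition" "plaintext_secret" {
  family = "app"
  container_definitions = jsonencode([{
    name  = "app"
    image = "app:1.0"
    environment = [
      { name = "DB_PASSWORD", value = var.db_password }
    ]
  }])
}

# Compliant: the value is stored as an SSM SecureString and ECS injects it at
# container start. The task definition carries only the parameter ARN.
resource "aws_ssm_parameter" "db_password" {
  name  = "/app/db_password"
  type  = "SecureString"
  value = var.db_password
}

resource "aws_ecs_task_definition" "secret_ref" {
  family             = "app"
  execution_role_arn = aws_iam_role.ecs_execution.arn # must allow ssm:GetParameters on the parameter
  container_definitions = jsonencode([{
    name  = "app"
    image = "app:1.0"
    secrets = [
      { name = "DB_PASSWORD", valueFrom = aws_ssm_parameter.db_password.arn }
    ]
  }])
}
```

The secrets list moves the value out of the task definition, but aws_ssm_parameter still records it in Terraform state; creating the parameter outside Terraform and referencing it by ARN, or letting RDS generate the master password with manage_master_user_password = true, keeps the secret out of state entirely.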
Block devices should be encrypted to ensure sensitive data is stored securely at rest.
Queues should be encrypted with customer managed KMS keys and not default AWS managed keys, in order to allow granular control over access to specific queues.
S3 Buckets should be encrypted with customer managed KMS keys and not default AWS managed keys, in order to allow granular control over access to specific buckets.
Security groups and security group rules should include a description for auditing purposes.
TF-AZU001 (source addresses /0)
Firewall source IPs must be restrictive. A non-restrictive source range such as 0.0.0.0/0 (or *) allows traffic from any address to reach your infrastructure. Specify a restrictive source IP range in the source_addresses attribute. Refer to https://docs.microsoft.com/en-us/azure/firewall/overview for an overview.
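The /0 checks for all three providers (TF-GCP003, TF-AWS006 through TF-AWS009, TF-AZU001) come down to the same fix: name the ranges that actually need access. The added example below, which is not code from the scanner or its documentation, shows the compliant form of each resource type and states the flagged form in a comment. It also puts a description on the security group and its rules, which is the separate auditing requirement above. The VPC, network and firewall references are assumptions, and 203.0.113.0/24 (TEST-NET-3) stands in for a real corporate range.

```hcl
# Added example; network references are assumptions and 203.0.113.0/24 is a
# placeholder for the range that genuinely needs access.

# AWS security group (TF-AWS006/007). Flagged form: cidr_blocks = ["0.0.0.0/0"]
# (or ipv6_cidr_blocks = ["::/0"]) on an ingress or egress block.
resource "aws_security_group" "web" {
  name        = "web"
  description = "Web tier: HTTPS from the corporate range, outbound to app tier only"
  vpc_id      = var.vpc_id

  ingress {
    description = "HTTPS from corporate egress range"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["203.0.113.0/24"]
  }

  egress {
    description = "App tier only"
    from_port   = 8443
    to_port     = 8443
    protocol    = "tcp"
    cidr_blocks = ["10.0.2.0/24"]
  }
}

# AWS network ACL rules (TF-AWS008/009). Flagged form: cidr_block = "0.0.0.0/0".
# NACLs are stateless, so the return path needs its own rule; it is scoped to
# the same range rather than opened to the world.
resource "aws_network_acl_rule" "https_in" {
  network_acl_id = aws_network_acl.web.id
  rule_number    = 100
  egress         = false
  protocol       = "tcp"
  rule_action    = "allow"
  cidr_block     = "203.0.113.0/24"
  from_port      = 443
  to_port        = 443
}

resource "aws_network_acl_rule" "https_return" {
  network_acl_id = aws_network_acl.web.id
  rule_number    = 100
  egress         = true
  protocol       = "tcp"
  rule_action    = "allow"
  cidr_block     = "203.0.113.0/24"
  from_port      = 1024
  to_port        = 65535
}

# GCP firewall (TF-GCP003). Flagged form: source_ranges = ["0.0.0.0/0"].
resource "google_compute_firewall" "ssh_from_corp" {
  name          = "allow-ssh-corp"
  network       = google_compute_network.vpc.name
  direction     = "INGRESS"
  source_ranges = ["203.0.113.0/24"]
  target_tags   = ["ssh"]

  allow {
    protocol = "tcp"
    ports    = ["22"]
  }
}

# Azure Firewall network rule (TF-AZU001). Flagged form: source_addresses = ["*"]
# or ["0.0.0.0/0"].
resource "azurerm_firewall_network_rule_collection" "admin" {
  name                = "admin-access"
  azure_firewall_name = azurerm_firewall.hub.name
  resource_group_name = azurerm_resource_group.hub.name
  priority            = 100
  action              = "Allow"

  rule {
    name                  = "ssh-from-corp"
    source_addresses      = ["203.0.113.0/24"]
    destination_ports     = ["22"]
    destination_addresses = ["10.0.1.0/24"]
    protocols             = ["TCP"]
  }
}
```

Where a service genuinely has to be reachable from anywhere (a public HTTPS endpoint), the place to accept 0.0.0.0/0 is a load balancer or CDN in front of the instances, not the instance security group itself.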
Buckets should have logging enabled so that access can be audited.
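The at-rest encryption items above (block devices, queues, S3 buckets with a customer managed key) and the bucket logging item are shown together in the added example below. It is not code from the scanner or its documentation; the AMI data source and the separate log bucket are assumptions.

```hcl
# Added example; the AMI data source and the log bucket are assumptions.

# One customer managed key whose key policy and grants decide which principals
# may decrypt; the AWS managed aws/sqs and aws/s3 keys offer no such control.
resource "aws_kms_key" "data" {
  description             = "CMK for EBS, SQS and S3 at-rest encryption"
  enable_key_rotation     = true
  deletion_window_in_days = 30
}

# Flagged: the data volume is created unencrypted (encrypted defaults to false).
resource "aws_launch_configuration" "unencrypted" {
  name_prefix   = "web-"
  image_id      = data.aws_ami.al2.id
  instance_type = "t3.micro"

  ebs_block_device {
    device_name = "/dev/xvdb"
    volume_size = 50
  }
}

# Compliant: root and data volumes encrypted. aws_launch_configuration has no
# kms_key_id argument, so these use the account's default EBS key; switch to
# aws_launch_template to pin the CMK above.
resource "aws_launch_configuration" "encrypted" {
  name_prefix   = "web-"
  image_id      = data.aws_ami.al2.id
  instance_type = "t3.micro"

  root_block_device {
    encrypted = true
  }

  ebs_block_device {
    device_name = "/dev/xvdb"
    volume_size = 50
    encrypted   = true
  }
}

# SQS. Flagged forms: kms_master_key_id omitted (unencrypted) or set to
# "alias/aws/sqs" (AWS managed key). Compliant: the CMK.
resource "aws_sqs_queue" "orders" {
  name                              = "orders"
  kms_master_key_id                 = aws_kms_key.data.arn
  kms_data_key_reuse_period_seconds = 300
}

# S3. Flagged forms: no encryption configuration, or sse_algorithm = "AES256"
# (SSE-S3, AWS managed). Compliant: aws:kms with the CMK, plus access logging
# to a separate bucket so reads and writes can be audited.
resource "aws_s3_bucket" "data" {
  bucket = "example-org-data-bucket" # assumed name
}

resource "aws_s3_bucket_server_side_encryption_configuration" "data" {
  bucket = aws_s3_bucket.data.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.data.arn
    }
    bucket_key_enabled = true
  }
}

resource "aws_s3_bucket_logging" "data" {
  bucket        = aws_s3_bucket.data.id
  target_bucket = aws_s3_bucket.logs.id # assumed, separate log bucket
  target_prefix = "s3-access/data/"
}
```

With AWS provider versions before 4.0 the encryption and logging settings are nested blocks on aws_s3_bucket itself (server_side_encryption_configuration and logging) rather than separate resources; the arguments inside them are the same.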
AWS Classic resources run in a shared environment with infrastructure owned by other AWS customers.
TF-AWS004 (plain HTTP)
Plain HTTP is unencrypted and human-readable: anyone on the network path can read or modify the traffic.
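The plain-HTTP check and the outdated-TLS check above both land on the load balancer listener, so one added example covers both. It is not code from the scanner or its documentation; the subnets, security group, certificate and target group references are assumptions.

```hcl
# Added example; subnets, security group, certificate and target group are assumptions.

resource "aws_lb" "web" {
  name               = "web"
  load_balancer_type = "application"
  subnets            = var.public_subnet_ids
  security_groups    = [aws_security_group.alb.id]
}

# Flagged form: a port-80 HTTP listener whose default_action forwards to a
# target group, i.e. application traffic served in the clear. The listener
# below keeps port 80 open only to issue a permanent redirect to HTTPS, so
# old links keep working without any content crossing the wire unencrypted.
resource "aws_lb_listener" "http_redirect" {
  load_balancer_arn = aws_lb.web.arn
  port              = 80
  protocol          = "HTTP"

  default_action {
    type = "redirect"
    redirect {
      port        = "443"
      protocol    = "HTTPS"
      status_code = "HTTP_301"
    }
  }
}

# HTTPS listener. The predefined policy allows TLS 1.2 and 1.3 only. The
# long-time default ELBSecurityPolicy-2016-08 still negotiates TLS 1.0 and
# 1.1, which is what the outdated-TLS check flags.
resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.web.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = aws_acm_certificate.web.arn

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.web.arn
  }
}
```

If clients that cannot do TLS 1.3 must be supported, ELBSecurityPolicy-TLS-1-2-2017-01 is the equivalent TLS 1.2-only policy. Traffic between the load balancer and the targets is a separate hop; the target group's own protocol decides whether that leg is encrypted.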
Azure managed disks automatically encrypt your data by default when persisting it to the cloud. Server-side encryption protects your data and helps you meet your organizational security and compliance commitments. Data in Azure managed disks is encrypted transparently using 256-bit AES encryption, one of the strongest block ciphers available, and is FIPS 140-2 compliant. By default, managed disks use platform-managed encryption keys. As of June 10, 2017, all new managed disks, snapshots, images, and new data written to existing managed disks are automatically encrypted at rest with platform-managed keys.

You can choose to manage encryption at the level of each managed disk with your own keys. Server-side encryption for managed disks with customer-managed keys offers an integrated experience with Azure Key Vault: you can either import your RSA keys into your Key Vault or generate new RSA keys in Azure Key Vault. Refer to https://docs.microsoft.com/en-us/azure/virtual-machines/linux/disk-encryption for more information.
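The customer-managed-key path described above is wired together in the added example below (not code from the scanner or its documentation). The Key Vault and resource group are assumed to exist already; their names are placeholders.

```hcl
# Added example; azurerm_key_vault.example and azurerm_resource_group.example
# are assumed to exist. A disk encryption set requires the vault to have
# soft delete and purge protection enabled.

# RSA key generated in Key Vault (an imported RSA key works the same way).
resource "azurerm_key_vault_key" "disk" {
  name         = "disk-cmk"
  key_vault_id = azurerm_key_vault.example.id
  key_type     = "RSA"
  key_size     = 2048
  key_opts     = ["decrypt", "encrypt", "sign", "unwrapKey", "verify", "wrapKey"]
}

# The disk encryption set is the object the platform uses to wrap and unwrap
# disk data keys with your Key Vault key. Its managed identity is what needs
# access to the vault, not the Terraform principal.
resource "azurerm_disk_encryption_set" "cmk" {
  name                = "des-cmk"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  key_vault_key_id    = azurerm_key_vault_key.disk.id

  identity {
    type = "SystemAssigned"
  }
}

# Least privilege for the disk encryption set: it only ever wraps and unwraps.
resource "azurerm_key_vault_access_policy" "des" {
  key_vault_id    = azurerm_key_vault.example.id
  tenant_id       = azurerm_disk_encryption_set.cmk.identity[0].tenant_id
  object_id       = azurerm_disk_encryption_set.cmk.identity[0].principal_id
  key_permissions = ["Get", "WrapKey", "UnwrapKey"]
}

# Flagged form: a managed disk with no disk_encryption_set_id relies solely on
# platform-managed keys. Compliant: encryption with the customer-managed key.
resource "azurerm_managed_disk" "data" {
  name                   = "data-disk"
  resource_group_name    = azurerm_resource_group.example.name
  location               = azurerm_resource_group.example.location
  storage_account_type   = "Premium_LRS"
  create_option          = "Empty"
  disk_size_gb           = 128
  disk_encryption_set_id = azurerm_disk_encryption_set.cmk.id

  depends_on = [azurerm_key_vault_access_policy.des]
}
```

The depends_on is deliberate: without the access policy in place first, disk creation fails because the encryption set cannot wrap the disk's data key. Rotating the Key Vault key to a new version re-wraps the data key; the disk contents are not re-encrypted.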