Table: terraform_resource - Query Terraform Resources using SQL
Terraform is an open-source infrastructure as code software tool that enables users to define and provision a data center infrastructure using a high-level configuration language. It supports a multitude of providers such as AWS, GCP, Azure, and more. The Terraform Resources are the main component in a Terraform configuration, and they describe one or more infrastructure objects, such as virtual networks, compute instances, or higher-level components such as DNS records.
Table Usage Guide
The terraform_resource table provides insights into Terraform resources within the Terraform environment. As a DevOps engineer, explore resource-specific details through this table, including configuration, state, and provider details. Use it to find out which resources exist, their current state, the provider they belong to, and the details of their configuration.
Examples
Basic info
Explore the fundamental details of each Terraform resource in your configuration: its name, type, address, standardized attributes, and the file it is defined in. This gives a quick picture of which resources are in use and where they live, which helps with day-to-day infrastructure management.

```sql
select
  name,
  type,
  address,
  attributes_std,
  path
from
  terraform_resource;
```
List AWS IAM roles
Identify the IAM roles defined in your AWS configuration and review their attributes. This helps you understand the access and permission structure and supports security audits and compliance checks.

```sql
select
  name,
  type,
  address,
  attributes_std,
  path
from
  terraform_resource
where
  type = 'aws_iam_role';
```
List AWS IAM assume_role_policy Statements
Extract the trust policy (assume_role_policy) Statement block of each AWS IAM role to see which principals are allowed to assume it. Reviewing these statements helps you spot roles that grant broader assume-role access than intended, which is useful for security and compliance audits.

Postgres:

```sql
select
  path,
  name,
  address,
  (attributes_std ->> 'assume_role_policy') :: jsonb -> 'Statement' as statement
from
  terraform_resource
where
  type = 'aws_iam_role';
```

SQLite:

```sql
select
  path,
  name,
  address,
  json_extract(attributes_std, '$.assume_role_policy.Statement') as statement
from
  terraform_resource
where
  type = 'aws_iam_role';
```
Get AMI for each AWS EC2 instance
Find the Amazon Machine Image (AMI) each AWS EC2 instance is configured to launch from. This helps identify instances built on outdated or unvetted AMIs and supports security and compliance management.

Postgres:

```sql
select
  address,
  name,
  attributes_std ->> 'ami' as ami,
  path
from
  terraform_resource
where
  type = 'aws_instance';
```

SQLite:

```sql
select
  address,
  name,
  json_extract(attributes_std, '$.ami') as ami,
  path
from
  terraform_resource
where
  type = 'aws_instance';
```
List AWS CloudTrail trails that are not encrypted
Identify AWS CloudTrail trails that do not set a kms_key_id and therefore are not encrypted with a KMS key. Unencrypted trail logs are a common finding in security and compliance reviews of AWS environments.

Postgres:

```sql
select
  address,
  name,
  path
from
  terraform_resource
where
  type = 'aws_cloudtrail'
  and attributes_std -> 'kms_key_id' is null;
```

SQLite:

```sql
select
  address,
  name,
  path
from
  terraform_resource
where
  type = 'aws_cloudtrail'
  and json_extract(attributes_std, '$.kms_key_id') is null;
```
List Azure storage accounts that allow public blob access
Identify Azure storage accounts that permit public access to their blobs, a setting that can expose sensitive data. allow_blob_public_access is an optional argument that defaults to false, so the query treats a missing value as false and only reports accounts that explicitly enable it.

Postgres:

```sql
select
  address,
  name,
  case
    when attributes_std -> 'allow_blob_public_access' is null then false
    else (attributes_std -> 'allow_blob_public_access') :: boolean
  end as allow_blob_public_access,
  path
from
  terraform_resource
where
  type = 'azurerm_storage_account'
  -- Optional arg that defaults to false
  and (attributes_std -> 'allow_blob_public_access') :: boolean;
```

SQLite:

```sql
select
  address,
  name,
  case
    when json_extract(attributes_std, '$.allow_blob_public_access') is null then 0
    else json_extract(attributes_std, '$.allow_blob_public_access')
  end as allow_blob_public_access,
  path
from
  terraform_resource
where
  type = 'azurerm_storage_account'
  -- Optional arg that defaults to false
  and json_extract(attributes_std, '$.allow_blob_public_access');
```
List Azure MySQL servers that don't enforce SSL
Identify Azure MySQL servers that do not enforce SSL, so that clients may connect to them over unencrypted channels. This helps pinpoint where transport encryption needs to be strengthened.

Postgres:

```sql
select
  address,
  name,
  attributes_std -> 'ssl_enforcement_enabled' as ssl_enforcement_enabled,
  path
from
  terraform_resource
where
  type = 'azurerm_mysql_server'
  and not (attributes_std -> 'ssl_enforcement_enabled') :: boolean;
```

SQLite:

```sql
select
  address,
  name,
  json_extract(attributes_std, '$.ssl_enforcement_enabled') as ssl_enforcement_enabled,
  path
from
  terraform_resource
where
  type = 'azurerm_mysql_server'
  and not json_extract(attributes_std, '$.ssl_enforcement_enabled');
```
List Azure MySQL servers with public network access enabled
Identify Azure MySQL and MS SQL servers that have public network access enabled and are therefore reachable from the public internet. public_network_access_enabled is an optional argument that defaults to true, so a server that omits it is reported as enabled.

Postgres:

```sql
select
  address,
  name,
  case
    when attributes_std -> 'public_network_access_enabled' is null then true
    else (attributes_std -> 'public_network_access_enabled') :: boolean
  end as public_network_access_enabled,
  path
from
  terraform_resource
where
  type in ('azurerm_mssql_server', 'azurerm_mysql_server')
  -- Optional arg that defaults to true
  and (
    attributes_std -> 'public_network_access_enabled' is null
    or (attributes_std -> 'public_network_access_enabled') :: boolean
  );
```

SQLite:

```sql
select
  address,
  name,
  case
    when json_extract(attributes_std, '$.public_network_access_enabled') is null then 1
    else json_extract(attributes_std, '$.public_network_access_enabled')
  end as public_network_access_enabled,
  path
from
  terraform_resource
where
  type in ('azurerm_mssql_server', 'azurerm_mysql_server')
  -- Optional arg that defaults to true
  and (
    json_extract(attributes_std, '$.public_network_access_enabled') is null
    or json_extract(attributes_std, '$.public_network_access_enabled')
  );
```
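The checks above depend on how a missing optional argument behaves once it is NULL inside the query: `json_extract()` on an absent key gives NULL, `NOT NULL` is NULL (so the SSL check silently skips a row), and the two "default" checks handle NULL explicitly. The following example, added here and not part of the Steampipe plugin or its documentation, loads a few constructed rows into an in-memory SQLite table shaped like terraform_resource and runs the SQLite variants of the queries so each of those cases can be seen. It also decodes the assume_role_policy Statement block from the earlier example and flags trust policies that allow any AWS principal, a check this page does not itself include. It assumes Python's sqlite3 module is built with the JSON functions (standard in current SQLite builds); all rows and values are invented.

```python
"""Run the page's SQLite-flavour terraform_resource checks on constructed rows.

Added illustration, not code from the Steampipe Terraform plugin. It shows how the
optional-argument defaults (allow_blob_public_access -> false,
public_network_access_enabled -> true) and a NULL json_extract() result decide
which rows a check returns. Assumes sqlite3 has the JSON1 functions available.
"""
import json
import sqlite3

# Constructed sample rows: (name, type, address, attributes_std, path).
# "${aws_kms_key.trail.arn}" stands in for an unresolved reference as written in HCL.
SAMPLE_ROWS = [
    ("main", "aws_cloudtrail", "aws_cloudtrail.main",
     {"name": "main", "s3_bucket_name": "audit-logs"}, "/iac/main.tf"),
    ("audit", "aws_cloudtrail", "aws_cloudtrail.audit",
     {"name": "audit", "s3_bucket_name": "audit-logs",
      "kms_key_id": "${aws_kms_key.trail.arn}"}, "/iac/main.tf"),
    ("data", "azurerm_storage_account", "azurerm_storage_account.data",
     {"name": "data", "allow_blob_public_access": True}, "/iac/storage.tf"),
    ("archive", "azurerm_storage_account", "azurerm_storage_account.archive",
     {"name": "archive", "allow_blob_public_access": False}, "/iac/storage.tf"),
    ("private", "azurerm_storage_account", "azurerm_storage_account.private",
     {"name": "private"}, "/iac/storage.tf"),  # argument omitted -> default false
    ("db", "azurerm_mysql_server", "azurerm_mysql_server.db",
     {"name": "db", "ssl_enforcement_enabled": False}, "/iac/db.tf"),  # public access omitted -> default true
    ("db2", "azurerm_mysql_server", "azurerm_mysql_server.db2",
     {"name": "db2", "ssl_enforcement_enabled": True,
      "public_network_access_enabled": False}, "/iac/db.tf"),
    ("sql", "azurerm_mssql_server", "azurerm_mssql_server.sql",
     {"name": "sql", "public_network_access_enabled": True}, "/iac/db.tf"),
    ("ci", "aws_iam_role", "aws_iam_role.ci",
     {"name": "ci", "assume_role_policy": json.dumps({"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Action": "sts:AssumeRole",
          "Principal": {"Service": "ec2.amazonaws.com"}}]})}, "/iac/iam.tf"),
    ("shared", "aws_iam_role", "aws_iam_role.shared",
     {"name": "shared", "assume_role_policy": json.dumps({"Version": "2012-10-17", "Statement":
         {"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": "*"}}})}, "/iac/iam.tf"),
]


def build_table(rows=SAMPLE_ROWS):
    """Create the in-memory terraform_resource table; attributes_std is stored as JSON text."""
    con = sqlite3.connect(":memory:")
    con.execute("create table terraform_resource "
                "(name text, type text, address text, attributes_std text, path text)")
    con.executemany("insert into terraform_resource values (?, ?, ?, ?, ?)",
                    [(n, t, a, json.dumps(attrs), p) for n, t, a, attrs, p in rows])
    return con


def unencrypted_cloudtrails(con):
    """Trails without kms_key_id: json_extract() yields NULL for a missing key."""
    return [r[0] for r in con.execute(
        "select address from terraform_resource where type = 'aws_cloudtrail' "
        "and json_extract(attributes_std, '$.kms_key_id') is null order by address")]


def public_blob_storage_accounts(con):
    """(address, allow_blob_public_access) for accounts that opt in; an omitted
    argument is the default false, so that row is filtered out by the WHERE clause."""
    return list(con.execute(
        "select address, case when json_extract(attributes_std, '$.allow_blob_public_access') is null "
        "then 0 else json_extract(attributes_std, '$.allow_blob_public_access') end "
        "from terraform_resource where type = 'azurerm_storage_account' "
        "and json_extract(attributes_std, '$.allow_blob_public_access') order by address"))


def mysql_servers_without_ssl(con):
    """NOT of JSON false (0) is true; NOT of NULL is NULL, so a server omitting the
    argument would never match. ssl_enforcement_enabled is required, so none does."""
    return [r[0] for r in con.execute(
        "select address from terraform_resource where type = 'azurerm_mysql_server' "
        "and not json_extract(attributes_std, '$.ssl_enforcement_enabled') order by address")]


def publicly_reachable_db_servers(con):
    """public_network_access_enabled defaults to true, so 'is null' counts as enabled."""
    return list(con.execute(
        "select address, case when json_extract(attributes_std, '$.public_network_access_enabled') is null "
        "then 1 else json_extract(attributes_std, '$.public_network_access_enabled') end "
        "from terraform_resource where type in ('azurerm_mssql_server', 'azurerm_mysql_server') "
        "and (json_extract(attributes_std, '$.public_network_access_enabled') is null "
        "or json_extract(attributes_std, '$.public_network_access_enabled')) order by address"))


def role_trust_statements(con):
    """{address: [Statement, ...]} per aws_iam_role. Terraform keeps assume_role_policy
    as a JSON string, so it is decoded here; a lone Statement object becomes a list."""
    out = {}
    for address, policy in con.execute(
            "select address, json_extract(attributes_std, '$.assume_role_policy') "
            "from terraform_resource where type = 'aws_iam_role' order by address"):
        stmts = json.loads(policy).get("Statement", [])
        out[address] = [stmts] if isinstance(stmts, dict) else stmts
    return out


def roles_trusting_any_principal(con):
    """Roles with an Allow statement whose Principal is "*" or whose AWS principal is "*"."""
    flagged = []
    for address, stmts in role_trust_statements(con).items():
        for s in stmts:
            principal = s.get("Principal")
            aws = principal.get("AWS") if isinstance(principal, dict) else principal
            if s.get("Effect") == "Allow" and (aws == "*" or (isinstance(aws, list) and "*" in aws)):
                flagged.append(address)
                break
    return flagged


if __name__ == "__main__":
    con = build_table()
    print("CloudTrail without KMS key:", unencrypted_cloudtrails(con))
    print("DB servers reachable publicly:", publicly_reachable_db_servers(con))
    print("Roles trusting any principal:", roles_trusting_any_principal(con))
```

Each function keeps the page's WHERE clause verbatim and adds only an ORDER BY, so the result for a row with a missing argument is exactly what the Steampipe SQLite query would return for that row. The same reasoning applies to the Postgres variants, where `(NULL)::boolean` is NULL and `NOT NULL` is likewise NULL.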
List resources from a plan file
List the resources described in a specific Terraform plan file, with their name, type, address, and attributes. This is useful for reviewing which resources a plan will add, change, or remove and how they are configured.

```sql
select
  name,
  type,
  address,
  attributes_std,
  path
from
  terraform_resource
where
  path = '/path/to/tfplan.json';
```
List resources from a state file
List the resources recorded in a specific Terraform state file. This shows the components of your deployed infrastructure and their attributes without navigating the source tree, which is especially helpful for large deployments.

```sql
select
  name,
  type,
  address,
  attributes_std,
  path
from
  terraform_resource
where
  path = '/path/to/terraform.tfstate';
```
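The two queries above filter on the file a resource came from, and a plan file and a state file record resources quite differently. The example below, added here and not the Steampipe plugin's own loader, shows where the name, type, address and attribute values those queries select come from in a `terraform show -json` plan (`resource_changes[].change.after`) and in a terraform.tfstate file (`resources[].instances[].attributes`), and rebuilds the instance address for count/for_each instances. Both documents are constructed samples with invented AMI ids and CIDRs; the plugin's real attributes_std normalisation may differ from the plain maps used here.

```python
"""Map a Terraform plan (terraform show -json) and a state file onto rows shaped
like terraform_resource, keyed by the file path used in the queries above.

Added illustration, not the Steampipe plugin's loader. Sample documents are
constructed; attributes_std here is simply the planned 'after' map or the state
instance's 'attributes' map."""
import json

PLAN_JSON = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {"address": "aws_cloudtrail.main", "mode": "managed", "type": "aws_cloudtrail",
         "name": "main", "change": {"actions": ["create"], "before": None,
                                     "after": {"name": "main", "s3_bucket_name": "audit-logs"}}},
        {"address": "aws_instance.web", "mode": "managed", "type": "aws_instance",
         "name": "web", "change": {"actions": ["update"],
                                    "before": {"ami": "ami-00000000", "instance_type": "t3.micro"},
                                    "after": {"ami": "ami-11111111", "instance_type": "t3.micro"}}},
        {"address": "aws_instance.old", "mode": "managed", "type": "aws_instance",
         "name": "old", "change": {"actions": ["delete"],
                                    "before": {"ami": "ami-00000000"}, "after": None}},
        {"address": "data.aws_ami.ubuntu", "mode": "data", "type": "aws_ami", "name": "ubuntu",
         "change": {"actions": ["read"], "before": None, "after": {"id": "ami-11111111"}}},
    ],
})

STATE_JSON = json.dumps({
    "version": 4,
    "resources": [
        {"mode": "managed", "type": "aws_instance", "name": "web",
         "instances": [{"schema_version": 1, "attributes": {"ami": "ami-00000000"}}]},
        {"mode": "managed", "type": "aws_instance", "name": "worker",
         "instances": [{"index_key": 0, "schema_version": 1, "attributes": {"ami": "ami-00000000"}},
                       {"index_key": 1, "schema_version": 1, "attributes": {"ami": "ami-00000000"}}]},
        {"module": "module.vpc", "mode": "managed", "type": "aws_vpc", "name": "this",
         "instances": [{"schema_version": 1, "attributes": {"cidr_block": "10.0.0.0/16"}}]},
    ],
})


def rows_from_plan(text, path):
    """One row per managed resource that will exist after apply, using the planned
    'after' values. Data sources and pure deletes are skipped; values only known
    after apply live in change.after_unknown and are not resolved here."""
    rows = []
    for rc in json.loads(text).get("resource_changes", []):
        change = rc.get("change", {})
        if rc.get("mode") != "managed" or change.get("actions") == ["delete"]:
            continue
        rows.append({"name": rc["name"], "type": rc["type"], "address": rc["address"],
                     "attributes_std": change.get("after") or {}, "path": path})
    return rows


def rows_from_state(text, path):
    """One row per resource instance; the address is rebuilt from module, type,
    name and, for count/for_each resources, the instance's index_key."""
    rows = []
    for res in json.loads(text).get("resources", []):
        if res.get("mode") != "managed":
            continue
        base = f"{res['type']}.{res['name']}"
        if res.get("module"):
            base = f"{res['module']}.{base}"
        for inst in res.get("instances", []):
            address = base
            if "index_key" in inst:
                key = inst["index_key"]
                address += f'["{key}"]' if isinstance(key, str) else f"[{key}]"
            rows.append({"name": res["name"], "type": res["type"], "address": address,
                         "attributes_std": inst.get("attributes", {}), "path": path})
    return rows


def resources_at_path(rows, path, type_=None):
    """Equivalent of `where path = ... [and type = ...]` over the loaded rows."""
    return [r for r in rows if r["path"] == path and (type_ is None or r["type"] == type_)]


if __name__ == "__main__":
    rows = rows_from_plan(PLAN_JSON, "/path/to/tfplan.json") + \
        rows_from_state(STATE_JSON, "/path/to/terraform.tfstate")
    for r in resources_at_path(rows, "/path/to/terraform.tfstate"):
        print(r["address"], r["attributes_std"])
```

Note the asymmetry this makes visible: a plan row reflects what the configuration asks for (and a resource scheduled for deletion has no "after" map), while a state row reflects what was last recorded as deployed, so the same address can carry different attribute values in the two files.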
Control examples
- ACM > ACM certificate should have create before destroy enabled
- ACM > ACM certificates should have transparency logging preference enabled
- API Gateway > API Gateway Deployment should have create_before_destroy enabled
- API Gateway > API Gateway Domain should have latest TLS security policy configured
- API Gateway > API Gateway Method Settings should have cache enabled
- API Gateway > API Gateway Method Settings should have cache encrypted
- API Gateway > API Gateway Method Settings should have data trace disabled
- API Gateway > API Gateway Method should have restrictive access
- API Gateway > API Gateway REST and WebSocket API logging should be enabled
- API Gateway > API Gateway REST API cache data should be encrypted at rest
- API Gateway > API Gateway REST API should have create_before_destroy enabled
- API Gateway > API Gateway REST API stages should have AWS X-Ray tracing enabled
- API Gateway > API Gateway stage should use SSL certificate
- API Gateway > API Gateway V2 Route should have authorization type set
- API Management > API Management backends should use HTTPS
- API Management > API Management services client certificate should be enabled
- API Management > API Management services should restrict public network access
- API Management > API Management services should use a virtual network
- API Management > API Management services should use at least TLS 1.2 version
- App Configuration > App Configurations encryption should be enabled
- App Configuration > App Configurations local authentication should be disabled
- App Configuration > App Configurations purge protection should be enabled
- App Configuration > App Configurations should restrict public network access
- App Configuration > App Configurations should use standard SKU
- App Service > App Service environment should be zone redundant
- App Service > App Service Environment should enable internal encryption
- App Service > App Service plans should be zone redundant
- App Service > App Service plans should not use free, shared or basic SKU
- App Service > App Service should use a virtual network service endpoint
- App Service > Azure Defender for App Service should be enabled
- App Service > CORS should not allow every resource to access your Function Apps
- App Service > CORS should not allow every resource to access your Web Applications
- App Service > Diagnostic logs in App Services should be enabled
- App Service > Ensure App Service Authentication is set on Azure App Service
- App Service > Ensure FTP deployments are disabled
- App Service > Ensure that 'HTTP Version' is the latest, if used to run the Function app
- App Service > Ensure that 'HTTP Version' is the latest, if used to run the Web app
- App Service > Ensure that 'Java version' is the latest, if used as a part of the Function app
- App Service > Ensure that 'Java version' is the latest, if used as a part of the Web app
- App Service > Ensure that 'PHP version' is the latest, if used as a part of the WEB app
- App Service > Ensure that 'Python version' is the latest, if used as a part of the Function app
- App Service > Ensure that 'Python version' is the latest, if used as a part of the Web app
- App Service > Ensure that Register with Azure Active Directory is enabled on App Service
- App Service > Ensure WEB app has 'Client Certificates (Incoming client certificates)' set to 'On'
- App Service > FTPS only should be required in your Function App
- App Service > FTPS should be required in your Web App
- App Service > Function App should only be accessible over HTTPS
- App Service > Function Apps builtin logging should be enabled
- App Service > Function apps should have 'Client Certificates (Incoming client certificates)' enabled
- App Service > Function apps should restrict public network access
- App Service > Latest TLS version should be used in your Function App
- App Service > Latest TLS version should be used in your Web App
- App Service > Managed identity should be used in your Function App
- App Service > Managed identity should be used in your Web App
- App Service > Remote debugging should be turned off for Web Applications
- App Service > Web app slots remote debugging should be disabled
- App Service > Web app slots should only be accessible over HTTPS
- App Service > Web app slots should use the latest TLS version
- App Service > Web Application should only be accessible over HTTPS
- App Service > Web apps detailed error messages should be enabled
- App Service > Web apps failed request tracing should be enabled
- App Service > Web apps HTTP logs should be enabled
- App Service > Web apps should be configured to always be on
- App Service > Web apps should have health check enabled
- App Service > Web apps should have more than one worker
- App Service > Web apps should restrict public network access
- App Service > Web apps should use Azure files
- App Service > Web apps should use the latest 'Net Framework' version
- AppFlow > AppFlow Connector Profile should be encrypted with KMS CMK
- AppFlow > AppFlow Flow should be encrypted with KMS CMK
- Application Gateway > Application Gateway should restrict message lookup in Log4j2
- Application Gateway > Application Gateway should use HTTPS Listener
- Application Gateway > Application Gateway should use secure SSL cipher
- Application Gateway > Web Application Firewall (WAF) should be enabled for Application Gateway
- AppSync > AppSync API cache encryption at rest should be enabled
- AppSync > AppSync API cache encryption in transit should be enabled
- AppSync > AppSync GraphQL API CloudWatch logs should be enabled
- AppSync > AppSync GraphQL API field level logs should be enabled
- Artifact Registry Repository > Artifact Registry Repository should be encrypted with KMS CMK
- Artifact Registry Repository > Artifact Registry Repository should not be publicly accessible
- Athena > Athena database encryption at rest should be enabled
- Athena > Athena workgroup configuration should be enforced
- Athena > Athena workgroup encryption at rest should be enabled
- Auto Scaling > Auto Scaling groups should have tagging enabled
- Auto Scaling > Auto Scaling groups should use launch templates
- Auto Scaling > Auto Scaling groups with a load balancer should use health checks
- Auto Scaling > Auto Scaling launch config public IP should be disabled
- Automation > Automation account variables encryption should be enabled
- Backup > Backup plan min frequency and min retention check
- Backup > Backup vault encryption at rest enabled
- Batch > Azure Batch account should use customer-managed keys to encrypt data
- Batch > Resource logs in Batch accounts should be enabled
- BigQuery > Big Query Table deletion protection should be enabled
- BigQuery > Big Query Table should not be publicly accessible
- BigQuery > Ensure that a Default Customer-managed encryption key (CMEK) is specified for all BigQuery Data Sets
- BigQuery > Ensure that all BigQuery Tables are encrypted with Customer-managed encryption key (CMEK)
- BigQuery > Ensure that BigQuery datasets are not anonymously or publicly accessible
- Bigtable > Big Query Instance should be encrypted with KMS CMK
- Bigtable > Bigtable Instance deletion protection should be enabled
- Block Storage > Block Storage block volume backup should be enabled
- Block Storage > Block Storage block volume encryption should be enabled
- Block Storage > Block Storage boot volume backup encryption should be enabled
- Block Storage > Block Storage boot volume encryption should be enabled
- Cache for Redis > Azure Cache for Redis should reside within a virtual network
- Cache for Redis > Only secure connections to your Azure Cache for Redis should be enabled
- Cache for Redis > Redis Caches 'Minimum TLS version' should be set to 'Version 1.2'
- Cache for Redis > Redis Caches should restrict public access
- Cache for Redis > Redis Caches standard replication should be enabled
- Cloud Build > Cloud Build workers should use private IP addresses
- Cloud Function > Cloud Function should not be publicly accessible
- Cloud Guard > Ensure Cloud Guard is enabled in the root compartment of the tenancy
- Cloud Run > Cloud Run services should not be publicly accessible
- CloudFormation > CloudFormation Stacks should have notifications enabled
- CloudFront > CloudFront distribution should be in enabled state
- CloudFront > CloudFront distributions minimum protocol version should be set
- CloudFront > CloudFront distributions should have a default root object configured
- CloudFront > CloudFront distributions should have AWS WAF enabled
- CloudFront > CloudFront distributions should have logging enabled
- CloudFront > CloudFront distributions should have origin access identity enabled
- CloudFront > CloudFront distributions should have origin failover configured
- CloudFront > CloudFront distributions should require encryption in transit
- CloudFront > CloudFront response header policy should be configured with Strict Transport Security
- CloudSearch > CloudSearch should have enforced HTTPS enabled
- CloudSearch > CloudSearch should use the latest TLS version
- CloudTrail > CloudTrail event data should be stored encrypted with KMS CMK
- CloudTrail > CloudTrail trail log file validation should be enabled
- CloudTrail > CloudTrail trail logs should be encrypted with KMS CMK
- CloudTrail > CloudTrail trail should have SNS topic enabled
- CloudTrail > Ensure CloudTrail is enabled in all regions
- CloudWatch > CloudWatch alarm action should be enabled
- CloudWatch > Ensure CloudWatch Logs destination policy has no wildcards
- CloudWatch > Log group encryption at rest should be enabled
- CloudWatch > Log group retention period should be at least 365 days
- CloudWatch > Log group retention period should be set
- CodeArtifact > CodeArtifact Domain should be encrypted with KMS CMK
- CodeBuild > CodeBuild GitHub or Bitbucket source repository URLs should use OAuth
- CodeBuild > CodeBuild project encryption at rest should be enabled
- CodeBuild > CodeBuild project environments should have logging enabled
- CodeBuild > CodeBuild project plaintext environment variables should not contain sensitive AWS values
- CodeBuild > CodeBuild project privileged mode should be disabled
- CodeBuild > CodeBuild project S3 logs encryption should be enabled
- CodeCommit > CodeCommit approval rule template should have at least 2 approvals
- CodePipeline > CodePipeline Artifacts encrypted with KMS CMK
- Cognitive Search > Azure Cognitive Search services should disable public network access
- Cognitive Search > Azure Cognitive Search services should use private link
- Cognitive Search > Cognitive Search services allowed IPs should restrict public access
- Cognitive Search > Cognitive Search services should maintain SLA for index updates
- Cognitive Search > Cognitive Search services should use managed identity
- Cognitive Services > Cognitive Services accounts should disable public network access
- Cognitive Services > Cognitive Services accounts should enable data encryption with a customer-managed key
- Cognitive Services > Cognitive Services accounts should have local authentication methods disabled
- Cognitive Services > Cognitive Services accounts should restrict network access
- Comprehend > Comprehend entity recognizer model encrypted with KMS CMK
- Comprehend > Comprehend entity recognizer volume encrypted with KMS CMK
- Compute > Azure Defender for servers should be enabled
- Compute > Cloud Armor prevents message lookup in Log4j2
- Compute > Compute instance boot disk encryption should be enabled
- Compute > Compute instance boot volume encryption in transit should be enabled
- Compute > Compute instance legacy metadata service endpoint should be disabled
- Compute > Compute instance monitoring should be enabled
- Compute > Compute Subnetworks should have Private IPv6 Google Access enabled
- Compute > Compute virtual machine scale sets should have automatic OS image patching enabled
- Compute > Deploy default Microsoft IaaSAntimalware extension for Windows Server
- Compute > Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
- Compute > Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs
- Compute > Ensure 'Block Project-wide SSH keys' is enabled for VM instances
- Compute > Ensure 'Enable connecting to serial ports' is not enabled for VM Instance
- Compute > Ensure Compute instances are launched with Shielded VM enabled
- Compute > Ensure legacy networks do not exist for a project
- Compute > Ensure OS login is enabled for a project
- Compute > Ensure Private Google Access is enabled for all subnetworks in VPC
- Compute > Ensure that Compute instances do not have public IP addresses
- Compute > Ensure that Compute instances have Confidential Computing enabled
- Compute > Ensure that instances are not configured to use the default service account
- Compute > Ensure that instances are not configured to use the default service account with full access to all Cloud APIs
- Compute > Ensure that IP forwarding is not enabled on Instances
- Compute > Ensure that the default network does not exist in a project
- Compute > Ensure VM disks for critical VMs are encrypted with Customer-Supplied Encryption Keys (CSEK)
- Compute > Ensure VPC Flow logs is enabled for every subnet in VPC Network
- Compute > Google compute firewall ingress does not allow unrestricted FTP port 20 access
- Compute > Google compute firewall ingress does not allow unrestricted FTP port 21 access
- Compute > Google compute firewall ingress does not allow unrestricted HTTP port 80 access
- Compute > Google compute firewall ingress does not allow unrestricted MySQL port 3306 access
- Compute > Google compute firewall ingress does not allow unrestricted RDP port 3389 access
- Compute > Google compute firewall ingress does not allow unrestricted SSH port 22 access
- Compute > Guest Configuration extension should be installed on your machines
- Compute > IP Forwarding on your virtual machine should be disabled
- Compute > Linux Virtual machines and scale sets should enable SSH key authentication
- Compute > Linux virtual machines scale sets should disable password authentication
- Compute > Linux virtual machines should disable password authentication
- Compute > Managed disks should be encrypted
- Compute > System updates should be installed on your machines
- Compute > Virtual machines and scale sets should have agent installed
- Compute > Virtual machines and virtual machine scale sets should have encryption at host enabled
- Compute > Virtual machines should be migrated to new Azure Resource Manager resources
- Compute > Virtual machines should disable password authentication
- Compute > Virtual machines should not allow extension operations
- Compute > Windows Virtual machines and scale sets should have automatic updates enabled
- Config > Config aggregator should be enabled in all regions
- Connect > Connect instance kinesis video stream storage config is encrypted with KMS CMK
- Connect > Connect instance S3 storage config is encrypted with KMS CMK
- Container Instance > Container instance container groups should be in virtual network
- Container Instance > Container instance container groups should use secure environment variable
- Container Registry > Azure Defender for container registries should be enabled
- Container Registry > Container registries admin user should be disabled
- Container Registry > Container registries anonymous pull should be disabled
- Container Registry > Container registries image scan should be enabled
- Container Registry > Container registries public network access should be disabled
- Container Registry > Container registries quarantine policy should be enabled
- Container Registry > Container registries retention policy should be enabled
- Container Registry > Container registries should be encrypted with a customer-managed key
- Container Registry > Container registries should be geo-replicated
- Container Registry > Container registries should be zone redundant
- Container Registry > Container registries should not allow unrestricted network access
- Container Registry > Container registries trust policy should be enabled
- Container Registry > Container Registry should use a virtual network service endpoint
- Content Delivery Network > Content Delivery Network custom domains should use at least TLS 1.2 version
- Content Delivery Network > Content Delivery Networks HTTP endpoint should be disabled
- Content Delivery Network > Content Delivery Networks HTTPS endpoint should be enabled
- Cosmos DB > Azure Cosmos DB accounts should have firewall rules
- Cosmos DB > Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest
- Cosmos DB > Cosmos DB accounts should have access key metadata writes disabled
- Cosmos DB > Cosmos DB accounts should have local authentication disabled
- Cosmos DB > Cosmos DB accounts should have public network access disabled
- Cosmos DB > Cosmos DB accounts should have restricted access
- Cosmos DB > Cosmos DB should use a virtual network service endpoint
- Data Explorer > Azure Data Explorer encryption at rest should use a customer-managed key
- Data Explorer > Disk encryption should be enabled on Azure Data Explorer
- Data Explorer > Double encryption should be enabled on Azure Data Explorer
- Data Explorer > Kusto clusters should use managed identities
- Data Explorer > Kusto clusters should use SKU with an SLA
- Data Factory > Azure data factories should be encrypted with a customer-managed key
- Data Factory > Data factories should have public network access disabled
- Data Factory > Data factories should use GitHub repository
- Data Fusion > Data Fusion instance should have Stackdriver Logging enabled
- Data Fusion > Data Fusion instance should have Stackdriver Monitoring enabled
- Data Fusion > Data Fusion instance should not be publicly accessible
- Data Lake Storage > Require encryption on Data Lake Store accounts
- Database > Database encryption should be enabled
- Database > Database home encryption should be enabled
- Database > Database system encryption should be enabled
- Databricks > Databricks should restrict public network access
- Dataflow > Dataflow job should not be publicly accessible
- Dataflow > Dataflow should be encrypted with KMS CMK
- Dataproc > Dataproc cluster should be encrypted with KMS CMK
- Dataproc > Dataproc cluster should not be publicly accessible
- Dataproc > Dataproc cluster should not have public IP
- DataSync > DataSync object storage location configuration should restrict secret key exposure
- DAX > DAX clusters endpoint encryption should have TLS enabled
- DAX > DynamoDB Accelerator (DAX) clusters should be encrypted at rest
- DLM > DLM lifecycle policy events cross-region encryption should be enabled
- DLM > DLM lifecycle policy events cross-region encryption with KMS CMK should be enabled
- DLM > DLM schedule cross-region encryption should be enabled
- DLM > DLM schedule cross-region encryption with KMS CMK should be enabled
- DMS > DMS replication instances should be encrypted with KMS CMK
- DMS > DMS replication instances should have automatic minor version upgrade enabled
- DMS > DMS replication instances should not be publicly accessible
- DMS > DMS S3 endpoints should be encrypted with KMS CMK
- DNS > Azure Defender for DNS should be enabled
- DNS > Ensure that DNSSEC is enabled for Cloud DNS
- DNS > Ensure that RSASHA1 is not used for key-signing key in Cloud DNS
- DNS > Ensure that RSASHA1 is not used for zone-signing key in Cloud DNS
- DocumentDB > DocDB cluster audit logging should be enabled
- DocumentDB > DocDB cluster backup retention period should be at least 7 days
- DocumentDB > DocDB cluster should be encrypted using KMS
- DocumentDB > DocDB cluster should have log export enabled
- DocumentDB > DocDB Global Cluster encryption at rest enabled
- DocumentDB > DocDB parameter group should have audit logs enabled
- DocumentDB > DocDB TLS should be enabled
- DynamoDB > DynamoDB table point-in-time recovery should be enabled
- DynamoDB > DynamoDB table should be encrypted with AWS KMS
- DynamoDB > DynamoDB table should have encryption enabled
- DynamoDB > DynamoDB VPC endpoint should be enabled in all route tables in use in a VPC
- EBS > EBS snapshots should be encrypted with KMS CMK
- EBS > EBS volumes should have encryption enabled
- EC2 > EBS default encryption should be enabled
- EC2 > EC2 AMI copy should be encrypted
- EC2 > EC2 AMI copy should be encrypted with KMS CMK
- EC2 > EC2 AMI image builder components should be encrypted with KMS CMK
- EC2 > EC2 AMI image builder distribution configurations should be encrypted with KMS CMK
- EC2 > EC2 AMI image builder image recipes should be encrypted with KMS CMK
- EC2 > EC2 AMI launch permission should be restricted
- EC2 > EC2 AMI should be encrypted
- EC2 > EC2 instance detailed monitoring should be enabled
- EC2 > EC2 instance EBS encryption should be enabled
- EC2 > EC2 instance should have EBS optimization enabled
- EC2 > EC2 instances should not contain secrets in user data
- EC2 > EC2 instances should not have a public IP address
- EC2 > EC2 instances should not use multiple ENIs
- EC2 > EC2 instances should use IMDSv2
- EC2 > EC2 instances termination protection should be enabled
- EC2 > EC2 launch configuration EBS encryption should be enabled
- EC2 > EC2 launch configuration should not have a metadata response hop limit greater than 1
- EC2 > EC2 launch template should not have a metadata response hop limit greater than 1
- EC2 > Ensure EC2 instances do not use default VPC
- ECR > ECR repository policy should prohibit public access
- ECR > ECR repository should be encrypted with KMS
- ECR > ECR repository should use image scanning
- ECR > ECR repository tags should be immutable
- ECS > ECS cluster container insights should be enabled
- ECS > ECS cluster logging should be enabled
- ECS > ECS cluster logging should be encrypted with KMS CMK
- ECS > ECS containers should be limited to read-only access to root filesystems
- ECS > ECS containers should run in non-privileged mode
- ECS > ECS Fargate services should run on the latest Fargate platform version
- ECS > ECS task definition encryption in transit should be enabled
- ECS > ECS Task definition should have different Execution Role ARN and Task Role ARN
- ECS > ECS task definitions should not share the host's process namespace
- EFS > EFS access point should have a root directory
- EFS > EFS access point should have a user identity
- EFS > EFS file system encryption at rest should be enabled
- EFS > EFS file system should be encrypted with KMS CMK
- EFS > EFS file systems should be in a backup plan
- EKS > EKS cluster control plane logging should be enabled for all log types
- EKS > EKS cluster log types should be enabled
- EKS > EKS cluster node group should be configured to restrict SSH access from 0.0.0.0/0
- EKS > EKS cluster should run on supported Kubernetes version
- EKS > EKS clusters endpoint should restrict public access
- EKS > EKS clusters should be configured to have kubernetes secrets encrypted using KMS
- ElastiCache > ElastiCache cluster should have subnet group
- ElastiCache > ElastiCache Redis cluster automatic backup should be enabled with retention period of 15 days or greater
- ElastiCache > ElastiCache Redis cluster should have auto minor version upgrade enabled
- ElastiCache > ElastiCache replication group should be encrypted at rest
- ElastiCache > ElastiCache replication group should be encrypted in transit
- ElastiCache > ElastiCache replication group should be encrypted with KMS CMK
- ElasticBeanstalk > Elastic Beanstalk enhanced health reporting should be enabled
- ElasticBeanstalk > Elastic Beanstalk managed platform updates should be enabled
- Elasticsearch > Amazon Elasticsearch Service domains should be in a VPC
- Elasticsearch > Connections to Elasticsearch domains should be encrypted using TLS 1.2
- Elasticsearch > Elasticsearch domain error logging to CloudWatch Logs should be enabled
- Elasticsearch > Elasticsearch domain node-to-node encryption should be enabled
- Elasticsearch > Elasticsearch domain should be encrypted with KMS CMK
- Elasticsearch > Elasticsearch domain should enforce HTTPS
- Elasticsearch > Elasticsearch domain should not use the default security group
- Elasticsearch > Elasticsearch domain should send logs to CloudWatch
- Elasticsearch > Elasticsearch domains should be configured with at least three dedicated master nodes
- Elasticsearch > Elasticsearch domains should have at least three data nodes
- Elasticsearch > Elasticsearch domains should have audit logging enabled
- Elasticsearch > ES domain encryption at rest should be enabled
- ELB > Classic Load Balancers should have connection draining enabled
- ELB > ELB application and classic load balancer logging should be enabled
- ELB > ELB application load balancer deletion protection should be enabled
- ELB > ELB application load balancers should drop HTTP headers
- ELB > ELB application load balancers should have drop invalid header fields configured
- ELB > ELB application load balancers should have Web Application Firewall (WAF) enabled
- ELB > ELB application, network and gateway load balancer should have cross-zone load balancing enabled
- ELB > ELB application, network and gateway load balancers should have defensive or strictest desync mitigation mode configured
- ELB > ELB classic load balancers should have cross-zone load balancing enabled
- ELB > ELB classic load balancers should have defensive or strictest desync mitigation mode configured
- ELB > ELB classic load balancers should only use SSL or HTTPS listeners
- ELB > ELB classic load balancers should use SSL certificates
- ELB > ELB HTTP HTTPS target group should be configured with Healthcheck
- ELB > ELB load balancer listeners should use a secure protocol
- EMR > EMR cluster Kerberos should be enabled
- EMR > EMR cluster security configurations should have EBS encryption enabled
- EMR > EMR cluster security configurations should have encryption in transit enabled
- EMR > EMR cluster security configurations should have local disk encryption enabled
- EMR > EMR cluster security configurations should use SSE-KMS
- Event Grid > Event Grid domains should disable public network access
- Event Grid > Event Grid domains should have local authentication disabled
- Event Grid > Event Grid domains should use managed identity
- Event Grid > Event Grid topics should disable public network access
- Event Grid > Event Grid topics should have local authentication disabled
- Event Grid > Event Grid topics should use managed identity
- Event Hubs > Event Hub namespaces 'Minimum TLS version' should be set to 'Version 1.2'
- Event Hubs > Event Hub namespaces should be encrypted
- Event Hubs > Event Hub namespaces should be zone redundant
- Event Hubs > Event Hub should use a virtual network service endpoint
- EventBridge > EventBridge Scheduler Schedule should be encrypted with KMS CMK
- File Storage > File Storage file system encryption should be enabled
- Firewall > Firewall has firewall policy set
- Firewall > Firewall policy intrusion detection mode set to deny
- Firewall > Firewall threat intel mode set to deny
- Front Door > Front Door firewall policy should restrict message lookup in Log4j2
- Front Door > Web Application Firewall (WAF) should be enabled for Azure Front Door Service
- FSx > FSx Lustre File System should be encrypted with KMS CMK
- FSx > FSx ONTAP File System should be encrypted with KMS CMK
- FSx > FSx OpenZFS File System should be encrypted with KMS CMK
- FSx > FSx Windows File System should be encrypted with KMS CMK
- Glacier > Glacier vault should restrict public access
- Global Accelerator > Global Accelerator flow logs should be enabled
- Glue > Glue crawler security configuration should be enabled
- Glue > Glue data catalog encryption should be enabled
- Glue > Glue dev endpoint security configuration should be enabled
- Glue > Glue job security configuration should be enabled
- Glue > Glue security configuration encryption should be enabled
- GuardDuty > GuardDuty should be enabled
- Healthcare APIs > Azure API for FHIR should disable public network access
- Healthcare APIs > Azure API for FHIR should use a customer-managed key to encrypt data at rest
- IAM > Custom subscription administrator roles should not exist
- IAM > Ensure basic roles are not used at folder level
- IAM > Ensure basic roles are not used at organization level
- IAM > Ensure basic roles are not used at project level
- IAM > Ensure Default Service account is not used at a folder level
- IAM > Ensure Default Service account is not used at an organization level
- IAM > Ensure Default Service account is not used at a project level
- IAM > Ensure IAM password policy expires passwords within 90 days or less
- IAM > Ensure IAM password policy prevents password reuse
- IAM > Ensure IAM password policy requires a minimum length of 8 or greater
- IAM > Ensure IAM password policy requires at least one lowercase letter
- IAM > Ensure IAM password policy requires at least one number
- IAM > Ensure IAM password policy requires at least one symbol
- IAM > Ensure IAM password policy requires at least one uppercase letter
- IAM > Ensure IAM password policy requires minimum length of 14 or greater
- IAM > Ensure roles do not impersonate or manage Service Accounts used at folder level
- IAM > Ensure roles do not impersonate or manage Service Accounts used at organization level
- IAM > Ensure roles do not impersonate or manage Service Accounts used at project level
- IAM > Ensure that Service Account has no admin privileges
- IAM > Ensure that there are only GCP-managed service account keys for each service account
- IAM > Ensure that users are not assigned the Service Account User or Service Account Token Creator roles at project level
- IAM > IAM workload identity pool provider should be restricted
- IAM > Password policies for IAM users should have strong configurations
- Identity and Access Management > Ensure IAM password policy requires minimum length of 14 or greater
- Identity and Access Management > IAM password policy should contain at least one lowercase character
- Identity and Access Management > IAM password policy should contain at least one numeric character
- Identity and Access Management > IAM password policy should contain at least one special character
- Identity and Access Management > IAM password policy should contain at least one uppercase character
- IoT Hub > IoT Hubs should disable public network access
- IoT Hub > Resource logs in IoT Hub should be enabled
- Kendra > Kendra indexes should use KMS CMKs for server-side encryption
- Key Vault > Azure Defender for Key Vault should be enabled
- Key Vault > Azure Key Vault Managed HSM should have purge protection enabled
- Key Vault > Azure Key Vault should disable public network access
- Key Vault > Key Vault keys should have an expiration date
- Key Vault > Key Vault secrets should have a content type
- Key Vault > Key Vault secrets should have an expiration date
- Key Vault > Key Vault should use a virtual network service endpoint
- Key Vault > Key vaults should have purge protection enabled
- Key Vault > Resource logs in Azure Key Vault Managed HSM should be enabled
- Key Vault > Resource logs in Key Vault should be enabled
- Keyspaces > Keyspaces tables should be encrypted with KMS CMK
- Kinesis > Kinesis firehose delivery streams should be encrypted with KMS CMK
- Kinesis > Kinesis firehose delivery streams should have server side encryption enabled
- Kinesis > Kinesis stream encryption at rest should be enabled
- Kinesis > Kinesis streams should be encrypted with KMS CMK
- Kinesis > Kinesis video streams should be encrypted with KMS CMK
- KMS > Check that CMEK rotation policy is in place and is sufficiently short
- KMS > Ensure KMS encryption keys are rotated within a period of 90 days
- KMS > KMS CMK rotation should be enabled
- KMS > KMS Crypto keys should have prevent destroy enabled
- KMS > KMS keys should not be publicly accessible
- Kubernetes > Check that GKE clusters have a Network Policy installed
- Kubernetes > Check that legacy metadata endpoints are disabled on Kubernetes clusters (disabled by default since GKE 1.12+)
- Kubernetes > Ensure automatic node repair is enabled on all node pools in a GKE cluster
- Kubernetes > Ensure Automatic node upgrades is enabled on Kubernetes Engine Clusters nodes
- Kubernetes > Ensure Container-Optimized OS (cos) is used for Kubernetes engine clusters
- Kubernetes > Ensure Legacy Authorization is disabled on Kubernetes Engine Clusters
- Kubernetes > GKE clusters alias IP ranges should be enabled
- Kubernetes > GKE clusters authenticator group should be configured to manage RBAC users
- Kubernetes > GKE clusters client binary authorization should be enabled
- Kubernetes > GKE clusters client certificate authentication should be disabled
- Kubernetes > GKE clusters control plane should restrict public access
- Kubernetes > GKE clusters GKE metadata server should be enabled
- Kubernetes > GKE clusters integrity monitoring should be enabled for shielded nodes
- Kubernetes > GKE clusters intranodal visibility should be enabled
- Kubernetes > GKE clusters master authorized networks should be enabled
- Kubernetes > GKE clusters release channel should be configured
- Kubernetes > GKE clusters resource labels should be configured
- Kubernetes > GKE clusters secure boot should be enabled for shielded nodes
- Kubernetes > GKE clusters shielded nodes should be enabled
- Kubernetes > GKE clusters should not use cluster level node pool
- Kubernetes > GKE clusters should use Container-Optimized OS (cos) node image
- Kubernetes > GKE clusters stackdriver logging should be enabled
- Kubernetes > GKE clusters stackdriver monitoring should be enabled
- Kubernetes > Verify all GKE clusters are Private Clusters
- Kubernetes Service > Authorized IP ranges should be defined on Kubernetes Services
- Kubernetes Service > Azure Defender for Kubernetes should be enabled
- Kubernetes Service > Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters
- Kubernetes Service > Both operating systems and data disks in Azure Kubernetes Service clusters should be encrypted by customer-managed keys
- Kubernetes Service > Kubernetes cluster nodes should restrict public access
- Kubernetes Service > Kubernetes clusters key vault secret rotation should be enabled
- Kubernetes Service > Kubernetes clusters local admin should be disabled
- Kubernetes Service > Kubernetes clusters only critical system pods should run on system nodes
- Kubernetes Service > Kubernetes clusters should have logging enabled
- Kubernetes Service > Kubernetes clusters should have network policy enabled
- Kubernetes Service > Kubernetes clusters should restrict public access
- Kubernetes Service > Kubernetes clusters should use a minimum number of 50 pods
- Kubernetes Service > Kubernetes clusters should use scale sets type nodes
- Kubernetes Service > Kubernetes clusters should use standard SKU
- Kubernetes Service > Kubernetes clusters should use type ephemeral OS disk
- Kubernetes Service > Kubernetes clusters upgrade channel should be configured
- Kubernetes Service > Role-Based Access Control (RBAC) should be used on Kubernetes Services
- Kubernetes Service > Temp disks and cache for agent node pools in Azure Kubernetes Service clusters should be encrypted at host
- Lambda > Lambda functions concurrent execution limit configured
- Lambda > Lambda functions should be configured with a dead-letter queue
- Lambda > Lambda functions should be in a VPC
- Lambda > Lambda functions should have code signing configured
- Lambda > Lambda functions should not have URLs AuthType as 'None'
- Lambda > Lambda functions should use latest runtimes
- Lambda > Lambda functions variable encryption should be enabled
- Lambda > Lambda functions variable should not have any sensitive data
- Lambda > Lambda functions xray tracing should be enabled
- Lambda > Lambda permissions should restrict service permission by source account or source arn
- Logging > Ensure that retention policies on log buckets are configured using Bucket Lock
- Logic > Resource logs in Logic Apps should be enabled
- Machine Learning > Azure Machine Learning workspaces should be encrypted with a customer-managed key
- Machine Learning > Machine Learning Compute Clusters local authentication should be disabled
- Machine Learning > Machine Learning Compute Clusters minimum node count should be set to zero
- Machine Learning > Machine Learning workspaces should restrict public access
- Managed Workflows for Apache Airflow > MWAA environment should have scheduler logs enabled
- Managed Workflows for Apache Airflow > MWAA environment should have webserver logs enabled
- Managed Workflows for Apache Airflow > MWAA environment should have worker logs enabled
- MariaDB > Geo-redundant backup should be enabled for Azure Database for MariaDB
- MariaDB > MariaDB servers should have 'Enforce SSL connection' set to 'ENABLED'
- MariaDB > Public network access should be disabled for MariaDB servers
- Monitor > Azure Monitor log profile should collect logs for categories 'write', 'delete' and 'action'
- Monitor > Azure Monitor should collect activity logs from all regions
- Monitor > Ensure the storage container storing the activity logs is not publicly accessible
- Monitor > Monitor log profiles should have retention set to 365 days or greater
- MQ > MQ Broker should be encrypted with KMS CMK
- MQ > MQ Broker should have audit logging enabled
- MQ > MQ Broker should have automatic minor version upgrade enabled
- MQ > MQ Broker should have general logging enabled
- MQ > MQ Broker should not be publicly accessible
- MQ > MQ Broker should use correct engine version for their engine type
- MSK > MSK Cluster Nodes should be encrypted with KMS CMK
- MSK > MSK Cluster Nodes should have encryption in transit enabled
- MSK > MSK Cluster Nodes should have logging enabled
- MSK > MSK Cluster Nodes should not be publicly accessible
- MySQL > Enforce SSL connection should be enabled for MySQL database servers
- MySQL > Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server
- MySQL > Geo-redundant backup should be enabled for Azure Database for MySQL
- MySQL > Infrastructure encryption should be enabled for Azure Database for MySQL servers
- MySQL > MySQL servers should have threat detection enabled
- MySQL > MySQL servers should use customer-managed keys to encrypt data at rest
- MySQL > Public network access should be disabled for MySQL servers
- Neptune > Neptune cluster backup retention period should be at least 7 days
- Neptune > Neptune cluster encryption at rest should be enabled
- Neptune > Neptune cluster instance should not be publicly accessible
- Neptune > Neptune cluster should be encrypted with KMS CMK
- Neptune > Neptune clusters should be configured to copy tags to snapshots
- Neptune > Neptune clusters should have IAM authentication enabled
- Neptune > Neptune logging should be enabled
- Neptune > Neptune snapshot should be encrypted with KMS CMK
- Neptune > Neptune snapshot storage encryption should be enabled
- Object Storage > Ensure no Object Storage buckets are publicly visible
- Object Storage > Object Storage bucket encryption should be enabled
- Object Storage > Object Storage bucket object events should be enabled
- Object Storage > Object Storage bucket versioning should be enabled
- OpenSearch > OpenSearch domain should be encrypted with KMS CMK
- OpenSearch > OpenSearch domain should enforce HTTPS
- OpenSearch > OpenSearch domain should not use the default security group
- PostgreSQL > Enable connection_throttling on PostgreSQL Servers
- PostgreSQL > Enable log_checkpoints on PostgreSQL Servers
- PostgreSQL > Enable log_connections on PostgreSQL Servers
- PostgreSQL > Enable log_disconnections on PostgreSQL Servers
- PostgreSQL > Enable log_retention_days on PostgreSQL Servers
- PostgreSQL > Enforce SSL connection should be enabled for PostgreSQL database servers
- PostgreSQL > Geo-redundant backup should be enabled for Azure Database for PostgreSQL
- PostgreSQL > Infrastructure encryption should be enabled for Azure Database for PostgreSQL servers
- PostgreSQL > PostgreSQL flexible servers Geo-redundant backup should be enabled
- PostgreSQL > PostgreSQL Servers should use at least TLS 1.2 version
- PostgreSQL > PostgreSQL servers should use customer-managed keys to encrypt data at rest
- PostgreSQL > PostgreSQL Servers threat detection policy should be enabled
- PostgreSQL > Public network access should be disabled for PostgreSQL servers
- PubSub > PubSub Topic encrypted with KMS CMK
- PubSub > PubSub Topic Repository not publicly accessible
- QLDB > QLDB ledger permission mode should be set to 'STANDARD'
- QLDB > QLDB ledger should have deletion protection enabled
- RDS > Amazon Aurora clusters should have backtracking enabled
- RDS > An RDS event notifications subscription should be configured for critical cluster events
- RDS > An RDS event notifications subscription should be configured for critical database instance events
- RDS > An RDS event notifications subscription should be configured for critical database parameter group events
- RDS > An RDS event notifications subscription should be configured for critical database security group events
- RDS > Database logging should be enabled
- RDS > IAM authentication should be configured for RDS clusters
- RDS > MemoryDB clusters should be encrypted with KMS CMK
- RDS > MemoryDB clusters should have encryption in transit enabled
- RDS > MemoryDB snapshots should be encrypted with KMS CMK
- RDS > RDS clusters should have deletion protection enabled
- RDS > RDS databases and clusters should not use a database engine default port
- RDS > RDS DB cluster activity stream should be encrypted with KMS CMK
- RDS > RDS DB cluster instances should have auto minor version upgrade enabled
- RDS > RDS DB cluster instances should have performance insights enabled
- RDS > RDS DB cluster instances should have performance insights encrypted with KMS CMK
- RDS > RDS DB clusters should be configured for multiple Availability Zones
- RDS > RDS DB clusters should be configured to copy tags to snapshots
- RDS > RDS DB clusters should be encrypted using KMS CMK
- RDS > RDS DB clusters should have encryption at rest enabled
- RDS > RDS DB instance and cluster enhanced monitoring should be enabled
- RDS > RDS DB instance automatic minor version upgrade should be enabled
- RDS > RDS DB instance backup should be enabled
- RDS > RDS DB instance encryption at rest should be enabled
- RDS > RDS DB instance multiple az should be enabled
- RDS > RDS DB instances should be configured to copy tags to snapshots
- RDS > RDS DB instances should have deletion protection enabled
- RDS > RDS DB instances should have IAM authentication enabled
- RDS > RDS DB instances should have performance insights enabled
- RDS > RDS DB instances should have performance insights encrypted with KMS CMK
- RDS > RDS DB instances should prohibit public access
- RDS > RDS DB instances should use recent CA certificates
- RDS > RDS DB snapshots should be encrypted with KMS CMK
- RDS > RDS DB snapshots should not be publicly accessible
- RDS > RDS Global Cluster (MySQL & PostgreSQL) should have encryption enabled
- RDS > RDS MySQL DB clusters should have audit logging enabled
- Redis > Redis instances encryption in transit should be enabled
- Redis > Redis instances should have auth enabled
- Redshift > Amazon Redshift clusters should be encrypted with KMS
- Redshift > Amazon Redshift clusters should have automatic snapshots enabled
- Redshift > Amazon Redshift clusters should have logging enabled
- Redshift > Amazon Redshift clusters should use enhanced VPC routing
- Redshift > Amazon Redshift should have automatic upgrades to major versions enabled
- Redshift > Amazon Redshift should have required maintenance settings
- Redshift > Redshift cluster audit logging and encryption should be enabled
- Redshift > Redshift clusters should be encrypted
- Redshift > Redshift clusters should not be using EC2 classic mode
- Redshift > Redshift clusters should not use the default database name
- Redshift > Redshift clusters should prohibit public access
- Redshift > Redshift serverless namespaces should be encrypted with KMS CMK
- Redshift > Redshift snapshot copy grant should be encrypted with KMS CMK
- Resource Manager > Azure Defender for Resource Manager should be enabled
- S3 > Ensure MFA Delete is enabled on S3 buckets
- S3 > S3 Block Public Access setting should be enabled at the bucket level
- S3 > S3 bucket cross-region replication should be enabled
- S3 > S3 bucket default encryption should be enabled
- S3 > S3 bucket default encryption should be enabled with KMS
- S3 > S3 bucket lifecycle configuration should abort incomplete multipart uploads
- S3 > S3 bucket logging should be enabled
- S3 > S3 bucket object copy should be encrypted with KMS CMK
- S3 > S3 bucket object lock should be enabled
- S3 > S3 bucket object should be encrypted with KMS CMK
- S3 > S3 bucket should have block public policy enabled
- S3 > S3 bucket should ignore public ACLs
- S3 > S3 bucket versioning should be enabled
- S3 > S3 public access should be blocked at account level
- SageMaker > SageMaker domain should be encrypted using KMS CMK
- SageMaker > SageMaker endpoint configuration encryption should be enabled
- SageMaker > SageMaker notebook instance encryption should be enabled
- SageMaker > SageMaker notebook instances root access should be disabled
- SageMaker > SageMaker notebook instances should be in a VPC
- SageMaker > SageMaker notebook instances should not have direct internet access
- Secrets Manager > Secrets Manager secrets should be encrypted with KMS CMK
- Secrets Manager > Secrets Manager secrets should be rotated within a specified number of days
- Secrets Manager > Secrets Manager secrets should have automatic rotation enabled
- Security Center > Auto provisioning of the Log Analytics agent should be enabled on your subscription
- Security Center > Azure Defender for SQL should be enabled for unprotected SQL Managed Instances
- Security Center > Email notification for high severity alerts should be enabled
- Security Center > Email notification to subscription owner for high severity alerts should be enabled
- Security Center > Ensure that Azure Defender is set to On for App Service
- Security Center > Ensure that Azure Defender is set to On for Azure SQL database servers
- Security Center > Ensure that Azure Defender is set to On for Container Registries
- Security Center > Ensure that Azure Defender is set to On for Key Vault
- Security Center > Ensure that Azure Defender is set to On for Kubernetes
- Security Center > Ensure that Azure Defender is set to On for Servers
- Security Center > Ensure that Azure Defender is set to On for Storage
- Security Center > Security Center should use the standard pricing tier
- Security Center > Subscriptions should have a contact email address for security issues
- Security Center > Subscriptions should have a contact phone number for security issues
- Service Bus > Service Bus namespaces should have infrastructure encryption enabled
- Service Bus > Service bus namespaces should have local authentication disabled
- Service Bus > Service bus namespaces should restrict public access
- Service Bus > Service Bus namespaces should use a customer-managed key for encryption
- Service Bus > Service bus namespaces should use managed identity
- Service Bus > Service bus namespaces should use the latest TLS version
- Service Fabric > Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign
- Service Fabric > Service Fabric clusters should only use Azure Active Directory for client authentication
- SignalR > SignalR services should use paid SKU
- Simple Email Service > SES configuration set should enforce TLS usage
- SNS > SNS topic policies should prohibit public access
- SNS > SNS topics should be encrypted at rest
- Spanner > Spanner databases deletion protection should be enabled
- Spanner > Spanner databases drop protection should be enabled
- Spanner > Spanner databases should be encrypted with a KMS CMK
- Spring Cloud > Azure Spring Cloud should use network injection
- Spring Cloud > Spring Cloud API should not be publicly accessible
- Spring Cloud > Spring Cloud API should only be accessible over HTTPS
- SQL > An Azure Active Directory administrator should be provisioned for SQL servers
- SQL > Azure Defender for Azure SQL Database servers should be enabled
- SQL > Azure Defender for SQL servers on machines should be enabled
- SQL > Azure Defender for SQL should be enabled for unprotected Azure SQL servers
- SQL > Ensure '3625 (trace flag)' database flag for Cloud SQL SQL Server instance is set to 'off'
- SQL > Ensure 'external scripts enabled' database flag for Cloud SQL SQL Server instance is set to 'off'
- SQL > Ensure 'log_duration' database flag for Cloud SQL PostgreSQL instance is set to 'on'
- SQL > Ensure 'log_executor_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'
- SQL > Ensure 'log_hostname' database flag for Cloud SQL PostgreSQL instance is set appropriately
- SQL > Ensure 'log_parser_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'
- SQL > Ensure 'log_planner_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'
- SQL > Ensure 'log_statement_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'
- SQL > Ensure 'remote access' database flag for Cloud SQL SQL Server instance is set to 'off'
- SQL > Ensure 'skip_show_database' database flag for Cloud SQL MySQL instance is set to 'on'
- SQL > Ensure 'user options' database flag for Cloud SQL SQL Server instance is not configured
- SQL > Ensure no SQL Databases allow ingress 0.0.0.0/0 (ANY IP)
- SQL > Ensure that Advanced Threat Protection (ATP) on a SQL server is set to 'Enabled'
- SQL > Ensure that Azure Active Directory Admin is configured
- SQL > Ensure that Cloud SQL database instances are configured with automated backups
- SQL > Ensure that the 'contained database authentication' database flag for Cloud SQL on the SQL Server instance is set to 'off'
- SQL > Ensure that the 'cross db ownership chaining' database flag for Cloud SQL SQL Server instance is set to 'off'
- SQL > Ensure that the 'local_infile' database flag for a Cloud SQL MySQL instance is set to 'off'
- SQL > Ensure that the 'log_checkpoints' database flag for Cloud SQL PostgreSQL instance is set to 'on'
- SQL > Ensure that the 'log_connections' database flag for Cloud SQL PostgreSQL instance is set to 'on'
- SQL > Ensure that the 'log_disconnections' database flag for Cloud SQL PostgreSQL instance is set to 'on'
- SQL > Ensure that the 'log_lock_waits' database flag for Cloud SQL PostgreSQL instance is set to 'on'
- SQL > Ensure that the 'log_min_duration_statement' database flag for Cloud SQL PostgreSQL instance is set to '-1' (disabled)
- SQL > Ensure that the 'log_temp_files' database flag for Cloud SQL PostgreSQL instance is set to '0'
- SQL > Ensure that the Cloud SQL database instance requires all incoming connections to use SSL
- SQL > GCP SQL instance should be using latest major database version
- SQL > GCP SQL instance should not be publicly accessible
- SQL > GCP SQL instance should not have public IP address
- SQL > GCP SQL PostgreSQL instance should have log_min_error_statement database flag set to ERROR or lower
- SQL > GCP SQL PostgreSQL instance should have log_min_messages database flag set to a valid value
- SQL > GCP SQL PostgreSQL instance should have pgaudit database flag set to 'on'
- SQL > GCP SQL PostgreSQL instance should log SQL statements
- SQL > Long-term geo-redundant backup should be enabled for Azure SQL Databases
- SQL > Public network access on Azure SQL Database should be disabled
- SQL > SQL databases ledger should be enabled
- SQL > SQL databases should be zone redundant
- SQL > SQL databases should have log monitoring enabled
- SQL > SQL servers should have Administrator Email Security Alert enabled
- SQL > SQL servers should have all Security Alerts enabled
- SQL > SQL servers should have Email Security Alert enabled
- SQL > SQL servers should use the latest TLS version 1.2
- SQL > SQL servers with auditing to storage account destination should be configured with 90 days retention or higher
- SQS > Amazon SQS queues should be encrypted at rest
- SQS > SQS queue policies should not allow ALL (*) actions
- SQS > SQS queue policies should not allow ALL (*) principal
- SQS > VPC Endpoint for SQS should be enabled in all Availability Zones in use in a VPC
- SSM > SSM documents should not be publicly accessible
- SSM > SSM parameter should be encrypted using KMS CMK
- Step Functions > Step Functions state machine should have execution history logging enabled
- Step Functions > Step Functions state machine should have X-Ray tracing enabled
- Storage > Azure Defender for Storage should be enabled
- Storage > Ensure 'Trusted Microsoft Services' is enabled for Storage Account access
- Storage > Ensure Storage logging is enabled for Blob service for read, write, and delete requests
- Storage > Ensure Storage logging is enabled for Queue service for read, write, and delete requests
- Storage > Ensure that 'Public access level' is set to Private for blob containers
- Storage > Ensure that Cloud Storage bucket is not anonymously or publicly accessible
- Storage > Ensure that Cloud Storage buckets have uniform bucket-level access enabled
- Storage > Secure transfer to storage accounts should be enabled
- Storage > Storage account encryption scopes should use customer-managed keys to encrypt data at rest
- Storage > Storage account public access should be disallowed
- Storage > Storage accounts should be migrated to new Azure Resource Manager resources
- Storage > Storage accounts should have infrastructure encryption
- Storage > Storage accounts should have replication type set
- Storage > Storage accounts should restrict network access
- Storage > Storage accounts should restrict network access using virtual network rules
- Storage > Storage Accounts should use a virtual network service endpoint
- Storage > Storage accounts should use customer-managed key for encryption
- Storage > Storage accounts should use latest minimum TLS version
- Storage > Storage accounts should use private link
- Storage > Storage buckets logging should be enabled
- Storage > Storage buckets public access prevention should be enforced
- Storage > Storage buckets self logging should be disabled
- Storage > Storage buckets versioning should be enabled
- Storage > Storage container public access should be disabled
- Storage Sync > Azure File Sync should use private link
- Synapse Analytics > Azure Synapse workspaces should use customer-managed keys to encrypt data at rest
- Synapse Analytics > Azure Synapse workspaces should use private link
- Synapse Analytics > Synapse workspaces should have data exfiltration protection enabled
- Timestream > Timestream databases should be encrypted using KMS CMK
- VCN > Ensure Network Security Group has stateless ingress security rules
- VCN > Ensure no Network security groups allow ingress from 0.0.0.0/0 to port 22
- VCN > Ensure no Network security groups allow ingress from 0.0.0.0/0 to port 3389
- VCN > Ensure no security lists allow ingress from 0.0.0.0/0 to port 22
- VCN > Ensure no security lists allow ingress from 0.0.0.0/0 to port 3389
- VCN > Ensure subnets are not publicly accessible
- VCN > Ensure the Network default security list of every VCN restricts all traffic except ICMP
- VCN > Ensure VCN has at least one inbound security list configured
- VCN > Ensure VCN inbound security lists are stateless
- Vertex AI > Vertex AI datasets should be encrypted with KMS CMK
- Vertex AI > Vertex AI notebook instances should restrict public access
- Virtual Network > Gateway subnets should not be configured with a network security group
- Virtual Network > Network DNS server should have at least two connected DNS Endpoint
- Virtual Network > Network Security Groups HTTP Services are restricted from the Internet
- Virtual Network > Network Security Groups RDP Services are restricted from the Internet
- Virtual Network > Network Security Groups SSH Services are restricted from the Internet
- Virtual Network > Network Security Groups UDP Services are restricted from the Internet
- Virtual Network > Network Security Rules HTTP Services are restricted from the Internet
- Virtual Network > Network Security Rules RDP Services are restricted from the Internet
- Virtual Network > Network Security Rules SSH Services are restricted from the Internet
- Virtual Network > Network Security Rules UDP Services are restricted from the Internet
- Virtual Network > Network should have at least two connected DNS Endpoints
- Virtual Network > Network Watcher flow logs should have retention set to 90 days or greater
- Virtual Network > Subnets should be associated with a Network Security Group
- VPC > Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389
- VPC > Network ACL ingress rule should not allow access to all ports
- VPC > Network ACL should not allow unrestricted FTP port 20 access
- VPC > Network ACL should not allow unrestricted FTP port 21 access
- VPC > Network ACL should not allow unrestricted RDP port 3389 access
- VPC > Network ACL should not allow unrestricted SSH port 22 access
- VPC > Unused network access control lists should be removed
- VPC > VPC default security group should not allow inbound and outbound traffic
- VPC > VPC EC2 transit gateway should not automatically accept VPC attachment requests
- VPC > VPC EIPs should be associated with an EC2 instance or ENI
- VPC > VPC endpoint service acceptance should be enabled
- VPC > VPC flow logs should be enabled
- VPC > VPC internet gateways should be attached to authorized VPC
- VPC > VPC network firewall policy should define an encryption configuration that uses KMS CMK
- VPC > VPC network firewall rule group should be encrypted with KMS CMK
- VPC > VPC network firewall should be encrypted with KMS CMK
- VPC > VPC network firewall should have deletion protection enabled
- VPC > VPC security group rule should have description for rules
- VPC > VPC security group should have description for rules
- VPC > VPC security groups should be associated with at least one ENI
- VPC > VPC security groups should restrict ingress SSH access from 0.0.0.0/0
- VPC > VPC subnet auto-assign public IP should be disabled
- VPC > VPC transfer server should allow only secure protocols
- VPC > VPC transfer server should not be publicly accessible
- WAF > WAF regional web ACL logging should be enabled
- WAF > WAF regional web ACL should have at least one rule or rule group attached
- WAF > WAF regional web ACLs should have rules with actions
- WAF > WAF web ACL logging should be enabled
- WAF > WAF web ACL should have at least one rule or rule group
- WAF > WAF web ACLs should have rules with actions
- WAFV2 > WAFV2 web ACL should have at least one rule or rule group attached
- Web PubSub > Web PubSubs should use managed identity
- Web PubSub > Web PubSubs should use SKU with an SLA
- WorkSpaces > AWS workspaces root volume should be encrypted at rest
- WorkSpaces > AWS workspaces user volume should be encrypted at rest
Schema for terraform_resource
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | | Steampipe context in JSON form. |
address | text | | The absolute resource address. |
arguments | jsonb | | Resource arguments. |
attributes | jsonb | | Resource attributes. The value will populate only for the resources that come from a state file. |
attributes_std | jsonb | | Resource attributes. Contains the value from either the arguments or the attributes property. |
count | bigint | | The integer value for the count meta-argument if it's set as a number in a literal expression. |
count_src | jsonb | | The count meta-argument accepts a whole number, and creates that many instances of the resource or module. |
depends_on | jsonb | | Use the depends_on meta-argument to handle hidden resource or module dependencies that Terraform can't automatically infer. |
end_line | bigint | | Ending line number. |
for_each | jsonb | | The for_each meta-argument accepts a map or a set of strings, and creates an instance for each item in that map or set. |
lifecycle | jsonb | | The lifecycle meta-argument is a nested block that can appear within a resource block. |
mode | text | | The type of resource Terraform creates, either a resource (managed) or data source (data). |
name | text | | Resource name. |
path | text | = | Path to the file. |
provider | text | | The provider meta-argument specifies which provider configuration to use for a resource, overriding Terraform's default behavior of selecting one based on the resource type name. |
source | text | | The block source code. |
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
sp_ctx | jsonb | | Steampipe context in JSON form. |
start_line | bigint | | Starting line number. |
type | text | | Resource type. |
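An added example, not from the Steampipe documentation, of using the `attributes_std`, `path` and `start_line` columns above to implement one of the controls listed earlier ("VPC security groups should restrict ingress SSH access from 0.0.0.0/0"). It assumes that repeated `ingress` nested blocks appear in `attributes_std` as a JSON array (a single block as a JSON object) and that `cidr_blocks` and `ipv6_cidr_blocks` are JSON arrays of strings.

```sql
-- Added example: flag aws_security_group resources that open port 22 to the world.
-- Assumption: repeated `ingress` blocks are stored as a JSON array and a single
-- block as an object; both forms are normalised to an array below.
with ingress_rules as (
  select
    address,
    path,
    start_line,
    rule
  from
    terraform_resource,
    jsonb_array_elements(
      case jsonb_typeof(attributes_std -> 'ingress')
        when 'array'  then attributes_std -> 'ingress'
        when 'object' then jsonb_build_array(attributes_std -> 'ingress')
        else '[]'::jsonb
      end
    ) as rule
  where
    type = 'aws_security_group'
),
open_ssh as (
  select distinct address, path
  from ingress_rules
  where
    -- protocol "-1" means all protocols; from/to_port 0 covers port 22
    lower(rule ->> 'protocol') in ('tcp', '-1')
    and (rule ->> 'from_port')::int <= 22
    and (rule ->> 'to_port')::int >= 22
    and (
      rule -> 'cidr_blocks' ? '0.0.0.0/0'
      or rule -> 'ipv6_cidr_blocks' ? '::/0'
    )
)
select
  r.address as resource,
  case when o.address is null then 'ok' else 'alarm' end as status,
  r.address || case when o.address is null
    then ' restricts SSH ingress from the Internet'
    else ' allows SSH ingress from 0.0.0.0/0 or ::/0' end as reason,
  r.path || ':' || r.start_line as location
from
  terraform_resource r
  left join open_ssh o on o.address = r.address and o.path = r.path
where
  r.type = 'aws_security_group';
```

The `location` column points at the file and line of the offending block, which is what a reviewer needs to fix the HCL rather than the deployed resource.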
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- terraform
You can pass the configuration to the command with the --config argument:
steampipe_export_terraform --config '<your_config>' terraform_resource