Table: terraform_resource - Query Terraform Resources using SQL
Terraform is an open-source infrastructure as code software tool that enables users to define and provision a data center infrastructure using a high-level configuration language. It supports a multitude of providers such as AWS, GCP, Azure, and more. The Terraform Resources are the main component in a Terraform configuration, and they describe one or more infrastructure objects, such as virtual networks, compute instances, or higher-level components such as DNS records.
Table Usage Guide
The terraform_resource
table provides insights into Terraform Resources within the Terraform environment. As a DevOps engineer, explore resource-specific details through this table, including configuration, state, and provider details. Utilize it to uncover information about resources, such as their current state, the provider they are associated with, and the details of their configuration.
Examples
Basic info
Explore the fundamental details of your Terraform resources to gain a better understanding of their configuration and location. This can be beneficial in managing resources and assessing their setup.Explore which resources are currently in use within your Terraform configuration. This allows you to gain insights into the types, addresses, and paths of these resources, aiding you in your infrastructure management tasks.
select name, type, address, attributes_std, pathfrom terraform_resource;
select name, type, address, attributes_std, pathfrom terraform_resource;
List AWS IAM roles
Explore the configuration of your AWS infrastructure by identifying the roles assigned within it. This can help in understanding the access and permissions structure, aiding in security audits and compliance checks.Explore the various roles within your AWS IAM setup to understand their configurations and attributes. This could help in managing access control and ensuring security protocols are being followed.
select name, type, address, attributes_std, pathfrom terraform_resourcewhere type = 'aws_iam_role';
select name, type, address, attributes_std, pathfrom terraform_resourcewhere type = 'aws_iam_role';
List AWS IAM assume_role_policy
Statements
Explore which AWS Identity and Access Management (IAM) roles have specific permissions. This is particularly useful for auditing security and compliance purposes, as it allows you to identify potential vulnerabilities in your IAM roles' permissions.Analyze the settings to understand the policies associated with AWS IAM roles. This can be useful to identify instances where specific roles have been granted certain permissions, ensuring secure and appropriate access control within your AWS environment.
select path, name, address, (attributes_std ->> 'assume_role_policy') :: jsonb -> 'Statement' as statementfrom terraform_resourcewhere type = 'aws_iam_role'
select path, name, address, json_extract(attributes_std, '$.assume_role_policy.Statement') as statementfrom terraform_resourcewhere type = 'aws_iam_role'
Get AMI for each AWS EC2 instance
Explore which AWS EC2 instances are associated with each Amazon Machine Image (AMI). This can help identify instances that may be using outdated or unsecured AMIs, supporting better security and compliance management.Explore which Amazon Machine Images (AMIs) are used for each Amazon Web Services (AWS) Elastic Compute Cloud (EC2) instance. This is useful for understanding the software configurations of your EC2 instances.
select address, name, attributes_std ->> 'ami' as ami, pathfrom terraform_resourcewhere type = 'aws_instance';
select address, name, json_extract(attributes_std, '$.ami') as ami, pathfrom terraform_resourcewhere type = 'aws_instance';
List AWS CloudTrail trails that are not encrypted
Analyze the settings to understand which AWS CloudTrail trails are not encrypted, helping to identify potential security risks in your AWS environment.Determine the areas in which AWS CloudTrail trails are not encrypted to ensure data security and compliance. This is crucial for identifying potential security vulnerabilities in your AWS environment.
select address, name, pathfrom terraform_resourcewhere type = 'aws_cloudtrail' and attributes_std -> 'kms_key_id' is null;
select address, name, pathfrom terraform_resourcewhere type = 'aws_cloudtrail' and json_extract(attributes_std, '$.kms_key_id') is null;
List Azure storage accounts that allow public blob access
Explore which Azure storage accounts permit public access to their blobs. This is useful in identifying potential security vulnerabilities where sensitive data might be exposed.Explore which Azure storage accounts permit public blob access. This can be useful in identifying potential security risks and ensuring that sensitive data is not inadvertently exposed to the public.
select address, name, case when attributes_std -> 'allow_blob_public_access' is null then false else (attributes_std -> 'allow_blob_public_access') :: boolean end as allow_blob_public_access, pathfrom terraform_resourcewhere type = 'azurerm_storage_account' -- Optional arg that defaults to false and (attributes_std -> 'allow_blob_public_access') :: boolean;
select address, name, case when json_extract(attributes_std, '$.allow_blob_public_access') is null then 0 else json_extract(attributes_std, '$.allow_blob_public_access') end as allow_blob_public_access, pathfrom terraform_resourcewhere type = 'azurerm_storage_account' and json_extract(attributes_std, '$.allow_blob_public_access');
List Azure MySQL servers that don't enforce SSL
Explore which Azure MySQL servers are potentially vulnerable by identifying those that do not enforce SSL. This can help enhance security by pinpointing areas to strengthen encryption measures.Determine the areas in which Azure MySQL servers are not enforcing SSL. This is useful to identify potential security vulnerabilities and ensure all servers are adhering to best practices for secure connections.
select address, name, attributes_std -> 'ssl_enforcement_enabled' as ssl_enforcement_enabled, pathfrom terraform_resourcewhere type = 'azurerm_mysql_server' and not (attributes_std -> 'ssl_enforcement_enabled') :: boolean;
select address, name, json_extract(attributes_std, '$.ssl_enforcement_enabled') as ssl_enforcement_enabled, pathfrom terraform_resourcewhere type = 'azurerm_mysql_server' and not json_extract(attributes_std, '$.ssl_enforcement_enabled');
List Azure MySQL servers with public network access enabled
Determine the Azure MySQL servers that have public network access enabled. This can be useful for identifying potential security risks and ensuring that your servers are configured according to your organization's security policies.Determine the Azure MySQL servers that have public network access enabled. This helps in identifying potential security risks by highlighting servers that are exposed to the public internet.
select address, name, case when attributes_std -> 'public_network_access_enabled' is null then true else (attributes_std -> 'public_network_access_enabled') :: boolean end as public_network_access_enabled, pathfrom terraform_resourcewhere type in ('azurerm_mssql_server', 'azurerm_mysql_server') -- Optional arg that defaults to true and ( attributes_std -> 'public_network_access_enabled' is null or (attributes_std -> 'public_network_access_enabled') :: boolean );
select address, name, case when json_extract(attributes_std, '$.public_network_access_enabled') is null then 1 else json_extract(attributes_std, '$.public_network_access_enabled') end as public_network_access_enabled, pathfrom terraform_resourcewhere type in ('azurerm_mssql_server', 'azurerm_mysql_server') and ( json_extract(attributes_std, '$.public_network_access_enabled') is null or json_extract(attributes_std, '$.public_network_access_enabled') );
List resources from a plan file
This query allows you to analyze the resources outlined in a specific Terraform plan file. It helps in gaining insights into the different elements like name, type, and address, which can be beneficial for understanding the structure and configuration of your infrastructure.Explore which resources are included in a specific plan file. This can help identify instances where certain resources may need to be added, removed, or modified, providing insights into the overall configuration of your project.
select name, type, address, attributes_std, pathfrom terraform_resourcewhere path = '/path/to/tfplan.json';
select name, type, address, attributes_std, pathfrom terraform_resourcewhere path = '/path/to/tfplan.json';
List resources from a state file
Explore which resources are contained within a specific state file. This is useful for understanding the structure and content of your Terraform infrastructure without needing to navigate through multiple files or directories.Determine the resources within a specific state file in Terraform. This is useful for understanding the components of your infrastructure and their attributes, especially when managing large-scale deployments.
select name, type, address, attributes_std, pathfrom terraform_resourcewhere path = '/path/to/terraform.tfstate';
select name, type, address, attributes_std, pathfrom terraform_resourcewhere path = '/path/to/terraform.tfstate';
Control examples
- ACM certificate should have create before destroy enabled
- ACM certificates should have transparency logging preference enabled
- Amazon Aurora clusters should have backtracking enabled
- Amazon Elasticsearch Service domains should be in a VPC
- Amazon Redshift clusters should be encrypted with KMS
- Amazon Redshift clusters should have automatic snapshots enabled
- Amazon Redshift clusters should have logging enabled
- Amazon Redshift clusters should use enhanced VPC routing
- Amazon Redshift should have automatic upgrades to major versions enabled
- Amazon Redshift should have required maintenance settings
- Amazon SQS queues should be encrypted at rest
- An Azure Active Directory administrator should be provisioned for SQL servers
- An RDS event notifications subscription should be configured for critical cluster events
- An RDS event notifications subscription should be configured for critical database instance events
- An RDS event notifications subscription should be configured for critical database parameter group events
- An RDS event notifications subscription should be configured for critical database security group events
- API Gateway Deployment should have create_before_destroy enabled
- API Gateway Domain should have latest TLS security policy configured
- API Gateway Method Settings should have cache enabled
- API Gateway Method Settings should have cache encrypted
- API Gateway Method Settings should have data trace disabled
- API Gateway Method should have restrictive access
- API Gateway REST and WebSocket API logging should be enabled
- API Gateway REST API cache data should be encrypted at rest
- API Gateway REST API should have create_before_destroy enabled
- API Gateway REST API stages should have AWS X-Ray tracing enabled
- API Gateway stage should uses SSL certificate
- API Gateway V2 Route should have authorization type set
- API Management backends should use HTTPS
- API Management services client certificate should be enabled
- API Management services should restrict public network access
- API Management services should use a virtual network
- API Management services should use at least TLS 1.2 version
- App Configurations encryption should be enabled
- App Configurations local authentication should be disabled
- App Configurations purge protection should be enabled
- App Configurations should restrict public network access
- App Configurations should use standard SKU
- App Service environment should be zone redundant
- App Service Environment should enable internal encryption
- App Service plans should be zone redundant
- App Service plans should not use free, shared or basic SKU
- App Service should use a virtual network service endpoint
- AppFlow Connector Profile should be encrypted with KMS CMK
- AppFlow Flow should be encrypted with KMS CMK
- Application Gateway should restrict message lookup in Log4j2
- Application Gateway should use HTTPS Listener
- Application Gateway should use secure SSL cipher
- AppSync API cache encryption at rest should be enabled
- AppSync API cache encryption in transit should be enabled
- AppSync GraphQL API CloudWatch logs should be enabled
- AppSync GraphQL API field level logs should be enabled
- Artifact Registry Repository should be encrypted with KMS CMK
- Artifact Registry Repository should not be publicly accessible
- Athena database encryption at rest should be enabled
- Athena workgroup configuration should be enforced
- Athena workgroup encryption at rest should be enabled
- Authorized IP ranges should be defined on Kubernetes Services
- Auto provisioning of the Log Analytics agent should be enabled on your subscription
- Auto Scaling groups should have tagging enabled
- Auto Scaling groups should use launch templates
- Auto Scaling groups with a load balancer should use health checks
- Auto Scaling launch config public IP should be disabled
- Automation account variables encryption should be enabled
- AWS workspaces root volume should be encrypted at rest
- AWS workspaces user volume should be encrypted at rest
- Azure API for FHIR should disable public network access
- Azure API for FHIR should use a customer-managed key to encrypt data at rest
- Azure Batch account should use customer-managed keys to encrypt data
- Azure Cache for Redis should reside within a virtual network
- Azure Cognitive Search services should disable public network access
- Azure Cognitive Search services should use private link
- Azure Cosmos DB accounts should have firewall rules
- Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest
- Azure Data Explorer encryption at rest should use a customer-managed key
- Azure data factories should be encrypted with a customer-managed key
- Azure Defender for App Service should be enabled
- Azure Defender for Azure SQL Database servers should be enabled
- Azure Defender for container registries should be enabled
- Azure Defender for DNS should be enabled
- Azure Defender for Key Vault should be enabled
- Azure Defender for Kubernetes should be enabled
- Azure Defender for Resource Manager should be enabled
- Azure Defender for servers should be enabled
- Azure Defender for SQL servers on machines should be enabled
- Azure Defender for SQL should be enabled for unprotected Azure SQL servers
- Azure Defender for SQL should be enabled for unprotected SQL Managed Instances
- Azure Defender for Storage should be enabled
- Azure File Sync should use private link
- Azure Key Vault Managed HSM should have purge protection enabled
- Azure Key Vault should disable public network access
- Azure Machine Learning workspaces should be encrypted with a customer-managed key
- Azure Monitor log profile should collect logs for categories 'write', 'delete' and 'action'
- Azure Monitor should collect activity logs from all regions
- Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters
- Azure Spring Cloud should use network injection
- Azure Synapse workspaces should use customer-managed keys to encrypt data at rest
- Azure Synapse workspaces should use private link
- Backup plan min frequency and min retention check
- Backup vault encryption at rest enabled
- Big Query Instance should be encrypted with KMS CMK
- Big Query Table deletion protection should be enabled
- Big Query Table should not be publicly accessible
- Bigtable Instance deletion protection should be enabled
- Block Storage block volume backup should be enabled
- Block Storage block volume encryption should be enabled
- Block Storage boot volume backup encryption should be enabled
- Block Storage boot volume encryption should be enabled
- Both operating systems and data disks in Azure Kubernetes Service clusters should be encrypted by customer-managed keys
- Check that CMEK rotation policy is in place and is sufficiently short
- Check that GKE clusters have a Network Policy installed
- Check that legacy metadata endpoints are disabled on Kubernetes clusters(disabled by default since GKE 1.12+)
- Classic Load Balancers should have connection draining enabled
- Cloud Armor prevents message lookup in Log4j2
- Cloud Build workers should use private IP addresses
- Cloud Function should not be publicly accessible
- Cloud Run services should not be publicly accessible
- CloudFormation Stacks should have notifications enabled
- CloudFront distribution should be in enabled state
- CloudFront distributions minimum protocol version should be set
- CloudFront distributions should have a default root object configured
- CloudFront distributions should have AWS WAF enabled
- CloudFront distributions should have logging enabled
- CloudFront distributions should have origin access identity enabled
- CloudFront distributions should have origin failover configured
- CloudFront distributions should require encryption in transit
- CloudFront response header policy should be configured with Strict Transport Security
- CloudSearch should have enforced HTTPS enabled
- CloudSearch should use the latest TLS version
- CloudTrail event data should be stored encrypted with KMS CMK
- CloudTrail trail log file validation should be enabled
- CloudTrail trail logs should be encrypted with KMS CMK
- CloudTrail trail should have SNS topic enabled
- CloudWatch alarm action should be enabled
- CodeArtifact Domain should be encrypted with KMS CMK
- CodeBuild GitHub or Bitbucket source repository URLs should use OAuth
- CodeBuild project encryption at rest should be enabled
- CodeBuild project environments should have logging enabled
- CodeBuild project plaintext environment variables should not contain sensitive AWS values
- CodeBuild project privileged mode should be disabled
- CodeBuild project S3 logs encryption should be enabled
- CodeCommit approval rule template should have at least 2 approvals
- CodePipeline Artifacts encrypted with KMS CMK
- Cognitive Search services allowed IPs should restrict public access
- Cognitive Search services should maintain SLA for index updates
- Cognitive Search services should use managed identity
- Cognitive Services accounts should disable public network access
- Cognitive Services accounts should enable data encryption with a customer-managed key
- Cognitive Services accounts should have local authentication methods disabled
- Cognitive Services accounts should restrict network access
- Comprehend entity recognizer model encrypted with KMS CMK
- Comprehend entity recognizer volume encrypted with KMS CMK
- Compute instance boot disk encryption should be enabled
- Compute instance boot volume encryption in transit should be enabled
- Compute instance legacy metadata service endpoint should be disabled
- Compute instance monitoring should be enabled
- Compute Subnetworks should have Private IPv6 Google Access enabled
- Compute virtual machine scale sets should have automatic OS image patching enabled
- Config aggregator should be enabled in all regions
- Connect instance kinesis video stream storage config is encrypted with KMS CMK
- Connect instance S3 storage config is encrypted with KMS CMK
- Connections to Elasticsearch domains should be encrypted using TLS 1.2
- Container instance container groups should be in virtual network
- Container instance container groups should use secure environment variable
- Container registries admin user should be disabled
- Container registries anonymous pull should be disabled
- Container registries image scan should be enabled
- Container registries public network access should be disabled
- Container registries quarantine policy should be enabled
- Container registries retention policy should be enabled
- Container registries should be encrypted with a customer-managed key
- Container registries should be geo-replicated
- Container registries should be zone redundant
- Container registries should not allow unrestricted network access
- Container registries trust policy should be enabled
- Container Registry should use a virtual network service endpoint
- Content Delivery Network custom domains should use at least TLS 1.2 version
- Content Delivery Networks HTTP endpoint should be disabled
- Content Delivery Networks HTTPS endpoint should be enabled
- CORS should not allow every resource to access your Function Apps
- CORS should not allow every resource to access your Web Applications
- Cosmos DB accounts should have access key metadata writes disabled
- Cosmos DB accounts should have local authentication disabled
- Cosmos DB accounts should have public network access disabled
- Cosmos DB accounts should have restricted access
- Cosmos DB should use a virtual network service endpoint
- Custom subscription administrator roles should not exist
- Data factories should have public network access disabled
- Data factories should use GitHub repository
- Data Fusion instance should have Stackdriver Logging enabled
- Data Fusion instance should have Stackdriver Monitoring enabled
- Data Fusion instance should not be publicly accessible
- Database encryption should be enabled
- Database home encryption should be enabled
- Database logging should be enabled
- Database system encryption should be enabled
- Databricks should disable restric public network access
- Dataflow job should not be publicly accessible
- Dataflow should be encrypted with KMS CMK
- Dataproc cluster should be encrypted with KMS CMK
- Dataproc cluster should not be publicly accessible
- Dataproc cluster should not have public IP
- DataSync object storage location configuration should restrict secret key exposure
- DAX clusters endpoint encryption should have TLS enabled
- Deploy default Microsoft IaaSAntimalware extension for Windows Server
- Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
- Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs
- Diagnostic logs in App Services should be enabled
- Disk encryption should be enabled on Azure Data Explorer
- DLM lifecycle policy events cross-region encryption should be enabled
- DLM lifecycle policy events cross-region encryption with KMS CMK should be enabled
- DLM schedule cross-region encryption should be enabled
- DLM schedule cross-region encryption with KMS CMK should be enabled
- DMS replication instances should be encrypted with KMS CMK
- DMS replication instances should have automatic minor version upgrade enabled
- DMS replication instances should not be publicly accessible
- DMS S3 endpoints should be encrypted with KMS CMK
- DocDB cluster audit logging should be enabled
- DocDB cluster backup retention period should be at least 7 days
- DocDB cluster should be encrypted using KMS
- DocDB cluster should have log export enabled
- DocDB Global Cluster encryption at rest enabled
- DocDB parameter group should have audit logs enabled
- DocDB TLS should be enabled
- Double encryption should be enabled on Azure Data Explorer
- DynamoDB Accelerator (DAX) clusters should be encrypted at rest
- DynamoDB table point-in-time recovery should be enabled
- DynamoDB table should be encrypted with AWS KMS
- DynamoDB table should have encryption enabled
- DynamoDB VPC endpoint should be enabled in all route tables in use in a VPC
- EBS default encryption should be enabled
- EBS snapshots should be encrypted with KMS CMK
- EBS volumes should have encryption enabled
- EC2 AMI copy should be encrypted
- EC2 AMI copy should be encrypted with KMS CMK
- EC2 AMI image builder components should be encrypted with KMS CMK
- EC2 AMI image builder distribution configurations should be encrypted with KMS CMK
- EC2 AMI image builder image recipes should be encrypted with KMS CMK
- EC2 AMI launch permission should be restricted
- EC2 AMI should be encrypted
- EC2 instance detailed monitoring should be enabled
- EC2 instance EBS encryption should be enabled
- EC2 instance should have EBS optimization enabled
- EC2 instances should not contain secrets in user data
- EC2 instances should not have a public IP address
- EC2 instances should not use multiple ENIs
- EC2 instances should use IMDSv2
- EC2 instances termination protection should be enabled
- EC2 launch configuration EBS encryption should be enabled
- EC2 launch configuration should not have a metadata response hop limit greater than 1
- EC2 launch template should not have a metadata response hop limit greater than 1
- ECR repository policy should prohibit public access
- ECR repository should be encrypted with KMS
- ECR repository should use image scanning
- ECR repository tags should be immutable
- ECS cluster container insights should be enabled
- ECS cluster logging should be enabled
- ECS cluster logging should be encrypted with KMS CMK
- ECS containers should be limited to read-only access to root filesystems
- ECS containers should run in non-privileged mode
- ECS Fargate services should run on the latest Fargate platform version
- ECS task definition encryption in transit should be enabled
- ECS Task definition should have different Execution Role ARN and Task Role ARN
- ECS task definitions should not share the host's process namespace
- EFS access point should have a root directory
- EFS access point should have a user identity
- EFS file system encryption at rest should be enabled
- EFS file system should be encrypted with KMS CMK
- EFS file systems should be in a backup plan
- EKS cluster control plane logging should be enabled for all log types
- EKS cluster log types should be enabled
- EKS cluster node group should be configured to restrict SSH access from 0.0.0.0/0
- EKS cluster should run on supported Kubernetes version
- EKS clusters endpoint should restrict public access
- EKS clusters should be configured to have kubernetes secrets encrypted using KMS
- Elastic Beanstalk enhanced health reporting should be enabled
- Elastic Beanstalk managed platform updates should be enabled
- ElastiCache cluster should have subnet group
- ElastiCache Redis cluster automatic backup should be enabled with retention period of 15 days or greater
- ElastiCache Redis cluster should have auto minor version upgrade enabled
- ElastiCache replication group should be encrypted at rest
- ElastiCache replication group should be encrypted at transit
- ElastiCache replication group should be encrypted at transit
- ElastiCache replication group should be encrypted with KMS CMK
- Elasticsearch domain error logging to CloudWatch Logs should be enabled
- Elasticsearch domain node-to-node encryption should be enabled
- Elasticsearch domain should be encrypted with KMS CMK
- Elasticsearch domain should enforces HTTPS
- Elasticsearch domain should not use the default security group
- Elasticsearch domain should send logs to cloudWatch
- Elasticsearch domains should be configured with at least three dedicated master nodes
- Elasticsearch domains should have at least three data nodes
- Elasticsearch domains should have audit logging enabled
- ELB application and classic load balancer logging should be enabled
- ELB application load balancer deletion protection should be enabled
- ELB application load balancers should be drop HTTP headers
- ELB application load balancers should have drop invalid header fields configured
- ELB application load balancers should have Web Application Firewall (WAF) enabled
- ELB application, network and gateway load balancer should have cross-zone load balancing enabled
- ELB application, network and gateway load balancers should have defensive or strictest desync mitigation mode configured
- ELB classic load balancers should have cross-zone load balancing enabled
- ELB classic load balancers should have defensive or strictest desync mitigation mode configured
- ELB classic load balancers should only use SSL or HTTPS listeners
- ELB classic load balancers should use SSL certificates
- ELB HTTP HTTPS target group should be configured with Healthcheck
- ELB load balancer listeners should use a secure protocol
- Email notification for high severity alerts should be enabled
- Email notification to subscription owner for high severity alerts should be enabled
- EMR cluster Kerberos should be enabled
- EMR cluster security configurations should have EBS encryption enabled
- EMR cluster security configurations should have encryption in transit enabled
- EMR cluster security configurations should have local disk encryption enabled
- EMR cluster security configurations should use SSE-KMS
- Enable connection_throttling on PostgreSQL Servers
- Enable log_checkpoints on PostgreSQL Servers
- Enable log_connections on PostgreSQL Servers
- Enable log_disconnections on PostgreSQL Servers
- Enable log_retention_days on PostgreSQL Servers
- Enforce SSL connection should be enabled for MySQL database servers
- Enforce SSL connection should be enabled for PostgreSQL database servers
- Ensure '3625 (trace flag)' database flag for Cloud SQL SQL Server instance is set to 'off'
- Ensure 'Block Project-wide SSH keys' is enabled for VM instances
- Ensure 'Enable connecting to serial ports' is not enabled for VM Instance
- Ensure 'external scripts enabled' database flag for Cloud SQL SQL Server instance is set to 'off'
- Ensure 'log_duration' database flag for Cloud SQL PostgreSQL instance is set to 'on'
- Ensure 'log_executor_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'
- Ensure 'log_hostname' database flag for Cloud SQL PostgreSQL instance is set appropriately
- Ensure 'log_parser_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'
- Ensure 'log_planner_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'
- Ensure 'log_statement_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'
- Ensure 'remote access' database flag for Cloud SQL SQL Server instance is set to 'off'
- Ensure 'skip_show_database' database flag for Cloud SQL Mysql instance is set to 'on'
- Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server
- Ensure 'Trusted Microsoft Services' is enabled for Storage Account access
- Ensure 'user options' database flag for Cloud SQL SQL Server instance is not configured
- Ensure App Service Authentication is set on Azure App Service
- Ensure automatic node repair is enabled on all node pools in a GKE cluster
- Ensure Automatic node upgrades is enabled on Kubernetes Engine Clusters nodes
- Ensure basic roles are not used at folder level
- Ensure basic roles are not used at organization level
- Ensure basic roles are not used at project level
- Ensure Cloud Guard is enabled in the root compartment of the tenancy
- Ensure CloudTrail is enabled in all regions
- Ensure CloudWatch Logs destination policy has no wildcards
- Ensure Compute instances are launched with Shielded VM enabled
- Ensure Container-Optimized OS (cos) is used for Kubernetes engine clusters
- Ensure Default Service account is not used at a folder level
- Ensure Default Service account is not used at a organization level
- Ensure Default Service account is not used at a project level
- Ensure EC2 instances do not use default VPC
- Ensure FTP deployments are disabled
- Ensure IAM password policy expires passwords within 90 days or less
- Ensure IAM password policy prevents password reuse
- Ensure IAM password policy requires a minimum length of 8 or greater
- Ensure IAM password policy requires at least one lowercase letter
- Ensure IAM password policy requires at least one number
- Ensure IAM password policy requires at least one symbol
- Ensure IAM password policy requires at least one uppercase letter
- Ensure IAM password policy requires minimum length of 14 or greate
- Ensure IAM password policy requires minimum length of 14 or greater
- Ensure KMS encryption keys are rotated within a period of 90 days
- Ensure Legacy Authorization is disabled on Kubernetes Engine Clusters
- Ensure legacy networks do not exist for a project
- Ensure MFA Delete is enabled on S3 buckets
- Ensure Network Security Group has stateless ingress security rules
- Ensure no Network security groups allow ingress from 0.0.0.0/0 to port 22
- Ensure no Network security groups allow ingress from 0.0.0.0/0 to port 3389
- Ensure no Object Storage buckets are publicly visible
- Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389
- Ensure no security lists allow ingress from 0.0.0.0/0 to port 22
- Ensure no security lists allow ingress from 0.0.0.0/0 to port 3389
- Ensure no SQL Databases allow ingress 0.0.0.0/0 (ANY IP)
- Ensure OS login is enabled for a project
- Ensure Private Google Access is enabled for all subnetworks in VPC
- Ensure roles do not impersonate or manage Service Accounts used at folder level
- Ensure roles do not impersonate or manage Service Accounts used at organization level
- Ensure roles do not impersonate or manage Service Accounts used at project level
- Ensure Storage logging is enabled for Blob service for read, write, and delete requests
- Ensure Storage logging is enabled for Queue service for read, write, and delete requests
- Ensure subnets are not publicly accessible
- Ensure that 'HTTP Version' is the latest, if used to run the Function app
- Ensure that 'HTTP Version' is the latest, if used to run the Web app
- Ensure that 'Java version' is the latest, if used as a part of the Function app
- Ensure that 'Java version' is the latest, if used as a part of the Web app
- Ensure that 'PHP version' is the latest, if used as a part of the WEB app
- Ensure that 'Public access level' is set to Private for blob containers
- Ensure that 'Python version' is the latest, if used as a part of the Function app
- Ensure that 'Python version' is the latest, if used as a part of the Web app
- Ensure that a Default Customer-managed encryption key (CMEK) is specified for all BigQuery Data Sets
- Ensure that Advanced Threat Protection (ATP) on a SQL server is set to 'Enabled'
- Ensure that all BigQuery Tables are encrypted with Customer-managed encryption key (CMEK)
- Ensure that Azure Active Directory Admin is configured
- Ensure that Azure Defender is set to On for App Service
- Ensure that Azure Defender is set to On for Azure SQL database servers
- Ensure that Azure Defender is set to On for Container Registries
- Ensure that Azure Defender is set to On for Key Vault
- Ensure that Azure Defender is set to On for Kubernetes
- Ensure that Azure Defender is set to On for Servers
- Ensure that Azure Defender is set to On for Storage
- Ensure that BigQuery datasets are not anonymously or publicly accessible
- Ensure that Cloud SQL database instances are configured with automated backups
- Ensure that Cloud Storage bucket is not anonymously or publicly accessible
- Ensure that Cloud Storage buckets have uniform bucket-level access enabled
- Ensure that Compute instances do not have public IP addresses
- Ensure that Compute instances have Confidential Computing enabled
- Ensure that DNSSEC is enabled for Cloud DNS
- Ensure that instances are not configured to use the default service account
- Ensure that instances are not configured to use the default service account with full access to all Cloud APIs
- Ensure that IP forwarding is not enabled on Instances
- Ensure that Register with Azure Active Directory is enabled on App Service
- Ensure that retention policies on log buckets are configured using Bucket Lock
- Ensure that RSASHA1 is not used for key-signing key in Cloud DNS
- Ensure that RSASHA1 is not used for zone-signing key in Cloud DNS
- Ensure that Service Account has no admin privileges
- Ensure that the 'contained database authentication' database flag for Cloud SQL on the SQL Server instance is set to 'off'
- Ensure that the 'cross db ownership chaining' database flag for Cloud SQL SQL Server instance is set to 'off'
- Ensure that the 'local_infile' database flag for a Cloud SQL Mysql instance is set to 'off'
- Ensure that the 'log_checkpoints' database flag for Cloud SQL PostgreSQL instance is set to 'on'
- Ensure that the 'log_connections' database flag for Cloud SQL PostgreSQL instance is set to 'on'
- Ensure that the 'log_disconnections' database flag for Cloud SQL PostgreSQL instance is set to 'on'
- Ensure that the 'log_lock_waits' database flag for Cloud SQL PostgreSQL instance is set to 'on'
- Ensure that the 'log_min_duration_statement' database flag for Cloud SQL PostgreSQL instance is set to '-1' (disabled)
- Ensure that the 'log_temp_files' database flag for Cloud SQL PostgreSQL instance is set to '0'
- Ensure that the Cloud SQL database instance requires all incoming connections to use SSL
- Ensure that the default network does not exist in a project
- Ensure that there are only GCP-managed service account keys for each service account
- Ensure that users are not assigned the Service Account User or Service Account Token Creator roles at project level
- Ensure the Network default security list of every VCN restricts all traffic except ICMP
- Ensure the storage container storing the activity logs is not publicly accessible
- Ensure VCN has at least one inbound security list configured
- Ensure VCN inbound security lists are stateless
- Ensure VM disks for critical VMs are encrypted with Customer-Supplied Encryption Keys (CSEK)
- Ensure VPC Flow logs is enabled for every subnet in VPC Network
- Ensure WEB app has 'Client Certificates (Incoming client certificates)' set to 'On'
- Ensure WEB app has 'Client Certificates (Incoming client certificates)' set to 'On'
- ES domain encryption at rest should be enabled
- Event Grid domains should disable public network access
- Event Grid domains should have local authentication disabled
- Event Grid domains should use managed identity
- Event Grid topics should disable public network access
- Event Grid topics should have local authentication disabled
- Event Grid topics should use managed identity
- Event Hub namespaces 'Minimum TLS version' should be set to 'Version 1.2'
- Event Hub namespaces should be encrypted
- Event Hub namespaces should be zone redundant
- Event Hub should use a virtual network service endpoint
- EventBridge Scheduler Schedule should be encrypted with KMS CMK
- File Storage file system encryption should be enabled
- Firewall has firewall policy set
- Firewall policy intrusion detection mode set to deny
- Firewall threat intel mode set to deny
- Front Door firewall policy should restricts message lookup in Log4j2
- FSx Lustre File System should be encrypted with KMS CMK
- FSx ONTAP File System should be encrypted with KMS CMK
- FSx OpenZFS File System should be encrypted with KMS CMK
- FSx Windows File System should be encrypted with KMS CMK
- FTPS only should be required in your Function App
- FTPS should be required in your Web App
- Function App should only be accessible over HTTPS
- Function Apps builtin logging should be enabled
- Function apps should have 'Client Certificates (Incoming client certificates)' enabled
- Function apps should restrict public network access
- Gateway subnets should not be configured with a network security group
- GCP SQL instance should be using latest major database version
- GCP SQL instance should not be publicly accessible
- GCP SQL instance should not have public IP address
- GCP SQL PostgreSQL instance should have log_min_error_statement database flag set to ERROR or lower
- GCP SQL PostgreSQL instance should have log_min_messages database flag set to a valid value
- GCP SQL PostgreSQL instance should have pgaudit database flag set to 'on'
- GCP SQL PostgreSQL instance should log SQL statements
- Geo-redundant backup should be enabled for Azure Database for MariaDB
- Geo-redundant backup should be enabled for Azure Database for MySQL
- Geo-redundant backup should be enabled for Azure Database for PostgreSQL
- GKE clusters alias IP ranges should be enabled
- GKE clusters authenticator group should be configured to manage RBAC users
- GKE clusters client binary authorizationn should be enabled
- GKE clusters client certificate authentication should be disabled
- GKE clusters control plane should restrict public access
- GKE clusters GKE metadata server should be enabled
- GKE clusters integrity monitoring should be enabled for shielded nodes
- GKE clusters intranodal visibility should be enabled
- GKE clusters master authorized networks should be enabled
- GKE clusters release channel should be configured
- GKE clusters resource labels should be configured
- GKE clusters secure boot should be enabled for shielded nodes
- GKE clusters shielded nodes should be enabled
- GKE clusters should not use cluster level node pool
- GKE clusters should use Container-Optimized OS(cos) node image
- GKE clusters stackdriver logging should be enabled
- GKE clusters stackdriver monitoring should be enabled
- Glacier vault should restrict public access
- Global Accelerator flow logs should be enabled
- Glue crawler security configuration should be enabled
- Glue data catalog encryption should be enabled
- Glue dev endpoint security configuration should be enabled
- Glue job security configuration should be enabled
- Glue security configuration encryption should be enabled
- Google compute firewall ingress does not allow unrestricted FTP port 20 access
- Google compute firewall ingress does not allow unrestricted FTP port 21 access
- Google compute firewall ingress does not allow unrestricted HTTP port 80 access
- Google compute firewall ingress does not allow unrestricted MySQL port 3306 access
- Google compute firewall ingress does not allow unrestricted RDP port 3389 access
- Google compute firewall ingress does not allow unrestricted SSH port 22 access
- GuardDuty should be enabled
- Guest Configuration extension should be installed on your machines
- IAM authentication should be configured for RDS clusters
- IAM password policy should contain at least one lowercase character
- IAM password policy should contain at least one numeric character
- IAM password policy should contain at least one special character
- IAM password policy should contain at least one uppercase character
- IAM workload identity pool provider should be restricted
- Infrastructure encryption should be enabled for Azure Database for MySQL servers
- Infrastructure encryption should be enabled for Azure Database for PostgreSQL servers
- IoT Hubs should disable public network access
- IP Forwarding on your virtual machine should be disabled
- Kendra indexes should use KMS CMKs for server-side encryption
- Key Vault keys should have an expiration date
- Key Vault secrets should have a content type
- Key Vault secrets should have an expiration date
- Key Vault should use a virtual network service endpoint
- Key vaults should have purge protection enabled
- Keyspaces tables should be encrypted with KMS CMK
- Kinesis firehose delivery streams should be encrypted with KMS CMK
- Kinesis firehose delivery streams should have server side encryption enabled
- Kinesis stream encryption at rest should be enabled
- Kinesis streams should be encrypted with KMS CMK
- Kinesis vidoe streams should be encrypted with KMS CMK
- KMS CMK rotation should be enabled
- KMS Crypto keys should have prevent destroy enabled
- KMS keys should not be publicly accessible
- Kubernetes cluster nodes should restrict public access
- Kubernetes clusters key vault secret rotation should be enabled
- Kubernetes clusters local admin should be disabled
- Kubernetes clusters only critical system pods should run on system nodes
- Kubernetes clusters should have logging enabled
- Kubernetes clusters should have network policy enabled
- Kubernetes clusters should restrict public access
- Kubernetes clusters should use a minimum number of 50 pods
- Kubernetes clusters should use scale sets type nodes
- Kubernetes clusters should use standard SKU
- Kubernetes clusters should use type ephemeral OS disk
- Kubernetes clusters upgrade channel should be configured
- Kusto clusters should use managed identities
- Kusto clusters should use SKU with an SLA
- Lambda functions concurrent execution limit configured
- Lambda functions should be configured with a dead-letter queue
- Lambda functions should be in a VPC
- Lambda functions should have code signing configured
- Lambda functions should not have URLs AuthType as 'None'
- Lambda functions should use latest runtimes
- Lambda functions variable encryption should be enabled
- Lambda functions variable should not have any sensitive data
- Lambda functions xray tracing should be enabled
- Lambda permissions should restrict service permission by source account or source arn
- Latest TLS version should be used in your Function App
- Latest TLS version should be used in your Web App
- Linux Virtual machines and scale sets should enable SSH key authentication
- Linux virtual machines scale sets should disable password authentication
- Linux virtual machines should disable password authentication
- Log group encryption at rest should be enabled
- Log group retention period should be at least 365 days
- Log group retention period should be set
- Long-term geo-redundant backup should be enabled for Azure SQL Databases
- Machine Learning Compute Clusters local authentication should be disabled
- Machine Learning Compute Clusters minimum node count should be set to zero
- Machine Learning workspaces should restrict public access
- Managed disks should be encrypted
- Managed identity should be used in your Function App
- Managed identity should be used in your Web App
- MariaDB servers should have 'Enforce SSL connection' set to 'ENABLED'
- MemoryDB clusters should be encrypted with KMS CMK
- MemoryDB clusters should have encryption in transit enabled
- MemoryDB snapshots should be encrypted with KMS CMK
- Monitor log profiles should have retention set to 365 days or greater
- MQ Broker should be encrypted with KMS CMK
- MQ Broker should have audit logging enabled
- MQ Broker should have automatic minor version upgrade enabled
- MQ Broker should have general logging enabled
- MQ Broker should not be publicly accessible
- MQ Broker should use correct engine version for their engine type
- MSK Cluster Nodes should have be encrypted with KMS CMK
- MSK Cluster Nodes should have encryption in transt enabled
- MSK Cluster Nodes should have logging enabled
- MSK Cluster Nodes should not be publicly accessible
- MWAA environment should have scheduler logs enabled
- MWAA environment should have webserver logs enabled
- MWAA environment should have worker logs enabled
- MySQL servers should have threat detection enabled
- MySQL servers should use customer-managed keys to encrypt data at rest
- Neptune cluster backup retention period should be at least 7 days
- Neptune cluster encryption at rest should be enabled
- Neptune cluster instance should not be publicly accessible
- Neptune cluster should be encrypted with KMS CMK
- Neptune clusters should be configured to copy tags to snapshots
- Neptune clusters should have IAM authentication enabled
- Neptune logging should be enabled
- Neptune snapshot should be encrypted with KMS CMK
- Neptune snapshot storage encryption should be enabled
- Network ACL ingress rule should not allow access to all ports
- Network ACL should not allow unrestricted FTP port 20 access
- Network ACL should not allow unrestricted FTP port 21 access
- Network ACL should not allow unrestricted RDP port 3389 access
- Network ACL should not allow unrestricted SSH port 22 access
- Network DNS server should have at least two connected DNS Endpoint
- Network Security Groups HTTP Services are restricted from the Internet
- Network Security Groups RDP Services are restricted from the Internet
- Network Security Groups SSH Services are restricted from the Internet
- Network Security Groups UDP Services are restricted from the Internet
- Network Security Rules HTTP Services are restricted from the Internet
- Network Security Rules RDP Services are restricted from the Internet
- Network Security Rules SSH Services are restricted from the Internet
- Network Security Rules UDP Services are restricted from the Internet
- Network should have at least two connected DNS Endpoints
- Network Watcher flow logs should have retention set to 90 days or greater
- Object Storage bucket encryption should be enabled
- Object Storage bucket object events should be enabled
- Object Storage bucket versioning should be enabled
- Only secure connections to your Azure Cache for Redis should be enabled
- OpenSearch domain should be encrypted with KMS CMK
- OpenSearch domain should enforces HTTPS
- OpenSearch domain should not use the default security group
- Password policies for IAM users should have strong configurations
- PostgreSQL flexible serves Geo-redundant backup should be enabled
- PostgreSQL Servers should use at least TLS 1.2 version
- PostgreSQL servers should use customer-managed keys to encrypt data at rest
- PostgreSQL Servers threat detection policy should be enabled
- Public network access on Azure SQL Database should be disabled
- Public network access should be disabled for MariaDB servers
- Public network access should be disabled for MySQL servers
- Public network access should be disabled for PostgreSQL servers
- PubSub Topic encrypted with KMS CMK
- PubSub Topic Repository not publicly accessible
- QLDB ledger permission mode should be set to 'STANDARD'
- QLDB ledger should have deletion protection enabled
- RDS clusters should have deletion protection enabled
- RDS databases and clusters should not use a database engine default port
- RDS DB cluster activity stream should be encrypted with KMS CMK
- RDS DB cluster instances should have auto minor version upgrade enabled
- RDS DB cluster instances should have performance insights enabled
- RDS DB cluster instances should have performance insights encrypted with KMS CMK
- RDS DB clusters should be configured for multiple Availability Zones
- RDS DB clusters should be configured to copy tags to snapshots
- RDS DB clusters should be encrypted using KMS CMK
- RDS DB clusters should have encryption at rest enabled
- RDS DB instance and cluster enhanced monitoring should be enabled
- RDS DB instance automatic minor version upgrade should be enabled
- RDS DB instance backup should be enabled
- RDS DB instance encryption at rest should be enabled
- RDS DB instance multiple az should be enabled
- RDS DB instances should be configured to copy tags to snapshots
- RDS DB instances should have deletion protection enabled
- RDS DB instances should have iam authentication enabled
- RDS DB instances should have performance insights enabled
- RDS DB instances should have performance insights encrypted with KMS CMK
- RDS DB instances should prohibit public access
- RDS DB instances should use recent CA certificates
- RDS DB snapshots should be encrypted with KMS CMK
- RDS DB snapshots should not be publicly accessible
- RDS Global Cluster (MySQl & PostgreSQL) should have encryption enabled
- RDS MySQL DB clusters should have audit logging enabled
- Redis Caches 'Minimum TLS version' should be set to 'Version 1.2'
- Redis Caches should restrict public access
- Redis Caches standard replication should be enabled
- Redis instances encryption in transit should be enabled
- Redis instances should have auth enabled
- Redshift cluster audit logging and encryption should be enabled
- Redshift clusters should be encrypted
- Redshift clusters should not be using EC2 classic mode
- Redshift clusters should not use the default database name
- Redshift clusters should prohibit public access
- Redshift serverless namespaces should be encrypted with KMS CMK
- Redshift snapshot copy grant should be encrypted with KMS CMK
- Remote debugging should be turned off for Web Applications
- Require encryption on Data Lake Store accounts
- Resource logs in Azure Key Vault Managed HSM should be enabled
- Resource logs in Batch accounts should be enabled
- Resource logs in IoT Hub should be enabled
- Resource logs in Key Vault should be enabled
- Resource logs in Logic Apps should be enabled
- Role-Based Access Control (RBAC) should be used on Kubernetes Services
- S3 Block Public Access setting should be enabled at the bucket level
- S3 bucket cross-region replication should enabled
- S3 bucket default encryption should be enabled
- S3 bucket default encryption should be enabled with KMS
- S3 bucket lifecycle configuration should abort incomplete multipart uploads
- S3 bucket logging should be enabled
- S3 bucket object copy should be encrypted with KMS CMK
- S3 bucket object lock should be enabled
- S3 bucket object should be encrypted with KMS CMK
- S3 bucket should have block public policy enabled
- S3 bucket should ignore public ACLs
- S3 bucket versioning should be enabled
- S3 public access should be blocked at account level
- SageMaker domain should be encypted using KMS CMK
- SageMaker endpoint configuration encryption should be enabled
- SageMaker notebook instance encryption should be enabled
- SageMaker notebook instances root access should be disabled
- SageMaker notebook instances should be in a VPC
- SageMaker notebook instances should not have direct internet access
- Secrets Manager secrets should be encrypted with KMS CMK
- Secrets Manager secrets should be rotated within a specified number of days
- Secrets Manager secrets should have automatic rotation enabled
- Secure transfer to storage accounts should be enabled
- Security Center should use the standard pricing tier
- Service Bus namespaces should have infrastructure encryption enabled
- Service bus namespaces should have local authentication disabled
- Service bus namespaces should restrict public access
- Service Bus namespaces should use a customer-managed key for encryption
- Service bus namespaces should use managed identity
- Service bus namespaces should use the latest TLS version
- Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign
- Service Fabric clusters should only use Azure Active Directory for client authentication
- SES configuration set should enforce TLS usage
- SignalR services should use paid SKU
- SNS topic policies should prohibit public access
- SNS topics should be encrypted at rest
- Spanner databases deletion protection should be enabled
- Spanner databases drop protection should be enabled
- Spanner databases should be encrypted with a KMS CMK
- Spring Cloud API should not be publicly accessible
- Spring Cloud API should only be accessible over HTTPS
- SQL databases ledger should be enabled
- SQL databases should be zone redundant
- SQL databases should have log monitoring enabled
- SQL servers should have Administrator Email Security Alert enabled
- SQL servers should have all Security Alerts enabled
- SQL servers should have Email Security Alert enabled
- SQL servers should use the latest TLS version 1.2
- SQL servers with auditing to storage account destination should be configured with 90 days retention or higher
- SQS queue policies should not allow ALL (*) actions
- SQS queue policies should not allow ALL (*) principal
- SSM documents should not be publicly accessible
- SSM parameter should be encypted using KMS CMK
- Step Functions state machine should have execution history logging enabled
- Step Functions state machine should have X-Ray tracing enabled
- Storage account encryption scopes should use customer-managed keys to encrypt data at rest
- Storage account public access should be disallowed
- Storage accounts should be migrated to new Azure Resource Manager resources
- Storage accounts should have infrastructure encryption
- Storage accounts should have replication type set
- Storage accounts should restrict network access
- Storage accounts should restrict network access using virtual network rules
- Storage Accounts should use a virtual network service endpoint
- Storage accounts should use customer-managed key for encryption
- Storage accounts should use latest minimum TLS version
- Storage accounts should use private link
- Storage buckets logging should be enabled
- Storage buckets public access prevention should be enforced
- Storage buckets self logging should be disabled
- Storage buckets versioning should be enabled
- Storage container public access should be disabled
- Subnets should be associated with a Network Security Group
- Subscriptions should have a contact email address for security issues
- Subscriptions should have a contact phone number for security issues
- Synapse workspaces should have data exfiltration protection enabled
- System updates should be installed on your machines
- Temp disks and cache for agent node pools in Azure Kubernetes Service clusters should be encrypted at host
- Timestream databases should be encrypted using KMS CMK
- Unused network access control lists should be removed
- Verify all GKE clusters are Private Clusters
- Vertex AI datasets should be encrypted with KMS CMK
- Vertex AI notebook instances should restrict public access
- Virtual machines and scale sets should have agent installed
- Virtual machines and virtual machine scale sets should have encryption at host enabled
- Virtual machines should be migrated to new Azure Resource Manager resources
- Virtual machines should disable password authentication
- Virtual machines should not allow extension operations
- VPC default security group should not allow inbound and outbound traffic
- VPC EC2 transit gateway should not automatically accept VPC attachment requests
- VPC EIPs should be associated with an EC2 instance or ENI
- VPC Endpoint for SQS should be enabled in all Availability Zones in use a VPC
- VPC endpoint service acceptance should be enabled
- VPC flow logs should be enabled
- VPC internet gateways should be attached to authorized VPC
- VPC network firewall policy should define a encryption configuration that uses KMS CMK
- VPC network firewall rule group should be encrypted with KMS CMK
- VPC network firewall should be encrypted with KMS CMK
- VPC network firewall should have deletion protection enabled
- VPC security group rule should have description for rules
- VPC security group should have description for rules
- VPC security groups should be associated with at least one ENI
- VPC security groups should restrict ingress SSH access from 0.0.0.0/0
- VPC subnet auto-assign public IP should be disabled
- VPC transfer server should allow only secure protocols
- VPC transfer server should not be publicly accessible
- WAF regional web ACL logging should be enabled
- WAF regional web ACL should have at least one rule or rule group attached
- WAF regional web ACLs should have rules with actions
- WAF web ACL logging should be enabled
- WAF web ACL should have at least one rule or rule group
- WAF web ACLs should have rules with actions
- WAFV2 web ACL should have at least one rule or rule group attached
- Web app slots remote debugging should be disabled
- Web app slots should only be accessible over HTTPS
- Web app slots should use the latest TLS version
- Web Application Firewall (WAF) should be enabled for Application Gateway
- Web Application Firewall (WAF) should be enabled for Azure Front Door Service service
- Web Application should only be accessible over HTTPS
- Web apps detailed error messages should be enabled
- Web apps failed request tracing should be enabled
- Web apps HTTP logs should be enabled
- Web apps should be configured to always be on
- Web apps should have health check enabled
- Web apps should have more than one worker
- Web apps should restrict public network access
- Web apps should use Azure files
- Web apps should use the latest 'Net Framework' version
- Web PubSubs should use managed identity
- Web PubSubs should use SKU with an SLA
- Windows Virtual machines and scale sets should have automatic updates enabled
Schema for terraform_resource
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | Steampipe context in JSON form, e.g. connection_name. | |
address | text | The absolute resource address. | |
arguments | jsonb | Resource arguments. | |
attributes | jsonb | Resource attributes. The value will populate only for the resources that come from a state file. | |
attributes_std | jsonb | Resource attributes. Contains the value from either the arguments or the attributes property. | |
count | bigint | The integer value for the count meta-argument if it's set as a number in a literal expression. | |
count_src | jsonb | The count meta-argument accepts a whole number, and creates that many instances of the resource or module. | |
depends_on | jsonb | Use the depends_on meta-argument to handle hidden resource or module dependencies that Terraform can't automatically infer. | |
end_line | bigint | Ending line number. | |
for_each | jsonb | The for_each meta-argument accepts a map or a set of strings, and creates an instance for each item in that map or set. | |
lifecycle | jsonb | The lifecycle meta-argument is a nested block that can appear within a resource block. | |
mode | text | The type of resource Terraform creates, either a resource (managed) or data source (data). | |
name | text | Resource name. | |
path | text | = | Path to the file. |
provider | text | The provider meta-argument specifies which provider configuration to use for a resource, overriding Terraform's default behavior of selecting one based on the resource type name. | |
source | text | The block source code. | |
start_line | bigint | Starting line number. | |
type | text | Resource type. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh
script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- terraform
You can pass the configuration to the command with the --config
argument:
steampipe_export_terraform --config '<your_config>' terraform_resource