tfsec
Credits
aquasecurity/tfsec
Authors

Liam Galvin (liamg)
Owen Rumney (owenrumney)

Contributors

Thanks to all contributors.