OpenStack Checks

    openstack

    The included OpenStack checks are listed below. For more information about each check, see the link provided.

    Checks
    openstack-compute-no-plaintext-password
    No plaintext password for compute instance
    openstack-fw-no-public-access
    Flags a firewall rule that allows traffic from/to the public internet