Rules List

To view the Rego code for the rules below, see our GitHub repo.


AWS

| Summary | Resource Types | Severity | Rule ID |
| --- | --- | --- | --- |
| IAM password policies should prevent reuse of previously used passwords | MULTIPLE | Medium | FG_R00002 |
| IAM password policies should expire passwords within 90 days | MULTIPLE | Medium | FG_R00003 |
| IAM policies should not be attached to users | MULTIPLE | Low | FG_R00007 |
| IAM policies should not be attached directly to users | MULTIPLE | Low | FG_R00007 |
| CloudFront distribution origin should be set to S3 or origin protocol policy should be set to https-only | MULTIPLE | Medium | FG_R00010 |
| CloudFront viewer protocol policy should be set to https-only or redirect-to-https | aws_cloudfront_distribution | Medium | FG_R00011 |
| ELBv1 listener protocol should not be set to http | MULTIPLE | High | FG_R00013 |
| Auto Scaling groups should span two or more availability zones | MULTIPLE | Medium | FG_R00014 |
| EBS volume encryption should be enabled | AWS::EC2::Volume | High | FG_R00016 |
| EBS volume encryption should be enabled | aws_ebs_volume | High | FG_R00016 |
| CloudFront distributions should have geo-restrictions specified | MULTIPLE | Medium | FG_R00018 |
| IAM password policies should require at least one uppercase character | MULTIPLE | Medium | FG_R00021 |
| IAM password policies should require at least one lowercase character | MULTIPLE | Medium | FG_R00022 |
| IAM password policies should require at least one symbol | MULTIPLE | Medium | FG_R00023 |
| IAM password policies should require at least one number | MULTIPLE | Medium | FG_R00024 |
| IAM password policies should require a minimum length of 14 | MULTIPLE | Medium | FG_R00025 |
| CloudTrail log file validation should be enabled | AWS::CloudTrail::Trail | Medium | FG_R00027 |
| CloudTrail log file validation should be enabled | aws_cloudtrail | Medium | FG_R00027 |
| S3 bucket ACLs should not have public access on S3 buckets that store CloudTrail log files | MULTIPLE | Critical | FG_R00028 |
| CloudTrail trails should have CloudWatch log integration enabled | AWS::CloudTrail::Trail | Medium | FG_R00029 |
| CloudTrail trails should have CloudWatch log integration enabled | MULTIPLE | Medium | FG_R00029 |
| S3 bucket access logging should be enabled on S3 buckets that store CloudTrail log files | MULTIPLE | Medium | FG_R00031 |
| CloudTrail log files should be encrypted using KMS CMKs | AWS::CloudTrail::Trail | High | FG_R00035 |
| CloudTrail log files should be encrypted using KMS CMKs | MULTIPLE | High | FG_R00035 |
| KMS CMK rotation should be enabled | AWS::KMS::Key | Medium | FG_R00036 |
| KMS CMK rotation should be enabled | aws_kms_key | Medium | FG_R00036 |
| VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 5900 (Virtual Network Computing) | MULTIPLE | High | FG_R00037 |
| VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 5800 (Virtual Network Computing), unless from ELBs | MULTIPLE | High | FG_R00038 |
| VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 5500 (Virtual Network Computing) | MULTIPLE | High | FG_R00039 |
| VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 23 (Telnet) | MULTIPLE | High | FG_R00040 |
| VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 80 (HTTP), unless from ELBs | MULTIPLE | High | FG_R00041 |
| ELBv1 load balancer cross zone load balancing should be enabled | MULTIPLE | Medium | FG_R00043 |
| VPC security group inbound rules should not permit ingress from a public address to all ports and protocols | aws_security_group | High | FG_R00044 |
| VPC security group inbound rules should not permit ingress from '0.0.0.0/0' to all ports and protocols | MULTIPLE | High | FG_R00045 |
| SQS access policies should not have global "*" access | MULTIPLE | Critical | FG_R00049 |
| SNS subscriptions should deny access via HTTP | MULTIPLE | Medium | FG_R00052 |
| VPC flow logging should be enabled | MULTIPLE | Medium | FG_R00054 |
| Load balancer access logging should be enabled | MULTIPLE | Medium | FG_R00066 |
| CloudFront access logging should be enabled | MULTIPLE | Medium | FG_R00067 |
| CloudWatch log groups should be encrypted with KMS CMKs | MULTIPLE | Medium | FG_R00068 |
| DynamoDB tables should be encrypted with AWS or customer managed KMS CMKs | MULTIPLE | Medium | FG_R00069 |
| SQS queue server-side encryption should be enabled (AWS-managed keys) | MULTIPLE | High | FG_R00070 |
| CloudFront distributions should be protected by WAFs | MULTIPLE | Medium | FG_R00073 |
| VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 22 (SSH) | MULTIPLE | High | FG_R00085 |
| VPC security group rules should not permit ingress from '0.0.0.0/0' to port 22 (SSH) | aws_security_group | High | FG_R00085 |
| IAM password policies should have a minimum length of 7 and include both alphabetic and numeric characters | MULTIPLE | Medium | FG_R00086 |
| VPC security group rules should not permit ingress from '0.0.0.0/0' to port 3389 (Remote Desktop Protocol) | MULTIPLE | High | FG_R00087 |
| VPC security group rules should not permit ingress from '0.0.0.0/0' to port 3389 (Remote Desktop Protocol) | aws_security_group | High | FG_R00087 |
| IAM password policies should prevent reuse of the four previously used passwords | MULTIPLE | Medium | FG_R00088 |
| VPC default security group should restrict all traffic | MULTIPLE | Medium | FG_R00089 |
| IAM policies should not have full "*:*" administrative privileges | MULTIPLE | High | FG_R00092 |
| RDS instances should be encrypted (AWS-managed or customer-managed KMS CMKs) | MULTIPLE | High | FG_R00093 |
| RDS instances should have FedRAMP approved database engines | MULTIPLE | Low | FG_R00094 |
| S3 bucket server side encryption should be enabled | AWS::S3::Bucket | High | FG_R00099 |
| S3 bucket server side encryption should be enabled | aws_s3_bucket | High | FG_R00099 |
| S3 bucket policies should only allow requests that use HTTPS | MULTIPLE | Medium | FG_R00100 |
| S3 bucket versioning and lifecycle policies should be enabled | aws_s3_bucket | Medium | FG_R00101 |
| ELB listener security groups should not be set to TCP all | MULTIPLE | High | FG_R00102 |
| VPC security groups attached to EC2 instances should not permit ingress from '0.0.0.0/0' to all ports | MULTIPLE | High | FG_R00103 |
| VPC security groups attached to RDS instances should not permit ingress from '0.0.0.0/0' to all ports | MULTIPLE | High | FG_R00104 |
| ElastiCache transport encryption should be enabled | MULTIPLE | Medium | FG_R00105 |
| DynamoDB tables Point in Time Recovery should be enabled | MULTIPLE | Medium | FG_R00106 |
| RDS instances should have backup retention periods configured | MULTIPLE | Medium | FG_R00107 |
| RDS Aurora cluster multi-AZ should be enabled | MULTIPLE | Medium | FG_R00209 |
| S3 bucket policies should not allow all actions for all IAM principals and public users | MULTIPLE | High | FG_R00210 |
| S3 bucket policies should not allow list actions for all IAM principals and public users | MULTIPLE | High | FG_R00211 |
| VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 9200 (Elasticsearch) | MULTIPLE | High | FG_R00212 |
| VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 9300 (Elasticsearch) | MULTIPLE | High | FG_R00213 |
| VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 2379 (etcd) | MULTIPLE | High | FG_R00214 |
| VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 27017 (MongoDB) | MULTIPLE | High | FG_R00215 |
| VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 27018 (MongoDB) | MULTIPLE | High | FG_R00216 |
| VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 27019 (MongoDB) | MULTIPLE | High | FG_R00217 |
| IAM policies should not allow broad list actions on S3 buckets | MULTIPLE | Medium | FG_R00218 |
| IAM role trust policies should not allow all principals to assume the role | MULTIPLE | Medium | FG_R00219 |
| IAM roles attached to instance profiles should not allow broad list actions on S3 buckets | MULTIPLE | Medium | FG_R00220 |
| S3 buckets should have all block public access options enabled | AWS::S3::Bucket | High | FG_R00229 |
| S3 buckets should have all block public access options enabled | MULTIPLE | High | FG_R00229 |
| VPC security groups attached to EC2 instances should not permit ingress from '0.0.0.0/0' to TCP/UDP port 389 (LDAP) | MULTIPLE | High | FG_R00234 |
| CloudTrail trails should be configured to log management events | aws_cloudtrail | Medium | FG_R00237 |
| CloudWatch alarms should have at least one alarm action, one INSUFFICIENT_DATA action, or one OK action enabled | aws_cloudwatch_metric_alarm | Medium | FG_R00240 |
| VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 11214 (Memcached SSL) | aws_security_group | High | FG_R00242 |
| VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 11215 (Memcached SSL) | aws_security_group | High | FG_R00243 |
| VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 135 (MSSQL Debugger) | aws_security_group | High | FG_R00244 |
| VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 137 (NetBIOS Name Service) | aws_security_group | High | FG_R00245 |
| VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 138 (NetBIOS Datagram Service) | aws_security_group | High | FG_R00246 |
| VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 139 (NetBIOS Session Service) | aws_security_group | High | FG_R00247 |
| VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 1433 (MSSQL Server) | aws_security_group | High | FG_R00248 |
| VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 1434 (MSSQL Admin) | aws_security_group | High | FG_R00249 |
| Require Multi Availability Zones turned on for RDS Instances | MULTIPLE | Medium | FG_R00251 |
| KMS master keys should not be publicly accessible | aws_kms_key | Critical | FG_R00252 |
| EC2 instances should use IAM roles and instance profiles instead of IAM access keys to perform requests | aws_instance | High | FG_R00253 |
| IAM roles used for trust relationships should have MFA or external IDs | aws_iam_role | High | FG_R00255 |
| VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 2382 (SQL Server Analysis Services browser) | aws_security_group | High | FG_R00256 |
| VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 2383 (SQL Server Analysis Services) | aws_security_group | High | FG_R00257 |
| VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 2484 (Oracle DB SSL) | aws_security_group | High | FG_R00258 |
| VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 3000 (Ruby on Rails web server) | aws_security_group | High | FG_R00259 |
| VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 3020 (CIFS / SMB) | aws_security_group | High | FG_R00260 |
| VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 3306 (MySQL) | aws_security_group | High | FG_R00261 |
| VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 4505 (SaltStack Master) | aws_security_group | High | FG_R00262 |
| VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 4506 (SaltStack Master) | aws_security_group | High | FG_R00263 |
| VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 5432 (PostgreSQL) | aws_security_group | High | FG_R00264 |
| VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP port 61621 (Cassandra OpsCenter Agent) | aws_security_group | High | FG_R00265 |
| VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP port 636 (LDAP SSL) | aws_security_group | High | FG_R00266 |
| VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP port 7001 (Cassandra) | aws_security_group | High | FG_R00267 |
| VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 8000 (HTTP Alternate) | aws_security_group | High | FG_R00268 |
| Redshift cluster 'Publicly Accessible' should not be enabled | aws_redshift_cluster | Critical | FG_R00270 |
| EC2 instances should not have a public IP association (IPv4) | aws_instance | Medium | FG_R00271 |
| IAM users should be members of at least one group | MULTIPLE | Low | FG_R00272 |
| S3 bucket access logging should be enabled | aws_s3_bucket | Medium | FG_R00274 |
| S3 bucket replication (cross-region or same-region) should be enabled | aws_s3_bucket | Medium | FG_R00275 |
| Lambda function policies should not allow global access | MULTIPLE | High | FG_R00276 |
| S3 buckets should not be publicly readable | MULTIPLE | Critical | FG_R00277 |
| RDS instance 'Publicly Accessible' should not be enabled | aws_db_instance | High | FG_R00278 |
| S3 bucket policies and ACLs should not be configured for public read access | MULTIPLE | High | FG_R00279 |
| RDS instance 'Deletion Protection' should be enabled | aws_db_instance | Medium | FG_R00280 |
| VPC security group inbound rules should not permit ingress from any address to all ports and protocols | aws_security_group | Medium | FG_R00350 |
| S3 bucket object-level logging for write events should be enabled | MULTIPLE | Low | FG_R00354 |
| S3 bucket object-level logging for read events should be enabled | MULTIPLE | Low | FG_R00355 |
| VPC network ACLs should not allow ingress from 0.0.0.0/0 to port 22 | MULTIPLE | High | FG_R00357 |
| VPC network ACLs should not allow ingress from 0.0.0.0/0 to port 3389 | MULTIPLE | High | FG_R00359 |
| API Gateway classic custom domains should use secure TLS protocol versions (1.2 and above) | MULTIPLE | Medium | FG_R00375 |
| API Gateway v2 custom domains should use secure TLS protocol versions (1.2 and above) | MULTIPLE | Medium | FG_R00376 |
| VPC security group rules should not permit ingress from '0.0.0.0/0' except to ports 80 and 443 | aws_security_group | | FG_R00377 |

Azure

| Summary | Resource Types | Severity | Rule ID |
| --- | --- | --- | --- |
| Storage Accounts 'Secure transfer required' should be enabled | azurerm_storage_account | Medium | FG_R00152 |
| Storage accounts should deny access from all networks by default | azurerm_storage_account | High | FG_R00154 |
| Network security group rules should not permit ingress from '0.0.0.0/0' to port 3389 (Remote Desktop Protocol) | MULTIPLE | High | FG_R00190 |
| Network security group rules should not permit ingress from '0.0.0.0/0' to port 22 (SSH) | MULTIPLE | High | FG_R00191 |
| SQL Server firewall rules should not permit ingress from 0.0.0.0/0 to all ports and protocols | azurerm_sql_firewall_rule | High | FG_R00192 |
| Virtual Machines data disks (non-boot volumes) should be encrypted | MULTIPLE | High | FG_R00196 |
| Virtual Machines unattached disks should be encrypted | MULTIPLE | High | FG_R00197 |
| Blob Storage containers should have public access disabled | azurerm_storage_container | Critical | FG_R00207 |
| Storage accounts 'Trusted Microsoft Services' access should be enabled | azurerm_storage_account | Medium | FG_R00208 |
| SQL Server firewall rules should not permit start and end IP addresses to be 0.0.0.0 | MULTIPLE | High | FG_R00221 |
| MySQL Database server firewall rules should not permit start and end IP addresses to be 0.0.0.0 | MULTIPLE | High | FG_R00222 |
| PostgreSQL Database server firewall rules should not permit start and end IP addresses to be 0.0.0.0 | MULTIPLE | High | FG_R00223 |
| Ensure Azure Application Gateway Web application firewall (WAF) is enabled | MULTIPLE | Medium | FG_R00224 |
| MySQL Database server 'enforce SSL connection' should be enabled | azurerm_mysql_server | Medium | FG_R00225 |
| PostgreSQL Database server 'enforce SSL connection' should be enabled | azurerm_postgresql_server | Medium | FG_R00226 |
| Key Vault 'Enable Soft Delete' and 'Enable Purge Protection' should be enabled | azurerm_key_vault | Medium | FG_R00227 |
| SQL Server auditing should be enabled | MULTIPLE | Medium | FG_R00282 |
| SQL Server auditing retention should be greater than 90 days | MULTIPLE | Medium | FG_R00283 |
| Virtual Network security group flow log retention period should be set to 90 days or greater | MULTIPLE | Medium | FG_R00286 |
| Active Directory custom subscription owner roles should not be created | azurerm_role_definition | Medium | FG_R00288 |
| PostgreSQL Database configuration 'log_checkpoints' should be on | MULTIPLE | Medium | FG_R00317 |
| PostgreSQL Database configuration 'log_connections' should be on | MULTIPLE | Medium | FG_R00318 |
| Azure Kubernetes Service instances should have RBAC enabled | azurerm_kubernetes_cluster | Medium | FG_R00329 |
| PostgreSQL Database configuration 'log_disconnections' should be on | MULTIPLE | Medium | FG_R00331 |
| PostgreSQL Database configuration 'log_duration' should be on | MULTIPLE | Medium | FG_R00333 |
| PostgreSQL Database configuration 'connection_throttling' should be on | MULTIPLE | Medium | FG_R00335 |
| PostgreSQL Database configuration 'log_retention days' should be greater than 3 | MULTIPLE | Medium | FG_R00337 |
| Monitor 'Activity Log Retention' should be 365 days or greater | azurerm_monitor_log_profile | Medium | FG_R00340 |
| Monitor audit profile should log all activities | azurerm_monitor_log_profile | Medium | FG_R00341 |
| Monitor log profile should have activity logs for global services and all regions | MULTIPLE | Medium | FG_R00342 |
| Key Vault logging should be enabled | MULTIPLE | Medium | FG_R00344 |
| App Service web app authentication should be enabled | MULTIPLE | Medium | FG_R00345 |
| App Service web apps should have 'HTTPS only' enabled | azurerm_app_service | High | FG_R00346 |
| App Service web apps should have 'Minimum TLS Version' set to '1.2' | azurerm_app_service | Medium | FG_R00347 |
| App Service web apps should have 'Incoming client certificates' enabled | azurerm_app_service | Medium | FG_R00348 |

Google

| Summary | Resource Types | Severity | Rule ID |
| --- | --- | --- | --- |
| KMS keys should be rotated every 90 days or less | google_kms_crypto_key | Medium | FG_R00378 |
| Service accounts should only have Google-managed service account keys | MULTIPLE | Medium | FG_R00383 |
| User-managed service accounts should not have admin privileges | MULTIPLE | High | FG_R00384 |
| IAM users should not have project-level 'Service Account User' or 'Service Account Token Creator' roles | MULTIPLE | High | FG_R00385 |
| KMS keys should not be anonymously or publicly accessible | MULTIPLE | Critical | FG_R00386 |
| IAM users should not have both KMS admin and any of the KMS encrypter/decrypter roles | MULTIPLE | Medium | FG_R00388 |
| IAM default audit log config should include 'DATA_READ' and 'DATA_WRITE' log types | MULTIPLE | Medium | FG_R00389 |
| IAM default audit log config should not exempt any users | MULTIPLE | Medium | FG_R00391 |
| Logging storage bucket retention policies and Bucket Lock should be configured | MULTIPLE | Medium | FG_R00393 |
| DNS managed zone DNSSEC should be enabled | google_dns_managed_zone | Medium | FG_R00404 |
| DNS managed zone DNSSEC key-signing keys should not use RSASHA1 | google_dns_managed_zone | High | FG_R00405 |
| DNS managed zone DNSSEC zone-signing keys should not use RSASHA1 | google_dns_managed_zone | High | FG_R00406 |
| Network firewall rules should not permit ingress from 0.0.0.0/0 to port 22 (SSH) | google_compute_firewall | High | FG_R00407 |
| Network firewall rules should not permit ingress from 0.0.0.0/0 to port 3389 (RDP) | google_compute_firewall | High | FG_R00408 |
| Network subnet flow logs should be enabled | google_compute_subnetwork | Medium | FG_R00409 |
| Load balancer HTTPS or SSL proxy SSL policies should not have weak cipher suites | MULTIPLE | Medium | FG_R00410 |
| Compute instances should not use the default service account | google_compute_instance | Medium | FG_R00411 |
| Compute instances should not use the default service account with full access to all Cloud APIs | google_compute_instance | High | FG_R00412 |
| Compute instance 'block-project-ssh-keys' should be enabled | MULTIPLE | Medium | FG_R00413 |
| Compute instances 'Enable connecting to serial ports' should not be enabled | MULTIPLE | High | FG_R00415 |
| Compute instances 'IP forwarding' should not be enabled | google_compute_instance | Low | FG_R00416 |
| Compute instance disks should be encrypted with customer-supplied encryption keys (CSEKs) | MULTIPLE | Medium | FG_R00417 |
| Compute instance Shielded VM should be enabled | google_compute_instance | Medium | FG_R00418 |
| Compute instances should not have public IP addresses | google_compute_instance | Medium | FG_R00419 |
| Storage buckets should not be anonymously or publicly accessible | MULTIPLE | Critical | FG_R00420 |
| Storage bucket uniform access control should be enabled | google_storage_bucket | Medium | FG_R00421 |
| MySQL database instance 'local_infile' database flag should be set to 'off' | MULTIPLE | Medium | FG_R00423 |
| PostgreSQL database instance 'log_checkpoints' database flag should be set to 'on' | MULTIPLE | Medium | FG_R00424 |
| PostgreSQL database instance 'log_connections' database flag should be set to 'on' | MULTIPLE | Medium | FG_R00425 |
| PostgreSQL database instance 'log_disconnections' database flag should be set to 'on' | MULTIPLE | Medium | FG_R00426 |
| PostgreSQL database instance 'log_lock_waits' database flag should be set to 'on' | MULTIPLE | Medium | FG_R00427 |
| PostgreSQL database instance 'log_min_error_statement' database flag should be set appropriately | MULTIPLE | Medium | FG_R00428 |
| PostgreSQL database instance 'log_temp_files' database flag should be set to '0' (on) | MULTIPLE | Medium | FG_R00429 |
| PostgreSQL database instance 'log_min_duration_statement' database flag should be set to '-1' (disabled) | MULTIPLE | Medium | FG_R00430 |
| SQL Server database instance 'cross db ownership chaining' database flag should be set to 'off' | MULTIPLE | Medium | FG_R00431 |
| SQL Server database instance 'contained database authentication' database flag should be set to 'off' | MULTIPLE | Medium | FG_R00432 |
| SQL database instances should require incoming connections to use SSL | google_sql_database_instance | Medium | FG_R00433 |
| SQL database instances should not permit access from 0.0.0.0/0 | google_sql_database_instance | High | FG_R00434 |
| SQL database instances should not have public IPs | google_sql_database_instance | Medium | FG_R00435 |
| SQL database instance automated backups should be enabled | google_sql_database_instance | Medium | FG_R00436 |
| BigQuery datasets should not be anonymously or publicly accessible | google_bigquery_dataset | Critical | FG_R00437 |
| VPC subnet 'Private Google Access' should be enabled | google_compute_subnetwork | Low | FG_R00438 |