Cfngoat is one of Bridgecrew's "Vulnerable by Design" Infrastructure as Code repositories, a learning and training project that demonstrates how common configuration errors can find their way into production cloud environments.
It's an ideal companion for testing build-time Infrastructure as Code scanning tools such as Bridgecrew and Checkov.
Cfngoat was built to enable DevSecOps teams to design and implement a sustainable misconfiguration prevention strategy. It can be used to test a policy-as-code framework like Bridgecrew or Checkov, inline linters, pre-commit hooks or other code scanning methods.
Cfngoat follows the tradition of existing *Goat projects that provide a baseline training ground to practice implementing secure development best practices for cloud infrastructure.
```shell
aws cloudformation create-stack --stack-name cfngoat --template-body file://cfngoat.yaml --region us-east-1 --parameters ParameterKey=Password,ParameterValue=MyPassword10 --capabilities CAPABILITY_NAMED_IAM
```
Expect provisioning to take at least 5 minutes.
Multiple stacks can be deployed simultaneously by changing the `--stack-name` and adding an `Environment` parameter:

```shell
aws cloudformation create-stack --stack-name cfngoat2 --template-body file://cfngoat.yaml --region us-east-1 --parameters ParameterKey=Password,ParameterValue=MyPassword10 ParameterKey=Environment,ParameterValue=dev2 --capabilities CAPABILITY_NAMED_IAM
```
- Where to get help: the Bridgecrew Community Slack
Before you proceed, please take note of this warning:
⚠️ Cfngoat creates intentionally vulnerable AWS resources in your account. DO NOT deploy Cfngoat in a production environment or alongside any sensitive AWS resources.
- AWS CLI
- CfnGoat - Vulnerable by design CloudFormation template
- TerraGoat - Vulnerable by design Terraform stack
- CDKGoat - Vulnerable by design CDK application
Contributions are welcome!
We would love to hear about more ideas on how to find vulnerable infrastructure-as-code design patterns.
Bridgecrew builds and maintains Cfngoat to encourage the adoption of policy-as-code.
If you need direct support you can contact us at [email protected].
| | check_id | file | resource | check_name | guideline |
|---|---|---|---|---|---|
0 | CKV_AZURE_141 | /aks.tf | azurerm_kubernetes_cluster.k8s_cluster | Ensure AKS local admin account is disabled | |
1 | CKV_AZURE_116 | /aks.tf | azurerm_kubernetes_cluster.k8s_cluster | Ensure that AKS uses Azure Policies Add-on | https://docs.bridgecrew.io/docs/ensure-that-aks-uses-azure-policies-add-on |
2 | CKV_AZURE_6 | /aks.tf | azurerm_kubernetes_cluster.k8s_cluster | Ensure AKS has an API Server Authorized IP Ranges enabled | https://docs.bridgecrew.io/docs/bc_azr_kubernetes_3 |
3 | CKV_AZURE_8 | /aks.tf | azurerm_kubernetes_cluster.k8s_cluster | Ensure Kubernetes Dashboard is disabled | https://docs.bridgecrew.io/docs/bc_azr_kubernetes_5 |
4 | CKV_AZURE_4 | /aks.tf | azurerm_kubernetes_cluster.k8s_cluster | Ensure AKS logging to Azure Monitoring is Configured | https://docs.bridgecrew.io/docs/bc_azr_kubernetes_1 |
5 | CKV_AZURE_115 | /aks.tf | azurerm_kubernetes_cluster.k8s_cluster | Ensure that AKS enables private clusters | https://docs.bridgecrew.io/docs/ensure-that-aks-enables-private-clusters |
6 | CKV_AZURE_7 | /aks.tf | azurerm_kubernetes_cluster.k8s_cluster | Ensure AKS cluster has Network Policy configured | https://docs.bridgecrew.io/docs/bc_azr_kubernetes_4 |
7 | CKV_AZURE_117 | /aks.tf | azurerm_kubernetes_cluster.k8s_cluster | Ensure that AKS uses disk encryption set | https://docs.bridgecrew.io/docs/ensure-that-aks-uses-disk-encryption-set |
8 | CKV_AZURE_5 | /aks.tf | azurerm_kubernetes_cluster.k8s_cluster | Ensure RBAC is enabled on AKS clusters | https://docs.bridgecrew.io/docs/bc_azr_kubernetes_2 |
9 | CKV_AWS_118 | /custom.tf | aws_db_instance.test_rds_instance | Ensure that enhanced monitoring is enabled for Amazon RDS instances | https://docs.bridgecrew.io/docs/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances |
10 | CKV_AWS_226 | /custom.tf | aws_db_instance.test_rds_instance | Ensure DB instance gets all minor upgrades automatically | |
11 | CKV_AWS_161 | /custom.tf | aws_db_instance.test_rds_instance | Ensure RDS database has IAM authentication enabled | https://docs.bridgecrew.io/docs/ensure-rds-database-has-iam-authentication-enabled |
12 | CKV_AWS_157 | /custom.tf | aws_db_instance.test_rds_instance | Ensure that RDS instances have Multi-AZ enabled | https://docs.bridgecrew.io/docs/general_73 |
13 | CKV_AWS_126 | /ec2.tf | aws_instance.web_host | Ensure that detailed monitoring is enabled for EC2 instances | https://docs.bridgecrew.io/docs/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances |
14 | CKV_AWS_8 | /ec2.tf | aws_instance.web_host | Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted | https://docs.bridgecrew.io/docs/general_13 |
15 | CKV_AWS_79 | /ec2.tf | aws_instance.web_host | Ensure Instance Metadata Service Version 1 is not enabled | https://docs.bridgecrew.io/docs/bc_aws_general_31 |
16 | CKV_AWS_46 | /ec2.tf | aws_instance.web_host | Ensure no hard-coded secrets exist in EC2 user data | https://docs.bridgecrew.io/docs/bc_aws_secrets_1 |
17 | CKV_AWS_135 | /ec2.tf | aws_instance.web_host | Ensure that EC2 is EBS optimized | https://docs.bridgecrew.io/docs/ensure-that-ec2-is-ebs-optimized |
18 | CKV_AWS_189 | /ec2.tf | aws_ebs_volume.web_host_storage | Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK) | https://docs.bridgecrew.io/docs/bc_aws_general_109 |
19 | CKV_AWS_3 | /ec2.tf | aws_ebs_volume.web_host_storage | Ensure all data stored in the EBS is securely encrypted | https://docs.bridgecrew.io/docs/general_3-encrypt-eps-volume |
20 | CKV_AWS_24 | /ec2.tf | aws_security_group.web-node | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | https://docs.bridgecrew.io/docs/networking_1-port-security |
21 | CKV_AWS_260 | /ec2.tf | aws_security_group.web-node | Ensure no security groups allow ingress from 0.0.0.0:0 to port 80 | |
22 | CKV_AWS_23 | /ec2.tf | aws_security_group.web-node | Ensure every security groups rule has a description | https://docs.bridgecrew.io/docs/networking_31 |
23 | CKV_AWS_130 | /ec2.tf | aws_subnet.web_subnet | Ensure VPC subnets do not assign public IP by default | https://docs.bridgecrew.io/docs/ensure-vpc-subnets-do-not-assign-public-ip-by-default |
24 | CKV_AWS_130 | /ec2.tf | aws_subnet.web_subnet2 | Ensure VPC subnets do not assign public IP by default | https://docs.bridgecrew.io/docs/ensure-vpc-subnets-do-not-assign-public-ip-by-default |
25 | CKV_AWS_130 | /eks.tf | aws_subnet.eks_subnet1 | Ensure VPC subnets do not assign public IP by default | https://docs.bridgecrew.io/docs/ensure-vpc-subnets-do-not-assign-public-ip-by-default |
26 | CKV_AWS_130 | /eks.tf | aws_subnet.eks_subnet2 | Ensure VPC subnets do not assign public IP by default | https://docs.bridgecrew.io/docs/ensure-vpc-subnets-do-not-assign-public-ip-by-default |
27 | CKV_AWS_37 | /eks.tf | aws_eks_cluster.eks_cluster | Ensure Amazon EKS control plane logging enabled for all log types | https://docs.bridgecrew.io/docs/bc_aws_kubernetes_4 |
28 | CKV_AWS_58 | /eks.tf | aws_eks_cluster.eks_cluster | Ensure EKS Cluster has Secrets Encryption Enabled | https://docs.bridgecrew.io/docs/bc_aws_kubernetes_3 |
29 | CKV_AWS_39 | /eks.tf | aws_eks_cluster.eks_cluster | Ensure Amazon EKS public endpoint disabled | https://docs.bridgecrew.io/docs/bc_aws_kubernetes_2 |
30 | CKV_AWS_38 | /eks.tf | aws_eks_cluster.eks_cluster | Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0 | https://docs.bridgecrew.io/docs/bc_aws_kubernetes_1 |
31 | CKV_AWS_186 | /s3.tf | aws_s3_bucket_object.data_object | Ensure S3 bucket Object is encrypted by KMS using a customer managed Key (CMK) | https://docs.bridgecrew.io/docs/bc_aws_general_106 |
32 | CKV_AWS_144 | /s3.tf | aws_s3_bucket.financials | Ensure that S3 bucket has cross-region replication enabled | https://docs.bridgecrew.io/docs/ensure-that-s3-bucket-has-cross-region-replication-enabled |
33 | CKV_AWS_144 | /s3.tf | aws_s3_bucket.data_science | Ensure that S3 bucket has cross-region replication enabled | https://docs.bridgecrew.io/docs/ensure-that-s3-bucket-has-cross-region-replication-enabled |
34 | CKV_AWS_144 | /s3.tf | aws_s3_bucket.operations | Ensure that S3 bucket has cross-region replication enabled | https://docs.bridgecrew.io/docs/ensure-that-s3-bucket-has-cross-region-replication-enabled |
35 | CKV_AWS_144 | /s3.tf | aws_s3_bucket.data | Ensure that S3 bucket has cross-region replication enabled | https://docs.bridgecrew.io/docs/ensure-that-s3-bucket-has-cross-region-replication-enabled |
36 | CKV_AWS_144 | /custom.tf | aws_s3_bucket.cloud-compliance-bucket | Ensure that S3 bucket has cross-region replication enabled | https://docs.bridgecrew.io/docs/ensure-that-s3-bucket-has-cross-region-replication-enabled |
37 | CKV_AWS_144 | /s3.tf | aws_s3_bucket.logs | Ensure that S3 bucket has cross-region replication enabled | https://docs.bridgecrew.io/docs/ensure-that-s3-bucket-has-cross-region-replication-enabled |
38 | CKV_AWS_144 | /ec2.tf | aws_s3_bucket.flowbucket | Ensure that S3 bucket has cross-region replication enabled | https://docs.bridgecrew.io/docs/ensure-that-s3-bucket-has-cross-region-replication-enabled |
39 | CKV2_AWS_6 | /s3.tf | aws_s3_bucket.financials | Ensure that S3 bucket has a Public Access block | https://docs.bridgecrew.io/docs/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached |
40 | CKV2_AWS_6 | /s3.tf | aws_s3_bucket.data_science | Ensure that S3 bucket has a Public Access block | https://docs.bridgecrew.io/docs/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached |
41 | CKV2_AWS_6 | /s3.tf | aws_s3_bucket.operations | Ensure that S3 bucket has a Public Access block | https://docs.bridgecrew.io/docs/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached |
42 | CKV2_AWS_6 | /s3.tf | aws_s3_bucket.data | Ensure that S3 bucket has a Public Access block | https://docs.bridgecrew.io/docs/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached |
43 | CKV2_AWS_6 | /s3.tf | aws_s3_bucket.logs | Ensure that S3 bucket has a Public Access block | https://docs.bridgecrew.io/docs/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached |
44 | CKV2_AWS_6 | /custom.tf | aws_s3_bucket.cloud-compliance-bucket | Ensure that S3 bucket has a Public Access block | https://docs.bridgecrew.io/docs/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached |
45 | CKV2_AWS_6 | /ec2.tf | aws_s3_bucket.flowbucket | Ensure that S3 bucket has a Public Access block | https://docs.bridgecrew.io/docs/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached |
46 | CKV2_AWS_11 | /eks.tf | aws_vpc.eks_vpc | Ensure VPC flow logging is enabled in all VPCs | https://docs.bridgecrew.io/docs/logging_9-enable-vpc-flow-logging |
47 | CKV2_AWS_12 | /eks.tf | aws_vpc.eks_vpc | Ensure the default security group of every VPC restricts all traffic | https://docs.bridgecrew.io/docs/networking_4 |
48 | CKV2_AWS_12 | /ec2.tf | aws_vpc.web_vpc | Ensure the default security group of every VPC restricts all traffic | https://docs.bridgecrew.io/docs/networking_4 |
49 | CKV_AWS_21 | /s3.tf | aws_s3_bucket.financials | Ensure all data stored in the S3 bucket have versioning enabled | https://docs.bridgecrew.io/docs/s3_16-enable-versioning |
50 | CKV_AWS_21 | /s3.tf | aws_s3_bucket.data | Ensure all data stored in the S3 bucket have versioning enabled | https://docs.bridgecrew.io/docs/s3_16-enable-versioning |
51 | CKV_AWS_21 | /ec2.tf | aws_s3_bucket.flowbucket | Ensure all data stored in the S3 bucket have versioning enabled | https://docs.bridgecrew.io/docs/s3_16-enable-versioning |
52 | CKV2_AWS_2 | /ec2.tf | aws_ebs_volume.web_host_storage | Ensure that only encrypted EBS volumes are attached to EC2 instances | https://docs.bridgecrew.io/docs/ensure-that-only-encrypted-ebs-volumes-are-attached-to-ec2-instances |
53 | CKV_AWS_18 | /s3.tf | aws_s3_bucket.financials | Ensure the S3 bucket has access logging enabled | https://docs.bridgecrew.io/docs/s3_13-enable-logging |
54 | CKV_AWS_18 | /s3.tf | aws_s3_bucket.operations | Ensure the S3 bucket has access logging enabled | https://docs.bridgecrew.io/docs/s3_13-enable-logging |
55 | CKV_AWS_18 | /s3.tf | aws_s3_bucket.data | Ensure the S3 bucket has access logging enabled | https://docs.bridgecrew.io/docs/s3_13-enable-logging |
56 | CKV_AWS_18 | /custom.tf | aws_s3_bucket.cloud-compliance-bucket | Ensure the S3 bucket has access logging enabled | https://docs.bridgecrew.io/docs/s3_13-enable-logging |
57 | CKV_AWS_18 | /s3.tf | aws_s3_bucket.logs | Ensure the S3 bucket has access logging enabled | https://docs.bridgecrew.io/docs/s3_13-enable-logging |
58 | CKV_AWS_18 | /ec2.tf | aws_s3_bucket.flowbucket | Ensure the S3 bucket has access logging enabled | https://docs.bridgecrew.io/docs/s3_13-enable-logging |
59 | CKV_AWS_19 | /s3.tf | aws_s3_bucket.financials | Ensure all data stored in the S3 bucket is securely encrypted at rest | https://docs.bridgecrew.io/docs/s3_14-data-encrypted-at-rest |
60 | CKV_AWS_19 | /s3.tf | aws_s3_bucket.data_science | Ensure all data stored in the S3 bucket is securely encrypted at rest | https://docs.bridgecrew.io/docs/s3_14-data-encrypted-at-rest |
61 | CKV_AWS_19 | /s3.tf | aws_s3_bucket.operations | Ensure all data stored in the S3 bucket is securely encrypted at rest | https://docs.bridgecrew.io/docs/s3_14-data-encrypted-at-rest |
62 | CKV_AWS_19 | /s3.tf | aws_s3_bucket.data | Ensure all data stored in the S3 bucket is securely encrypted at rest | https://docs.bridgecrew.io/docs/s3_14-data-encrypted-at-rest |
63 | CKV_AWS_19 | /custom.tf | aws_s3_bucket.cloud-compliance-bucket | Ensure all data stored in the S3 bucket is securely encrypted at rest | https://docs.bridgecrew.io/docs/s3_14-data-encrypted-at-rest |
64 | CKV_AWS_19 | /ec2.tf | aws_s3_bucket.flowbucket | Ensure all data stored in the S3 bucket is securely encrypted at rest | https://docs.bridgecrew.io/docs/s3_14-data-encrypted-at-rest |
65 | CKV_AWS_145 | /s3.tf | aws_s3_bucket.financials | Ensure that S3 buckets are encrypted with KMS by default | https://docs.bridgecrew.io/docs/ensure-that-s3-buckets-are-encrypted-with-kms-by-default |
66 | CKV_AWS_145 | /s3.tf | aws_s3_bucket.data_science | Ensure that S3 buckets are encrypted with KMS by default | https://docs.bridgecrew.io/docs/ensure-that-s3-buckets-are-encrypted-with-kms-by-default |
67 | CKV_AWS_145 | /s3.tf | aws_s3_bucket.operations | Ensure that S3 buckets are encrypted with KMS by default | https://docs.bridgecrew.io/docs/ensure-that-s3-buckets-are-encrypted-with-kms-by-default |
68 | CKV_AWS_145 | /s3.tf | aws_s3_bucket.data | Ensure that S3 buckets are encrypted with KMS by default | https://docs.bridgecrew.io/docs/ensure-that-s3-buckets-are-encrypted-with-kms-by-default |
69 | CKV_AWS_145 | /custom.tf | aws_s3_bucket.cloud-compliance-bucket | Ensure that S3 buckets are encrypted with KMS by default | https://docs.bridgecrew.io/docs/ensure-that-s3-buckets-are-encrypted-with-kms-by-default |
70 | CKV_AWS_145 | /ec2.tf | aws_s3_bucket.flowbucket | Ensure that S3 buckets are encrypted with KMS by default | https://docs.bridgecrew.io/docs/ensure-that-s3-buckets-are-encrypted-with-kms-by-default |
71 | CKV_AWS_20 | /s3.tf | aws_s3_bucket.data | S3 Bucket has an ACL defined which allows public READ access. | https://docs.bridgecrew.io/docs/s3_1-acl-read-permissions-everyone |
| | check_id | file | resource | check_name | guideline |
|---|---|---|---|---|---|
0 | CKV_AWS_58 | /eks.yaml | AWS::EKS::Cluster.EKSCluster | Ensure EKS Cluster has Secrets Encryption Enabled | https://docs.bridgecrew.io/docs/bc_aws_kubernetes_3 |
1 | CKV_AWS_46 | /cfngoat.yaml | AWS::EC2::Instance.EC2Instance | Ensure no hard-coded secrets exist in EC2 user data | https://docs.bridgecrew.io/docs/bc_aws_secrets_1 |
2 | CKV_AWS_3 | /cfngoat.yaml | AWS::EC2::Volume.WebHostStorage | Ensure all data stored in the EBS is securely encrypted | https://docs.bridgecrew.io/docs/general_3-encrypt-eps-volume |
3 | CKV_AWS_24 | /cfngoat.yaml | AWS::EC2::SecurityGroup.WebNodeSG | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | https://docs.bridgecrew.io/docs/networking_1-port-security |
4 | CKV_AWS_260 | /cfngoat.yaml | AWS::EC2::SecurityGroup.WebNodeSG | Ensure no security groups allow ingress from 0.0.0.0:0 to port 80 | |
5 | CKV_AWS_23 | /cfngoat.yaml | AWS::EC2::SecurityGroup.WebNodeSG | Ensure every security groups rule has a description | https://docs.bridgecrew.io/docs/networking_31 |
6 | CKV_AWS_56 | /cfngoat.yaml | AWS::S3::Bucket.FlowBucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_22 |
7 | CKV_AWS_54 | /cfngoat.yaml | AWS::S3::Bucket.FlowBucket | Ensure S3 bucket has block public policy enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_20 |
8 | CKV_AWS_55 | /cfngoat.yaml | AWS::S3::Bucket.FlowBucket | Ensure S3 bucket has ignore public ACLs enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_21 |
9 | CKV_AWS_18 | /cfngoat.yaml | AWS::S3::Bucket.FlowBucket | Ensure the S3 bucket has access logging enabled | https://docs.bridgecrew.io/docs/s3_13-enable-logging |
10 | CKV_AWS_21 | /cfngoat.yaml | AWS::S3::Bucket.FlowBucket | Ensure the S3 bucket has versioning enabled | https://docs.bridgecrew.io/docs/s3_16-enable-versioning |
11 | CKV_AWS_53 | /cfngoat.yaml | AWS::S3::Bucket.FlowBucket | Ensure S3 bucket has block public ACLS enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_19 |
12 | CKV_AWS_19 | /cfngoat.yaml | AWS::S3::Bucket.FlowBucket | Ensure the S3 bucket has server-side-encryption enabled | https://docs.bridgecrew.io/docs/s3_14-data-encrypted-at-rest |
13 | CKV_AWS_108 | /cfngoat.yaml | AWS::IAM::Policy.UserPolicy | Ensure IAM policies does not allow data exfiltration | https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-data-exfiltration |
14 | CKV_AWS_110 | /cfngoat.yaml | AWS::IAM::Policy.UserPolicy | Ensure IAM policies does not allow privilege escalation | https://docs.bridgecrew.io/docs/ensure-iam-policies-does-not-allow-privilege-escalation |
15 | CKV_AWS_40 | /cfngoat.yaml | AWS::IAM::Policy.UserPolicy | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | https://docs.bridgecrew.io/docs/iam_16-iam-policy-privileges-1 |
16 | CKV_AWS_111 | /cfngoat.yaml | AWS::IAM::Policy.UserPolicy | Ensure IAM policies does not allow write access without constraints | https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-write-access-without-constraint |
17 | CKV_AWS_109 | /cfngoat.yaml | AWS::IAM::Policy.UserPolicy | Ensure IAM policies does not allow permissions management without constraints | https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint |
18 | CKV_AWS_107 | /cfngoat.yaml | AWS::IAM::Policy.UserPolicy | Ensure IAM policies does not allow credentials exposure | https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-credentials-exposure |
19 | CKV_AWS_7 | /cfngoat.yaml | AWS::KMS::Key.LogsKey | Ensure rotation for customer created CMKs is enabled | https://docs.bridgecrew.io/docs/logging_8 |
20 | CKV_AWS_118 | /cfngoat.yaml | AWS::RDS::DBInstance.DefaultDB | Ensure that enhanced monitoring is enabled for Amazon RDS instances | https://docs.bridgecrew.io/docs/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances |
21 | CKV_AWS_16 | /cfngoat.yaml | AWS::RDS::DBInstance.DefaultDB | Ensure all data stored in the RDS is securely encrypted at rest | https://docs.bridgecrew.io/docs/general_4 |
22 | CKV_AWS_157 | /cfngoat.yaml | AWS::RDS::DBInstance.DefaultDB | Ensure that RDS instances have Multi-AZ enabled | https://docs.bridgecrew.io/docs/general_73 |
23 | CKV_AWS_17 | /cfngoat.yaml | AWS::RDS::DBInstance.DefaultDB | Ensure all data stored in RDS is not publicly accessible | https://docs.bridgecrew.io/docs/public_2 |
24 | CKV_AWS_23 | /cfngoat.yaml | AWS::EC2::SecurityGroup.DefaultSG | Ensure every security groups rule has a description | https://docs.bridgecrew.io/docs/networking_31 |
25 | CKV_AWS_115 | /cfngoat.yaml | AWS::Lambda::Function.AnalysisLambda | Ensure that AWS Lambda function is configured for function-level concurrent execution limit | https://docs.bridgecrew.io/docs/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit |
26 | CKV_AWS_117 | /cfngoat.yaml | AWS::Lambda::Function.AnalysisLambda | Ensure that AWS Lambda function is configured inside a VPC | https://docs.bridgecrew.io/docs/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1 |
27 | CKV_AWS_45 | /cfngoat.yaml | AWS::Lambda::Function.AnalysisLambda | Ensure no hard-coded secrets exist in lambda environment | https://docs.bridgecrew.io/docs/bc_aws_secrets_3 |
28 | CKV_AWS_116 | /cfngoat.yaml | AWS::Lambda::Function.AnalysisLambda | Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ) | https://docs.bridgecrew.io/docs/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq |
29 | CKV_AWS_173 | /cfngoat.yaml | AWS::Lambda::Function.AnalysisLambda | Check encryption settings for Lambda environmental variable | https://docs.bridgecrew.io/docs/bc_aws_serverless_5 |
30 | CKV_AWS_56 | /cfngoat.yaml | AWS::S3::Bucket.DataBucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_22 |
31 | CKV_AWS_54 | /cfngoat.yaml | AWS::S3::Bucket.DataBucket | Ensure S3 bucket has block public policy enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_20 |
32 | CKV_AWS_55 | /cfngoat.yaml | AWS::S3::Bucket.DataBucket | Ensure S3 bucket has ignore public ACLs enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_21 |
33 | CKV_AWS_18 | /cfngoat.yaml | AWS::S3::Bucket.DataBucket | Ensure the S3 bucket has access logging enabled | https://docs.bridgecrew.io/docs/s3_13-enable-logging |
34 | CKV_AWS_21 | /cfngoat.yaml | AWS::S3::Bucket.DataBucket | Ensure the S3 bucket has versioning enabled | https://docs.bridgecrew.io/docs/s3_16-enable-versioning |
35 | CKV_AWS_53 | /cfngoat.yaml | AWS::S3::Bucket.DataBucket | Ensure S3 bucket has block public ACLS enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_19 |
36 | CKV_AWS_20 | /cfngoat.yaml | AWS::S3::Bucket.DataBucket | Ensure the S3 bucket does not allow READ permissions to everyone | https://docs.bridgecrew.io/docs/s3_1-acl-read-permissions-everyone |
37 | CKV_AWS_19 | /cfngoat.yaml | AWS::S3::Bucket.DataBucket | Ensure the S3 bucket has server-side-encryption enabled | https://docs.bridgecrew.io/docs/s3_14-data-encrypted-at-rest |
38 | CKV_AWS_56 | /cfngoat.yaml | AWS::S3::Bucket.FinancialsBucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_22 |
39 | CKV_AWS_54 | /cfngoat.yaml | AWS::S3::Bucket.FinancialsBucket | Ensure S3 bucket has block public policy enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_20 |
40 | CKV_AWS_55 | /cfngoat.yaml | AWS::S3::Bucket.FinancialsBucket | Ensure S3 bucket has ignore public ACLs enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_21 |
41 | CKV_AWS_18 | /cfngoat.yaml | AWS::S3::Bucket.FinancialsBucket | Ensure the S3 bucket has access logging enabled | https://docs.bridgecrew.io/docs/s3_13-enable-logging |
42 | CKV_AWS_21 | /cfngoat.yaml | AWS::S3::Bucket.FinancialsBucket | Ensure the S3 bucket has versioning enabled | https://docs.bridgecrew.io/docs/s3_16-enable-versioning |
43 | CKV_AWS_53 | /cfngoat.yaml | AWS::S3::Bucket.FinancialsBucket | Ensure S3 bucket has block public ACLS enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_19 |
44 | CKV_AWS_19 | /cfngoat.yaml | AWS::S3::Bucket.FinancialsBucket | Ensure the S3 bucket has server-side-encryption enabled | https://docs.bridgecrew.io/docs/s3_14-data-encrypted-at-rest |
45 | CKV_AWS_56 | /cfngoat.yaml | AWS::S3::Bucket.OperationsBucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_22 |
46 | CKV_AWS_54 | /cfngoat.yaml | AWS::S3::Bucket.OperationsBucket | Ensure S3 bucket has block public policy enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_20 |
47 | CKV_AWS_55 | /cfngoat.yaml | AWS::S3::Bucket.OperationsBucket | Ensure S3 bucket has ignore public ACLs enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_21 |
48 | CKV_AWS_18 | /cfngoat.yaml | AWS::S3::Bucket.OperationsBucket | Ensure the S3 bucket has access logging enabled | https://docs.bridgecrew.io/docs/s3_13-enable-logging |
49 | CKV_AWS_53 | /cfngoat.yaml | AWS::S3::Bucket.OperationsBucket | Ensure S3 bucket has block public ACLS enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_19 |
50 | CKV_AWS_19 | /cfngoat.yaml | AWS::S3::Bucket.OperationsBucket | Ensure the S3 bucket has server-side-encryption enabled | https://docs.bridgecrew.io/docs/s3_14-data-encrypted-at-rest |
51 | CKV_AWS_56 | /cfngoat.yaml | AWS::S3::Bucket.DataScienceBucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_22 |
52 | CKV_AWS_54 | /cfngoat.yaml | AWS::S3::Bucket.DataScienceBucket | Ensure S3 bucket has block public policy enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_20 |
53 | CKV_AWS_55 | /cfngoat.yaml | AWS::S3::Bucket.DataScienceBucket | Ensure S3 bucket has ignore public ACLs enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_21 |
54 | CKV_AWS_53 | /cfngoat.yaml | AWS::S3::Bucket.DataScienceBucket | Ensure S3 bucket has block public ACLS enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_19 |
55 | CKV_AWS_19 | /cfngoat.yaml | AWS::S3::Bucket.DataScienceBucket | Ensure the S3 bucket has server-side-encryption enabled | https://docs.bridgecrew.io/docs/s3_14-data-encrypted-at-rest |
56 | CKV_AWS_56 | /cfngoat.yaml | AWS::S3::Bucket.LogsBucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_22 |
57 | CKV_AWS_54 | /cfngoat.yaml | AWS::S3::Bucket.LogsBucket | Ensure S3 bucket has block public policy enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_20 |
58 | CKV_AWS_55 | /cfngoat.yaml | AWS::S3::Bucket.LogsBucket | Ensure S3 bucket has ignore public ACLs enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_21 |
59 | CKV_AWS_18 | /cfngoat.yaml | AWS::S3::Bucket.LogsBucket | Ensure the S3 bucket has access logging enabled | https://docs.bridgecrew.io/docs/s3_13-enable-logging |
60 | CKV_AWS_53 | /cfngoat.yaml | AWS::S3::Bucket.LogsBucket | Ensure S3 bucket has block public ACLS enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_19 |
61 | CKV_AWS_108 | /cfngoat.yaml | AWS::IAM::Role.CleanupRole | Ensure IAM policies does not allow data exfiltration | https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-data-exfiltration |
62 | CKV_AWS_111 | /cfngoat.yaml | AWS::IAM::Role.CleanupRole | Ensure IAM policies does not allow write access without constraints | https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-write-access-without-constraint |
63 | CKV_AWS_115 | /cfngoat.yaml | AWS::Lambda::Function.CleanBucketFunction | Ensure that AWS Lambda function is configured for function-level concurrent execution limit | https://docs.bridgecrew.io/docs/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit |
64 | CKV_AWS_117 | /cfngoat.yaml | AWS::Lambda::Function.CleanBucketFunction | Ensure that AWS Lambda function is configured inside a VPC | https://docs.bridgecrew.io/docs/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1 |
65 | CKV_AWS_116 | /cfngoat.yaml | AWS::Lambda::Function.CleanBucketFunction | Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ) | https://docs.bridgecrew.io/docs/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq |
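The table above is the list of findings a scanner is expected to produce for the CloudFormation template, which makes it a natural regression baseline: if a policy, linter or hook stops flagging one of these, something broke. The Python script below is an added example and not part of the Cfngoat project. It reads the JSON that `checkov -o json` writes (one object per framework with `check_type`, `results` and `summary`; a single framework is emitted as a bare object, several as a list), groups failed checks by resource, and exits non-zero when an expected check ID is no longer flagged. The embedded report is constructed from rows of the table above; the passed check on `AWS::KMS::Key.ConstructedKey` is made up, and CKV_AWS_110 is deliberately left out of the constructed report so the gate has a regression to report. `EXPECTED_IDS` is an assumed baseline; in practice you would take it from a known-good scan of the template.

```python
"""Regression gate for a Checkov JSON report (added example, not Cfngoat's own code).

Confirms that the misconfigurations a Cfngoat template is known to contain are
still being detected by the scanner, so a silent loss of coverage fails the build.
"""
import json
import sys
from collections import defaultdict

# Constructed sample in the shape of `checkov -f cfngoat.yaml -o json`.
# Findings are taken from the Cfngoat results table; the passed KMS check uses
# a made-up resource name, and CKV_AWS_110 is intentionally absent.
SAMPLE_REPORT = json.dumps([
    {
        "check_type": "cloudformation",
        "results": {
            "passed_checks": [
                {"check_id": "CKV_AWS_7", "file_path": "/cfngoat.yaml",
                 "resource": "AWS::KMS::Key.ConstructedKey",
                 "check_name": "Ensure rotation for customer created CMKs is enabled"},
            ],
            "failed_checks": [
                {"check_id": "CKV_AWS_24", "file_path": "/cfngoat.yaml",
                 "resource": "AWS::EC2::SecurityGroup.WebNodeSG",
                 "check_name": "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"},
                {"check_id": "CKV_AWS_46", "file_path": "/cfngoat.yaml",
                 "resource": "AWS::EC2::Instance.EC2Instance",
                 "check_name": "Ensure no hard-coded secrets exist in EC2 user data"},
                {"check_id": "CKV_AWS_20", "file_path": "/cfngoat.yaml",
                 "resource": "AWS::S3::Bucket.DataBucket",
                 "check_name": "Ensure the S3 bucket does not allow READ permissions to everyone"},
                {"check_id": "CKV_AWS_17", "file_path": "/cfngoat.yaml",
                 "resource": "AWS::RDS::DBInstance.DefaultDB",
                 "check_name": "Ensure all data stored in RDS is not publicly accessible"},
            ],
            "skipped_checks": [],
            "parsing_errors": [],
        },
        "summary": {"passed": 1, "failed": 4, "skipped": 0, "parsing_errors": 0},
    },
    {
        "check_type": "secrets",
        "results": {
            "passed_checks": [],
            "failed_checks": [
                {"check_id": "CKV_SECRET_2", "file_path": "/cfngoat.yaml",
                 "resource": "25910f981e85ca04baf359199dd0bd4a3ae738b6",
                 "check_name": "AWS Access Key"},
            ],
            "skipped_checks": [],
            "parsing_errors": [],
        },
        "summary": {"passed": 0, "failed": 1, "skipped": 0, "parsing_errors": 0},
    },
])

# Assumed baseline of check IDs the template must keep triggering.
EXPECTED_IDS = {"CKV_AWS_24", "CKV_AWS_46", "CKV_AWS_20", "CKV_AWS_17",
                "CKV_AWS_110", "CKV_SECRET_2"}


def load_frameworks(raw):
    """Normalise Checkov's output: a bare object for one framework, a list for several."""
    data = json.loads(raw)
    return data if isinstance(data, list) else [data]


def failed_findings(raw):
    """Return (check_type, check_id, resource) for every failed check in the report."""
    found = []
    for fw in load_frameworks(raw):
        for check in fw.get("results", {}).get("failed_checks", []):
            found.append((fw.get("check_type", "unknown"), check["check_id"], check["resource"]))
    return found


def missing_expected(raw, expected_ids):
    """Expected check IDs that the report no longer flags on any resource."""
    seen = {check_id for _, check_id, _ in failed_findings(raw)}
    return sorted(set(expected_ids) - seen)


def findings_by_resource(raw):
    """Group failed check IDs by resource, sorted for stable output."""
    grouped = defaultdict(list)
    for _, check_id, resource in failed_findings(raw):
        grouped[resource].append(check_id)
    return {res: sorted(ids) for res, ids in grouped.items()}


def summary_consistent(raw):
    """Reject a truncated or hand-edited report: summary counts must match the lists."""
    for fw in load_frameworks(raw):
        results, summary = fw.get("results", {}), fw.get("summary", {})
        for key in ("passed", "failed", "skipped"):
            if summary.get(key) != len(results.get(f"{key}_checks", [])):
                return False
    return True


def main(raw=SAMPLE_REPORT, expected=EXPECTED_IDS):
    """Exit code: 0 all expected findings present, 1 coverage lost, 2 report malformed."""
    if not summary_consistent(raw):
        print("report summary does not match its check lists; refusing to gate")
        return 2
    for resource, ids in sorted(findings_by_resource(raw).items()):
        print(f"{resource}: {', '.join(ids)}")
    missing = missing_expected(raw, expected)
    if missing:
        print("scanner no longer flags:", ", ".join(missing))
        return 1
    print("all expected findings present")
    return 0


if __name__ == "__main__":
    # Pipe a real report in (`checkov -f cfngoat.yaml -o json | python gate.py`)
    # or run with no input to exercise the constructed sample.
    piped = "" if sys.stdin.isatty() else sys.stdin.read()
    sys.exit(main(piped or SAMPLE_REPORT))
```

Run against the constructed sample the gate exits 1 and names CKV_AWS_110 as the lost finding; fed a real scan of the template it should exit 0 for every ID in your baseline, and a 2 means the report itself is not trustworthy enough to gate on.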
| | check_id | file | resource | check_name | guideline |
|---|---|---|---|---|---|
0 | CKV_SECRET_2 | /cfngoat.yaml | 25910f981e85ca04baf359199dd0bd4a3ae738b6 | AWS Access Key | https://docs.bridgecrew.io/docs/git_secrets_2 |
1 | CKV_SECRET_6 | /cfngoat.yaml | d70eab08607a4d05faa2d0d6647206599e9abc65 | Base64 High Entropy String | https://docs.bridgecrew.io/docs/git_secrets_6 |