FortiCNAPP IaC policies
FortiCNAPP IaC Security is converting existing policies to Rego. You may notice duplicate findings due to checkov or tfsec policies temporarily co-existing. For remediation, FortiCNAPP offers suppression options for both Code Security App and CI/CD integrations.
Assessments
Invoked through Code Security App and CI/CD
In the console, the new FortiCNAPP-authored policies are visible as part of your assessment findings. The old policies that have been replaced will no longer be visible, and their results will not be part of your assessments.
Note that these new policies have been carefully reviewed and tested by FortiCNAPP, and they may not use the same logic as the checkov or tfsec policies. You may see false positive results disappear and true positive results appear.
Invoked through the CLI
The CLI runs a combined scan using the `lacework iac scan` command.
Published FortiCNAPP Policies
Policies converted to Rego are released in small batches. In cases where an existing policy is no longer relevant, it is deprecated without replacement.
The following table tracks released Rego policies:
| Policy Name | Lacework Policy ID | Checkov ID | Publish Date |
|---|---|---|---|
| EKS should not allow public access to API endpoint | lacework-iac-aws-network-1 | ckv-aws-38 | 07/10/2023 |
| Ensure RDS cluster has IAM authentication enabled | lacework-iac-aws-iam-1 | ckv-aws-162 | 07/10/2023 |
| Pods should not run containers with allowPrivilegeEscalation | lacework-iac-k8s-security-2 | ckv-k8s-20 | 07/10/2023 |
| KMS master keys should not be globally accessible | lacework-iac-aws-security-1 | ckv-aws-33 | 07/10/2023 |
| Container image should be versioned | lacework-iac-k8s-workload-1 | ckv-k8s-43 | 07/27/2023 |
| Minimize the execution of container workloads with added capabilities | lacework-iac-k8s-workload-2 | ckv-k8s-24 | 07/27/2023 |
| Minimize the execution of container workloads with the NET_RAW capability | lacework-iac-k8s-workload-3 | ckv-k8s-7, ckv-k8s-28 | 07/27/2023 |
| AWS resources must specify a Security Group | lacework-iac-aws-network-2 | ckv2-aws-5 | 07/27/2023 |
| Apply security context to pods and containers | lacework-iac-k8s-security-1 | ckv-k8s-29, ckv-k8s-30 | 07/27/2023 |
| An inbound firewall rule allows traffic from /0 | lacework-iac-gcp-network-1 | | 07/27/2023 |
| Amazon ALBs should implement HTTPS | lacework-iac-aws-tls-1 | ckv-aws-2 | 08/04/2023 |
| An outdated SSL policy is in use by a load balancer | lacework-iac-aws-tls-2 | ckv-aws-103 | 08/04/2023 |
| CloudFront distribution uses outdated SSL/TLS protocols | lacework-iac-aws-tls-3 | | 08/04/2023 |
| API Gateway domain name uses outdated SSL/TLS protocol | lacework-iac-aws-tls-4 | | 08/04/2023 |
| ElasticSearch domain endpoint uses outdated TLS policy | lacework-iac-aws-tls-5 | | 08/04/2023 |
| Network ACL allows ingress from 0.0.0.0/0 | lacework-iac-aws-network-3 | | 08/04/2023 |
| Network ACL ingress must not permit all ports | lacework-iac-aws-network-4 | | 08/04/2023 |
| S3 bucket does not block public access | lacework-iac-aws-storage-1 | ckv-aws-53, ckv-aws-54, ckv-aws-55, ckv-aws-56 | 08/04/2023 |
| DAX Cluster should encrypt data at rest | lacework-iac-aws-encryption-2 | | 08/17/2023 |
| Unencrypted SNS topic | lacework-iac-aws-encryption-4 | ckv-aws-26 | 08/17/2023 |
| A KMS key is not configured to auto-rotate | lacework-iac-aws-encryption-5 | | 08/17/2023 |
| CloudFront viewer protocol policy should be set to https-only or redirect-to-http | lacework-iac-aws-encryption-6 | | 08/17/2023 |
| EKS Clusters should encrypt secrets | lacework-iac-aws-encryption-10 | | 08/17/2023 |
| EKS Cluster should have control plane logging enabled | lacework-iac-aws-logging-1 | ckv-aws-37 | 08/17/2023 |
| S3 bucket does not have access logging | lacework-iac-aws-storage-2 | | 08/17/2023 |
| RDS instance is publicly accessible | lacework-iac-aws-storage-3 | | 08/17/2023 |
| RDS instance does not encrypt Performance Insights | lacework-iac-aws-storage-4 | | 08/17/2023 |
| Athena database not encrypted at rest | lacework-iac-aws-storage-5 | ckv-aws-77 | 08/17/2023 |
| Athena workgroup not encrypted at rest | lacework-iac-aws-storage-6 | ckv-aws-159 | 08/17/2023 |
| S3 Versioning should be enabled | lacework-iac-aws-storage-7 | | 08/17/2023 (Replacing |
| ECR should have immutable image tags | lacework-iac-aws-storage-8 | | 08/17/2023 |
| Launch configuration with unencrypted EBS block device | lacework-iac-aws-encryption-1 | ckv-aws-8 | 08/29/2023 |
| Ensure all data stored in the SQS queue is encrypted | lacework-iac-aws-encryption-3 | | 08/29/2023 |
| A MSK cluster allows unencrypted data in transit | lacework-iac-aws-encryption-7 | | 08/29/2023 |
| Elasticsearch domain is not encrypted at rest | lacework-iac-aws-encryption-8 | | 08/29/2023 |
| CodeBuild artifacts and logs should be encrypted | lacework-iac-aws-encryption-9 | ckv-aws-78, ckv-aws-147 | 08/29/2023 |
| CloudTrail log files should be encrypted with customer managed KMS keys | lacework-iac-aws-encryption-11 | ckv-aws-35 | 08/29/2023 |
| ElasticSearch node-to-node encryption not enabled | lacework-iac-aws-encryption-12 | ckv-aws-6 | 08/29/2023 |
| OpenSearch node-to-node encryption not enabled | lacework-iac-aws-encryption-13 | | 08/29/2023 |
| ElasticSearch domains should enforce HTTPS | lacework-iac-aws-encryption-14 | ckv-aws-054 | 08/29/2023 |
| RDS Cluster should have storage encryption enabled | lacework-iac-aws-encryption-16 | ckv-aws-96 | 08/29/2023 |
| RDS DB instance should have storage encrypted | lacework-iac-aws-encryption-17 | ckv-aws-16 | 08/29/2023 |
| Unencrypted Elasticache Replication Group | lacework-iac-encryption-18 | ckv-aws-29 | 08/29/2023 |
| Elastic File System should be encrypted | lacework-iac-encryption-19 | ckv-aws-184 | 09/12/2023 |
| Enable transit encryption for Elasticache RG | lacework-iac-aws-encryption-20 | | 09/12/2023 |
| Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell | lacework-iac-aws-encryption-21 | ckv-aws-192 | 11/21/2023 |
| SageMaker Notebook is encrypted at rest with KMS CMK | lacework-iac-aws-encryption-32 | ckv-aws-22, ckv2-aws-24 | 01/22/2025 |
| Missing description for security group/security group rule | lacework-iac-aws-security-9 | ckv-aws-23 | 01/22/2025 |
| Ensure Dynamodb point in time recovery is enabled | lacework-iac-aws-storage-13 | ckv-aws-28 | 01/22/2025 |
| IAM Password policy should have minimum password length of 14 or more characters | lacework-iac-aws-iam-2 | ckv-aws-10 | 01/22/2025 |
| IAM Password policy should prevent password reuse | lacework-iac-aws-iam-3 | | 01/22/2025 |
| IAM Password policy should have expiry less than or equal to 90 days | lacework-iac-aws-iam-4 | | 01/22/2025 |
| Ensure QLDB ledger permissions mode is set to STANDARD | lacework-iac-aws-iam-5 | ckv-aws-170 | 01/22/2025 |
| Ensure IAM users are members of an IAM group | lacework-iac-aws-iam-6 | ckv2-aws-21 | 01/22/2025 |
| Ensure IAM policies are attached only to groups | lacework-iac-aws-iam-7 | ckv-aws-40 | 01/22/2025 |
| Ensure IAM policies do not allow administrative privileges | lacework-iac-aws-iam-8 | ckv-aws-1 | 01/22/2025 |
| ALB/NLB is exposed to the internet | lacework-iac-aws-loadbalancers-1 | | 02/05/2025 |
| Classic load balancer is exposed to the internet | lacework-iac-aws-loadbalancers-2 | | 02/05/2025 |
| Ensure AppSync has Field-Level logs enabled | lacework-iac-aws-logging-10 | ckv-aws-194 | 02/05/2025 |
| Ensure CloudTrail is enabled in all Regions | lacework-iac-aws-logging-2 | ckv-aws-67 | 02/05/2025 |
| CloudTrail log file validation should be enabled | lacework-iac-aws-logging-3 | ckv-aws-36 | 02/05/2025 |
| Ensure Cloudfront distribution has Access Logging enabled | lacework-iac-aws-logging-4 | ckv-aws-86 | 02/05/2025 |
| Ensure API Gateway has Access Logging enabled | lacework-iac-aws-logging-5 | ckv-aws-76 | 02/05/2025 |
| Ensure API Gateway V2 has Access Logging enabled | lacework-iac-aws-logging-6 | ckv-aws-95 | 02/05/2025 |
| Ensure Neptune logging is enabled | lacework-iac-aws-logging-8 | ckv-aws-101 | 02/05/2025 |
| Ensure DocDB has audit logs enabled | lacework-iac-aws-logging-9 | ckv-aws-104 | 02/05/2025 |
| Ensure that Timestream database is encrypted with KMS CMK | lacework-iac-aws-encryption-25 | ckv-aws-160 | 02/24/2025 |
| Ensure Kinesis Video Stream is encrypted by KMS using a customer managed Key (CMK) | lacework-iac-aws-encryption-26 | ckv-aws-177 | 02/24/2025 |
| Ensure Image Builder component is encrypted by KMS using a customer managed Key (CMK) | lacework-iac-aws-encryption-27 | ckv-aws-180 | 02/24/2025 |
| Ensure S3 Object Copy is encrypted by KMS using a customer managed Key (CMK) | lacework-iac-aws-encryption-28 | ckv-aws-181 | 02/24/2025 |
| Ensure AWS DocumentDB is encrypted by KMS using a customer managed Key (CMK) | lacework-iac-aws-encryption-29 | ckv-aws-182, ckv-aws-74 | 02/24/2025 |
| Ensure Lambda environment variables are encrypted | lacework-iac-aws-encryption-37 | ckv-aws-173 | 02/24/2025 |
| Ensure Glue Security Configuration Encryption is enabled | lacework-iac-aws-encryption-39 | ckv-aws-99 | 02/24/2025 |
| Ensure data in Sagemaker Endpoint is encrypted at rest | lacework-iac-aws-encryption-40 | ckv-aws-98 | 02/24/2025 |
| Ensure DynamoDB Tables are encrypted using KMS | lacework-iac-aws-encryption-41 | ckv-aws-119 | 02/24/2025 |
| Ensure fx ontap file system is encrypted by KMS using a customer managed Key (CMK) | lacework-iac-aws-encryption-42 | ckv-aws-178 | 02/24/2025 |
| Ensure FSX Windows filesystem is encrypted by KMS using a customer managed Key (CMK) | lacework-iac-aws-encryption-43 | ckv-aws-179 | 02/24/2025 |
| Ensure Amazon MQ Broker logging is enabled | lacework-iac-aws-logging-12 | ckv-aws-48 | 02/24/2025 |
| Enabling x-ray tracing for lambda functions | lacework-iac-aws-logging-13 | ckv-aws-50 | 02/24/2025 |
| Ensure Global Accelerator accelerator has flow logs enabled | lacework-iac-aws-logging-15 | ckv-aws-75 | 02/24/2025 |
| Ensure Neptune Cluster instance is not publicly available | lacework-iac-aws-network-10 | ckv-aws-102 | 02/24/2025 |
| Ensure Redshift is not deployed outside of a VPC | lacework-iac-aws-network-6 | ckv-aws-154 | 02/24/2025 |
| Ensure Redshift uses SSL | lacework-iac-aws-security-5 | ckv-aws-105 | 02/24/2025 |
| Ensure that Redshift cluster is encrypted by KMS | lacework-iac-aws-security-7 | ckv-aws-142, ckv-aws-64, ckv-aws-188 | 02/24/2025 |
| Ensure that RDS clusters have deletion protection enabled | lacework-iac-aws-storage-10 | ckv-aws-139 | 02/24/2025 |
| Redshift cluster should not be publicly accessible | lacework-iac-aws-storage-16 | ckv-aws-87 | 02/24/2025 |
| Autoscaling groups should supply tags to launch configurations | lacework-iac-aws-general-10 | ckv-aws-153 | 02/24/2025 |
| Ensure Transfer Server is not exposed publicly | lacework-iac-aws-general-11 | ckv-aws-164 | 02/24/2025 |
| Ensure that VPC Endpoint Service is configured for Manual Acceptance | lacework-iac-aws-general-2 | ckv-aws-123 | 02/24/2025 |
| Ensure that CloudFormation stacks are sending event notifications to an SNS topic | lacework-iac-aws-general-3 | ckv-aws-124 | 02/24/2025 |
| Ensure that redshift cluster allows version upgrade by default | lacework-iac-aws-general-4 | ckv-aws-141 | 02/24/2025 |
| It is AWS best practice to not use the default VPC for workflows | lacework-iac-aws-general-7 | ckv-aws-148 | 02/24/2025 |
| Ensure Dynamodb point in time recovery (backup) is enabled for global tables | lacework-iac-aws-backup-2 | ckv-aws-165 | 02/24/2025 |
| Ensure EC2 Instances Are EBS-Optimized for Enhanced Performance | lacework-iac-aws-compute-6 | ckv-aws-135 | 02/24/2025 |
| Ensure API Gateway caching is enabled | lacework-iac-aws-encryption-23 | ckv-aws-120 | 02/24/2025 |
| Ensure API Gateway has X-Ray Tracing enabled | lacework-iac-aws-gateway-1 | ckv-aws-73 | 02/24/2025 |
| AWS Lambda function should have a Dead Letter Queue(DLQ) | lacework-iac-aws-compute-3 | ckv-aws-116 | 03/06/2025 |
| Ensure container insights are enabled on ECS cluster | lacework-iac-aws-containers-1 | ckv-aws-65 | 03/06/2025 |
| Kinesis stream is not encrypted | lacework-iac-aws-encryption-22 | ckv-aws-43, ckv-aws-185 | 03/06/2025 |
| Ensure that CloudWatch Log Group is encrypted by KMS | lacework-iac-aws-encryption-24 | ckv-aws-158 | 03/06/2025 |
| Ensure Sagemaker domain is encrypted by KMS using a customer managed Key (CMK) | lacework-iac-aws-encryption-30 | ckv-aws-187 | 03/06/2025 |
| Ensure Elasticache replication group has auth token | lacework-iac-aws-encryption-34 | ckv-aws-31 | 03/06/2025 |
| Ensure Elasticache replication group is encrypted by KMS | lacework-iac-aws-encryption-36 | ckv-aws-191 | 03/06/2025 |
| Ensure lustre file systems with persistent deployment are encrypted by KMS using a customer managed Key (CMK) | lacework-iac-aws-encryption-44 | ckv-aws-190 | 03/06/2025 |
| Ensure that ECR repositories are encrypted using KMS | lacework-iac-aws-encryption-45 | ckv-aws-136 | 03/06/2025 |
| Ensure that Workspace user volumes are encrypted | lacework-iac-aws-general-5 | ckv-aws-155 | 03/06/2025 |
| Ensure that Workspace root volumes are encrypted | lacework-iac-aws-general-6 | ckv-aws-156 | 03/06/2025 |
| Ensure that S3 bucket has cross-region replication enabled | lacework-iac-aws-general-9 | ckv-aws-144 | 03/06/2025 |
| Load balancers should drop invalid headers | lacework-iac-aws-loadbalancers-3 | ckv-aws-131 | 03/06/2025 |
| Ensure that ELB is cross-zone-load-balancing enabled | lacework-iac-aws-loadbalancers-6 | ckv-aws-138 | 03/06/2025 |
| Ensure AppSync GraphQl Api has logging enabled | lacework-iac-aws-logging-14 | ckv-aws-193 | 03/06/2025 |
| Ensure Redshift Cluster logging is enabled | lacework-iac-aws-logging-17 | ckv-aws-71 | 03/06/2025 |
| Route 53 A Record has an associated resource attached | lacework-iac-aws-network-7 | ckv2-aws-23 | 03/06/2025 |
| Ensure Amazon EKS Node group has implicit SSH access from 0.0.0.0/0 | lacework-iac-aws-network-9 | ckv-aws-100 | 03/06/2025 |
| Ensure MQ Broker is not publicly exposed | lacework-iac-aws-queues-1 | ckv-aws-69 | 03/06/2025 |
| Ensure QLDB ledger has deletion protection enabled | lacework-iac-aws-security-10 | ckv-aws-172 | 03/06/2025 |
| Ensure SQS policy does not allow ALL (*) actions | lacework-iac-aws-security-11 | ckv-aws-72 | 03/06/2025 |
| CloudFront Distribution should have WAF enabled | lacework-iac-aws-security-13 | ckv-aws-68 | 03/06/2025 |
| Ensure that EMR clusters have Kerberos Enabled | lacework-iac-aws-security-14 | ckv-aws-114 | 03/06/2025 |
| Ensure EBS default encryption is enabled | lacework-iac-aws-security-6 | ckv-aws-106 | 03/06/2025 |
| Ensure that Secrets Manager secret is encrypted using KMS | lacework-iac-aws-security-8 | ckv-aws-149 | 03/06/2025 |
| Ensure Backup Vault is encrypted at rest using KMS CMK | lacework-iac-aws-storage-12 | ckv-aws-166 | 03/06/2025 |
| Ensure DocumentDB Logging is enabled | lacework-iac-aws-storage-15 | ckv-aws-85 | 03/06/2025 |
| Athena Workgroup should enforce configuration check | lacework-iac-aws-storage-17 | ckv-aws-82 | 03/06/2025 |
| DMS replication instance should not be publicly accessible | lacework-iac-aws-storage-18 | ckv-aws-89 | 03/06/2025 |
| Ensure Glue Data Catalog Encryption is enabled | lacework-iac-aws-storage-21 | ckv-aws-94 | 03/06/2025 |
| Ensure that RDS instances have Multi-AZ enabled | lacework-iac-aws-backup-1 | ckv-aws-157 | 03/13/2025 |
| Ensure that lambda function permission has a source ARN specified | lacework-iac-aws-compute-1 | | 03/13/2025 |
| Ensure AWS Lambda function is configured inside a VPC | lacework-iac-aws-compute-4 | ckv-aws-117 | 03/13/2025 |
| Ensure all data stored in the EBS is secured | lacework-iac-aws-encryption-33 | ckv-aws-3 | 03/13/2025 |
| Ensure that RDS global clusters are encrypted | lacework-iac-aws-encryption-46 | ckv-aws-140 | 03/13/2025 |
| Ensure S3 bucket Object is encrypted by KMS using a customer managed Key (CMK) | lacework-iac-aws-encryption-48 | ckv-aws-186 | 03/13/2025 |
| Ensure EBS Snapshot Copy is Encrypted Using a Customer Managed Key (CMK) | lacework-iac-aws-encryption-51 | ckv-aws-183 | 03/13/2025 |
| Ensure that Elastic Load Balancers have deletion protection enabled | lacework-iac-aws-encryption-52 | ckv-aws-150 | 03/13/2025 |
| Ensure Instance Metadata Service Version 1 is not enabled | lacework-iac-aws-general-1 | ckv-aws-79 | 03/13/2025 |
| Ensure AWS Config is enabled in all regions | lacework-iac-aws-general-12 | ckv-aws-121 | 03/13/2025 |
| Ensure RDS database has IAM authentication enabled | lacework-iac-aws-iam-10 | ckv-aws-161 | 03/13/2025 |
| Ensure the ELB has access logging enabled | lacework-iac-aws-loadbalancers-4 | ckv-aws-92 | 03/13/2025 |
| Ensure Amazon ElastiCache Redis clusters have automatic backups enabled | lacework-iac-aws-loadbalancers-7 | ckv-aws-134 | 03/13/2025 |
| Ensure Amazon MSK Cluster logging is enabled | lacework-iac-aws-logging-16 | ckv-aws-80 | 03/13/2025 |
| Audit logging should be enabled for Elastic Search domains | lacework-iac-aws-logging-18 | | 03/13/2025 |
| Audit logging should be enabled for OpenSearch Service domains | lacework-iac-aws-logging-19 | | 03/13/2025 |
| Application Logging Should Be Enabled for OpenSearch Service Domains | lacework-iac-aws-logging-20 | | 03/13/2025 |
| Application Logging Should Be Enabled for Amazon Elasticsearch Service Domains | lacework-iac-aws-logging-21 | | 03/13/2025 |
| Ensure Logging is Enabled for AWS WAF Web Access Control Lists | lacework-iac-aws-logging-22 | ckv-aws-176 | 03/13/2025 |
| Enable Appropriate Logging for Amazon RDS Instances | lacework-iac-aws-logging-23 | ckv-aws-129 | 03/13/2025 |
| Ensure that detailed monitoring is enabled for EC2 instances | lacework-iac-aws-monitoring-1 | ckv-aws-126 | 03/13/2025 |
| Ensure that Amazon Elasticsearch Service domains are configured inside a VPC | lacework-iac-aws-network-11 | ckv-aws-137 | 03/13/2025 |
| Disable Direct Internet Access for Amazon SageMaker Notebook Instances | lacework-iac-aws-network-13 | ckv-aws-122 | 03/13/2025 |
| Ensure VPC Subnets Do Not Automatically Assign Public IP Addresses | lacework-iac-aws-network-14 | ckv-aws-130 | 03/13/2025 |
| Ensure no open access to backend resources through API | lacework-iac-aws-security-12 | ckv-aws-59 | 03/13/2025 |
| Ensure AWS WAF Web ACLs Have Associated Rules | lacework-iac-aws-security-19 | ckv-aws-175 | 03/13/2025 |
| Ensure Neptune Cluster storage is securely encrypted | lacework-iac-aws-storage-14 | ckv-aws-44 | 03/13/2025 |
| Ensure Elastic Load Balancer(s) Use SSL Certificates from AWS Certificate Manager | lacework-iac-aws-tls-7 | ckv-aws-127 | 03/13/2025 |
| Ensure AKS logging to Azure Monitoring is Configured | lacework-iac-azure-monitoring-1 | ckv-azure-4 | 03/13/2025 |
| An inbound network security rule allows traffic from /0 | lacework-iac-azure-network-1 | | 03/13/2025 |
| Ensure the ELBv2 has access logging enabled | lacework-iac-aws-loadbalancers-5 | ckv-aws-91 | 03/27/2025 |
| Ensure VPC Flow Logging is enabled for all VPCs | lacework-iac-aws-logging-24 | ckv2-aws-11 | 03/27/2025 |
| Ensure CloudWatch log groups retains logs for at least 1 year | lacework-iac-aws-monitoring-2 | ckv-aws-66 | 03/27/2025 |
| Task definition defines sensitive environment variable(s) | lacework-iac-aws-secrets-1 | | 03/27/2025 |
| Ensure ECR image scanning on push is enabled | lacework-iac-aws-security-2 | ckv-aws-163 | 03/27/2025 |
| Ensure KMS encryption keys are rotated within a period of 90 days | lacework-iac-gcp-encryption-2 | ckv-gcp-43 | 03/27/2025 |
| Ensure only GCP-managed service account keys are used | lacework-iac-gcp-encryption-3 | ckv2-gcp-3 | 03/27/2025 |
| Ensure legacy networks do not exist for a project | lacework-iac-gcp-network-11 | ckv2-gcp-2 | 03/27/2025 |
| Ensure that Cloud Storage buckets are not anonymously or publicly accessible | lacework-iac-gcp-storage-18 | ckv-gcp-28 | 03/27/2025 |
| Ensure no IAM policies documents allow '*' as a statement's actions | lacework-iac-aws-iam-13 | ckv-aws-49 | 07/24/2025 |
| Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 | lacework-iac-aws-network-16 | ckv-aws-25 | 07/24/2025 |
| S3 Bucket has an ACL defined which allows public READ access | lacework-iac-aws-storage-23 | ckv-aws-20 | 07/24/2025 |
| Ensure that MariaDB server enables geo-redundant backups. | lacework-iac-azure-backup-1 | ckv-azure-129 | 07/24/2025 |
| Ensure that Azure MySQL servers enables geo-redundant backups. | lacework-iac-azure-backup-2 | ckv-azure-94 | 07/24/2025 |
| Enable Geo-Redundant Backups for Azure PostgreSQL Servers | lacework-iac-azure-backup-3 | ckv-azure-102 | 07/24/2025 |
| Ensure Cosmos DB Accounts Use Customer-Managed Keys for Data Encryption at Rest | lacework-iac-azure-encryption-1 | ckv-azure-100 | 07/24/2025 |
| Ensure that Automation account variables are encrypted | lacework-iac-azure-encryption-2 | ckv-azure-73 | 07/24/2025 |
| Ensure that Azure Data Explorer uses disk encryption | lacework-iac-azure-encryption-3 | ckv-azure-74 | 07/24/2025 |
| Ensure that Azure Data Explorer uses double encryption | lacework-iac-azure-encryption-4 | ckv-azure-75 | 07/24/2025 |
| Ensure that Azure Batch account uses key vault to encrypt data | lacework-iac-azure-encryption-5 | ckv-azure-76 | 07/24/2025 |
| Enable Infrastructure Encryption for Azure PostgreSQL Servers | lacework-iac-azure-encryption-6 | ckv-azure-130 | 07/24/2025 |
| Ensure Virtual Machine Extensions are not Installed | lacework-iac-azure-general-1 | ckv-azure-50 | 07/24/2025 |
| Ensure that App service enables HTTP logging | lacework-iac-azure-logging-1 | ckv-azure-63 | 07/24/2025 |
| Ensure that App service enables detailed error messages | lacework-iac-azure-logging-2 | ckv-azure-65 | 07/24/2025 |
| Ensure that App service enables failed request tracing | lacework-iac-azure-logging-3 | ckv-azure-66 | 07/24/2025 |
| Ensure 'public network access enabled' is set to 'False' for MariaDB servers. | lacework-iac-azure-network-10 | ckv-azure-48 | 07/24/2025 |
| Ensure MSSQL is using the latest version of TLS encryption | lacework-iac-azure-network-11 | ckv-azure-52 | 07/24/2025 |
| Ensure 'public network access enabled' is set to 'False' for MySQL servers | lacework-iac-azure-network-12 | ckv-azure-53 | 07/24/2025 |
| Ensure MySQL is using the latest version of TLS encryption | lacework-iac-azure-network-13 | ckv-azure-54 | 07/24/2025 |
| Ensure that Azure Synapse workspaces enables managed virtual networks | lacework-iac-azure-network-14 | ckv-azure-58 | 07/24/2025 |
| Ensure that Azure File Sync disables public network access | lacework-iac-azure-network-15 | ckv-azure-64 | 07/24/2025 |
| Ensure that PostgreSQL server disables public network access | lacework-iac-azure-network-16 | ckv-azure-68 | 07/24/2025 |
| Ensure Azure Cosmos DB disables public network access | lacework-iac-azure-network-17 | ckv-azure-101 | 07/24/2025 |
| Disable Public Network Access for Azure Data Factory | lacework-iac-azure-network-18 | ckv-azure-104 | 07/24/2025 |
| Ensure Azure Cognitive Search Disables Public Network Access | lacework-iac-azure-network-19 | ckv-azure-124 | 07/24/2025 |
| Ensure that 'Auditing' is enabled for SQL servers and SQL databases | lacework-iac-azure-network-6 | ckv-azure-23 | 07/24/2025 |
| Ensure that Cognitive Services accounts disable public network access | lacework-iac-azure-network-8 | ckv-azure-134 | 07/24/2025 |
| Ensure 'Enforce SSL connection' is set to true for MariaDB servers | lacework-iac-azure-network-9 | ckv-azure-47 | 07/24/2025 |
| Ensure that CORS disallows every resource to access app services | lacework-iac-azure-security-10 | ckv-azure-57 | 07/24/2025 |
| Ensure that Azure Defender is set to On for App Service | lacework-iac-azure-security-11 | ckv-azure-61 | 07/24/2025 |
| Ensure that Azure Defender is set to On for Azure SQL database servers | lacework-iac-azure-security-12 | ckv-azure-69 | 07/24/2025 |
| Ensure that Managed identity provider is enabled for app services | lacework-iac-azure-security-13 | ckv-azure-71 | 07/24/2025 |
| Ensure that remote debugging is not enabled for app services | lacework-iac-azure-security-14 | ckv-azure-72 | 07/24/2025 |
| Ensure that Azure Defender is set to On for Storage | lacework-iac-azure-security-17 | ckv-azure-84 | 07/24/2025 |
| Ensure that Azure Defender is set to On for Kubernetes | lacework-iac-azure-security-18 | ckv-azure-85 | 07/24/2025 |
| Disable Access Key Metadata Writes in Cosmos DB to Prevent Privilege Escalation | lacework-iac-azure-security-19 | ckv-azure-132 | 07/24/2025 |
| Ensure that Azure Defender is set to On for Container Registries | lacework-iac-azure-security-20 | ckv-azure-86 | 07/24/2025 |
| Ensure that PostgreSQL server enables Threat detection policy | lacework-iac-azure-security-22 | ckv-azure-128 | 07/24/2025 |
| Ensure that MySQL server enables Threat detection policy | lacework-iac-azure-security-23 | ckv-azure-127 | 07/24/2025 |
| Ensure that Active Directory is used for authentication for Service Fabric | lacework-iac-azure-security-24 | ckv-azure-126 | 07/24/2025 |
| Ensure cosmosdb does not allow privileged escalation by restricting management plane changes | lacework-iac-azure-security-6 | ckv-azure-132 | 07/24/2025 |
| Ensure Azure linux scale set does not use basic authentication(Use SSH Key Instead) | lacework-iac-azure-security-7 | ckv-azure-49 | 07/24/2025 |
| Ensure that function apps enables Authentication | lacework-iac-azure-security-9 | ckv-azure-56 | 07/24/2025 |
| Ensure that Storage accounts disallow public access | lacework-iac-azure-storage-5 | ckv-azure-59 | 07/24/2025 |
| Ensure Compute instances are launched with Shielded VM enabled | lacework-iac-gcp-compute-10 | ckv-gcp-39 | 07/24/2025 |
| Ensure 'Block Project-wide SSH keys' is enabled for VM instances | lacework-iac-gcp-compute-8 | ckv-gcp-32 | 07/24/2025 |
| Google compute instance with full access to cloud APIs | lacework-iac-gcp-compute-9 | ckv-gcp-31 | 07/24/2025 |
| Ensure that the default network does not exist in a project | lacework-iac-gcp-network-10 | ckv-gcp-27 | 07/24/2025 |
| Ensure GKE Control Plane is not publicly accessible | lacework-iac-gcp-network-4 | ckv-gcp-18 | 07/24/2025 |
| Ensure 'Automatic node upgrade' is enabled for Kubernetes Clusters | lacework-iac-gcp-security-5 | ckv-gcp-10 | 07/24/2025 |
| Ensure Key Vault Keys Are HSM-Protected | lacework-iac-azure-backup-4 | ckv-azure-112 | 08/18/2025 |
| Ensure the web app has 'Client Certificates (Incoming client certificates)' set to ON | lacework-iac-azure-certs-1 | ckv-azure-17 | 08/18/2025 |
| Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | lacework-iac-azure-encryption-10 | ckv-azure-14 | 08/18/2025 |
| Azure App Services should enforce minimum TLS version 1.2 | lacework-iac-azure-encryption-11 | ckv-azure-15 | 08/18/2025 |
| Secure sensitive data in Azure Storage with customer-managed keys | lacework-iac-azure-encryption-13 | ckv2-azure-1 | 08/18/2025 |
| Ensure Azure Data Factory is securely integrated with Key Vault through linked services | lacework-iac-azure-encryption-14 | ckv2-azure-15 | 08/18/2025 |
| Ensure that PostgreSQL server is configured with customer-managed encryption keys | lacework-iac-azure-encryption-15 | ckv2-azure-17 | 08/18/2025 |
| Ensure AKS Clusters Use Disk Encryption Set | lacework-iac-azure-encryption-7 | ckv-azure-117 | 08/18/2025 |
| Ensure that managed disks use a specific set of disk encryption sets for the customer-managed key encryption | lacework-iac-azure-encryption-8 | ckv-azure-93 | 08/18/2025 |
| Ensure that Virtual machine scale sets have encryption at host enabled | lacework-iac-azure-encryption-9 | ckv-azure-97 | 08/18/2025 |
| Azure Key Vault keys should have an expiration date configured | lacework-iac-azure-general-10 | ckv-azure-40 | 08/18/2025 |
| Ensure function apps don't allow all origins for CORS | lacework-iac-azure-general-11 | ckv-azure-62 | 08/18/2025 |
| Ensure App Service Authentication is set on Azure App Service | lacework-iac-azure-general-4 | ckv-azure-13 | 08/18/2025 |
| Ensure Microsoft Defender for Cloud Standard pricing tier is enabled | lacework-iac-azure-general-5 | ckv-azure-19 | 08/18/2025 |
| Ensure security contact phone number is configured in Microsoft Defender for Cloud | lacework-iac-azure-general-6 | ckv-azure-20 | 08/18/2025 |
| Ensure that email notifications for high severity alerts are enabled with alert_notifications set to 'On' | lacework-iac-azure-general-7 | ckv-azure-21 | 08/18/2025 |
| Configure Azure Monitor Log Profile to capture all management activities | lacework-iac-azure-general-8 | ckv-azure-38 | 08/18/2025 |
| Avoid creating custom subscription roles with wildcard ("*") permissions | lacework-iac-azure-general-9 | ckv-azure-39 | 08/18/2025 |
| Configure Azure Monitor Log Profile with minimum 365-day retention | lacework-iac-azure-logging-4 | ckv-azure-37 | 08/18/2025 |
| Ensure Network Interfaces Disable IP Forwarding | lacework-iac-azure-network-20 | ckv-azure-118 | 08/18/2025 |
| Ensure AKS Clusters Are Configured as Private | lacework-iac-azure-network-21 | ckv-azure-115 | 08/18/2025 |
| Ensure that Azure Container group is deployed into virtual network | lacework-iac-azure-network-22 | ckv-azure-98 | 08/18/2025 |
| Ensure that SQL server disables public network access. | lacework-iac-azure-network-23 | ckv-azure-113 | 08/18/2025 |
| Ensure that Key Vault enables purge protection. | lacework-iac-azure-network-24 | ckv-azure-110 | 08/18/2025 |
| Ensure that Key Vault implements network access restrictions | lacework-iac-azure-network-25 | ckv-azure-109 | 08/18/2025 |
| Ensure that Azure IoT Hub disables public network access | lacework-iac-azure-network-26 | ckv-azure-108 | 08/18/2025 |
| Ensure API Management services use Virtual Networks. | lacework-iac-azure-network-27 | ckv-azure-107 | 08/18/2025 |
| Ensure Application Gateway WAF is Enabled | lacework-iac-azure-network-29 | ckv-azure-122 | 08/18/2025 |
| Ensure that UDP Services are restricted from the Internet | lacework-iac-azure-network-30 | ckv-azure-77 | 08/18/2025 |
| Ensure AKS Clusters Use Azure Policy Add-on | lacework-iac-azure-network-31 | ckv-azure-116 | 08/18/2025 |
| Ensure Cosmos DB Accounts Have Appropriate Network Access Restrictions | lacework-iac-azure-network-32 | ckv-azure-99 | 08/18/2025 |
| Ensure that Azure Synapse workspaces have no IP firewall rules attached | lacework-iac-azure-network-36 | ckv2-azure-19 | 08/18/2025 |
| Azure Key Vault secrets should have an expiration date configured | lacework-iac-azure-secrets-1 | ckv-azure-41 | 08/18/2025 |
| Ensure that Azure Defender is set to On for SQL servers on machines | lacework-iac-azure-security-16 | ckv-azure-79 | 08/18/2025 |
| Ensure that Azure Defender is set to On for Key Vaults | lacework-iac-azure-security-25 | ckv-azure-87 | 08/18/2025 |
| Ensure that Azure Cache for Redis disables public network access | lacework-iac-azure-security-26 | ckv-azure-89 | 08/18/2025 |
| Ensure that only SSL are enabled for Cache for Redis | lacework-iac-azure-security-27 | ckv-azure-91 | 08/18/2025 |
| Ensure Key Vault Secrets Have Content Type Defined | lacework-iac-azure-security-28 | ckv-azure-114 | 08/18/2025 |
| Ensure Azure web apps are configured to use HTTP/2 protocol | lacework-iac-azure-security-29 | ckv-azure-18 | 08/18/2025 |
| Ensure that Security Center email notifications for administrators are enabled | lacework-iac-azure-security-30 | ckv-azure-22 | 08/18/2025 |
| Enable managed identity for Azure App Services | lacework-iac-azure-security-31 | ckv-azure-16 | 08/18/2025 |
| Ensure that 'HTTP Version' is the latest, if used to run the Function app | lacework-iac-azure-security-32 | ckv-azure-67 | 08/18/2025 |
| Ensure that Function apps are only accessible over HTTPS | lacework-iac-azure-security-33 | ckv-azure-70 | 08/18/2025 |
| Ensure Azure Data Factory Uses Git Repository for Source Control | lacework-iac-azure-security-34 | ckv-azure-103 | 08/18/2025 |
| Ensure that Application Gateway enables WAF | lacework-iac-azure-security-36 | ckv-azure-120 | 08/18/2025 |
| Enable log_checkpoints for Azure PostgreSQL Database Servers | lacework-iac-azure-storage-12 | ckv-azure-30 | 08/18/2025 |
| Enable connection throttling for Azure PostgreSQL Database Servers | lacework-iac-azure-storage-13 | ckv-azure-32 | 08/18/2025 |
| Ensure SQL Server Advanced Threat Protection covers all detection types | lacework-iac-azure-storage-6 | ckv-azure-25 | 08/18/2025 |
| Configure Email Recipients for SQL Server Security Alerts | lacework-iac-azure-storage-7 | ckv-azure-26 | 08/18/2025 |
| Enable Security Alerts for SQL Server Administrators | lacework-iac-azure-storage-8 | ckv-azure-27 | 08/18/2025 |
| Enable SSL/TLS Encryption for MySQL Database Connections | lacework-iac-azure-storage-9 | ckv-azure-28 | 08/18/2025 |
| Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK) | lacework-iac-aws-encryption-53 | ckv-aws-189 | 09/09/2025 |
| Ensure API Gateway stage has logging level defined | lacework-iac-aws-logging-11 | ckv2-aws-4 | 09/09/2025 |
| Ensure AWS Systems Manager Session Manager logs are encrypted in S3 or CloudWatch | lacework-iac-aws-logging-25 | ckv-aws-113 | 09/09/2025 |
| Enable cross-zone load balancing for Network and Gateway Load Balancers | lacework-iac-aws-network-15 | ckv-aws-152 | 09/09/2025 |
| Ensure that all NACL are attached to subnets | lacework-iac-aws-network-17 | ckv2-aws-1 | 09/09/2025 |
| EC2 instances should not have a public IP association (IPv4) | lacework-iac-aws-network-5 | ckv-aws-88 | 09/09/2025 |
| An ingress security group rule allows traffic from /0 | lacework-iac-aws-security-3 | | 09/09/2025 |
| An egress security group rule allows traffic from /0 | lacework-iac-aws-security-4 | | 09/09/2025 |
| Ensure S3 bucket policies do not allow actions with wildcard Principal | lacework-iac-aws-storage-25 | ckv-aws-70 | 09/09/2025 |
| Ensure root user is not locked out in S3 bucket policy |
lacework-iac-aws-storage-26 |
ckv-aws-93 |
09/09/2025 |
| S3 Bucket ACL or Policy Allows Public Write Access |
lacework-iac-aws-storage-27 |
ckv-aws-57 |
09/09/2025 |
| Ensure that MySQL server enables customer-managed key for encryption |
lacework-iac-azure-encryption-16 |
ckv2-azure-16 |
09/09/2025 |
| Ensure that Unattached disks are encrypted |
lacework-iac-azure-encryption-17 |
ckv2-azure-14 |
09/09/2025 |
| Ensure that Azure Data Explorer encryption at rest uses a customer-managed key |
lacework-iac-azure-encryption-18 |
ckv2-azure-11 |
09/09/2025 |
| Ensure Azure Cognitive Services Enables Customer-Managed Keys for Encryption |
lacework-iac-azure-encryption-19 |
ckv2-azure-22 |
09/09/2025 |
| Use the latest supported PHP version for Azure web applications |
lacework-iac-azure-general-13 |
ckv-azure-81 |
09/09/2025 |
| Ensure that 'Python version' is the latest, if used to run the web app |
lacework-iac-azure-general-14 |
ckv-azure-82 |
09/09/2025 |
| Ensure that 'Java version' is the latest, if used to run the web app |
lacework-iac-azure-general-15 |
ckv-azure-83 |
09/09/2025 |
| Configure Azure Active Directory Administrator for SQL Server Authentication |
lacework-iac-azure-general-16 |
ckv2-azure-7 |
09/09/2025 |
| Ensure automatic OS image patching is enabled for Virtual Machine Scale Sets |
lacework-iac-azure-general-17 |
ckv-azure-95 |
09/09/2025 |
| Ensure that app services use Azure Files |
lacework-iac-azure-general-2 |
ckv-azure-88 |
09/09/2025 |
| Network Security Group Flow Log retention period is more than 90 days |
lacework-iac-azure-general-3 |
ckv-azure-12 |
09/09/2025 |
| Ensure Storage logging is enabled for Table service for read requests |
lacework-iac-azure-logging-5 |
ckv2-azure-20 |
09/09/2025 |
| Ensure Storage logging is enabled for Blob service for read requests |
lacework-iac-azure-logging-6 |
ckv2-azure-21 |
09/09/2025 |
| Ensure the storage container storing the activity logs is not publicly accessible |
lacework-iac-azure-logging-7 |
ckv2-azure-8 |
09/09/2025 |
| Ensure Azure Event Grid Domain public network access is disabled |
lacework-iac-azure-network-28 |
ckv-azure-106 |
09/09/2025 |
| Restrict Public Network Access to Azure SQL Databases by Avoiding 0.0.0.0/0 Firewall Rules |
lacework-iac-azure-network-33 |
ckv-azure-11 |
9/9/2025 |
| Ensure RDP access is restricted from the Internet in Azure NSGs |
lacework-iac-azure-network-35 |
ckv-azure-9 |
09/09/2025 |
| Enable purge protection for Azure Key Vaults |
lacework-iac-azure-secrets-2 |
ckv-azure-42 |
09/09/2025 |
| Ensure FTP deployments are disabled |
lacework-iac-azure-security-15 |
ckv-azure-78 |
09/09/2025 |
| Ensure Security Contact Emails are Configured in Azure Security Center |
lacework-iac-azure-security-21 |
ckv-azure-131 |
09/09/2025 |
| Ensure that Network Interfaces don't use public IPs |
lacework-iac-azure-security-35 |
ckv-azure-119 |
09/09/2025 |
| Configure automatic updates for Microsoft Antimalware on Azure Virtual Machines |
lacework-iac-azure-security-37 |
ckv2-azure-10 |
09/09/2025 |
| Ensure Azure SQL servers have data security policies enabled |
lacework-iac-azure-security-38 |
ckv2-azure-13 |
09/09/2025 |
| Ensure that no sensitive credentials are exposed |
lacework-iac-azure-security-39 |
ckv-azure-45 |
09/09/2025 |
| Ensure that Azure Defender is set to On for Servers |
lacework-iac-azure-security-8 |
ckv-azure-55 |
09/09/2025 |
| Enforce SSL Connection for Azure PostgreSQL Database Servers |
lacework-iac-azure-storage-10 |
ckv-azure-29 |
09/09/2025 |
| Enable log_connections for Azure PostgreSQL Database Servers |
lacework-iac-azure-storage-11 |
ckv-azure-31 |
09/09/2025 |
| Ensure that Compute instances do not have public IP addresses |
lacework-iac-gcp-compute-11 |
ckv-gcp-40 |
09/09/2025 |
| An outbound firewall rule allows traffic to /0 |
lacework-iac-gcp-network-12 |
|
09/09/2025 |
| Ensure Kubernetes Cluster is created with Alias IP ranges enabled |
lacework-iac-gcp-network-9 |
ckv-gcp-23 |
09/9/2025 |
| Restrict Google Cloud SQL instances to private IP addresses |
lacework-iac-gcp-storage-12 |
ckv-gcp-60 |
09/09/2025 |
| Ensure that Cloud SQL database Instances are not publicly accessible |
lacework-iac-gcp-storage-3 |
ckv-gcp-11 |
09/09/2025 |
| Enable VPC Flow Logs for All Subnets in GCP VPC Networks |
lacework-iac-gcp-vpc-1 |
ckv-gcp-26 |
09/09/2025 |
| Ensure AKS has an API Server Authorized IP Ranges enabled |
lacework-iac-azure-network-4 |
ckv-azure-6 |
09/29/2025 |
| SSH access should not be accessible from the Internet |
lacework-iac-azure-network-5 |
ckv-azure-10 |
09/29/2025 |
| Ensure AKS cluster has Network Policy configured |
lacework-iac-azure-network-7 |
ckv-azure-7 |
09/29/2025 |
| Ensure HTTPS is enabled on Azure Storage Account |
lacework-iac-azure-security-1 |
ckv-azure-3, ckv-azure-60 |
09/29/2025 |
| Password authentication in use instead of SSH keys |
lacework-iac-azure-security-3 |
ckv-azure-1 |
09/29/2025 |
| Database auditing retention period should be longer than 90 days |
lacework-iac-azure-storage-2 |
ckv-azure-24 |
09/29/2025 |
| Ensure that BigQuery datasets are not anonymously or publicly accessible |
lacework-iac-gcp-bigdata-1 |
ckv-gcp-15 |
09/29/2025 |
| Disable client certificate authentication to KE Clusters |
lacework-iac-gcp-certs-1 |
ckv-gcp-13 |
09/29/2025 |
| Legacy metadata endpoints enabled |
lacework-iac-gcp-compute-1 |
|
09/29/2025 |
| Use Customer-Supplied Encryption Keys (CSEK) for VM Disks |
lacework-iac-gcp-compute-2 |
ckv-gcp-37 |
09/29/2025 |
| Ensure the GKE Metadata Server is Enabled |
lacework-iac-gcp-compute-3 |
ckv-gcp-69 |
09/29/2025 |
| Legacy ABAC permissions are enabled |
lacework-iac-gcp-iam-1 |
ckv-gcp-7 |
09/29/2025 |
| Manage Kubernetes RBAC users with Google Groups for GKE |
lacework-iac-gcp-iam-3 |
ckv-gcp-65 |
09/29/2025 |
| Ensure Shielded GKE Nodes are Enabled |
lacework-iac-gcp-security-1 |
ckv-gcp-71 |
09/29/2025 |
| Ensure minimum Kubernetes version to avoid legacy engine |
lacework-iac-gcp-security-3 |
ckv-gcp-67 |
09/29/2025 |
| Google Compute with weak cipher check |
lacework-iac-gcp-tls-1 |
ckv-gcp-4 |
09/29/2025 |
| An outbound network security rule allows traffic to /0 |
lacework-iac-azure-network-2 |
11/13/2025 | |
| The default action on Storage account network rules should be set to deny |
lacework-iac-azure-network-3 |
11/13/2025 | |
| Ensure RBAC is enabled on AKS clusters |
lacework-iac-azure-security-2 |
ckv-azure-5 |
11/13/2025 |
| Use latest TLS encryption on storage account |
lacework-iac-azure-security-5 |
ckv-azure-44 |
11/13/2025 |
| Trusted Microsoft Services should have bypass access to Storage accounts |
lacework-iac-azure-storage-1 |
ckv-azure-36 |
11/13/2025 |
| Enable logging for Queue Services |
lacework-iac-azure-storage-3 |
ckv-azure-33 |
11/13/2025 |
| Storage containers should not allow anonymous access |
lacework-iac-azure-storage-4 |
ckv-azure-34 |
11/13/2025 |
| Unrestricted RDP Access in Google Cloud Firewall |
lacework-iac-gcp-compute-4 |
ckv-gcp-2 |
11/13/2025 |
| Ensure no roles that enable to impersonate and manage all service accounts are used at a project level |
lacework-iac-gcp-iam-11 |
ckv-gcp-49 |
11/13/2025 |
| Ensure permissions are not directly granted to users |
lacework-iac-gcp-iam-2 |
ckv-gcp-48 |
11/13/2025 |
| Use a minimally privileged service account for GKE |
lacework-iac-gcp-iam-4 |
|
11/13/2025 |
| Google IAM user project level check |
lacework-iac-gcp-iam-5 |
ckv-gcp-41 |
11/13/2025 |
| Ensure that Service Account has no Admin privileges |
lacework-iac-gcp-iam-6 |
ckv-gcp-42 |
11/13/2025 |
| Ensure Default Service account is not used at a project level |
lacework-iac-gcp-iam-9 |
ckv-gcp-46 |
11/13/2025 |
| Ensure Stackdriver Logging is Enabled on GKE |
lacework-iac-gcp-logging-1 |
ckv-gcp-1 |
11/13/2025 |
| Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters |
lacework-iac-gcp-logging-2 |
ckv-gcp-8 |
11/13/2025 |
| Ensure Storage Bucket Logging is Enabled |
lacework-iac-gcp-logging-3 |
ckv-gcp-62 |
11/13/2025 |
| Enable Network Policy on Kubernetes Engine Clusters |
lacework-iac-gcp-network-2 |
ckv-gcp-12 |
11/13/2025 |
| Ensure master authorized networks is enabled in GKE clusters |
lacework-iac-gcp-network-5 |
ckv-gcp-20 |
11/13/2025 |
| Disable IP Forwarding on GCP Instances |
lacework-iac-gcp-network-6 |
ckv-gcp-36 |
11/13/2025 |
| Enable VPC Flow Logs and Intranode Visibility |
lacework-iac-gcp-network-7 |
ckv-gcp-61 |
11/13/2025 |
| Ensure Secure Boot for Shielded GKE Nodes is Enabled |
lacework-iac-gcp-security-2 |
ckv-gcp-68 |
11/13/2025 |
| Ensure 'Automatic node repair' is enabled for Kubernetes Clusters |
lacework-iac-gcp-security-4 |
ckv-gcp-9 |
11/13/2025 |
| Ensure GKE Clusters Are Created with Private Nodes |
lacework-iac-gcp-security-6 |
ckv-gcp-64, ckv-gcp-25 |
11/13/2025 |
| Enable Integrity Monitoring for Shielded GKE Nodes |
lacework-iac-gcp-security-7 |
ckv-gcp-72 |
11/13/2025 |
| Ensure Service Fabric Clusters Use Highest Protection Level (EncryptAndSign) |
lacework-iac-azure-encryption-12 |
ckv-azure-125 |
01/27/2026 |
| '.NET Framework' version is at least the current LTS version, if used as part of the web app |
lacework-iac-azure-general-12 |
ckv-azure-80 |
01/27/2026 |
| Google compute instance OSLogin check |
lacework-iac-gcp-compute-6 |
ckv-gcp-34 |
01/27/2026 |
| Enable OS Login for Google Cloud Platform Projects |
lacework-iac-gcp-compute-7 |
ckv-gcp-33 |
01/27/2026 |
| Ensure Cloud Storage Buckets Use Separate Logging Destinations |
lacework-iac-gcp-logging-4 |
ckv-gcp-63 |
01/27/2026 |
| Google sql database log_disconnections flag check |
lacework-iac-gcp-storage-10 |
ckv-gcp-53 |
01/27/2026 |
| Google sql database log_lock_waits flag check |
lacework-iac-gcp-storage-11 |
ckv-gcp-54 |
01/27/2026 |
| Google SQL database log_min_messages flag check |
lacework-iac-gcp-storage-13 |
ckv-gcp-55 |
01/27/2026 |
| Google sql database log_temp_files flag check |
lacework-iac-gcp-storage-14 |
ckv-gcp-56 |
01/27/2026 |
| Googleg sql database log_min_duration_statement flag check |
lacework-iac-gcp-storage-15 |
ckv-gcp-57 |
01/27/2026 |
| Google sql database cross db ownership chaining flag check |
lacework-iac-gcp-storage-16 |
ckv-gcp-58 |
01/27/2026 |
| Google SQL Server database contains database authentication flag check |
lacework-iac-gcp-storage-17 |
ckv-gcp-59 |
01/27/2026 |
| Enforce SSL for Incoming Connections to Google Cloud SQL Database Instances |
lacework-iac-gcp-storage-2 |
ckv-gcp-6 |
01/27/2026 |
| Google SQL database local_infile flag check |
lacework-iac-gcp-storage-7 |
ckv-gcp-50 |
01/27/2026 |
| Enable log_checkpoints for Google Cloud SQL PostgreSQL instances |
lacework-iac-gcp-storage-8 |
ckv-gcp-51 |
01/27/2026 |
| Enable PostgreSQL database 'log_connections' flag |
lacework-iac-gcp-storage-9 |
ckv-gcp-52 |
01/27/2026 |
Policy deprecation
The following tables track policies that have been deprecated without a replacement FortiCNAPP policy. Policies may be deprecated for various reasons including but not limited to:
- The resource, service or feature targeted by the policy being deprecated
- Lack of security rationale
checkov policies
AWS
| Policy ID | Policy Name | Deprecation Date |
|---|---|---|
| ckv-aws-11 | Ensure IAM password policy requires at least one lowercase letter | 09/11/2023 |
| ckv-aws-12 | Ensure IAM password policy requires at least one number | 09/11/2023 |
| ckv-aws-14 | Ensure IAM password policy requires at least one symbol | 09/11/2023 |
| ckv-aws-15 | Ensure IAM password policy requires at least one uppercase letter | 09/11/2023 |
| ckv-aws-21 | S3 Versioning should be enabled | 09/19/2023 |
| ckv-aws-19 | Ensure all data stored in the S3 bucket is securely encrypted at rest | 07/03/2023 |
| ckv-aws-145 | Ensure that S3 buckets are encrypted with KMS by default | 07/03/2023 |
| ckv-aws-52 | Ensure S3 bucket has MFA delete enabled | 01/27/2026 |
| ckv-aws-84 | Ensure Elasticsearch Domain Logging is enabled | 01/27/2026 |
| ckv2-aws-19 | Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances | 01/27/2026 |
Google Cloud
| Policy ID | Policy Name | Deprecation Date |
|---|---|---|
| ckv-gcp-24 | GKE is enabled with PodSecurityPolicy check | 08/10/2023 |
| ckv-gcp-5 | Ensure Google storage bucket have encryption enabled | 01/27/2026 |
| ckv-gcp-19 | Ensure GKE basic auth is disabled | 01/27/2026 |
| ckv-gcp-22 | Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image | 01/27/2026 |
Azure
| Policy ID | Policy Name | Deprecation Date |
|---|---|---|
| ckv-azure-2 | Ensure Azure managed disk have encryption enabled | 01/27/2026 |
| ckv-azure-8 | Ensure Kubernetes Dashboard is disabled | 01/27/2026 |
| ckv-azure-92 | Ensure that Virtual Machines use managed disks | 01/27/2026 |
| ckv-azure-96 | Ensure that MySQL server enables infrastructure encryption | 01/27/2026 |
| ckv-azure-105 | Ensure that Data Lake Store accounts enables encryption | 01/27/2026 |
| ckv-azure-111 | Ensure that key vault enables soft delete | 01/27/2026 |
| ckv-azure-121 | Ensure that Azure Front Door enables WAF | 01/27/2026 |
| ckv-azure-123 | Ensure that Application Gateway uses WAF in 'Detection' or 'Prevention' modes | 01/27/2026 |
Kubernetes (K8s)
| Policy ID | Policy Name | Deprecation Date |
|---|---|---|
| ckv-k8s-1 | Minimize the admission of containers wishing to share the host process ID namespace | 08/10/2023 |
| ckv-k8s-2 | Minimize the admission of privileged containers in PodSecurityPolicy | 08/10/2023 |
| ckv-k8s-3 | Minimize the admission of containers wishing to share the host IPC namespace | 08/10/2023 |
| ckv-k8s-4 | Minimize the admission of containers wishing to share the host network namespace | 08/10/2023 |
| ckv-k8s-5 | Minimize the admission of containers with allowPrivilegeEscalation | 08/10/2023 |
| ckv-k8s-6 | Minimize the admission of root containers | 08/10/2023 |
| ckv-k8s-7 | Minimize the admission of containers with the NET_RAW capability | 08/10/2023 |
| ckv-k8s-11 | CPU limits should be set | 08/16/2023 |
| ckv-k8s-16 | Minimize the admission of privileged containers | 08/10/2023 |
| ckv-k8s-17 | CronJob containers should not share the host process ID namespace | 08/10/2023 |
| ckv-k8s-18 | CronJob containers should not share the host IPC namespace | 08/10/2023 |
| ckv-k8s-19 | CronJob containers should not share the host network namespace | 08/10/2023 |
| ckv-k8s-23 | Minimize the admission of root containers | 08/10/2023 |
| ckv-k8s-36 | Minimize the admission of containers with capabilities assigned | 08/10/2023 |
| ckv-k8s-39 | Do not use the CAP_SYS_ADMIN linux capability | 08/10/2023 |
| ckv-k8s-40 | Containers should run as a high UID to avoid host conflict | 08/10/2023 |
| ckv-k8s-84 | Ensure that the admission control plugin PodSecurityPolicy is set | 08/10/2023 |
tfsec policies
AWS
| Policy ID | Policy Name | Deprecation Date |
|---|---|---|
| tfsec-aws017 | Unencrypted S3 bucket | 07/03/2023 |
| tfsec-aws041 | IAM Password policy should have requirement for at least one number in the password | 09/11/2023 |
| tfsec-aws042 | IAM Password policy should have requirement for at least one lowercase character | 09/11/2023 |
| tfsec-aws043 | IAM Password policy should have requirement for at least one uppercase character | 09/11/2023 |
| tfsec-aws068, tfsec-aws069 | EKS should not allow public access to API endpoint | 01/27/2026 |
| tfsec-aws004 | Amazon ALBs should implement HTTPS | 01/27/2026 |
| tfsec-aws010 | An outdated SSL policy is in use by a load balancer | 01/27/2026 |
| tfsec-aws021 | CloudFront distribution uses outdated SSL/TLS protocols | 01/27/2026 |
| tfsec-aws025 | API Gateway domain name uses outdated SSL/TLS protocol | 01/27/2026 |
| tfsec-aws034 | ElasticSearch domain endpoint uses outdated TLS policy | 01/27/2026 |
| tfsec-aws049 | Network ACL allows ingress from 0.0.0.0/0 | 01/27/2026 |
| tfsec-aws050 | Network ACL ingress must not permit all ports | 01/27/2026 |
| tfsec-aws001, tfsec-aws074, tfsec-aws075, tfsec-aws076 | S3 bucket does not block public access | 01/27/2026 |
| tfsec-aws081 | DAX Cluster should encrypt data at rest | 01/27/2026 |
| tfsec-aws016 | Unencrypted SNS topic | 01/27/2026 |
| tfsec-aws019 | A KMS key is not configured to auto-rotate | 01/27/2026 |
| tfsec-aws020 | CloudFront viewer protocol policy should be set to https-only or redirect-to-http | 01/27/2026 |
| tfsec-aws066 | EKS Clusters should encrypt secrets | 01/27/2026 |
| tfsec-aws067 | EKS Cluster should have control plane logging enabled | 01/27/2026 |
| tfsec-aws002 | S3 bucket does not have access logging | 01/27/2026 |
| tfsec-aws011 | RDS instance is publicly accessible | 01/27/2026 |
| tfsec-aws053 | RDS instance does not encrypt Performance Insights | 01/27/2026 |
| tfsec-aws059 | Athena database not encrypted at rest | 01/27/2026 |
| tfsec-aws060 | Athena workgroup not encrypted at rest | 01/27/2026 |
| tfsec-aws077 | S3 Versioning should be enabled | 01/27/2026 |
| tfsec-aws078 | ECR should have immutable image tags | 01/27/2026 |
| tfsec-aws014 | Launch configuration with unencrypted EBS block device | 01/27/2026 |
| tfsec-aws015 | Ensure all data stored in the SQS queue is encrypted | 01/27/2026 |
| tfsec-aws022 | A MSK cluster allows unencrypted data in transit | 01/27/2026 |
| tfsec-aws031 | Elasticsearch domain is not encrypted at rest | 01/27/2026 |
| tfsec-aws080 | CodeBuild artifacts and logs should be encrypted | 01/27/2026 |
| tfsec-aws065 | CloudTrail log files should be encrypted with customer managed KMS keys | 01/27/2026 |
| tfsec-aws055, tfsec-aws032 | ElasticSearch node-to-node encryption not enabled | 01/27/2026 |
| tfsec-aws033, tfsec-aws054 | ElasticSearch domains should enforce HTTPS | 01/27/2026 |
| tfsec-aws051 | RDS Cluster should have storage encryption enabled | 01/27/2026 |
| tfsec-aws052 | RDS DB instance should have storage encrypted | 01/27/2026 |
| tfsec-aws035 | Unencrypted Elasticache Replication Group | 01/27/2026 |
| tfsec-aws048 | Elastic File System should be encrypted | 01/27/2026 |
| tfsec-aws036 | Enable transit encryption for Elasticache RG | 01/27/2026 |
| tfsec-aws018 | Missing description for security group/security group rule | 01/27/2026 |
| tfsec-aws039, tfsec-aws040 | IAM Password policy should have minimum password length of 14 or more characters | 01/27/2026 |
| tfsec-aws037 | IAM Password policy should prevent password reuse | 01/27/2026 |
| tfsec-aws038 | IAM Password policy should have expiry less than or equal to 90 days | 01/27/2026 |
| tfsec-aws046 | Ensure IAM policies do not allow administrative privileges | 01/27/2026 |
| tfsec-aws005 | ALB/NLB is exposed to the internet | 01/27/2026 |
| tfsec-aws063 | Ensure CloudTrail is enabled in all Regions | 01/27/2026 |
| tfsec-aws064 | CloudTrail log file validation should be enabled | 01/27/2026 |
| tfsec-aws071 | Ensure Cloudfront distribution has Access Logging enabled | 01/27/2026 |
| tfsec-aws082 | It is AWS best practice to not use the default VPC for workflows | 01/27/2026 |
| tfsec-aws024 | Kinesis stream is not encrypted | 01/27/2026 |
| tfsec-aws083 | Load balancers should drop invalid headers | 01/27/2026 |
| tfsec-aws047 | Ensure SQS policy does not allow ALL (*) actions | 01/27/2026 |
| tfsec-aws045 | CloudFront Distribution should have WAF enabled | 01/27/2026 |
| tfsec-aws060 | Athena Workgroup should enforce configuration check | 01/27/2026 |
| tfsec-aws058 | Ensure that lambda function permission has a source ARN specified | 01/27/2026 |
| tfsec-aws079 | Ensure Instance Metadata Service Version 1 is not enabled | 01/27/2026 |
| tfsec-aws013 | Task definition defines sensitive environment variable(s) | 01/27/2026 |
| tfsec-aws023 | Ensure ECR image scanning on push is enabled | 01/27/2026 |
| tfsec-aws012 | EC2 instances should not have a public IP association (IPv4) | 01/27/2026 |
| tfsec-aws006, tfsec-aws008 | An ingress security group rule allows traffic from /0 | 01/27/2026 |
| tfsec-aws007, tfsec-aws009 | An egress security group rule allows traffic from /0 | 01/27/2026 |
Google Cloud
| Policy ID | Policy Name | Deprecation Date |
|---|---|---|
| tfsec-gcp009 | Pod security policy enforcement not defined | 08/10/2023 |
| tfsec-gcp003 | An inbound firewall rule allows traffic from /0 | 01/27/2026 |
| tfsec-gcp004 | An outbound firewall rule allows traffic to /0 | 01/27/2026 |
| tfsec-gcp007 | Legacy metadata endpoints enabled | 01/27/2026 |
| tfsec-gcp001 | Use Customer-Supplied Encryption Keys (CSEK) for VM Disks | 01/27/2026 |
| tfsec-gcp006 | Ensure the GKE Metadata Server is Enabled | 01/27/2026 |
| tfsec-gcp005 | Legacy ABAC permissions are enabled | 01/27/2026 |
| tfsec-gcp010 | Ensure Shielded GKE Nodes are Enabled | 01/27/2026 |
| tfsec-gcp011 | Ensure permissions are not directly granted to users | 01/27/2026 |
| tfsec-gcp012 | Use a minimally privileged service account for GKE | 01/27/2026 |
Azure
| Policy ID | Policy Name | Deprecation Date |
|---|---|---|
| tfsec-azu009 | Ensure AKS logging to Azure Monitoring is Configured | 01/27/2026 |
| tfsec-azu001 | An inbound network security rule allows traffic from /0 | 01/27/2026 |
| tfsec-azu018 | Ensure that 'Auditing' is enabled for SQL servers and SQL databases | 01/27/2026 |
| tfsec-azu008 | Ensure AKS has an API Server Authorized IP Ranges enabled | 01/27/2026 |
| tfsec-azu017 | SSH access should not be accessible from the Internet | 01/27/2026 |
| tfsec-azu006 | Ensure AKS cluster has Network Policy configured | 01/27/2026 |
| tfsec-azu10, tfsec-azu014 | Ensure HTTPS is enabled on Azure Storage Account | 01/27/2026 |
| tfsec-azu005 | Password authentication in use instead of SSH keys | 01/27/2026 |
| tfsec-azu019 | Database auditing retention period should be longer than 90 days | 01/27/2026 |
| tfsec-azu002 | An outbound network security rule allows traffic to /0 | 01/27/2026 |
| tfsec-azu012 | The default action on Storage account network rules should be set to deny | 01/27/2026 |
| tfsec-azu007 | Ensure RBAC is enabled on AKS clusters | 01/27/2026 |
| tfsec-azu015 | Use latest TLS encryption on storage account | 01/27/2026 |
| tfsec-azu013 | Trusted Microsoft Services should have bypass access to Storage accounts | 01/27/2026 |
| tfsec-azu016 | Enable logging for Queue Services | 01/27/2026 |
| tfsec-azu011 | Storage containers should not allow anonymous access | 01/27/2026 |