rules

Documentation

Index

• Constants

Constants

const (
	AWSIAMPasswordReusePrevention            = "AWS037"
	AWSIAMPasswordReusePreventionDescription = "IAM Password policy should prevent password reuse."
	AWSIAMPasswordReusePreventionImpact      = "Password reuse increase the risk of compromised passwords being abused"
	AWSIAMPasswordReusePreventionResolution  = "Prevent password reuse in the policy"

	AWSIAMPasswordReusePreventionExplanation = `` /* 168-byte string literal not displayed */

	AWSIAMPasswordReusePreventionBadExample = `
resource "aws_iam_account_password_policy" "bad_example" {
	# ...
	password_reuse_prevention = 1
	# ...
}
`
	AWSIAMPasswordReusePreventionGoodExample = `
resource "aws_iam_account_password_policy" "good_example" {
	# ...
	password_reuse_prevention = 5
	# ...
}
`
)

const (
	AWSIAMPasswordExpiry            = "AWS038"
	AWSIAMPasswordExpiryDescription = "IAM Password policy should have expiry less than or equal to 90 days."
	AWSIAMPasswordExpiryImpact      = "Long life password increase the likelihood of a password eventually being compromised"
	AWSIAMPasswordExpiryResolution  = "Limit the password duration with an expiry in the policy"
	AWSIAMPasswordExpiryExplanation = `` /* 155-byte string literal not displayed */

	AWSIAMPasswordExpiryBadExample = `
resource "aws_iam_account_password_policy" "bad_example" {
	# ...
	# max_password_age not set
	# ...
}
`
	AWSIAMPasswordExpiryGoodExample = `
resource "aws_iam_account_password_policy" "good_example" {
	# ...
	max_password_age = 90
	# ...
}
`
)

const (
	AWSIAMPasswordMinimumLength            = "AWS039"
	AWSIAMPasswordMinimumLengthDescription = "IAM Password policy should have minimum password length of 14 or more characters."
	AWSIAMPasswordMinimumLengthImpact      = "Short, simple passwords are easier to compromise"
	AWSIAMPasswordMinimumLengthResolution  = "Enforce longer, more complex passwords in the policy"
	AWSIAMPasswordMinimumLengthExplanation = `` /* 189-byte string literal not displayed */

	AWSIAMPasswordMinimumLengthBadExample = `
resource "aws_iam_account_password_policy" "bad_example" {
	# ...
	# minimum_password_length not set
	# ...
}
`
	AWSIAMPasswordMinimumLengthGoodExample = `
resource "aws_iam_account_password_policy" "good_example" {
	# ...
	minimum_password_length = 14
	# ...
}
`
)

const (
	AWSIAMPasswordRequiresSymbol            = "AWS040"
	AWSIAMPasswordRequiresSymbolDescription = "IAM Password policy should have requirement for at least one symbol in the password."
	AWSIAMPasswordRequiresSymbolImpact      = "Short, simple passwords are easier to compromise"
	AWSIAMPasswordRequiresSymbolResolution  = "Enforce longer, more complex passwords in the policy"
	AWSIAMPasswordRequiresSymbolExplanation = `
IAM account password policies should ensure that passwords content including a symbol.
`
	AWSIAMPasswordRequiresSymbolBadExample = `
resource "aws_iam_account_password_policy" "bad_example" {
	# ...
	# require_symbols not set
	# ...
}
`
	AWSIAMPasswordRequiresSymbolGoodExample = `
resource "aws_iam_account_password_policy" "good_example" {
	# ...
	require_symbols = true
	# ...
}
`
)

const (
	AWSIAMPasswordRequiresNumber            = "AWS041"
	AWSIAMPasswordRequiresNumberDescription = "IAM Password policy should have requirement for at least one number in the password."
	AWSIAMPasswordRequiresNumberImpact      = "Short, simple passwords are easier to compromise"
	AWSIAMPasswordRequiresNumberResolution  = "Enforce longer, more complex passwords in the policy"
	AWSIAMPasswordRequiresNumberExplanation = `
IAM account password policies should ensure that passwords content including at least one number.
`
	AWSIAMPasswordRequiresNumberBadExample = `
resource "aws_iam_account_password_policy" "bad_example" {
	# ...
	# require_numbers not set
	# ...
}
`
	AWSIAMPasswordRequiresNumberGoodExample = `
resource "aws_iam_account_password_policy" "good_example" {
	# ...
	require_numbers = true
	# ...
}
`
)

const (
	AWSIAMPasswordRequiresLowercaseCharacter            = "AWS042"
	AWSIAMPasswordRequiresLowercaseCharacterDescription = "IAM Password policy should have requirement for at least one lowercase character."
	AWSIAMPasswordRequiresLowercaseCharacterImpact      = "Short, simple passwords are easier to compromise"
	AWSIAMPasswordRequiresLowercaseCharacterResolution  = "Enforce longer, more complex passwords in the policy"
	AWSIAMPasswordRequiresLowercaseCharacterExplanation = `
IAM account password policies should ensure that passwords content including at least one lowercase character.
`
	AWSIAMPasswordRequiresLowercaseCharacterBadExample = `
resource "aws_iam_account_password_policy" "bad_example" {
	# ...
	# require_lowercase_characters not set
	# ...
}
`
	AWSIAMPasswordRequiresLowercaseCharacterGoodExample = `
resource "aws_iam_account_password_policy" "good_example" {
	# ...
	require_lowercase_characters = true
	# ...
}
`
)

const (
	AWSIAMPasswordRequiresUppercaseCharacter            = "AWS043"
	AWSIAMPasswordRequiresUppercaseCharacterDescription = "IAM Password policy should have requirement for at least one uppercase character."
	AWSIAMPasswordRequiresUppercaseCharacterImpact      = "Short, simple passwords are easier to compromise"
	AWSIAMPasswordRequiresUppercaseCharacterResolution  = "Enforce longer, more complex passwords in the policy"
	AWSIAMPasswordRequiresUppercaseCharacterExplanation = `
IAM account password policies should ensure that passwords content including at least one uppercase character.
`
	AWSIAMPasswordRequiresUppercaseCharacterBadExample = `
resource "aws_iam_account_password_policy" "bad_example" {
	# ...
	# require_uppercase_characters not set
	# ...
}
`
	AWSIAMPasswordRequiresUppercaseCharacterGoodExample = `
resource "aws_iam_account_password_policy" "good_example" {
	# ...
	require_uppercase_characters = true
	# ...
}
`
)

const AWSALBDropsInvalidHeaders = "AWS083"

const AWSALBDropsInvalidHeadersBadExample = `` /* 278-byte string literal not displayed */

const AWSALBDropsInvalidHeadersDescription = "Load balancers should drop invalid headers"

const AWSALBDropsInvalidHeadersExplanation = `` /* 244-byte string literal not displayed */

const AWSALBDropsInvalidHeadersGoodExample = `` /* 279-byte string literal not displayed */

const AWSALBDropsInvalidHeadersImpact = "Invalid headers being passed through to the target of the load balance may exploit vulnerabilities"

const AWSALBDropsInvalidHeadersResolution = "Set drop_invalid_header_fields to true"

const AWSAPIGatewayHasAccessLoggingEnabled = "AWS061"

const AWSAPIGatewayHasAccessLoggingEnabledBadExample = `` /* 313-byte string literal not displayed */

const AWSAPIGatewayHasAccessLoggingEnabledDescription = "API Gateway stages for V1 and V2 should have access logging enabled"

const AWSAPIGatewayHasAccessLoggingEnabledExplanation = `` /* 169-byte string literal not displayed */

const AWSAPIGatewayHasAccessLoggingEnabledGoodExample = `` /* 473-byte string literal not displayed */

const AWSAPIGatewayHasAccessLoggingEnabledImpact = "Logging provides vital information about access and usage"

const AWSAPIGatewayHasAccessLoggingEnabledResolution = "Enable logging for API Gateway stages"

const AWSAWSWorkspaceVolumesEncrypted = "AWS084"

const AWSAWSWorkspaceVolumesEncryptedBadExample = `` /* 495-byte string literal not displayed */

const AWSAWSWorkspaceVolumesEncryptedDescription = "Root and user volumes on Workspaces should be encrypted"

const AWSAWSWorkspaceVolumesEncryptedExplanation = `
Workspace volumes for both user and root should be encrypted to protect the data stored on them.
`

const AWSAWSWorkspaceVolumesEncryptedGoodExample = `` /* 607-byte string literal not displayed */

const AWSAWSWorkspaceVolumesEncryptedImpact = "Data can be freely read if compromised"

const AWSAWSWorkspaceVolumesEncryptedResolution = "Root and user volume encryption should be enabled"

const AWSApiGatewayDomainNameOutdatedSecurityPolicy = "AWS025"

const AWSApiGatewayDomainNameOutdatedSecurityPolicyBadExample = `
resource "aws_api_gateway_domain_name" "bad_example" {
	security_policy = "TLS_1_0"
}
`

const AWSApiGatewayDomainNameOutdatedSecurityPolicyDescription = "API Gateway domain name uses outdated SSL/TLS protocols."

const AWSApiGatewayDomainNameOutdatedSecurityPolicyExplanation = `
You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.
`

const AWSApiGatewayDomainNameOutdatedSecurityPolicyGoodExample = `
resource "aws_api_gateway_domain_name" "good_example" {
	security_policy = "TLS_1_2"
}
`

const AWSApiGatewayDomainNameOutdatedSecurityPolicyImpact = "Outdated SSL policies increase exposure to known vulnerabilities"

const AWSApiGatewayDomainNameOutdatedSecurityPolicyResolution = "Use the most modern TLS/SSL policies available"

const AWSAthenaWorkgroupEnforceConfiguration = "AWS060"

const AWSAthenaWorkgroupEnforceConfigurationBadExample = `` /* 494-byte string literal not displayed */

const AWSAthenaWorkgroupEnforceConfigurationDescription = "Athena workgroups should enforce configuration to prevent client disabling encryption"

const AWSAthenaWorkgroupEnforceConfigurationExplanation = `
Athena workgroup configuration should be enforced to prevent client side changes to disable encryption settings.
`

const AWSAthenaWorkgroupEnforceConfigurationGoodExample = `` /* 423-byte string literal not displayed */

const AWSAthenaWorkgroupEnforceConfigurationImpact = "Clients can ginore encryption requirements"

const AWSAthenaWorkgroupEnforceConfigurationResolution = "Enforce the configuration to prevent client overrides"

const AWSBadBucketACL = "AWS001"

const AWSBadBucketACLBadExample = `
resource "aws_s3_bucket" "bad_example" {
	acl = "public-read"
}
`

const AWSBadBucketACLDescription = "S3 Bucket has an ACL defined which allows public access."

const AWSBadBucketACLExplanation = `` /* 412-byte string literal not displayed */

const AWSBadBucketACLGoodExample = `
resource "aws_s3_bucket" "good_example" {
	acl = "private"
}
`

const AWSBadBucketACLImpact = "The contents of the bucket can be accessed publicly"

const AWSBadBucketACLResolution = "Apply a more restrictive bucket ACL"

const AWSBlockPublicAclS3 = "AWS074"

const AWSBlockPublicAclS3BadExample = `` /* 228-byte string literal not displayed */

const AWSBlockPublicAclS3Description = "S3 Access block should block public ACL"

const AWSBlockPublicAclS3Explanation = `` /* 142-byte string literal not displayed */

const AWSBlockPublicAclS3GoodExample = `` /* 129-byte string literal not displayed */

const AWSBlockPublicAclS3Impact = "PUT calls with public ACLs specified can make objects public"

const AWSBlockPublicAclS3Resolution = "Enable blocking any PUT calls with a public ACL specified"

const AWSBlockPublicPolicyS3 = "AWS076"

const AWSBlockPublicPolicyS3BadExample = `` /* 230-byte string literal not displayed */

const AWSBlockPublicPolicyS3Description = "S3 Access block should block public policy"

const AWSBlockPublicPolicyS3Explanation = `
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.
`

const AWSBlockPublicPolicyS3GoodExample = `` /* 131-byte string literal not displayed */

const AWSBlockPublicPolicyS3Impact = "Users could put a policy that allows public access"

const AWSBlockPublicPolicyS3Resolution = "Prevent policies that allow public access being PUT"

const AWSCheckLambdaFunctionForSourceARN = "AWS058"

const AWSCheckLambdaFunctionForSourceARNBadExample = `` /* 231-byte string literal not displayed */

const AWSCheckLambdaFunctionForSourceARNDescription = "Ensure that lambda function permission has a source arn specified"

const AWSCheckLambdaFunctionForSourceARNExplanation = `` /* 415-byte string literal not displayed */

const AWSCheckLambdaFunctionForSourceARNGoodExample = `` /* 276-byte string literal not displayed */

const AWSCheckLambdaFunctionForSourceARNImpact = "Not providing the source ARN allows any resource from principal, even from other accounts"

const AWSCheckLambdaFunctionForSourceARNResolution = "Always provide a source arn for Lambda permissions"

const AWSClassicUsage = "AWS003"

const AWSClassicUsageBadExample = `
resource "aws_db_security_group" "bad_example" {
  # ...
}
`

const AWSClassicUsageDescription = "AWS Classic resource usage."

const AWSClassicUsageExplanation = `` /* 144-byte string literal not displayed */

const AWSClassicUsageGoodExample = `
resource "aws_security_group" "good_example" {
  # ...
}
`

const AWSClassicUsageImpact = "Classic resources are running in a shared environment with other customers"

const AWSClassicUsageResolution = "Switch to VPC resources"

const AWSCloudFrontDoesNotHaveAWaf = "AWS045"

const AWSCloudFrontDoesNotHaveAWafBadExample = `` /* 801-byte string literal not displayed */

const AWSCloudFrontDoesNotHaveAWafDescription = "CloudFront distribution does not have a WAF in front."

const AWSCloudFrontDoesNotHaveAWafExplanation = `` /* 157-byte string literal not displayed */

const AWSCloudFrontDoesNotHaveAWafGoodExample = `` /* 657-byte string literal not displayed */

const AWSCloudFrontDoesNotHaveAWafImpact = "Complex web application attacks can more easily be performed without a WAF"

const AWSCloudFrontDoesNotHaveAWafResolution = "Enable WAF for the CloudFront distribution"

const AWSCloudFrontOutdatedProtocol = "AWS021"

const AWSCloudFrontOutdatedProtocolBadExample = `` /* 168-byte string literal not displayed */

const AWSCloudFrontOutdatedProtocolDescription = "CloudFront distribution uses outdated SSL/TLS protocols."

const AWSCloudFrontOutdatedProtocolExplanation = `
You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.
`

const AWSCloudFrontOutdatedProtocolGoodExample = `` /* 174-byte string literal not displayed */

const AWSCloudFrontOutdatedProtocolImpact = "Outdated SSL policies increase exposure to known vulnerabilities"

const AWSCloudFrontOutdatedProtocolResolution = "Use the most modern TLS/SSL policies available"

const AWSCloudWatchLogGroupsCMKEncrypted = "AWS089"

const AWSCloudWatchLogGroupsCMKEncryptedBadExample = `
resource "aws_cloudwatch_log_group" "bad_example" {
	name = "bad_example"

}
`

const AWSCloudWatchLogGroupsCMKEncryptedDescription = "CloudWatch log groups should be encrypted using CMK"

const AWSCloudWatchLogGroupsCMKEncryptedExplanation = `` /* 158-byte string literal not displayed */

const AWSCloudWatchLogGroupsCMKEncryptedGoodExample = `
resource "aws_cloudwatch_log_group" "good_example" {
	name = "good_example"

	kms_key_id = aws_kms_key.log_key.arn
}
`

const AWSCloudWatchLogGroupsCMKEncryptedImpact = "Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs."

const AWSCloudWatchLogGroupsCMKEncryptedResolution = "Enable CMK encryption of CloudWatch Log Groups"

const AWSCloudfrontDistributionAccessLoggingEnabled = "AWS071"

const AWSCloudfrontDistributionAccessLoggingEnabledBadExample = `
resource "aws_cloudfront_distribution" "bad_example" {
	// other config
	// no logging_config
}
`

const AWSCloudfrontDistributionAccessLoggingEnabledDescription = "Cloudfront distribution should have Access Logging configured"

const AWSCloudfrontDistributionAccessLoggingEnabledExplanation = `` /* 152-byte string literal not displayed */

const AWSCloudfrontDistributionAccessLoggingEnabledGoodExample = `` /* 200-byte string literal not displayed */

const AWSCloudfrontDistributionAccessLoggingEnabledImpact = "Logging provides vital information about access and usage"

const AWSCloudfrontDistributionAccessLoggingEnabledResolution = "Enable logging for CloudFront distributions"

const AWSCloudfrontDistributionViewerProtocolPolicyHTTPS = "AWS072"

const AWSCloudfrontDistributionViewerProtocolPolicyHTTPSBadExample = `` /* 562-byte string literal not displayed */

const AWSCloudfrontDistributionViewerProtocolPolicyHTTPSDescription = "Viewer Protocol Policy in Cloudfront Distribution Cache should always be set to HTTPS"

const AWSCloudfrontDistributionViewerProtocolPolicyHTTPSExplanation = `` /* 250-byte string literal not displayed */

const AWSCloudfrontDistributionViewerProtocolPolicyHTTPSGoodExample = `` /* 298-byte string literal not displayed */

const AWSCloudfrontDistributionViewerProtocolPolicyHTTPSImpact = "HTTP traffic can be read if intercepted"

const AWSCloudfrontDistributionViewerProtocolPolicyHTTPSResolution = "Only use HTTPS in the Viewer Protocol Policy"

const AWSCloudtrailEnabledInAllRegions = "AWS063"

const AWSCloudtrailEnabledInAllRegionsBadExample = `` /* 264-byte string literal not displayed */

const AWSCloudtrailEnabledInAllRegionsDescription = "Cloudtrail should be enabled in all regions regardless of where your AWS resources are generally homed"

const AWSCloudtrailEnabledInAllRegionsExplanation = `` /* 282-byte string literal not displayed */

const AWSCloudtrailEnabledInAllRegionsGoodExample = `` /* 297-byte string literal not displayed */

const AWSCloudtrailEnabledInAllRegionsImpact = "Activity could be happening in your account in a different region"

const AWSCloudtrailEnabledInAllRegionsResolution = "Enable Cloudtrail in all regions"

const AWSCloudtrailEncryptedAtRest = "AWS065"

const AWSCloudtrailEncryptedAtRestBadExample = `` /* 296-byte string literal not displayed */

const AWSCloudtrailEncryptedAtRestDescription = "Cloudtrail should be encrypted at rest to secure access to sensitive trail data"

const AWSCloudtrailEncryptedAtRestExplanation = `` /* 232-byte string literal not displayed */

const AWSCloudtrailEncryptedAtRestGoodExample = `` /* 359-byte string literal not displayed */

const AWSCloudtrailEncryptedAtRestImpact = "Data can be freely read if compromised"

const AWSCloudtrailEncryptedAtRestResolution = "Enable encryption at rest"

const AWSCloudtrailLogValidationEnabled = "AWS064"

const AWSCloudtrailLogValidationEnabledBadExample = `` /* 296-byte string literal not displayed */

const AWSCloudtrailLogValidationEnabledDescription = "Cloudtrail log validation should be enabled to prevent tampering of log data"

const AWSCloudtrailLogValidationEnabledExplanation = `` /* 251-byte string literal not displayed */

const AWSCloudtrailLogValidationEnabledGoodExample = `` /* 333-byte string literal not displayed */

const AWSCloudtrailLogValidationEnabledImpact = "Illicit activity could be removed from the logs"

const AWSCloudtrailLogValidationEnabledResolution = "Turn on log validation for Cloudtrail"

const AWSCodeBuildProjectEncryptionNotDisabled = "AWS080"

const AWSCodeBuildProjectEncryptionNotDisabledBadExample = `` /* 414-byte string literal not displayed */

const AWSCodeBuildProjectEncryptionNotDisabledDescription = "CodeBuild Project artifacts encryption should not be disabled"

const AWSCodeBuildProjectEncryptionNotDisabledExplanation = `
All artifacts produced by your CodeBuild project pipeline should always be encrypted
`

const AWSCodeBuildProjectEncryptionNotDisabledGoodExample = `` /* 469-byte string literal not displayed */

const AWSCodeBuildProjectEncryptionNotDisabledImpact = "CodeBuild project artifacts are unencrypted"

const AWSCodeBuildProjectEncryptionNotDisabledResolution = "Enable encryption for CodeBuild project artifacts"

const AWSConfigAggregatorCoveringAllRegions = "AWS085"

const AWSConfigAggregatorCoveringAllRegionsBadExample = `` /* 199-byte string literal not displayed */

const AWSConfigAggregatorCoveringAllRegionsDescription = "Config configuration aggregator should be using all regions for source"

const AWSConfigAggregatorCoveringAllRegionsExplanation = `` /* 191-byte string literal not displayed */

const AWSConfigAggregatorCoveringAllRegionsGoodExample = `` /* 178-byte string literal not displayed */

const AWSConfigAggregatorCoveringAllRegionsImpact = "Sources that aren't covered by the aggregator are not include in the configuration"

const AWSConfigAggregatorCoveringAllRegionsResolution = "Set the aggregator to cover all regions"

const AWSDAXEncryptedAtRest = "AWS081"

const AWSDAXEncryptedAtRestBadExample = `` /* 371-byte string literal not displayed */

const AWSDAXEncryptedAtRestDescription = "DAX Cluster should always encrypt data at rest"

const AWSDAXEncryptedAtRestExplanation = `` /* 182-byte string literal not displayed */

const AWSDAXEncryptedAtRestGoodExample = `` /* 149-byte string literal not displayed */

const AWSDAXEncryptedAtRestImpact = "Data can be freely read if compromised"

const AWSDAXEncryptedAtRestResolution = "Enable encryption at rest for DAX Cluster"

const AWSDontUseDefaultAWSVPC = "AWS082"

const AWSDontUseDefaultAWSVPCBadExample = `
resource "aws_default_vpc" "default" {
	tags = {
	  Name = "Default VPC"
	}
  }
`

const AWSDontUseDefaultAWSVPCDescription = "AWS best practice to not use the default VPC for workflows"

const AWSDontUseDefaultAWSVPCExplanation = `` /* 199-byte string literal not displayed */

const AWSDontUseDefaultAWSVPCGoodExample = `
# no aws default vpc present
`

const AWSDontUseDefaultAWSVPCImpact = "The default VPC does not have critical security features applied"

const AWSDontUseDefaultAWSVPCResolution = "Create a non-default vpc for resources to be created in"

const AWSDynamoDBRecoveryEnabled = "AWS086"

const AWSDynamoDBRecoveryEnabledBadExample = `` /* 284-byte string literal not displayed */

const AWSDynamoDBRecoveryEnabledDescription = "Point in time recovery should be enabled to protect DynamoDB table"

const AWSDynamoDBRecoveryEnabledExplanation = `` /* 238-byte string literal not displayed */

const AWSDynamoDBRecoveryEnabledGoodExample = `` /* 332-byte string literal not displayed */

const AWSDynamoDBRecoveryEnabledImpact = "Accidental or malicious writes and deletes can't be rolled back"

const AWSDynamoDBRecoveryEnabledResolution = "Enable point in time recovery"

const AWSDynamoDBTableEncryption = "AWS092"

const AWSDynamoDBTableEncryptionBadExample = `` /* 378-byte string literal not displayed */

const AWSDynamoDBTableEncryptionDescription = "DynamoDB tables should use at rest encryption with a Customer Managed Key"

const AWSDynamoDBTableEncryptionExplanation = `` /* 200-byte string literal not displayed */

const AWSDynamoDBTableEncryptionGoodExample = `` /* 551-byte string literal not displayed */

const AWSDynamoDBTableEncryptionImpact = "Using AWS managed keys does not allow for fine grained control"

const AWSDynamoDBTableEncryptionResolution = "Enable server side encryption with a customer managed key"

const AWSEC2InstanceSensitiveUserdata = "AWS062"

const AWSEC2InstanceSensitiveUserdataBadExample = `` /* 284-byte string literal not displayed */

const AWSEC2InstanceSensitiveUserdataDescription = "User data for EC2 instances must not contain sensitive AWS keys"

const AWSEC2InstanceSensitiveUserdataExplanation = `` /* 234-byte string literal not displayed */

const AWSEC2InstanceSensitiveUserdataGoodExample = `` /* 290-byte string literal not displayed */

const AWSEC2InstanceSensitiveUserdataImpact = "User data is visible through the AWS Management console"

const AWSEC2InstanceSensitiveUserdataResolution = "Remove sensitive data from the EC2 instance user-data"

const AWSECRRepoCustomerManagedKeys = "AWS093"

const AWSECRRepoCustomerManagedKeysBadExample = `` /* 176-byte string literal not displayed */

const AWSECRRepoCustomerManagedKeysDescription = "ECR Repository should use customer managed keys to allow more control"

const AWSECRRepoCustomerManagedKeysExplanation = `` /* 214-byte string literal not displayed */

const AWSECRRepoCustomerManagedKeysGoodExample = `` /* 340-byte string literal not displayed */

const AWSECRRepoCustomerManagedKeysImpact = "Using AWS managed keys does not allow for fine grained control"

const AWSECRRepoCustomerManagedKeysResolution = "Use customer managed keys"

const AWSECSClusterContainerInsights = "AWS090"

const AWSECSClusterContainerInsightsBadExample = `
resource "aws_ecs_cluster" "bad_example" {
  	name = "services-cluster"
}
`

const AWSECSClusterContainerInsightsDescription = "ECS clusters should have container insights enabled"

const AWSECSClusterContainerInsightsExplanation = `
Cloudwatch Container Insights provide more metrics and logs for container based applications and micro services.
`

const AWSECSClusterContainerInsightsGoodExample = `` /* 143-byte string literal not displayed */

const AWSECSClusterContainerInsightsImpact = "Not all metrics and logs may be gathered for containers when Container Insights isn't enabled"

const AWSECSClusterContainerInsightsResolution = "Enable Container Insights"

const AWSECSTaskDefinitionEncryptionInTransit = "AWS096"

const AWSECSTaskDefinitionEncryptionInTransitBadExample = `` /* 442-byte string literal not displayed */

const AWSECSTaskDefinitionEncryptionInTransitDescription = "ECS Task Definitions with EFS volumes should use in-transit encryption"

const AWSECSTaskDefinitionEncryptionInTransitExplanation = `` /* 165-byte string literal not displayed */

const AWSECSTaskDefinitionEncryptionInTransitGoodExample = `` /* 514-byte string literal not displayed */

const AWSECSTaskDefinitionEncryptionInTransitImpact = "Intercepted traffic to and from EFS may lead to data loss"

const AWSECSTaskDefinitionEncryptionInTransitResolution = "Enable in transit encryption when using efs"

const AWSEKSClusterNotOpenPublicly = "AWS068"

const AWSEKSClusterNotOpenPubliclyBadExample = `` /* 193-byte string literal not displayed */

const AWSEKSClusterNotOpenPubliclyDescription = "EKS cluster should not have open CIDR range for public access"

const AWSEKSClusterNotOpenPubliclyExplanation = `` /* 163-byte string literal not displayed */

const AWSEKSClusterNotOpenPubliclyGoodExample = `` /* 240-byte string literal not displayed */

const AWSEKSClusterNotOpenPubliclyImpact = "EKS can be access from the internet"

const AWSEKSClusterNotOpenPubliclyResolution = "Don't enable public access to EKS Clusters"

const AWSEKSClusterPublicAccessDisabled = "AWS069"

const AWSEKSClusterPublicAccessDisabledBadExample = `` /* 225-byte string literal not displayed */

const AWSEKSClusterPublicAccessDisabledDescription = "EKS Clusters should have the public access disabled"

const AWSEKSClusterPublicAccessDisabledExplanation = `` /* 131-byte string literal not displayed */

const AWSEKSClusterPublicAccessDisabledGoodExample = `` /* 196-byte string literal not displayed */

const AWSEKSClusterPublicAccessDisabledImpact = "EKS can be access from the internet"

const AWSEKSClusterPublicAccessDisabledResolution = "Don't enable public access to EKS Clusters"

const AWSEKSHasControlPlaneLoggingEnabled = "AWS067"

const AWSEKSHasControlPlaneLoggingEnabledBadExample = `` /* 300-byte string literal not displayed */

const AWSEKSHasControlPlaneLoggingEnabledDescription = "EKS Clusters should have cluster control plane logging turned on"

const AWSEKSHasControlPlaneLoggingEnabledExplanation = `` /* 204-byte string literal not displayed */

const AWSEKSHasControlPlaneLoggingEnabledGoodExample = `` /* 400-byte string literal not displayed */

const AWSEKSHasControlPlaneLoggingEnabledImpact = "Logging provides valuable information about access and usage"

const AWSEKSHasControlPlaneLoggingEnabledResolution = "Enable logging for the EKS control plane"

const AWSEKSSecretsEncryptionEnabled = "AWS066"

const AWSEKSSecretsEncryptionEnabledBadExample = `` /* 173-byte string literal not displayed */

const AWSEKSSecretsEncryptionEnabledDescription = "EKS should have the encryption of secrets enabled"

const AWSEKSSecretsEncryptionEnabledExplanation = `
EKS cluster resources should have the encryption_config block set with protection of the secrets resource.
`

const AWSEKSSecretsEncryptionEnabledGoodExample = `` /* 302-byte string literal not displayed */

const AWSEKSSecretsEncryptionEnabledImpact = "EKS secrets could be read if compromised"

const AWSEKSSecretsEncryptionEnabledResolution = "Enable encryption of EKS secrets"

const AWSESDomainLoggingEnabled = "AWS070"

const AWSESDomainLoggingEnabledBadExample = `` /* 278-byte string literal not displayed */

const AWSESDomainLoggingEnabledDescription = "AWS ES Domain should have logging enabled"

const AWSESDomainLoggingEnabledExplanation = `
AWS ES domain should have logging enabled by default.
`

const AWSESDomainLoggingEnabledGoodExample = `` /* 263-byte string literal not displayed */

const AWSESDomainLoggingEnabledImpact = "Logging provides vital information about access and usage"

const AWSESDomainLoggingEnabledResolution = "Enable logging for ElasticSearch domains"

const AWSEcrImageScanNotEnabled = "AWS023"

const AWSEcrImageScanNotEnabledBadExample = `` /* 178-byte string literal not displayed */

const AWSEcrImageScanNotEnabledDescription = "ECR repository has image scans disabled."

const AWSEcrImageScanNotEnabledExplanation = `` /* 126-byte string literal not displayed */

const AWSEcrImageScanNotEnabledGoodExample = `` /* 178-byte string literal not displayed */

const AWSEcrImageScanNotEnabledImpact = "The ability to scan images is not being used and vulnerabilities will not be highlighted"

const AWSEcrImageScanNotEnabledResolution = "Enable ECR image scanning"

const AWSEcrImagesHaveImmutableTags = "AWS078"

const AWSEcrImagesHaveImmutableTagsBadExample = `` /* 177-byte string literal not displayed */

const AWSEcrImagesHaveImmutableTagsDescription = "ECR images tags shouldn't be mutable."

const AWSEcrImagesHaveImmutableTagsExplanation = `` /* 178-byte string literal not displayed */

const AWSEcrImagesHaveImmutableTagsGoodExample = `` /* 180-byte string literal not displayed */

const AWSEcrImagesHaveImmutableTagsImpact = "Image tags could be overwritten with compromised images"

const AWSEcrImagesHaveImmutableTagsResolution = "Only use immutable images in ECR"

const AWSEfsEncryptionNotEnabled = "AWS048"

const AWSEfsEncryptionNotEnabledBadExample = `
resource "aws_efs_file_system" "bad_example" {
  name       = "bar"
  encrypted  = false
  kms_key_id = ""
}`

const AWSEfsEncryptionNotEnabledDescription = "EFS Encryption has not been enabled"

const AWSEfsEncryptionNotEnabledExplanation = `` /* 254-byte string literal not displayed */

const AWSEfsEncryptionNotEnabledGoodExample = `
resource "aws_efs_file_system" "good_example" {
  name       = "bar"
  encrypted  = true
  kms_key_id = "my_kms_key"
}`

const AWSEfsEncryptionNotEnabledImpact = "Data can be read from the EFS if compromised"

const AWSEfsEncryptionNotEnabledResolution = "Enable encryption for EFS"

const AWSElasticSearchHasDomainLogging = "AWS057"

const AWSElasticSearchHasDomainLoggingBadExample = `` /* 434-byte string literal not displayed */

const AWSElasticSearchHasDomainLoggingDescription = "Domain logging should be enabled for Elastic Search domains"

const AWSElasticSearchHasDomainLoggingExplanation = `` /* 355-byte string literal not displayed */

const AWSElasticSearchHasDomainLoggingGoodExample = `` /* 622-byte string literal not displayed */

const AWSElasticSearchHasDomainLoggingImpact = "Logging provides vital information about access and usage"

const AWSElasticSearchHasDomainLoggingResolution = "Enable logging for ElasticSearch domains"

const AWSEnsureAthenaDbEncrypted = "AWS059"

const AWSEnsureAthenaDbEncryptedBadExample = `` /* 404-byte string literal not displayed */

const AWSEnsureAthenaDbEncryptedDescription = "Athena databases and workgroup configurations are created unencrypted at rest by default, they should be encrypted"

const AWSEnsureAthenaDbEncryptedExplanation = `` /* 206-byte string literal not displayed */

const AWSEnsureAthenaDbEncryptedGoodExample = `` /* 655-byte string literal not displayed */

const AWSEnsureAthenaDbEncryptedImpact = "Data can be read if the Athena Database is compromised"

const AWSEnsureAthenaDbEncryptedResolution = "Enable encryption at rest for Athena databases and workgroup configurations"

const AWSExternallyExposedLoadBalancer = "AWS005"

const AWSExternallyExposedLoadBalancerBadExample = `
resource "aws_alb" "bad_example" {
	internal = false
}
`

const AWSExternallyExposedLoadBalancerDescription = "Load balancer is exposed to the internet."

const AWSExternallyExposedLoadBalancerExplanation = `` /* 250-byte string literal not displayed */

const AWSExternallyExposedLoadBalancerGoodExample = `
resource "aws_alb" "good_example" {
	internal = true
}
`

const AWSExternallyExposedLoadBalancerImpact = "The load balancer is exposed on the internet"

const AWSExternallyExposedLoadBalancerResolution = "Switch to an internal load balancer or add a tfsec ignore"

const AWSIAMPolicyShouldUsePrincipleOfLeastPrivilege = "AWS099"

const AWSIAMPolicyShouldUsePrincipleOfLeastPrivilegeBadExample = `` /* 684-byte string literal not displayed */

const AWSIAMPolicyShouldUsePrincipleOfLeastPrivilegeDescription = "IAM policy should avoid use of wildcards and instead apply the principle of least privilege"

const AWSIAMPolicyShouldUsePrincipleOfLeastPrivilegeExplanation = `` /* 267-byte string literal not displayed */

const AWSIAMPolicyShouldUsePrincipleOfLeastPrivilegeGoodExample = `` /* 714-byte string literal not displayed */

const AWSIAMPolicyShouldUsePrincipleOfLeastPrivilegeImpact = "Overly permissive policies may grant access to sensitive resources"

const AWSIAMPolicyShouldUsePrincipleOfLeastPrivilegeResolution = "Specify the exact permissions required, and to which resources they should apply instead of using wildcards."

const AWSIamPolicyWildcardActions = "AWS046"

const AWSIamPolicyWildcardActionsBadExample = `
data "aws_iam_policy_document" "bad_example" {
	statement {
		sid = "1"

        actions = [
      		"*"
    	]
	}
}
`

const AWSIamPolicyWildcardActionsDescription = "AWS IAM policy document has wildcard action statement."

const AWSIamPolicyWildcardActionsExplanation = `
IAM profiles should be configured with the specific, minimum set of permissions required.
`

const AWSIamPolicyWildcardActionsGoodExample = `` /* 170-byte string literal not displayed */

const AWSIamPolicyWildcardActionsImpact = "IAM policies with wildcard actions allow more that is required"

const AWSIamPolicyWildcardActionsResolution = "Keep policy scope to the minimum that is required to be effective"

const AWSIngorePublicAclS3 = "AWS073"

const AWSIngorePublicAclS3BadExample = `` /* 229-byte string literal not displayed */

const AWSIngorePublicAclS3Description = "S3 Access Block should Ignore Public Acl"

const AWSIngorePublicAclS3Explanation = `` /* 191-byte string literal not displayed */

const AWSIngorePublicAclS3GoodExample = `` /* 130-byte string literal not displayed */

const AWSIngorePublicAclS3Impact = "PUT calls with public ACLs specified can make objects public"

const AWSIngorePublicAclS3Resolution = "Enable ignoring the application of public ACLs in PUT calls"

const AWSInstanceMetadataChec = "AWS079"

const AWSInstanceMetadataChecBadExample = `
resource "aws_instance" "bad_example" {
  ami           = "ami-005e54dee72cc1d00"
  instance_type = "t2.micro"
}
`

const AWSInstanceMetadataChecDescription = "aws_instance should activate session tokens for Instance Metadata Service."

const AWSInstanceMetadataChecExplanation = `` /* 389-byte string literal not displayed */

const AWSInstanceMetadataChecGoodExample = `` /* 167-byte string literal not displayed */

const AWSInstanceMetadataChecImpact = "Instance metadata service can be interacted with freely"

const AWSInstanceMetadataChecResolution = "Enable HTTP token requirement for IMDS"

const AWSKMSManagedPoliciesShouldNotAllowDecryptionActionsOnAllKMSKeys = "AWS097"

const AWSKMSManagedPoliciesShouldNotAllowDecryptionActionsOnAllKMSKeysBadExample = `` /* 688-byte string literal not displayed */

const AWSKMSManagedPoliciesShouldNotAllowDecryptionActionsOnAllKMSKeysDescription = "IAM customer managed policies should not allow decryption actions on all KMS keys"

const AWSKMSManagedPoliciesShouldNotAllowDecryptionActionsOnAllKMSKeysExplanation = `` /* 344-byte string literal not displayed */

const AWSKMSManagedPoliciesShouldNotAllowDecryptionActionsOnAllKMSKeysGoodExample = `` /* 707-byte string literal not displayed */

const AWSKMSManagedPoliciesShouldNotAllowDecryptionActionsOnAllKMSKeysImpact = "Identities may be able to decrypt data which they should not have access to"

const AWSKMSManagedPoliciesShouldNotAllowDecryptionActionsOnAllKMSKeysResolution = "Scope down the resources of the IAM policy to specific keys"

const AWSLaunchConfigurationWithUnencryptedBlockDevice = "AWS014"

const AWSLaunchConfigurationWithUnencryptedBlockDeviceBadExample = `
resource "aws_launch_configuration" "bad_example" {
	root_block_device {
		encrypted = false
	}
}
`

const AWSLaunchConfigurationWithUnencryptedBlockDeviceDescription = "Launch configuration with unencrypted block device."

const AWSLaunchConfigurationWithUnencryptedBlockDeviceExplanation = `
Blocks devices should be encrypted to ensure sensitive data is held securely at rest.
`

const AWSLaunchConfigurationWithUnencryptedBlockDeviceGoodExample = `
resource "aws_launch_configuration" "good_example" {
	root_block_device {
		encrypted = true
	}
}
`

const AWSLaunchConfigurationWithUnencryptedBlockDeviceImpact = "The block device is could be compromised and read from"

const AWSLaunchConfigurationWithUnencryptedBlockDeviceResolution = "Turn on encryption for all block devices"

const AWSNoBucketLogging = "AWS002"

const AWSNoBucketLoggingBadExample = `
resource "aws_s3_bucket" "bad_example" {

}
`

const AWSNoBucketLoggingDescription = "S3 Bucket does not have logging enabled."

const AWSNoBucketLoggingExplanation = `
Buckets should have logging enabled so that access can be audited. 
`

const AWSNoBucketLoggingGoodExample = `
resource "aws_s3_bucket" "good_example" {
	logging {
		target_bucket = "target-bucket"
	}
}
`

const AWSNoBucketLoggingImpact = "There is no way to determine the access to this bucket"

const AWSNoBucketLoggingResolution = "Add a logging block to the resource to enable access logging"

const AWSNoDescriptionInSecurityGroup = "AWS018"

const AWSNoDescriptionInSecurityGroupBadExample = `` /* 233-byte string literal not displayed */

const AWSNoDescriptionInSecurityGroupDescription = "Missing description for security group/security group rule."

const AWSNoDescriptionInSecurityGroupExplanation = `` /* 157-byte string literal not displayed */

const AWSNoDescriptionInSecurityGroupGoodExample = `` /* 279-byte string literal not displayed */

const AWSNoDescriptionInSecurityGroupImpact = "Descriptions provide context for the firewall rule reasons"

const AWSNoDescriptionInSecurityGroupResolution = "Add descriptions for all security groups and rules"

const AWSNoKMSAutoRotate = "AWS019"

const AWSNoKMSAutoRotateBadExample = `
resource "aws_kms_key" "bad_example" {
	enable_key_rotation = false
}
`

const AWSNoKMSAutoRotateDescription = "A KMS key is not configured to auto-rotate."

const AWSNoKMSAutoRotateExplanation = `
You should configure your KMS keys to auto rotate to maintain security and defend against compromise.
`

const AWSNoKMSAutoRotateGoodExample = `
resource "aws_kms_key" "good_example" {
	enable_key_rotation = true
}
`

const AWSNoKMSAutoRotateImpact = "Long life KMS keys increase the attack surface when compromised"

const AWSNoKMSAutoRotateResolution = "Configure KMS key to auto rotate"

const AWSOpenAllIngressNetworkACLRule = "AWS050"

const AWSOpenAllIngressNetworkACLRuleBadExample = `` /* 159-byte string literal not displayed */

const AWSOpenAllIngressNetworkACLRuleDescription = "An ingress Network ACL rule allows ALL ports from /0."

const AWSOpenAllIngressNetworkACLRuleExplanation = `` /* 207-byte string literal not displayed */

const AWSOpenAllIngressNetworkACLRuleGoodExample = `` /* 204-byte string literal not displayed */

const AWSOpenAllIngressNetworkACLRuleImpact = "All ports exposed for egressing data to the internet"

const AWSOpenAllIngressNetworkACLRuleResolution = "Set a more restrictive cidr range"

const AWSOpenEgressSecurityGroupInlineRule = "AWS009"

const AWSOpenEgressSecurityGroupInlineRuleBadExample = `
resource "aws_security_group" "bad_example" {
	egress {
		cidr_blocks = ["0.0.0.0/0"]
	}
}
`

const AWSOpenEgressSecurityGroupInlineRuleDescription = "An inline egress security group rule allows traffic to /0."

const AWSOpenEgressSecurityGroupInlineRuleExplanation = `` /* 165-byte string literal not displayed */

const AWSOpenEgressSecurityGroupInlineRuleGoodExample = `
resource "aws_security_group" "good_example" {
	egress {
		cidr_blocks = ["1.2.3.4/32"]
	}
}
`

const AWSOpenEgressSecurityGroupInlineRuleImpact = "The port is exposed for egressing data to the internet"

const AWSOpenEgressSecurityGroupInlineRuleResolution = "Set a more restrictive cidr range"

const AWSOpenEgressSecurityGroupRule = "AWS007"

const AWSOpenEgressSecurityGroupRuleBadExample = `
resource "aws_security_group_rule" "bad_example" {
	type = "egress"
	cidr_blocks = ["0.0.0.0/0"]
}
`

const AWSOpenEgressSecurityGroupRuleDescription = "An egress security group rule allows traffic to /0."

const AWSOpenEgressSecurityGroupRuleExplanation = `` /* 182-byte string literal not displayed */

const AWSOpenEgressSecurityGroupRuleGoodExample = `
resource "aws_security_group_rule" "good_example" {
	type = "egress"
	cidr_blocks = ["10.0.0.0/16"]
}
`

const AWSOpenEgressSecurityGroupRuleImpact = "Your port is egressing data to the internet"

const AWSOpenEgressSecurityGroupRuleResolution = "Set a more restrictive cidr range"

const AWSOpenIngressNetworkACLRule = "AWS049"

const AWSOpenIngressNetworkACLRuleBadExample = `` /* 203-byte string literal not displayed */

const AWSOpenIngressNetworkACLRuleDescription = "An ingress Network ACL rule allows specific ports from /0."

const AWSOpenIngressNetworkACLRuleExplanation = `` /* 163-byte string literal not displayed */

const AWSOpenIngressNetworkACLRuleGoodExample = `` /* 206-byte string literal not displayed */

const AWSOpenIngressNetworkACLRuleImpact = "The ports are exposed for ingressing data to the internet"

const AWSOpenIngressNetworkACLRuleResolution = "Set a more restrictive cidr range"

const AWSOpenIngressSecurityGroupInlineRule = "AWS008"

const AWSOpenIngressSecurityGroupInlineRuleBadExample = `
resource "aws_security_group" "bad_example" {
	ingress {
		cidr_blocks = ["0.0.0.0/0"]
	}
}
`

const AWSOpenIngressSecurityGroupInlineRuleDescription = "An inline ingress security group rule allows traffic from /0."

const AWSOpenIngressSecurityGroupInlineRuleExplanation = `` /* 165-byte string literal not displayed */

const AWSOpenIngressSecurityGroupInlineRuleGoodExample = `
resource "aws_security_group" "good_example" {
	ingress {
		cidr_blocks = ["1.2.3.4/32"]
	}
}
`

const AWSOpenIngressSecurityGroupInlineRuleImpact = "The port is exposed for ingress from the internet"

const AWSOpenIngressSecurityGroupInlineRuleResolution = "Set a more restrictive cidr range"

const AWSOpenIngressSecurityGroupRule = "AWS006"

const AWSOpenIngressSecurityGroupRuleBadExample = `
resource "aws_security_group_rule" "bad_example" {
	type = "ingress"
	cidr_blocks = ["0.0.0.0/0"]
}
`

const AWSOpenIngressSecurityGroupRuleDescription = "An ingress security group rule allows traffic from /0."

const AWSOpenIngressSecurityGroupRuleExplanation = `` /* 165-byte string literal not displayed */

const AWSOpenIngressSecurityGroupRuleGoodExample = `
resource "aws_security_group_rule" "good_example" {
	type = "ingress"
	cidr_blocks = ["10.0.0.0/16"]
}
`

const AWSOpenIngressSecurityGroupRuleImpact = "Your port exposed to the internet"

const AWSOpenIngressSecurityGroupRuleResolution = "Set a more restrictive cidr range"

const AWSOutdatedSSLPolicy = "AWS010"

const AWSOutdatedSSLPolicyBadExample = `
resource "aws_alb_listener" "bad_example" {
	ssl_policy = "ELBSecurityPolicy-TLS-1-1-2017-01"
	protocol = "HTTPS"
}
`

const AWSOutdatedSSLPolicyDescription = "An outdated SSL policy is in use by a load balancer."

const AWSOutdatedSSLPolicyExplanation = `
You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+. 
`

const AWSOutdatedSSLPolicyGoodExample = `
resource "aws_alb_listener" "good_example" {
	ssl_policy = "ELBSecurityPolicy-TLS-1-2-2017-01"
	protocol = "HTTPS"
}
`

const AWSOutdatedSSLPolicyImpact = "The SSL policy is outdated and has known vulnerabilities"

const AWSOutdatedSSLPolicyResolution = "Use a more recent TLS/SSL policy for the load balancer"

const AWSOutdatedTLSPolicyElasticsearchDomainEndpoint = "AWS034"

const AWSOutdatedTLSPolicyElasticsearchDomainEndpointBadExample = `` /* 197-byte string literal not displayed */

const AWSOutdatedTLSPolicyElasticsearchDomainEndpointDescription = "Elasticsearch domain endpoint is using outdated TLS policy."

const AWSOutdatedTLSPolicyElasticsearchDomainEndpointExplanation = `
You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.
`

const AWSOutdatedTLSPolicyElasticsearchDomainEndpointGoodExample = `` /* 198-byte string literal not displayed */

const AWSOutdatedTLSPolicyElasticsearchDomainEndpointImpact = "Outdated SSL policies increase exposure to known vulnerabilities"

const AWSOutdatedTLSPolicyElasticsearchDomainEndpointResolution = "Use the most modern TLS/SSL policies available"

const AWSPlainHTTP = "AWS004"

const AWSPlainHTTPBadExample = `
resource "aws_alb_listener" "bad_example" {
	protocol = "HTTP"
}
`

const AWSPlainHTTPDescription = "Use of plain HTTP."

const AWSPlainHTTPExplanation = `` /* 309-byte string literal not displayed */

const AWSPlainHTTPGoodExample = `
resource "aws_alb_listener" "good_example" {
	protocol = "HTTPS"
}
`

const AWSPlainHTTPImpact = "Your traffic is not protected"

const AWSPlainHTTPResolution = "Switch to HTTPS to benefit from TLS security features"

const AWSPlaintextNodeToNodeElasticsearchTraffic = "AWS032"

const AWSPlaintextNodeToNodeElasticsearchTrafficBadExample = `` /* 137-byte string literal not displayed */

const AWSPlaintextNodeToNodeElasticsearchTrafficDescription = "Elasticsearch domain uses plaintext traffic for node to node communication."

const AWSPlaintextNodeToNodeElasticsearchTrafficExplanation = `
Traffic flowing between Elasticsearch nodes should be encrypted to ensure sensitive data is kept private.
`

const AWSPlaintextNodeToNodeElasticsearchTrafficGoodExample = `` /* 137-byte string literal not displayed */

const AWSPlaintextNodeToNodeElasticsearchTrafficImpact = "In transit data between nodes could be read if intercepted"

const AWSPlaintextNodeToNodeElasticsearchTrafficResolution = "Enable encrypted node to node communication"

const AWSProviderHasAccessCredentials = "AWS044"

const AWSProviderHasAccessCredentialsBadExample = `
provider "aws" {
  access_key = "AKIAABCD12ABCDEF1ABC"
  secret_key = "s8d7ghas9dghd9ophgs9"
}
`

const AWSProviderHasAccessCredentialsDescription = "AWS provider has access credentials specified."

const AWSProviderHasAccessCredentialsExplanation = `` /* 138-byte string literal not displayed */

const AWSProviderHasAccessCredentialsGoodExample = `
provider "aws" {
}
`

const AWSProviderHasAccessCredentialsImpact = "Exposing the credentials in the Terraform provider increases the risk of secret leakage"

const AWSProviderHasAccessCredentialsResolution = "Don't include access credentials in plain text"

const AWSPubliclyAccessibleResource = "AWS011"

const AWSPubliclyAccessibleResourceBadExample = `
resource "aws_db_instance" "bad_example" {
	publicly_accessible = true
}
`

const AWSPubliclyAccessibleResourceDescription = "A database resource is marked as publicly accessible."

const AWSPubliclyAccessibleResourceExplanation = `` /* 146-byte string literal not displayed */

const AWSPubliclyAccessibleResourceGoodExample = `
resource "aws_db_instance" "good_example" {
	publicly_accessible = false
}
`

const AWSPubliclyAccessibleResourceImpact = "The database instance is publicly accessible"

const AWSPubliclyAccessibleResourceResolution = "Set the database to not be publicly accessible"

const AWSRDSAuroraClusterEncryptionDisabled = "AWS051"

const AWSRDSAuroraClusterEncryptionDisabledBadExample = `
resource "aws_rds_cluster" "bad_example" {
  name       = "bar"
  kms_key_id = ""
}`

const AWSRDSAuroraClusterEncryptionDisabledDescription = "There is no encryption specified or encryption is disabled on the RDS Cluster."

const AWSRDSAuroraClusterEncryptionDisabledExplanation = `` /* 160-byte string literal not displayed */

const AWSRDSAuroraClusterEncryptionDisabledGoodExample = `` /* 195-byte string literal not displayed */

const AWSRDSAuroraClusterEncryptionDisabledImpact = "Data can be read from the RDS cluster if it is compromised"

const AWSRDSAuroraClusterEncryptionDisabledResolution = "Enable encryption for RDS clusters and instances"

const AWSRDSEncryptionNotEnabled = "AWS052"

const AWSRDSEncryptionNotEnabledBadExample = `
resource "aws_db_instance" "bad_example" {
	
}
`

const AWSRDSEncryptionNotEnabledDescription = "RDS encryption has not been enabled at a DB Instance level."

const AWSRDSEncryptionNotEnabledExplanation = `
Encryption should be enabled for an RDS Database instances. 

When enabling encryption by setting the kms_key_id. 
`

const AWSRDSEncryptionNotEnabledGoodExample = `
resource "aws_db_instance" "good_example" {
	storage_encrypted  = true
}
`

const AWSRDSEncryptionNotEnabledImpact = "Data can be read from the RDS instances if it is compromised"

const AWSRDSEncryptionNotEnabledResolution = "Enable encryption for RDS clusters and instances"

const AWSRDSPerformanceInsughtsEncryptionNotEnabled = "AWS053"

const AWSRDSPerformanceInsughtsEncryptionNotEnabledBadExample = `` /* 163-byte string literal not displayed */

const AWSRDSPerformanceInsughtsEncryptionNotEnabledDescription = "Encryption for RDS Performance Insights should be enabled."

const AWSRDSPerformanceInsughtsEncryptionNotEnabledExplanation = `
When enabling Performance Insights on an RDS cluster or RDS DB Instance, and encryption key should be provided.

The encryption key specified in ` + "`" + `performance_insights_kms_key_id` + "`" + ` references a KMS ARN
`

const AWSRDSPerformanceInsughtsEncryptionNotEnabledGoodExample = `` /* 239-byte string literal not displayed */

const AWSRDSPerformanceInsughtsEncryptionNotEnabledImpact = "Data can be read from the RDS Performance Insights if it is compromised"

const AWSRDSPerformanceInsughtsEncryptionNotEnabledResolution = "Enable encryption for RDS clusters and instances"

const AWSRDSRetentionPeriod = "AWS091"

const AWSRDSRetentionPeriodBadExample = `` /* 745-byte string literal not displayed */

const AWSRDSRetentionPeriodDescription = "RDS Cluster and RDS instance should have backup retention longer than default 1 day"

const AWSRDSRetentionPeriodExplanation = `` /* 210-byte string literal not displayed */

const AWSRDSRetentionPeriodGoodExample = `` /* 807-byte string literal not displayed */

const AWSRDSRetentionPeriodImpact = "Potential loss of data and short opportunity for recovery"

const AWSRDSRetentionPeriodResolution = "Explicitly set the retention period to greater than the default"

const AWSRedisClusterBackupRetention = "AWS088"

const AWSRedisClusterBackupRetentionBadExample = `` /* 300-byte string literal not displayed */

const AWSRedisClusterBackupRetentionDescription = "Redis cluster should have backup retention turned on"

const AWSRedisClusterBackupRetentionExplanation = `
Redis clusters should have a snapshot retention time to ensure that they are backed up and can be restored if required.
`

const AWSRedisClusterBackupRetentionGoodExample = `` /* 332-byte string literal not displayed */

const AWSRedisClusterBackupRetentionImpact = "Without backups of the redis cluster recovery is made difficult"

const AWSRedisClusterBackupRetentionResolution = "Configure snapshot retention for redis cluster"

const AWSRedshiftAtRestEncryption = "AWS094"

const AWSRedshiftAtRestEncryptionBadExample = `` /* 270-byte string literal not displayed */

const AWSRedshiftAtRestEncryptionDescription = "Redshift clusters should use at rest encryption"

const AWSRedshiftAtRestEncryptionExplanation = `` /* 170-byte string literal not displayed */

const AWSRedshiftAtRestEncryptionGoodExample = `` /* 417-byte string literal not displayed */

const AWSRedshiftAtRestEncryptionImpact = "Data may be leaked if infrastructure is compromised"

const AWSRedshiftAtRestEncryptionResolution = "Enable encryption using CMK"

const AWSRedshiftNotDeployedInEC2Classic = "AWS087"

const AWSRedshiftNotDeployedInEC2ClassicBadExample = `` /* 264-byte string literal not displayed */

const AWSRedshiftNotDeployedInEC2ClassicDescription = "Redshift cluster should be deployed into a specific VPC"

const AWSRedshiftNotDeployedInEC2ClassicExplanation = `` /* 288-byte string literal not displayed */

const AWSRedshiftNotDeployedInEC2ClassicGoodExample = `` /* 313-byte string literal not displayed */

const AWSRedshiftNotDeployedInEC2ClassicImpact = "Redshift cluster does not benefit from VPC security if it is deployed in EC2 classic mode"

const AWSRedshiftNotDeployedInEC2ClassicResolution = "Deploy Redshift cluster into a non default VPC"

const AWSResourceHasPublicIP = "AWS012"

const AWSResourceHasPublicIPBadExample = `
resource "aws_launch_configuration" "bad_example" {
	associate_public_ip_address = true
}
`

const AWSResourceHasPublicIPDescription = "A resource has a public IP address."

const AWSResourceHasPublicIPExplanation = `` /* 218-byte string literal not displayed */

const AWSResourceHasPublicIPGoodExample = `
resource "aws_launch_configuration" "good_example" {
	associate_public_ip_address = false
}
`

const AWSResourceHasPublicIPImpact = "The instance or configuration is publicly accessible"

const AWSResourceHasPublicIPResolution = "Set the instance to not be publicly accessible"

const AWSRestrictPublicBucketS3 = "AWS075"

const AWSRestrictPublicBucketS3BadExample = `` /* 234-byte string literal not displayed */

const AWSRestrictPublicBucketS3Description = "S3 Access block should restrict public bucket to limit access"

const AWSRestrictPublicBucketS3Explanation = `` /* 179-byte string literal not displayed */

const AWSRestrictPublicBucketS3GoodExample = `` /* 135-byte string literal not displayed */

const AWSRestrictPublicBucketS3Impact = "Public buckets can be accessed by anyone"

const AWSRestrictPublicBucketS3Resolution = "Limit the access to public buckets to only the owner or AWS Services (eg; CloudFront)"

const AWSS3BucketShouldHavePublicAccessBlock = "AWS098"

const AWSS3BucketShouldHavePublicAccessBlockBadExample = `
resource "aws_s3_bucket" "example" {
	bucket = "example"
	acl = "private-read"
}
`

const AWSS3BucketShouldHavePublicAccessBlockDescription = "S3 buckets should each define an aws_s3_bucket_public_access_block"

const AWSS3BucketShouldHavePublicAccessBlockExplanation = `` /* 337-byte string literal not displayed */

const AWSS3BucketShouldHavePublicAccessBlockGoodExample = `` /* 235-byte string literal not displayed */

const AWSS3BucketShouldHavePublicAccessBlockImpact = "Public access policies may be applied to sensitive data buckets"

const AWSS3BucketShouldHavePublicAccessBlockResolution = "Define a aws_s3_bucket_public_access_block for the given bucket to control public access policies"

const AWSS3DataShouldBeVersioned = "AWS077"

const AWSS3DataShouldBeVersionedBadExample = `
resource "aws_s3_bucket" "bad_example" {

}
`

const AWSS3DataShouldBeVersionedDescription = "S3 Data should be versioned"

const AWSS3DataShouldBeVersionedExplanation = `` /* 331-byte string literal not displayed */

const AWSS3DataShouldBeVersionedGoodExample = `
resource "aws_s3_bucket" "good_example" {

	versioning {
		enabled = true
	}
}
`

const AWSS3DataShouldBeVersionedImpact = "Deleted or modified data would not be recoverable"

const AWSS3DataShouldBeVersionedResolution = "Enable versioning to protect against accidental/malicious removal or modification"

const AWSSecretsManagerSecretEncryption = "AWS095"

const AWSSecretsManagerSecretEncryptionBadExample = `
resource "aws_secretsmanager_secret" "bad_example" {
  name       = "lambda_password"
}
`

const AWSSecretsManagerSecretEncryptionDescription = "Secrets Manager should use customer managed keys"

const AWSSecretsManagerSecretEncryptionExplanation = `` /* 170-byte string literal not displayed */

const AWSSecretsManagerSecretEncryptionGoodExample = `` /* 195-byte string literal not displayed */

const AWSSecretsManagerSecretEncryptionImpact = "Using AWS managed keys reduces the flexibility and control over the encryption key"

const AWSSecretsManagerSecretEncryptionResolution = "Use customer managed keys"

const AWSSqsPolicyWildcardActions = "AWS047"

const AWSSqsPolicyWildcardActionsBadExample = `` /* 218-byte string literal not displayed */

const AWSSqsPolicyWildcardActionsDescription = "AWS SQS policy document has wildcard action statement."

const AWSSqsPolicyWildcardActionsExplanation = `` /* 216-byte string literal not displayed */

const AWSSqsPolicyWildcardActionsGoodExample = `` /* 233-byte string literal not displayed */

const AWSSqsPolicyWildcardActionsImpact = "SQS policies with wildcard actions allow more that is required"

const AWSSqsPolicyWildcardActionsResolution = "Keep policy scope to the minimum that is required to be effective"

const AWSTaskDefinitionWithSensitiveEnvironmentVariables = "AWS013"

const AWSTaskDefinitionWithSensitiveEnvironmentVariablesBadExample = `` /* 313-byte string literal not displayed */

const AWSTaskDefinitionWithSensitiveEnvironmentVariablesDescription = "Task definition defines sensitive environment variable(s)."

const AWSTaskDefinitionWithSensitiveEnvironmentVariablesExplanation = `` /* 178-byte string literal not displayed */

const AWSTaskDefinitionWithSensitiveEnvironmentVariablesGoodExample = `` /* 255-byte string literal not displayed */

const AWSTaskDefinitionWithSensitiveEnvironmentVariablesImpact = "Sensitive data could be exposed in the AWS Management Console"

const AWSTaskDefinitionWithSensitiveEnvironmentVariablesResolution = "Use secrets for the task definition"

const AWSUnencryptedAtRestElasticacheReplicationGroup = "AWS035"

const AWSUnencryptedAtRestElasticacheReplicationGroupBadExample = `` /* 202-byte string literal not displayed */

const AWSUnencryptedAtRestElasticacheReplicationGroupDescription = "Unencrypted Elasticache Replication Group."

const AWSUnencryptedAtRestElasticacheReplicationGroupExplanation = `` /* 139-byte string literal not displayed */

const AWSUnencryptedAtRestElasticacheReplicationGroupGoodExample = `` /* 202-byte string literal not displayed */

const AWSUnencryptedAtRestElasticacheReplicationGroupImpact = "Data in the replication group could be readable if compromised"

const AWSUnencryptedAtRestElasticacheReplicationGroupResolution = "Enable encryption for replication group"

const AWSUnencryptedCloudFrontCommunications = "AWS020"

const AWSUnencryptedCloudFrontCommunicationsBadExample = `` /* 131-byte string literal not displayed */

const AWSUnencryptedCloudFrontCommunicationsDescription = "CloudFront distribution allows unencrypted (HTTP) communications."

const AWSUnencryptedCloudFrontCommunicationsExplanation = `` /* 309-byte string literal not displayed */

const AWSUnencryptedCloudFrontCommunicationsGoodExample = `` /* 140-byte string literal not displayed */

const AWSUnencryptedCloudFrontCommunicationsImpact = "CloudFront is available through an unencrypted connection"

const AWSUnencryptedCloudFrontCommunicationsResolution = "Only allow HTTPS for CloudFront distribution communication"

const AWSUnencryptedElasticsearchDomain = "AWS031"

const AWSUnencryptedElasticsearchDomainBadExample = `` /* 129-byte string literal not displayed */

const AWSUnencryptedElasticsearchDomainDescription = "Elasticsearch domain isn't encrypted at rest."

const AWSUnencryptedElasticsearchDomainExplanation = `` /* 142-byte string literal not displayed */

const AWSUnencryptedElasticsearchDomainGoodExample = `` /* 129-byte string literal not displayed */

const AWSUnencryptedElasticsearchDomainImpact = "Data will be readable if compromised"

const AWSUnencryptedElasticsearchDomainResolution = "Enable ElasticSearch domain encryption"

const AWSUnencryptedInTransitElasticacheReplicationGroup = "AWS036"

const AWSUnencryptedInTransitElasticacheReplicationGroupBadExample = `` /* 202-byte string literal not displayed */

const AWSUnencryptedInTransitElasticacheReplicationGroupDescription = "Elasticache Replication Group uses unencrypted traffic."

const AWSUnencryptedInTransitElasticacheReplicationGroupExplanation = `
Traffic flowing between Elasticache replication nodes should be encrypted to ensure sensitive data is kept private.
`

const AWSUnencryptedInTransitElasticacheReplicationGroupGoodExample = `` /* 202-byte string literal not displayed */

const AWSUnencryptedInTransitElasticacheReplicationGroupImpact = "In transit data in the Replication Group could be read if intercepted"

const AWSUnencryptedInTransitElasticacheReplicationGroupResolution = "Enable in transit encryptuon for replication group"

const AWSUnencryptedKinesisStream = "AWS024"

const AWSUnencryptedKinesisStreamBadExample = `
resource "aws_kinesis_stream" "bad_example" {
	encryption_type = "NONE"
}
`

const AWSUnencryptedKinesisStreamDescription = "Kinesis stream is unencrypted."

const AWSUnencryptedKinesisStreamExplanation = `` /* 178-byte string literal not displayed */

const AWSUnencryptedKinesisStreamGoodExample = `
resource "aws_kinesis_stream" "good_example" {
	encryption_type = "KMS"
	kms_key_id = "my/special/key"
}
`

const AWSUnencryptedKinesisStreamImpact = "Intercepted data can be read in transit"

const AWSUnencryptedKinesisStreamResolution = "Enable in transit encryption"

const AWSUnencryptedMSKBroker = "AWS022"

const AWSUnencryptedMSKBrokerBadExample = `` /* 154-byte string literal not displayed */

const AWSUnencryptedMSKBrokerDescription = "A MSK cluster allows unencrypted data in transit."

const AWSUnencryptedMSKBrokerExplanation = `` /* 136-byte string literal not displayed */

const AWSUnencryptedMSKBrokerGoodExample = `` /* 145-byte string literal not displayed */

const AWSUnencryptedMSKBrokerImpact = "Intercepted data can be read in transit"

const AWSUnencryptedMSKBrokerResolution = "Enable in transit encryption"

const AWSUnencryptedS3Bucket = "AWS017"

const AWSUnencryptedS3BucketBadExample = `
resource "aws_s3_bucket" "bad_example" {
  bucket = "mybucket"
}
`

const AWSUnencryptedS3BucketDescription = "Unencrypted S3 bucket."

const AWSUnencryptedS3BucketExplanation = `` /* 165-byte string literal not displayed */

const AWSUnencryptedS3BucketGoodExample = `` /* 258-byte string literal not displayed */

const AWSUnencryptedS3BucketImpact = "The bucket objects could be read if compromised"

const AWSUnencryptedS3BucketResolution = "Configure bucket encryption"

const AWSUnencryptedSNSTopic = "AWS016"

const AWSUnencryptedSNSTopicBadExample = `
resource "aws_sns_topic" "bad_example" {
	# no key id specified
}
`

const AWSUnencryptedSNSTopicDescription = "Unencrypted SNS topic."

const AWSUnencryptedSNSTopicExplanation = `` /* 160-byte string literal not displayed */

const AWSUnencryptedSNSTopicGoodExample = `
resource "aws_sns_topic" "good_example" {
	kms_master_key_id = "/blah"
}
`

const AWSUnencryptedSNSTopicImpact = "The SNS topic messages could be read if compromised"

const AWSUnencryptedSNSTopicResolution = "Turn on SNS Topic encryption"

const AWSUnencryptedSQSQueue = "AWS015"

const AWSUnencryptedSQSQueueBadExample = `
resource "aws_sqs_queue" "bad_example" {
	# no key specified
}
`

const AWSUnencryptedSQSQueueDescription = "Unencrypted SQS queue."

const AWSUnencryptedSQSQueueExplanation = `` /* 160-byte string literal not displayed */

const AWSUnencryptedSQSQueueGoodExample = `
resource "aws_sqs_queue" "good_example" {
	kms_master_key_id = "/blah"
}
`

const AWSUnencryptedSQSQueueImpact = "The SQS queue messages could be read if compromised"

const AWSUnencryptedSQSQueueResolution = "Turn on SQS Queue encryption"

const AWSUnenforcedHTTPSElasticsearchDomainEndpoint = "AWS033"

const AWSUnenforcedHTTPSElasticsearchDomainEndpointBadExample = `` /* 143-byte string literal not displayed */

const AWSUnenforcedHTTPSElasticsearchDomainEndpointDescription = "Elasticsearch doesn't enforce HTTPS traffic."

const AWSUnenforcedHTTPSElasticsearchDomainEndpointExplanation = `` /* 309-byte string literal not displayed */

const AWSUnenforcedHTTPSElasticsearchDomainEndpointGoodExample = `` /* 143-byte string literal not displayed */

const AWSUnenforcedHTTPSElasticsearchDomainEndpointImpact = "HTTP traffic can be intercepted and the contents read"

const AWSUnenforcedHTTPSElasticsearchDomainEndpointResolution = "Enforce the use of HTTPS for ElasticSearch"

const AZUAKSAPIServerAuthorizedIPRanges = "AZU008"

const AZUAKSAPIServerAuthorizedIPRangesBadExample = `
resource "azurerm_kubernetes_cluster" "bad_example" {

}
`

const AZUAKSAPIServerAuthorizedIPRangesDescription = "Ensure AKS has an API Server Authorized IP Ranges enabled"

const AZUAKSAPIServerAuthorizedIPRangesExplanation = `` /* 206-byte string literal not displayed */

const AZUAKSAPIServerAuthorizedIPRangesGoodExample = `
resource "azurerm_kubernetes_cluster" "good_example" {
    api_server_authorized_ip_ranges = [
		"1.2.3.4/32"
	]
}
`

const AZUAKSAPIServerAuthorizedIPRangesImpact = "Any IP can interact with the API server"

const AZUAKSAPIServerAuthorizedIPRangesResolution = "Limit the access to the API server to a limited IP range"

const AZUAKSAzureMonitor = "AZU009"

const AZUAKSAzureMonitorBadExample = `
resource "azurerm_kubernetes_cluster" "bad_example" {
    addon_profile {}
}
`

const AZUAKSAzureMonitorDescription = "Ensure AKS logging to Azure Monitoring is Configured"

const AZUAKSAzureMonitorExplanation = `
Ensure AKS logging to Azure Monitoring is configured for containers to monitor the performance of workloads.
`

const AZUAKSAzureMonitorGoodExample = `
resource "azurerm_kubernetes_cluster" "good_example" {
    addon_profile {
		oms_agent {
			enabled = true
		}
	}
}
`

const AZUAKSAzureMonitorImpact = "Logging provides valuable information about access and usage"

const AZUAKSAzureMonitorResolution = "Enable logging for AKS"

const AZUAKSClusterNetworkPolicy = "AZU006"

const AZUAKSClusterNetworkPolicyBadExample = `
resource "azurerm_kubernetes_cluster" "bad_example" {
	network_profile {
	  }
}
`

const AZUAKSClusterNetworkPolicyDescription = "Ensure AKS cluster has Network Policy configured"

const AZUAKSClusterNetworkPolicyExplanation = `` /* 253-byte string literal not displayed */

const AZUAKSClusterNetworkPolicyGoodExample = `
resource "azurerm_kubernetes_cluster" "good_example" {
	network_profile {
	  network_policy = "calico"
	  }
}
`

const AZUAKSClusterNetworkPolicyImpact = "No network policy is protecting the AKS cluster"

const AZUAKSClusterNetworkPolicyResolution = "Configure a network policy"

const AZUAKSClusterRBACenabled = "AZU007"

const AZUAKSClusterRBACenabledBadExample = `
resource "azurerm_kubernetes_cluster" "bad_example" {
	role_based_access_control {
		enabled = false
	}
}
`

const AZUAKSClusterRBACenabledDescription = "Ensure RBAC is enabled on AKS clusters"

const AZUAKSClusterRBACenabledExplanation = `` /* 142-byte string literal not displayed */

const AZUAKSClusterRBACenabledGoodExample = `
resource "azurerm_kubernetes_cluster" "good_example" {
	role_based_access_control {
		enabled = true
	}
}
`

const AZUAKSClusterRBACenabledImpact = "No role based access control is in place for the AKS cluster"

const AZUAKSClusterRBACenabledResolution = "Enable RBAC"

const AZUBlobStorageContainerNoPublicAccess = "AZU011"

const AZUBlobStorageContainerNoPublicAccessBadExample = `` /* 188-byte string literal not displayed */

const AZUBlobStorageContainerNoPublicAccessDescription = "Storage containers in blob storage mode should not have public access"

const AZUBlobStorageContainerNoPublicAccessExplanation = `` /* 248-byte string literal not displayed */

const AZUBlobStorageContainerNoPublicAccessGoodExample = `` /* 188-byte string literal not displayed */

const AZUBlobStorageContainerNoPublicAccessImpact = "Data in the storage container could be exposed publicly"

const AZUBlobStorageContainerNoPublicAccessResolution = "Disable public access to storage containers"

const AZUDataFactoryPublicNetwork = "AZU025"

const AZUDataFactoryPublicNetworkBadExample = `` /* 209-byte string literal not displayed */

const AZUDataFactoryPublicNetworkDescription = "Data Factory should have public access disabled, the default is enabled."

const AZUDataFactoryPublicNetworkExplanation = `` /* 245-byte string literal not displayed */

const AZUDataFactoryPublicNetworkGoodExample = `` /* 243-byte string literal not displayed */

const AZUDataFactoryPublicNetworkImpact = "Data factory is publicly accessible"

const AZUDataFactoryPublicNetworkResolution = "Set public access to disabled for Data Factory"

const AZUDatabaseAuditingRetention90Days = "AZU019"

const AZUDatabaseAuditingRetention90DaysBadExample = `` /* 445-byte string literal not displayed */

const AZUDatabaseAuditingRetention90DaysDescription = "Database auditing rentention period should be longer than 90 days"

const AZUDatabaseAuditingRetention90DaysExplanation = `` /* 212-byte string literal not displayed */

const AZUDatabaseAuditingRetention90DaysGoodExample = `` /* 847-byte string literal not displayed */

const AZUDatabaseAuditingRetention90DaysImpact = "Short logging retention could result in missing valuable historical information"

const AZUDatabaseAuditingRetention90DaysResolution = "Set retention periods of database auditing to greater than 90 days"

const AZUDefaultActionOnNetworkRuleSetToDeny = "AZU012"

const AZUDefaultActionOnNetworkRuleSetToDenyBadExample = `` /* 254-byte string literal not displayed */

const AZUDefaultActionOnNetworkRuleSetToDenyDescription = "The default action on Storage account network rules should be set to deny"

const AZUDefaultActionOnNetworkRuleSetToDenyExplanation = `` /* 138-byte string literal not displayed */

const AZUDefaultActionOnNetworkRuleSetToDenyGoodExample = `` /* 254-byte string literal not displayed */

const AZUDefaultActionOnNetworkRuleSetToDenyImpact = "Network rules that allow could cause data to be exposed publicly"

const AZUDefaultActionOnNetworkRuleSetToDenyResolution = "Set network rules to deny"

const AZUFunctionAppHTTPS = "AZU028"

const AZUFunctionAppHTTPSBadExample = `` /* 499-byte string literal not displayed */

const AZUFunctionAppHTTPSDescription = "Ensure the Function App can only be accessed via HTTPS. The default is false."

const AZUFunctionAppHTTPSExplanation = `` /* 233-byte string literal not displayed */

const AZUFunctionAppHTTPSGoodExample = `` /* 536-byte string literal not displayed */

const AZUFunctionAppHTTPSImpact = "Anyone can access the Function App using HTTP."

const AZUFunctionAppHTTPSResolution = "You can redirect all HTTP requests to the HTTPS port."

const AZUKeyVaultKeyExpirationDate = "AZU026"

const AZUKeyVaultKeyExpirationDateBadExample = `` /* 292-byte string literal not displayed */

const AZUKeyVaultKeyExpirationDateDescription = "Ensure that the expiration date is set on all keys"

const AZUKeyVaultKeyExpirationDateExplanation = `` /* 130-byte string literal not displayed */

const AZUKeyVaultKeyExpirationDateGoodExample = `` /* 336-byte string literal not displayed */

const AZUKeyVaultKeyExpirationDateImpact = "Long life keys increase the attack surface when compromised"

const AZUKeyVaultKeyExpirationDateResolution = "Set an expiration date on the vault key"

const AZUKeyVaultNetworkAcl = "AZU020"

const AZUKeyVaultNetworkAclBadExample = `` /* 293-byte string literal not displayed */

const AZUKeyVaultNetworkAclDescription = "Key vault should have the network acl block specified"

const AZUKeyVaultNetworkAclExplanation = `` /* 233-byte string literal not displayed */

const AZUKeyVaultNetworkAclGoodExample = `` /* 386-byte string literal not displayed */

const AZUKeyVaultNetworkAclImpact = "Without a network ACL the key vault is freely accessible"

const AZUKeyVaultNetworkAclResolution = "Set a network ACL for the key vault"

const AZUKeyVaultPurgeProtection = "AZU021"

const AZUKeyVaultPurgeProtectionBadExample = `` /* 257-byte string literal not displayed */

const AZUKeyVaultPurgeProtectionDescription = "Key vault should have purge protection enabled"

const AZUKeyVaultPurgeProtectionExplanation = `` /* 193-byte string literal not displayed */

const AZUKeyVaultPurgeProtectionGoodExample = `` /* 294-byte string literal not displayed */

const AZUKeyVaultPurgeProtectionImpact = "Keys could be purged from the vault without protection"

const AZUKeyVaultPurgeProtectionResolution = "Enable purge protection for key vaults"

const AZUKeyVaultSecretContentType = "AZU022"

const AZUKeyVaultSecretContentTypeBadExample = `` /* 161-byte string literal not displayed */

const AZUKeyVaultSecretContentTypeDescription = "Key vault Secret should have a content type set"

const AZUKeyVaultSecretContentTypeExplanation = `` /* 351-byte string literal not displayed */

const AZUKeyVaultSecretContentTypeGoodExample = `` /* 190-byte string literal not displayed */

const AZUKeyVaultSecretContentTypeImpact = "The secret's type is unclear without a content type"

const AZUKeyVaultSecretContentTypeResolution = "Provide content type for secrets to aid interpretation on retrieval"

const AZUKeyVaultSecretExpirationDate = "AZU023"

const AZUKeyVaultSecretExpirationDateBadExample = `` /* 161-byte string literal not displayed */

const AZUKeyVaultSecretExpirationDateDescription = "Key Vault Secret should have an expiration date set"

const AZUKeyVaultSecretExpirationDateExplanation = `` /* 133-byte string literal not displayed */

const AZUKeyVaultSecretExpirationDateGoodExample = `` /* 214-byte string literal not displayed */

const AZUKeyVaultSecretExpirationDateImpact = "Long life secrets increase the opportunity for compromise"

const AZUKeyVaultSecretExpirationDateResolution = "Set an expiry for secrets"

const AZUMinTLSForStorageAccountsSet = "AZU015"

const AZUMinTLSForStorageAccountsSetBadExample = `` /* 238-byte string literal not displayed */

const AZUMinTLSForStorageAccountsSetDescription = "The minimum TLS version for Storage Accounts should be TLS1_2"

const AZUMinTLSForStorageAccountsSetExplanation = `` /* 280-byte string literal not displayed */

const AZUMinTLSForStorageAccountsSetGoodExample = `` /* 277-byte string literal not displayed */

const AZUMinTLSForStorageAccountsSetImpact = "The TLS version being outdated and has known vulnerabilities"

const AZUMinTLSForStorageAccountsSetResolution = "Use a more recent TLS/SSL policy for the load balancer"

const AZUQueueStorageAnalyticsTurnedOn = "AZU016"

const AZUQueueStorageAnalyticsTurnedOnBadExample = `` /* 350-byte string literal not displayed */

const AZUQueueStorageAnalyticsTurnedOnDescription = "When using Queue Services for a storage account, logging should be enabled."

const AZUQueueStorageAnalyticsTurnedOnExplanation = `` /* 259-byte string literal not displayed */

const AZUQueueStorageAnalyticsTurnedOnGoodExample = `` /* 555-byte string literal not displayed */

const AZUQueueStorageAnalyticsTurnedOnImpact = "Logging provides valuable information about access and usage"

const AZUQueueStorageAnalyticsTurnedOnResolution = "Enable logging for Queue Services"

const AZURDPAccessNotAllowedFromInternet = "AZU024"

const AZURDPAccessNotAllowedFromInternetBadExample = `` /* 825-byte string literal not displayed */

const AZURDPAccessNotAllowedFromInternetDescription = "RDP access should not be accessible from the Internet, should be blocked on port 3389"

const AZURDPAccessNotAllowedFromInternetExplanation = `` /* 236-byte string literal not displayed */

const AZURDPAccessNotAllowedFromInternetGoodExample = `` /* 847-byte string literal not displayed */

const AZURDPAccessNotAllowedFromInternetImpact = "Anyone from the internet can potentially RDP onto an instance"

const AZURDPAccessNotAllowedFromInternetResolution = "Block RDP port from internet"

const AZURequireSecureTransferForStorageAccounts = "AZU014"

const AZURequireSecureTransferForStorageAccountsBadExample = `` /* 354-byte string literal not displayed */

const AZURequireSecureTransferForStorageAccountsDescription = "Storage accounts should be configured to only accept transfers that are over secure connections"

const AZURequireSecureTransferForStorageAccountsExplanation = `` /* 362-byte string literal not displayed */

const AZURequireSecureTransferForStorageAccountsGoodExample = `` /* 354-byte string literal not displayed */

const AZURequireSecureTransferForStorageAccountsImpact = "Insecure transfer of data into secure accounts could be read if intercepted"

const AZURequireSecureTransferForStorageAccountsResolution = "Only allow secure connection for transferring data into storage accounts"

const AZUSQLDatabaseAuditingEnabled = "AZU018"

const AZUSQLDatabaseAuditingEnabledBadExample = `` /* 375-byte string literal not displayed */

const AZUSQLDatabaseAuditingEnabledDescription = "Auditing should be enabled on Azure SQL Databases"

const AZUSQLDatabaseAuditingEnabledExplanation = `` /* 204-byte string literal not displayed */

const AZUSQLDatabaseAuditingEnabledGoodExample = `` /* 706-byte string literal not displayed */

const AZUSQLDatabaseAuditingEnabledImpact = "Auditing provides valuable information about access and usage"

const AZUSQLDatabaseAuditingEnabledResolution = "Enable auditing on Azure SQL databases"

const AZUSSHAccessNotAllowedFromInternet = "AZU017"

const AZUSSHAccessNotAllowedFromInternetBadExample = `` /* 821-byte string literal not displayed */

const AZUSSHAccessNotAllowedFromInternetDescription = "SSH access should not be accessible from the Internet, should be blocked on port 22"

const AZUSSHAccessNotAllowedFromInternetExplanation = `` /* 194-byte string literal not displayed */

const AZUSSHAccessNotAllowedFromInternetGoodExample = `` /* 845-byte string literal not displayed */

const AZUSSHAccessNotAllowedFromInternetImpact = "Its dangerous to allow SSH access from the internet"

const AZUSSHAccessNotAllowedFromInternetResolution = "Block port 22 access from the internet"

const AZUStorageAccountHTTPSenabled = "AZU010"

const AZUStorageAccountHTTPSenabledBadExample = `
resource "azurerm_storage_account" "bad_example" {
	enable_https_traffic_only = false
}
`

const AZUStorageAccountHTTPSenabledDescription = "Ensure HTTPS is enabled on Azure Storage Account"

const AZUStorageAccountHTTPSenabledExplanation = `
Requiring HTTPS in Storage Account helps to minimize the risk of eavesdropping.
`

const AZUStorageAccountHTTPSenabledGoodExample = `
resource "azurerm_storage_account" "good_example" {
	enable_https_traffic_only = true
}
`

const AZUStorageAccountHTTPSenabledImpact = "HTTP access to storage account could be read if intercepted"

const AZUStorageAccountHTTPSenabledResolution = "Only use HTTPS for storage account"

const AZUSynapseWorkspaceManagedNetwork = "AZU027"

const AZUSynapseWorkspaceManagedNetworkBadExample = `` /* 669-byte string literal not displayed */

const AZUSynapseWorkspaceManagedNetworkDescription = "Synapse Workspace should have managed virtual network enabled, the default is disabled."

const AZUSynapseWorkspaceManagedNetworkExplanation = `` /* 635-byte string literal not displayed */

const AZUSynapseWorkspaceManagedNetworkGoodExample = `` /* 713-byte string literal not displayed */

const AZUSynapseWorkspaceManagedNetworkImpact = "Your Synapse workspace is not using the private endpoints"

const AZUSynapseWorkspaceManagedNetworkResolution = "Set manage virtual network to enabled"

const AZUTrustedMicrosoftServicesHaveStroageAccountAccess = "AZU013"

const AZUTrustedMicrosoftServicesHaveStroageAccountAccessBadExample = `` /* 923-byte string literal not displayed */

const AZUTrustedMicrosoftServicesHaveStroageAccountAccessDescription = "Trusted Microsoft Services should have bypass access to Storage accounts"

const AZUTrustedMicrosoftServicesHaveStroageAccountAccessExplanation = `` /* 256-byte string literal not displayed */

const AZUTrustedMicrosoftServicesHaveStroageAccountAccessGoodExample = `` /* 961-byte string literal not displayed */

const AZUTrustedMicrosoftServicesHaveStroageAccountAccessImpact = "Trusted Microsoft Services won't be able to access storage account unless rules set to allow"

const AZUTrustedMicrosoftServicesHaveStroageAccountAccessResolution = "Allow Trusted Microsoft Services to bypass"

const AzureOpenInboundNetworkSecurityGroupRule = "AZU001"

const AzureOpenInboundNetworkSecurityGroupRuleBadExample = `` /* 137-byte string literal not displayed */

const AzureOpenInboundNetworkSecurityGroupRuleDescription = "An inbound network security rule allows traffic from /0."

const AzureOpenInboundNetworkSecurityGroupRuleExplanation = `
Network security rules should not use very broad subnets.

Where possible, segments should be broken into smaller subnets.
`

const AzureOpenInboundNetworkSecurityGroupRuleGoodExample = `` /* 145-byte string literal not displayed */

const AzureOpenInboundNetworkSecurityGroupRuleImpact = "The port is exposed for ingress from the internet"

const AzureOpenInboundNetworkSecurityGroupRuleResolution = "Set a more restrictive cidr range"

const AzureOpenOutboundNetworkSecurityGroupRule = "AZU002"

const AzureOpenOutboundNetworkSecurityGroupRuleBadExample = `` /* 143-byte string literal not displayed */

const AzureOpenOutboundNetworkSecurityGroupRuleDescription = "An outbound network security rule allows traffic to /0."

const AzureOpenOutboundNetworkSecurityGroupRuleExplanation = `
Network security rules should not use very broad subnets.

Where possible, segments should be broken into smaller subnets.
`

const AzureOpenOutboundNetworkSecurityGroupRuleGoodExample = `` /* 146-byte string literal not displayed */

const AzureOpenOutboundNetworkSecurityGroupRuleImpact = "The port is exposed for egress to the internet"

const AzureOpenOutboundNetworkSecurityGroupRuleResolution = "Set a more restrictive cidr range"

const AzureUnencryptedDataLakeStore = "AZU004"

const AzureUnencryptedDataLakeStoreBadExample = `
resource "azurerm_data_lake_store" "bad_example" {
	encryption_state = "Disabled"
}`

const AzureUnencryptedDataLakeStoreDescription = "Unencrypted data lake storage."

const AzureUnencryptedDataLakeStoreExplanation = `
Datalake storage encryption defaults to Enabled, it shouldn't be overridden to Disabled.
`

const AzureUnencryptedDataLakeStoreGoodExample = `
resource "azurerm_data_lake_store" "good_example" {
	encryption_state = "Enabled"
}`

const AzureUnencryptedDataLakeStoreImpact = "Data could be read if compromised"

const AzureUnencryptedDataLakeStoreResolution = "Enable encryption of data lake storage"

const AzureUnencryptedManagedDisk = "AZU003"

const AzureUnencryptedManagedDiskBadExample = `
resource "azurerm_managed_disk" "bad_example" {
	encryption_settings {
		enabled = false
	}
}`

const AzureUnencryptedManagedDiskDescription = "Unencrypted managed disk."

const AzureUnencryptedManagedDiskExplanation = `` /* 161-byte string literal not displayed */

const AzureUnencryptedManagedDiskGoodExample = `
resource "azurerm_managed_disk" "good_example" {
	encryption_settings {
		enabled = true
	}
}`

const AzureUnencryptedManagedDiskImpact = "Data could be read if compromised"

const AzureUnencryptedManagedDiskResolution = "Enable encryption on managed disks"

const AzureVMWithPasswordAuthentication = "AZU005"

const AzureVMWithPasswordAuthenticationBadExample = `
resource "azurerm_virtual_machine" "bad_example" {
	os_profile_linux_config {
		disable_password_authentication = false
	}
}`

const AzureVMWithPasswordAuthenticationDescription = "Password authentication in use instead of SSH keys."

const AzureVMWithPasswordAuthenticationExplanation = `` /* 187-byte string literal not displayed */

const AzureVMWithPasswordAuthenticationGoodExample = `
resource "azurerm_virtual_machine" "good_example" {
	os_profile_linux_config {
		disable_password_authentication = true
	}
}`

const AzureVMWithPasswordAuthenticationImpact = "Passwords are potentially easier to compromise than SSH Keys"

const AzureVMWithPasswordAuthenticationResolution = "Use SSH keys for authentication"

const DIGDropletHasNoSSHKeysAssigned = "DIG003"

const DIGDropletHasNoSSHKeysAssignedBadExample = `` /* 149-byte string literal not displayed */

const DIGDropletHasNoSSHKeysAssignedDescription = "SSH Keys are the preferred way to connect to your droplet, no keys are supplied"

const DIGDropletHasNoSSHKeysAssignedExplanation = `` /* 292-byte string literal not displayed */

const DIGDropletHasNoSSHKeysAssignedGoodExample = `` /* 264-byte string literal not displayed */

const DIGDropletHasNoSSHKeysAssignedImpact = "Logging in with username and password is easier to compromise"

const DIGDropletHasNoSSHKeysAssignedResolution = "Use ssh keys for login"

const DIGFirewallHasOpenInboundAccess = "DIG001"

const DIGFirewallHasOpenInboundAccessBadExample = `` /* 250-byte string literal not displayed */

const DIGFirewallHasOpenInboundAccessDescription = "The firewall has an inbound rule with open access"

const DIGFirewallHasOpenInboundAccessExplanation = `` /* 182-byte string literal not displayed */

const DIGFirewallHasOpenInboundAccessGoodExample = `` /* 265-byte string literal not displayed */

const DIGFirewallHasOpenInboundAccessImpact = "Your port is exposed to the internet"

const DIGFirewallHasOpenInboundAccessResolution = "Set a more restrictive CIRDR range"

const DIGFirewallHasOpenOutboundAccess = "DIG002"

const DIGFirewallHasOpenOutboundAccessBadExample = `` /* 256-byte string literal not displayed */

const DIGFirewallHasOpenOutboundAccessDescription = "The firewall has an outbound rule with open access"

const DIGFirewallHasOpenOutboundAccessExplanation = `` /* 165-byte string literal not displayed */

const DIGFirewallHasOpenOutboundAccessGoodExample = `` /* 271-byte string literal not displayed */

const DIGFirewallHasOpenOutboundAccessImpact = "The port is exposed for ingress from the internet"

const DIGFirewallHasOpenOutboundAccessResolution = "Set a more restrictive cidr range"

const DIGForceDestroyEnabled = "DIG007"

const DIGForceDestroyEnabledBadExample = `
resource "digitalocean_spaces_bucket" "bad_example" {
  name   		= "foobar"
  region 		= "nyc3"
  force_destroy = true
}
`

const DIGForceDestroyEnabledDescription = "Force destroy is enabled on Spaces bucket which is dangerous"

const DIGForceDestroyEnabledExplanation = `` /* 209-byte string literal not displayed */

const DIGForceDestroyEnabledGoodExample = `
resource "digitalocean_spaces_bucket" "good_example" {
  name   = "foobar"
  region = "nyc3"
}
`

const DIGForceDestroyEnabledImpact = "Accidental deletion of bucket objects"

const DIGForceDestroyEnabledResolution = "Don't use force destroy on bucket configuration"

const DIGLoadBalancerWithPlainHTTP = "DIG004"

const DIGLoadBalancerWithPlainHTTPBadExample = `` /* 280-byte string literal not displayed */

const DIGLoadBalancerWithPlainHTTPDescription = "The load balancer forwarding rule is using an insecure protocol as an entrypoint"

const DIGLoadBalancerWithPlainHTTPExplanation = `` /* 309-byte string literal not displayed */

const DIGLoadBalancerWithPlainHTTPGoodExample = `` /* 278-byte string literal not displayed */

const DIGLoadBalancerWithPlainHTTPImpact = "Your inbound traffic is not protected"

const DIGLoadBalancerWithPlainHTTPResolution = "Switch to HTTPS to benefit from TLS security features"

const DIGPublicReadAclOnSpacesBucket = "DIG005"

const DIGPublicReadAclOnSpacesBucketBadExample = `` /* 470-byte string literal not displayed */

const DIGPublicReadAclOnSpacesBucketDescription = "Spaces bucket or bucket object has public read acl set"

const DIGPublicReadAclOnSpacesBucketExplanation = `
Space bucket and bucket object permissions should be set to deny public access unless explicitly required.
`

const DIGPublicReadAclOnSpacesBucketGoodExample = `` /* 441-byte string literal not displayed */

const DIGPublicReadAclOnSpacesBucketImpact = "The contents of the space can be accessed publicly"

const DIGPublicReadAclOnSpacesBucketResolution = "Apply a more restrictive ACL"

const DIGSpacesBucketVersioningEnabled = "DIG006"

const DIGSpacesBucketVersioningEnabledBadExample = `` /* 228-byte string literal not displayed */

const DIGSpacesBucketVersioningEnabledDescription = "Spaces buckets should have versioning enabled"

const DIGSpacesBucketVersioningEnabledExplanation = `` /* 325-byte string literal not displayed */

const DIGSpacesBucketVersioningEnabledGoodExample = `` /* 132-byte string literal not displayed */

const DIGSpacesBucketVersioningEnabledImpact = "Deleted or modified data would not be recoverable"

const DIGSpacesBucketVersioningEnabledResolution = "Enable versioning to protect against accidental or malicious removal or modification"

const GCPGKENodeServiceAccount = "GCP012"

const GCPGKENodeServiceAccountBadExample = `
resource "google_container_cluster" "bad_example" {
	node_config {
	}
}
`

const GCPGKENodeServiceAccountDescription = "Checks for service account defined for GKE nodes"

const GCPGKENodeServiceAccountExplanation = `` /* 151-byte string literal not displayed */

const GCPGKENodeServiceAccountGoodExample = `` /* 129-byte string literal not displayed */

const GCPGKENodeServiceAccountImpact = "Service accounts with wide permissions can increase the risk of compromise"

const GCPGKENodeServiceAccountResolution = "Use limited permissions for service accounts to be effective"

const GCPRawEncryptionKeySpecifiedForComputeDisk = "GCP013"

const GCPRawEncryptionKeySpecifiedForComputeDiskBadExample = `
resource "google_compute_disk" "good_example" {
	disk_encryption_key {
		raw_key="b2ggbm8gdGhpcyBpcyBiYWQ="
	}
}
`

const GCPRawEncryptionKeySpecifiedForComputeDiskDescription = "The encryption key used to encrypt a compute disk has been specified in plaintext."

const GCPRawEncryptionKeySpecifiedForComputeDiskExplanation = `` /* 145-byte string literal not displayed */

const GCPRawEncryptionKeySpecifiedForComputeDiskGoodExample = `` /* 138-byte string literal not displayed */

const GCPRawEncryptionKeySpecifiedForComputeDiskImpact = "The encryption key should be considered compromised as it is not stored securely."

const GCPRawEncryptionKeySpecifiedForComputeDiskResolution = "Reference a managed key rather than include the key in raw format."

const GENAttributeHasSensitiveData = "GEN005"

const GENAttributeHasSensitiveDataBadExample = `` /* 128-byte string literal not displayed */

const GENAttributeHasSensitiveDataDescription = "The attribute has potentially sensitive data, passwords, tokens or keys in it"

const GENAttributeHasSensitiveDataExplanation = `` /* 130-byte string literal not displayed */

const GENAttributeHasSensitiveDataGoodExample = `` /* 164-byte string literal not displayed */

const GENAttributeHasSensitiveDataImpact = "Sensitive credentials may be compromised"

const GENAttributeHasSensitiveDataResolution = "Check the code for vulnerabilities and move to variables"

const GENEnsureGithubRepositoryIsPrivate = "GEN004"

const GENEnsureGithubRepositoryIsPrivateBadExample = `` /* 222-byte string literal not displayed */

const GENEnsureGithubRepositoryIsPrivateDescription = "Github repository shouldn't be public."

const GENEnsureGithubRepositoryIsPrivateExplanation = `` /* 189-byte string literal not displayed */

const GENEnsureGithubRepositoryIsPrivateGoodExample = `` /* 224-byte string literal not displayed */

const GENEnsureGithubRepositoryIsPrivateImpact = "Anyone can read the contents of the GitHub repository and leak IP"

const GENEnsureGithubRepositoryIsPrivateResolution = "Make sensitive or commercially important repositories private"

const GenericSensitiveAttributes = "GEN003"

const GenericSensitiveAttributesBadExample = `
resource "evil_corp" "bad_example" {
	root_password = "p4ssw0rd"
}
`

const GenericSensitiveAttributesDescription = "Potentially sensitive data stored in block attribute."

const GenericSensitiveAttributesExplanation = `` /* 420-byte string literal not displayed */

const GenericSensitiveAttributesGoodExample = `` /* 167-byte string literal not displayed */

const GenericSensitiveAttributesImpact = "Block attribute could be leaking secrets"

const GenericSensitiveAttributesResolution = "Don't include sensitive data in blocks"

const GenericSensitiveLocals = "GEN002"

const GenericSensitiveLocalsBadExample = `
locals {
  password = "p4ssw0rd"
}

resource "evil_corp" "bad_example" {
	root_password = local.password
}
`

const GenericSensitiveLocalsDescription = "Potentially sensitive data stored in local value."

const GenericSensitiveLocalsExplanation = `` /* 420-byte string literal not displayed */

const GenericSensitiveLocalsGoodExample = `` /* 166-byte string literal not displayed */

const GenericSensitiveLocalsImpact = "Local value could be leaking secrets"

const GenericSensitiveLocalsResolution = "Don't include sensitive data in locals"

const GenericSensitiveVariables = "GEN001"

const GenericSensitiveVariablesBadExample = `` /* 196-byte string literal not displayed */

const GenericSensitiveVariablesDescription = "Potentially sensitive data stored in \"default\" value of variable."

const GenericSensitiveVariablesExplanation = `` /* 420-byte string literal not displayed */

const GenericSensitiveVariablesGoodExample = `` /* 169-byte string literal not displayed */

const GenericSensitiveVariablesImpact = "Default values could be exposing sensitive data"

const GenericSensitiveVariablesResolution = "Don't include sensitive data in variable defaults"

const GkeAbacEnabled = "GCP005"

const GkeAbacEnabledBadExample = `
resource "google_container_cluster" "bad_example" {
	enable_legacy_abac = "true"
}
`

const GkeAbacEnabledDescription = "Legacy ABAC permissions are enabled."

const GkeAbacEnabledExplanation = `` /* 223-byte string literal not displayed */

const GkeAbacEnabledGoodExample = `
resource "google_container_cluster" "good_example" {
	# ...
	# enable_legacy_abac not set
	# ...
}
`

const GkeAbacEnabledImpact = "ABAC permissions are less secure than RBAC permissions"

const GkeAbacEnabledResolution = "Switch to using RBAC permissions"

const GkeEnforcePSP = "GCP009"

const GkeEnforcePSPBadExample = `
resource "google_container_cluster" "bad_example" {
	pod_security_policy_config {
        enabled = "false"
	}
}`

const GkeEnforcePSPDescription = "Pod security policy enforcement not defined."

const GkeEnforcePSPExplanation = `` /* 489-byte string literal not displayed */

const GkeEnforcePSPGoodExample = `
resource "google_container_cluster" "good_example" {
	pod_security_policy_config {
        enabled = "true"
	}
}`

const GkeEnforcePSPImpact = "Pods could be operating with more permissions than required to be effective"

const GkeEnforcePSPResolution = "Use security policies for pods to restrict permissions to those needed to be effective"

const GkeLegacyAuthEnabled = "GCP008"

const GkeLegacyAuthEnabledBadExample = `` /* 230-byte string literal not displayed */

const GkeLegacyAuthEnabledDescription = "Legacy client authentication methods utilized."

const GkeLegacyAuthEnabledExplanation = `` /* 287-byte string literal not displayed */

const GkeLegacyAuthEnabledGoodExample = `
resource "google_container_cluster" "good_example" {
	master_auth {
	    username = ""
	    password = ""
	}
}
`

const GkeLegacyAuthEnabledImpact = "Username and password authentication methods are less secure"

const GkeLegacyAuthEnabledResolution = "Use service account or OAuth for authentication"

const GkeLegacyMetadataEndpoints = "GCP007"

const GkeLegacyMetadataEndpointsBadExample = `
resource "google_container_cluster" "bad_example" {
	metadata {
    disable-legacy-endpoints = false
  }
}`

const GkeLegacyMetadataEndpointsDescription = "Legacy metadata endpoints enabled."

const GkeLegacyMetadataEndpointsExplanation = `` /* 491-byte string literal not displayed */

const GkeLegacyMetadataEndpointsGoodExample = `
resource "google_container_cluster" "good_example" {
	metadata {
    disable-legacy-endpoints = true
  }
}`

const GkeLegacyMetadataEndpointsImpact = "Legacy metadata endpoints don't require metadata headers"

const GkeLegacyMetadataEndpointsResolution = "Disable legacy metadata endpoints"

const GkeNodeMetadataExposed = "GCP006"

const GkeNodeMetadataExposedBadExample = `` /* 135-byte string literal not displayed */

const GkeNodeMetadataExposedDescription = "Node metadata value disables metadata concealment."

const GkeNodeMetadataExposedExplanation = `` /* 392-byte string literal not displayed */

const GkeNodeMetadataExposedGoodExample = `` /* 136-byte string literal not displayed */

const GkeNodeMetadataExposedImpact = "Metadata that isn't concealed potentially risks leakage of sensitive data"

const GkeNodeMetadataExposedResolution = "Set node metadata to SECURE or GKE_METADATA_SERVER"

const GkeShieldedNodesDisabled = "GCP010"

const GkeShieldedNodesDisabledBadExample = `
resource "google_container_cluster" "bad_example" {
	enable_shielded_nodes = "false"
}`

const GkeShieldedNodesDisabledDescription = "Shielded GKE nodes not enabled."

const GkeShieldedNodesDisabledExplanation = `` /* 236-byte string literal not displayed */

const GkeShieldedNodesDisabledGoodExample = `
resource "google_container_cluster" "good_example" {
	enable_shielded_nodes = "true"
}`

const GkeShieldedNodesDisabledImpact = "Node identity and integrity can't be verified without shielded GKE nodes"

const GkeShieldedNodesDisabledResolution = "Enable node shielding"

const GoogleOpenInboundFirewallRule = "GCP003"

const GoogleOpenInboundFirewallRuleBadExample = `
resource "google_compute_firewall" "bad_example" {
	source_ranges = ["0.0.0.0/0"]
}`

const GoogleOpenInboundFirewallRuleDescription = "An inbound firewall rule allows traffic from /0."

const GoogleOpenInboundFirewallRuleExplanation = `` /* 167-byte string literal not displayed */

const GoogleOpenInboundFirewallRuleGoodExample = `
resource "google_compute_firewall" "good_example" {
	source_ranges = ["1.2.3.4/32"]
}`

const GoogleOpenInboundFirewallRuleImpact = "The port is exposed for ingress from the internet"

const GoogleOpenInboundFirewallRuleResolution = "Set a more restrictive cidr range"

const GoogleOpenOutboundFirewallRule = "GCP004"

const GoogleOpenOutboundFirewallRuleBadExample = `
resource "google_compute_firewall" "bad_example" {
	destination_ranges = ["0.0.0.0/0"]
}`

const GoogleOpenOutboundFirewallRuleDescription = "An outbound firewall rule allows traffic to /0."

const GoogleOpenOutboundFirewallRuleExplanation = `` /* 167-byte string literal not displayed */

const GoogleOpenOutboundFirewallRuleGoodExample = `
resource "google_compute_firewall" "good_example" {
	destination_ranges = ["1.2.3.4/32"]
}`

const GoogleOpenOutboundFirewallRuleImpact = "The port is exposed for egress to the internet"

const GoogleOpenOutboundFirewallRuleResolution = "Set a more restrictive cidr range"

const GoogleUnencryptedDisk = "GCP001"

const GoogleUnencryptedDiskBadExample = `
resource "google_compute_disk" "bad_example" {
	# ...
}`

const GoogleUnencryptedDiskDescription = "Encrypted compute disk with unmanaged keys."

const GoogleUnencryptedDiskExplanation = `` /* 327-byte string literal not displayed */

const GoogleUnencryptedDiskGoodExample = `
resource "google_compute_disk" "good_example" {
	disk_encryption_key {
		kms_key_self_link = "something"
	}
}

`

const GoogleUnencryptedDiskImpact = "Encryption of disk using unmanaged keys."

const GoogleUnencryptedDiskResolution = "Enable encryption using a customer-managed key."

const GoogleUserIAMGrant = "GCP011"

const GoogleUserIAMGrantBadExample = `` /* 191-byte string literal not displayed */

const GoogleUserIAMGrantDescription = "IAM granted directly to user."

const GoogleUserIAMGrantExplanation = `` /* 370-byte string literal not displayed */

const GoogleUserIAMGrantGoodExample = `` /* 210-byte string literal not displayed */

const GoogleUserIAMGrantImpact = "Users shouldn't have permissions granted to them directly"

const GoogleUserIAMGrantResolution = "Roles should be granted permissions and assigned to users"

const OCIComputeIpReservation = "OCI001"

const OCIComputeIpReservationBadExample = `` /* 137-byte string literal not displayed */

const OCIComputeIpReservationDescription = "Compute instance requests an IP reservation from a public pool"

const OCIComputeIpReservationExplanation = `` /* 183-byte string literal not displayed */

const OCIComputeIpReservationGoodExample = `` /* 137-byte string literal not displayed */

const OCIComputeIpReservationImpact = "The compute instance has the ability to be reached from outside"

const OCIComputeIpReservationResolution = "Reconsider the use of an public IP"