from checkov.terraform.models.enums import CheckResult, CheckCategories
from checkov.terraform.checks.resource.base_check import BaseResourceCheck
class PasswordPolicyLowercaseLetter(BaseResourceCheck):
def __init__(self):
    """Register CKV_AWS_11: the IAM account password policy must require a lowercase letter."""
    super().__init__(
        name="Ensure IAM password policy requires at least one lowercase letter",
        id="CKV_AWS_11",
        categories=[CheckCategories.IAM],
        supported_resources=['aws_iam_account_password_policy'],
    )
def scan_resource_conf(self, conf):
    """
    Validates that the IAM password policy requires at least one lowercase letter.
    https://www.terraform.io/docs/providers/aws/r/iam_account_password_policy.html
    :param conf: aws_iam_account_password_policy configuration
    :return: presumably a CheckResult; the remainder of this method is not shown in this excerpt
    """
    key = 'require_lowercase_characters'
    # Only the key-presence test is visible here; how the attribute's value is
    # judged (and what happens when the key is absent) is cut off in this excerpt.
    if key in conf.keys():
from checkov.terraform.models.enums import CheckResult, CheckCategories
from checkov.terraform.checks.resource.base_check import BaseResourceCheck
class SNSTopicEncryption(BaseResourceCheck):
def __init__(self):
    """Register CKV_AWS_26: SNS topics must have server-side encryption configured."""
    check_meta = dict(
        name="Ensure all data stored in the SNS topic is encrypted",
        id="CKV_AWS_26",
        categories=[CheckCategories.ENCRYPTION],
        supported_resources=['aws_sns_topic'],
    )
    super().__init__(**check_meta)
def scan_resource_conf(self, conf):
    """
    Looks for encryption configuration at aws_sns_topic:
    https://www.terraform.io/docs/providers/aws/r/sns_topic.html
    :param conf: aws_sns_topic configuration
    :return: presumably a CheckResult; the branch bodies are not shown in this excerpt
    """
    # Two-step test: the key must be present AND its value truthy, so a declared
    # but empty kms_master_key_id is not accepted as "encrypted".
    if 'kms_master_key_id' in conf.keys():
        if conf['kms_master_key_id']:
from checkov.terraform.checks.resource.base_check import BaseResourceCheck
from checkov.terraform.models.enums import CheckResult, CheckCategories
class GoogleContainerClusterMonitoringEnabled(BaseResourceCheck):
def __init__(self):
    """Register CKV_GCP_8: Stackdriver Monitoring must be enabled on GKE clusters."""
    resources = ['google_container_cluster']
    super().__init__(
        name="Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters",
        id="CKV_GCP_8",
        categories=[CheckCategories.LOGGING],
        supported_resources=resources,
    )
def scan_resource_conf(self, conf):
    """
    Looks for monitoring configuration on google_container_cluster:
    https://www.terraform.io/docs/providers/google/r/container_cluster.html
    :param conf: google_container_cluster configuration
    :return: presumably a CheckResult; the branch bodies are not shown in this excerpt
    """
    if 'monitoring_service' in conf:
        # The value is indexed with [0], so attribute values appear to be lists here.
        # Only the literal "none" is treated as monitoring disabled; the outcome when
        # the key is absent (provider default) is not visible in this excerpt.
        if conf['monitoring_service'][0] == "none":
from checkov.terraform.models.enums import CheckResult, CheckCategories
from checkov.terraform.checks.resource.base_check import BaseResourceCheck
class SQSQueueEncryption(BaseResourceCheck):
def __init__(self):
    """Register CKV_AWS_27: SQS queues must have server-side encryption configured."""
    check_meta = {
        "name": "Ensure all data stored in the SQS queue is encrypted",
        "id": "CKV_AWS_27",
        "categories": [CheckCategories.ENCRYPTION],
        "supported_resources": ['aws_sqs_queue'],
    }
    super().__init__(**check_meta)
def scan_resource_conf(self, conf):
    """
    Looks for encryption configuration at aws_sqs_queue:
    https://www.terraform.io/docs/providers/aws/r/sqs_queue.html
    :param conf: aws_sqs_queue configuration
    :return: presumably a CheckResult; the branch bodies are not shown in this excerpt
    """
    # Two-step test: the key must be present AND its value truthy, so a declared
    # but empty kms_master_key_id is not accepted as "encrypted".
    if 'kms_master_key_id' in conf.keys():
        if conf['kms_master_key_id']:
from checkov.terraform.models.enums import CheckResult, CheckCategories
from checkov.terraform.checks.resource.base_check import BaseResourceCheck
class SagemakerEncryption(BaseResourceCheck):
def __init__(self):
    """Register CKV_AWS_22: SageMaker notebook instances must be encrypted at rest."""
    super().__init__(
        name="Ensure all data stored in the Sagemaker is securely encrypted at rest",
        id="CKV_AWS_22",
        categories=[CheckCategories.ENCRYPTION],
        supported_resources=['aws_sagemaker_notebook_instance'],
    )
def scan_resource_conf(self, conf):
    """
    Looks for encryption configuration at aws_sagemaker_notebook_instance:
    https://www.terraform.io/docs/providers/aws/r/sagemaker_notebook_instance.html
    :param conf: aws_sagemaker_notebook_instance configuration
    :return: CheckResult.PASSED when kms_key_id is declared; the fall-through path is
             not shown in this excerpt
    """
    # NOTE(review): presence-only test. Unlike the SNS/SQS encryption checks, which
    # also require the key's value to be truthy, a declared but empty/null kms_key_id
    # still passes here — worth confirming whether that is intended.
    if 'kms_key_id' in conf.keys():
        return CheckResult.PASSED
from checkov.terraform.models.enums import CheckResult, CheckCategories
from checkov.terraform.checks.resource.base_check import BaseResourceCheck
class RDSPubliclyAccessible(BaseResourceCheck):
def __init__(self):
    """Register CKV_AWS_17: RDS instances must not be publicly accessible."""
    rds_resources = ['aws_db_instance', 'aws_rds_cluster_instance']
    super().__init__(
        name="Ensure all data stored in the RDS bucket is not public accessible",
        id="CKV_AWS_17",
        categories=[CheckCategories.NETWORKING],
        supported_resources=rds_resources,
    )
def scan_resource_conf(self, conf):
    """
    Looks for the publicly_accessible attribute at aws_db_instance / aws_rds_cluster_instance:
    https://www.terraform.io/docs/providers/aws/r/db_instance.html
    :param conf: aws_db_instance or aws_rds_cluster_instance configuration
    :return: presumably a CheckResult; the comparison that decides it is not shown in this excerpt
    """
    if 'publicly_accessible' in conf.keys():
        # First element of the attribute's value list (values appear to be lists here);
        # the test on this value, and the outcome when the key is absent, are cut off.
        key = conf['publicly_accessible'][0]
from checkov.terraform.models.enums import CheckResult, CheckCategories
from checkov.terraform.checks.resource.base_check import BaseResourceCheck
class SecurityGroupRuleDescription(BaseResourceCheck):
def __init__(self):
    """Register CKV_AWS_23 for every security-group-like resource type."""
    sg_resource_types = [
        'aws_security_group',
        'aws_security_group_rule',
        'aws_db_security_group',
        'aws_elasticache_security_group',
        'aws_redshift_security_group',
    ]
    super().__init__(
        name="Ensure every security groups rule has a description",
        id="CKV_AWS_23",
        categories=[CheckCategories.NETWORKING],
        supported_resources=sg_resource_types,
    )
def scan_resource_conf(self, conf):
    """
    Looks for a description on security group and security group rule resources:
    https://www.terraform.io/docs/providers/aws/r/security_group.html
    :param conf: configuration of any of the supported security-group resource types
    :return: presumably a CheckResult; the branch body is not shown in this excerpt
    """
    # Key-presence test only; whether an empty description string is accepted
    # depends on the branch body, which is cut off in this excerpt.
    if 'description' in conf.keys():
from checkov.terraform.models.enums import CheckResult, CheckCategories
from checkov.terraform.checks.resource.base_check import BaseResourceCheck
# Port this check looks for (RDP), kept as a string because scan_resource_conf tests it
# with `in` against the rule's first 'ports' entry. NOTE(review): if that entry is a
# string, this is a substring match rather than an equality or range check — e.g.
# '13389' would also match, while a range such as '3000-4000' would not.
PORT = '3389'
class GoogleComputeFirewallUnrestrictedIngress22(BaseResourceCheck):
def __init__(self):
    """
    Register CKV_GCP_3: no unrestricted RDP ingress on google_compute_firewall.

    NOTE(review): the class is named ...Ingress22 although this check targets RDP
    (PORT = '3389'); the SSH check (CKV_GCP_2) uses the identical class name.
    """
    super().__init__(
        name="Ensure Google compute firewall ingress does not allow unrestricted rdp access",
        id="CKV_GCP_3",
        categories=[CheckCategories.NETWORKING],
        supported_resources=['google_compute_firewall'],
    )
def scan_resource_conf(self, conf):
    """
    Looks for an allow rule on the RDP port (PORT) combined with source_ranges at
    google_compute_firewall:
    https://www.terraform.io/docs/providers/google/r/compute_firewall.html
    :param conf: google_compute_firewall configuration
    :return: presumably a CheckResult; the branch bodies are not shown in this excerpt
    """
    # NOTE(review): unguarded indexing — a rule without an 'allow' block, or an allow
    # block without 'ports', would raise KeyError/IndexError here instead of yielding a
    # result. Only the first allow block and its first port entry are inspected, and
    # PORT is a str, so `in` is presumably a substring test on that entry.
    if PORT in conf['allow'][0]['ports'][0]:
        if 'source_ranges' in conf.keys():
from checkov.terraform.models.enums import CheckResult, CheckCategories
from checkov.terraform.checks.resource.base_check import BaseResourceCheck
# Port this check looks for (SSH), kept as a string because scan_resource_conf tests it
# with `in` against the rule's first 'ports' entry. NOTE(review): if that entry is a
# string, this is a substring match rather than an equality or range check — e.g.
# '2222' or '1022' would also match, while a range such as '20-30' would not.
PORT = '22'
class GoogleComputeFirewallUnrestrictedIngress22(BaseResourceCheck):
def __init__(self):
    """Register CKV_GCP_2: no unrestricted SSH ingress on google_compute_firewall."""
    check_meta = dict(
        name="Ensure Google compute firewall ingress does not allow unrestricted ssh access",
        id="CKV_GCP_2",
        categories=[CheckCategories.NETWORKING],
        supported_resources=['google_compute_firewall'],
    )
    super().__init__(**check_meta)
def scan_resource_conf(self, conf):
    """
    Looks for an allow rule on the SSH port (PORT) combined with source_ranges at
    google_compute_firewall:
    https://www.terraform.io/docs/providers/google/r/compute_firewall.html
    :param conf: google_compute_firewall configuration
    :return: presumably a CheckResult; the branch bodies are not shown in this excerpt
    """
    # NOTE(review): unguarded indexing — a rule without an 'allow' block, or an allow
    # block without 'ports', would raise KeyError/IndexError here instead of yielding a
    # result. Only the first allow block and its first port entry are inspected, and
    # PORT is a str, so `in` is presumably a substring test on that entry.
    if PORT in conf['allow'][0]['ports'][0]:
        if 'source_ranges' in conf.keys():
from checkov.terraform.models.enums import CheckResult, CheckCategories
from checkov.terraform.checks.resource.base_check import BaseResourceCheck
class PasswordPolicyExpiration(BaseResourceCheck):
def __init__(self):
    """Register CKV_AWS_9: the IAM account password policy must expire passwords within 90 days."""
    super().__init__(
        name="Ensure IAM password policy expires passwords within 90 days or less",
        id="CKV_AWS_9",
        categories=[CheckCategories.IAM],
        supported_resources=['aws_iam_account_password_policy'],
    )
def scan_resource_conf(self, conf):
"""
validates iam password policy
https://www.terraform.io/docs/providers/aws/r/iam_account_password_policy.html
:param conf: aws_iam_account_password_policy configuration
:return:
"""
key = 'max_password_age'
if key in conf.keys():