Q
Detector Library
Terraform detectors (58/58)
Unsecured encryption of SageMaker data at restDisabled AWS Glue security encryptionRestrict IAM asterisk actionDisabled AWS RDS EncryptionExposed secrets in EC2 user dataDisabled block public aclsDisabled Glue Data Catalog encryptionS3 bucket restrict public bucket not truenonhttps viewer protocol policyRestrict log4j2 message lookupRestrict overly permissive VPC peering routesRestrict overly permissive access by AWS EKS to all trafficSecure AWS Database Migration Service endpointsDisabled logging for aws document dbUnencrypted code build projectSns Topic Uses CMKEnabled RDS public accessUnsecure encryption of DAX at restPublic READ bucket ACLdisabled detailed monitoring for EC2Disabled iam authenticationUnecrypted AWS Redshift using CMKImplicit SSH for AWS EKS node groupRestrict IAM asterisk actionDisabled encryption on Aurora at restRestrict assumed IAM role accessRestrict AWS IAM policy with full administrative privilegesRestrict actions with any Principal for S3 bucketsDisabled ALB drops HTTP headersRestrict IAM policies with full 'asterisk-asterisk' administrative privilegesDisabled athena database encryptionUse AWS certificate manager SSL certificate with Elastic Load BalancerUnencrypted backup vaultAvoid hardcoded AWS access keys and secrets credentialsRestrict IAM password reuseDisabled document db encryptionConfigure TLS 1.2 in AWS Load balancerMisconfigured data encryption at rest for AWS SageMaker instanceDisabled AWS S3 object versioningConfigure HTTPS for CloudFront distribution ViewerProtocolPolicyUnsecured Encryption in transit for EFS volumesUnencrypted EBS VolumesExposed secrets in Lambda function environment variablesRDS postgresql file read vulnerabilityUndefined lambda function urls authtypeAssociate AWS Glue component with a security componentRestrict public access on DMS replication instanceS3 bucket ignore public acls not trueDynamoDB Table Autoscaling EnabledRestrict Neptune cluster instance public accessRestrict the use of asterisk actions for SQS policy documentsDisabled Neptune loggingnonhttps load balancer terraformUnencryted Codebuild projectsUnencrypted Secrets Manager using CMKAWS S3 public WRITE permissionRestrict public IP association on EC2 instanceDisabled DynamoDB Point-In-Time Recovery
Disabled DynamoDB Point-In-Time Recovery High
Disabled DynamoDB Point-In-Time Recovery is detected. Make sure that DynamoDB Point-In-Time Recovery is enabled.
Detector ID
terraform/disabled-dynamodb-pitr-terraform@v1.0
Category
Common Weakness Enumeration (CWE) 
Tags
Noncompliant example
1resource "aws_dynamodb_table" "basic-dynamodb-table" {
2 name = "GameScores"
3 # Noncompliant: `point_in_time_recovery` is disabled.
4 attribute {
5 name = "UserId"
6 type = "S"
7 }
8 ttl {
9 attribute_name = "TimeToExist"
10 enabled = false
11 }
12 tags = {
13 Name = "dynamodb-table-1"
14 Environment = "production"
15 }
16 enabled = true
17 server_side_encryption {
18 enabled = true
19 kms_key_arn = "arn:aws:kms:us-west-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"
20 }
21}
22resource "aws_appautoscaling_target" "pass" {
23 resource_id = "table/${aws_dynamodb_table.basic-dynamodb-table.name}"
24 scalable_dimension = "dynamodb:table:ReadCapacityUnits"
25 service_namespace = "dynamodb"
26 min_capacity = 1
27 max_capacity = 15
28}
29
30resource "aws_appautoscaling_policy" "pass" {
31 name = "rcu-auto-scaling"
32 service_namespace = aws_appautoscaling_target.pass.service_namespace
33 scalable_dimension = aws_appautoscaling_target.pass.scalable_dimension
34 resource_id = aws_appautoscaling_target.pass.resource_id
35 policy_type = "TargetTrackingScaling"
36
37 target_tracking_scaling_policy_configuration {
38 predefined_metric_specification {
39 predefined_metric_type = "DynamoDBReadCapacityUtilization"
40 }
41
42 target_value = 75
43 scale_in_cooldown = 300
44 scale_out_cooldown = 300
45 }
46}
Compliant example
1resource "aws_dynamodb_table" "basic-dynamodb-table" {
2 name = "GameScores"
3 attribute {
4 name = "UserId"
5 type = "S"
6 }
7 ttl {
8 attribute_name = "TimeToExist"
9 enabled = false
10 }
11 # Compliant: `point_in_time_recovery` is enabled.
12 point_in_time_recovery {
13 enabled = true
14 }
15 tags = {
16 Name = "dynamodb-table-1"
17 Environment = "production"
18 }
19 enabled = true
20 server_side_encryption {
21 enabled = true
22 kms_key_arn = "arn:aws:kms:us-west-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"
23 }
24}
25resource "aws_appautoscaling_target" "pass" {
26 resource_id = "table/${aws_dynamodb_table.basic-dynamodb-table.name}"
27 scalable_dimension = "dynamodb:table:ReadCapacityUnits"
28 service_namespace = "dynamodb"
29 min_capacity = 1
30 max_capacity = 15
31}
32
33resource "aws_appautoscaling_policy" "pass" {
34 name = "rcu-auto-scaling"
35 service_namespace = aws_appautoscaling_target.pass.service_namespace
36 scalable_dimension = aws_appautoscaling_target.pass.scalable_dimension
37 resource_id = aws_appautoscaling_target.pass.resource_id
38 policy_type = "TargetTrackingScaling"
39
40 target_tracking_scaling_policy_configuration {
41 predefined_metric_specification {
42 predefined_metric_type = "DynamoDBReadCapacityUtilization"
43 }
44
45 target_value = 75
46 scale_in_cooldown = 300
47 scale_out_cooldown = 300
48 }
49}