The Aqua Cloud Terraform Scanner supports many of the most popular AWS, Azure, and GCP services. The scanner looks for many common security issues, including:

  • Sensitive data is not exposed in a local or block-level variable
  • AWS Resources are not deployed in EC2-Classic
  • AWS S3 bucket logging is enabled
  • AWS S3 bucket has properly configured ACLs to block public access
  • AWS S3 buckets are configured to use encryption
  • AWS security group ingress rules do not allow traffic from 0.0.0.0/0
  • AWS security group egress rules do not allow traffic to 0.0.0.0/0
  • AWS security group rules contain valid descriptions
  • AWS ELBs are configured to use TLS
  • AWS ELBs are configured to use updated TLS settings
  • AWS ELBs are not exposed publicly on non-web ports
  • AWS EBS volumes are configured to use encryption
  • AWS resources are not exposed via a public IP address
  • AWS RDS instance is not configured to be publicly accessible
  • AWS SQS queues use encryption
  • AWS SNS topics use encryption
  • AWS task definitions do not contain secrets as environment variables
  • AWS KMS keys are configured for rotation
  • AWS CloudFront does not allow insecure communication over HTTP
  • AWS CloudFront uses an up-to-date TLS protocol
  • Azure virtual machine disks are encrypted
  • Azure network security group ingress rules do not allow traffic from 0.0.0.0/0
  • Azure network security group egress rules do not allow traffic to 0.0.0.0/0
  • Azure data lakes are encrypted
  • GCP storage buckets are encrypted
  • GCP firewall ingress rules do not allow traffic from 0.0.0.0/0
  • GCP firewall egress rules do not allow traffic to 0.0.0.0/0
  • GCP ABAC permissions are not enabled
  • GCP instance compute disks are encrypted
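As an added illustration (not the scanner's own code and not part of the original page), the script below implements four of the AWS checks listed above over the JSON that `terraform show -json <planfile>` emits. The embedded plan document is a constructed sample, and the check ids are made-up labels, not the scanner's.

```python
import json

# Constructed sample of `terraform show -json` plan output (not real plan data):
# one open security group, one public-ACL bucket, one unencrypted EBS volume.
SAMPLE_PLAN = json.loads("""
{"planned_values": {"root_module": {"resources": [
  {"address": "aws_security_group.web", "type": "aws_security_group",
   "values": {"ingress": [{"from_port": 22, "to_port": 22, "protocol": "tcp",
                           "cidr_blocks": ["0.0.0.0/0"], "description": ""}],
              "egress": [{"from_port": 0, "to_port": 0, "protocol": "-1",
                          "cidr_blocks": ["10.0.0.0/8"], "description": "vpc only"}]}},
  {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
   "values": {"acl": "public-read"}},
  {"address": "aws_ebs_volume.data", "type": "aws_ebs_volume",
   "values": {"encrypted": false}},
  {"address": "aws_ebs_volume.safe", "type": "aws_ebs_volume",
   "values": {"encrypted": true}}
]}}}
""")

# Canned ACLs that grant read or write to everyone or to any AWS account.
PUBLIC_ACLS = {"public-read", "public-read-write", "authenticated-read"}

def iter_resources(plan):
    """Walk the root module and every nested module, yielding resource dicts."""
    stack = [plan["planned_values"]["root_module"]]
    while stack:
        mod = stack.pop()
        yield from mod.get("resources", [])
        stack.extend(mod.get("child_modules", []))

def scan_plan(plan):
    """Return (resource address, check id) findings, in plan order."""
    findings = []
    for r in iter_resources(plan):
        t, v, addr = r["type"], r.get("values", {}), r["address"]
        if t == "aws_security_group":
            for direction in ("ingress", "egress"):
                for rule in v.get(direction, []):
                    if "0.0.0.0/0" in rule.get("cidr_blocks", []):
                        findings.append((addr, f"sg-{direction}-open-to-world"))
                    if not rule.get("description"):
                        findings.append((addr, f"sg-{direction}-missing-description"))
        elif t == "aws_s3_bucket" and v.get("acl") in PUBLIC_ACLS:
            findings.append((addr, "s3-public-acl"))
        elif t == "aws_ebs_volume" and not v.get("encrypted"):
            findings.append((addr, "ebs-unencrypted"))
    return findings
```

Running `scan_plan(SAMPLE_PLAN)` reports the open SSH ingress rule (and its empty description), the public bucket ACL and the unencrypted volume, while the VPC-only egress rule and the encrypted volume produce nothing.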