Incoming connections to Cloud SQL database instances should use SSL.
Stackdriver is the default logging solution for clusters deployed on GKE. GKE clusters should have logging enabled so that access can be audited.
Ensure that Cloud SQL database instances are not publicly accessible, to reduce the attack surface.
TF-AWS006: Opening up unwanted CIDR ranges (/0) to the public internet is generally to be avoided.
TF-AWS007: Opening up unwanted CIDR ranges (/0) to connect out to the public internet is generally to be avoided.
It is not recommended to use outdated/insecure TLS versions for encryption.
EKS cluster resources should have the encryption_config block set with protection of the secrets resource.
Node auto-upgrade keeps nodes up to date with the latest cluster master version when your master is updated on your behalf, and it should be enabled.
S3 buckets should block public ACLs on buckets and any objects they contain.
Ensure that Azure instances do not use basic authentication and prefer SSH-based authentication instead.
Ensure Azure AKS has RBAC (Role-based Access Control) enabled.
The "standard" tier in Azure Security Center enables threat detection for networks and virtual machines. Compared to the "free" tier, it provides greater defense in depth: threat intelligence, anomaly detection, and behavior analytics. It is highly recommended to opt for the "standard" tier instead of the "free" tier.
Authorized networks permit allowlisting of specific CIDR ranges and allow IP addresses in those ranges to access the cluster master endpoint using HTTPS. GKE uses TLS and authentication to secure access to the cluster master endpoint from the public Internet, giving you the flexibility to administer the cluster from anywhere. With authorized networks, you can further restrict that access to specified sets of IP addresses.
We recommend you enable "master authorized networks" in GKE clusters.
Warns against accidental exposure of internal assets.
TF-AWS008: Opening up unwanted CIDR ranges (/0) to the public internet is generally to be avoided.
TF-AWS009: Opening up unwanted CIDR ranges (/0) to the public internet is generally to be avoided.
It is not recommended to use outdated/insecure TLS versions for encryption.
Database resources should not be publicly available.
You should limit the provision of public IP addresses for resources.
You should not make secrets available to a user in plaintext in any scenario.