Prompt
Cloud resources should be configured to restrict public network access by default to minimize potential attack surfaces. Always explicitly disable public-facing endpoints and network interfaces unless absolutely necessary for the service to function.
When implementing security checks for cloud resources:
- Use appropriate base classes such as BaseResourceValueCheck or BaseResourceNegativeValueCheck to verify that public access is disabled
- Check the correct property paths in the configuration (e.g., public_network_access_enabled, associate_public_ip_address)
- Handle default values correctly: many cloud resources enable public access by default, so an attribute that is simply omitted must not be treated as safe
- Validate all network-facing attributes (ports, protocols, IP ranges)
Example for AWS EMR:
from checkov.terraform.checks.resource.base_resource_value_check import BaseResourceValueCheck
from checkov.common.models.enums import CheckCategories


class EMRPubliclyAccessible(BaseResourceValueCheck):
    def __init__(self):
        name = "Ensure AWS EMR block public access setting is enabled"
        id = "CKV_AWS_390"
        supported_resources = ['aws_emr_block_public_access_configuration']
        categories = [CheckCategories.NETWORKING]
        # missing_block_result defaults to CheckResult.FAILED, so a resource that
        # omits the inspected attribute fails instead of passing silently.
        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)

    def get_inspected_key(self):
        # Compared against get_expected_value(), which defaults to True: the check
        # passes only when the flag is explicitly set to true.
        return "block_public_security_group_rules"


# Checkov's loader picks up the module-level instance.
check = EMRPubliclyAccessible()
For VM instances, database services, storage accounts, and container services, ensure you’re checking all network access points including public IPs, public endpoints, network rules, and default access policies.
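As an added illustration for the default-value point above (not Checkov's own code and not part of the original prompt), a dependency-free stand-in for Checkov's inspected-key / expected-value pattern: it mirrors Checkov's convention of wrapping parsed Terraform attribute values in one-element lists and treats a missing attribute as a failure, since the cloud default for these keys is public. The sample resource configs and the check names are constructed for the example.

```python
from enum import Enum
from typing import Any, Dict


class CheckResult(Enum):
    PASSED = "PASSED"
    FAILED = "FAILED"


class PublicAccessValueCheck:
    """Stand-in for Checkov's inspected-key / expected-value pattern.
    missing_block_result decides the outcome when the attribute is absent;
    for attributes whose cloud default is public, it must be FAILED.
    """

    def __init__(self, inspected_key: str, expected_value: Any,
                 missing_block_result: CheckResult = CheckResult.FAILED):
        self.inspected_key = inspected_key
        self.expected_value = expected_value
        self.missing_block_result = missing_block_result

    def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult:
        if self.inspected_key not in conf:
            # Absent attribute: the provider default applies, which is public
            # for these keys, so the conservative verdict is FAILED.
            return self.missing_block_result
        value = conf[self.inspected_key]
        # Checkov hands Terraform attribute values over as one-element lists.
        if isinstance(value, list) and len(value) == 1:
            value = value[0]
        return CheckResult.PASSED if value == self.expected_value else CheckResult.FAILED


# Azure: public_network_access_enabled defaults to true, so absence must fail.
AZURE_PUBLIC_NETWORK_CHECK = PublicAccessValueCheck("public_network_access_enabled", False)
# AWS EC2: an omitted associate_public_ip_address inherits the subnet setting;
# requiring an explicit false is the conservative reading the text calls for.
AWS_PUBLIC_IP_CHECK = PublicAccessValueCheck("associate_public_ip_address", False)

# Constructed sample resources in Checkov's parsed form (not real deployments).
SAMPLE_STORAGE_ACCOUNTS = {
    "azurerm_storage_account.open": {"public_network_access_enabled": [True]},
    "azurerm_storage_account.locked": {"public_network_access_enabled": [False]},
    "azurerm_storage_account.implicit": {"account_tier": ["Standard"]},
}


def scan_all(check: PublicAccessValueCheck, resources: Dict[str, Dict[str, Any]]) -> Dict[str, str]:
    # Returns resource address -> "PASSED"/"FAILED"; the implicit one fails.
    return {name: check.scan_resource_conf(conf).value for name, conf in resources.items()}
```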