{"id":13530972,"url":"https://github.com/bridgecrewio/cfngoat","last_synced_at":"2025-04-01T19:30:59.263Z","repository":{"id":37937566,"uuid":"258656556","full_name":"bridgecrewio/cfngoat","owner":"bridgecrewio","description":"Cfngoat is Bridgecrew's \"Vulnerable by Design\" Cloudformation repository. Cfngoat is a learning and training project that demonstrates how common configuration errors can find their way into production cloud environments.","archived":false,"fork":false,"pushed_at":"2024-08-05T22:09:01.000Z","size":83,"stargazers_count":94,"open_issues_count":10,"forks_count":625,"subscribers_count":9,"default_branch":"master","last_synced_at":"2025-03-30T11:02:07.563Z","etag":null,"topics":["aws-security","cloudformation","cloudsecurity","devsecops"],"latest_commit_sha":null,"homepage":"https://www.bridgecrew.io/","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/bridgecrewio.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-04-25T00:47:57.000Z","updated_at":"2025-03-28T19:31:47.000Z","dependencies_parsed_at":"2024-11-02T17:42:33.084Z","dependency_job_id":null,"html_url":"https://github.com/bridgecrewio/cfngoat","commit_stats":null,"previous_names":[],"tags_count":13,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bridgecrewio%2Fcfngoat","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bridgecrewio%2Fcfngoat/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bridgecrewio%2Fcfngoat/releases",
"manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bridgecrewio%2Fcfngoat/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/bridgecrewio","download_url":"https://codeload.github.com/bridgecrewio/cfngoat/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246700146,"owners_count":20819829,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws-security","cloudformation","cloudsecurity","devsecops"],"created_at":"2024-08-01T07:00:58.628Z","updated_at":"2025-04-01T19:30:54.254Z","avatar_url":"https://github.com/bridgecrewio.png","language":null,"funding_links":[],"categories":["Tools","Cloud Security"],"sub_categories":["Intentionally Vulnerable Applications"],"readme":"# Cfngoat - Vulnerable Cloudformation Template\n[![Maintained by Bridgecrew.io](https://img.shields.io/badge/maintained%20by-bridgecrew.io-blueviolet)](https://bridgecrew.io/?utm_source=github\u0026utm_medium=organic_oss\u0026utm_campaign=cfngoat)\n[![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/bridgecrewio/cfngoat/general)](https://www.bridgecrew.cloud/link/badge?vcs=github\u0026fullRepo=bridgecrewio%2Fcfngoat\u0026benchmark=INFRASTRUCTURE+SECURITY)\n[![CIS 
AWS](https://www.bridgecrew.cloud/badges/github/bridgecrewio/cfngoat/cis_aws)](https://www.bridgecrew.cloud/link/badge?vcs=github\u0026fullRepo=bridgecrewio%2Fcfngoat\u0026benchmark=CIS+AWS+V1.2)\n[![PCI-DSS](https://www.bridgecrew.cloud/badges/github/bridgecrewio/cfngoat/pci)](https://www.bridgecrew.cloud/link/badge?vcs=github\u0026fullRepo=bridgecrewio%2Fcfngoat\u0026benchmark=PCI-DSS+V3.2)\n[![SOC2](https://www.bridgecrew.cloud/badges/github/bridgecrewio/cfngoat/soc2)](https://www.bridgecrew.cloud/link/badge?vcs=github\u0026fullRepo=bridgecrewio%2Fcfngoat\u0026benchmark=SOC2)\n[![ISO](https://www.bridgecrew.cloud/badges/github/bridgecrewio/cfngoat/iso)](https://www.bridgecrew.cloud/link/badge?vcs=github\u0026fullRepo=bridgecrewio%2Fcfngoat\u0026benchmark=ISO27001)\n[![NIST-800-53](https://www.bridgecrew.cloud/badges/github/bridgecrewio/cfngoat/nist)](https://www.bridgecrew.cloud/link/badge?vcs=github\u0026fullRepo=bridgecrewio%2Fcfngoat\u0026benchmark=NIST-800-53)\n[![slack-community](https://img.shields.io/badge/Slack-4A154B?style=plastic\u0026logo=slack\u0026logoColor=white)](https://slack.bridgecrew.io/)\n\n\nCfngoat is one of Bridgecrew's \"Vulnerable by Design\" Infrastructure as Code repositories, a learning and training project that demonstrates how common configuration errors can find their way into production cloud environments.\n\n![Cfngoat](.github/cfngoat-removebg-preview.png)\n\nIt's an ideal companion for testing build-time Infrastructure as Code scanning tools, such as [Bridgecrew](https://bridgecrew.io/) \u0026 [Checkov](https://checkov.io) \n\n## Table of Contents\n\n* [Introduction](#introduction)\n* [Installation](#Installation)\n* [Contributing](#contributing)\n* [Support](#support)\n\n## Introduction\n\nCfngoat was built to enable DevSecOps to design and implement a sustainable misconfiguration prevention strategy. 
It can be used to test a policy-as-code framework like [Bridgecrew](https://bridgecrew.io/?utm_source=github\u0026utm_medium=organic_oss\u0026utm_campaign=cfngoat) \u0026 [Checkov](https://github.com/bridgecrewio/checkov/), inline-linters, pre-commit hooks or other code scanning methods.\n\nCfngoat follows the tradition of existing *Goat projects that provide a baseline training ground to practice implementing secure development best practices for cloud infrastructure.\n\n\n## Installation\n \n```bash\naws cloudformation create-stack --stack-name cfngoat --template-body file://cfngoat.yaml --region us-east-1 --parameters ParameterKey=Password,ParameterValue=MyPassword10 --capabilities CAPABILITY_NAMED_IAM\n```\n\nExpect provisioning to take at least 5 minutes.  \n\nMultiple stacks can be deployed simultaneously by changing the `--stack-name` and adding an `Environment` parameter:\n\n```bash\naws cloudformation create-stack --stack-name cfngoat2 --template-body file://cfngoat.yaml --region us-east-1 --parameters ParameterKey=Password,ParameterValue=MyPassword10 ParameterKey=Environment,ParameterValue=dev2 --capabilities CAPABILITY_NAMED_IAM\n```\n\n## Important notes\n\n* **Where to get help:** the [Bridgecrew Community Slack](https://slack.bridgecrew.io/?utm_source=github\u0026utm_medium=organic_oss\u0026utm_campaign=cfngoat)\n\nBefore you proceed, please take note of this warning:\n\u003e :warning: Cfngoat creates intentionally vulnerable AWS resources in your account. 
**DO NOT deploy Cfngoat in a production environment or alongside any sensitive AWS resources.**\n\n## Requirements\n\n* aws cli\n\n\n## Bridgecrew's IaC herd of goats\n\n* [CfnGoat](https://github.com/bridgecrewio/cfngoat) - Vulnerable by design Cloudformation template\n* [TerraGoat](https://github.com/bridgecrewio/terragoat) - Vulnerable by design Terraform stack\n* [CDKGoat](https://github.com/bridgecrewio/cdkgoat) - Vulnerable by design CDK application\n\n## Contributing\n\nContribution is welcomed!\n\nWe would love to hear about more ideas on how to find vulnerable infrastructure-as-code design patterns.\n\n## Support\n\n[Bridgecrew](https://bridgecrew.io/?utm_source=github\u0026utm_medium=organic_oss\u0026utm_campaign=cfngoat) builds and maintains Cfngoat to encourage the adoption of policy-as-code.\n\nIf you need direct support you can contact us at [info@bridgecrew.io](mailto:info@bridgecrew.io).\n\n## Existing vulnerabilities (Auto-Generated)\n\n|    | check_id    | file          | resource                                  | check_name                                                                                                                                                                                               | guideline                                                                                                                    |\n|----|-------------|---------------|-------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------|\n|  0 | CKV_AWS_46  | /cfngoat.yaml | AWS::EC2::Instance.EC2Instance            | Ensure no hard-coded secrets exist in EC2 user data                                                                            
                                                                          | https://docs.bridgecrew.io/docs/bc_aws_secrets_1                                                                             |\n|  1 | CKV_AWS_3   | /cfngoat.yaml | AWS::EC2::Volume.WebHostStorage           | Ensure all data stored in the EBS is securely encrypted                                                                                                                                                  | https://docs.bridgecrew.io/docs/general_3-encrypt-eps-volume                                                                 |\n|  2 | CKV_AWS_24  | /cfngoat.yaml | AWS::EC2::SecurityGroup.WebNodeSG         | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22                                                                                                                                        | https://docs.bridgecrew.io/docs/networking_1-port-security                                                                   |\n|  3 | CKV_AWS_23  | /cfngoat.yaml | AWS::EC2::SecurityGroup.WebNodeSG         | Ensure every security groups rule has a description                                                                                                                                                      | https://docs.bridgecrew.io/docs/networking_31                                                                                |\n|  4 | CKV_AWS_18  | /cfngoat.yaml | AWS::S3::Bucket.FlowBucket                | Ensure the S3 bucket has access logging enabled                                                                                                                                                          | https://docs.bridgecrew.io/docs/s3_13-enable-logging                                                                         |\n|  5 | CKV_AWS_21  | /cfngoat.yaml | AWS::S3::Bucket.FlowBucket                | Ensure the S3 bucket has versioning enabled                        
                                                                                                                                      | https://docs.bridgecrew.io/docs/s3_16-enable-versioning                                                                      |\n|  6 | CKV_AWS_53  | /cfngoat.yaml | AWS::S3::Bucket.FlowBucket                | Ensure S3 bucket has block public ACLS enabled                                                                                                                                                           | https://docs.bridgecrew.io/docs/bc_aws_s3_19                                                                                 |\n|  7 | CKV_AWS_55  | /cfngoat.yaml | AWS::S3::Bucket.FlowBucket                | Ensure S3 bucket has ignore public ACLs enabled                                                                                                                                                          | https://docs.bridgecrew.io/docs/bc_aws_s3_21                                                                                 |\n|  8 | CKV_AWS_19  | /cfngoat.yaml | AWS::S3::Bucket.FlowBucket                | Ensure the S3 bucket has server-side-encryption enabled                                                                                                                                                  | https://docs.bridgecrew.io/docs/s3_14-data-encrypted-at-rest                                                                 |\n|  9 | CKV_AWS_56  | /cfngoat.yaml | AWS::S3::Bucket.FlowBucket                | Ensure S3 bucket has 'restrict_public_bucket' enabled                                                                                                                                                    | https://docs.bridgecrew.io/docs/bc_aws_s3_22                                                                                 |\n| 10 | CKV_AWS_54  | /cfngoat.yaml | AWS::S3::Bucket.FlowBucket                | Ensure 
S3 bucket has block public policy enabled                                                                                                                                                         | https://docs.bridgecrew.io/docs/bc_aws_s3_20                                                                                 |\n| 11 | CKV_AWS_107 | /cfngoat.yaml | AWS::IAM::Policy.UserPolicy               | Ensure IAM policies does not allow credentials exposure                                                                                                                                                  | https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-credentials-exposure                                        |\n| 12 | CKV_AWS_111 | /cfngoat.yaml | AWS::IAM::Policy.UserPolicy               | Ensure IAM policies does not allow write access without constraints                                                                                                                                      | https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-write-access-without-constraint                             |\n| 13 | CKV_AWS_108 | /cfngoat.yaml | AWS::IAM::Policy.UserPolicy               | Ensure IAM policies does not allow data exfiltration                                                                                                                                                     | https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-data-exfiltration                                           |\n| 14 | CKV_AWS_109 | /cfngoat.yaml | AWS::IAM::Policy.UserPolicy               | Ensure IAM policies does not allow permissions management without constraints                                                                                                                            | https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint |\n| 15 | CKV_AWS_40  | 
/cfngoat.yaml | AWS::IAM::Policy.UserPolicy               | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | https://docs.bridgecrew.io/docs/iam_16-iam-policy-privileges-1                                                               |\n| 16 | CKV_AWS_110 | /cfngoat.yaml | AWS::IAM::Policy.UserPolicy               | Ensure IAM policies does not allow privilege escalation                                                                                                                                                  | https://docs.bridgecrew.io/docs/ensure-iam-policies-does-not-allow-privilege-escalation                                      |\n| 17 | CKV_AWS_7   | /cfngoat.yaml | AWS::KMS::Key.LogsKey                     | Ensure rotation for customer created CMKs is enabled                                                                                                                                                     | https://docs.bridgecrew.io/docs/logging_8                                                                                    |\n| 18 | CKV_AWS_16  | /cfngoat.yaml | AWS::RDS::DBInstance.DefaultDB            | Ensure all data stored in the RDS is securely encrypted at rest                                                                                                                                          | https://docs.bridgecrew.io/docs/general_4                                                                                    |\n| 19 | CKV_AWS_157 | /cfngoat.yaml | AWS::RDS::DBInstance.DefaultDB            | Ensure that RDS instances have Multi-AZ enabled                                                                                                                                                          | https://docs.bridgecrew.io/docs/general_73                                               
                                    |\n| 20 | CKV_AWS_17  | /cfngoat.yaml | AWS::RDS::DBInstance.DefaultDB            | Ensure all data stored in RDS is not publicly accessible                                                                                                                                                 | https://docs.bridgecrew.io/docs/public_2                                                                                     |\n| 21 | CKV_AWS_23  | /cfngoat.yaml | AWS::EC2::SecurityGroup.DefaultSG         | Ensure every security groups rule has a description                                                                                                                                                      | https://docs.bridgecrew.io/docs/networking_31                                                                                |\n| 22 | CKV_AWS_107 | /cfngoat.yaml | AWS::IAM::Policy.EC2Policy                | Ensure IAM policies does not allow credentials exposure                                                                                                                                                  | https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-credentials-exposure                                        |\n| 23 | CKV_AWS_111 | /cfngoat.yaml | AWS::IAM::Policy.EC2Policy                | Ensure IAM policies does not allow write access without constraints                                                                                                                                      | https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-write-access-without-constraint                             |\n| 24 | CKV_AWS_108 | /cfngoat.yaml | AWS::IAM::Policy.EC2Policy                | Ensure IAM policies does not allow data exfiltration                                                                                                                                                     | 
https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-data-exfiltration                                           |\n| 25 | CKV_AWS_109 | /cfngoat.yaml | AWS::IAM::Policy.EC2Policy                | Ensure IAM policies does not allow permissions management without constraints                                                                                                                            | https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint |\n| 26 | CKV_AWS_116 | /cfngoat.yaml | AWS::Lambda::Function.AnalysisLambda      | Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)                                                                                                                               | https://docs.bridgecrew.io/docs/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq                    |\n| 27 | CKV_AWS_173 | /cfngoat.yaml | AWS::Lambda::Function.AnalysisLambda      | Check encryption settings for Lambda environmental variable                                                                                                                                              | https://docs.bridgecrew.io/docs/bc_aws_serverless_5                                                                          |\n| 28 | CKV_AWS_45  | /cfngoat.yaml | AWS::Lambda::Function.AnalysisLambda      | Ensure no hard-coded secrets exist in lambda environment                                                                                                                                                 | https://docs.bridgecrew.io/docs/bc_aws_secrets_3                                                                             |\n| 29 | CKV_AWS_18  | /cfngoat.yaml | AWS::S3::Bucket.DataBucket                | Ensure the S3 bucket has access logging enabled                                                                                                
                                                          | https://docs.bridgecrew.io/docs/s3_13-enable-logging                                                                         |\n| 30 | CKV_AWS_20  | /cfngoat.yaml | AWS::S3::Bucket.DataBucket                | Ensure the S3 bucket does not allow READ permissions to everyone                                                                                                                                         | https://docs.bridgecrew.io/docs/s3_1-acl-read-permissions-everyone                                                           |\n| 31 | CKV_AWS_21  | /cfngoat.yaml | AWS::S3::Bucket.DataBucket                | Ensure the S3 bucket has versioning enabled                                                                                                                                                              | https://docs.bridgecrew.io/docs/s3_16-enable-versioning                                                                      |\n| 32 | CKV_AWS_53  | /cfngoat.yaml | AWS::S3::Bucket.DataBucket                | Ensure S3 bucket has block public ACLS enabled                                                                                                                                                           | https://docs.bridgecrew.io/docs/bc_aws_s3_19                                                                                 |\n| 33 | CKV_AWS_55  | /cfngoat.yaml | AWS::S3::Bucket.DataBucket                | Ensure S3 bucket has ignore public ACLs enabled                                                                                                                                                          | https://docs.bridgecrew.io/docs/bc_aws_s3_21                                                                                 |\n| 34 | CKV_AWS_19  | /cfngoat.yaml | AWS::S3::Bucket.DataBucket                | Ensure the S3 bucket has server-side-encryption enabled                            
                                                                                                                      | https://docs.bridgecrew.io/docs/s3_14-data-encrypted-at-rest                                                                 |\n| 35 | CKV_AWS_56  | /cfngoat.yaml | AWS::S3::Bucket.DataBucket                | Ensure S3 bucket has 'restrict_public_bucket' enabled                                                                                                                                                    | https://docs.bridgecrew.io/docs/bc_aws_s3_22                                                                                 |\n| 36 | CKV_AWS_54  | /cfngoat.yaml | AWS::S3::Bucket.DataBucket                | Ensure S3 bucket has block public policy enabled                                                                                                                                                         | https://docs.bridgecrew.io/docs/bc_aws_s3_20                                                                                 |\n| 37 | CKV_AWS_18  | /cfngoat.yaml | AWS::S3::Bucket.FinancialsBucket          | Ensure the S3 bucket has access logging enabled                                                                                                                                                          | https://docs.bridgecrew.io/docs/s3_13-enable-logging                                                                         |\n| 38 | CKV_AWS_21  | /cfngoat.yaml | AWS::S3::Bucket.FinancialsBucket          | Ensure the S3 bucket has versioning enabled                                                                                                                                                              | https://docs.bridgecrew.io/docs/s3_16-enable-versioning                                                                      |\n| 39 | CKV_AWS_53  | /cfngoat.yaml | AWS::S3::Bucket.FinancialsBucket          | Ensure S3 bucket has 
block public ACLS enabled                                                                                                                                                           | https://docs.bridgecrew.io/docs/bc_aws_s3_19                                                                                 |\n| 40 | CKV_AWS_55  | /cfngoat.yaml | AWS::S3::Bucket.FinancialsBucket          | Ensure S3 bucket has ignore public ACLs enabled                                                                                                                                                          | https://docs.bridgecrew.io/docs/bc_aws_s3_21                                                                                 |\n| 41 | CKV_AWS_19  | /cfngoat.yaml | AWS::S3::Bucket.FinancialsBucket          | Ensure the S3 bucket has server-side-encryption enabled                                                                                                                                                  | https://docs.bridgecrew.io/docs/s3_14-data-encrypted-at-rest                                                                 |\n| 42 | CKV_AWS_56  | /cfngoat.yaml | AWS::S3::Bucket.FinancialsBucket          | Ensure S3 bucket has 'restrict_public_bucket' enabled                                                                                                                                                    | https://docs.bridgecrew.io/docs/bc_aws_s3_22                                                                                 |\n| 43 | CKV_AWS_54  | /cfngoat.yaml | AWS::S3::Bucket.FinancialsBucket          | Ensure S3 bucket has block public policy enabled                                                                                                                                                         | https://docs.bridgecrew.io/docs/bc_aws_s3_20                                                                                 |\n| 44 | CKV_AWS_18  | /cfngoat.yaml | 
AWS::S3::Bucket.OperationsBucket          | Ensure the S3 bucket has access logging enabled                                                                                                                                                          | https://docs.bridgecrew.io/docs/s3_13-enable-logging                                                                         |\n| 45 | CKV_AWS_53  | /cfngoat.yaml | AWS::S3::Bucket.OperationsBucket          | Ensure S3 bucket has block public ACLS enabled                                                                                                                                                           | https://docs.bridgecrew.io/docs/bc_aws_s3_19                                                                                 |\n| 46 | CKV_AWS_55  | /cfngoat.yaml | AWS::S3::Bucket.OperationsBucket          | Ensure S3 bucket has ignore public ACLs enabled                                                                                                                                                          | https://docs.bridgecrew.io/docs/bc_aws_s3_21                                                                                 |\n| 47 | CKV_AWS_19  | /cfngoat.yaml | AWS::S3::Bucket.OperationsBucket          | Ensure the S3 bucket has server-side-encryption enabled                                                                                                                                                  | https://docs.bridgecrew.io/docs/s3_14-data-encrypted-at-rest                                                                 |\n| 48 | CKV_AWS_56  | /cfngoat.yaml | AWS::S3::Bucket.OperationsBucket          | Ensure S3 bucket has 'restrict_public_bucket' enabled                                                                                                                                                    | https://docs.bridgecrew.io/docs/bc_aws_s3_22                                                             
                    |\n| 49 | CKV_AWS_54  | /cfngoat.yaml | AWS::S3::Bucket.OperationsBucket          | Ensure S3 bucket has block public policy enabled                                                                                                                                                         | https://docs.bridgecrew.io/docs/bc_aws_s3_20                                                                                 |\n| 50 | CKV_AWS_53  | /cfngoat.yaml | AWS::S3::Bucket.DataScienceBucket         | Ensure S3 bucket has block public ACLS enabled                                                                                                                                                           | https://docs.bridgecrew.io/docs/bc_aws_s3_19                                                                                 |\n| 51 | CKV_AWS_55  | /cfngoat.yaml | AWS::S3::Bucket.DataScienceBucket         | Ensure S3 bucket has ignore public ACLs enabled                                                                                                                                                          | https://docs.bridgecrew.io/docs/bc_aws_s3_21                                                                                 |\n| 52 | CKV_AWS_19  | /cfngoat.yaml | AWS::S3::Bucket.DataScienceBucket         | Ensure the S3 bucket has server-side-encryption enabled                                                                                                                                                  | https://docs.bridgecrew.io/docs/s3_14-data-encrypted-at-rest                                                                 |\n| 53 | CKV_AWS_56  | /cfngoat.yaml | AWS::S3::Bucket.DataScienceBucket         | Ensure S3 bucket has 'restrict_public_bucket' enabled                                                                                                                                                    | https://docs.bridgecrew.io/docs/bc_aws_s3_22 
                                                                                |\n| 54 | CKV_AWS_54  | /cfngoat.yaml | AWS::S3::Bucket.DataScienceBucket         | Ensure S3 bucket has block public policy enabled                                                                                                                                                         | https://docs.bridgecrew.io/docs/bc_aws_s3_20                                                                                 |\n| 55 | CKV_AWS_18  | /cfngoat.yaml | AWS::S3::Bucket.LogsBucket                | Ensure the S3 bucket has access logging enabled                                                                                                                                                          | https://docs.bridgecrew.io/docs/s3_13-enable-logging                                                                         |\n| 56 | CKV_AWS_53  | /cfngoat.yaml | AWS::S3::Bucket.LogsBucket                | Ensure S3 bucket has block public ACLS enabled                                                                                                                                                           | https://docs.bridgecrew.io/docs/bc_aws_s3_19                                                                                 |\n| 57 | CKV_AWS_55  | /cfngoat.yaml | AWS::S3::Bucket.LogsBucket                | Ensure S3 bucket has ignore public ACLs enabled                                                                                                                                                          | https://docs.bridgecrew.io/docs/bc_aws_s3_21                                                                                 |\n| 58 | CKV_AWS_56  | /cfngoat.yaml | AWS::S3::Bucket.LogsBucket                | Ensure S3 bucket has 'restrict_public_bucket' enabled                                                                                                                                       
             | https://docs.bridgecrew.io/docs/bc_aws_s3_22                                                                                 |\n| 59 | CKV_AWS_54  | /cfngoat.yaml | AWS::S3::Bucket.LogsBucket                | Ensure S3 bucket has block public policy enabled                                                                                                                                                         | https://docs.bridgecrew.io/docs/bc_aws_s3_20                                                                                 |\n| 60 | CKV_AWS_111 | /cfngoat.yaml | AWS::IAM::Role.CleanupRole                | Ensure IAM policies does not allow write access without constraints                                                                                                                                      | https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-write-access-without-constraint                             |\n| 61 | CKV_AWS_108 | /cfngoat.yaml | AWS::IAM::Role.CleanupRole                | Ensure IAM policies does not allow data exfiltration                                                                                                                                                     | https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-data-exfiltration                                           |\n| 62 | CKV_AWS_116 | /cfngoat.yaml | AWS::Lambda::Function.CleanBucketFunction | Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)                                                                                                                               | https://docs.bridgecrew.io/docs/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq                    |\n| 63 | CKV_AWS_58  | /eks.yaml     | AWS::EKS::Cluster.EKSCluster              | Ensure EKS Cluster has Secrets Encryption Enabled                                                                               
                                                                         | https://docs.bridgecrew.io/docs/bc_aws_kubernetes_3                                                                          |\n\n\n---\n\n\n|    | check_id     | file          | resource                                 | check_name                 | guideline                                     |\n|----|--------------|---------------|------------------------------------------|----------------------------|-----------------------------------------------|\n|  0 | CKV_SECRET_2 | /cfngoat.yaml | 25910f981e85ca04baf359199dd0bd4a3ae738b6 | AWS Access Key             | https://docs.bridgecrew.io/docs/git_secrets_2 |\n|  1 | CKV_SECRET_6 | /cfngoat.yaml | d70eab08607a4d05faa2d0d6647206599e9abc65 | Base64 High Entropy String | https://docs.bridgecrew.io/docs/git_secrets_6 |\n\n\n---\n\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbridgecrewio%2Fcfngoat","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbridgecrewio%2Fcfngoat","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbridgecrewio%2Fcfngoat/lists"}