Custom Checkov policies for SOC2 compliance validation across AWS, GCP, Azure, and DigitalOcean infrastructure as code.
This repository contains comprehensive Checkov custom policies designed to validate Terraform configurations against SOC2 compliance requirements. The policies cover the five Trust Services Criteria:
- Security: Encryption, access controls, network security
- Availability: High availability, backup and recovery
- Processing Integrity: Monitoring, logging, audit trails
- Confidentiality: Data protection, encryption
- Privacy: Access controls, data isolation
Supported providers:
- AWS (Amazon Web Services)
- GCP (Google Cloud Platform)
- Azure (Microsoft Azure)
- DigitalOcean
Policy categories:

Encryption:
- Data at rest encryption (S3, EBS, RDS, GCS, Cloud SQL, etc.)
- Data in transit encryption (HTTPS/TLS for load balancers)
- Customer-managed encryption keys (CMEK)

Access Control:
- Password policies and MFA requirements
- Least privilege access
- Service account security
- SSH key enforcement
- Public access restrictions

Logging:
- Audit logging (CloudTrail, Cloud Logging)
- Access logs for storage and load balancers
- VPC flow logs
- Log retention policies
- Database audit logs

Network Security:
- Security group and firewall restrictions
- SSH/RDP access controls
- Public IP restrictions
- Network isolation and segmentation
- VPC configuration

Backup & Recovery:
- Automated backups
- Backup retention policies
- Point-in-time recovery
- High availability configurations
- Snapshot policies
Prerequisites:
- Python 3.7+
- Checkov installed (`pip install checkov`)
- Terraform configurations to scan
Installation:
- Clone or download this repository:

```bash
git clone <repository-url>
cd soc2-
```

- The policies are organized in the `checkov_policies/` directory by provider and category.
To scan your Terraform code with these custom SOC2 policies:

```bash
checkov -d /path/to/terraform/code --external-checks-dir ./checkov_policies
```

For AWS only:

```bash
checkov -d /path/to/terraform/code --external-checks-dir ./checkov_policies --framework terraform --check-pattern "CKV_SOC2_AWS_.*"
```

For GCP only:

```bash
checkov -d /path/to/terraform/code --external-checks-dir ./checkov_policies --framework terraform --check-pattern "CKV_SOC2_GCP_.*"
```

For Azure only:

```bash
checkov -d /path/to/terraform/code --external-checks-dir ./checkov_policies --framework terraform --check-pattern "CKV_SOC2_AZURE_.*"
```

For DigitalOcean only:

```bash
checkov -d /path/to/terraform/code --external-checks-dir ./checkov_policies --framework terraform --check-pattern "CKV_SOC2_DO_.*"
```

Generate reports in different formats:

```bash
# JSON output
checkov -d /path/to/terraform --external-checks-dir ./checkov_policies -o json

# JUnit XML (for CI/CD integration)
checkov -d /path/to/terraform --external-checks-dir ./checkov_policies -o junitxml

# SARIF (for GitHub integration)
checkov -d /path/to/terraform --external-checks-dir ./checkov_policies -o sarif
```

GitHub Actions workflow:

```yaml
name: SOC2 Compliance Check
on: [push, pull_request]
jobs:
  checkov:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Run Checkov
        uses: bridgecrewio/checkov-action@master
        with:
          directory: terraform/
          external_checks_dir: checkov_policies
          framework: terraform
          output_format: sarif
          soft_fail: false
```

GitLab CI job:

```yaml
soc2-compliance:
  stage: test
  image: bridgecrew/checkov:latest
  script:
    - checkov -d terraform/ --external-checks-dir checkov_policies --framework terraform
```

AWS policies:

| Policy ID | Description | Category |
|---|---|---|
| CKV_SOC2_AWS_001 | S3 bucket encryption | Encryption |
| CKV_SOC2_AWS_002 | EBS volume encryption | Encryption |
| CKV_SOC2_AWS_003 | RDS encryption | Encryption |
| CKV_SOC2_AWS_101 | IAM password policy | Access Control |
| CKV_SOC2_AWS_102 | IAM user MFA | Access Control |
| CKV_SOC2_AWS_201 | CloudTrail enabled | Logging |
| CKV_SOC2_AWS_301 | Security group ingress restrictions | Network Security |
| CKV_SOC2_AWS_401 | RDS backup retention | Backup & Recovery |

GCP policies:

| Policy ID | Description | Category |
|---|---|---|
| CKV_SOC2_GCP_001 | GCS bucket CMEK encryption | Encryption |
| CKV_SOC2_GCP_002 | Compute disk CMEK encryption | Encryption |
| CKV_SOC2_GCP_101 | Service account key rotation | Access Control |
| CKV_SOC2_GCP_201 | Project logging enabled | Logging |
| CKV_SOC2_GCP_301 | Firewall ingress restrictions | Network Security |
| CKV_SOC2_GCP_401 | Cloud SQL backups | Backup & Recovery |

Azure policies:

| Policy ID | Description | Category |
|---|---|---|
| CKV_SOC2_AZURE_001 | Storage Account encryption | Encryption |
| CKV_SOC2_AZURE_002 | Managed Disk encryption | Encryption |
| CKV_SOC2_AZURE_003 | SQL Database TDE | Encryption |
| CKV_SOC2_AZURE_004 | PostgreSQL SSL enforcement | Encryption |
| CKV_SOC2_AZURE_005 | MySQL SSL enforcement | Encryption |
| CKV_SOC2_AZURE_006 | CosmosDB encryption | Encryption |
| CKV_SOC2_AZURE_007 | Application Gateway HTTPS | Encryption |
| CKV_SOC2_AZURE_008 | Data Lake Store encryption | Encryption |
| CKV_SOC2_AZURE_009 | AKS disk encryption | Encryption |
| CKV_SOC2_AZURE_101 | Storage Account public access | Access Control |
| CKV_SOC2_AZURE_102 | Key Vault access policies | Access Control |
| CKV_SOC2_AZURE_103 | Key Vault public access | Access Control |
| CKV_SOC2_AZURE_104 | SQL Server Azure AD admin | Access Control |
| CKV_SOC2_AZURE_105 | PostgreSQL Azure AD auth | Access Control |
| CKV_SOC2_AZURE_106 | Container Registry admin | Access Control |
| CKV_SOC2_AZURE_107 | AKS RBAC enabled | Access Control |
| CKV_SOC2_AZURE_108 | AKS local accounts | Access Control |
| CKV_SOC2_AZURE_109 | Function App managed identity | Access Control |
| CKV_SOC2_AZURE_110 | App Service managed identity | Access Control |
| CKV_SOC2_AZURE_111 | VM password authentication | Access Control |
| CKV_SOC2_AZURE_201 | Storage Account logging | Logging |
| CKV_SOC2_AZURE_202 | Key Vault diagnostics | Logging |
| CKV_SOC2_AZURE_203 | SQL Server auditing | Logging |
| CKV_SOC2_AZURE_204 | PostgreSQL log checkpoints | Logging |
| CKV_SOC2_AZURE_205 | PostgreSQL log connections | Logging |
| CKV_SOC2_AZURE_206 | MySQL audit log | Logging |
| CKV_SOC2_AZURE_207 | AKS monitoring | Logging |
| CKV_SOC2_AZURE_208 | App Service logging | Logging |
| CKV_SOC2_AZURE_209 | Network Watcher flow log retention | Logging |
| CKV_SOC2_AZURE_210 | Log Analytics retention | Logging |
| CKV_SOC2_AZURE_301 | NSG SSH restrictions | Network Security |
| CKV_SOC2_AZURE_302 | NSG RDP restrictions | Network Security |
| CKV_SOC2_AZURE_303 | Subnet NSG association | Network Security |
| CKV_SOC2_AZURE_304 | SQL firewall rules | Network Security |
| CKV_SOC2_AZURE_305 | PostgreSQL firewall rules | Network Security |
| CKV_SOC2_AZURE_306 | AKS network policy | Network Security |
| CKV_SOC2_AZURE_307 | AKS authorized IP ranges | Network Security |
| CKV_SOC2_AZURE_308 | App Service VNet integration | Network Security |
| CKV_SOC2_AZURE_309 | Function App VNet integration | Network Security |
| CKV_SOC2_AZURE_401 | VM backup configuration | Backup & Recovery |
| CKV_SOC2_AZURE_402 | SQL Database backup retention | Backup & Recovery |
| CKV_SOC2_AZURE_403 | PostgreSQL backup retention | Backup & Recovery |
| CKV_SOC2_AZURE_404 | MySQL backup retention | Backup & Recovery |
| CKV_SOC2_AZURE_405 | Storage Account replication | Backup & Recovery |
| CKV_SOC2_AZURE_406 | Recovery Vault backup policy | Backup & Recovery |
| CKV_SOC2_AZURE_407 | SQL Database geo-replication | Backup & Recovery |
| CKV_SOC2_AZURE_408 | CosmosDB backup | Backup & Recovery |
| CKV_SOC2_AZURE_409 | AKS availability zones | Backup & Recovery |

DigitalOcean policies:

| Policy ID | Description | Category |
|---|---|---|
| CKV_SOC2_DO_001 | Volume encryption | Encryption |
| CKV_SOC2_DO_003 | Load balancer HTTPS | Encryption |
| CKV_SOC2_DO_101 | Droplet SSH keys | Access Control |
| CKV_SOC2_DO_201 | Kubernetes monitoring | Logging |
| CKV_SOC2_DO_301 | Firewall ingress restrictions | Network Security |
| CKV_SOC2_DO_401 | Droplet backups | Backup & Recovery |
See the `examples/terraform/` directory for example Terraform configurations that pass and fail these policies.

To customize policies for your organization:
- Edit the policy files in `checkov_policies/`
- Adjust thresholds (e.g., backup retention days, password length)
- Add new policies by creating new classes that inherit from `BaseResourceCheck`
Example custom policy:

```python
from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck
from checkov.common.models.enums import CheckResult, CheckCategories


class CustomSOC2Check(BaseResourceCheck):
    def __init__(self):
        name = "Your custom check description"
        id = "CKV_SOC2_CUSTOM_001"
        supported_resources = ['resource_type']
        categories = [CheckCategories.ENCRYPTION]
        guideline = "SOC2 guidance for this check"
        super().__init__(name=name, id=id, categories=categories,
                         supported_resources=supported_resources, guideline=guideline)

    def scan_resource_conf(self, conf, entity_type):
        # Your validation logic here: derive meets_requirements from the attribute values in conf
        if meets_requirements:
            return CheckResult.PASSED
        return CheckResult.FAILED


check_custom = CustomSOC2Check()
```

To suppress specific checks for valid exceptions:

```hcl
resource "aws_s3_bucket" "public_bucket" {
  #checkov:skip=CKV_SOC2_AWS_001:This bucket is intentionally public for static website hosting
  bucket = "my-public-bucket"
}
```

Alternatively, create `.checkov.yml`:

```yaml
skip-check:
  - CKV_SOC2_AWS_001  # Skip S3 encryption check
  - CKV_SOC2_GCP_103  # Skip GCS public access check
```

To add new policies:
- Create a new policy file or add to an existing provider file
- Follow the naming convention: `{provider}_{category}_policies.py`
- Use policy IDs in the format: `CKV_SOC2_{PROVIDER}_{CATEGORY_NUMBER}`
- Include clear descriptions and guidelines
- Add examples to the examples directory
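A complete, runnable version of the policy template above, added here as an illustration and not one of the policies shipped in this repository. It enforces a minimum `backup_retention_period` on `aws_db_instance` and handles the two inputs a real check meets in practice: an absent attribute and a value Checkov could not resolve (such as an unevaluated variable reference). The policy ID `CKV_SOC2_EXAMPLE_401`, the 7-day threshold, and the `ImportError` fallback (which only lets the validation logic run where Checkov is not installed) are assumptions of this example.

```python
try:
    from checkov.common.models.enums import CheckCategories, CheckResult
    from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck
except ImportError:  # fallback so the logic below can be exercised without Checkov installed
    from enum import Enum

    CheckResult = Enum("CheckResult", "PASSED FAILED UNKNOWN")
    CheckCategories = Enum("CheckCategories", "BACKUP_AND_RECOVERY")

    class BaseResourceCheck:
        def __init__(self, **kwargs):
            self.__dict__.update(kwargs)

MIN_RETENTION_DAYS = 7  # assumed threshold; adjust to your organisation's recovery objectives


def retention_period(conf):
    """Return backup_retention_period as an int, or None when absent or unresolvable.
    Checkov passes Terraform attributes to checks as single-element lists, so unwrap first."""
    value = conf.get("backup_retention_period")
    if isinstance(value, list) and value:
        value = value[0]
    if value is None or isinstance(value, bool):
        return None
    try:
        return int(value)
    except (TypeError, ValueError):  # e.g. "${var.retention_days}" left unresolved
        return None


class RdsBackupRetentionCheck(BaseResourceCheck):
    def __init__(self):
        super().__init__(
            name=f"Ensure RDS backup retention is at least {MIN_RETENTION_DAYS} days",
            id="CKV_SOC2_EXAMPLE_401",  # assumed ID in the CKV_SOC2_{PROVIDER}_{CATEGORY_NUMBER} format
            categories=[CheckCategories.BACKUP_AND_RECOVERY],
            supported_resources=["aws_db_instance"],
            guideline="SOC2 A1.2: retain automated backups long enough to meet recovery objectives",
        )

    def scan_resource_conf(self, conf, entity_type=None):
        self.evaluated_keys = ["backup_retention_period"]  # attribute reported with the finding
        days = retention_period(conf)
        if days is None:
            # Absent: the provider default applies, which is below the minimum, so fail.
            # Present but unresolvable: report UNKNOWN instead of guessing either way.
            return CheckResult.FAILED if "backup_retention_period" not in conf else CheckResult.UNKNOWN
        return CheckResult.PASSED if days >= MIN_RETENTION_DAYS else CheckResult.FAILED


check = RdsBackupRetentionCheck()
```

Note that a value of `0` disables automated backups entirely and is therefore failed like any other value below the threshold.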
These policies map to SOC2 Trust Services Criteria:
- CC6.1 - Logical and Physical Access Controls → Access Control Policies
- CC6.6 - Encryption of Data → Encryption Policies
- CC6.7 - Transmission of Data → Network Security Policies
- CC7.2 - Detection of System Failures → Monitoring & Logging Policies
- A1.2 - Backup and Recovery → Backup Policies
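The mapping above can be applied to a scan report automatically. The script below is an added example and not part of this repository: it reads `checkov -o json` output, derives each failed SOC2 check's category from the hundreds digit of its policy number (0xx Encryption, 1xx Access Control, 2xx Logging, 3xx Network Security, 4xx Backup & Recovery, as the policy tables above use it) and groups failures by Trust Services criterion. The embedded report is constructed sample data in the shape of Checkov's JSON output, not the result of a real scan.

```python
import json
import re

# Hundreds digit of the policy number -> (category, SOC2 criterion), following the
# CKV_SOC2_{PROVIDER}_{CATEGORY_NUMBER} convention and the criteria mapping above.
CATEGORY_TO_CRITERION = {
    0: ("Encryption", "CC6.6"),
    1: ("Access Control", "CC6.1"),
    2: ("Logging", "CC7.2"),
    3: ("Network Security", "CC6.7"),
    4: ("Backup & Recovery", "A1.2"),
}
POLICY_ID = re.compile(r"^CKV_SOC2_(?P<provider>[A-Z]+)_(?P<number>\d{3})$")


def criterion_for(check_id):
    """Return (category, criterion) for a SOC2 policy ID, or None for any other check."""
    match = POLICY_ID.match(check_id)
    if not match:
        return None
    return CATEGORY_TO_CRITERION.get(int(match.group("number")) // 100)


def summarise_failures(report_json):
    """Group failed checks from `checkov -o json` output by SOC2 criterion.
    Returns {criterion: [(check_id, resource), ...]} with criteria in sorted order."""
    report = json.loads(report_json)
    reports = report if isinstance(report, list) else [report]  # multi-framework scans emit a list
    grouped = {}
    for single in reports:
        for failed in single.get("results", {}).get("failed_checks", []):
            mapped = criterion_for(failed.get("check_id", ""))
            if mapped is None:
                continue  # Checkov's built-in checks are outside this SOC2 mapping
            grouped.setdefault(mapped[1], []).append((failed["check_id"], failed.get("resource", "?")))
    return dict(sorted(grouped.items()))


# Constructed sample in the shape of `checkov -o json` output; not output from a real scan.
SAMPLE_REPORT = json.dumps({
    "check_type": "terraform",
    "results": {
        "passed_checks": [{"check_id": "CKV_SOC2_AWS_001", "resource": "aws_s3_bucket.logs"}],
        "failed_checks": [
            {"check_id": "CKV_SOC2_AWS_401", "resource": "aws_db_instance.main", "file_path": "/rds.tf"},
            {"check_id": "CKV_SOC2_AZURE_304", "resource": "azurerm_sql_firewall_rule.allow_all", "file_path": "/sql.tf"},
            {"check_id": "CKV_SOC2_GCP_101", "resource": "google_service_account_key.ci", "file_path": "/iam.tf"},
            {"check_id": "CKV_AWS_18", "resource": "aws_s3_bucket.logs", "file_path": "/s3.tf"},
        ],
    },
})
```

Call `summarise_failures(open("results.json").read())` on a real report to get the same grouping; failures from Checkov's built-in checks are ignored because they carry no SOC2 category number.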
MIT License - See LICENSE file for details
For issues or questions:
- Open an issue in the repository
- Review the examples directory
- Check Checkov documentation: https://www.checkov.io/
Roadmap:
- Add support for Azure
- Include custom severity levels
- Add automated remediation suggestions
- Integrate with compliance frameworks (HIPAA, PCI-DSS)
- Add performance benchmarks