Products
In-IDE
IDE extension that lets you fix coding issues before they exist!
Discover SonarQube for IDE
SaaS
Setup is effortless and analysis is automatic for most languages
Discover SonarQube Cloud
Self-Hosted
Fast, accurate analysis; enterprise scalability
Discover SonarQube Server

Secrets
ABAP
Ansible
Apex
AzureResourceManager
C
C#
C++
CloudFormation
COBOL
CSS
Dart
Docker
Flex
Go
HTML
Java
JavaScript
JCL
Kotlin
Kubernetes
Objective C
PHP
PL/I
PL/SQL
Python
RPG
Ruby
Rust
Scala
Swift
Terraform
Text
TypeScript
T-SQL
VB.NET
VB6
XML

Terraform static code analysis

Unique rules to find Bugs, Vulnerabilities, Security Hotspots, and Code Smells in your TERRAFORM code

Tags

Impact

Clean code attribute

AWS resource tags should have valid format
Code Smell
Excluding users or groups activities from audit logs is security-sensitive
Security Hotspot
Defining a short log retention duration is security-sensitive
Security Hotspot
Unversioned Google Cloud Storage buckets are security-sensitive
Security Hotspot
Google Cloud load balancers SSL policies should not offer weak cipher suites
Vulnerability
Enabling Attribute-Based Access Control for Kubernetes is security-sensitive
Security Hotspot
Creating custom roles allowing privilege escalation is security-sensitive
Security Hotspot
Creating App Engine handlers without requiring TLS is security-sensitive
Security Hotspot
Excessive granting of GCP IAM permissions is security-sensitive
Security Hotspot
Enabling project-wide SSH keys to access VM instances is security-sensitive
Security Hotspot
Granting public access to GCP resources is security-sensitive
Security Hotspot
Creating GCP SQL instances without requiring TLS is security-sensitive
Security Hotspot
Creating DNS zones without DNSSEC enabled is security-sensitive
Security Hotspot
Creating keys without a rotation period is security-sensitive
Security Hotspot
Granting highly privileged GCP resource rights is security-sensitive
Security Hotspot
Using unencrypted cloud storages is security-sensitive
Security Hotspot
Azure role assignments that grant access to all resources of a subscription are security-sensitive
Security Hotspot
Azure custom roles should not grant subscription Owner capabilities
Vulnerability
Disabling Role-Based Access Control on Azure resources is security-sensitive
Security Hotspot
Disabling certificate-based authentication is security-sensitive
Security Hotspot
Assigning high privileges Azure Resource Manager built-in roles is security-sensitive
Security Hotspot
Authorizing anonymous access to Azure resources is security-sensitive
Security Hotspot
Enabling Azure resource-specific admin accounts is security-sensitive
Security Hotspot
Disabling Managed Identities for Azure resources is security-sensitive
Security Hotspot
Assigning high privileges Azure Active Directory built-in roles is security-sensitive
Security Hotspot
Defining a short backup retention duration is security-sensitive
Security Hotspot
Creating public APIs is security-sensitive
Security Hotspot
Using unencrypted EFS file systems is security-sensitive
Security Hotspot
Using unencrypted SQS queues is security-sensitive
Security Hotspot
Allowing public network access to cloud resources is security-sensitive
Security Hotspot
Using unencrypted SNS topics is security-sensitive
Security Hotspot
Administration services access should be restricted to specific IP addresses
Vulnerability
Using unencrypted SageMaker notebook instances is security-sensitive
Security Hotspot
AWS IAM policies should limit the scope of permissions given
Vulnerability
Using unencrypted Elasticsearch domains is security-sensitive
Security Hotspot
Policies granting access to all resources of an account are security-sensitive
Security Hotspot
Using unencrypted RDS DB resources is security-sensitive
Security Hotspot
Policies granting all privileges are security-sensitive
Security Hotspot
Allowing public ACLs or policies on a S3 bucket is security-sensitive
Security Hotspot
Using unencrypted EBS volumes is security-sensitive
Security Hotspot
AWS tag keys should comply with a naming convention
Code Smell
Policies authorizing public access to resources are security-sensitive
Security Hotspot
Granting access to S3 buckets to all or authenticated users is security-sensitive
Security Hotspot
Disabling logging is security-sensitive
Security Hotspot
Disabling S3 bucket MFA delete is security-sensitive
Security Hotspot
Disabling versioning of S3 buckets is security-sensitive
Security Hotspot
Authorizing HTTP communications with S3 buckets is security-sensitive
Security Hotspot
Disabling server-side encryption of S3 buckets is security-sensitive
Security Hotspot
Using clear-text protocols is security-sensitive
Security Hotspot
Weak SSL/TLS protocols should not be used
Vulnerability
Terraform parsing failure
Code Smell
Track uses of "TODO" tags
Code Smell

AWS tag keys should comply with a naming convention

consistency - identifiable

maintainability

Code Smell

aws
convention

Amazon Web Services (AWS) resources tags are metadata labels with keys and optional values used to categorize and manage resources.

Why is this an issue?

How can I fix it?

More Info

Proper tagging enhances resource discovery, lifecycle management, and overall productivity within the AWS environment.

This rule ensures that AWS tag keys adhere to a specified naming convention, facilitating effective resource management, cost tracking, security compliance, and automation.

Available In:

Catch issues on the fly,
in your IDE

Detect issues in your GitHub, Azure DevOps Services, Bitbucket Cloud, GitLab repositories

Analyze code in your
on-premise CI

Available Since
9.2

Analyze code in your
on-premise CI

Developer Edition
Available Since
9.2

© 2008-2025 SonarSource SA. All rights reserved. SONAR, SONARSOURCE, SONARQUBE, and CLEAN AS YOU CODE are trademarks of SonarSource SA.

Sonar helps developers write Clean Code.
Privacy Policy | Cookie Policy | Terms of Use

In-IDE

SaaS

Self-Hosted