This page lists all Terraform queries, classified by severity level.
Query | Category | Description | Help |
---|---|---|---|
S3 Bucket Allows Get Action From All Principals 1df37f4b-7197-45ce-83f8-9994d2fcf885 | Access Control | S3 buckets must not allow the Get action from all principals, since that leaks the bucket's contents to the entire internet. This means 'Effect' must not be 'Allow' when the 'Action' is a Get action and the 'Principal' is everyone ('*'). | Documentation |
S3 Bucket Allows Public Policy 1a4bc881-9f69-4d44-8c9a-d37d08f54c50 | Access Control | S3 bucket is not configured to block public bucket policies. | Documentation |
S3 Bucket With Any Principal 7af43613-6bb9-4a0e-8c4d-1314b799425e | Access Control | S3 buckets must not allow actions from all principals, to prevent leaking private information to the entire internet or allowing unauthorized data tampering or deletion. This means 'Effect' must not be 'Allow' when the 'Principal' is everyone ('*'). | Documentation |
S3 Bucket Allows Delete Action From All Principals ffdf4b37-7703-4dfe-a682-9d2e99bc6c09 | Access Control | S3 buckets must not allow the Delete action from all principals, since that lets anyone on the internet delete objects. This means 'Effect' must not be 'Allow' when the 'Action' is a Delete action and the 'Principal' is everyone ('*'). | Documentation |
IAM Role With Full Privileges b1ffa705-19a3-4b73-b9d0-0c97d0663842 | Access Control | IAM role policy that allows full administrative privileges (all actions on all resources). | Documentation |
ECS Service Admin Role is Present 3206240f-2e87-4e58-8d24-3e19e7c83d7c | Access Control | ECS services must not run with an admin role, which means the 'iam_role' attribute must not reference an admin role. | Documentation |
SQS Queue Exposed abb06e5f-ef9a-4a99-98c6-376d396bfcdf | Access Control | Checks whether the SQS queue is exposed to everyone. | Documentation |
S3 Bucket Allows Put Action From All Principals d24c0755-c028-44b1-b503-8e719c898832 | Access Control | S3 buckets must not allow the Put action from all principals, since that lets anyone on the internet upload or overwrite objects (data tampering). This means 'Effect' must not be 'Allow' when the 'Action' is a Put action and the 'Principal' is everyone ('*'). | Documentation |
S3 Bucket Allows List Action From All Principals 66c6f96f-2d9e-417e-a998-9058aeeecd44 | Access Control | S3 buckets must not allow the List action from all principals, since that lets anyone enumerate the bucket's objects. This means 'Effect' must not be 'Allow' when the 'Action' is a List action and the 'Principal' is everyone ('*'). | Documentation |
S3 Bucket Allows Write_ACP Action From All Principals 64a222aa-7793-4e40-915f-4b302c76e4d4 | Access Control | S3 buckets must not allow the Write_ACP action from all principals, since that lets anyone rewrite the bucket ACL and grant themselves any other permission. This means 'Effect' must not be 'Allow' when the 'Action' is Write_ACP and the 'Principal' is everyone ('*'). | Documentation |
All Auth Users Get Read Access 57b9893d-33b1-4419-bcea-a717ea87e139 | Access Control | The bucket grants read access to all authenticated users, i.e. to any AWS account, not only your own. Misconfigured S3 buckets can leak private information to the entire internet or allow unauthorized data tampering or deletion. | Documentation |
BigQuery Dataset Is Public e576ce44-dd03-4022-a8c0-3906acca2ab4 | Access Control | BigQuery dataset is anonymously or publicly accessible. | Documentation |
OSLogin Is Disabled 32ecd6eb-0711-421f-9627-1a28d9eff217 | Access Control | Verifies that OS Login is enabled. | Documentation |
Cloud Storage Bucket With Public Access c010082c-76e0-4b91-91d9-6e8439e455dd | Access Control | Cloud Storage bucket is anonymously or publicly accessible. | Documentation |
VM with Full Cloud Access bc280331-27b9-4acb-a010-018e8098aa5d | Access Control | A VM instance is configured to use the default service account with full access to all Cloud APIs. | Documentation |
Master Authentication is Disabled 1baba08e-3c8a-4be7-95eb-dced5833de21 | Access Control | Kubernetes Engine clusters must have master authentication enabled, which means the 'master_auth' attribute must have the sub-attributes 'username' and 'password' defined and not empty. (Note that this conflicts with the 'GKE Basic Authentication is Enabled' query below; basic authentication is deprecated on GKE, so prefer that query's recommendation of leaving username and password empty.) | Documentation |
Role Assignment Of Guest Users 2bc626a8-0751-446f-975d-8139214fc790 | Access Control | A role is assigned to a guest user. | Documentation |
Storage Container with Public Access dd5230f8-a577-4bbb-b7ac-f2c2fe7d5299 | Access Control | Anonymous public read access to a container and its blobs is enabled in Azure Blob Storage. | Documentation |
Admin user is enabled for Container Registry b897dfbf-322c-45a8-b67c-1e698beeaa51 | Access Control | The admin user is enabled for the Azure Container Registry. | Documentation |
SQL Database Backup Configuration Disabled cf3c7631-cd1e-42f3-8801-a561214a6e79 | Backup | Checks if backup configuration is enabled for all Cloud SQL database instances. | Documentation |
Geo Redundancy Is Disabled 8b042c30-e441-453f-b162-7696982ebc58 | Backup | Make sure that geo-redundant backups are enabled on PostgreSQL. | Documentation |
EBS Volume Clusters Not Encrypted cc997676-481b-4e93-aa81-d19f8c5e9b12 | Encryption | AWS EBS volume cluster encryption must be set to true. | Documentation |
Memcached Disabled 4bd15dd9-8d5e-4008-8532-27eb0c3706d3 | Encryption | Check if Memcached is disabled on ElastiCache. | Documentation |
DB Instance Storage Not Encrypted 08bd0760-8752-44e1-9779-7bb369b2b4e4 | Encryption | The 'storage_encrypted' parameter in aws_db_instance must be true (the default is false). | Documentation |
Redis Not Compliant 254c932d-e3bf-44b2-bc9d-eb5fdb09f8d4 | Encryption | Check if the Redis version is compliant with the AWS PCI DSS requirements. | Documentation |
Secure Ciphers Not Used 5c0003fb-9aa0-42c1-9da3-eb0e332bef21 | Encryption | Check if CloudFront is configured with ciphers that are not secure. | Documentation |
EBS Volume Snapshot Not Encrypted e6b4b943-6883-47a9-9739-7ada9568f8ca | Encryption | AWS EBS volume snapshot encryption must be set to true. | Documentation |
Kinesis Not Encrypted With KMS 862fe4bf-3eec-4767-a517-40f378886b88 | Encryption | AWS Kinesis streams and their metadata should be protected with KMS. | Documentation |
Redshift Not Encrypted cfdcabb0-fc06-427c-865b-c59f13e898ce | Encryption | Check if the 'encrypted' field is false or undefined (the default is false). | Documentation |
User Data Base64 Contains Encoded Private Key 443488f5-c734-460b-a36d-5b3f330174dc | Encryption | 'user_data_base64' contains a base64-encoded RSA private key. | Documentation |
Base64 Shell Script Is Encoded 9cf718ce-46f9-430e-89ec-c456f8b469ee | Encryption | A shell script is passed base64-encoded in the instance user data. | Documentation |
EBS Encryption Disabled 3d3f6270-546b-443c-adb4-bb6fb2187ca6 | Encryption | EBS encryption should be enabled. | Documentation |
ECS Task Definition Container Has Password d40210ea-64b9-4cce-a4fb-e8604f3c062c | Encryption | It is not recommended to pass sensitive information such as credentials through plaintext environment variables. | Documentation |
ELB Using Weak Ciphers 4a800e14-c94a-442d-9067-5a2e9f6c0a4c | Encryption | ELB predefined or custom security policies must not use weak ciphers, to reduce the risk of the TLS connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not match any entry in a predefined list of weak ciphers. | Documentation |
Kinesis SSE Not Configured 5c6dd5e7-1fe0-4cae-8f81-4c122717cef3 | Encryption | AWS Kinesis data at rest should have server-side encryption (SSE) enabled. | Documentation |
EFS Is Not Encrypted 48207659-729f-4b5c-9402-f884257d794f | Encryption | Elastic File System (EFS) must be encrypted. | Documentation |
Launch Configuration Is Not Encrypted 4de9de27-254e-424f-bd70-4c1e95790838 | Encryption | Data stored on the launch configuration's EBS volumes is not encrypted. | Documentation |
ELB Using Insecure Protocols 126c1788-23c2-4a10-906c-ef179f4f96ec | Encryption | ELB predefined or custom security policies must not use insecure protocols, to reduce the risk of the TLS connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not match any entry in a predefined list of insecure protocols. | Documentation |
ECR Repository Has Public Access e86e26fc-489e-44f0-9bcd-97305e4ba69a | Encryption | Amazon ECR image repositories should not have public access. | Documentation |
CA certificate Identifier is outdated 9f40c07e-699e-4410-8856-3ba0f2e3a2dd | Encryption | The RDS CA certificate identifier must be rds-ca-2019. (AWS has since published newer CA identifiers, so the expected value needs periodic updating.) | Documentation |
Auto Minor Version Upgrade Is Set To False 3b6d777b-76e3-4133-80a3-0d6f667ade7f | Encryption | The RDS 'auto_minor_version_upgrade' feature in aws_db_instance must be true. | Documentation |
MSK Cluster Encryption Disabled 6db52fa6-d4da-4608-908a-89f0c59e743e | Encryption | Ensure MSK cluster encryption at rest and in transit is enabled. | Documentation |
HTTPS Traffic Disabled 55af1353-2f62-4fa0-a8e1-a210ca2708f5 | Encryption | Checks if the connection between CloudFront and the origin server is encrypted. | Documentation |
Ami Not Encrypted 8bbb242f-6e38-4127-86d4-d8f0b2687ae2 | Encryption | AWS AMI encryption is not enabled. | Documentation |
RDS Cluster Storage Not Encrypted 3199c26c-7871-4cb3-99c2-10a59244ce7f | Encryption | Check if RDS cluster storage is not encrypted, which happens when the 'kms_key_id' field is undefined (or false) and the 'engine_mode' field is null or empty. | Documentation |
IAM Database Auth Not Enabled 88fd05e0-ac0e-43d2-ba6d-fc0ba60ae1a6 | Encryption | 'iam_database_authentication_enabled' must be set to true. | Documentation |
KMS Rotation Period Is Higher Than 365 Days 352271ca-842f-408a-8b24-f6f2b76eb027 | Encryption | Check that keys are rotated at least every 365 days. | Documentation |
Cloud SQL Instance With SSL Disabled 02474449-71aa-40a1-87ae-e14497747b00 | Encryption | Cloud SQL database instance has SSL disabled for incoming connections. | Documentation |
DNSSEC Using RSASHA1 ccc3100c-0fdd-4a5e-9908-c10107291860 | Encryption | Checks whether, within the 'dnssec_config' block, a 'default_key_specs' block sets the 'algorithm' field to 'rsasha1', which is a weak signing algorithm. | Documentation |
SSL Enforce Is Disabled 0437633b-daa6-4bbc-8526-c0d2443b946e | Encryption | Make sure that for PostgreSQL the 'Enforce SSL connection' setting is 'ENABLED'. | Documentation |
Storage Account Not Forcing HTTPS 12944ec4-1fa0-47be-8b17-42a034f937c2 | Encryption | Check that storage accounts enforce HTTPS-only traffic. | Documentation |
ECS Task Definition Network Mode Not Recommended 9f4a9409-9c60-4671-be96-9716dbf63db1 | Insecure Configurations | 'network_mode' should be 'awsvpc' in aws_ecs_task_definition. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to firewall and router configurations. | Documentation |
S3 Bucket Without Enabled MFA Delete c5b31ab9-0f26-4a49-b8aa-4cc064392f4d | Insecure Configurations | S3 bucket does not have MFA Delete enabled. | Documentation |
S3 Bucket Without Encryption 6726dcc0-5ff5-459d-b473-a780bef7665c | Insecure Configurations | S3 bucket should have server-side encryption defined. | Documentation |
Root Account Has Associated Active Access Keys 970d224d-b42a-416b-81f9-8f4dfe70c4bc | Insecure Configurations | The AWS root account must not have active access keys associated; any access keys associated with the root account must be inactive. | Documentation |
IAM User Policy Without MFA b5681959-6c09-4f55-b42b-c40fa12d03ec | Insecure Configurations | Check if the root user is authenticated with MFA. | Documentation |
Redshift Publicly Accessible af173fde-95ea-4584-b904-bb3923ac4bda | Insecure Configurations | Check if the 'publicly_accessible' field is true or undefined (the default is true). | Documentation |
S3 Bucket Without Versioning 568a4d22-3517-44a6-a7ad-6a7eed88722c | Insecure Configurations | S3 bucket does not have versioning enabled. | Documentation |
DB Instance Publicly Accessible 35113e6f-2c6b-414d-beec-7a9482d3b2d1 | Insecure Configurations | The 'publicly_accessible' attribute must be false. | Documentation |
SQS With SSE Disabled 6e8849c1-3aa7-40e3-9063-b85ee300f29f | Insecure Configurations | Amazon Simple Queue Service (SQS) queue is not protecting the contents of its messages with server-side encryption (SSE). | Documentation |
No Password Policy Enabled b592ffd4-0577-44b6-bd35-8c5ee81b5918 | Insecure Configurations | An IAM password policy should be set, including the minimum password length and password reset attributes. | Documentation |
Static Websites Found 42bb6b7f-6d54-4428-b707-666f669d94fb | Insecure Configurations | Checks if any static websites are hosted on S3 buckets. | Documentation |
KMS Key With Vulnerable Policy 7ebc9038-0bde-479a-acc4-6ed7b6758899 | Insecure Configurations | Checks if the KMS key policy is overly permissive and needs updating. | Documentation |
S3 Bucket Without Restriction Of Public Bucket 1ec253ab-c220-4d63-b2de-5b40e0af9293 | Insecure Configurations | S3 bucket is not configured to restrict public bucket policies. | Documentation |
Authentication Without MFA 3ddfa124-6407-4845-a501-179f90c65097 | Insecure Configurations | Users should authenticate with multi-factor authentication (MFA). | Documentation |
Pod Security Policy is Disabled 9192e0f9-eca5-4056-9282-ae2a736a4088 | Insecure Configurations | Kubernetes clusters must have the Pod Security Policy controller enabled, which means there must be a 'pod_security_policy_config' block with the 'enabled' attribute set to true. (PodSecurityPolicy was removed from Kubernetes in 1.25, so this check only applies to older cluster versions.) | Documentation |
IAM Binding Check No Gmail Accounts 9356962e-4a4f-4d06-ac59-dc8008775eaa | Insecure Configurations | Gmail accounts are being used instead of corporate credentials. | Documentation |
GKE Basic Authentication is Enabled 70cdf849-b7d9-4569-b87d-5d82ffd44719 | Insecure Configurations | GCP Google Kubernetes Engine (GKE) basic authentication must be disabled, which means the username and password in the 'master_auth' block must be empty. | Documentation |
Network Policy is Disabled 11e7550e-c4b6-472e-adff-c698f157cdd7 | Insecure Configurations | Kubernetes Engine clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false. | Documentation |
Cluster Labels are Disabled 65c1bc7a-4835-4ac4-a2b6-13d310b0648d | Insecure Configurations | Kubernetes clusters must be configured with labels, which means the attribute 'resource_labels' must be defined. | Documentation |
Node Auto Upgrade Not Enabled b139213e-7d24-49c2-8025-c18faa21ecaa | Insecure Configurations | Node 'auto_upgrade' should be enabled for Kubernetes clusters. | Documentation |
Private Cluster Is Disabled 6ccb85d7-0420-4907-9380-50313f80946b | Insecure Configurations | Kubernetes clusters must be created as private clusters, meaning 'private_cluster_config' must be defined and the attributes 'enable_private_nodes' and 'enable_private_endpoint' must be true. | Documentation |
Legacy Authorization is Enabled 5baa92d2-d8ee-4c75-88a4-52d9d8bb8067 | Insecure Configurations | Kubernetes Engine clusters must have legacy authorization disabled, which means the attribute 'enable_legacy_abac' must not be true. | Documentation |
Client Certificate is Disabled 73fb21a1-b19a-45b1-b648-b47b1678681e | Insecure Configurations | Kubernetes clusters must be created with client certificates enabled, which means 'master_auth' must have a 'client_certificate_config' block with the attribute 'issue_client_certificate' set to true. | Documentation |
COS Node Image Not Used 8a893e46-e267-485a-8690-51f39951de58 | Insecure Configurations | A node image that is not Container-Optimized OS (COS) is used for the Kubernetes Engine cluster's nodes. | Documentation |
IP Aliasing is Disabled c606ba1d-d736-43eb-ac24-e16108f3a9e0 | Insecure Configurations | Kubernetes clusters must be created with alias IP ranges enabled, which means the attribute 'ip_allocation_policy' must be defined and, if defined, the attribute 'networking_mode' must be 'VPC_NATIVE'. | Documentation |
Redis Not Updated Regularly b947809d-dd2f-4de9-b724-04d101c515aa | Insecure Configurations | Redis Cache is not configured to receive security and operational updates regularly. | Documentation |
Azurerm Container Registry With No Locks a187ac47-8163-42ce-8a63-c115236be6fb | Insecure Configurations | Azure Container Registry must have an associated management lock. | Documentation |
VM Not Attached To Network bbf6b3df-4b65-4f87-82cc-da9f30f8c033 | Insecure Configurations | No network security group is attached to the virtual machine. | Documentation |
Network Watcher Flow Disabled b90842e5-6779-44d4-9760-972f4c03ba1c | Insecure Configurations | Check if the 'enabled' field in the azurerm_network_watcher_flow_log resource is false. | Documentation |
SSL Connection Is Enabled 73e42469-3a86-4f39-ad78-098f325b4e9f | Insecure Configurations | Make sure that for MySQL Database Server 'Enforce SSL connection' is enabled. | Documentation |
AD Admin Not Configured For SQL Server a3a055d2-9a2e-4cc9-b9fb-12850a1a3a4b | Insecure Configurations | No Active Directory administrator is configured for the SQL server. | Documentation |
CosmosDB Account Ip Range Filter Not Setted c2a3efb6-8a58-481c-82f2-bfddf34bb4b7 | Insecure Configurations | The IP range filter must contain IPs. | Documentation |
Trusted Microsoft Services Not Enabled 5400f379-a347-4bdd-a032-446465fdcc6f | Insecure Configurations | Trusted Microsoft services are not enabled for storage account access. | Documentation |
DB Security Group Has Public IP f0d8781f-99bf-4958-9917-d39283b168a0 | Networking and Firewall | The CIDR IP range must not be public. | Documentation |
Remote Desktop Port Open 151187cb-0efc-481c-babd-ad24e3c9bc22 | Networking and Firewall | The remote desktop port is open. | Documentation |
'SSH' (TCP:22) in Public Scope 65905cec-d691-4320-b320-2000436cb696 | Networking and Firewall | 'SSH' (TCP:22) should not be public in an AWS security group. | Documentation |
ALB protocol is HTTP de7f5e83-da88-4046-871f-ea18504b1d43 | Networking and Firewall | AWS Application Load Balancer (ALB) should not listen on HTTP. | Documentation |
HTTP Port Open ffac8a12-322e-42c1-b9b9-81ff85c39ef7 | Networking and Firewall | HTTP port is open to the internet. | Documentation |
Sensitive Port Is Exposed To Entire Network 381c3f2a-ef6f-4eff-99f7-b169cda3422c | Networking and Firewall | A sensitive port, such as port 23 or port 110, is open to the whole network over TCP or UDP. | Documentation |
Fully Open Ingress 4728cd65-a20c-49da-8b31-9c08b423e4db | Networking and Firewall | Security groups allow ingress from 0.0.0.0/0. | Documentation |
DB Security Group Higher than 256 4f615f3e-fb9c-4fad-8b70-2e9f781806ce | Networking and Firewall | The DB security group CIDR must cover fewer than 256 addresses, i.e. be narrower than a /24. | Documentation |
EKS Cluster Has Public Access CIDRs 61cf9883-1752-4768-b18c-0d57f2737709 | Networking and Firewall | Amazon EKS public endpoint is enabled and accessible to all (0.0.0.0/0). | Documentation |
DB Security Group With Public Scope 1e0ef61b-ad85-4518-a3d3-85eaad164885 | Networking and Firewall | The CIDR must be different from 0.0.0.0/0. | Documentation |
Unknown Port Exposed To Internet 590d878b-abdc-428f-895a-e2b68a0e1998 | Networking and Firewall | AWS security group should not expose an unknown port to the entire internet. | Documentation |
Route53 Record Undefined 25db74bf-fa3b-44da-934e-8c3e005c0453 | Networking and Firewall | Check if the record is set. | Documentation |
Default Security Group Does Not Restrict All Traffic 46883ce1-dc3e-4b17-9195-c6a601624c73 | Networking and Firewall | Check if the default security group does not restrict all inbound and outbound traffic. | Documentation |
Cloud SQL DB Is Publicly Accessible b187edca-b81e-4fdc-aff4-aab57db45edb | Networking and Firewall | Check if any Cloud SQL instances are publicly accessible. | Documentation |
Sensitive Port Is Exposed To Entire Network 594c198b-4d79-41b8-9b36-fde13348b619 | Networking and Firewall | A sensitive port, such as port 23 or port 110, is open to the whole network over TCP or UDP. | Documentation |
Redis Publicly Accessible 5089d055-53ff-421b-9482-a5267bdce629 | Networking and Firewall | Firewall rule allows unrestricted access to Redis from other Azure sources. | Documentation |
SQLServer Ingress from Any IP 25c0ea09-f1c5-4380-b055-3b83863f2bb8 | Networking and Firewall | Check if all IPs are allowed, i.e. a firewall rule ranging from start 0.0.0.0 to end 255.255.255.255. | Documentation |
SSH Is Exposed To The Internet 3e3c175e-aadf-4e2b-a464-3fdac5748d24 | Networking and Firewall | Port 22 (SSH) is exposed to the internet. | Documentation |
Redis Entirely Accessible fd8da341-6760-4450-b26c-9f6d8850575e | Networking and Firewall | Firewall rule allows unrestricted access to Redis from the internet. | Documentation |
Public Storage Account 17f75827-0684-48f4-8747-61129c7e4198 | Networking and Firewall | Check if 'network_rules' is open to the public. | Documentation |
RDP Is Exposed To The Internet efbf6449-5ec5-4cfe-8f15-acc51e0d787c | Networking and Firewall | Port 3389 (Remote Desktop) is exposed to the internet. | Documentation |
KMS Key No Deletion Window 0b530315-0ea4-497f-b34c-4ff86268f59d | Observability | AWS KMS key should have a valid deletion window. | Documentation |
Config Configuration Aggregator All Regions Not Enabled ac5a0bc0-a54c-45aa-90c3-15f7703b9132 | Observability | AWS Config configuration aggregator 'all_regions' must be set to true. | Documentation |
CloudTrail Logging Disabled 4bb76f17-3d63-4529-bdca-2b454529d774 | Observability | Checks if logging is enabled for CloudTrail. | Documentation |
Stackdriver Monitoring is Disabled 30e8dfd2-3591-4d19-8d11-79e93106c93d | Observability | Kubernetes Engine clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must be defined and different from 'none'. | Documentation |
Stackdriver Logging is Disabled 4c7ebcb2-eae2-461e-bc83-456ee2d4f694 | Observability | Kubernetes Engine clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must be defined and different from 'none'. | Documentation |
Cloud Storage Bucket Logging Not Enabled d6cabc3a-d57e-48c2-b341-bf3dd4f4a120 | Observability | Cloud Storage bucket does not have logging enabled. | Documentation |
Object Versioning Not Enabled e7e961ac-d17e-4413-84bc-8a1fbe242944 | Observability | Object versioning is not enabled on the Cloud Storage bucket. | Documentation |
IAM Audit Logging Has Not Proper Config 89fe890f-b480-460c-8b6b-7d8b1468adb4 | Observability | Audit logging configuration is defective. | Documentation |
Vault with disabled Audit 38c71c00-c177-4cd7-8d36-cd1007cdb190 | Observability | Ensure that logging for Azure Key Vault is enabled. | Documentation |
SQL Database disabled Audit 83a229ba-483e-47c6-8db7-dc96969bce5a | Resource Management | Ensure that 'Threat Detection' is enabled for Azure SQL Database. | Documentation |
S3 Bucket Rules With Master Key Id Null ad03cb46-f174-4674-bf8e-2880a7000edd | Secret Management | If the SSE algorithm is AES256 the master key ID may be null, empty or undefined; for any other algorithm the master key ID is required. | Documentation |
EFS Without KMS Key ID 25d251f3-f348-4f95-845c-1090e41a615c | Secret Management | Elastic File System (EFS) must have a KMS key ID. | Documentation |
Check Secret Expiration Is Set dfa20ffa-f476-428f-a490-424b41e91c7f | Secret Management | Make sure that an expiration date is set for all secrets. | Documentation |
Check Key Expiration Is Set 4d080822-5ee2-49a4-8984-68f3d4c890fc | Secret Management | Make sure that an expiration date is set for all keys. | Documentation |
Logging Disabled For Key Vault bb2d6cbc-b3af-4da7-9b1c-d91652dd9ead | Secret Management | Logging for Azure Key Vault is disabled. | Documentation |
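The Networking and Firewall rows above (Fully Open Ingress, 'SSH' (TCP:22) in Public Scope, HTTP Port Open, Sensitive Port Is Exposed To Entire Network, Unknown Port Exposed To Internet, and the two DB security group CIDR rows) all reduce to arithmetic on an ingress rule's CIDR blocks and port range. The Python below is an added example, not the scanner's own query code: it applies those checks to constructed aws_security_group ingress blocks. The port tables and the finding strings are this example's own choices (the page only names ports 22, 23, 80, 110 and 3389), and the rule dictionaries are test data, not real infrastructure.

```python
import ipaddress

# Port tables are this example's own (the page only names SSH, RDP, HTTP and
# the "sensitive port" examples 23 and 110); extend them to local policy.
SENSITIVE_PORTS = {22: "SSH", 23: "Telnet", 110: "POP3", 3389: "RDP"}
EXPECTED_PUBLIC_PORTS = {80: "HTTP", 443: "HTTPS"}  # anything else open to all is "unknown"

# Constructed ingress blocks in the shape of aws_security_group 'ingress'
# arguments (test data, not real infrastructure).
SAMPLE_INGRESS = [
    {"name": "web-http",  "protocol": "tcp", "from_port": 80,   "to_port": 80,   "cidr_blocks": ["0.0.0.0/0"]},
    {"name": "bastion",   "protocol": "tcp", "from_port": 22,   "to_port": 22,   "cidr_blocks": ["10.0.0.0/8"]},
    {"name": "debug",     "protocol": "tcp", "from_port": 8080, "to_port": 8080, "ipv6_cidr_blocks": ["::/0"]},
    {"name": "wide-open", "protocol": "-1",  "from_port": 0,    "to_port": 0,    "cidr_blocks": ["0.0.0.0/0"]},
]


def covers_entire_internet(cidr):
    """0.0.0.0/0 and ::/0 (prefix length 0) match every address there is."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def address_count(cidr):
    return ipaddress.ip_network(cidr, strict=False).num_addresses


def port_range(rule):
    """Ports a rule covers; protocol "-1" means all protocols and all ports."""
    if str(rule["protocol"]) == "-1":
        return 0, 65535
    return int(rule["from_port"]), int(rule["to_port"])


def check_ingress(rule):
    """Return the query names (from the tables above) that one ingress block trips."""
    findings = set()
    cidrs = list(rule.get("cidr_blocks", [])) + list(rule.get("ipv6_cidr_blocks", []))
    if not any(covers_entire_internet(c) for c in cidrs):
        return findings  # reachable only from named ranges: none of these queries apply
    protocol = str(rule["protocol"]).lower()
    if protocol == "-1":
        findings.add("Fully Open Ingress")
    if protocol not in ("-1", "tcp", "udp"):
        return findings  # e.g. icmp carries no port numbers
    lo, hi = port_range(rule)
    named = {p for p in SENSITIVE_PORTS if lo <= p <= hi}
    for port in named:
        findings.add(f"{SENSITIVE_PORTS[port]} (port {port}) exposed to the Internet")
    if lo <= 80 <= hi:
        findings.add("HTTP Port Open")
    expected = {p for p in EXPECTED_PUBLIC_PORTS if lo <= p <= hi}
    # Any port in the range that is neither a known public service nor a
    # named sensitive port is an "unknown" port open to the world.
    if hi - lo + 1 > len(named | expected):
        findings.add("Unknown Port Exposed To Internet")
    return findings


def check_db_security_group(cidrs):
    """The two DB security group CIDR queries: world-open, and a /24 or wider."""
    findings = set()
    for cidr in cidrs:
        if covers_entire_internet(cidr):
            findings.add("DB Security Group With Public Scope")
        if address_count(cidr) >= 256:
            findings.add("DB Security Group Higher than 256")
    return findings


def scan(rules):
    return {rule["name"]: check_ingress(rule) for rule in rules}


if __name__ == "__main__":
    for name, findings in scan(SAMPLE_INGRESS).items():
        print(f"{name}: {sorted(findings) or 'ok'}")
    print("db:", sorted(check_db_security_group(["10.0.0.0/16", "10.1.2.0/25"])))
```

The "bastion" rule is silent because the queries above only fire on 0.0.0.0/0 or ::/0; a rule open to 10.0.0.0/8 is still worth a look, but that is a different check. Protocol "-1" is treated as all ports, which is why a single wide-open rule trips every port-based query at once.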
Query | Category | Description | Help |
---|---|---|---|
Google Project IAM Member Service Account has Token Creator or Account User Role c68b4e6d-4e01-4ca1-b256-1e18e875785c | Access Control | Verifies that a Google project IAM member service account does not have the Service Account User or Service Account Token Creator role associated. | Documentation |
SQS Policy Allows ALL (*) Actions 816ea8cf-d589-442d-a917-2dd0ce0e45e3 | Access Control | SQS policy allows all ('*') actions. | Documentation |
Google Project IAM Member Service Account Has Admin Role 84d36481-fd63-48cb-838e-635c44806ec2 | Access Control | Verifies that a Google project IAM member service account does not have an admin role associated. | Documentation |
IAM Policies With Full Privileges 2f37c4a3-58b9-4afe-8a87-d7f1d2286f84 | Access Control | IAM policies that allow full administrative privileges (all actions on all resources). | Documentation |
SNS Topic is Publicly Accessible For Subscription b26d2b7e-60f6-413d-a3a1-a57db24aa2b3 | Access Control | This query checks if the SNS topic is publicly accessible for subscription. | Documentation |
SQS Policy With Public Access 730675f9-52ed-49b6-8ead-0acb5dd7df7f | Access Control | SQS policy grants public access. | Documentation |
Google Project IAM Binding Service Account has Token Creator or Account User Role 617ef6ff-711e-4bd7-94ae-e965911b1b40 | Access Control | Verifies that a Google project IAM binding service account does not have the Service Account User or Service Account Token Creator role associated. | Documentation |
IAM Policy Allows All ('*') In Policy Statement 575a2155-6af1-4026-b1af-d5bc8fe2a904 | Access Control | IAM policies allow all ('*') as a statement action. | Documentation |
S3 Bucket Allows Public ACL d0cc8694-fcad-43ff-ac86-32331d7e867f | Access Control | S3 bucket is not configured to block public ACLs. | Documentation |
Container Allow Privilege Escalation Is True c878abb4-cca5-4724-92b9-289be68bd47c | Access Control | Admission of containers that allow privilege escalation should be minimized. | Documentation |
Container Has Allowed Capabilities fe771ff7-ba15-4f8f-ad7a-8aa232b49a28 | Access Control | Kubernetes pods should not have extra capabilities allowed. | Documentation |
Cloud Storage Anonymous or Publicly Accessible a6cd52a1-3056-4910-96a5-894de9f3f3b3 | Access Control | Cloud Storage buckets must not be anonymously or publicly accessible, which means the attribute 'members' must not contain 'allUsers' or 'allAuthenticatedUsers'. | Documentation |
Default Network Access is Allowed 9be09caf-2ba4-4fa9-9787-a670dc32c639 | Access Control | The default network access rule for storage accounts must be set to deny, which means the attribute 'default_action' must be 'Deny'. | Documentation |
ElastiCache Nodes Are Not Created Across Multi AZ 6db03a91-f933-4f13-ab38-a8b87a7de54d | Availability | Check if ElastiCache nodes are not being created across multiple availability zones. | Documentation |
Stack Retention Is Disabled 6e0e2f68-3fd9-4cd8-a5e4-e2213ef0df97 | Backup | Make sure that 'retain_stack' is enabled to keep the stack and its associated resources during resource destruction. | Documentation |
RDS Without Backup 1dc73fb4-5b51-430c-8c5f-25dcf9090b02 | Backup | RDS is configured without backups. | Documentation |
Insecure SSL Is Enabled For GitHub Organization Webhook ce7c874e-1b88-450b-a5e4-cb76ada3c8a9 | Encryption | Check if insecure SSL is being used in the GitHub organization webhooks. | Documentation |
Config Rule For Encrypted Volumes Is Disabled abdb29d4-5ca1-4e91-800b-b3569bbd788c | Encryption | Check if no AWS Config rule uses Encrypted Volumes as its source identifier. | Documentation |
Google Compute SSL Policy Weak Cipher Suits is Enabled 14a457f0-473d-4d1d-9e37-6d99b355b336 | Encryption | This query checks whether a Google Compute SSL policy enables weak cipher suites; the minimum TLS version must be TLS_1_2, because older versions allow weak ciphers. | Documentation |
Neptune Cluster Not Encrypted 98d59056-f745-4ef5-8613-32bca8d40b7e | Encryption | Check if Neptune cluster storage is encrypted. | Documentation |
API Gateway Content Encoding ed35928e-195c-4405-a252-98ccb664ab7b | Encryption | Enable content encoding through the attribute 'minimum_compression_size'. This value should be greater than -1 and smaller than 10485760. | Documentation |
Google KMS Crypto Key Rotation Period Not Recommended d8c57c4e-bf6f-4e32-a2bf-8643532de77b | Encryption | Make sure encryption keys are rotated every 90 days. | Documentation |
ElasticSearch Not Encrypted At Rest 24e16922-4330-4e9d-be8a-caa90299466a | Encryption | Check if ElasticSearch encryption at rest is disabled. | Documentation |
Image is not scanned 9630336b-3fed-4096-8173-b9afdfe346a7 | Encryption | Checks if images are scanned on push. | Documentation |
ElasticSearch Encryption With KMS Is Disabled 7af2f4a3-00d9-47f3-8d15-ca0888f4e5b2 | Encryption | Check if any ElasticSearch domain is not encrypted with KMS. | Documentation |
VM CSEK Encryption Is Disabled b1d51728-7270-4991-ac2f-fc26e2695b38 | Encryption | VM disks for critical VMs must be encrypted with customer-supplied encryption keys (CSEK), which means the attribute 'disk_encryption_key' must be defined and its sub-attribute 'sha256' must also be defined and not empty. | Documentation |
Ensure Encryption on Disk a99130ab-4c0e-43aa-97f8-78d4fcb30024 | Encryption | Ensure that encryption is active on the disk. | Documentation |
Redis Cache Allows Non SSL Connections e29a75e6-aba3-4896-b42d-b87818c16b58 | Encryption | Check if any Redis Cache resource allows non-SSL connections. | Documentation |
Public Repository Is Enabled 15d8a7fd-465a-4d15-a868-add86552f17b | Insecure Configurations | Repositories must be set to private, which means the attribute 'visibility' must be 'private' and/or the attribute 'private' must be true (the attribute 'visibility' overrides 'private'). | Documentation |
CloudFormation Without Template 91bea7b8-0c31-4863-adc9-93f6177266c4 | Insecure Configurations | AWS CloudFormation stack should have a template defined through the attribute 'template_url' or 'template_body'. | Documentation |
Organizations SCPs All Features Not Enabled 5ba6229c-8057-433e-91d0-21cf13569ca9 | Insecure Configurations | Check that the AWS Organization has all features enabled, which is required for full control over the use of AWS services and actions across multiple accounts using Service Control Policies (SCPs). | Documentation |
Google Storage Bucket Level Access is Enabled bb0db090-5509-4853-a827-75ced0b3caa0 | Insecure Configurations | Validates that uniform bucket-level access is enabled on the Google Storage bucket. | Documentation |
MQ Broker Is Publicly Accessible 4eb5f791-c861-4afd-9f94-f2a6a3fe49cb | Insecure Configurations | Check if any MQ broker is publicly accessible. | Documentation |
AMI Shared To Multiple Accounts ba4e0031-3e9d-4d7d-b0d6-bd8f003f8698 | Insecure Configurations | Limits access to AWS AMIs by checking if more than one account has been granted access to the same image. | Documentation |
IAM Password Without Reuse Prevention 89806cdc-9c2e-4bd1-a0dc-53f339bcfb2a | Insecure Configurations | Check if the IAM account password policy prevents reuse of the last 24 passwords. | Documentation |
IAM Password Without Valid Minimum Length 1bc1c685-e593-450e-88fb-19db4c82aa1d | Insecure Configurations | Check if the IAM account password policy has the required minimum length. | Documentation |
IAM Password Without Uppercase Letter c5ff7bc9-d8ea-46dd-81cb-8286f3222249 | Insecure Configurations | Check if the IAM account password policy requires at least one uppercase letter. | Documentation |
Google Container Node Pool Auto Repair is Disabled acfdbec6-4a17-471f-b412-169d77553332 | Insecure Configurations | Verifies that Google Container node pool auto-repair is enabled. | Documentation |
IAM Password Without Lowercase Letter bbc7c137-6c7b-4fc4-984a-0c88e91fcaf9 | Insecure Configurations | Check if the IAM account password policy requires at least one lowercase letter. | Documentation |
Instance With No VPC a31a5a29-718a-4ff4-8001-a69e5e4d029e | Insecure Configurations | Instance should be configured in a VPC (Virtual Private Cloud). | Documentation |
IAM Password Without Symbols 7a70eed6-de3a-4da2-94da-a2bbc8fe2a48 | Insecure Configurations | Check if the IAM account password policy requires symbols. | Documentation |
IAM Access Key Is Exposed 7081f85c-b94d-40fd-8b45-a4f1cac75e46 | Insecure Configurations | Check if an IAM access key is active for a user other than 'root'. | Documentation |
Unchangeable password 9ef7d25d-9764-4224-9968-fa321c56ef76 | Insecure Configurations | The AWS password policy does not allow users to change their own passwords. | Documentation |
Public Lambda via API Gateway 3ef8696c-e4ae-4872-92c7-520bb44dfe77 | Insecure Configurations | A Lambda function can be invoked through a public API Gateway. | Documentation |
EKS Cluster Has Public Access 42f4b905-3736-4213-bfe9-c0660518cda8 | Insecure Configurations | Amazon EKS public endpoint should be set to false. | Documentation |
Container Read-Only Root Filesystem Is False d532566b-8d9d-4f3b-80bd-361fe802f9c2 | Insecure Configurations | The container's root filesystem should be read-only. | Documentation |
Container Host Pid Is True 587d5d82-70cf-449b-9817-f60f9bccb88c | Insecure Configurations | Minimize the admission of containers wishing to share the host process ID namespace. | Documentation |
Container Resources Not Defined 60af03ff-a421-45c8-b214-6741035476fa | Insecure Configurations | Kubernetes containers should have resource limits defined, such as CPU and memory. | Documentation |
OSLogin Is Disabled For VM Instance d0b4d550-c001-46c3-bbdb-d5d75d33f05f | Insecure Configurations | Check if any VM instance disables OS Login. | Documentation |
Using Default Service Account 3cb4af0b-056d-4fb1-8b95-fdc4593625ff | Insecure Configurations | Instances must not be configured to use the default service account, which has full access to all Cloud APIs. The attribute 'service_account' and its sub-attribute 'email' must be defined; 'email' must not be empty and must not be a default Google Compute Engine service account. | Documentation |
Google Project Auto Create Network Is Disabled 59571246-3f62-4965-a96f-c7d97e269351 |
Insecure Configurations | Verifies if the Google Project Auto Create Network is Disabled | Documentation |
Shielded VM is Disabled 1b44e234-3d73-41a8-9954-0b154135280e |
Insecure Configurations | Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true | Documentation |
Project-wide SSH Keys Are Enabled In VM Instances 3e4d5ce6-3280-4027-8010-c26eeea1ec01 |
Insecure Configurations | Check if SSH keys are enabled project-wide in VM instances | Documentation |
Serial Ports Are Enabled For VM Instances 97fa667a-d05b-4f16-9071-58b939f34751 |
Insecure Configurations | Check if VM instance enables serial ports | Documentation |
Cloud DNS without DNSSEC 5ef61c88-bbb4-4725-b1df-55d23c9676bb |
Insecure Configurations | Cloud DNS without DNSSEC | Documentation |
Security Center Pricing Tier Is Not Standard 819d50fd-1cdf-45c3-9936-be408aaad93e |
Insecure Configurations | Make sure that the 'Standard' pricing tiers were selected. | Documentation |
Log Retention Is Greater Than 90 Days 7750fcca-dd03-4d38-b663-4b70289bcfd4 |
Insecure Configurations | Flow logs enable capturing information about IP traffic flowing in and out of the network security groups. Network Security Group Flow Logs must be enabled with retention period greater than or equal to 90 days. This is important, because these logs are used to check for anomalies and give information of suspected breaches | Documentation |
AKS Network Policy Misconfigured f5342045-b935-402d-adf1-8dbbd09c0eef |
Insecure Configurations | Check if the Azure Kubernetes Service doesn't have the proper network policy configuration. | Documentation |
Cosmos DB Account No Tags 56dad03e-e94f-4dd6-93a4-c253a03ff7a0 |
Insecure Configurations | Cosmos DB Account must have a mapping of tags. | Documentation |
Security Group is Not Configured 5c822443-e1ea-46b8-84eb-758ec602e844 |
Insecure Configurations | Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty | Documentation |
SQL Server Predictable Active Directory Account Name bcd3fc01-5902-4f2a-b05a-227f9bbf5450 |
Insecure Configurations | Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'login' must be set to a name that is not easy to predict | Documentation |
SQL Server Predictable Admin Account Name 2ab6de9a-0136-415c-be92-79d2e4fd750f |
Insecure Configurations | Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'administrator_login' must be set to a name that is not easy to predict | Documentation |
Kube Dashboard Is Enabled 61c3cb8b-0715-47e4-b788-86dde40dd2db |
Insecure Configurations | Check if the Kubernetes Dashboard is enabled. | Documentation |
API Gateway Endpoint Config is Private 6b2739db-9c49-4db7-b980-7816e0c248c1 |
Networking and Firewall | Type of Endpoint Configuration is Private | Documentation |
API Gateway Without SSL Certificate 0b4869fc-a842-4597-aa00-1294df425440 |
Networking and Firewall | SSL Client Certificate should be enabled in aws_api_gateway_stage resource | Documentation |
Sensitive Port Is Exposed To Small Public Network e35c16a2-d54e-419d-8546-a804d8e024d0 |
Networking and Firewall | A sensitive port, such as port 23 or port 110, is open for a small public network in either TCP or UDP protocol | Documentation |
SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible 54c417bf-c762-48b9-9d31-b3d87047e3f0 |
Networking and Firewall | Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it. | Documentation |
Sensitive Port Is Exposed To Wide Private Network 92fe237e-074c-4262-81a4-2077acb928c1 |
Networking and Firewall | A sensitive port, such as port 23 or port 110, is open for a wide private network in either TCP or UDP protocol | Documentation |
SSH Access Is Not Restricted From The Internet c4dcdcdf-10dd-4bf4-b4a0-8f6239e6aaa0 |
Networking and Firewall | Check if Google Firewall allows SSH access (port 22) from the Internet (public CIDR block) | Documentation |
RDP Access Is Not Restricted 678fd659-96f2-454a-a2a0-c2571f83a4a3 |
Networking and Firewall | Check if Google Firewall ingress allows RDP access (port 3389) | Documentation |
IP Forwarding is Enabled f34c0c25-47b4-41eb-9c79-249b4dd47b89 |
Networking and Firewall | Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true | Documentation |
Firewall Rule Allows Too Many Hosts To Access Redis Cache a829b715-cf75-4e92-b645-54c9b739edfb |
Networking and Firewall | Check if any firewall rule allows too many hosts to access Redis Cache | Documentation |
WAF Is Disabled For Azure Application Gateway 2e48d91c-50e4-45c8-9312-27b625868a72 |
Networking and Firewall | Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway. | Documentation |
Sensitive Port Is Exposed To Small Public Network e9dee01f-2505-4df2-b9bf-7804d1fd9082 |
Networking and Firewall | A sensitive port, such as port 23 or port 110, is open for small public network in either TCP or UDP protocol | Documentation |
SQL Server Accessibility Is Not Minimal d7ba74da-2da0-4d4b-83c8-2fd72a3f6c28 |
Networking and Firewall | Azure SQL Server Accessibility must be set to a minimal address range, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' must be lesser than 256. Additionally, both ips must be different from '0.0.0.0' | Documentation |
Sensitive Port Is Exposed To Wide Private Network c6c7b33d-d7f6-4ab8-8c82-ca0431ecdb7e |
Networking and Firewall | A sensitive port, such as port 23 or port 110, is open for wide private network in either TCP or UDP protocol | Documentation |
MQ Broker Has Disabled General Or Audit Logging 31245f98-a6a9-4182-9fc1-45482b9d030a |
Observability | Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general). | Documentation |
Redshift Cluster Logging Disabled 15ffbacc-fa42-4f6f-a57d-2feac7365caa |
Observability | Make sure Logging is enabled for Redshift Cluster | Documentation |
CloudWatch Logging Is Disabled 7dbba512-e244-42dc-98bb-422339827967 |
Observability | Check if CloudWatch logging is disabled for Route53 hosted zones | Documentation |
MSK Cluster Logging Disabled 2f56b7ab-7fba-4e93-82f0-247e5ddeb239 |
Observability | Ensure MSK Cluster Logging is enabled | Documentation |
Elasticsearch Without Slow Logs e979fcbc-df6c-422d-9458-c33d65e71c45 |
Observability | Ensure that AWS Elasticsearch enables support for slow logs | Documentation |
CloudFormation Stack Notifications Disabled b72d0026-f649-4c91-a9ea-15d8f681ac09 |
Observability | Enable AWS CloudFormation Stack Notifications | Documentation |
Default VPC Exists 96ed3526-0179-4c73-b1b2-372fde2e0d13 |
Observability | It isn't recommended to use resources in default VPC | Documentation |
VPC Flow Logs Disabled f83121ea-03da-434f-9277-9cd247ab3047 |
Observability | Sees if the id of the flow logs is the same as the vpc, if they are VPC flow logs are Enabled | Documentation |
API Gateway Without Cloudwatch Log 982aa526-6970-4c59-8b9b-2ce7e019fe36 |
Observability | AWS CloudWatch Logs for APIs is not enabled | Documentation |
API Gateway X-Ray Disabled 5813ef56-fa94-406a-b35d-977d4a56ff2b |
Observability | Xray Tracing is not enabled | Documentation |
Cloudfront Logging is Disabled 94690d79-b3b0-43de-b656-84ebef5753e5 |
Observability | AWS Cloudfront distributions must be have logging enabled, which means the attribute 'logging_config' must be defined | Documentation |
CloudWatch Metrics Not Enabled 081069cb-588b-4ce1-884c-2a1ce3029fe5 |
Observability | Enable the CloudWatch Metrics | Documentation |
CloudWatch Without Retention Period Specified ef0b316a-211e-42f1-888e-64efe172b755 |
Observability | AWS CloudWatch Log groups should have retention days specified | Documentation |
Cloud Trail Multi Region Disabled 8173d5eb-96b5-4aa6-a71b-ecfa153c123d |
Observability | Check if MultiRegion is Enabled | Documentation |
CloudTrail SNS Topic Name Is Undefined 482b7d26-0bdb-4b5f-bf6f-545826c0a3dd |
Observability | Check if SNS topic name is set for CloudTrail | Documentation |
Google Compute Subnetwork Logs are Disabled 40430747-442d-450a-a34f-dc57149f4609 |
Observability | This query checks if logs are enabled for google compute subnetwork | Documentation |
GuardDuty Detector Disabled 704dadd3-54fc-48ac-b6a0-02f170011473 |
Observability | Make sure that Amazon GuardDuty is Enabled | Documentation |
SQL Server Auditing Is Enabled f7e296b0-6660-4bc5-8f87-22ac4a815edf |
Observability | Make sure that for SQL Servers, 'Auditing' is set to 'On' | Documentation |
PostgreSQL Logs Checkpoints Is On 3790d386-be81-4dcf-9850-eaa7df6c10d9 |
Observability | Make sure that for Postgre SQL Database Server, parameter 'log_checkpoints' is set to 'ON' | Documentation |
MSSQL Audit Retention 9c301481-e6ec-44f7-8a49-8ec63e2969ea |
Observability | Make sure that for MSSQL Server, the Auditing Retention is greater than 90 days | Documentation |
Log Disconnections Is Not Set 07f7134f-9f37-476e-8664-670c218e4702 |
Observability | Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON' | Documentation |
MSSQL Server Auditing Is Enabled 609839ae-bd81-4375-9910-5bce72ae7b92 |
Observability | Make sure that for MSSQL Servers, that 'Auditing' is set to 'On' | Documentation |
PostgreSQL DB Server Log Retention Is Low 261a83f8-dd72-4e8c-b5e1-ebf06e8fe606 |
Observability | Check if PostgreSQL Database Server retains logs for less than 3 Days | Documentation |
SQL Audit Retention 59acb56b-2b10-4c2c-ba38-f2223c3f5cfc |
Observability | Make sure for SQL Servers that Auditing Retention is greater than 90 days | Documentation |
Log Duration Is Not Set 16e0879a-c4ae-4ff8-a67d-a2eed5d67b8f |
Observability | Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON' | Documentation |
Log Connections Is Not Set c640d783-10c5-4071-b6c1-23507300d333 |
Observability | Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON' | Documentation |
Log Retention Is Not Set ffb02aca-0d12-475e-b77c-a726f7aeff4b |
Observability | Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON' | Documentation |
Email Alerts Are Disabled 9db38e87-f6aa-4b5e-a1ec-7266df259409 |
Observability | Make sure that alerts notifications are set to 'On' in the Azure Security Center Contact | Documentation |
PostgreSQL Server Without Connection Throttling 2b3c671f-1b76-4741-8789-ed1fe0785dc4 |
Observability | Ensure that Connection Throttling is set for the PostgreSQL server | Documentation |
CloudFormation Without Stack Policy 2f01fb2d-828a-499d-b98e-b83747305052 |
Resource Management | AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions | Documentation |
Incorrect Password Policy Expiration ce60d060-efb8-4bfd-9cf7-ff8945d00d90 |
Secret Management | No password exeration policy | Documentation |
Query | Category | Description | Help |
---|---|---|---|
IAM Role Allows All Principals To Assume 12b7e704-37f0-4d1e-911a-44bf60c48c21 |
Access Control | IAM role allows all services or principals to assume it | Documentation |
IAM Role Allows Public Assume bcdcbdc6-a350-4855-ae7c-d1e6436f7c97 |
Access Control | IAM role allows All services or principals to assume it | Documentation |
S3 Bucket With All Permissions a4966c4f-9141-48b8-a564-ffe9959945bc |
Encryption | S3 Buckets must not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion | Documentation |
IAM Policies Attached To User b4378389-a9aa-44ee-91e7-ef183f11079e |
Insecure Configurations | IAM policies should be attached only to groups or roles | Documentation |
S3 Bucket With Ignore Public ACL 4fa66806-0dd9-4f8d-9480-3174d39c7c91 |
Insecure Configurations | S3 bucket with ignore public ACL | Documentation |
Open Access To Resources Through API 108aa260-6dab-4a75-ae3f-de917d634840 |
Insecure Configurations | Open access to back-end resources through API | Documentation |
Cloudfront Without WAF 1419b4c6-6d5c-4534-9cf6-6a5266085333 |
Networking and Firewall | CloudFront Distribution without WAF enabled | Documentation |
S3 Bucket Without Logging f861041c-8c9f-4156-acfc-5e6e524f5884 |
Observability | S3 bucket without logging | Documentation |
Missing Cluster Log Types 66f130d9-b81d-4e8e-9b08-da74b9c891df |
Observability | Amazon EKS control plane logging don't enabled for all log types | Documentation |
Lambda Hardcoded AWS Access Key 1402afd8-a95c-4e84-8b0b-6fb43758e6ce |
Secret Management | Lambda hardcoded AWS access/secret keys | Documentation |
Hardcoded AWS access key d7b9d850-3e06-4a75-852f-c46c2e92240b |
Secret Management | Hard-coded AWS access key / secret key exists in EC2 user data | Documentation |
Query | Category | Description | Help |
---|---|---|---|
S3 Bucket With Public RW Access 38c5ee0d-7f22-4260-ab72-5073048df100 |
Access Control | S3 bucket with public READ/WRITE access | Documentation |