docs(queries): update queries catalog (#6001)
Co-authored-by: cxMiguelSilva <[email protected]>
kicsbot and cxMiguelSilva authored Nov 15, 2022
1 parent 846040f commit 0af2703
Showing 6 changed files with 18 additions and 18 deletions.
18 changes: 9 additions & 9 deletions docs/queries/all-queries.md

Large diffs are not rendered by default.

2 changes: 1 addition & 1 deletion docs/queries/ansible-queries.md
Expand Up @@ -84,6 +84,7 @@ Bellow are listed queries related with Ansible GCP:
|Disk Encryption Disabled<br/><sup><sub>092bae86-6105-4802-99d2-99cd7e7431f3</sub></sup>|<span style="color:#C60">Medium</span>|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined|<a href="https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_disk_module.html">Documentation</a><br/>|
|Google Compute SSL Policy Weak Cipher In Use<br/><sup><sub>b28bcd2f-c309-490e-ab7c-35fc4023eb26</sub></sup>|<span style="color:#C60">Medium</span>|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers|<a href="https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_ssl_policy_module.html">Documentation</a><br/>|
|OSLogin Is Disabled In VM Instance<br/><sup><sub>66dae697-507b-4aef-be18-eec5bd707f33</sub></sup>|<span style="color:#C60">Medium</span>|Insecure Configurations|VM instance should have OSLogin enabled|<a href="https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_instance_module.html">Documentation</a><br/>|
|COS Node Image Not Used<br/><sup><sub>be41f891-96b1-4b9d-b74f-b922a918c778</sub></sup>|<span style="color:#C60">Medium</span>|Insecure Configurations|The node image should be Container-Optimized OS(COS)|<a href="https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_container_node_pool_module.html#parameter-config/image_type">Documentation</a><br/>|
|Google Container Node Pool Auto Repair Disabled<br/><sup><sub>d58c6f24-3763-4269-9f5b-86b2569a003b</sub></sup>|<span style="color:#C60">Medium</span>|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state.|<a href="https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_container_node_pool_module.html">Documentation</a><br/>|
|Shielded VM Disabled<br/><sup><sub>18d3a83d-4414-49dc-90ea-f0387b2856cc</sub></sup>|<span style="color:#C60">Medium</span>|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true|<a href="https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_instance_module.html">Documentation</a><br/>|
|Using Default Service Account<br/><sup><sub>2775e169-e708-42a9-9305-b58aadd2c4dd</sub></sup>|<span style="color:#C60">Medium</span>|Insecure Configurations|Instances must not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account_email' must be defined. Additionally, it must not be empty and must also not be a default Google Compute Engine service account.|<a href="https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_instance_module.html">Documentation</a><br/>|
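Review bot: the added 'COS Node Image Not Used' row places query be41f891-96b1-4b9d-b74f-b922a918c778 under Insecure Configurations, which recategorizes an existing query rather than adding one, yet the commit message only says "update queries catalog"; call the category change out, and if this catalog is generated, as the kicsbot authorship suggests, make sure the change lives in the query's metadata source and not only in this file. Minor: the description "Container-Optimized OS(COS)" is missing a space before the parenthesis.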
Expand All @@ -97,7 +98,6 @@ Bellow are listed queries related with Ansible GCP:
|Serial Ports Are Enabled For VM Instances<br/><sup><sub>c6fc6f29-dc04-46b6-99ba-683c01aff350</sub></sup>|<span style="color:#C60">Medium</span>|Networking and Firewall|Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone|<a href="https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_instance_module.html">Documentation</a><br/>|
|PostgreSQL log_checkpoints Flag Not Set To ON<br/><sup><sub>89afe3f0-4681-4ce3-89ed-896cebd4277c</sub></sup>|<span style="color:#C60">Medium</span>|Observability|PostgreSQL database instance should have a 'log_checkpoints' flag with its value set to 'on'|<a href="https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_sql_instance_module.html#parameter-settings/database_flags">Documentation</a><br/>|
|PostgreSQL Misconfigured Log Messages Flag<br/><sup><sub>28a757fc-3d8f-424a-90c0-4233363b2711</sub></sup>|<span style="color:#C60">Medium</span>|Observability|PostgreSQL database 'log_min_messages' flag isn't set to a valid value|<a href="https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_sql_instance_module.html#parameter-settings/database_flags">Documentation</a><br/>|
|COS Node Image Not Used<br/><sup><sub>be41f891-96b1-4b9d-b74f-b922a918c778</sub></sup>|<span style="color:#C60">Medium</span>|Resource Management|The node image should be Container-Optimized OS(COS)|<a href="https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_container_node_pool_module.html#parameter-config/image_type">Documentation</a><br/>|
|High Google KMS Crypto Key Rotation Period<br/><sup><sub>f9b7086b-deb8-4034-9330-d7fd38f1b8de</sub></sup>|<span style="color:#C60">Medium</span>|Secret Management|KMS encryption keys should be rotated every 90 days or less. A short lifetime of encryption keys reduces the potential blast radius in case of compromise.|<a href="https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_kms_crypto_key_module.html">Documentation</a><br/>|
|Project-wide SSH Keys Are Enabled In VM Instances<br/><sup><sub>099b4411-d11e-4537-a0fc-146b19762a79</sub></sup>|<span style="color:#C60">Medium</span>|Secret Management|VM Instance should block project-wide SSH keys|<a href="https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_instance_module.html">Documentation</a><br/>|
|Google Compute Subnetwork with Private Google Access Disabled<br/><sup><sub>6a4080ae-79bd-42f6-a924-8f534c1c018b</sub></sup>|<span style="color:#CC0">Low</span>|Networking and Firewall|Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to yes|<a href="https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_subnetwork_module.html#parameter-private_ip_google_access">Documentation</a><br/>|
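Review bot: the context heading "Bellow are listed queries related with Ansible GCP" (it appears in both hunk headers of this file) should read "Below are listed queries related to Ansible GCP"; since it is unchanged context, it needs a separate fix wherever this heading is produced. Also confirm that the all-queries.md diff, which is not rendered here, carries the same move of be41f891-96b1-4b9d-b74f-b922a918c778 out of Resource Management, otherwise the two catalogs will disagree on the query's category.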
4 changes: 2 additions & 2 deletions docs/queries/cloudformation-queries.md
Expand Up @@ -78,11 +78,11 @@ Bellow are listed queries related with CloudFormation AWS:
|ECS Task Definition Container With Plaintext Password<br/><sup><sub>f9b10cdb-eaab-4e39-9793-e12b94a582ad</sub></sup>|<span style="color:#C00">High</span>|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data.|<a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ecs-taskdefinition-containerdefinitions.html#cfn-ecs-taskdefinition-containerdefinition-environment">Documentation</a><br/>|
|Redshift Cluster Without KMS CMK<br/><sup><sub>de76a0d6-66d5-45c9-9022-f05545b85c78</sub></sup>|<span style="color:#C00">High</span>|Encryption|AWS Redshift Cluster should have KMS CMK defined|<a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-redshift-cluster.html">Documentation</a><br/>|
|CloudFormation Specifying Credentials Not Safe<br/><sup><sub>9ecb6b21-18bc-4aa7-bd07-db20f1c746db</sub></sup>|<span style="color:#C00">High</span>|Encryption|Specifying credentials in the template itself is probably not safe to do.|<a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-authentication.html">Documentation</a><br/>|
|IAM Database Auth Not Enabled<br/><sup><sub>9fcd0a0a-9b6f-4670-a215-d94e6bf3f184</sub></sup>|<span style="color:#C00">High</span>|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version|<a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html#cfn-rds-dbinstance-enableiamdatabaseauthentication">Documentation</a><br/>|
|ELB Using Insecure Protocols<br/><sup><sub>61a94903-3cd3-4780-88ec-fc918819b9c8</sub></sup>|<span style="color:#C00">High</span>|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the ELB Listeners must not have Policies that posses Protocols that coincide with any of a predefined list of insecure protocols.|<a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-elb.html">Documentation</a><br/>|
|Kinesis SSE Not Configured<br/><sup><sub>7f65be75-90ab-4036-8c2a-410aef7bb650</sub></sup>|<span style="color:#C00">High</span>|Encryption|AWS Kinesis Stream should have SSE (Server Side Encryption) defined|<a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-kinesis-stream.html">Documentation</a><br/>|
|ElastiCache With Disabled Transit Encryption<br/><sup><sub>3b02569b-fc6f-4153-b3a3-ba91022fed68</sub></sup>|<span style="color:#C00">High</span>|Encryption|Ensure AWS ElastiCache Redis clusters have encryption for data at transit enabled|<a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-elasticache-replicationgroup.html">Documentation</a><br/>|
|DynamoDB With Aws Owned CMK<br/><sup><sub>c8dee387-a2e6-4a73-a942-183c975549ac</sub></sup>|<span style="color:#C00">High</span>|Encryption|AWS DynamoDb should be encrypted using AWS Managed CMK, instead of AWS-owned CMK. To verify this, SSEEnabled must be verified if false for AWS-owned CMK or true for AWS-Managed CMK. Default value is false.|<a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-dynamodb-table-ssespecification.html">Documentation</a><br/>|
|RDS DB Instance With IAM Auth Disabled<br/><sup><sub>9fcd0a0a-9b6f-4670-a215-d94e6bf3f184</sub></sup>|<span style="color:#C00">High</span>|Encryption|IAM Database Auth Enabled should be configured to true when compatible with engine and version|<a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html#cfn-rds-dbinstance-enableiamdatabaseauthentication">Documentation</a><br/>|
|Redshift Not Encrypted<br/><sup><sub>3b316b05-564c-44a7-9c3f-405bb95e211e</sub></sup>|<span style="color:#C00">High</span>|Encryption|AWS Redshift Cluster should be encrypted. Check if 'Encrypted' field is false or undefined (default is false)|<a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-redshift-cluster.html">Documentation</a><br/>|
|User Data Shell Script Is Encoded<br/><sup><sub>48c3bc58-6959-4f27-b647-4fedeace23be</sub></sup>|<span style="color:#C00">High</span>|Encryption|User Data Shell Script must be encoded|<a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-launchtemplate-launchtemplatedata.html#cfn-ec2-launchtemplate-launchtemplatedata-userdata">Documentation</a><br/>|
|Secure Ciphers Disabled<br/><sup><sub>be96849c-3df6-49c2-bc16-778a7be2519c</sub></sup>|<span style="color:#C00">High</span>|Encryption|Check if secure ciphers aren't used in CloudFront|<a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distribution-viewercertificate.html">Documentation</a><br/>|
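Review bot: the reworded description on the added 'RDS DB Instance With IAM Auth Disabled' row, "should be configured to true when compatible with engine and version", reads less clearly than the removed "when using compatible engine and version"; suggest "IAM database authentication should be enabled when the DB engine and version support it". The query ID 9fcd0a0a-9b6f-4670-a215-d94e6bf3f184 is unchanged, so this is a rename only, which keeps existing suppressions and finding references valid.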
Expand Down Expand Up @@ -149,7 +149,7 @@ Bellow are listed queries related with CloudFormation AWS:
|API Gateway Without Configured Authorizer<br/><sup><sub>7fd0d461-5b8c-4815-898c-f2b4b117eb28</sub></sup>|<span style="color:#C60">Medium</span>|Access Control|API Gateway REST API should have an API Gateway Authorizer|<a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-authorizer.html">Documentation</a><br/>|
|Empty Roles For ECS Cluster Task Definitions<br/><sup><sub>7f384a5f-b5a2-4d84-8ca3-ee0a5247becb</sub></sup>|<span style="color:#C60">Medium</span>|Access Control|Check if any ECS cluster has not defined proper roles for services' task definitions.|<a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecs-service.html">Documentation</a><br/>|
|Auto Scaling Group With No Associated ELB<br/><sup><sub>ad21e616-5026-4b9d-990d-5b007bfe679c</sub></sup>|<span style="color:#C60">Medium</span>|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'LoadBalancerNames' must be defined and not empty.|<a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-as-group.html">Documentation</a><br/>|
|ElastiCache Nodes Not Created Across Multi AZ<br/><sup><sub>cfdef2e5-1fe4-4ef4-bea8-c56e08963150</sub></sup>|<span style="color:#C60">Medium</span>|Availability|ElastiCache Nodes should have 'AZMode' set to 'cross-az' in in multi nodes cluster|<a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-elasticache-cache-cluster.html">Documentation</a><br/>|
|ElastiCache Nodes Not Created Across Multi AZ<br/><sup><sub>cfdef2e5-1fe4-4ef4-bea8-c56e08963150</sub></sup>|<span style="color:#C60">Medium</span>|Availability|ElastiCache Nodes should be created across multi az, which means 'AZMode' should be set to 'cross-az' in multi nodes cluster|<a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-elasticache-cache-cluster.html">Documentation</a><br/>|
|CMK Is Unusable<br/><sup><sub>2844c749-bd78-4cd1-90e8-b179df827602</sub></sup>|<span style="color:#C60">Medium</span>|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'Enabled' set to true and the attribute 'PendingWindowInDays' must be undefined.|<a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-kms-key.html">Documentation</a><br/>|
|EBS Volume Not Attached To Instances<br/><sup><sub>1819ac03-542b-4026-976b-f37addd59f3b</sub></sup>|<span style="color:#C60">Medium</span>|Availability|EBS Volumes that are unattached to instances may contain sensitive data|<a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-ebs-volumeattachment.html">Documentation</a><br/>|
|ECS Service Without Running Tasks<br/><sup><sub>79d745f0-d5f3-46db-9504-bef73e9fd528</sub></sup>|<span style="color:#C60">Medium</span>|Availability|ECS Service should have at least 1 task running|<a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecs-service.html#cfn-ecs-service-deploymentconfiguration">Documentation</a><br/>|
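Review bot: the replacement description for 'ElastiCache Nodes Not Created Across Multi AZ' fixes the duplicated "in in" but keeps "multi az" and "multi nodes cluster"; suggest "ElastiCache nodes should be created across multiple availability zones, which means 'AZMode' should be set to 'cross-az' in multi-node clusters", which also matches the capitalisation of AZ in the query title.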
4 changes: 2 additions & 2 deletions docs/queries/crossplane-queries.md
Expand Up @@ -31,8 +31,8 @@ Bellow are listed queries related with Crossplane AWS:
|EFS Without KMS<br/><sup><sub>bdecd6db-2600-47dd-a10c-72c97cf17ae9</sub></sup>|<span style="color:#C00">High</span>|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys|<a href="https://doc.crds.dev/github.com/crossplane/provider-aws/efs.aws.crossplane.io/FileSystem/[email protected]#spec-forProvider-kmsKeyID">Documentation</a><br/>|
|CloudFront Without Minimum Protocol TLS 1.2<br/><sup><sub>255b0fcc-9f82-41fe-9229-01b163e3376b</sub></sup>|<span style="color:#C00">High</span>|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2|<a href="https://doc.crds.dev/github.com/crossplane/provider-aws/cloudfront.aws.crossplane.io/Distribution/[email protected]#spec-forProvider-distributionConfig-viewerCertificate-minimumProtocolVersion">Documentation</a><br/>|
|DB Security Group Has Public Interface<br/><sup><sub>dd667399-8d9d-4a8d-bbb4-e49ab53b2f52</sub></sup>|<span style="color:#C00">High</span>|Insecure Configurations|The CIDR IP should not be a public interface|<a href="https://doc.crds.dev/github.com/crossplane/provider-aws/ec2.aws.crossplane.io/SecurityGroup/[email protected]#spec-forProvider-ingress-ipRanges-cidrIp">Documentation</a><br/>|
|SQS with SSE disabled<br/><sup><sub>9296f1cc-7a40-45de-bd41-f31745488a0e</sub></sup>|<span style="color:#C60">Medium</span>|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE)|<a href="https://doc.crds.dev/github.com/crossplane/provider-aws/sqs.aws.crossplane.io/Queue/[email protected]#spec-forProvider-kmsMasterKeyId">Documentation</a><br/>|
|SQS With SSE Disabled<br/><sup><sub>9296f1cc-7a40-45de-bd41-f31745488a0e</sub></sup>|<span style="color:#C60">Medium</span>|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE)|<a href="https://doc.crds.dev/github.com/crossplane/provider-aws/sqs.aws.crossplane.io/Queue/[email protected]#spec-forProvider-kmsMasterKeyId">Documentation</a><br/>|
|Neptune Database Cluster Encryption Disabled<br/><sup><sub>83bf5aca-138a-498e-b9cd-ad5bc5e117b4</sub></sup>|<span style="color:#C60">Medium</span>|Encryption|Neptune database cluster storage should have encryption enabled|<a href="https://doc.crds.dev/github.com/crossplane/provider-aws/neptune.aws.crossplane.io/DBCluster/[email protected]#spec-forProvider-storageEncrypted">Documentation</a><br/>|
|CloudFront Logging Disabled<br/><sup><sub>7b590235-1ff4-421b-b9ff-5227134be9bb</sub></sup>|<span style="color:#C60">Medium</span>|Observability|AWS CloudFront distributions must have logging enabled, which means the attribute 'logging' must be defined with 'enabled' set to true|<a href="https://doc.crds.dev/github.com/crossplane/provider-aws/cloudfront.aws.crossplane.io/Distribution/[email protected]#spec-forProvider-distributionConfig-logging">Documentation</a><br/>|
|CloudFront Logging Disabled<br/><sup><sub>7b590235-1ff4-421b-b9ff-5227134be9bb</sub></sup>|<span style="color:#C60">Medium</span>|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging' must be defined with 'enabled' set to true|<a href="https://doc.crds.dev/github.com/crossplane/provider-aws/cloudfront.aws.crossplane.io/Distribution/[email protected]#spec-forProvider-distributionConfig-logging">Documentation</a><br/>|
|CloudWatch Without Retention Period Specified<br/><sup><sub>934613fe-b12c-4e5a-95f5-c1dcdffac1ff</sub></sup>|<span style="color:#C60">Medium</span>|Observability|AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, and access log events|<a href="https://doc.crds.dev/github.com/crossplane/provider-aws/cloudwatchlogs.aws.crossplane.io/LogGroup/[email protected]#spec-forProvider-retentionInDays">Documentation</a><br/>|
|CloudFront Without WAF<br/><sup><sub>6d19ce0f-b3d8-4128-ac3d-1064e0f00494</sub></sup>|<span style="color:#CC0">Low</span>|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service|<a href="https://doc.crds.dev/github.com/crossplane/provider-aws/cloudfront.aws.crossplane.io/Distribution/[email protected]#spec-forProvider-distributionConfig-webACLID">Documentation</a><br/>|
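Review bot: the unchanged 'CloudWatch Without Retention Period Specified' row in this hunk has a description ("should have CloudWatch Logs enabled in order to monitor, store, and access log events") that matches neither its title nor its retentionInDays documentation link; since this pass already rewords descriptions (CloudFront Logging Disabled) and normalises title case (SQS With SSE Disabled), suggest fixing it to say the log group should define a retention period in days. The changed CloudFront Logging row now mixes "should have logging enabled" with "must be defined" in one sentence; pick one modal for consistency with the neighbouring rows.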
0 comments on commit 0af2703
