diff --git a/docs/queries/all-queries.md b/docs/queries/all-queries.md
index 781dfc5465c..04a3daa0c54 100644
--- a/docs/queries/all-queries.md
+++ b/docs/queries/all-queries.md
@@ -9,7 +9,7 @@ This page contains all queries.
|Google Compute SSL Policy Weak Cipher In Use
965e8830-2bec-4b9b-a7f0-24dbc200a68f|Pulumi|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers|Documentation
|
|PSP Set To Privileged
ee305555-6b1d-4055-94cf-e22131143c34|Pulumi|Medium|Insecure Configurations|Do not allow pod to request execution as privileged.|Documentation
|
|Missing App Armor Config
95588189-1abd-4df1-9588-b0a5034f9e87|Pulumi|Low|Access Control|Containers should be configured with AppArmor for any application to reduce its potential attack|Documentation
|
-|ElastiCache Nodes Not Created Across Multi AZ
9b18fc19-7fb8-49b1-8452-9c757c70f926|Pulumi|Medium|Availability|ElastiCache Nodes should have 'AZMode' set to 'cross-az' in in multi nodes cluster|Documentation
|
+|ElastiCache Nodes Not Created Across Multi AZ
9b18fc19-7fb8-49b1-8452-9c757c70f926|Pulumi|Medium|Availability|ElastiCache Nodes should be created across multi az, which means 'AZMode' should be set to 'cross-az' in multi nodes cluster|Documentation
|
|ElastiCache Redis Cluster Without Backup
e93bbe63-a631-4c0f-b6ef-700d48441ff2|Pulumi|Medium|Backup|ElastiCache Redis cluster should have 'snapshotRetentionLimit' higher than 0|Documentation
|
|IAM Password Without Lowercase Letter
de92dd34-1b88-43e8-b825-6e02d73c4549|Pulumi|Medium|Best Practices|IAM Password should have at least one lowercase letter|Documentation
|
|IAM Password Without Minimum Length
9850d621-7485-44f7-8bdd-b3cf426315cf|Pulumi|Medium|Best Practices|IAM password should have the required minimum length|Documentation
|
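Review bot: the rewritten description fixes the doubled "in in" but keeps two non-standard forms, "multi az" and "multi nodes cluster"; suggest "multi-AZ" and "multi-node cluster", and apply the same wording to the Terraform and CloudFormation copies of this query so the three descriptions stay identical apart from the attribute name. Not part of this change, but in the unchanged context above, "Weak Chyper Suits is Enabled" and "other version have Weak Chypers" in the Google Compute SSL Policy row should read "weak cipher suites are enabled" and "other versions have weak ciphers"; worth fixing while the file is open.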
@@ -267,7 +267,6 @@ This page contains all queries.
|Google Project Auto Create Network Disabled
59571246-3f62-4965-a96f-c7d97e269351|Terraform|Medium|Insecure Configurations|Verifies if the Google Project Auto Create Network is Disabled|Documentation
|
|Google Container Node Pool Auto Repair Disabled
acfdbec6-4a17-471f-b412-169d77553332|Terraform|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state.|Documentation
|
|Shielded VM Disabled
1b44e234-3d73-41a8-9954-0b154135280e|Terraform|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true|Documentation
|
-|Serial Ports Are Enabled For VM Instances
97fa667a-d05b-4f16-9071-58b939f34751|Terraform|Medium|Insecure Configurations|Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone|Documentation
|
|Using Default Service Account
3cb4af0b-056d-4fb1-8b95-fdc4593625ff|Terraform|Medium|Insecure Defaults|Instances should not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account' and its sub attribute 'email' must be defined. Additionally, 'email' must not be empty and must also not be a default Google Compute Engine service account.|Documentation
|
|GKE Using Default Service Account
1c8eef02-17b1-4a3e-b01d-dcc3292d2c38|Terraform|Medium|Insecure Defaults|Kubernetes Engine Clusters should not be configured to use the default service account|Documentation
|
|SSH Access Is Not Restricted
c4dcdcdf-10dd-4bf4-b4a0-8f6239e6aaa0|Terraform|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges|Documentation
|
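Review bot: this removal only makes sense together with the re-addition under Networking and Firewall in the next hunk; after both apply, query id 97fa667a-d05b-4f16-9071-58b939f34751 should occur exactly once in the Terraform section. If this table is generated from the query's metadata, the category has to change at the source as well, or the next regeneration will reinstate the Insecure Configurations row. Unrelated to the change, the context row "Using Default Service Account" sits under Insecure Defaults here but under Insecure Configurations in the Ansible section further down; that is the same kind of category inconsistency this PR is cleaning up.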
@@ -275,6 +274,7 @@ This page contains all queries.
|Google Compute Network Using Default Firewall Rule
40abce54-95b1-478c-8e5f-ea0bf0bb0e33|Terraform|Medium|Networking and Firewall|Google Compute Network should not use default firewall rule|Documentation
|
|IP Forwarding Enabled
f34c0c25-47b4-41eb-9c79-249b4dd47b89|Terraform|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true|Documentation
|
|RDP Access Is Not Restricted
678fd659-96f2-454a-a2a0-c2571f83a4a3|Terraform|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389|Documentation
|
+|Serial Ports Are Enabled For VM Instances
97fa667a-d05b-4f16-9071-58b939f34751|Terraform|Medium|Networking and Firewall|Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone|Documentation
|
|Google Compute Subnetwork Logging Disabled
40430747-442d-450a-a34f-dc57149f4609|Terraform|Medium|Observability|This query checks if logs are enabled for a Google Compute Subnetwork resource.|Documentation
|
|Service Account with Improper Privileges
cefdad16-0dd5-4ac5-8ed2-a37502c78672|Terraform|Medium|Resource Management|Service account should not have improper privileges like admin, editor, owner, or write roles|Documentation
|
|High Google KMS Crypto Key Rotation Period
d8c57c4e-bf6f-4e32-a2bf-8643532de77b|Terraform|Medium|Secret Management|KMS encryption keys should be rotated every 90 days or less. A short lifetime of encryption keys reduces the potential blast radius in case of compromise.|Documentation
|
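Review bot: placement is right: Networking and Firewall matches the category the Ansible copy of this query already uses (c6fc6f29-dc04-46b6-99ba-683c01aff350 in the Ansible section), and the row lands in alphabetical position after "RDP Access Is Not Restricted". The description itself is unchanged and reads oddly, listing "SSH key" among things an attacker merely "knows". Suggest rewording to state why the row belongs in this category: the interactive serial console is not subject to VPC firewall rules, so enabling it opens a management path the firewall does not restrict.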
@@ -541,7 +541,7 @@ This page contains all queries.
|Role With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ee49557d-750c-4cc1-aa95-94ab36cbefde|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
|
|Group With Privilege Escalation By Actions 'iam:PutUserPolicy'
60263b4a-6801-4587-911d-919c37ed733b|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
|
|Auto Scaling Group With No Associated ELB
8e94dced-9bcc-4203-8eb7-7e41202b2505|Terraform|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty.|Documentation
|
-|ElastiCache Nodes Not Created Across Multi AZ
6db03a91-f933-4f13-ab38-a8b87a7de54d|Terraform|Medium|Availability|ElastiCache Nodes should have 'az_mode' set to 'cross-az' in in multi nodes cluster|Documentation
|
+|ElastiCache Nodes Not Created Across Multi AZ
6db03a91-f933-4f13-ab38-a8b87a7de54d|Terraform|Medium|Availability|ElastiCache Nodes should be created across multi az, which means 'az_mode' should be set to 'cross-az' in multi nodes cluster|Documentation
|
|CMK Is Unusable
7350fa23-dcf7-4938-916d-6a60b0c73b50|Terraform|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true|Documentation
|
|ECS Service Without Running Tasks
91f16d09-689e-4926-aca7-155157f634ed|Terraform|Medium|Availability|ECS Service should have at least 1 task running|Documentation
|
|ElastiCache Redis Cluster Without Backup
8fdb08a0-a868-4fdf-9c27-ccab0237f1ab|Terraform|Medium|Backup|ElastiCache Redis cluster should have 'snapshot_retention_limit' higher than 0|Documentation
|
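Review bot: same wording nits as the Pulumi copy: "multi az" should be "multi-AZ" and "multi nodes cluster" should be "multi-node cluster". The attribute name 'az_mode' is correctly the Terraform form here while the Pulumi and CloudFormation rows use 'AZMode', so only the surrounding phrasing should be shared between the three.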
@@ -646,6 +646,7 @@ This page contains all queries.
|CDN Configuration Is Missing
1bc367f6-901d-4870-ad0c-71d79762ef52|Terraform|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination.|Documentation
|
|Lambda IAM InvokeFunction Misconfigured
0ca1017d-3b80-423e-bb9c-6cd5898d34bd|Terraform|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction'|Documentation
|
|ECR Repository Without Policy
69e7c320-b65d-41bb-be02-d63ecc0bcc9d|Terraform|Low|Best Practices|ECR Repository should have Policies attached to it|Documentation
|
+|CloudTrail Log Files Not Encrypted With KMS
5d9e3164-9265-470c-9a10-57ae454ac0c7|Terraform|Low|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail|Documentation
|
|ECR Repository Not Encrypted With CMK
0e32d561-4b5a-4664-a6e3-a3fa85649157|Terraform|Low|Encryption|ECR repositories should be encrypted with customer-managed keys to meet stricter security and compliance requirements on access control, monitoring, and key rotation|Documentation
|
|ALB Deletion Protection Disabled
afecd1f1-6378-4f7e-bb3b-60c35801fdd4|Terraform|Low|Insecure Configurations|Application Load Balancer should have deletion protection enabled|Documentation
|
|S3 Bucket Without Ignore Public ACL
4fa66806-0dd9-4f8d-9480-3174d39c7c91|Terraform|Low|Insecure Configurations|S3 bucket without ignore public ACL|Documentation
|
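Review bot: the added description ends with "to increase security of your CloudTrail", which says nothing concrete; suggest stating what the control achieves, e.g. "so that log files delivered to the S3 bucket are encrypted at rest with a KMS key", matching the specificity of the neighbouring ECR row. Moving the row from Observability to Encryption is the right call, but it must land together with the removal in the next hunk.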
@@ -665,7 +666,6 @@ This page contains all queries.
|CloudWatch VPC Changes Alarm Missing
9d0d4512-1959-43a2-a17f-72360ff06d1b|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for VPC changes|Documentation
|
|CloudWatch Network Gateways Changes Alarm Missing
6b6874fe-4c2f-4eea-8b90-7cceaa4a125e|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for network gateways changes|Documentation
|
|CloudWatch Route Table Changes Alarm Missing
2285e608-ddbc-47f3-ba54-ce7121e31216|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for route table changes|Documentation
|
-|CloudTrail Log Files Not Encrypted With KMS
5d9e3164-9265-470c-9a10-57ae454ac0c7|Terraform|Low|Observability|Logs delivered by CloudTrail should be encrypted using KMS|Documentation
|
|CloudWatch AWS Config Configuration Changes Alarm Missing
5b8d7527-de8e-4114-b9dd-9d988f1f418f|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for AWS Config configuration changes|Documentation
|
|Lambda Functions Without X-Ray Tracing
8152e0cf-d2f0-47ad-96d5-d003a76eabd1|Terraform|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_Config.mode' should have the value 'Active'|Documentation
|
|CloudTrail Log File Validation Disabled
52ffcfa6-6c70-4ea6-8376-d828d3961669|Terraform|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered|Documentation
|
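Review bot: this removal pairs with the addition under Encryption in the previous hunk; after both apply, id 5d9e3164-9265-470c-9a10-57ae454ac0c7 should appear once. In the unchanged context two rows below, 'tracing_Config.mode' has a stray capital: the Terraform aws_lambda_function argument is tracing_config with a mode attribute, so it should read 'tracing_config.mode'. Not part of this change, but cheap to fix in the same PR.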
@@ -957,11 +957,11 @@ This page contains all queries.
|ECS Task Definition Container With Plaintext Password
f9b10cdb-eaab-4e39-9793-e12b94a582ad|CloudFormation|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data.|Documentation
|
|Redshift Cluster Without KMS CMK
de76a0d6-66d5-45c9-9022-f05545b85c78|CloudFormation|High|Encryption|AWS Redshift Cluster should have KMS CMK defined|Documentation
|
|CloudFormation Specifying Credentials Not Safe
9ecb6b21-18bc-4aa7-bd07-db20f1c746db|CloudFormation|High|Encryption|Specifying credentials in the template itself is probably not safe to do.|Documentation
|
+|IAM Database Auth Not Enabled
9fcd0a0a-9b6f-4670-a215-d94e6bf3f184|CloudFormation|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version|Documentation
|
|ELB Using Insecure Protocols
61a94903-3cd3-4780-88ec-fc918819b9c8|CloudFormation|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the ELB Listeners must not have Policies that posses Protocols that coincide with any of a predefined list of insecure protocols.|Documentation
|
|Kinesis SSE Not Configured
7f65be75-90ab-4036-8c2a-410aef7bb650|CloudFormation|High|Encryption|AWS Kinesis Stream should have SSE (Server Side Encryption) defined|Documentation
|
|ElastiCache With Disabled Transit Encryption
3b02569b-fc6f-4153-b3a3-ba91022fed68|CloudFormation|High|Encryption|Ensure AWS ElastiCache Redis clusters have encryption for data at transit enabled|Documentation
|
|DynamoDB With Aws Owned CMK
c8dee387-a2e6-4a73-a942-183c975549ac|CloudFormation|High|Encryption|AWS DynamoDb should be encrypted using AWS Managed CMK, instead of AWS-owned CMK. To verify this, SSEEnabled must be verified if false for AWS-owned CMK or true for AWS-Managed CMK. Default value is false.|Documentation
|
-|RDS DB Instance With IAM Auth Disabled
9fcd0a0a-9b6f-4670-a215-d94e6bf3f184|CloudFormation|High|Encryption|IAM Database Auth Enabled should be configured to true when compatible with engine and version|Documentation
|
|Redshift Not Encrypted
3b316b05-564c-44a7-9c3f-405bb95e211e|CloudFormation|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'Encrypted' field is false or undefined (default is false)|Documentation
|
|User Data Shell Script Is Encoded
48c3bc58-6959-4f27-b647-4fedeace23be|CloudFormation|High|Encryption|User Data Shell Script must be encoded|Documentation
|
|Secure Ciphers Disabled
be96849c-3df6-49c2-bc16-778a7be2519c|CloudFormation|High|Encryption|Check if secure ciphers aren't used in CloudFront|Documentation
|
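Review bot: the rename from "RDS DB Instance With IAM Auth Disabled" to "IAM Database Auth Not Enabled" drops the resource the query targets, and the description does not name it either; keep "RDS" in the name or the description so the check is distinguishable from other database-auth checks. "when using compatible engine and version" is still vague: list the engines or point to the documentation, otherwise a user cannot tell whether a finding on their engine is a false positive. Also reconsider the category: IAM database authentication is an access-control setting rather than an encryption one, so Access Control fits better than Encryption. The same points apply to the cloudformation-queries.md copy.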
@@ -1028,7 +1028,7 @@ This page contains all queries.
|API Gateway Without Configured Authorizer
7fd0d461-5b8c-4815-898c-f2b4b117eb28|CloudFormation|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer|Documentation
|
|Empty Roles For ECS Cluster Task Definitions
7f384a5f-b5a2-4d84-8ca3-ee0a5247becb|CloudFormation|Medium|Access Control|Check if any ECS cluster has not defined proper roles for services' task definitions.|Documentation
|
|Auto Scaling Group With No Associated ELB
ad21e616-5026-4b9d-990d-5b007bfe679c|CloudFormation|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'LoadBalancerNames' must be defined and not empty.|Documentation
|
-|ElastiCache Nodes Not Created Across Multi AZ
cfdef2e5-1fe4-4ef4-bea8-c56e08963150|CloudFormation|Medium|Availability|ElastiCache Nodes should have 'AZMode' set to 'cross-az' in in multi nodes cluster|Documentation
|
+|ElastiCache Nodes Not Created Across Multi AZ
cfdef2e5-1fe4-4ef4-bea8-c56e08963150|CloudFormation|Medium|Availability|ElastiCache Nodes should be created across multi az, which means 'AZMode' should be set to 'cross-az' in multi nodes cluster|Documentation
|
|CMK Is Unusable
2844c749-bd78-4cd1-90e8-b179df827602|CloudFormation|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'Enabled' set to true and the attribute 'PendingWindowInDays' must be undefined.|Documentation
|
|EBS Volume Not Attached To Instances
1819ac03-542b-4026-976b-f37addd59f3b|CloudFormation|Medium|Availability|EBS Volumes that are unattached to instances may contain sensitive data|Documentation
|
|ECS Service Without Running Tasks
79d745f0-d5f3-46db-9504-bef73e9fd528|CloudFormation|Medium|Availability|ECS Service should have at least 1 task running|Documentation
|
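Review bot: identical wording issue to the Pulumi and Terraform copies ("multi az", "multi nodes cluster"); fix all three rows together so the description only differs in the attribute name 'AZMode' versus 'az_mode'.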
@@ -1453,9 +1453,9 @@ This page contains all queries.
|EFS Without KMS
bdecd6db-2600-47dd-a10c-72c97cf17ae9|Crossplane|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys|Documentation
|
|CloudFront Without Minimum Protocol TLS 1.2
255b0fcc-9f82-41fe-9229-01b163e3376b|Crossplane|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2|Documentation
|
|DB Security Group Has Public Interface
dd667399-8d9d-4a8d-bbb4-e49ab53b2f52|Crossplane|High|Insecure Configurations|The CIDR IP should not be a public interface|Documentation
|
-|SQS with SSE disabled
9296f1cc-7a40-45de-bd41-f31745488a0e|Crossplane|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE)|Documentation
|
+|SQS With SSE Disabled
9296f1cc-7a40-45de-bd41-f31745488a0e|Crossplane|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE)|Documentation
|
|Neptune Database Cluster Encryption Disabled
83bf5aca-138a-498e-b9cd-ad5bc5e117b4|Crossplane|Medium|Encryption|Neptune database cluster storage should have encryption enabled|Documentation
|
-|CloudFront Logging Disabled
7b590235-1ff4-421b-b9ff-5227134be9bb|Crossplane|Medium|Observability|AWS CloudFront distributions must have logging enabled, which means the attribute 'logging' must be defined with 'enabled' set to true|Documentation
|
+|CloudFront Logging Disabled
7b590235-1ff4-421b-b9ff-5227134be9bb|Crossplane|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging' must be defined with 'enabled' set to true|Documentation
|
|CloudWatch Without Retention Period Specified
934613fe-b12c-4e5a-95f5-c1dcdffac1ff|Crossplane|Medium|Observability|AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, and access log events|Documentation
|
|CloudFront Without WAF
6d19ce0f-b3d8-4128-ac3d-1064e0f00494|Crossplane|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service|Documentation
|
|Passwords And Secrets
a88baa34-e2ad-44ea-ad6f-8cac87bc7c71|Common|High|Secret Management|Query to find passwords and secrets in infrastructure code.|Documentation
|
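Review bot: the CloudFront Logging rewrite switches "must have" to "should have" while the surrounding rows use both forms; pick one modal for descriptions across the file. The "to collect all viewer requests" addition is a useful clarification. The SQS change is title-case only and brings the name in line with the casing of the other rows.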
@@ -1530,6 +1530,7 @@ This page contains all queries.
|Disk Encryption Disabled
092bae86-6105-4802-99d2-99cd7e7431f3|Ansible|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined|Documentation
|
|Google Compute SSL Policy Weak Cipher In Use
b28bcd2f-c309-490e-ab7c-35fc4023eb26|Ansible|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers|Documentation
|
|OSLogin Is Disabled In VM Instance
66dae697-507b-4aef-be18-eec5bd707f33|Ansible|Medium|Insecure Configurations|VM instance should have OSLogin enabled|Documentation
|
+|COS Node Image Not Used
be41f891-96b1-4b9d-b74f-b922a918c778|Ansible|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS)|Documentation
|
|Google Container Node Pool Auto Repair Disabled
d58c6f24-3763-4269-9f5b-86b2569a003b|Ansible|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state.|Documentation
|
|Shielded VM Disabled
18d3a83d-4414-49dc-90ea-f0387b2856cc|Ansible|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true|Documentation
|
|Using Default Service Account
2775e169-e708-42a9-9305-b58aadd2c4dd|Ansible|Medium|Insecure Configurations|Instances must not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account_email' must be defined. Additionally, it must not be empty and must also not be a default Google Compute Engine service account.|Documentation
|
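Review bot: the re-added description "Container-Optimized OS(COS)" is missing a space before the parenthesis and should read "Container-Optimized OS (COS)"; since the row is being re-added anyway, this is the moment to fix it. The move from Resource Management to Insecure Configurations is reasonable: the node image is a hardening choice, not a quota or capacity setting.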
@@ -1543,7 +1544,6 @@ This page contains all queries.
|Serial Ports Are Enabled For VM Instances
c6fc6f29-dc04-46b6-99ba-683c01aff350|Ansible|Medium|Networking and Firewall|Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone|Documentation
|
|PostgreSQL log_checkpoints Flag Not Set To ON
89afe3f0-4681-4ce3-89ed-896cebd4277c|Ansible|Medium|Observability|PostgreSQL database instance should have a 'log_checkpoints' flag with its value set to 'on'|Documentation
|
|PostgreSQL Misconfigured Log Messages Flag
28a757fc-3d8f-424a-90c0-4233363b2711|Ansible|Medium|Observability|PostgreSQL database 'log_min_messages' flag isn't set to a valid value|Documentation
|
-|COS Node Image Not Used
be41f891-96b1-4b9d-b74f-b922a918c778|Ansible|Medium|Resource Management|The node image should be Container-Optimized OS(COS)|Documentation
|
|High Google KMS Crypto Key Rotation Period
f9b7086b-deb8-4034-9330-d7fd38f1b8de|Ansible|Medium|Secret Management|KMS encryption keys should be rotated every 90 days or less. A short lifetime of encryption keys reduces the potential blast radius in case of compromise.|Documentation
|
|Project-wide SSH Keys Are Enabled In VM Instances
099b4411-d11e-4537-a0fc-146b19762a79|Ansible|Medium|Secret Management|VM Instance should block project-wide SSH keys|Documentation
|
|Google Compute Subnetwork with Private Google Access Disabled
6a4080ae-79bd-42f6-a924-8f534c1c018b|Ansible|Low|Networking and Firewall|Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to yes|Documentation
|
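Review bot: this removal pairs with the re-addition under Insecure Configurations in the previous hunk; after both apply, be41f891-96b1-4b9d-b74f-b922a918c778 should appear once in the Ansible section. The same move is repeated in ansible-queries.md below, so the two files need to stay in step.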
diff --git a/docs/queries/ansible-queries.md b/docs/queries/ansible-queries.md
index f4207ddff22..7d7ce9d4692 100644
--- a/docs/queries/ansible-queries.md
+++ b/docs/queries/ansible-queries.md
@@ -84,6 +84,7 @@ Bellow are listed queries related with Ansible GCP:
|Disk Encryption Disabled
092bae86-6105-4802-99d2-99cd7e7431f3|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined|Documentation
|
|Google Compute SSL Policy Weak Cipher In Use
b28bcd2f-c309-490e-ab7c-35fc4023eb26|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers|Documentation
|
|OSLogin Is Disabled In VM Instance
66dae697-507b-4aef-be18-eec5bd707f33|Medium|Insecure Configurations|VM instance should have OSLogin enabled|Documentation
|
+|COS Node Image Not Used
be41f891-96b1-4b9d-b74f-b922a918c778|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS)|Documentation
|
|Google Container Node Pool Auto Repair Disabled
d58c6f24-3763-4269-9f5b-86b2569a003b|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state.|Documentation
|
|Shielded VM Disabled
18d3a83d-4414-49dc-90ea-f0387b2856cc|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true|Documentation
|
|Using Default Service Account
2775e169-e708-42a9-9305-b58aadd2c4dd|Medium|Insecure Configurations|Instances must not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account_email' must be defined. Additionally, it must not be empty and must also not be a default Google Compute Engine service account.|Documentation
|
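Review bot: same missing space in "Container-Optimized OS(COS)" as in the all-queries.md copy. Also, the intro line shown in the hunk header, "Bellow are listed queries related with Ansible GCP:", has a typo and should read "Below are listed queries related to Ansible GCP:". The same "Bellow" appears in the CloudFormation, Crossplane and Pulumi files touched by this PR, so all four could be fixed in one pass.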
@@ -97,7 +98,6 @@ Bellow are listed queries related with Ansible GCP:
|Serial Ports Are Enabled For VM Instances
c6fc6f29-dc04-46b6-99ba-683c01aff350|Medium|Networking and Firewall|Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone|Documentation
|
|PostgreSQL log_checkpoints Flag Not Set To ON
89afe3f0-4681-4ce3-89ed-896cebd4277c|Medium|Observability|PostgreSQL database instance should have a 'log_checkpoints' flag with its value set to 'on'|Documentation
|
|PostgreSQL Misconfigured Log Messages Flag
28a757fc-3d8f-424a-90c0-4233363b2711|Medium|Observability|PostgreSQL database 'log_min_messages' flag isn't set to a valid value|Documentation
|
-|COS Node Image Not Used
be41f891-96b1-4b9d-b74f-b922a918c778|Medium|Resource Management|The node image should be Container-Optimized OS(COS)|Documentation
|
|High Google KMS Crypto Key Rotation Period
f9b7086b-deb8-4034-9330-d7fd38f1b8de|Medium|Secret Management|KMS encryption keys should be rotated every 90 days or less. A short lifetime of encryption keys reduces the potential blast radius in case of compromise.|Documentation
|
|Project-wide SSH Keys Are Enabled In VM Instances
099b4411-d11e-4537-a0fc-146b19762a79|Medium|Secret Management|VM Instance should block project-wide SSH keys|Documentation
|
|Google Compute Subnetwork with Private Google Access Disabled
6a4080ae-79bd-42f6-a924-8f534c1c018b|Low|Networking and Firewall|Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to yes|Documentation
|
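Review bot: mirrors the removal in all-queries.md; nothing further, provided be41f891-96b1-4b9d-b74f-b922a918c778 occurs once in this file after both hunks apply.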
diff --git a/docs/queries/cloudformation-queries.md b/docs/queries/cloudformation-queries.md
index 0e549444999..75346388bbf 100644
--- a/docs/queries/cloudformation-queries.md
+++ b/docs/queries/cloudformation-queries.md
@@ -78,11 +78,11 @@ Bellow are listed queries related with CloudFormation AWS:
|ECS Task Definition Container With Plaintext Password
f9b10cdb-eaab-4e39-9793-e12b94a582ad|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data.|Documentation
|
|Redshift Cluster Without KMS CMK
de76a0d6-66d5-45c9-9022-f05545b85c78|High|Encryption|AWS Redshift Cluster should have KMS CMK defined|Documentation
|
|CloudFormation Specifying Credentials Not Safe
9ecb6b21-18bc-4aa7-bd07-db20f1c746db|High|Encryption|Specifying credentials in the template itself is probably not safe to do.|Documentation
|
+|IAM Database Auth Not Enabled
9fcd0a0a-9b6f-4670-a215-d94e6bf3f184|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version|Documentation
|
|ELB Using Insecure Protocols
61a94903-3cd3-4780-88ec-fc918819b9c8|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the ELB Listeners must not have Policies that posses Protocols that coincide with any of a predefined list of insecure protocols.|Documentation
|
|Kinesis SSE Not Configured
7f65be75-90ab-4036-8c2a-410aef7bb650|High|Encryption|AWS Kinesis Stream should have SSE (Server Side Encryption) defined|Documentation
|
|ElastiCache With Disabled Transit Encryption
3b02569b-fc6f-4153-b3a3-ba91022fed68|High|Encryption|Ensure AWS ElastiCache Redis clusters have encryption for data at transit enabled|Documentation
|
|DynamoDB With Aws Owned CMK
c8dee387-a2e6-4a73-a942-183c975549ac|High|Encryption|AWS DynamoDb should be encrypted using AWS Managed CMK, instead of AWS-owned CMK. To verify this, SSEEnabled must be verified if false for AWS-owned CMK or true for AWS-Managed CMK. Default value is false.|Documentation
|
-|RDS DB Instance With IAM Auth Disabled
9fcd0a0a-9b6f-4670-a215-d94e6bf3f184|High|Encryption|IAM Database Auth Enabled should be configured to true when compatible with engine and version|Documentation
|
|Redshift Not Encrypted
3b316b05-564c-44a7-9c3f-405bb95e211e|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'Encrypted' field is false or undefined (default is false)|Documentation
|
|User Data Shell Script Is Encoded
48c3bc58-6959-4f27-b647-4fedeace23be|High|Encryption|User Data Shell Script must be encoded|Documentation
|
|Secure Ciphers Disabled
be96849c-3df6-49c2-bc16-778a7be2519c|High|Encryption|Check if secure ciphers aren't used in CloudFront|Documentation
|
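Review bot: same concerns as the all-queries.md copy: the new name "IAM Database Auth Not Enabled" no longer says it is an RDS DB instance check, "compatible engine and version" is unspecified, and Encryption is the wrong category for an authentication control. Whatever wording is chosen, this row must end up identical in both files.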
@@ -149,7 +149,7 @@ Bellow are listed queries related with CloudFormation AWS:
|API Gateway Without Configured Authorizer
7fd0d461-5b8c-4815-898c-f2b4b117eb28|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer|Documentation
|
|Empty Roles For ECS Cluster Task Definitions
7f384a5f-b5a2-4d84-8ca3-ee0a5247becb|Medium|Access Control|Check if any ECS cluster has not defined proper roles for services' task definitions.|Documentation
|
|Auto Scaling Group With No Associated ELB
ad21e616-5026-4b9d-990d-5b007bfe679c|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'LoadBalancerNames' must be defined and not empty.|Documentation
|
-|ElastiCache Nodes Not Created Across Multi AZ
cfdef2e5-1fe4-4ef4-bea8-c56e08963150|Medium|Availability|ElastiCache Nodes should have 'AZMode' set to 'cross-az' in in multi nodes cluster|Documentation
|
+|ElastiCache Nodes Not Created Across Multi AZ
cfdef2e5-1fe4-4ef4-bea8-c56e08963150|Medium|Availability|ElastiCache Nodes should be created across multi az, which means 'AZMode' should be set to 'cross-az' in multi nodes cluster|Documentation
|
|CMK Is Unusable
2844c749-bd78-4cd1-90e8-b179df827602|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'Enabled' set to true and the attribute 'PendingWindowInDays' must be undefined.|Documentation
|
|EBS Volume Not Attached To Instances
1819ac03-542b-4026-976b-f37addd59f3b|Medium|Availability|EBS Volumes that are unattached to instances may contain sensitive data|Documentation
|
|ECS Service Without Running Tasks
79d745f0-d5f3-46db-9504-bef73e9fd528|Medium|Availability|ECS Service should have at least 1 task running|Documentation
|
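Review bot: mirrors the all-queries.md ElastiCache rewrite; apply the "multi-AZ" and "multi-node cluster" wording here too so the per-platform file and the combined file do not drift.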
diff --git a/docs/queries/crossplane-queries.md b/docs/queries/crossplane-queries.md
index 7e8e8aa9a35..176fb40a430 100644
--- a/docs/queries/crossplane-queries.md
+++ b/docs/queries/crossplane-queries.md
@@ -31,8 +31,8 @@ Bellow are listed queries related with Crossplane AWS:
|EFS Without KMS
bdecd6db-2600-47dd-a10c-72c97cf17ae9|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys|Documentation
|
|CloudFront Without Minimum Protocol TLS 1.2
255b0fcc-9f82-41fe-9229-01b163e3376b|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2|Documentation
|
|DB Security Group Has Public Interface
dd667399-8d9d-4a8d-bbb4-e49ab53b2f52|High|Insecure Configurations|The CIDR IP should not be a public interface|Documentation
|
-|SQS with SSE disabled
9296f1cc-7a40-45de-bd41-f31745488a0e|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE)|Documentation
|
+|SQS With SSE Disabled
9296f1cc-7a40-45de-bd41-f31745488a0e|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE)|Documentation
|
|Neptune Database Cluster Encryption Disabled
83bf5aca-138a-498e-b9cd-ad5bc5e117b4|Medium|Encryption|Neptune database cluster storage should have encryption enabled|Documentation
|
-|CloudFront Logging Disabled
7b590235-1ff4-421b-b9ff-5227134be9bb|Medium|Observability|AWS CloudFront distributions must have logging enabled, which means the attribute 'logging' must be defined with 'enabled' set to true|Documentation
|
+|CloudFront Logging Disabled
7b590235-1ff4-421b-b9ff-5227134be9bb|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging' must be defined with 'enabled' set to true|Documentation
|
|CloudWatch Without Retention Period Specified
934613fe-b12c-4e5a-95f5-c1dcdffac1ff|Medium|Observability|AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, and access log events|Documentation
|
|CloudFront Without WAF
6d19ce0f-b3d8-4128-ac3d-1064e0f00494|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service|Documentation
|
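Review bot: the retitled SQS entry (the `+` line for 9296f1cc) carries over a number mismatch from the old line, "queue should protect the contents of their messages"; since the line is being rewritten anyway, make it "queues should protect the contents of their messages" (or "queue ... its messages"). The CloudFront Logging rewording is fine, but note it softens "must have logging enabled" to "should", while the trailing "must be defined with 'enabled' set to true" keeps the stronger verb; pick one so the two halves of the sentence agree. Separately, the section heading quoted in the hunk header reads "Bellow are listed queries", which is a typo for "Below".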
diff --git a/docs/queries/pulumi-queries.md b/docs/queries/pulumi-queries.md
index d9788cb69ed..520bbf46a75 100644
--- a/docs/queries/pulumi-queries.md
+++ b/docs/queries/pulumi-queries.md
@@ -34,7 +34,7 @@ Bellow are listed queries related with Pulumi AWS:
| Query |Severity|Category|Description|Help|
|------------------------------|--------|--------|-----------|----|
-|ElastiCache Nodes Not Created Across Multi AZ
9b18fc19-7fb8-49b1-8452-9c757c70f926|Medium|Availability|ElastiCache Nodes should have 'AZMode' set to 'cross-az' in in multi nodes cluster|Documentation
|
+|ElastiCache Nodes Not Created Across Multi AZ
9b18fc19-7fb8-49b1-8452-9c757c70f926|Medium|Availability|ElastiCache Nodes should be created across multi az, which means 'AZMode' should be set to 'cross-az' in multi nodes cluster|Documentation
|
|ElastiCache Redis Cluster Without Backup
e93bbe63-a631-4c0f-b6ef-700d48441ff2|Medium|Backup|ElastiCache Redis cluster should have 'snapshotRetentionLimit' higher than 0|Documentation
|
|IAM Password Without Lowercase Letter
de92dd34-1b88-43e8-b825-6e02d73c4549|Medium|Best Practices|IAM Password should have at least one lowercase letter|Documentation
|
|IAM Password Without Minimum Length
9850d621-7485-44f7-8bdd-b3cf426315cf|Medium|Best Practices|IAM password should have the required minimum length|Documentation
|
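Review bot: the new ElastiCache description fixes the doubled "in in" but leaves "across multi az" and "in multi nodes cluster" ungrammatical; suggest "ElastiCache nodes should be created across multiple Availability Zones, which means 'AZMode' should be set to 'cross-az' in a multi-node cluster". The wording now matches the all-queries.md copy of this query (same ID 9b18fc19), which is good; the same grammar fix should be applied there so the copies stay identical.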
diff --git a/docs/queries/terraform-queries.md b/docs/queries/terraform-queries.md
index c9149447668..6bb950f86e2 100644
--- a/docs/queries/terraform-queries.md
+++ b/docs/queries/terraform-queries.md
@@ -227,7 +227,6 @@ Bellow are listed queries related with Terraform GCP:
|Google Project Auto Create Network Disabled
59571246-3f62-4965-a96f-c7d97e269351|Medium|Insecure Configurations|Verifies if the Google Project Auto Create Network is Disabled|Documentation
|
|Google Container Node Pool Auto Repair Disabled
acfdbec6-4a17-471f-b412-169d77553332|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state.|Documentation
|
|Shielded VM Disabled
1b44e234-3d73-41a8-9954-0b154135280e|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true|Documentation
|
-|Serial Ports Are Enabled For VM Instances
97fa667a-d05b-4f16-9071-58b939f34751|Medium|Insecure Configurations|Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone|Documentation
|
|Using Default Service Account
3cb4af0b-056d-4fb1-8b95-fdc4593625ff|Medium|Insecure Defaults|Instances should not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account' and its sub attribute 'email' must be defined. Additionally, 'email' must not be empty and must also not be a default Google Compute Engine service account.|Documentation
|
|GKE Using Default Service Account
1c8eef02-17b1-4a3e-b01d-dcc3292d2c38|Medium|Insecure Defaults|Kubernetes Engine Clusters should not be configured to use the default service account|Documentation
|
|SSH Access Is Not Restricted
c4dcdcdf-10dd-4bf4-b4a0-8f6239e6aaa0|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges|Documentation
|
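Review bot: this hunk only removes the "Serial Ports Are Enabled For VM Instances" entry (97fa667a) from the Insecure Configurations block; the matching re-insertion under Networking and Firewall appears in the next hunk, so this is a category move rather than a deletion, and the hunk header's line counts (-227,7 +227,6) are consistent with that. Worth confirming in the PR description that the query's own category metadata was moved as well, since this page is generated from it and a mismatch would reappear on the next regeneration.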
@@ -235,6 +234,7 @@ Bellow are listed queries related with Terraform GCP:
|Google Compute Network Using Default Firewall Rule
40abce54-95b1-478c-8e5f-ea0bf0bb0e33|Medium|Networking and Firewall|Google Compute Network should not use default firewall rule|Documentation
|
|IP Forwarding Enabled
f34c0c25-47b4-41eb-9c79-249b4dd47b89|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true|Documentation
|
|RDP Access Is Not Restricted
678fd659-96f2-454a-a2a0-c2571f83a4a3|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389|Documentation
|
+|Serial Ports Are Enabled For VM Instances
97fa667a-d05b-4f16-9071-58b939f34751|Medium|Networking and Firewall|Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone|Documentation
|
|Google Compute Subnetwork Logging Disabled
40430747-442d-450a-a34f-dc57149f4609|Medium|Observability|This query checks if logs are enabled for a Google Compute Subnetwork resource.|Documentation
|
|Service Account with Improper Privileges
cefdad16-0dd5-4ac5-8ed2-a37502c78672|Medium|Resource Management|Service account should not have improper privileges like admin, editor, owner, or write roles|Documentation
|
|High Google KMS Crypto Key Rotation Period
d8c57c4e-bf6f-4e32-a2bf-8643532de77b|Medium|Secret Management|KMS encryption keys should be rotated every 90 days or less. A short lifetime of encryption keys reduces the potential blast radius in case of compromise.|Documentation
|
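Review bot: the re-added Serial Ports line (97fa667a) is copied verbatim, but since it is being touched, the description's "anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone" undersells the risk in a confusing way (someone holding the SSH key is hardly "anyone"); the point of the check is that the serial console is reachable over the Internet without IP-based firewall restrictions, which is also why Networking and Firewall is the better category. Suggest rewording to state that the serial console is reachable from the public Internet without network restrictions, and, like the neighbouring entries (e.g. 'can_ip_forward'), name the attribute the query inspects.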
@@ -529,7 +529,7 @@ Bellow are listed queries related with Terraform AWS:
|Role With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ee49557d-750c-4cc1-aa95-94ab36cbefde|Medium|Access Control|Role with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
|
|Group With Privilege Escalation By Actions 'iam:PutUserPolicy'
60263b4a-6801-4587-911d-919c37ed733b|Medium|Access Control|Group with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
|
|Auto Scaling Group With No Associated ELB
8e94dced-9bcc-4203-8eb7-7e41202b2505|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty.|Documentation
|
-|ElastiCache Nodes Not Created Across Multi AZ
6db03a91-f933-4f13-ab38-a8b87a7de54d|Medium|Availability|ElastiCache Nodes should have 'az_mode' set to 'cross-az' in in multi nodes cluster|Documentation
|
+|ElastiCache Nodes Not Created Across Multi AZ
6db03a91-f933-4f13-ab38-a8b87a7de54d|Medium|Availability|ElastiCache Nodes should be created across multi az, which means 'az_mode' should be set to 'cross-az' in multi nodes cluster|Documentation
|
|CMK Is Unusable
7350fa23-dcf7-4938-916d-6a60b0c73b50|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true|Documentation
|
|ECS Service Without Running Tasks
91f16d09-689e-4926-aca7-155157f634ed|Medium|Availability|ECS Service should have at least 1 task running|Documentation
|
|ElastiCache Redis Cluster Without Backup
8fdb08a0-a868-4fdf-9c27-ccab0237f1ab|Medium|Backup|ElastiCache Redis cluster should have 'snapshot_retention_limit' higher than 0|Documentation
|
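Review bot: same grammar issue as the Pulumi copy of this query: "should be created across multi az" and "in multi nodes cluster" in the new 6db03a91 line should read "across multiple Availability Zones" and "in a multi-node cluster". The attribute name correctly differs per provider ('az_mode' here versus 'AZMode' in the Pulumi table), so only the surrounding prose needs aligning across the three files.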
@@ -634,6 +634,7 @@ Bellow are listed queries related with Terraform AWS:
|CDN Configuration Is Missing
1bc367f6-901d-4870-ad0c-71d79762ef52|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination.|Documentation
|
|Lambda IAM InvokeFunction Misconfigured
0ca1017d-3b80-423e-bb9c-6cd5898d34bd|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction'|Documentation
|
|ECR Repository Without Policy
69e7c320-b65d-41bb-be02-d63ecc0bcc9d|Low|Best Practices|ECR Repository should have Policies attached to it|Documentation
|
+|CloudTrail Log Files Not Encrypted With KMS
5d9e3164-9265-470c-9a10-57ae454ac0c7|Low|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail|Documentation
|
|ECR Repository Not Encrypted With CMK
0e32d561-4b5a-4664-a6e3-a3fa85649157|Low|Encryption|ECR repositories should be encrypted with customer-managed keys to meet stricter security and compliance requirements on access control, monitoring, and key rotation|Documentation
|
|ALB Deletion Protection Disabled
afecd1f1-6378-4f7e-bb3b-60c35801fdd4|Low|Insecure Configurations|Application Load Balancer should have deletion protection enabled|Documentation
|
|S3 Bucket Without Ignore Public ACL
4fa66806-0dd9-4f8d-9480-3174d39c7c91|Low|Insecure Configurations|S3 bucket without ignore public ACL|Documentation
|
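Review bot: the added CloudTrail entry (5d9e3164) ends with "to increase security of your CloudTrail", which is vaguer than the other Encryption entries in this block; the ECR line two rows below states the concrete benefit (access control, monitoring, key rotation on the key). Suggest following the page's usual pattern of naming the attribute the query checks, for example "Logs delivered by CloudTrail should be encrypted with a customer-managed KMS key, which means the attribute 'kms_key_id' must be defined" ('kms_key_id' is the aws_cloudtrail argument; confirm it is what the query actually inspects).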
@@ -653,7 +654,6 @@ Bellow are listed queries related with Terraform AWS:
|CloudWatch VPC Changes Alarm Missing
9d0d4512-1959-43a2-a17f-72360ff06d1b|Low|Observability|Ensure a log metric filter and alarm exist for VPC changes|Documentation
|
|CloudWatch Network Gateways Changes Alarm Missing
6b6874fe-4c2f-4eea-8b90-7cceaa4a125e|Low|Observability|Ensure a log metric filter and alarm exist for network gateways changes|Documentation
|
|CloudWatch Route Table Changes Alarm Missing
2285e608-ddbc-47f3-ba54-ce7121e31216|Low|Observability|Ensure a log metric filter and alarm exist for route table changes|Documentation
|
-|CloudTrail Log Files Not Encrypted With KMS
5d9e3164-9265-470c-9a10-57ae454ac0c7|Low|Observability|Logs delivered by CloudTrail should be encrypted using KMS|Documentation
|
|CloudWatch AWS Config Configuration Changes Alarm Missing
5b8d7527-de8e-4114-b9dd-9d988f1f418f|Low|Observability|Ensure a log metric filter and alarm exist for AWS Config configuration changes|Documentation
|
|Lambda Functions Without X-Ray Tracing
8152e0cf-d2f0-47ad-96d5-d003a76eabd1|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_Config.mode' should have the value 'Active'|Documentation
|
|CloudTrail Log File Validation Disabled
52ffcfa6-6c70-4ea6-8376-d828d3961669|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered|Documentation
|
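Review bot: this removal pairs with the addition in the previous hunk, so the query ID 5d9e3164 is preserved and this is a category move from Observability to Encryption, which is the right home for a key-management check; the header counts (-653,7 +654,6) match. Two drive-bys in the unchanged context worth a follow-up: 'tracing_Config.mode' in the Lambda X-Ray line has an odd capital C, and "has not been tampered" in the log file validation line should be "has not been tampered with".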