From 07b528d3a0f958dc2a1ac6daf7480b05573c467f Mon Sep 17 00:00:00 2001 
From: Ruben Silva Date: Thu, 1 Apr 2021 16:27:57 +0100 Subject: [PATCH 01/15] Unifiying queries names categories, and severities & fixing typos (#2671) --- .../metadata.json | 4 +- .../query.rego | 0 .../test/negative.yaml | 0 .../test/positive.yaml | 0 .../test/positive_expected_result.json | 8 +-- .../metadata.json | 2 +- .../ansible/aws/efs_without_kms/metadata.json | 14 ++-- .../metadata.json | 4 +- .../test/positive_expected_result.json | 4 +- .../metadata.json | 2 +- .../metadata.json | 4 +- .../test/positive_expected_result.json | 7 -- .../metadata.json | 0 .../query.rego | 0 .../test/negative.yaml | 0 .../test/positive.yaml | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 2 +- .../query.rego | 0 .../test/negative.yaml | 0 .../test/positive.yaml | 0 .../test/positive_expected_result.json | 7 ++ .../metadata.json | 0 .../query.rego | 0 .../test/negative.yaml | 0 .../test/positive.yaml | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 4 +- .../test/positive_expected_result.json | 6 +- .../metadata.json | 4 +- .../metadata.json | 9 --- .../test/positive_expected_result.json | 12 ---- .../metadata.json | 4 +- .../metadata.json | 9 --- .../test/positive_expected_result.json | 32 ---------- .../metadata.json | 9 +++ .../query.rego | 0 .../test/negative.yaml | 0 .../test/positive.yaml | 0 .../test/positive_expected_result.json | 32 ++++++++++ .../redis_entirely_accessible/metadata.json | 4 +- .../metadata.json | 9 +++ .../query.rego | 0 .../test/negative.yaml | 0 .../test/positive.yaml | 0 .../test/positive_expected_result.json | 12 ++++ .../metadata.json | 0 .../query.rego | 0 .../test/negative1.yaml | 0 .../test/negative2.json | 0 .../test/positive1.yaml | 0 .../test/positive2.json | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.yaml | 0 .../test/negative2.json | 0 .../test/positive1.yaml | 0 .../test/positive2.yaml | 0 .../test/positive3.json | 0 .../test/positive4.json 
| 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.yaml | 0 .../test/negative2.json | 0 .../test/positive1.yaml | 0 .../test/positive2.json | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 2 +- .../metadata.json | 4 +- .../test/positive_expected_result.json | 10 +-- .../metadata.json | 4 +- .../route53_record_undefined/metadata.json | 4 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../query.rego | 0 .../test/negative.json | 0 .../test/negative.yaml | 0 .../test/positive1.json | 0 .../test/positive1.yaml | 0 .../test/positive2.json | 0 .../test/positive2.yaml | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 4 +- .../metadata.json | 2 +- .../metadata.json | 0 .../query.rego | 0 .../test/negative.tf | 0 .../test/positive.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 4 +- .../query.rego | 0 .../test/negative.tf | 0 .../test/positive.tf | 0 .../test/positive_expected_result.json | 2 +- .../aws/efs_without_kms/metadata.json | 9 +++ .../query.rego | 0 .../test/negative.tf | 0 .../test/positive.tf | 0 .../test/positive_expected_result.json | 0 .../aws/efs_without_kms_key_id/metadata.json | 9 --- .../metadata.json | 2 +- .../test/positive_expected_result.json | 2 +- .../metadata.json | 8 +-- .../query.rego | 24 +++---- .../test/negative.tf | 30 +++------ .../test/positive.tf | 64 ++++++------------- .../test/positive_expected_result.json | 6 +- .../metadata.json | 9 +++ .../query.rego | 24 +++++++ .../test/negative.tf | 25 ++++++++ .../test/positive.tf | 51 +++++++++++++++ .../test/positive_expected_result.json | 12 ++++ .../metadata.json | 2 +- .../query.rego | 0 .../test/negative.tf | 0 .../test/positive.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 9 --- .../query.rego | 18 ------ .../test/negative.tf | 13 ---- .../test/positive.tf | 27 -------- .../test/positive_expected_result.json | 12 ---- .../metadata.json | 4 +- 
.../test/positive_expected_result.json | 6 +- .../metadata.json | 4 +- .../metadata.json | 4 +- .../metadata.json | 4 +- .../metadata.json | 9 --- .../test/positive_expected_result.json | 17 ----- .../metadata.json | 4 +- .../test/positive_expected_result.json | 7 -- .../metadata.json | 9 +++ .../query.rego | 0 .../test/negative.tf | 0 .../test/positive.tf | 0 .../test/positive_expected_result.json | 17 +++++ .../public_storage_account/metadata.json | 4 +- .../metadata.json | 2 +- .../query.rego | 0 .../test/negative.tf | 0 .../test/positive.tf | 0 .../test/positive_expected_result.json | 7 ++ .../metadata.json | 4 +- .../metadata.json | 4 +- .../metadata.json | 9 +++ .../query.rego | 0 .../test/negative.tf | 0 .../test/positive.tf | 0 .../test/positive_expected_result.json | 7 ++ .../metadata.json | 9 --- .../test/positive_expected_result.json | 7 -- .../metadata.json | 2 +- 154 files changed, 370 insertions(+), 370 deletions(-) rename assets/queries/ansible/aws/{ebs_volume_encrytpion_disabled => ebs_volume_encryption_disabled}/metadata.json (93%) rename assets/queries/ansible/aws/{ebs_volume_encrytpion_disabled => ebs_volume_encryption_disabled}/query.rego (100%) rename assets/queries/ansible/aws/{ebs_volume_encrytpion_disabled => ebs_volume_encryption_disabled}/test/negative.yaml (100%) rename assets/queries/ansible/aws/{ebs_volume_encrytpion_disabled => ebs_volume_encryption_disabled}/test/positive.yaml (100%) rename assets/queries/ansible/aws/{ebs_volume_encrytpion_disabled => ebs_volume_encryption_disabled}/test/positive_expected_result.json (74%) delete mode 100644 assets/queries/ansible/aws/s3_bucket_acl_allows_read_or_write_to_all_users/test/positive_expected_result.json rename assets/queries/ansible/aws/{all_users_group_gets_read_access => s3_bucket_acl_allows_read_to_all_users}/metadata.json (100%) rename assets/queries/ansible/aws/{all_users_group_gets_read_access => s3_bucket_acl_allows_read_to_all_users}/query.rego (100%) rename 
assets/queries/ansible/aws/{all_users_group_gets_read_access => s3_bucket_acl_allows_read_to_all_users}/test/negative.yaml (100%) rename assets/queries/ansible/aws/{all_users_group_gets_read_access => s3_bucket_acl_allows_read_to_all_users}/test/positive.yaml (100%) rename assets/queries/ansible/aws/{all_users_group_gets_read_access => s3_bucket_acl_allows_read_to_all_users}/test/positive_expected_result.json (100%) rename assets/queries/ansible/aws/{s3_bucket_acl_allows_read_or_write_to_all_users => s3_bucket_allows_writeacp_action_from_all_principals}/metadata.json (88%) rename assets/queries/ansible/aws/{s3_bucket_acl_allows_read_or_write_to_all_users => s3_bucket_allows_writeacp_action_from_all_principals}/query.rego (100%) rename assets/queries/ansible/aws/{s3_bucket_acl_allows_read_or_write_to_all_users => s3_bucket_allows_writeacp_action_from_all_principals}/test/negative.yaml (100%) rename assets/queries/ansible/aws/{s3_bucket_acl_allows_read_or_write_to_all_users => s3_bucket_allows_writeacp_action_from_all_principals}/test/positive.yaml (100%) create mode 100644 assets/queries/ansible/aws/s3_bucket_allows_writeacp_action_from_all_principals/test/positive_expected_result.json rename assets/queries/ansible/aws/{s3_bucket_rules_with_master_key_id_null => s3_bucket_sse_disabled}/metadata.json (100%) rename assets/queries/ansible/aws/{s3_bucket_rules_with_master_key_id_null => s3_bucket_sse_disabled}/query.rego (100%) rename assets/queries/ansible/aws/{s3_bucket_rules_with_master_key_id_null => s3_bucket_sse_disabled}/test/negative.yaml (100%) rename assets/queries/ansible/aws/{s3_bucket_rules_with_master_key_id_null => s3_bucket_sse_disabled}/test/positive.yaml (100%) rename assets/queries/ansible/aws/{s3_bucket_rules_with_master_key_id_null => s3_bucket_sse_disabled}/test/positive_expected_result.json (100%) delete mode 100644 assets/queries/ansible/azure/blob_container_with_public_access/metadata.json delete mode 100644 
assets/queries/ansible/azure/blob_container_with_public_access/test/positive_expected_result.json delete mode 100644 assets/queries/ansible/azure/log_disconnections_is_not_set/metadata.json delete mode 100644 assets/queries/ansible/azure/log_disconnections_is_not_set/test/positive_expected_result.json create mode 100644 assets/queries/ansible/azure/postgresql_log_disconnections_not_set/metadata.json rename assets/queries/ansible/azure/{log_disconnections_is_not_set => postgresql_log_disconnections_not_set}/query.rego (100%) rename assets/queries/ansible/azure/{log_disconnections_is_not_set => postgresql_log_disconnections_not_set}/test/negative.yaml (100%) rename assets/queries/ansible/azure/{log_disconnections_is_not_set => postgresql_log_disconnections_not_set}/test/positive.yaml (100%) create mode 100644 assets/queries/ansible/azure/postgresql_log_disconnections_not_set/test/positive_expected_result.json create mode 100644 assets/queries/ansible/azure/storage_container_is_publicly_accessible/metadata.json rename assets/queries/ansible/azure/{blob_container_with_public_access => storage_container_is_publicly_accessible}/query.rego (100%) rename assets/queries/ansible/azure/{blob_container_with_public_access => storage_container_is_publicly_accessible}/test/negative.yaml (100%) rename assets/queries/ansible/azure/{blob_container_with_public_access => storage_container_is_publicly_accessible}/test/positive.yaml (100%) create mode 100644 assets/queries/ansible/azure/storage_container_is_publicly_accessible/test/positive_expected_result.json rename assets/queries/cloudFormation/{default_security_groups_woth_unrestricted_traffic => default_security_groups_with_unrestricted_traffic}/metadata.json (100%) rename assets/queries/cloudFormation/{default_security_groups_woth_unrestricted_traffic => default_security_groups_with_unrestricted_traffic}/query.rego (100%) rename assets/queries/cloudFormation/{default_security_groups_woth_unrestricted_traffic => 
default_security_groups_with_unrestricted_traffic}/test/negative1.yaml (100%) rename assets/queries/cloudFormation/{default_security_groups_woth_unrestricted_traffic => default_security_groups_with_unrestricted_traffic}/test/negative2.json (100%) rename assets/queries/cloudFormation/{default_security_groups_woth_unrestricted_traffic => default_security_groups_with_unrestricted_traffic}/test/positive1.yaml (100%) rename assets/queries/cloudFormation/{default_security_groups_woth_unrestricted_traffic => default_security_groups_with_unrestricted_traffic}/test/positive2.json (100%) rename assets/queries/cloudFormation/{default_security_groups_woth_unrestricted_traffic => default_security_groups_with_unrestricted_traffic}/test/positive_expected_result.json (100%) rename assets/queries/cloudFormation/{ebs_volume_encrytpion_disabled => ebs_volume_encryption_disabled}/metadata.json (100%) rename assets/queries/cloudFormation/{ebs_volume_encrytpion_disabled => ebs_volume_encryption_disabled}/query.rego (100%) rename assets/queries/cloudFormation/{ebs_volume_encrytpion_disabled => ebs_volume_encryption_disabled}/test/negative1.yaml (100%) rename assets/queries/cloudFormation/{ebs_volume_encrytpion_disabled => ebs_volume_encryption_disabled}/test/negative2.json (100%) rename assets/queries/cloudFormation/{ebs_volume_encrytpion_disabled => ebs_volume_encryption_disabled}/test/positive1.yaml (100%) rename assets/queries/cloudFormation/{ebs_volume_encrytpion_disabled => ebs_volume_encryption_disabled}/test/positive2.yaml (100%) rename assets/queries/cloudFormation/{ebs_volume_encrytpion_disabled => ebs_volume_encryption_disabled}/test/positive3.json (100%) rename assets/queries/cloudFormation/{ebs_volume_encrytpion_disabled => ebs_volume_encryption_disabled}/test/positive4.json (100%) rename assets/queries/cloudFormation/{ebs_volume_encrytpion_disabled => ebs_volume_encryption_disabled}/test/positive_expected_result.json (100%) rename 
assets/queries/cloudFormation/{efs_not_encrypted_with_kms_cmk => efs_without_kms}/metadata.json (100%) rename assets/queries/cloudFormation/{efs_not_encrypted_with_kms_cmk => efs_without_kms}/query.rego (100%) rename assets/queries/cloudFormation/{efs_not_encrypted_with_kms_cmk => efs_without_kms}/test/negative1.yaml (100%) rename assets/queries/cloudFormation/{efs_not_encrypted_with_kms_cmk => efs_without_kms}/test/negative2.json (100%) rename assets/queries/cloudFormation/{efs_not_encrypted_with_kms_cmk => efs_without_kms}/test/positive1.yaml (100%) rename assets/queries/cloudFormation/{efs_not_encrypted_with_kms_cmk => efs_without_kms}/test/positive2.json (100%) rename assets/queries/cloudFormation/{efs_not_encrypted_with_kms_cmk => efs_without_kms}/test/positive_expected_result.json (100%) rename assets/queries/cloudFormation/{s3_bucket_rules_with_master_key_id_null => s3_bucket_sse_disabled}/metadata.json (92%) rename assets/queries/cloudFormation/{s3_bucket_rules_with_master_key_id_null => s3_bucket_sse_disabled}/query.rego (100%) rename assets/queries/cloudFormation/{s3_bucket_rules_with_master_key_id_null => s3_bucket_sse_disabled}/test/negative.json (100%) rename assets/queries/cloudFormation/{s3_bucket_rules_with_master_key_id_null => s3_bucket_sse_disabled}/test/negative.yaml (100%) rename assets/queries/cloudFormation/{s3_bucket_rules_with_master_key_id_null => s3_bucket_sse_disabled}/test/positive1.json (100%) rename assets/queries/cloudFormation/{s3_bucket_rules_with_master_key_id_null => s3_bucket_sse_disabled}/test/positive1.yaml (100%) rename assets/queries/cloudFormation/{s3_bucket_rules_with_master_key_id_null => s3_bucket_sse_disabled}/test/positive2.json (100%) rename assets/queries/cloudFormation/{s3_bucket_rules_with_master_key_id_null => s3_bucket_sse_disabled}/test/positive2.yaml (100%) rename assets/queries/cloudFormation/{s3_bucket_rules_with_master_key_id_null => s3_bucket_sse_disabled}/test/positive_expected_result.json (100%) rename 
assets/queries/terraform/aws/{default_security_groups_woth_unrestricted_traffic => default_security_groups_with_unrestricted_traffic}/metadata.json (100%) rename assets/queries/terraform/aws/{default_security_groups_woth_unrestricted_traffic => default_security_groups_with_unrestricted_traffic}/query.rego (100%) rename assets/queries/terraform/aws/{default_security_groups_woth_unrestricted_traffic => default_security_groups_with_unrestricted_traffic}/test/negative.tf (100%) rename assets/queries/terraform/aws/{default_security_groups_woth_unrestricted_traffic => default_security_groups_with_unrestricted_traffic}/test/positive.tf (100%) rename assets/queries/terraform/aws/{default_security_groups_woth_unrestricted_traffic => default_security_groups_with_unrestricted_traffic}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{ebs_volume_encrytpion_disabled => ebs_volume_encryption_disabled}/metadata.json (93%) rename assets/queries/terraform/aws/{ebs_volume_encrytpion_disabled => ebs_volume_encryption_disabled}/query.rego (100%) rename assets/queries/terraform/aws/{ebs_volume_encrytpion_disabled => ebs_volume_encryption_disabled}/test/negative.tf (100%) rename assets/queries/terraform/aws/{ebs_volume_encrytpion_disabled => ebs_volume_encryption_disabled}/test/positive.tf (100%) rename assets/queries/terraform/aws/{ebs_volume_encrytpion_disabled => ebs_volume_encryption_disabled}/test/positive_expected_result.json (74%) create mode 100644 assets/queries/terraform/aws/efs_without_kms/metadata.json rename assets/queries/terraform/aws/{efs_without_kms_key_id => efs_without_kms}/query.rego (100%) rename assets/queries/terraform/aws/{efs_without_kms_key_id => efs_without_kms}/test/negative.tf (100%) rename assets/queries/terraform/aws/{efs_without_kms_key_id => efs_without_kms}/test/positive.tf (100%) rename assets/queries/terraform/aws/{efs_without_kms_key_id => efs_without_kms}/test/positive_expected_result.json (100%) delete mode 100644 
assets/queries/terraform/aws/efs_without_kms_key_id/metadata.json create mode 100644 assets/queries/terraform/aws/s3_bucket_allows_writeacp_action_from_all_principals/metadata.json create mode 100644 assets/queries/terraform/aws/s3_bucket_allows_writeacp_action_from_all_principals/query.rego create mode 100644 assets/queries/terraform/aws/s3_bucket_allows_writeacp_action_from_all_principals/test/negative.tf create mode 100644 assets/queries/terraform/aws/s3_bucket_allows_writeacp_action_from_all_principals/test/positive.tf create mode 100644 assets/queries/terraform/aws/s3_bucket_allows_writeacp_action_from_all_principals/test/positive_expected_result.json rename assets/queries/terraform/aws/{s3_bucket_rules_with_master_key_id_null => s3_bucket_sse_disabled}/metadata.json (91%) rename assets/queries/terraform/aws/{s3_bucket_rules_with_master_key_id_null => s3_bucket_sse_disabled}/query.rego (100%) rename assets/queries/terraform/aws/{s3_bucket_rules_with_master_key_id_null => s3_bucket_sse_disabled}/test/negative.tf (100%) rename assets/queries/terraform/aws/{s3_bucket_rules_with_master_key_id_null => s3_bucket_sse_disabled}/test/positive.tf (100%) rename assets/queries/terraform/aws/{s3_bucket_rules_with_master_key_id_null => s3_bucket_sse_disabled}/test/positive_expected_result.json (100%) delete mode 100644 assets/queries/terraform/aws/s3_bucket_with_public_rw_access/metadata.json delete mode 100644 assets/queries/terraform/aws/s3_bucket_with_public_rw_access/query.rego delete mode 100644 assets/queries/terraform/aws/s3_bucket_with_public_rw_access/test/negative.tf delete mode 100644 assets/queries/terraform/aws/s3_bucket_with_public_rw_access/test/positive.tf delete mode 100644 assets/queries/terraform/aws/s3_bucket_with_public_rw_access/test/positive_expected_result.json delete mode 100644 assets/queries/terraform/azure/log_disconnections_is_not_set/metadata.json delete mode 100644 
assets/queries/terraform/azure/log_disconnections_is_not_set/test/positive_expected_result.json delete mode 100644 assets/queries/terraform/azure/postgre_sql_db_server_log_retention_is_low/test/positive_expected_result.json create mode 100644 assets/queries/terraform/azure/postgresql_log_disconnections_not_set/metadata.json rename assets/queries/terraform/azure/{log_disconnections_is_not_set => postgresql_log_disconnections_not_set}/query.rego (100%) rename assets/queries/terraform/azure/{log_disconnections_is_not_set => postgresql_log_disconnections_not_set}/test/negative.tf (100%) rename assets/queries/terraform/azure/{log_disconnections_is_not_set => postgresql_log_disconnections_not_set}/test/positive.tf (100%) create mode 100644 assets/queries/terraform/azure/postgresql_log_disconnections_not_set/test/positive_expected_result.json rename assets/queries/terraform/azure/{postgre_sql_db_server_log_retention_is_low => small_postgresql_db_server_log_retention_period}/metadata.json (84%) rename assets/queries/terraform/azure/{postgre_sql_db_server_log_retention_is_low => small_postgresql_db_server_log_retention_period}/query.rego (100%) rename assets/queries/terraform/azure/{postgre_sql_db_server_log_retention_is_low => small_postgresql_db_server_log_retention_period}/test/negative.tf (100%) rename assets/queries/terraform/azure/{postgre_sql_db_server_log_retention_is_low => small_postgresql_db_server_log_retention_period}/test/positive.tf (100%) create mode 100644 assets/queries/terraform/azure/small_postgresql_db_server_log_retention_period/test/positive_expected_result.json create mode 100644 assets/queries/terraform/azure/storage_container_is_publicly_accessible/metadata.json rename assets/queries/terraform/azure/{storage_container_with_public_access => storage_container_is_publicly_accessible}/query.rego (100%) rename assets/queries/terraform/azure/{storage_container_with_public_access => storage_container_is_publicly_accessible}/test/negative.tf (100%) rename 
assets/queries/terraform/azure/{storage_container_with_public_access => storage_container_is_publicly_accessible}/test/positive.tf (100%)
 create mode 100644 assets/queries/terraform/azure/storage_container_is_publicly_accessible/test/positive_expected_result.json
 delete mode 100644 assets/queries/terraform/azure/storage_container_with_public_access/metadata.json
 delete mode 100644 assets/queries/terraform/azure/storage_container_with_public_access/test/positive_expected_result.json
diff --git a/assets/queries/ansible/aws/ebs_volume_encrytpion_disabled/metadata.json b/assets/queries/ansible/aws/ebs_volume_encryption_disabled/metadata.json
similarity index 93%
rename from assets/queries/ansible/aws/ebs_volume_encrytpion_disabled/metadata.json
rename to assets/queries/ansible/aws/ebs_volume_encryption_disabled/metadata.json
index 10af6de962c..9d862c24e5d 100644
--- a/assets/queries/ansible/aws/ebs_volume_encrytpion_disabled/metadata.json
+++ b/assets/queries/ansible/aws/ebs_volume_encryption_disabled/metadata.json
@@ -1,9 +1,9 @@
 {
  "id": "4b6012e7-7176-46e4-8108-e441785eae57",
  "queryName": "EBS Volume Encryption Disabled",
- "severity": "HIGH",
+ "severity": "MEDIUM",
  "category": "Encryption",
  "descriptionText": "EBS Encryption should be enabled",
  "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_vol_module.html#parameter-encrypted",
  "platform": "Ansible"
-}
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/ebs_volume_encrytpion_disabled/query.rego b/assets/queries/ansible/aws/ebs_volume_encryption_disabled/query.rego
similarity index 100%
rename from assets/queries/ansible/aws/ebs_volume_encrytpion_disabled/query.rego
rename to assets/queries/ansible/aws/ebs_volume_encryption_disabled/query.rego
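Review bot: The new side of the ebs_volume_encryption_disabled/metadata.json hunk drops the file's trailing newline (`-}` / `+} \ No newline at end of file`) while the efs_without_kms/metadata.json hunk in this same patch keeps its closing `}` line untouched, so the query metadata files end up inconsistent and any editor that restores the newline will produce churn on the next commit; keep the original `}` plus newline here and in the other metadata and expected-result files in this patch that show the same marker. The severity drop from HIGH to MEDIUM for an unencrypted EBS volume is presumably meant to align the Ansible query with the Terraform and CloudFormation variants, but nothing in the metadata records that rationale; a one-line note in the description, or a CI check that the platform variants of 'EBS Volume Encryption Disabled' carry the same `severity`, would stop them drifting apart again.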
diff --git a/assets/queries/ansible/aws/ebs_volume_encrytpion_disabled/test/negative.yaml b/assets/queries/ansible/aws/ebs_volume_encryption_disabled/test/negative.yaml
similarity index 100%
rename from assets/queries/ansible/aws/ebs_volume_encrytpion_disabled/test/negative.yaml
rename to assets/queries/ansible/aws/ebs_volume_encryption_disabled/test/negative.yaml
diff --git a/assets/queries/ansible/aws/ebs_volume_encrytpion_disabled/test/positive.yaml b/assets/queries/ansible/aws/ebs_volume_encryption_disabled/test/positive.yaml
similarity index 100%
rename from assets/queries/ansible/aws/ebs_volume_encrytpion_disabled/test/positive.yaml
rename to assets/queries/ansible/aws/ebs_volume_encryption_disabled/test/positive.yaml
diff --git a/assets/queries/ansible/aws/ebs_volume_encrytpion_disabled/test/positive_expected_result.json b/assets/queries/ansible/aws/ebs_volume_encryption_disabled/test/positive_expected_result.json
similarity index 74%
rename from assets/queries/ansible/aws/ebs_volume_encrytpion_disabled/test/positive_expected_result.json
rename to assets/queries/ansible/aws/ebs_volume_encryption_disabled/test/positive_expected_result.json
index 3f1e6f0782c..24de78277b0 100644
--- a/assets/queries/ansible/aws/ebs_volume_encrytpion_disabled/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/ebs_volume_encryption_disabled/test/positive_expected_result.json
@@ -1,22 +1,22 @@
 [
  {
  "queryName": "EBS Volume Encryption Disabled",
- "severity": "HIGH",
+ "severity": "MEDIUM",
  "line": 5
  },
  {
  "queryName": "EBS Volume Encryption Disabled",
- "severity": "HIGH",
+ "severity": "MEDIUM",
  "line": 12
  },
  {
  "queryName": "EBS Volume Encryption Disabled",
- "severity": "HIGH",
+ "severity": "MEDIUM",
  "line": 19
  },
  {
  "queryName": "EBS Volume Encryption Disabled",
- "severity": "HIGH",
+ "severity": "MEDIUM",
  "line": 24
  }
 ]
diff --git a/assets/queries/ansible/aws/ecs_task_definition_network_mode_not_recommended/metadata.json b/assets/queries/ansible/aws/ecs_task_definition_network_mode_not_recommended/metadata.json
index 51ab4d85208..b52aef28480 100644
--- a/assets/queries/ansible/aws/ecs_task_definition_network_mode_not_recommended/metadata.json
+++ b/assets/queries/ansible/aws/ecs_task_definition_network_mode_not_recommended/metadata.json
@@ -2,7 +2,7 @@
  "id": "01aec7c2-3e4d-4274-ae47-2b8fea22fd1f",
  "queryName": "ECS Task Definition Network Mode Not Recommended",
  "severity": "HIGH",
- "category": "Access Control",
+ "category": "Insecure Configurations",
  "descriptionText": "Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations",
  "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/ecs_taskdefinition_module.html#parameter-network_mode",
  "platform": "Ansible"
diff --git a/assets/queries/ansible/aws/efs_without_kms/metadata.json b/assets/queries/ansible/aws/efs_without_kms/metadata.json
index 98e70229d7c..21e643423c7 100644
--- a/assets/queries/ansible/aws/efs_without_kms/metadata.json
+++ b/assets/queries/ansible/aws/efs_without_kms/metadata.json
@@ -1,9 +1,9 @@
 {
- "id": "bd77554e-f138-40c5-91b2-2a09f878608e",
- "queryName": "EFS Without KMS",
- "severity": "HIGH",
- "category": "Secret Management",
- "descriptionText": "Elastic File System (EFS) must have KMS Key ID",
- "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/efs_module.html#parameter-kms_key_id",
- "platform": "Ansible"
+ "id": "bd77554e-f138-40c5-91b2-2a09f878608e",
+ "queryName": "EFS Without KMS",
+ "severity": "HIGH",
+ "category": "Encryption",
+ "descriptionText": "Elastic File System (EFS) must have KMS Key ID",
+ "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/efs_module.html#parameter-kms_key_id",
+ "platform": "Ansible"
 }
diff --git a/assets/queries/ansible/aws/iam_policies_with_full_privileges/metadata.json b/assets/queries/ansible/aws/iam_policies_with_full_privileges/metadata.json
index ffb30cbf178..c4fddf10313 100644
--- a/assets/queries/ansible/aws/iam_policies_with_full_privileges/metadata.json
+++ b/assets/queries/ansible/aws/iam_policies_with_full_privileges/metadata.json
@@ -1,9 +1,9 @@
 {
  "id": "e401d614-8026-4f4b-9af9-75d1197461ba",
  "queryName": "IAM Policies With Full Privileges",
- "severity": "MEDIUM",
+ "severity": "HIGH",
  "category": "Access Control",
  "descriptionText": "IAM policies that allow full administrative privileges (for all resources)",
  "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/iam_managed_policy_module.html",
  "platform": "Ansible"
-}
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/iam_policies_with_full_privileges/test/positive_expected_result.json b/assets/queries/ansible/aws/iam_policies_with_full_privileges/test/positive_expected_result.json
index 241278eade3..ccdf2b233bc 100644
--- a/assets/queries/ansible/aws/iam_policies_with_full_privileges/test/positive_expected_result.json
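Review bot: Every line of efs_without_kms/metadata.json is removed and re-added in the `@@ -1,9 +1,9 @@` hunk although the only visible change is `"category": "Secret Management"` becoming `"category": "Encryption"`, which means an indentation or line-ending change is bundled in that this view cannot show, and the diffstat (`14 ++--`) counts it as seven edited lines instead of one. Putting the whitespace normalisation in its own commit, or at least naming it in the description, keeps the single semantic change reviewable and keeps `git blame` on the other six lines pointing at their real origin. If it is a tab-to-space or indent-width conversion, the same formatting should be applied to the sibling metadata files in this patch so the repository ends up with one JSON style rather than one reformatted file.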
+++ b/assets/queries/ansible/aws/iam_policies_with_full_privileges/test/positive_expected_result.json
@@ -1,7 +1,7 @@
 [
  {
  "queryName": "IAM Policies With Full Privileges",
- "severity": "MEDIUM",
+ "severity": "HIGH",
  "line": 8
  }
-]
+]
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/kinesis_not_encrypted_with_kms/metadata.json b/assets/queries/ansible/aws/kinesis_not_encrypted_with_kms/metadata.json
index d64664c4909..fe230ec29d1 100644
--- a/assets/queries/ansible/aws/kinesis_not_encrypted_with_kms/metadata.json
+++ b/assets/queries/ansible/aws/kinesis_not_encrypted_with_kms/metadata.json
@@ -2,7 +2,7 @@
  "id": "f2ea6481-1d31-4d40-946a-520dc6321dd7",
  "queryName": "Kinesis Not Encrypted With KMS",
  "severity": "HIGH",
- "category": "Secret Management",
+ "category": "Encryption",
  "descriptionText": "AWS Kinesis Streams and metadata should be protected with KMS",
  "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/kinesis_stream_module.html",
  "platform": "Ansible"
diff --git a/assets/queries/ansible/aws/kms_key_with_vulnerable_policy/metadata.json b/assets/queries/ansible/aws/kms_key_with_vulnerable_policy/metadata.json
index 4036ed9a11c..9daee80048a 100644
--- a/assets/queries/ansible/aws/kms_key_with_vulnerable_policy/metadata.json
+++ b/assets/queries/ansible/aws/kms_key_with_vulnerable_policy/metadata.json
@@ -2,8 +2,8 @@
  "id": "5b9d237a-57d5-4177-be0e-71434b0fef47",
  "queryName": "KMS Key With Vulnerable Policy",
  "severity": "HIGH",
- "category": "Networking and Firewall",
+ "category": "Insecure Configurations",
  "descriptionText": "Checks if the policy is vulnerable and needs updating.",
  "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/aws_kms_module.html",
  "platform": "Ansible"
-}
+}
\ No newline at end of file
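Review bot: `descriptionText` in kms_key_with_vulnerable_policy/metadata.json still reads `Checks if the policy is vulnerable and needs updating.`, which tells the person triaging a HIGH finding nothing about which condition is flagged or what to change, even though this hunk re-files the query under 'Insecure Configurations' and the sibling entries in the patch (EFS, Kinesis, WriteACP) each state the concrete condition. Replace it with the condition the rego actually evaluates, in the "X should/must not Y" form used elsewhere; the query.rego is not part of this patch, so the exact wording has to be taken from there rather than guessed. The category move itself looks right — 'Networking and Firewall' had nothing to do with a key policy.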
diff --git a/assets/queries/ansible/aws/s3_bucket_acl_allows_read_or_write_to_all_users/test/positive_expected_result.json b/assets/queries/ansible/aws/s3_bucket_acl_allows_read_or_write_to_all_users/test/positive_expected_result.json
deleted file mode 100644
index 19bbbb4133b..00000000000
--- a/assets/queries/ansible/aws/s3_bucket_acl_allows_read_or_write_to_all_users/test/positive_expected_result.json
+++ /dev/null
@@ -1,7 +0,0 @@
-[
- {
- "queryName": "S3 Bucket ACL Allows Read Or Write to All Users",
- "severity": "HIGH",
- "line": 8
- }
-]
diff --git a/assets/queries/ansible/aws/all_users_group_gets_read_access/metadata.json b/assets/queries/ansible/aws/s3_bucket_acl_allows_read_to_all_users/metadata.json
similarity index 100%
rename from assets/queries/ansible/aws/all_users_group_gets_read_access/metadata.json
rename to assets/queries/ansible/aws/s3_bucket_acl_allows_read_to_all_users/metadata.json
diff --git a/assets/queries/ansible/aws/all_users_group_gets_read_access/query.rego b/assets/queries/ansible/aws/s3_bucket_acl_allows_read_to_all_users/query.rego
similarity index 100%
rename from assets/queries/ansible/aws/all_users_group_gets_read_access/query.rego
rename to assets/queries/ansible/aws/s3_bucket_acl_allows_read_to_all_users/query.rego
diff --git a/assets/queries/ansible/aws/all_users_group_gets_read_access/test/negative.yaml b/assets/queries/ansible/aws/s3_bucket_acl_allows_read_to_all_users/test/negative.yaml
similarity index 100%
rename from assets/queries/ansible/aws/all_users_group_gets_read_access/test/negative.yaml
rename to assets/queries/ansible/aws/s3_bucket_acl_allows_read_to_all_users/test/negative.yaml
diff --git a/assets/queries/ansible/aws/all_users_group_gets_read_access/test/positive.yaml b/assets/queries/ansible/aws/s3_bucket_acl_allows_read_to_all_users/test/positive.yaml similarity index 100% rename from assets/queries/ansible/aws/all_users_group_gets_read_access/test/positive.yaml rename to assets/queries/ansible/aws/s3_bucket_acl_allows_read_to_all_users/test/positive.yaml diff --git a/assets/queries/ansible/aws/all_users_group_gets_read_access/test/positive_expected_result.json b/assets/queries/ansible/aws/s3_bucket_acl_allows_read_to_all_users/test/positive_expected_result.json similarity index 100% rename from assets/queries/ansible/aws/all_users_group_gets_read_access/test/positive_expected_result.json rename to assets/queries/ansible/aws/s3_bucket_acl_allows_read_to_all_users/test/positive_expected_result.json diff --git a/assets/queries/ansible/aws/s3_bucket_acl_allows_read_or_write_to_all_users/metadata.json b/assets/queries/ansible/aws/s3_bucket_allows_writeacp_action_from_all_principals/metadata.json similarity index 88% rename from assets/queries/ansible/aws/s3_bucket_acl_allows_read_or_write_to_all_users/metadata.json rename to assets/queries/ansible/aws/s3_bucket_allows_writeacp_action_from_all_principals/metadata.json index c814cab9d59..3ac70ee3b2f 100644 --- a/assets/queries/ansible/aws/s3_bucket_acl_allows_read_or_write_to_all_users/metadata.json +++ b/assets/queries/ansible/aws/s3_bucket_allows_writeacp_action_from_all_principals/metadata.json 
@@ -1,6 +1,6 @@
 {
 "id": "7529b8d2-55d7-44d2-b1cd-d7d2984a2a81",
- "queryName": "S3 Bucket ACL Allows Read Or Write to All Users",
+ "queryName": "S3 Bucket Allows WriteACP Action From All Principals",
 "severity": "HIGH",
 "category": "Access Control",
 "descriptionText": "S3 Buckets must not allow Write_ACP Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Write_ACP, for all Principals.",
diff --git a/assets/queries/ansible/aws/s3_bucket_acl_allows_read_or_write_to_all_users/query.rego b/assets/queries/ansible/aws/s3_bucket_allows_writeacp_action_from_all_principals/query.rego
similarity index 100%
rename from assets/queries/ansible/aws/s3_bucket_acl_allows_read_or_write_to_all_users/query.rego
rename to assets/queries/ansible/aws/s3_bucket_allows_writeacp_action_from_all_principals/query.rego
diff --git a/assets/queries/ansible/aws/s3_bucket_acl_allows_read_or_write_to_all_users/test/negative.yaml b/assets/queries/ansible/aws/s3_bucket_allows_writeacp_action_from_all_principals/test/negative.yaml
similarity index 100%
rename from assets/queries/ansible/aws/s3_bucket_acl_allows_read_or_write_to_all_users/test/negative.yaml
rename to assets/queries/ansible/aws/s3_bucket_allows_writeacp_action_from_all_principals/test/negative.yaml
diff --git a/assets/queries/ansible/aws/s3_bucket_acl_allows_read_or_write_to_all_users/test/positive.yaml b/assets/queries/ansible/aws/s3_bucket_allows_writeacp_action_from_all_principals/test/positive.yaml
similarity index 100%
rename from assets/queries/ansible/aws/s3_bucket_acl_allows_read_or_write_to_all_users/test/positive.yaml
rename to assets/queries/ansible/aws/s3_bucket_allows_writeacp_action_from_all_principals/test/positive.yaml
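Review bot: The new queryName spells the permission `WriteACP` while the unchanged descriptionText two lines below spells it `Write_ACP` (twice); queryName is the string the expected-result fixtures and consumers match on, so the two fields should use one spelling. The S3 ACL permission is documented by AWS as WRITE_ACP, which argues for the underscore form, e.g. `"queryName": "S3 Bucket Allows Write_ACP Action From All Principals"`, or alternatively editing the description to say WriteACP; whichever is chosen must be mirrored into the new positive_expected_result.json added for this query. Keeping the original id across the rename is the right call, since it preserves the link between prior results and this query.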
diff --git a/assets/queries/ansible/aws/s3_bucket_allows_writeacp_action_from_all_principals/test/positive_expected_result.json b/assets/queries/ansible/aws/s3_bucket_allows_writeacp_action_from_all_principals/test/positive_expected_result.json
new file mode 100644
index 00000000000..63c99d80380
--- /dev/null
+++ b/assets/queries/ansible/aws/s3_bucket_allows_writeacp_action_from_all_principals/test/positive_expected_result.json
@@ -0,0 +1,7 @@
+[
+ {
+ "queryName": "S3 Bucket Allows WriteACP Action From All Principals",
+ "severity": "HIGH",
+ "line": 8
+ }
+]
diff --git a/assets/queries/ansible/aws/s3_bucket_rules_with_master_key_id_null/metadata.json b/assets/queries/ansible/aws/s3_bucket_sse_disabled/metadata.json
similarity index 100%
rename from assets/queries/ansible/aws/s3_bucket_rules_with_master_key_id_null/metadata.json
rename to assets/queries/ansible/aws/s3_bucket_sse_disabled/metadata.json
diff --git a/assets/queries/ansible/aws/s3_bucket_rules_with_master_key_id_null/query.rego b/assets/queries/ansible/aws/s3_bucket_sse_disabled/query.rego
similarity index 100%
rename from assets/queries/ansible/aws/s3_bucket_rules_with_master_key_id_null/query.rego
rename to assets/queries/ansible/aws/s3_bucket_sse_disabled/query.rego
diff --git a/assets/queries/ansible/aws/s3_bucket_rules_with_master_key_id_null/test/negative.yaml b/assets/queries/ansible/aws/s3_bucket_sse_disabled/test/negative.yaml
similarity index 100%
rename from assets/queries/ansible/aws/s3_bucket_rules_with_master_key_id_null/test/negative.yaml
rename to assets/queries/ansible/aws/s3_bucket_sse_disabled/test/negative.yaml
diff --git a/assets/queries/ansible/aws/s3_bucket_rules_with_master_key_id_null/test/positive.yaml b/assets/queries/ansible/aws/s3_bucket_sse_disabled/test/positive.yaml
similarity index 100%
rename from assets/queries/ansible/aws/s3_bucket_rules_with_master_key_id_null/test/positive.yaml
rename to assets/queries/ansible/aws/s3_bucket_sse_disabled/test/positive.yaml
diff --git a/assets/queries/ansible/aws/s3_bucket_rules_with_master_key_id_null/test/positive_expected_result.json b/assets/queries/ansible/aws/s3_bucket_sse_disabled/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/ansible/aws/s3_bucket_rules_with_master_key_id_null/test/positive_expected_result.json
rename to assets/queries/ansible/aws/s3_bucket_sse_disabled/test/positive_expected_result.json
diff --git a/assets/queries/ansible/aws/s3_bucket_without_versioning/metadata.json b/assets/queries/ansible/aws/s3_bucket_without_versioning/metadata.json
index 98ede0d9a3b..b185fb9d4a7 100644
--- a/assets/queries/ansible/aws/s3_bucket_without_versioning/metadata.json
+++ b/assets/queries/ansible/aws/s3_bucket_without_versioning/metadata.json
@@ -1,9 +1,9 @@
 {
 "id": "9232306a-f839-40aa-b3ef-b352001da9a5",
 "queryName": "S3 Bucket Without Versioning",
- "severity": "HIGH",
+ "severity": "MEDIUM",
 "category": "Observability",
 "descriptionText": "S3 bucket without versioning",
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/amazon/aws/s3_bucket_module.html#parameter-versioning",
 "platform": "Ansible"
-}
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/aws/s3_bucket_without_versioning/test/positive_expected_result.json b/assets/queries/ansible/aws/s3_bucket_without_versioning/test/positive_expected_result.json
index 32236a1d1af..86a263a630f 100644
--- a/assets/queries/ansible/aws/s3_bucket_without_versioning/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/s3_bucket_without_versioning/test/positive_expected_result.json
@@ -1,12 +1,12 @@
 [
 {
 "queryName": "S3 Bucket Without Versioning",
- "severity": "HIGH",
+ "severity": "MEDIUM",
 "line": 3
 },
 {
 "queryName": "S3 Bucket Without Versioning",
- "severity": "HIGH",
+ "severity": "MEDIUM",
 "line": 15
 }
-]
+]
\ No newline at end of file
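Review bot: The rewritten closing bracket lines in s3_bucket_without_versioning/metadata.json and its positive_expected_result.json drop the file's final newline (`+}` / `+]` followed by `\ No newline at end of file`), while the files this patch creates elsewhere keep one. The same regression appears in the hunks for ad_admin_not_configured_for_sql_server, firewall_rule_allows_too_many_hosts_to_access_redis_cache, redis_entirely_accessible, redshift_publicly_accessible (both files), root_account_has_active_access_keys and route53_record_undefined. Restoring the trailing newline keeps the query assets consistent with the rest of the tree and stops every later edit to these files from re-diffing their last line. The severity change itself is applied consistently to metadata.json and the expected-result fixture.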
diff --git a/assets/queries/ansible/azure/ad_admin_not_configured_for_sql_server/metadata.json b/assets/queries/ansible/azure/ad_admin_not_configured_for_sql_server/metadata.json
index 7de58f87dee..c83bf842d9c 100644
--- a/assets/queries/ansible/azure/ad_admin_not_configured_for_sql_server/metadata.json
+++ b/assets/queries/ansible/azure/ad_admin_not_configured_for_sql_server/metadata.json
@@ -2,8 +2,8 @@
 "id": "b176e927-bbe2-44a6-a9c3-041417137e5f",
 "queryName": "AD Admin Not Configured For SQL Server",
 "severity": "HIGH",
- "category": "Access Control",
+ "category": "Insecure Configurations",
 "descriptionText": "The Active Directory Administrator is not configured for a SQL server",
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_sqlserver_module.html#parameter-ad_user",
 "platform": "Ansible"
-}
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/azure/blob_container_with_public_access/metadata.json b/assets/queries/ansible/azure/blob_container_with_public_access/metadata.json
deleted file mode 100644
index 3e14f6f4f02..00000000000
--- a/assets/queries/ansible/azure/blob_container_with_public_access/metadata.json
+++ /dev/null
@@ -1,9 +0,0 @@
-{
- "id": "4d3817db-dd35-4de4-a80d-3867157e7f7f",
- "queryName": "Blob Container With Public Access",
- "severity": "HIGH",
- "category": "Access Control",
- "descriptionText": "Anonymous, public read access to a container and its blobs are enabled in Azure Blob Storage",
- "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_storageblob_module.html#parameter-public_access",
- "platform": "Ansible"
-}
diff --git a/assets/queries/ansible/azure/blob_container_with_public_access/test/positive_expected_result.json b/assets/queries/ansible/azure/blob_container_with_public_access/test/positive_expected_result.json
deleted file mode 100644
index 4180ef92322..00000000000
--- a/assets/queries/ansible/azure/blob_container_with_public_access/test/positive_expected_result.json
+++ /dev/null
@@ -1,12 +0,0 @@
-[
- {
- "queryName": "Blob Container With Public Access",
- "severity": "HIGH",
- "line": 9
- },
- {
- "queryName": "Blob Container With Public Access",
- "severity": "HIGH",
- "line": 17
- }
-]
diff --git a/assets/queries/ansible/azure/firewall_rule_allows_too_many_hosts_to_access_redis_cache/metadata.json b/assets/queries/ansible/azure/firewall_rule_allows_too_many_hosts_to_access_redis_cache/metadata.json
index aee2b0228a0..369c5ac16e3 100644
--- a/assets/queries/ansible/azure/firewall_rule_allows_too_many_hosts_to_access_redis_cache/metadata.json
+++ b/assets/queries/ansible/azure/firewall_rule_allows_too_many_hosts_to_access_redis_cache/metadata.json
@@ -2,8 +2,8 @@
 "id": "69f72007-502e-457b-bd2d-5012e31ac049",
 "queryName": "Firewall Rule Allows Too Many Hosts To Access Redis Cache",
 "severity": "MEDIUM",
- "category": "Access Control",
+ "category": "Networking and Firewall",
 "descriptionText": "Check if any firewall rule allows too many hosts to access Redis Cache.",
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_rediscachefirewallrule_module.html",
 "platform": "Ansible"
-}
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/azure/log_disconnections_is_not_set/metadata.json b/assets/queries/ansible/azure/log_disconnections_is_not_set/metadata.json
deleted file mode 100644
index 19005eb3753..00000000000
--- a/assets/queries/ansible/azure/log_disconnections_is_not_set/metadata.json
+++ /dev/null
@@ -1,9 +0,0 @@
-{
- "id": "054d07b5-941b-4c28-8eef-18989dc62323",
- "queryName": "Log Disconnections Is Not Set",
- "severity": "MEDIUM",
- "category": "Observability",
- "descriptionText": "Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON'",
- "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_postgresqlconfiguration_module.html",
- "platform": "Ansible"
-}
diff --git a/assets/queries/ansible/azure/log_disconnections_is_not_set/test/positive_expected_result.json b/assets/queries/ansible/azure/log_disconnections_is_not_set/test/positive_expected_result.json
deleted file mode 100644
index c8730bf9281..00000000000
--- a/assets/queries/ansible/azure/log_disconnections_is_not_set/test/positive_expected_result.json
+++ /dev/null
@@ -1,32 +0,0 @@
-[
- {
- "queryName": "Log Disconnections Is Not Set",
- "severity": "MEDIUM",
- "line": 7
- },
- {
- "queryName": "Log Disconnections Is Not Set",
- "severity": "MEDIUM",
- "line": 13
- },
- {
- "queryName": "Log Disconnections Is Not Set",
- "severity": "MEDIUM",
- "line": 19
- },
- {
- "queryName": "Log Disconnections Is Not Set",
- "severity": "MEDIUM",
- "line": 25
- },
- {
- "queryName": "Log Disconnections Is Not Set",
- "severity": "MEDIUM",
- "line": 31
- },
- {
- "queryName": "Log Disconnections Is Not Set",
- "severity": "MEDIUM",
- "line": 37
- }
-]
\ No newline at end of file
diff --git a/assets/queries/ansible/azure/postgresql_log_disconnections_not_set/metadata.json b/assets/queries/ansible/azure/postgresql_log_disconnections_not_set/metadata.json
new file mode 100644
index 00000000000..ca2da8f3293
--- /dev/null
+++ b/assets/queries/ansible/azure/postgresql_log_disconnections_not_set/metadata.json
@@ -0,0 +1,9 @@
+{
+ "id": "054d07b5-941b-4c28-8eef-18989dc62323",
+ "queryName": "PostgreSQL Log Disconnections Not Set",
+ "severity": "MEDIUM",
+ "category": "Observability",
+ "descriptionText": "Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON'",
+ "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_postgresqlconfiguration_module.html",
+ "platform": "Ansible"
+}
diff --git a/assets/queries/ansible/azure/log_disconnections_is_not_set/query.rego b/assets/queries/ansible/azure/postgresql_log_disconnections_not_set/query.rego
similarity index 100%
rename from assets/queries/ansible/azure/log_disconnections_is_not_set/query.rego
rename to assets/queries/ansible/azure/postgresql_log_disconnections_not_set/query.rego
diff --git a/assets/queries/ansible/azure/log_disconnections_is_not_set/test/negative.yaml b/assets/queries/ansible/azure/postgresql_log_disconnections_not_set/test/negative.yaml
similarity index 100%
rename from assets/queries/ansible/azure/log_disconnections_is_not_set/test/negative.yaml
rename to assets/queries/ansible/azure/postgresql_log_disconnections_not_set/test/negative.yaml
diff --git a/assets/queries/ansible/azure/log_disconnections_is_not_set/test/positive.yaml b/assets/queries/ansible/azure/postgresql_log_disconnections_not_set/test/positive.yaml
similarity index 100%
rename from assets/queries/ansible/azure/log_disconnections_is_not_set/test/positive.yaml
rename to assets/queries/ansible/azure/postgresql_log_disconnections_not_set/test/positive.yaml
diff --git a/assets/queries/ansible/azure/postgresql_log_disconnections_not_set/test/positive_expected_result.json b/assets/queries/ansible/azure/postgresql_log_disconnections_not_set/test/positive_expected_result.json
new file mode 100644
index 00000000000..d3675e682a1
--- /dev/null
+++ b/assets/queries/ansible/azure/postgresql_log_disconnections_not_set/test/positive_expected_result.json
@@ -0,0 +1,32 @@
+[
+ {
+ "queryName": "PostgreSQL Log Disconnections Not Set",
+ "severity": "MEDIUM",
+ "line": 7
+ },
+ {
+ "queryName": "PostgreSQL Log Disconnections Not Set",
+ "severity": "MEDIUM",
+ "line": 13
+ },
+ {
+ "queryName": "PostgreSQL Log Disconnections Not Set",
+ "severity": "MEDIUM",
+ "line": 19
+ },
+ {
+ "queryName": "PostgreSQL Log Disconnections Not Set",
+ "severity": "MEDIUM",
+ "line": 25
+ },
+ {
+ "queryName": "PostgreSQL Log Disconnections Not Set",
+ "severity": "MEDIUM",
+ "line": 31
+ },
+ {
+ "queryName": "PostgreSQL Log Disconnections Not Set",
+ "severity": "MEDIUM",
+ "line": 37
+ }
+]
diff --git a/assets/queries/ansible/azure/redis_entirely_accessible/metadata.json b/assets/queries/ansible/azure/redis_entirely_accessible/metadata.json
index 9ea7bd45270..80dba318f35 100644
--- a/assets/queries/ansible/azure/redis_entirely_accessible/metadata.json
+++ b/assets/queries/ansible/azure/redis_entirely_accessible/metadata.json
@@ -2,8 +2,8 @@
 "id": "0d0c12b9-edce-4510-9065-13f6a758750c",
 "queryName": "Redis Entirely Accessible",
 "severity": "HIGH",
- "category": "Access Control",
+ "category": "Networking and Firewall",
 "descriptionText": "Firewall rule allowing unrestricted access to Redis from the Internet",
 "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_rediscachefirewallrule_module.html#parameter-start_ip_address",
 "platform": "Ansible"
-}
+}
\ No newline at end of file
diff --git a/assets/queries/ansible/azure/storage_container_is_publicly_accessible/metadata.json b/assets/queries/ansible/azure/storage_container_is_publicly_accessible/metadata.json
new file mode 100644
index 00000000000..96d823245e5
--- /dev/null
+++ b/assets/queries/ansible/azure/storage_container_is_publicly_accessible/metadata.json
@@ -0,0 +1,9 @@
+{
+ "id": "4d3817db-dd35-4de4-a80d-3867157e7f7f",
+ "queryName": "Storage Container Is Publicly Accessible",
+ "severity": "HIGH",
+ "category": "Access Control",
+ "descriptionText": "Anonymous, public read access to a container and its blobs are enabled in Azure Blob Storage",
+ "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_storageblob_module.html#parameter-public_access",
+ "platform": "Ansible"
+}
diff --git a/assets/queries/ansible/azure/blob_container_with_public_access/query.rego b/assets/queries/ansible/azure/storage_container_is_publicly_accessible/query.rego
similarity index 100%
rename from assets/queries/ansible/azure/blob_container_with_public_access/query.rego
rename to assets/queries/ansible/azure/storage_container_is_publicly_accessible/query.rego
diff --git a/assets/queries/ansible/azure/blob_container_with_public_access/test/negative.yaml b/assets/queries/ansible/azure/storage_container_is_publicly_accessible/test/negative.yaml
similarity index 100%
rename from assets/queries/ansible/azure/blob_container_with_public_access/test/negative.yaml
rename to assets/queries/ansible/azure/storage_container_is_publicly_accessible/test/negative.yaml
diff --git a/assets/queries/ansible/azure/blob_container_with_public_access/test/positive.yaml b/assets/queries/ansible/azure/storage_container_is_publicly_accessible/test/positive.yaml
similarity index 100%
rename from assets/queries/ansible/azure/blob_container_with_public_access/test/positive.yaml
rename to assets/queries/ansible/azure/storage_container_is_publicly_accessible/test/positive.yaml
diff --git a/assets/queries/ansible/azure/storage_container_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/ansible/azure/storage_container_is_publicly_accessible/test/positive_expected_result.json
new file mode 100644
index 00000000000..b27a116746e
--- /dev/null
+++ b/assets/queries/ansible/azure/storage_container_is_publicly_accessible/test/positive_expected_result.json
@@ -0,0 +1,12 @@
+[
+ {
+ "queryName": "Storage Container Is Publicly Accessible",
+ "severity": "HIGH",
+ "line": 9
+ },
+ {
+ "queryName": "Storage Container Is Publicly Accessible",
+ "severity": "HIGH",
+ "line": 17
+ }
+]
diff --git a/assets/queries/cloudFormation/default_security_groups_woth_unrestricted_traffic/metadata.json b/assets/queries/cloudFormation/default_security_groups_with_unrestricted_traffic/metadata.json
similarity index 100%
rename from assets/queries/cloudFormation/default_security_groups_woth_unrestricted_traffic/metadata.json
rename to assets/queries/cloudFormation/default_security_groups_with_unrestricted_traffic/metadata.json
diff --git a/assets/queries/cloudFormation/default_security_groups_woth_unrestricted_traffic/query.rego b/assets/queries/cloudFormation/default_security_groups_with_unrestricted_traffic/query.rego
similarity index 100%
rename from assets/queries/cloudFormation/default_security_groups_woth_unrestricted_traffic/query.rego
rename to assets/queries/cloudFormation/default_security_groups_with_unrestricted_traffic/query.rego
diff --git a/assets/queries/cloudFormation/default_security_groups_woth_unrestricted_traffic/test/negative1.yaml b/assets/queries/cloudFormation/default_security_groups_with_unrestricted_traffic/test/negative1.yaml
similarity index 100%
rename from assets/queries/cloudFormation/default_security_groups_woth_unrestricted_traffic/test/negative1.yaml
rename to assets/queries/cloudFormation/default_security_groups_with_unrestricted_traffic/test/negative1.yaml
diff --git a/assets/queries/cloudFormation/default_security_groups_woth_unrestricted_traffic/test/negative2.json b/assets/queries/cloudFormation/default_security_groups_with_unrestricted_traffic/test/negative2.json
similarity index 100%
rename from assets/queries/cloudFormation/default_security_groups_woth_unrestricted_traffic/test/negative2.json
rename to assets/queries/cloudFormation/default_security_groups_with_unrestricted_traffic/test/negative2.json
diff --git a/assets/queries/cloudFormation/default_security_groups_woth_unrestricted_traffic/test/positive1.yaml b/assets/queries/cloudFormation/default_security_groups_with_unrestricted_traffic/test/positive1.yaml
similarity index 100%
rename from assets/queries/cloudFormation/default_security_groups_woth_unrestricted_traffic/test/positive1.yaml
rename to assets/queries/cloudFormation/default_security_groups_with_unrestricted_traffic/test/positive1.yaml
diff --git a/assets/queries/cloudFormation/default_security_groups_woth_unrestricted_traffic/test/positive2.json b/assets/queries/cloudFormation/default_security_groups_with_unrestricted_traffic/test/positive2.json
similarity index 100%
rename from assets/queries/cloudFormation/default_security_groups_woth_unrestricted_traffic/test/positive2.json
rename to assets/queries/cloudFormation/default_security_groups_with_unrestricted_traffic/test/positive2.json
diff --git a/assets/queries/cloudFormation/default_security_groups_woth_unrestricted_traffic/test/positive_expected_result.json b/assets/queries/cloudFormation/default_security_groups_with_unrestricted_traffic/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/cloudFormation/default_security_groups_woth_unrestricted_traffic/test/positive_expected_result.json
rename to assets/queries/cloudFormation/default_security_groups_with_unrestricted_traffic/test/positive_expected_result.json
diff --git a/assets/queries/cloudFormation/ebs_volume_encrytpion_disabled/metadata.json b/assets/queries/cloudFormation/ebs_volume_encryption_disabled/metadata.json
similarity index 100%
rename from assets/queries/cloudFormation/ebs_volume_encrytpion_disabled/metadata.json
rename to assets/queries/cloudFormation/ebs_volume_encryption_disabled/metadata.json
diff --git a/assets/queries/cloudFormation/ebs_volume_encrytpion_disabled/query.rego b/assets/queries/cloudFormation/ebs_volume_encryption_disabled/query.rego
similarity index 100%
rename from assets/queries/cloudFormation/ebs_volume_encrytpion_disabled/query.rego
rename to assets/queries/cloudFormation/ebs_volume_encryption_disabled/query.rego
diff --git a/assets/queries/cloudFormation/ebs_volume_encrytpion_disabled/test/negative1.yaml b/assets/queries/cloudFormation/ebs_volume_encryption_disabled/test/negative1.yaml
similarity index 100%
rename from assets/queries/cloudFormation/ebs_volume_encrytpion_disabled/test/negative1.yaml
rename to assets/queries/cloudFormation/ebs_volume_encryption_disabled/test/negative1.yaml
diff --git a/assets/queries/cloudFormation/ebs_volume_encrytpion_disabled/test/negative2.json b/assets/queries/cloudFormation/ebs_volume_encryption_disabled/test/negative2.json
similarity index 100%
rename from assets/queries/cloudFormation/ebs_volume_encrytpion_disabled/test/negative2.json
rename to assets/queries/cloudFormation/ebs_volume_encryption_disabled/test/negative2.json
diff --git a/assets/queries/cloudFormation/ebs_volume_encrytpion_disabled/test/positive1.yaml b/assets/queries/cloudFormation/ebs_volume_encryption_disabled/test/positive1.yaml
similarity index 100%
rename from assets/queries/cloudFormation/ebs_volume_encrytpion_disabled/test/positive1.yaml
rename to assets/queries/cloudFormation/ebs_volume_encryption_disabled/test/positive1.yaml
diff --git a/assets/queries/cloudFormation/ebs_volume_encrytpion_disabled/test/positive2.yaml b/assets/queries/cloudFormation/ebs_volume_encryption_disabled/test/positive2.yaml
similarity index 100%
rename from assets/queries/cloudFormation/ebs_volume_encrytpion_disabled/test/positive2.yaml
rename to assets/queries/cloudFormation/ebs_volume_encryption_disabled/test/positive2.yaml
diff --git a/assets/queries/cloudFormation/ebs_volume_encrytpion_disabled/test/positive3.json b/assets/queries/cloudFormation/ebs_volume_encryption_disabled/test/positive3.json
similarity index 100%
rename from assets/queries/cloudFormation/ebs_volume_encrytpion_disabled/test/positive3.json
rename to assets/queries/cloudFormation/ebs_volume_encryption_disabled/test/positive3.json
diff --git a/assets/queries/cloudFormation/ebs_volume_encrytpion_disabled/test/positive4.json b/assets/queries/cloudFormation/ebs_volume_encryption_disabled/test/positive4.json
similarity index 100%
rename from assets/queries/cloudFormation/ebs_volume_encrytpion_disabled/test/positive4.json
rename to assets/queries/cloudFormation/ebs_volume_encryption_disabled/test/positive4.json
diff --git a/assets/queries/cloudFormation/ebs_volume_encrytpion_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/ebs_volume_encryption_disabled/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/cloudFormation/ebs_volume_encrytpion_disabled/test/positive_expected_result.json
rename to assets/queries/cloudFormation/ebs_volume_encryption_disabled/test/positive_expected_result.json
diff --git a/assets/queries/cloudFormation/efs_not_encrypted_with_kms_cmk/metadata.json b/assets/queries/cloudFormation/efs_without_kms/metadata.json
similarity index 100%
rename from assets/queries/cloudFormation/efs_not_encrypted_with_kms_cmk/metadata.json
rename to assets/queries/cloudFormation/efs_without_kms/metadata.json
diff --git a/assets/queries/cloudFormation/efs_not_encrypted_with_kms_cmk/query.rego b/assets/queries/cloudFormation/efs_without_kms/query.rego
similarity index 100%
rename from assets/queries/cloudFormation/efs_not_encrypted_with_kms_cmk/query.rego
rename to assets/queries/cloudFormation/efs_without_kms/query.rego
diff --git a/assets/queries/cloudFormation/efs_not_encrypted_with_kms_cmk/test/negative1.yaml b/assets/queries/cloudFormation/efs_without_kms/test/negative1.yaml
similarity index 100%
rename from assets/queries/cloudFormation/efs_not_encrypted_with_kms_cmk/test/negative1.yaml
rename to assets/queries/cloudFormation/efs_without_kms/test/negative1.yaml
diff --git a/assets/queries/cloudFormation/efs_not_encrypted_with_kms_cmk/test/negative2.json b/assets/queries/cloudFormation/efs_without_kms/test/negative2.json
similarity index 100%
rename from assets/queries/cloudFormation/efs_not_encrypted_with_kms_cmk/test/negative2.json
rename to assets/queries/cloudFormation/efs_without_kms/test/negative2.json
diff --git a/assets/queries/cloudFormation/efs_not_encrypted_with_kms_cmk/test/positive1.yaml b/assets/queries/cloudFormation/efs_without_kms/test/positive1.yaml
similarity index 100%
rename from assets/queries/cloudFormation/efs_not_encrypted_with_kms_cmk/test/positive1.yaml
rename to assets/queries/cloudFormation/efs_without_kms/test/positive1.yaml
diff --git a/assets/queries/cloudFormation/efs_not_encrypted_with_kms_cmk/test/positive2.json b/assets/queries/cloudFormation/efs_without_kms/test/positive2.json
similarity index 100%
rename from assets/queries/cloudFormation/efs_not_encrypted_with_kms_cmk/test/positive2.json
rename to assets/queries/cloudFormation/efs_without_kms/test/positive2.json
diff --git a/assets/queries/cloudFormation/efs_not_encrypted_with_kms_cmk/test/positive_expected_result.json b/assets/queries/cloudFormation/efs_without_kms/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/cloudFormation/efs_not_encrypted_with_kms_cmk/test/positive_expected_result.json
rename to assets/queries/cloudFormation/efs_without_kms/test/positive_expected_result.json
diff --git a/assets/queries/cloudFormation/kms_key_with_vulnerable_policy/metadata.json b/assets/queries/cloudFormation/kms_key_with_vulnerable_policy/metadata.json
index 20bd0f71d27..49a8d32d046 100644
--- a/assets/queries/cloudFormation/kms_key_with_vulnerable_policy/metadata.json
+++ b/assets/queries/cloudFormation/kms_key_with_vulnerable_policy/metadata.json
@@ -2,7 +2,7 @@
 "id": "da905474-7454-43c0-b8d2-5756ab951aba",
 "queryName": "KMS Key With Vulnerable Policy",
 "severity": "HIGH",
- "category": "Networking and Firewall",
+ "category": "Insecure Configurations",
 "descriptionText": "Checks if the policy is vulnerable and needs updating",
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-kms-key.html#cfn-kms-key-keypolicy",
 "platform": "CloudFormation"
diff --git a/assets/queries/cloudFormation/redshift_publicly_accessible/metadata.json b/assets/queries/cloudFormation/redshift_publicly_accessible/metadata.json
index 060d93f0e3a..a79848ea042 100644
--- a/assets/queries/cloudFormation/redshift_publicly_accessible/metadata.json
+++ b/assets/queries/cloudFormation/redshift_publicly_accessible/metadata.json
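Review bot: The kms_key_with_vulnerable_policy hunk moves the query to "Insecure Configurations" but leaves a descriptionText (`"Checks if the policy is vulnerable and needs updating"`) that never says what condition in the key policy the query treats as vulnerable, so a user reading a finding under the new category still cannot tell what to change. Since this commit is already touching the metadata of this query, it is the natural place to state the checked condition in the same style as the other descriptions in this patch (for example the Redshift one, which names the attribute and the expected value); the exact wording should be taken from what query.rego actually evaluates, which is outside this diff.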
@@ -1,9 +1,9 @@
 {
 "id": "bdf8dcb4-75df-4370-92c4-606e4ae6c4d3",
 "queryName": "Redshift Publicly Accessible",
- "severity": "MEDIUM",
+ "severity": "HIGH",
 "category": "Insecure Configurations",
 "descriptionText": "AWS Redshift Clusters must not be publicly accessible, which means the attribute 'PubliclyAccessible' must be set to false",
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-redshift-cluster.html",
 "platform": "CloudFormation"
-}
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/redshift_publicly_accessible/test/positive_expected_result.json b/assets/queries/cloudFormation/redshift_publicly_accessible/test/positive_expected_result.json
index 9b3748b1869..c77c482dda8 100644
--- a/assets/queries/cloudFormation/redshift_publicly_accessible/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/redshift_publicly_accessible/test/positive_expected_result.json
@@ -1,26 +1,26 @@
 [
 {
 "queryName": "Redshift Publicly Accessible",
- "severity": "MEDIUM",
+ "severity": "HIGH",
 "line": 4,
 "fileName": "positive1.yaml"
 },
 {
 "queryName": "Redshift Publicly Accessible",
- "severity": "MEDIUM",
+ "severity": "HIGH",
 "line": 17,
 "fileName": "positive1.yaml"
 },
 {
 "queryName": "Redshift Publicly Accessible",
- "severity": "MEDIUM",
+ "severity": "HIGH",
 "line": 5,
 "fileName": "positive2.json"
 },
 {
 "queryName": "Redshift Publicly Accessible",
- "severity": "MEDIUM",
+ "severity": "HIGH",
 "line": 30,
 "fileName": "positive2.json"
 }
-]
+]
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/root_account_has_active_access_keys/metadata.json b/assets/queries/cloudFormation/root_account_has_active_access_keys/metadata.json
index edb8be36272..4c21abbb96b 100644
--- a/assets/queries/cloudFormation/root_account_has_active_access_keys/metadata.json
+++ b/assets/queries/cloudFormation/root_account_has_active_access_keys/metadata.json
@@ -2,8 +2,8 @@
 "id": "4c137350-7307-4803-8c04-17c09a7a9fcf",
 "queryName": "Root Account Has Active Access Keys",
 "severity": "HIGH",
- "category": "Access Control",
+ "category": "Insecure Configurations",
 "descriptionText": "Check if the root user has any access keys associated to it.",
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-accesskey.html",
 "platform": "CloudFormation"
-}
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/route53_record_undefined/metadata.json b/assets/queries/cloudFormation/route53_record_undefined/metadata.json
index 29a7c1e9d69..f0d13862643 100644
--- a/assets/queries/cloudFormation/route53_record_undefined/metadata.json
+++ b/assets/queries/cloudFormation/route53_record_undefined/metadata.json
@@ -2,8 +2,8 @@
 "id": "24d932e1-91f0-46ea-836f-fdbd81694151",
 "queryName": "Route53 Record Undefined",
 "severity": "HIGH",
- "category": "Insecure Configurations",
+ "category": "Networking and Firewall",
 "descriptionText": "Route53 HostedZone must have the Record Set defined.",
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-route53-hostedzone.html",
 "platform": "CloudFormation"
-}
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/s3_bucket_access_to_any_principal/metadata.json b/assets/queries/cloudFormation/s3_bucket_access_to_any_principal/metadata.json
index b6ced57ac76..7965d014a25 100644
--- a/assets/queries/cloudFormation/s3_bucket_access_to_any_principal/metadata.json
+++ b/assets/queries/cloudFormation/s3_bucket_access_to_any_principal/metadata.json
@@ -2,7 +2,7 @@
 "id": "7772bb8c-c0f3-42d4-8e4e-f1b8939ad085",
 "queryName": "S3 Bucket Access to Any Principal",
 "severity": "HIGH",
- "category": "Insecure Configurations",
+ "category": "Access Control",
 "descriptionText": "The S3 Bucket should not have the (accessPublicBlock empty or accessPublicBlock.ignorePublicAcls = false or accessPublicBlock.restrictPublicBuckets = false ) and ( policy.Statement contain [Effect='Allow' and (Principal='*' or Principal.AWS='*')])",
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html",
 "platform": "CloudFormation"
diff --git a/assets/queries/cloudFormation/s3_bucket_rules_with_master_key_id_null/metadata.json b/assets/queries/cloudFormation/s3_bucket_sse_disabled/metadata.json
similarity index 92%
rename from assets/queries/cloudFormation/s3_bucket_rules_with_master_key_id_null/metadata.json
rename to assets/queries/cloudFormation/s3_bucket_sse_disabled/metadata.json
index 96f83ce879b..b54c0c19602 100644
--- a/assets/queries/cloudFormation/s3_bucket_rules_with_master_key_id_null/metadata.json
+++ b/assets/queries/cloudFormation/s3_bucket_sse_disabled/metadata.json
@@ -2,7 +2,7 @@
 "id": "64ab651b-f5b2-4af0-8c89-ddd03c4d0e61",
 "queryName": "S3 Bucket SSE Disabled",
 "severity": "HIGH",
- "category": "Secret Management",
+ "category": "Encryption",
 "descriptionText": "If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required",
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-serversideencryptionbydefault.html",
 "platform": "CloudFormation"
diff --git a/assets/queries/cloudFormation/s3_bucket_rules_with_master_key_id_null/query.rego b/assets/queries/cloudFormation/s3_bucket_sse_disabled/query.rego
similarity index 100%
rename from assets/queries/cloudFormation/s3_bucket_rules_with_master_key_id_null/query.rego
rename to assets/queries/cloudFormation/s3_bucket_sse_disabled/query.rego
diff --git a/assets/queries/cloudFormation/s3_bucket_rules_with_master_key_id_null/test/negative.json b/assets/queries/cloudFormation/s3_bucket_sse_disabled/test/negative.json
similarity index 100%
rename from assets/queries/cloudFormation/s3_bucket_rules_with_master_key_id_null/test/negative.json
rename to assets/queries/cloudFormation/s3_bucket_sse_disabled/test/negative.json
diff --git a/assets/queries/cloudFormation/s3_bucket_rules_with_master_key_id_null/test/negative.yaml b/assets/queries/cloudFormation/s3_bucket_sse_disabled/test/negative.yaml
similarity index 100%
rename from assets/queries/cloudFormation/s3_bucket_rules_with_master_key_id_null/test/negative.yaml
rename to assets/queries/cloudFormation/s3_bucket_sse_disabled/test/negative.yaml
diff --git a/assets/queries/cloudFormation/s3_bucket_rules_with_master_key_id_null/test/positive1.json b/assets/queries/cloudFormation/s3_bucket_sse_disabled/test/positive1.json
similarity index 100%
rename from assets/queries/cloudFormation/s3_bucket_rules_with_master_key_id_null/test/positive1.json
rename to assets/queries/cloudFormation/s3_bucket_sse_disabled/test/positive1.json
diff --git a/assets/queries/cloudFormation/s3_bucket_rules_with_master_key_id_null/test/positive1.yaml b/assets/queries/cloudFormation/s3_bucket_sse_disabled/test/positive1.yaml
similarity index 100%
rename from assets/queries/cloudFormation/s3_bucket_rules_with_master_key_id_null/test/positive1.yaml
rename to assets/queries/cloudFormation/s3_bucket_sse_disabled/test/positive1.yaml
diff --git a/assets/queries/cloudFormation/s3_bucket_rules_with_master_key_id_null/test/positive2.json b/assets/queries/cloudFormation/s3_bucket_sse_disabled/test/positive2.json
similarity index 100%
rename from assets/queries/cloudFormation/s3_bucket_rules_with_master_key_id_null/test/positive2.json
rename to assets/queries/cloudFormation/s3_bucket_sse_disabled/test/positive2.json
diff --git a/assets/queries/cloudFormation/s3_bucket_rules_with_master_key_id_null/test/positive2.yaml b/assets/queries/cloudFormation/s3_bucket_sse_disabled/test/positive2.yaml
similarity index 100%
rename from assets/queries/cloudFormation/s3_bucket_rules_with_master_key_id_null/test/positive2.yaml
rename to assets/queries/cloudFormation/s3_bucket_sse_disabled/test/positive2.yaml
diff --git a/assets/queries/cloudFormation/s3_bucket_rules_with_master_key_id_null/test/positive_expected_result.json b/assets/queries/cloudFormation/s3_bucket_sse_disabled/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/cloudFormation/s3_bucket_rules_with_master_key_id_null/test/positive_expected_result.json
rename to assets/queries/cloudFormation/s3_bucket_sse_disabled/test/positive_expected_result.json
diff --git a/assets/queries/cloudFormation/s3_bucket_without_versioning/metadata.json b/assets/queries/cloudFormation/s3_bucket_without_versioning/metadata.json
index 915cb350baa..bac9b06979b 100644
--- a/assets/queries/cloudFormation/s3_bucket_without_versioning/metadata.json
+++ b/assets/queries/cloudFormation/s3_bucket_without_versioning/metadata.json
@@ -2,8 +2,8 @@
 "id": "a227ec01-f97a-4084-91a4-47b350c1db54",
 "queryName": "S3 Bucket Without Versioning",
 "severity": "MEDIUM",
- "category": "Best Practices",
+ "category": "Observability",
 "descriptionText": "S3 bucket versioning should be enabled",
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html",
 "platform": "CloudFormation"
-}
+}
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/s3_static_website_host_enabled/metadata.json b/assets/queries/cloudFormation/s3_static_website_host_enabled/metadata.json
index 5c6294ddc28..028b7674933 100644
--- a/assets/queries/cloudFormation/s3_static_website_host_enabled/metadata.json
+++ b/assets/queries/cloudFormation/s3_static_website_host_enabled/metadata.json
@@ -2,7 +2,7 @@
 "id": "90501b1b-cded-4cc1-9e8b-206b85cda317",
 "queryName": "S3 Static Website Host Enabled",
 "severity": "HIGH",
- "category": "Access Control",
+ "category": "Insecure Configurations",
 "descriptionText": "It's dangerous disabling a block public access settings in bucket or writing a bucket policy that grants public read access",
 "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-publicaccessblockconfiguration.html",
 "platform": "CloudFormation"
diff --git a/assets/queries/terraform/aws/default_security_groups_woth_unrestricted_traffic/metadata.json b/assets/queries/terraform/aws/default_security_groups_with_unrestricted_traffic/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/default_security_groups_woth_unrestricted_traffic/metadata.json
rename to assets/queries/terraform/aws/default_security_groups_with_unrestricted_traffic/metadata.json
diff --git a/assets/queries/terraform/aws/default_security_groups_woth_unrestricted_traffic/query.rego b/assets/queries/terraform/aws/default_security_groups_with_unrestricted_traffic/query.rego
similarity index 100%
rename from assets/queries/terraform/aws/default_security_groups_woth_unrestricted_traffic/query.rego
rename to assets/queries/terraform/aws/default_security_groups_with_unrestricted_traffic/query.rego
diff --git a/assets/queries/terraform/aws/default_security_groups_woth_unrestricted_traffic/test/negative.tf b/assets/queries/terraform/aws/default_security_groups_with_unrestricted_traffic/test/negative.tf
similarity index 100%
rename from assets/queries/terraform/aws/default_security_groups_woth_unrestricted_traffic/test/negative.tf
rename to assets/queries/terraform/aws/default_security_groups_with_unrestricted_traffic/test/negative.tf
diff --git a/assets/queries/terraform/aws/default_security_groups_woth_unrestricted_traffic/test/positive.tf b/assets/queries/terraform/aws/default_security_groups_with_unrestricted_traffic/test/positive.tf
similarity index 100%
rename from assets/queries/terraform/aws/default_security_groups_woth_unrestricted_traffic/test/positive.tf
rename to assets/queries/terraform/aws/default_security_groups_with_unrestricted_traffic/test/positive.tf
diff --git a/assets/queries/terraform/aws/default_security_groups_woth_unrestricted_traffic/test/positive_expected_result.json b/assets/queries/terraform/aws/default_security_groups_with_unrestricted_traffic/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/default_security_groups_woth_unrestricted_traffic/test/positive_expected_result.json
rename to assets/queries/terraform/aws/default_security_groups_with_unrestricted_traffic/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/ebs_volume_encrytpion_disabled/metadata.json b/assets/queries/terraform/aws/ebs_volume_encryption_disabled/metadata.json
similarity index 93%
rename from assets/queries/terraform/aws/ebs_volume_encrytpion_disabled/metadata.json
rename to assets/queries/terraform/aws/ebs_volume_encryption_disabled/metadata.json
index 1155e9c3338..675950f636f 100644
--- a/assets/queries/terraform/aws/ebs_volume_encrytpion_disabled/metadata.json
+++ b/assets/queries/terraform/aws/ebs_volume_encryption_disabled/metadata.json
@@ -1,9 +1,9 @@
 {
 "id": "cc997676-481b-4e93-aa81-d19f8c5e9b12",
 "queryName": "EBS Volume Encryption Disabled",
- "severity": "HIGH",
+ "severity": "MEDIUM",
 "category": "Encryption",
 "descriptionText": "The value on AWS EBS Volume Cluster Encryption must be true",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ebs_volume#encrypted",
 "platform": "Terraform"
-}
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/ebs_volume_encrytpion_disabled/query.rego b/assets/queries/terraform/aws/ebs_volume_encryption_disabled/query.rego
similarity index 100%
rename from assets/queries/terraform/aws/ebs_volume_encrytpion_disabled/query.rego
rename to assets/queries/terraform/aws/ebs_volume_encryption_disabled/query.rego
diff --git a/assets/queries/terraform/aws/ebs_volume_encrytpion_disabled/test/negative.tf b/assets/queries/terraform/aws/ebs_volume_encryption_disabled/test/negative.tf
similarity index 100%
rename from assets/queries/terraform/aws/ebs_volume_encrytpion_disabled/test/negative.tf
rename to assets/queries/terraform/aws/ebs_volume_encryption_disabled/test/negative.tf
diff --git a/assets/queries/terraform/aws/ebs_volume_encrytpion_disabled/test/positive.tf b/assets/queries/terraform/aws/ebs_volume_encryption_disabled/test/positive.tf
similarity index 100%
rename from assets/queries/terraform/aws/ebs_volume_encrytpion_disabled/test/positive.tf
rename to assets/queries/terraform/aws/ebs_volume_encryption_disabled/test/positive.tf
diff --git a/assets/queries/terraform/aws/ebs_volume_encrytpion_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/ebs_volume_encryption_disabled/test/positive_expected_result.json
similarity index 74%
rename from assets/queries/terraform/aws/ebs_volume_encrytpion_disabled/test/positive_expected_result.json
rename to assets/queries/terraform/aws/ebs_volume_encryption_disabled/test/positive_expected_result.json
index bdea2ad473a..5decede42b4 100644
--- a/assets/queries/terraform/aws/ebs_volume_encrytpion_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/ebs_volume_encryption_disabled/test/positive_expected_result.json
@@ -1,7 +1,7 @@
 [
 {
 "queryName": "EBS Volume Encryption Disabled",
- "severity": "HIGH",
+ "severity": "MEDIUM",
 "line": 4
 }
 ]
diff --git a/assets/queries/terraform/aws/efs_without_kms/metadata.json b/assets/queries/terraform/aws/efs_without_kms/metadata.json
new file mode 100644
index 00000000000..d7fc485018e
--- /dev/null
+++ b/assets/queries/terraform/aws/efs_without_kms/metadata.json
@@ -0,0 +1,9 @@
+{
+ "id": "25d251f3-f348-4f95-845c-1090e41a615c",
+ "queryName": "EFS Without KMS",
+ "severity": "HIGH",
+ "category": "Encryption",
+ "descriptionText": "Elastic File System (EFS) must have KMS Key ID",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/efs_file_system#kms_key_id",
+ "platform": "Terraform"
+}
diff --git a/assets/queries/terraform/aws/efs_without_kms_key_id/query.rego b/assets/queries/terraform/aws/efs_without_kms/query.rego
similarity index 100%
rename from assets/queries/terraform/aws/efs_without_kms_key_id/query.rego
rename to assets/queries/terraform/aws/efs_without_kms/query.rego
diff --git a/assets/queries/terraform/aws/efs_without_kms_key_id/test/negative.tf b/assets/queries/terraform/aws/efs_without_kms/test/negative.tf
similarity index 100%
rename from assets/queries/terraform/aws/efs_without_kms_key_id/test/negative.tf
rename to assets/queries/terraform/aws/efs_without_kms/test/negative.tf
diff --git a/assets/queries/terraform/aws/efs_without_kms_key_id/test/positive.tf b/assets/queries/terraform/aws/efs_without_kms/test/positive.tf
similarity index 100%
rename from assets/queries/terraform/aws/efs_without_kms_key_id/test/positive.tf
rename to assets/queries/terraform/aws/efs_without_kms/test/positive.tf
diff --git a/assets/queries/terraform/aws/efs_without_kms_key_id/test/positive_expected_result.json b/assets/queries/terraform/aws/efs_without_kms/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/efs_without_kms_key_id/test/positive_expected_result.json
rename to assets/queries/terraform/aws/efs_without_kms/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/efs_without_kms_key_id/metadata.json b/assets/queries/terraform/aws/efs_without_kms_key_id/metadata.json
deleted file mode 100644
index 6116b30caff..00000000000
--- a/assets/queries/terraform/aws/efs_without_kms_key_id/metadata.json
+++ /dev/null
@@ -1,9 +0,0 @@
-{
- "id": "25d251f3-f348-4f95-845c-1090e41a615c",
- "queryName": "EFS Without KMS",
- "severity": "HIGH",
- "category": "Secret Management",
- "descriptionText": "Elastic File System (EFS) must have KMS Key ID",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/efs_file_system#kms_key_id",
- "platform": "Terraform"
-}
diff --git a/assets/queries/terraform/aws/iam_policies_with_full_privileges/metadata.json b/assets/queries/terraform/aws/iam_policies_with_full_privileges/metadata.json
index c9328b04c63..e3fb35d9290 100644
--- a/assets/queries/terraform/aws/iam_policies_with_full_privileges/metadata.json
+++ b/assets/queries/terraform/aws/iam_policies_with_full_privileges/metadata.json
@@ -1,7 +1,7 @@
 {
 "id": "2f37c4a3-58b9-4afe-8a87-d7f1d2286f84",
 "queryName": "IAM Policies With Full Privileges",
- "severity": "MEDIUM",
+ "severity": "HIGH",
 "category": "Access Control",
 "descriptionText": "IAM policies that allow full administrative privileges (for all resources)",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy",
diff --git a/assets/queries/terraform/aws/iam_policies_with_full_privileges/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_policies_with_full_privileges/test/positive_expected_result.json
index 7bf4f1f3969..1aefb714054 100644
--- a/assets/queries/terraform/aws/iam_policies_with_full_privileges/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/iam_policies_with_full_privileges/test/positive_expected_result.json
@@ -1,7 +1,7 @@
 [
 {
 "queryName": "IAM Policies With Full Privileges",
- "severity": "MEDIUM",
+ "severity": "HIGH",
 "line": 5
 }
 ]
diff --git a/assets/queries/terraform/aws/s3_bucket_acl_allows_read_or_write_to_all_users/metadata.json b/assets/queries/terraform/aws/s3_bucket_acl_allows_read_or_write_to_all_users/metadata.json
index d02d1baca9c..b708ee3ecc2 100644
--- a/assets/queries/terraform/aws/s3_bucket_acl_allows_read_or_write_to_all_users/metadata.json
+++ b/assets/queries/terraform/aws/s3_bucket_acl_allows_read_or_write_to_all_users/metadata.json
@@ -1,9 +1,9 @@
 {
- "id": "64a222aa-7793-4e40-915f-4b302c76e4d4",
+ "id": "38c5ee0d-7f22-4260-ab72-5073048df100",
 "queryName": "S3 Bucket ACL Allows Read Or Write to All Users",
 "severity": "HIGH",
 "category": "Access Control",
- "descriptionText": "S3 Buckets must not allow Write_ACP Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Write_ACP, for all Principals.",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy",
+ "descriptionText": "S3 bucket with public READ/WRITE access",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket",
 "platform": "Terraform"
-}
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/s3_bucket_acl_allows_read_or_write_to_all_users/query.rego b/assets/queries/terraform/aws/s3_bucket_acl_allows_read_or_write_to_all_users/query.rego
index 1f8516bed32..6bc47a67c8b 100644
--- a/assets/queries/terraform/aws/s3_bucket_acl_allows_read_or_write_to_all_users/query.rego
+++ b/assets/queries/terraform/aws/s3_bucket_acl_allows_read_or_write_to_all_users/query.rego
@@ -1,24 +1,18 @@
 package Cx
 
-import data.generic.common as commonLib
-import data.generic.terraform as terraLib
-
 CxPolicy[result] {
- pl := {"aws_s3_bucket_policy", "aws_s3_bucket"}
- resource := input.document[i].resource[pl[r]][name]
-
- policy := commonLib.json_unmarshal(resource.policy)
- statement := policy.Statement[_]
-
- statement.Effect == "Allow"
- terraLib.anyPrincipal(statement)
- commonLib.containsOrInArrayContains(statement.Action, "write_acp")
+ resource := input.document[i].resource.aws_s3_bucket[name]
+ publicAccessACL(resource.acl)
 
 result := {
 "documentId": input.document[i].id,
- "searchKey": sprintf("%s[%s].policy", [pl[r], name]),
+ "searchKey": sprintf("aws_s3_bucket[%s].acl=%s", [name, resource.acl]),
 "issueType": "IncorrectValue",
- "keyExpectedValue": sprintf("%s[%s].policy.Action is not a 'Write_ACP' action", [pl[r], name]),
- "keyActualValue": sprintf("%s[%s].policy.Action is a 'Write_ACP' action", [pl[r], name]),
+ "keyExpectedValue": "'acl' is equal 'private'",
+ "keyActualValue": sprintf("'acl' is equal '%s'", [resource.acl]),
 }
 }
+
+publicAccessACL("public-read") = true
+
+publicAccessACL("public-read-write") = true
diff --git a/assets/queries/terraform/aws/s3_bucket_acl_allows_read_or_write_to_all_users/test/negative.tf b/assets/queries/terraform/aws/s3_bucket_acl_allows_read_or_write_to_all_users/test/negative.tf
index de2402ea980..fb261679539 100644
--- a/assets/queries/terraform/aws/s3_bucket_acl_allows_read_or_write_to_all_users/test/negative.tf
+++ b/assets/queries/terraform/aws/s3_bucket_acl_allows_read_or_write_to_all_users/test/negative.tf
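Review bot: The rewritten rule only matches the two canned ACLs `public-read` and `public-read-write`, so a bucket whose `acl` is `authenticated-read` (readable by any AWS account, which arguably falls under the query's "All Users" name) or whose public access is expressed through a `grant` block instead of `acl` is not reported, and the old detection of an `Allow` of `write_acp` to any principal in a bucket policy is dropped rather than moved to another query. If retiring the policy-based check is intentional, it is worth stating in the commit message, because the companion metadata hunk also replaces the query id, so any suppression or baseline keyed on the old id silently stops applying to a query whose logic has changed completely. Covering the remaining canned ACL is a one-line addition next to the two existing facts, `publicAccessACL("authenticated-read") = true`, with `keyExpectedValue` reworded to `"'acl' is not 'public-read', 'public-read-write' or 'authenticated-read'"` so the message matches what the rule checks rather than asserting that only `private` is acceptable.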
@@ -1,25 +1,13 @@ resource "aws_s3_bucket" "negative1" { - bucket = "my_tf_test_bucket" -} + bucket = "my-tf-test-bucket" + acl = "private" -resource "aws_s3_bucket_policy" "negative2" { - bucket = aws_s3_bucket.b.id + tags = { + Name = "My bucket" + Environment = "Dev" + } - policy = < Date: Thu, 1 Apr 2021 18:45:38 +0300 Subject: [PATCH 02/15] [kicsbot] Update queries catalog (#2676) Co-authored-by: rogeriopeixotocx --- docs/queries/all-queries.md | 1274 ++++++++++++------------ docs/queries/ansible-queries.md | 210 ++-- docs/queries/cloudformation-queries.md | 264 ++--- docs/queries/dockerfile-queries.md | 52 +- docs/queries/kubernetes-queries.md | 70 +- docs/queries/terraform-queries.md | 352 +++---- 6 files changed, 1111 insertions(+), 1111 deletions(-) diff --git a/docs/queries/all-queries.md b/docs/queries/all-queries.md index 4e3628b8a14..b342954cce4 100644 --- a/docs/queries/all-queries.md +++ b/docs/queries/all-queries.md @@ -4,867 +4,867 @@ This page contains all queries. | Query |Platform|Severity|Category|Description|Help| |-----------------------------|---|---|---|---|---| |Passwords And Secrets In Infrastructure Code
f996f3cb-00fc-480c-8973-8ab04d44a8cc|Common|High|Secret Management|Query to find passwords and secrets in infrastructure code.|Documentation
| -|UNIX Ports Out Of Range
71bf8cf8-f0a1-42fa-b9d2-d10525e0a38e|Dockerfile|High|Availability|Exposing UNIX ports out of range from 0 to 65535|Documentation
| -|Copy With More Than Two Arguments Not Ending With Slash
6db6e0c2-32a3-4a2e-93b5-72c35f4119db|Dockerfile|High|Build Process|When a COPY command has more than two arguments, the last one should end with a slash|Documentation
| -|WORKDIR Path Not Absolute
6b376af8-cfe8-49ab-a08d-f32de23661a4|Dockerfile|High|Build Process|For clarity and reliability, you should always use absolute paths for your WORKDIR|Documentation
| -|Same Alias In Different Froms
f2daed12-c802-49cd-afed-fe41d0b82fed|Dockerfile|High|Build Process|Different FROMS cant have the same alias defined|Documentation
| -|Multiple ENTRYPOINT Instructions Listed
6938958b-3f1a-451c-909b-baeee14bdc97|Dockerfile|High|Build Process|There can only be one ENTRYPOINT instruction in a Dockerfile. Only the last ENTRYPOINT instruction in the Dockerfile will have an effect|Documentation
| -|COPY '--from' References Current FROM Alias
cdddb86f-95f6-4fc4-b5a1-483d9afceb2b|Dockerfile|High|Build Process|COPY '--from' should not mention the current FROM alias, since it is impossible to copy from itself|Documentation
| -|Missing User Instruction
fd54f200-402c-4333-a5a4-36ef6709af2f|Dockerfile|High|Build Process|A user should be specified in the dockerfile, otherwise the image will run as root|Documentation
| -|Run Using Sudo
8ada6e80-0ade-439e-b176-0b28f6bce35a|Dockerfile|High|Insecure Configurations|Avoid RUN with sudo command as it leads to unpredictable behavior|Documentation
| -|Yum Update Enabled
8f6456be-0018-46db-9ce6-b3b6dc8d34d2|Dockerfile|High|Supply-Chain|Yum update is being used|Documentation
| -|Use of Apk Upgrade
989ab888-7d1e-410f-9dde-c64a1d367bf2|Dockerfile|High|Supply-Chain|Avoid usage of apk upgrade because some packages from the parent image cannot be upgraded inside an unprivileged container|Documentation
| -|Run Using dnf Update
09fda05e-da85-4ee7-ab8d-2800a5e6e756|Dockerfile|High|Supply-Chain|Command 'dnf update' should not be used, as it can cause inconsistencies between builds and fails in updated packages|Documentation
| -|Run Using Upgrade Commands
682fe378-c180-4bd5-8a14-95fc285fb269|Dockerfile|High|Supply-Chain|Commands 'apt-get upgrade' and 'apt-get dist-upgrade' should not be used|Documentation
| -|Last User Is 'root'
67fd0c4a-68cf-46d7-8c41-bc9fba7e40ae|Dockerfile|Medium|Best Practices|Leaving the last user as root can cause security risks. Change to another user after running the commands the need privileges|Documentation
| -|Update Instruction Alone
9bae49be-0aa3-4de5-bab2-4c3a069e40cd|Dockerfile|Medium|Build Process|Instruction 'RUN update' should always be followed by ' install' in the same RUN statement|Documentation
| -|RUN Instruction Using 'cd' Instead of WORKDIR
f4a6bcd3-e231-4acf-993c-aa027be50d2e|Dockerfile|Medium|Build Process|Use WORKDIR instead of proliferating instructions like RUN cd … && do-something, which are hard to read, troubleshoot, and maintain.|Documentation
| -|Not Using JSON In CMD And ENTRYPOINT Arguments
b86987e1-6397-4619-81d5-8807f2387c79|Dockerfile|Medium|Build Process|Ensure that we are using JSON in the CMD and ENTRYPOINT Arguments|Documentation
| -|COPY '--from' Without FROM Alias Defined Previously
68a51e22-ae5a-4d48-8e87-b01a323605c9|Dockerfile|Medium|Build Process|COPY command with the flag '--from' should mention a previously defined FROM alias|Documentation
| -|Multiple CMD Instructions Listed
41c195f4-fc31-4a5c-8a1b-90605538d49f|Dockerfile|Medium|Build Process|There can only be one CMD instruction in a Dockerfile. If you list more than one CMD then only the last CMD will take effect|Documentation
| -|Shell Running A Pipe Without Pipefail Flag
efbf148a-67e9-42d2-ac47-02fa1c0d0b22|Dockerfile|Medium|Insecure Defaults|Check if shell commands with pipes (except Powershell) have the pipefail flag set (-o).|Documentation
| -|Changing Default Shell Using SHELL Command
8a301064-c291-4b20-adcb-403fe7fd95fd|Dockerfile|Medium|Insecure Defaults|Using the command SHELL to override the default shell instead of the RUN command|Documentation
| -|Secrets Stored In Dockerfile
c3e1b6ae-d92c-44b3-8ed5-1f5442bab6a4|Dockerfile|Medium|Secret Management|Scan Dockerfile to ensure that there are no secrets stored|Documentation
| -|Pip install Keeping Cached Packages
f2f903fb-b977-461e-98d7-b3e2185c6118|Dockerfile|Medium|Supply-Chain|When installing packages with pip, the '--no-cache-dir' flag should be set to make Docker images smaller|Documentation
| -|Run Using 'wget' and 'curl'
fc775e75-fcfb-4c98-b2f2-910c5858b359|Dockerfile|Medium|Supply-Chain|Shouldn't use both 'wget' and 'curl' since they are two tools that have the same effect|Documentation
| -|Missing Zypper Clean
38300d1a-feb2-4a48-936a-d1ef1cd24313|Dockerfile|Medium|Supply-Chain|Reduce layer and image size by deleting unneeded caches after running zypper|Documentation
| -|Unpinned Package Version in Apk Add
d3499f6d-1651-41bb-a9a7-de925fea487b|Dockerfile|Medium|Supply-Chain|Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes|Documentation
| -|Yum install Without Version
6452c424-1d92-4deb-bb18-a03e95d579c4|Dockerfile|Medium|Supply-Chain|Not specifying the package version can cause failures due to unanticipated changes in required packages|Documentation
| -|Missing Dnf Clean All
295acb63-9246-4b21-b441-7c1f1fb62dc0|Dockerfile|Medium|Supply-Chain|Cached package data should be cleaned after installation to reduce image size|Documentation
| -|Yum Install Allows Manual Input
6e19193a-8753-436d-8a09-76dcff91bb03|Dockerfile|Medium|Supply-Chain|Need to use -y to avoid manual input 'yum install -y '|Documentation
| -|Using Platform Flag with FROM Command
b16e8501-ef3c-44e1-a543-a093238099c9|Dockerfile|Medium|Supply-Chain|Don't use '--platform' flag with FROM|Documentation
| -|Missing Version Specification In dnf install
93d88cf7-f078-46a8-8ddc-178e03aeacf1|Dockerfile|Medium|Supply-Chain|Specifying a package version allows to reduce failures due to unanticipated changes in required packages.|Documentation
| -|Image Version Not Explicit
9efb0b2d-89c9-41a3-91ca-dcc0aec911fd|Dockerfile|Medium|Supply-Chain|Always tag the version of an image explicitly|Documentation
| -|Yum Clean All Missing
00481784-25aa-4a55-8633-3136dfcf4f37|Dockerfile|Medium|Supply-Chain|Need to use 'yum clean all' after using a 'yum install' command to clean package cached data and reduce image size|Documentation
| -|NPM Install Command Without Pinned Version
e36d8880-3f78-4546-b9a1-12f0745ca0d5|Dockerfile|Medium|Supply-Chain|Check if packages installed by npm are pinning a specific version.|Documentation
| -|Gem Install Without Version
22cd11f7-9c6c-4f6e-84c0-02058120b341|Dockerfile|Medium|Supply-Chain|Instead of 'gem install ' we should use 'gem install :'|Documentation
| -|Unpinned Package Version in Pip Install
02d9c71f-3ee8-4986-9c27-1a20d0d19bfc|Dockerfile|Medium|Supply-Chain|Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes|Documentation
| -|Image Version Using 'latest'
f45ea400-6bbe-4501-9fc7-1c3d75c32067|Dockerfile|Medium|Supply-Chain|When building images, always tag them with useful tags which codify version information, intended destination (prod or test, for instance), stability, or other information that is useful when deploying the application in different environments. Do not rely on the automatically-created latest tag|Documentation
| -|Zypper Install Without Version
562952e4-0348-4dea-9826-44f3a2c6117b|Dockerfile|Medium|Supply-Chain|Not specifying the package version can cause failures due to unanticipated changes in required packages|Documentation
| -|APT-GET Missing '-y' To Avoid Manual Input
77783205-c4ca-4f80-bb80-c777f267c547|Dockerfile|Medium|Supply-Chain|Check if apt-get calls use the flag -y to avoid user manual input.|Documentation
| -|Missing Zypper Non-interactive Switch
45e1fca5-f90e-465d-825f-c2cb63fa3944|Dockerfile|Medium|Supply-Chain|Omitting the non-interactive switch causes the command to fail during the build process, because zypper would expect manual input|Documentation
| -|Run Using apt
b84a0b47-2e99-4c9f-8933-98bcabe2b94d|Dockerfile|Medium|Supply-Chain|apt is discouraged by the linux distributions as an unattended tool as its interface may suffer changes between versions. Better use the more stable apt-get and apt-cache|Documentation
| -|Run Using Zypper Update
d4895357-dd49-4ba5-b726-1bb81cb50989|Dockerfile|Medium|Supply-Chain|'zypper update' should not be used. Can cause inconsistencies between builds, producing problems for application developers|Documentation
| -|Apt Get Install Pin Version Not Defined
965a08d7-ef86-4f14-8792-4a3b2098937e|Dockerfile|Medium|Supply-Chain|When installing a package, its pin version should be defined|Documentation
| -|Missing Flag From Dnf Install
7ebd323c-31b7-4e5b-b26f-de5e9e477af8|Dockerfile|Medium|Supply-Chain|The '-y' or '--assumeyes' flag should be added when invoking dnf install. If omitted, it can cause the command to fail during the build process, because dnf would expect manual input.|Documentation
| -|Exposing Port 22 (SSH)
5907595b-5b6d-4142-b173-dbb0e73fbff8|Dockerfile|Low|Best Practices|Expose only the ports that your application needs and avoid exposing ports like SSH (22)|Documentation
| -|Chown Flag Exists
aa93e17f-b6db-4162-9334-c70334e7ac28|Dockerfile|Low|Best Practices|If the user only needs execution permissions on the file and not ownership, don't use --chown option|Documentation
| -|MAINTAINER Instruction Being Used
99614418-f82b-4852-a9ae-5051402b741c|Dockerfile|Low|Best Practices|The MAINTAINER instruction sets the Author field of the generated images. The LABEL instruction is a much more flexible version of this and you should use it instead, as it enables setting any metadata you require, and can be viewed easily|Documentation
| -|Multiple RUN, ADD, COPY, Instructions Listed
0008c003-79aa-42d8-95b8-1c2fe37dbfe6|Dockerfile|Low|Best Practices|Multiple commands (RUN, Copy, And) should be grouped in order to reduce the number of layers.|Documentation
| -|Curl or Wget Instead of Add
4b410d24-1cbe-4430-a632-62c9a931cf1c|Dockerfile|Low|Best Practices|Use Curl or Wget instead of Add to fetch packages from remote URLs, because using Add is strongly discouraged|Documentation
| -|Add Instead of Copy
9513a694-aa0d-41d8-be61-3271e056f36b|Dockerfile|Low|Build Process|Should use COPY instead of ADD unless, running a tar file|Documentation
| -|Healthcheck Instruction Missing
b03a748a-542d-44f4-bb86-9199ab4fd2d5|Dockerfile|Low|Insecure Configurations|Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working|Documentation
| -|APT-GET Not Avoiding Additional Packages
7384dfb2-fcd1-4fbf-91cd-6c44c318c33c|Dockerfile|Info|Supply-Chain|Check if any apt-get installs don't use '--no-install-recommends' flag to avoid installing additional packages.|Documentation
| -|Apt Get Install Lists Were Not Deleted
df746b39-6564-4fed-bf85-e9c44382303c|Dockerfile|Info|Supply-Chain|After using apt-get install, it is needed to delete apt-get lists|Documentation
| -|Run Utilities And POSIX Commands
9b6b0f38-92a2-41f9-b881-3a1083d99f1b|Dockerfile|Info|Supply-Chain|Some POSIX commands and interactive utilities shouldn't run inside a Docker Container|Documentation
| -|Apk Add Using Local Cache Path
ae9c56a6-3ed1-4ac0-9b54-31267f51151d|Dockerfile|Info|Supply-Chain|When installing packages, use the '--no-cache' switch to avoid the need to use '--update' and remove '/var/cache/apk/*'|Documentation
| -|S3 Bucket Allows List Action From All Principals
66c6f96f-2d9e-417e-a998-9058aeeecd44|Terraform|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals.|Documentation
| -|S3 Bucket Allows Get Action From All Principals
1df37f4b-7197-45ce-83f8-9994d2fcf885|Terraform|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals.|Documentation
| +|S3 Bucket Allows Delete Action From All Principals
ffdf4b37-7703-4dfe-a682-9d2e99bc6c09|Terraform|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals.|Documentation
| +|S3 Bucket ACL Allows Read Or Write to All Users
38c5ee0d-7f22-4260-ab72-5073048df100|Terraform|High|Access Control|S3 bucket with public READ/WRITE access|Documentation
| |IAM Role With Full Privileges
b1ffa705-19a3-4b73-b9d0-0c97d0663842|Terraform|High|Access Control|IAM role policy that allow full administrative privileges (for all resources)|Documentation
| |ECS Service Admin Role is Present
3206240f-2e87-4e58-8d24-3e19e7c83d7c|Terraform|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'iam_role' must not be an admin role|Documentation
| -|S3 Bucket With All Permissions
a4966c4f-9141-48b8-a564-ffe9959945bc|Terraform|High|Access Control|S3 Buckets must not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion|Documentation
| -|S3 Bucket ACL Allows Read Or Write to All Users
64a222aa-7793-4e40-915f-4b302c76e4d4|Terraform|High|Access Control|S3 Buckets must not allow Write_ACP Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Write_ACP, for all Principals.|Documentation
| -|SQS Queue Exposed
abb06e5f-ef9a-4a99-98c6-376d396bfcdf|Terraform|High|Access Control|Checks if the SQS Queue is exposed|Documentation
| -|S3 Bucket ACL Allows Read to Any Authenticated User
57b9893d-33b1-4419-bcea-a717ea87e139|Terraform|High|Access Control|Misconfigured S3 buckets can leak private information to the entire internet or allow unauthorized data tampering / deletion|Documentation
| +|S3 Bucket Allows WriteACP Action From All Principals
64a222aa-7793-4e40-915f-4b302c76e4d4|Terraform|High|Access Control|S3 Buckets must not allow Write_ACP Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Write_ACP, for all Principals.|Documentation
| +|S3 Bucket Access to Any Principal
7af43613-6bb9-4a0e-8c4d-1314b799425e|Terraform|High|Access Control|S3 Buckets must not allow Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when there are All Principals|Documentation
| |S3 Bucket Allows Put Action From All Principals
d24c0755-c028-44b1-b503-8e719c898832|Terraform|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals.|Documentation
| -|S3 Bucket Allows Delete Action From All Principals
ffdf4b37-7703-4dfe-a682-9d2e99bc6c09|Terraform|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals.|Documentation
| +|S3 Bucket Allows List Action From All Principals
66c6f96f-2d9e-417e-a998-9058aeeecd44|Terraform|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals.|Documentation
| +|S3 Bucket With All Permissions
a4966c4f-9141-48b8-a564-ffe9959945bc|Terraform|High|Access Control|S3 Buckets must not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion|Documentation
| |S3 Bucket Allows Public Policy
1a4bc881-9f69-4d44-8c9a-d37d08f54c50|Terraform|High|Access Control|S3 bucket allows public policy|Documentation
| -|S3 Bucket Access to Any Principal
7af43613-6bb9-4a0e-8c4d-1314b799425e|Terraform|High|Access Control|S3 Buckets must not allow Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when there are All Principals|Documentation
| -|Admin User Enabled For Container Registry
b897dfbf-322c-45a8-b67c-1e698beeaa51|Terraform|High|Access Control|Admin user is enabled for Container Registry|Documentation
| -|Storage Container with Public Access
dd5230f8-a577-4bbb-b7ac-f2c2fe7d5299|Terraform|High|Access Control|Anonymous, public read access to a container and its blobs are enabled in Azure Blob Storage|Documentation
| -|Role Assignment Of Guest Users
2bc626a8-0751-446f-975d-8139214fc790|Terraform|High|Access Control|There is a role assignment for guest user|Documentation
| +|S3 Bucket Allows Get Action From All Principals
1df37f4b-7197-45ce-83f8-9994d2fcf885|Terraform|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals.|Documentation
| +|S3 Bucket ACL Allows Read to Any Authenticated User
57b9893d-33b1-4419-bcea-a717ea87e139|Terraform|High|Access Control|Misconfigured S3 buckets can leak private information to the entire internet or allow unauthorized data tampering / deletion|Documentation
| +|IAM Policies With Full Privileges
2f37c4a3-58b9-4afe-8a87-d7f1d2286f84|Terraform|High|Access Control|IAM policies that allow full administrative privileges (for all resources)|Documentation
| +|SQS Queue Exposed
abb06e5f-ef9a-4a99-98c6-376d396bfcdf|Terraform|High|Access Control|Checks if the SQS Queue is exposed|Documentation
| |VM With Full Cloud Access
bc280331-27b9-4acb-a010-018e8098aa5d|Terraform|High|Access Control|A VM instance is configured to use the default service account with full access to all Cloud APIs|Documentation
| -|SQL DB Instance Is Publicly Accessible
b187edca-b81e-4fdc-aff4-aab57db45edb|Terraform|High|Access Control|Check if any Cloud SQL instances are publicly accessible.|Documentation
| |Cloud Storage Bucket Is Publicly Accessible
c010082c-76e0-4b91-91d9-6e8439e455dd|Terraform|High|Access Control|Cloud Storage Bucket is anonymously or publicly accessible|Documentation
| -|BigQuery Dataset Is Public
e576ce44-dd03-4022-a8c0-3906acca2ab4|Terraform|High|Access Control|BigQuery dataset is anonymously or publicly accessible|Documentation
| |OSLogin Disabled
32ecd6eb-0711-421f-9627-1a28d9eff217|Terraform|High|Access Control|Verifies that the OSLogin is enabled|Documentation
| -|Geo Redundancy Is Disabled
8b042c30-e441-453f-b162-7696982ebc58|Terraform|High|Backup|Make sure that on PostgreSQL Geo Redundant Backups is enabled|Documentation
| +|SQL DB Instance Is Publicly Accessible
b187edca-b81e-4fdc-aff4-aab57db45edb|Terraform|High|Access Control|Check if any Cloud SQL instances are publicly accessible.|Documentation
| +|BigQuery Dataset Is Public
e576ce44-dd03-4022-a8c0-3906acca2ab4|Terraform|High|Access Control|BigQuery dataset is anonymously or publicly accessible|Documentation
| +|Storage Container Is Publicly Accessible
dd5230f8-a577-4bbb-b7ac-f2c2fe7d5299|Terraform|High|Access Control|Anonymous, public read access to a container and its blobs are enabled in Azure Blob Storage|Documentation
| +|Public Storage Account
17f75827-0684-48f4-8747-61129c7e4198|Terraform|High|Access Control|Check if 'network_rules' is open to public.|Documentation
| +|Role Assignment Of Guest Users
2bc626a8-0751-446f-975d-8139214fc790|Terraform|High|Access Control|There is a role assignment for guest user|Documentation
| +|Admin User Enabled For Container Registry
b897dfbf-322c-45a8-b67c-1e698beeaa51|Terraform|High|Access Control|Admin user is enabled for Container Registry|Documentation
| |SQL DB Instance Backup Disabled
cf3c7631-cd1e-42f3-8801-a561214a6e79|Terraform|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances|Documentation
| -|ELB Using Insecure Protocols
126c1788-23c2-4a10-906c-ef179f4f96ec|Terraform|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of insecure protocols.|Documentation
| -|Redshift Not Encrypted
cfdcabb0-fc06-427c-865b-c59f13e898ce|Terraform|High|Encryption|Check if 'encrypted' field is false or undefined (default is false)|Documentation
| +|Geo Redundancy Is Disabled
8b042c30-e441-453f-b162-7696982ebc58|Terraform|High|Backup|Make sure that on PostgreSQL Geo Redundant Backups is enabled|Documentation
| +|EBS Volume Snapshot Not Encrypted
e6b4b943-6883-47a9-9739-7ada9568f8ca|Terraform|High|Encryption|The value on AWS EBS Volume Snapshot Encryptation must be true|Documentation
| |User Data Contains Encoded Private Key
443488f5-c734-460b-a36d-5b3f330174dc|Terraform|High|Encryption|User Data Base64 contains an encoded RSA Private Key|Documentation
| +|ELB Using Insecure Protocols
126c1788-23c2-4a10-906c-ef179f4f96ec|Terraform|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of insecure protocols.|Documentation
| |Secure Ciphers Disabled
5c0003fb-9aa0-42c1-9da3-eb0e332bef21|Terraform|High|Encryption|Check if secure ciphers aren't used in CloudFront|Documentation
| +|MSK Cluster Encryption Disabled
6db52fa6-d4da-4608-908a-89f0c59e743e|Terraform|High|Encryption|Ensure MSK Cluster encryption in rest and transit is enabled|Documentation
| +|CA certificate Identifier is outdated
9f40c07e-699e-4410-8856-3ba0f2e3a2dd|Terraform|High|Encryption|The CA certificate Identifier must be 'rds-ca-2019'.|Documentation
| |Kinesis SSE Not Configured
5c6dd5e7-1fe0-4cae-8f81-4c122717cef3|Terraform|High|Encryption|AWS Kinesis Server data at rest should have Server Side Encryption (SSE) enabled|Documentation
| -|EBS Volume Encryption Disabled
cc997676-481b-4e93-aa81-d19f8c5e9b12|Terraform|High|Encryption|The value on AWS EBS Volume Cluster Encryption must be true|Documentation
| -|S3 Bucket Without Server-side-encryption
6726dcc0-5ff5-459d-b473-a780bef7665c|Terraform|High|Encryption|S3 bucket should have encryption defined|Documentation
| -|Kinesis Not Encrypted With KMS
862fe4bf-3eec-4767-a517-40f378886b88|Terraform|High|Encryption|AWS Kinesis Streams and metadata should be protected with KMS|Documentation
| -|Redis Not Compliant
254c932d-e3bf-44b2-bc9d-eb5fdb09f8d4|Terraform|High|Encryption|Check if the redis version is compliant with the necessary AWS PCI DSS requirements|Documentation
| +|EBS Default Encryption Disabled
3d3f6270-546b-443c-adb4-bb6fb2187ca6|Terraform|High|Encryption|EBS Encryption should be enabled|Documentation
| +|EFS Without KMS
25d251f3-f348-4f95-845c-1090e41a615c|Terraform|High|Encryption|Elastic File System (EFS) must have KMS Key ID|Documentation
| +|ECS Task Definition Container With Plaintext Password
d40210ea-64b9-4cce-a4fb-e8604f3c062c|Terraform|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data.|Documentation
| +|RDS Storage Not Encrypted
3199c26c-7871-4cb3-99c2-10a59244ce7f|Terraform|High|Encryption|Check if RDS Cluster Storage isn't encrypted. Happens when 'kms_key_id' field is 'false' or undefined and 'engine_mode' field is null or empty.|Documentation
| +|Redshift Not Encrypted
cfdcabb0-fc06-427c-865b-c59f13e898ce|Terraform|High|Encryption|Check if 'encrypted' field is false or undefined (default is false)|Documentation
| |Automatic Minor Upgrades Disabled
3b6d777b-76e3-4133-80a3-0d6f667ade7f|Terraform|High|Encryption|RDS Instance Auto Minor Version Upgrade feature in Aws Db Instance must be true|Documentation
| -|EBS Volume Snapshot Not Encrypted
e6b4b943-6883-47a9-9739-7ada9568f8ca|Terraform|High|Encryption|The value on AWS EBS Volume Snapshot Encryptation must be true|Documentation
| -|Viewer Protocol Policy Allows HTTP
55af1353-2f62-4fa0-a8e1-a210ca2708f5|Terraform|High|Encryption|Checks if the connection between the CloudFront and the origin server is encrypted|Documentation
| +|Launch Configuration Is Not Encrypted
4de9de27-254e-424f-bd70-4c1e95790838|Terraform|High|Encryption|Data stored in the Launch configuration EBS is not securely encrypted|Documentation
| +|AMI Not Encrypted
8bbb242f-6e38-4127-86d4-d8f0b2687ae2|Terraform|High|Encryption|AWS AMI Encryption is not enabled|Documentation
| +|Redis Not Compliant
254c932d-e3bf-44b2-bc9d-eb5fdb09f8d4|Terraform|High|Encryption|Check if the redis version is compliant with the necessary AWS PCI DSS requirements|Documentation
| +|DB Instance Storage Not Encrypted
08bd0760-8752-44e1-9779-7bb369b2b4e4|Terraform|High|Encryption|The parameter storage_encrypted in aws_db_instance must be set to 'true' (the default is 'false').|Documentation
| |Memcached Disabled
4bd15dd9-8d5e-4008-8532-27eb0c3706d3|Terraform|High|Encryption|Check if the Memcached is disabled on the ElastiCache|Documentation
| -|MSK Cluster Encryption Disabled
6db52fa6-d4da-4608-908a-89f0c59e743e|Terraform|High|Encryption|Ensure MSK Cluster encryption in rest and transit is enabled|Documentation
| |IAM Database Auth Not Enabled
88fd05e0-ac0e-43d2-ba6d-fc0ba60ae1a6|Terraform|High|Encryption|IAM Database Auth Enabled must be configured to true|Documentation
| +|Viewer Protocol Policy Allows HTTP
55af1353-2f62-4fa0-a8e1-a210ca2708f5|Terraform|High|Encryption|Checks if the connection between the CloudFront and the origin server is encrypted|Documentation
| |EFS Not Encrypted
48207659-729f-4b5c-9402-f884257d794f|Terraform|High|Encryption|Elastic File System (EFS) must be encrypted|Documentation
| -|Launch Configuration Is Not Encrypted
4de9de27-254e-424f-bd70-4c1e95790838|Terraform|High|Encryption|Data stored in the Launch configuration EBS is not securely encrypted|Documentation
| -|User Data Shell Script Is Encoded
9cf718ce-46f9-430e-89ec-c456f8b469ee|Terraform|High|Encryption|Base64 Shell Script must be encoded|Documentation
| -|DB Instance Storage Not Encrypted
08bd0760-8752-44e1-9779-7bb369b2b4e4|Terraform|High|Encryption|The parameter storage_encrypted in aws_db_instance must be set to 'true' (the default is 'false').|Documentation
| -|AMI Not Encrypted
8bbb242f-6e38-4127-86d4-d8f0b2687ae2|Terraform|High|Encryption|AWS AMI Encryption is not enabled|Documentation
| -|CA certificate Identifier is outdated
9f40c07e-699e-4410-8856-3ba0f2e3a2dd|Terraform|High|Encryption|The CA certificate Identifier must be 'rds-ca-2019'.|Documentation
| +|S3 Bucket Without Server-side-encryption
6726dcc0-5ff5-459d-b473-a780bef7665c|Terraform|High|Encryption|S3 bucket should have encryption defined|Documentation
| |ELB Using Weak Ciphers
4a800e14-c94a-442d-9067-5a2e9f6c0a4c|Terraform|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of weak ciphers.|Documentation
| -|EBS Default Encryption Disabled
3d3f6270-546b-443c-adb4-bb6fb2187ca6|Terraform|High|Encryption|EBS Encryption should be enabled|Documentation
| -|RDS Storage Not Encrypted
3199c26c-7871-4cb3-99c2-10a59244ce7f|Terraform|High|Encryption|Check if RDS Cluster Storage isn't encrypted. Happens when 'kms_key_id' field is 'false' or undefined and 'engine_mode' field is null or empty.|Documentation
| -|ECS Task Definition Container With Plaintext Password
d40210ea-64b9-4cce-a4fb-e8604f3c062c|Terraform|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data.|Documentation
| -|Storage Account Not Forcing HTTPS
12944ec4-1fa0-47be-8b17-42a034f937c2|Terraform|High|Encryption|See that Storage Accounts forces the use of HTTPS|Documentation
| -|SSL Enforce Disabled
0437633b-daa6-4bbc-8526-c0d2443b946e|Terraform|High|Encryption|Make sure that for PosgreSQL, the 'Enforce SSL connection' is set to 'ENABLED'|Documentation
| +|S3 Bucket SSE Disabled
ad03cb46-f174-4674-bf8e-2880a7000edd|Terraform|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required|Documentation
| +|User Data Shell Script Is Encoded
9cf718ce-46f9-430e-89ec-c456f8b469ee|Terraform|High|Encryption|Base64 Shell Script must be encoded|Documentation
| +|Kinesis Not Encrypted With KMS
862fe4bf-3eec-4767-a517-40f378886b88|Terraform|High|Encryption|AWS Kinesis Streams and metadata should be protected with KMS|Documentation
| |DNSSEC Using RSASHA1
ccc3100c-0fdd-4a5e-9908-c10107291860|Terraform|High|Encryption|Checks if, within the 'dnssec_config' block, the 'default_key_specs' block exists with the 'algorithm' field is 'rsasha1' which is bad.|Documentation
| |SQL DB Instance With SSL Disabled
02474449-71aa-40a1-87ae-e14497747b00|Terraform|High|Encryption|Cloud SQL Database Instance with SSL disabled for incoming connections|Documentation
| |High KMS Rotation Period
352271ca-842f-408a-8b24-f6f2b76eb027|Terraform|High|Encryption|Check that keys aren't the same for a period greater than 365 days.|Documentation
| -|Authentication Without MFA
3ddfa124-6407-4845-a501-179f90c65097|Terraform|High|Insecure Configurations|Users should authenticate with MFA (Multi-factor Authentication)|Documentation
| -|Batch Job Definition With Privileged Container Properties
66cd88ac-9ddf-424a-b77e-e55e17630bee|Terraform|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties|Documentation
| +|SSL Enforce Disabled
0437633b-daa6-4bbc-8526-c0d2443b946e|Terraform|High|Encryption|Make sure that for PosgreSQL, the 'Enforce SSL connection' is set to 'ENABLED'|Documentation
| +|Storage Account Not Forcing HTTPS
12944ec4-1fa0-47be-8b17-42a034f937c2|Terraform|High|Encryption|See that Storage Accounts forces the use of HTTPS|Documentation
| +|MySQL SSL Connection Disabled
73e42469-3a86-4f39-ad78-098f325b4e9f|Terraform|High|Encryption|Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled|Documentation
| +|IAM User Policy Without MFA
b5681959-6c09-4f55-b42b-c40fa12d03ec|Terraform|High|Insecure Configurations|Check if the root user is authenticated with MFA|Documentation
| +|Redshift Publicly Accessible
af173fde-95ea-4584-b904-bb3923ac4bda|Terraform|High|Insecure Configurations|Check if 'publicly_accessible' field is true or undefined (default is true)|Documentation
| +|DB Security Group Has Public IP
f0d8781f-99bf-4958-9917-d39283b168a0|Terraform|High|Insecure Configurations|The CIDR IP must not be Public|Documentation
| +|ECS Task Definition Network Mode Not Recommended
9f4a9409-9c60-4671-be96-9716dbf63db1|Terraform|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_defenition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations|Documentation
| |S3 Static Website Host Enabled
42bb6b7f-6d54-4428-b707-666f669d94fb|Terraform|High|Insecure Configurations|Checks if any static websties are hosted on buckets|Documentation
| |CloudFront Without Minimum Protocol TLS 1.2
00e5e55e-c2ff-46b3-a757-a7a1cd802456|Terraform|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2|Documentation
| -|S3 Bucket Without Restriction Of Public Bucket
1ec253ab-c220-4d63-b2de-5b40e0af9293|Terraform|High|Insecure Configurations|S3 bucket without restriction of public bucket|Documentation
| |SQS With SSE Disabled
6e8849c1-3aa7-40e3-9063-b85ee300f29f|Terraform|High|Insecure Configurations|Amazon Simple Queue Service (SQS) queue is not protecting the contents of their messages using Server-Side Encryption (SSE)|Documentation
| -|Root Account Has Active Access Keys
970d224d-b42a-416b-81f9-8f4dfe70c4bc|Terraform|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive.|Documentation
| -|No Password Policy Enabled
b592ffd4-0577-44b6-bd35-8c5ee81b5918|Terraform|High|Insecure Configurations|IAM password policies should be set through the password minimum length and reset password attributes|Documentation
| -|ECS Task Definition Network Mode Not Recommended
9f4a9409-9c60-4671-be96-9716dbf63db1|Terraform|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_defenition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations|Documentation
| -|S3 Bucket Without Versioning
568a4d22-3517-44a6-a7ad-6a7eed88722c|Terraform|High|Insecure Configurations|S3 bucket without versioning|Documentation
| |S3 Bucket Without Enabled MFA Delete
c5b31ab9-0f26-4a49-b8aa-4cc064392f4d|Terraform|High|Insecure Configurations|S3 bucket without enabled MFA Delete|Documentation
| +|Batch Job Definition With Privileged Container Properties
66cd88ac-9ddf-424a-b77e-e55e17630bee|Terraform|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties|Documentation
| +|Authentication Without MFA
3ddfa124-6407-4845-a501-179f90c65097|Terraform|High|Insecure Configurations|Users should authenticate with MFA (Multi-factor Authentication)|Documentation
| +|No Password Policy Enabled
b592ffd4-0577-44b6-bd35-8c5ee81b5918|Terraform|High|Insecure Configurations|IAM password policies should be set through the password minimum length and reset password attributes|Documentation
| +|S3 Bucket Without Restriction Of Public Bucket
1ec253ab-c220-4d63-b2de-5b40e0af9293|Terraform|High|Insecure Configurations|S3 bucket without restriction of public bucket|Documentation
| |KMS Key With Vulnerable Policy
7ebc9038-0bde-479a-acc4-6ed7b6758899|Terraform|High|Insecure Configurations|Checks if the policy is vulnerable and needs updating.|Documentation
| -|Redshift Publicly Accessible
af173fde-95ea-4584-b904-bb3923ac4bda|Terraform|High|Insecure Configurations|Check if 'publicly_accessible' field is true or undefined (default is true)|Documentation
| |DB Instance Publicly Accessible
35113e6f-2c6b-414d-beec-7a9482d3b2d1|Terraform|High|Insecure Configurations|The field 'publicly_accessible' should not be set to 'true' (default is 'false').|Documentation
| -|IAM User Policy Without MFA
b5681959-6c09-4f55-b42b-c40fa12d03ec|Terraform|High|Insecure Configurations|Check if the root user is authenticated with MFA|Documentation
| -|DB Security Group Has Public IP
f0d8781f-99bf-4958-9917-d39283b168a0|Terraform|High|Insecure Configurations|The CIDR IP must not be Public|Documentation
| -|Web App Accepting Traffic Other Than HTTPS
11e9a948-c6c3-4a0f-8dcf-b5cf1763cdbe|Terraform|High|Insecure Configurations|Web app should only accept HTTPS traffic in Azure Web App Service.|Documentation
| -|CosmosDB Account IP Range Filter Not Set
c2a3efb6-8a58-481c-82f2-bfddf34bb4b7|Terraform|High|Insecure Configurations|The Ip Range Must Contain Ips|Documentation
| -|Network Watcher Flow Disabled
b90842e5-6779-44d4-9760-972f4c03ba1c|Terraform|High|Insecure Configurations|Check if enable field in the resource azurerm_network_watcher_flow_log is false.|Documentation
| -|VM Not Attached To Network
bbf6b3df-4b65-4f87-82cc-da9f30f8c033|Terraform|High|Insecure Configurations|No Network Security Group is attached to the Virtual Machine|Documentation
| -|Azure Container Registry With No Locks
a187ac47-8163-42ce-8a63-c115236be6fb|Terraform|High|Insecure Configurations|Azurerm Container Registry Must Contain Associated Locks |Documentation
| -|MySQL SSL Connection Disabled
73e42469-3a86-4f39-ad78-098f325b4e9f|Terraform|High|Insecure Configurations|Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled|Documentation
| -|Trusted Microsoft Services Not Enabled
5400f379-a347-4bdd-a032-446465fdcc6f|Terraform|High|Insecure Configurations|Trusted MIcrosoft Services are not enabled for Storage Account access|Documentation
| -|AD Admin Not Configured For SQL Server
a3a055d2-9a2e-4cc9-b9fb-12850a1a3a4b|Terraform|High|Insecure Configurations|The Active Directory Administrator is not configured for a SQL server|Documentation
| -|Redis Not Updated Regularly
b947809d-dd2f-4de9-b724-04d101c515aa|Terraform|High|Insecure Configurations|Redis Cache is not configured to be updated regularly with security and operational updates|Documentation
| -|Host Aliases Undefined Or Empty
5d05ea11-ae3e-470e-9864-97e55fb2b2e0|Terraform|High|Insecure Configurations|A Kubernetes Pod should have Host Aliases defined as to prevent the container from modifying the file after a pod's containers have already been started. This means the attribute 'spec.host_aliases' must be defined and not empty or null.|Documentation
| +|Root Account Has Active Access Keys
970d224d-b42a-416b-81f9-8f4dfe70c4bc|Terraform|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive.|Documentation
| +|Pod Security Policy Disabled
9192e0f9-eca5-4056-9282-ae2a736a4088|Terraform|High|Insecure Configurations|Kubernetes Clusters must have Pod Security Policy controller enabled, which means there must be a 'pod_security_policy_config' with the 'enabled' attribute equal to true|Documentation
| |Cluster Master Authentication Disabled
1baba08e-3c8a-4be7-95eb-dced5833de21|Terraform|High|Insecure Configurations|Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'master_auth' must have the subattributes 'username' and 'password' defined and not empty|Documentation
| |Network Policy Disabled
11e7550e-c4b6-472e-adff-c698f157cdd7|Terraform|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false |Documentation
| |Not Proper Email Account In Use
9356962e-4a4f-4d06-ac59-dc8008775eaa|Terraform|High|Insecure Configurations|Gmail accounts are being used instead of corporate credentials|Documentation
| -|IP Aliasing Disabled
c606ba1d-d736-43eb-ac24-e16108f3a9e0|Terraform|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribut 'ip_allocation_policy' must be defined and, if defined, the attribute 'networking_mode' must be VPC_NATIVE |Documentation
| -|Client Certificate Disabled
73fb21a1-b19a-45b1-b648-b47b1678681e|Terraform|High|Insecure Configurations|Kubernetes Clusters must be created with Client Certificate enabled, which means 'master_auth' must have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to true|Documentation
| -|Cluster Labels Disabled
65c1bc7a-4835-4ac4-a2b6-13d310b0648d|Terraform|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined|Documentation
| |GKE Legacy Authorization Enabled
5baa92d2-d8ee-4c75-88a4-52d9d8bb8067|Terraform|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'enable_legacy_abac' must not be true|Documentation
| +|Private Cluster Disabled
6ccb85d7-0420-4907-9380-50313f80946b|Terraform|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_nodes' and 'enable_private_endpoint' must be true|Documentation
| |COS Node Image Not Used
8a893e46-e267-485a-8690-51f39951de58|Terraform|High|Insecure Configurations|A node image, that is not Container-Optimized OS (COS), is used for Kubernetes Engine Clusters Node image|Documentation
| +|Client Certificate Disabled
73fb21a1-b19a-45b1-b648-b47b1678681e|Terraform|High|Insecure Configurations|Kubernetes Clusters must be created with Client Certificate enabled, which means 'master_auth' must have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to true|Documentation
| +|Cluster Labels Disabled
65c1bc7a-4835-4ac4-a2b6-13d310b0648d|Terraform|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined|Documentation
| +|IP Aliasing Disabled
c606ba1d-d736-43eb-ac24-e16108f3a9e0|Terraform|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribut 'ip_allocation_policy' must be defined and, if defined, the attribute 'networking_mode' must be VPC_NATIVE |Documentation
| |GKE Basic Authentication Enabled
70cdf849-b7d9-4569-b87d-5d82ffd44719|Terraform|High|Insecure Configurations|GCP - Google Kubernetes Engine (GKE) Basic Authentication must be disabled, which means the username and password provided in the master_auth block must be empty|Documentation
| -|Pod Security Policy Disabled
9192e0f9-eca5-4056-9282-ae2a736a4088|Terraform|High|Insecure Configurations|Kubernetes Clusters must have Pod Security Policy controller enabled, which means there must be a 'pod_security_policy_config' with the 'enabled' attribute equal to true|Documentation
| -|Private Cluster Disabled
6ccb85d7-0420-4907-9380-50313f80946b|Terraform|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_nodes' and 'enable_private_endpoint' must be true|Documentation
| -|Shared Host IPC Namespace
e94d3121-c2d1-4e34-a295-139bfeb73ea3|Terraform|High|Insecure Configurations|Container should not share the host IPC namespace|Documentation
| -|PSP Allows Containers To Share The Host Network Namespace
4950837c-0ce5-4e42-9bee-a25eae73740b|Terraform|High|Insecure Configurations|Check if Pod Security Policies allow containers to share the host network namespace.|Documentation
| -|Tiller (Helm v2) Is Deployed
ca2fba76-c1a7-4afd-be67-5249f861cb0e|Terraform|High|Insecure Configurations|Check if Tiller is deployed.|Documentation
| -|Not Limited Capabilities For Pod Security Policy
2acb555f-f4ad-4b1b-b984-84e6588f4b05|Terraform|High|Insecure Configurations|Limit capabilities for a Pod Security Policy|Documentation
| +|Host Aliases Undefined Or Empty
5d05ea11-ae3e-470e-9864-97e55fb2b2e0|Terraform|High|Insecure Configurations|A Kubernetes Pod should have Host Aliases defined as to prevent the container from modifying the file after a pod's containers have already been started. This means the attribute 'spec.host_aliases' must be defined and not empty or null.|Documentation
| |Privilege Escalation Allowed
c878abb4-cca5-4724-92b9-289be68bd47c|Terraform|High|Insecure Configurations|Admission of privileged containers should be minimized|Documentation
| -|Shared Host Network Namespace
ac1564a3-c324-4747-9fa1-9dfc234dace0|Terraform|High|Insecure Configurations|Container should not share the host network namespace|Documentation
| +|Tiller (Helm v2) Is Deployed
ca2fba76-c1a7-4afd-be67-5249f861cb0e|Terraform|High|Insecure Configurations|Check if Tiller is deployed.|Documentation
| |Container Is Privileged
87065ef8-de9b-40d8-9753-f4a4303e27a4|Terraform|High|Insecure Configurations|Do not allow container to be privileged.|Documentation
| |NET_RAW Capabilities Not Being Dropped
e5587d53-a673-4a6b-b3f2-ba07ec274def|Terraform|High|Insecure Configurations|Containers should drop 'NET_RAW' or 'ALL' capabilities|Documentation
| +|PSP Allows Containers To Share The Host Network Namespace
4950837c-0ce5-4e42-9bee-a25eae73740b|Terraform|High|Insecure Configurations|Check if Pod Security Policies allow containers to share the host network namespace.|Documentation
| +|Not Limited Capabilities For Pod Security Policy
2acb555f-f4ad-4b1b-b984-84e6588f4b05|Terraform|High|Insecure Configurations|Limit capabilities for a Pod Security Policy|Documentation
| +|Shared Host IPC Namespace
e94d3121-c2d1-4e34-a295-139bfeb73ea3|Terraform|High|Insecure Configurations|Container should not share the host IPC namespace|Documentation
| +|Shared Host Network Namespace
ac1564a3-c324-4747-9fa1-9dfc234dace0|Terraform|High|Insecure Configurations|Container should not share the host network namespace|Documentation
| +|Azure Container Registry With No Locks
a187ac47-8163-42ce-8a63-c115236be6fb|Terraform|High|Insecure Configurations|Azurerm Container Registry Must Contain Associated Locks |Documentation
| +|Redis Not Updated Regularly
b947809d-dd2f-4de9-b724-04d101c515aa|Terraform|High|Insecure Configurations|Redis Cache is not configured to be updated regularly with security and operational updates|Documentation
| +|Web App Accepting Traffic Other Than HTTPS
11e9a948-c6c3-4a0f-8dcf-b5cf1763cdbe|Terraform|High|Insecure Configurations|Web app should only accept HTTPS traffic in Azure Web App Service.|Documentation
| +|VM Not Attached To Network
bbf6b3df-4b65-4f87-82cc-da9f30f8c033|Terraform|High|Insecure Configurations|No Network Security Group is attached to the Virtual Machine|Documentation
| +|Trusted Microsoft Services Not Enabled
5400f379-a347-4bdd-a032-446465fdcc6f|Terraform|High|Insecure Configurations|Trusted MIcrosoft Services are not enabled for Storage Account access|Documentation
| +|Network Watcher Flow Disabled
b90842e5-6779-44d4-9760-972f4c03ba1c|Terraform|High|Insecure Configurations|Check if enable field in the resource azurerm_network_watcher_flow_log is false.|Documentation
| +|AD Admin Not Configured For SQL Server
a3a055d2-9a2e-4cc9-b9fb-12850a1a3a4b|Terraform|High|Insecure Configurations|The Active Directory Administrator is not configured for a SQL server|Documentation
| |Vulnerable Default SSL Certificate
3a1e94df-6847-4c0e-a3b6-6c6af4e128ef|Terraform|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one.|Documentation
| |Role Binding To Default Service Account
3360c01e-c8c0-4812-96a2-a6329b9b7f9f|Terraform|High|Insecure Defaults|No role nor cluster role should bind to a default service account|Documentation
| -|Security Group With Unrestricted Access To SSH
65905cec-d691-4320-b320-2000436cb696|Terraform|High|Networking and Firewall|SSH' (TCP:22) should not be public in AWS Security Group|Documentation
| +|DB Security Group With Public Scope
1e0ef61b-ad85-4518-a3d3-85eaad164885|Terraform|High|Networking and Firewall|The IP address in a DB Security Group must not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6).|Documentation
| +|Sensitive Port Is Exposed To Entire Network
381c3f2a-ef6f-4eff-99f7-b169cda3422c|Terraform|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol|Documentation
| +|EC2 Instance Has Public IP
5a2486aa-facf-477d-a5c1-b010789459ce|Terraform|High|Networking and Firewall|EC2 Instance should not have a public IP address.|Documentation
| |HTTP Port Open
ffac8a12-322e-42c1-b9b9-81ff85c39ef7|Terraform|High|Networking and Firewall|The HTTP port is open in a Security Group|Documentation
| |DB Security Group Open To Large Scope
4f615f3e-fb9c-4fad-8b70-2e9f781806ce|Terraform|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts.|Documentation
| -|EC2 Instance Has Public IP
5a2486aa-facf-477d-a5c1-b010789459ce|Terraform|High|Networking and Firewall|EC2 Instance should not have a public IP address.|Documentation
| -|Route53 Record Undefined
25db74bf-fa3b-44da-934e-8c3e005c0453|Terraform|High|Networking and Firewall|Check if Record is set|Documentation
| |EKS Cluster Has Public Access CIDRs
61cf9883-1752-4768-b18c-0d57f2737709|Terraform|High|Networking and Firewall|Amazon EKS public endpoint is enables and accessible to all: 0.0.0.0/0"|Documentation
| -|Sensitive Port Is Exposed To Entire Network
381c3f2a-ef6f-4eff-99f7-b169cda3422c|Terraform|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol|Documentation
| -|Default Security Groups With Unrestricted Traffic
46883ce1-dc3e-4b17-9195-c6a601624c73|Terraform|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic.|Documentation
| |Unknown Port Exposed To Internet
590d878b-abdc-428f-895a-e2b68a0e1998|Terraform|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet|Documentation
| +|Default Security Groups With Unrestricted Traffic
46883ce1-dc3e-4b17-9195-c6a601624c73|Terraform|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic.|Documentation
| +|Security Group With Unrestricted Access To SSH
65905cec-d691-4320-b320-2000436cb696|Terraform|High|Networking and Firewall|SSH' (TCP:22) should not be public in AWS Security Group|Documentation
| |Unrestricted Security Group Ingress
4728cd65-a20c-49da-8b31-9c08b423e4db|Terraform|High|Networking and Firewall|Security groups allow ingress from 0.0.0.0:0|Documentation
| |Remote Desktop Port Open
151187cb-0efc-481c-babd-ad24e3c9bc22|Terraform|High|Networking and Firewall|The Remote Desktop port is open in a Security Group|Documentation
| |ALB Listening on HTTP
de7f5e83-da88-4046-871f-ea18504b1d43|Terraform|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP|Documentation
| -|DB Security Group With Public Scope
1e0ef61b-ad85-4518-a3d3-85eaad164885|Terraform|High|Networking and Firewall|The IP address in a DB Security Group must not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6).|Documentation
| -|SSH Is Exposed To The Internet
3e3c175e-aadf-4e2b-a464-3fdac5748d24|Terraform|High|Networking and Firewall|Port 22 (SSH) is exposed to the internet|Documentation
| -|Redis Publicly Accessible
5089d055-53ff-421b-9482-a5267bdce629|Terraform|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from other Azure sources|Documentation
| -|SQLServer Ingress From Any IP
25c0ea09-f1c5-4380-b055-3b83863f2bb8|Terraform|High|Networking and Firewall|Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255.|Documentation
| -|Public Storage Account
17f75827-0684-48f4-8747-61129c7e4198|Terraform|High|Networking and Firewall|Check if 'network_rules' is open to public.|Documentation
| +|Route53 Record Undefined
25db74bf-fa3b-44da-934e-8c3e005c0453|Terraform|High|Networking and Firewall|Check if Record is set|Documentation
| |Sensitive Port Is Exposed To Entire Network
594c198b-4d79-41b8-9b36-fde13348b619|Terraform|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol|Documentation
| -|Redis Entirely Accessible
fd8da341-6760-4450-b26c-9f6d8850575e|Terraform|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from the Internet|Documentation
| +|CosmosDB Account IP Range Filter Not Set
c2a3efb6-8a58-481c-82f2-bfddf34bb4b7|Terraform|High|Networking and Firewall|The Ip Range Must Contain Ips|Documentation
| |RDP Is Exposed To The Internet
efbf6449-5ec5-4cfe-8f15-acc51e0d787c|Terraform|High|Networking and Firewall|Port 3389 (Remote Desktop) is exposed to the internet|Documentation
| +|Redis Entirely Accessible
fd8da341-6760-4450-b26c-9f6d8850575e|Terraform|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from the Internet|Documentation
| +|SSH Is Exposed To The Internet
3e3c175e-aadf-4e2b-a464-3fdac5748d24|Terraform|High|Networking and Firewall|Port 22 (SSH) is exposed to the internet|Documentation
| +|SQLServer Ingress From Any IP
25c0ea09-f1c5-4380-b055-3b83863f2bb8|Terraform|High|Networking and Firewall|Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255.|Documentation
| +|Redis Publicly Accessible
5089d055-53ff-421b-9482-a5267bdce629|Terraform|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from other Azure sources|Documentation
| +|KMS Key With No Deletion Window
0b530315-0ea4-497f-b34c-4ff86268f59d|Terraform|High|Observability|AWS KMS Key should have a valid deletion window|Documentation
| |CloudTrail Log Files Not Encrypted
5d9e3164-9265-470c-9a10-57ae454ac0c7|Terraform|High|Observability|Logs delivered by CloudTrail should be encrypted using KMS|Documentation
| -|Configuration Aggregator to All Regions Disabled
ac5a0bc0-a54c-45aa-90c3-15f7703b9132|Terraform|High|Observability|AWS Config Configuration Aggregator All Regions must be set to True|Documentation
| |CloudTrail Logging Disabled
4bb76f17-3d63-4529-bdca-2b454529d774|Terraform|High|Observability|Checks if logging is enabled for CloudTrail.|Documentation
| -|KMS Key With No Deletion Window
0b530315-0ea4-497f-b34c-4ff86268f59d|Terraform|High|Observability|AWS KMS Key should have a valid deletion window|Documentation
| -|Vault Auditing Disabled
38c71c00-c177-4cd7-8d36-cd1007cdb190|Terraform|High|Observability|Ensure that logging for Azure KeyVault is 'Enabled'|Documentation
| -|Stackdriver Logging Disabled
4c7ebcb2-eae2-461e-bc83-456ee2d4f694|Terraform|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must be defined and different from 'none'|Documentation
| -|Object Versioning Not Enabled
e7e961ac-d17e-4413-84bc-8a1fbe242944|Terraform|High|Observability|Object Versioning Not Enabled on Cloud Storage Bucket|Documentation
| +|Configuration Aggregator to All Regions Disabled
ac5a0bc0-a54c-45aa-90c3-15f7703b9132|Terraform|High|Observability|AWS Config Configuration Aggregator All Regions must be set to True|Documentation
| |Cloud Storage Bucket Logging Not Enabled
d6cabc3a-d57e-48c2-b341-bf3dd4f4a120|Terraform|High|Observability|Cloud storage bucket with logging not enabled|Documentation
| |Stackdriver Monitoring Disabled
30e8dfd2-3591-4d19-8d11-79e93106c93d|Terraform|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must be defined and different than 'none'|Documentation
| |IAM Audit Not Properly Configured
89fe890f-b480-460c-8b6b-7d8b1468adb4|Terraform|High|Observability|Audit Logging Configuration is defective|Documentation
| -|SQL Database Audit Disabled
83a229ba-483e-47c6-8db7-dc96969bce5a|Terraform|High|Resource Management|Ensure that 'Threat Detection' is enabled for Azure SQL Database|Documentation
| +|Stackdriver Logging Disabled
4c7ebcb2-eae2-461e-bc83-456ee2d4f694|Terraform|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must be defined and different from 'none'|Documentation
| +|Object Versioning Not Enabled
e7e961ac-d17e-4413-84bc-8a1fbe242944|Terraform|High|Observability|Object Versioning Not Enabled on Cloud Storage Bucket|Documentation
| +|Vault Auditing Disabled
38c71c00-c177-4cd7-8d36-cd1007cdb190|Terraform|High|Observability|Ensure that logging for Azure KeyVault is 'Enabled'|Documentation
| |Node Auto Upgrade Disabled
b139213e-7d24-49c2-8025-c18faa21ecaa|Terraform|High|Resource Management|Node 'auto_upgrade' should be enabled for Kubernetes Clusters|Documentation
| -|S3 Bucket SSE Disabled
ad03cb46-f174-4674-bf8e-2880a7000edd|Terraform|High|Secret Management|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required|Documentation
| -|EFS Without KMS
25d251f3-f348-4f95-845c-1090e41a615c|Terraform|High|Secret Management|Elastic File System (EFS) must have KMS Key ID|Documentation
| +|SQL Database Audit Disabled
83a229ba-483e-47c6-8db7-dc96969bce5a|Terraform|High|Resource Management|Ensure that 'Threat Detection' is enabled for Azure SQL Database|Documentation
| |Key Expiration Not Set
4d080822-5ee2-49a4-8984-68f3d4c890fc|Terraform|High|Secret Management|Make sure that for all keys the expiration date is set|Documentation
| |Key Vault Logging Disabled
bb2d6cbc-b3af-4da7-9b1c-d91652dd9ead|Terraform|High|Secret Management|Logging for Azure Key Vault is disabled|Documentation
| |Secret Expiration Not Set
dfa20ffa-f476-428f-a490-424b41e91c7f|Terraform|High|Secret Management|Make sure that for all secrets the expiration date is set|Documentation
| |S3 Bucket Allows Public ACL
d0cc8694-fcad-43ff-ac86-32331d7e867f|Terraform|Medium|Access Control|S3 bucket allows public ACL|Documentation
| -|API Gateway Method Does Not Contains An API Key
671211c5-5d2a-4e97-8867-30fc28b02216|Terraform|Medium|Access Control|An API Key should be required on a method request.|Documentation
| -|SNS Topic Publicity Has Allow and NotAction Simultaneously
5ea624e4-c8b1-4bb3-87a4-4235a776adcc|Terraform|Medium|Access Control|SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'.|Documentation
| -|IAM Access Key Is Exposed
7081f85c-b94d-40fd-8b45-a4f1cac75e46|Terraform|Medium|Access Control|Check if IAM Access Key is active for some user besides 'root'|Documentation
| +|AMI Shared With Multiple Accounts
ba4e0031-3e9d-4d7d-b0d6-bd8f003f8698|Terraform|Medium|Access Control|Limits access to AWS AMIs by checking if more than one account is using the same image|Documentation
| +|SNS Topic is Publicly Accessible For Subscription
b26d2b7e-60f6-413d-a3a1-a57db24aa2b3|Terraform|Medium|Access Control|This query checks if SNS Topic is Accessible For Subscription|Documentation
| |ECR Repository Is Publicly Accessible
e86e26fc-489e-44f0-9bcd-97305e4ba69a|Terraform|Medium|Access Control|Amazon ECR image repositories shouldn't have public access|Documentation
| +|API Gateway Method Does Not Contains An API Key
671211c5-5d2a-4e97-8867-30fc28b02216|Terraform|Medium|Access Control|An API Key should be required on a method request.|Documentation
| |SQS Policy With Public Access
730675f9-52ed-49b6-8ead-0acb5dd7df7f|Terraform|Medium|Access Control|SQS policy with public access|Documentation
| +|IAM Access Key Is Exposed
7081f85c-b94d-40fd-8b45-a4f1cac75e46|Terraform|Medium|Access Control|Check if IAM Access Key is active for some user besides 'root'|Documentation
| +|SNS Topic Publicity Has Allow and NotAction Simultaneously
5ea624e4-c8b1-4bb3-87a4-4235a776adcc|Terraform|Medium|Access Control|SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'.|Documentation
| |Lambda Permission Principal Is Wildcard
e08ed7eb-f3ef-494d-9d22-2e3db756a347|Terraform|Medium|Access Control|Lambda Permission Principal should not contain a wildcard.|Documentation
| -|AMI Shared With Multiple Accounts
ba4e0031-3e9d-4d7d-b0d6-bd8f003f8698|Terraform|Medium|Access Control|Limits access to AWS AMIs by checking if more than one account is using the same image|Documentation
| -|IAM Policies With Full Privileges
2f37c4a3-58b9-4afe-8a87-d7f1d2286f84|Terraform|Medium|Access Control|IAM policies that allow full administrative privileges (for all resources)|Documentation
| -|SQS Policy Allows All Actions
816ea8cf-d589-442d-a917-2dd0ce0e45e3|Terraform|Medium|Access Control|SQS policy allows ALL (*) actions|Documentation
| |IAM Policy Grants Full Permissions
575a2155-6af1-4026-b1af-d5bc8fe2a904|Terraform|Medium|Access Control|IAM policies allow all ('*') in a statement action|Documentation
| -|SNS Topic is Publicly Accessible For Subscription
b26d2b7e-60f6-413d-a3a1-a57db24aa2b3|Terraform|Medium|Access Control|This query checks if SNS Topic is Accessible For Subscription|Documentation
| -|Default Network Access is Allowed
9be09caf-2ba4-4fa9-9787-a670dc32c639|Terraform|Medium|Access Control|Default Network Access rule for Storage Accounts must be set to deny, which means the attribute 'default_action' must be 'Deny'|Documentation
| -|AKS RBAC Disabled
86f92117-eed8-4614-9c6c-b26da20ff37f|Terraform|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled|Documentation
| -|RBAC Roles with Read Secrets Permissions
826abb30-3cd5-4e0b-a93b-67729b4f7e63|Terraform|Medium|Access Control|Minimize access to secrets (RBAC)|Documentation
| +|SQS Policy Allows All Actions
816ea8cf-d589-442d-a917-2dd0ce0e45e3|Terraform|Medium|Access Control|SQS policy allows ALL (*) actions|Documentation
| +|Google Project IAM Member Service Account has Token Creator or Account User Role
c68b4e6d-4e01-4ca1-b256-1e18e875785c|Terraform|Medium|Access Control|Verifies if Google Poject IAM Member Service Account doesn't have a Account User or Token Creator associated|Documentation
| |Google Project IAM Member Service Account Has Admin Role
84d36481-fd63-48cb-838e-635c44806ec2|Terraform|Medium|Access Control|Verifies that Google Project IAM Member Service Account doesn't have an Admin Role associated|Documentation
| |Google Project IAM Binding Service Account has Token Creator or Account User Role
617ef6ff-711e-4bd7-94ae-e965911b1b40|Terraform|Medium|Access Control|Verifies if Google Project IAM Binding Service Account doesn't have an Account User or Token Creator Role associated|Documentation
| -|Google Project IAM Member Service Account has Token Creator or Account User Role
c68b4e6d-4e01-4ca1-b256-1e18e875785c|Terraform|Medium|Access Control|Verifies if Google Poject IAM Member Service Account doesn't have a Account User or Token Creator associated|Documentation
| |Cloud Storage Anonymous or Publicly Accessible
a6cd52a1-3056-4910-96a5-894de9f3f3b3|Terraform|Medium|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'members' must not possess 'allUsers' or 'allAuthenticatedUsers'|Documentation
| +|RBAC Roles with Read Secrets Permissions
826abb30-3cd5-4e0b-a93b-67729b4f7e63|Terraform|Medium|Access Control|Minimize access to secrets (RBAC)|Documentation
| +|AKS RBAC Disabled
86f92117-eed8-4614-9c6c-b26da20ff37f|Terraform|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled|Documentation
| |ElastiCache Nodes Not Created Across Multi AZ
6db03a91-f933-4f13-ab38-a8b87a7de54d|Terraform|Medium|Availability|Check if ElastiCache nodes are not being created across multi AZ|Documentation
| |ECS Service Without Running Tasks
91f16d09-689e-4926-aca7-155157f634ed|Terraform|Medium|Availability|ECS Service should have at least 1 task running|Documentation
| |Liveness Probe Is Not Defined
5b6d53dd-3ba3-4269-b4d7-f82e880e43c3|Terraform|Medium|Availability|Liveness Probe must be defined|Documentation
| |RDS With Backup Disabled
1dc73fb4-5b51-430c-8c5f-25dcf9090b02|Terraform|Medium|Backup|RDS configured without backup|Documentation
| |Stack Retention Disabled
6e0e2f68-3fd9-4cd8-a5e4-e2213ef0df97|Terraform|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction|Documentation
| -|IAM Password Without Minimum Length
1bc1c685-e593-450e-88fb-19db4c82aa1d|Terraform|Medium|Best Practices|Check if IAM account password has the required minimum length|Documentation
| |Password Without Reuse Prevention
89806cdc-9c2e-4bd1-a0dc-53f339bcfb2a|Terraform|Medium|Best Practices|Check if IAM account password has the reuse password configured with 24|Documentation
| +|Misconfigured Password Policy Expiration
ce60d060-efb8-4bfd-9cf7-ff8945d00d90|Terraform|Medium|Best Practices|No password expiration policy|Documentation
| |IAM Password Without Symbol
7a70eed6-de3a-4da2-94da-a2bbc8fe2a48|Terraform|Medium|Best Practices|Check if IAM account password has the required symbols|Documentation
| |Cognito UserPool Without MFA
ec28bf61-a474-4dbe-b414-6dd3a067d6f0|Terraform|Medium|Best Practices|AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users|Documentation
| -|Misconfigured Password Policy Expiration
ce60d060-efb8-4bfd-9cf7-ff8945d00d90|Terraform|Medium|Best Practices|No password expiration policy|Documentation
| +|IAM Password Without Minimum Length
1bc1c685-e593-450e-88fb-19db4c82aa1d|Terraform|Medium|Best Practices|Check if IAM account password has the required minimum length|Documentation
| +|SQL Server Predictable Active Directory Account Name
bcd3fc01-5902-4f2a-b05a-227f9bbf5450|Terraform|Medium|Best Practices|Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'login' must be set to a name that is not easy to predict|Documentation
| +|SQL Server Predictable Admin Account Name
2ab6de9a-0136-415c-be92-79d2e4fd750f|Terraform|Medium|Best Practices|Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'administrator_login' must be set to a name that is not easy to predict|Documentation
| +|Unrestricted SQL Server Access
d7ba74da-2da0-4d4b-83c8-2fd72a3f6c28|Terraform|Medium|Best Practices|Azure SQL Server Accessibility must be set to a minimal address range, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' must be lesser than 256. Additionally, both ips must be different from '0.0.0.0'|Documentation
| |Stack Without Template
91bea7b8-0c31-4863-adc9-93f6177266c4|Terraform|Medium|Build Process|AWS CloudFormation should have a template defined through the attribute template_url or attribute template_body|Documentation
| |Incorrect Volume Claim Access Mode ReadWriteOnce
26b047a9-0329-48fd-8fb7-05bbe5ba80ee|Terraform|Medium|Build Process|Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce'|Documentation
| +|Cosmos DB Account Without Tags
56dad03e-e94f-4dd6-93a4-c253a03ff7a0|Terraform|Medium|Build Process|Cosmos DB Account must have a mapping of tags.|Documentation
| |Github Organization Webhook With SSL Disabled
ce7c874e-1b88-450b-a5e4-cb76ada3c8a9|Terraform|Medium|Encryption|Check if insecure SSL is being used in the GitHub organization webhooks|Documentation
| -|ElasticSearch Encryption With KMS Disabled
7af2f4a3-00d9-47f3-8d15-ca0888f4e5b2|Terraform|Medium|Encryption|Check if any ElasticSearch domain isn't encrypted with KMS|Documentation
| +|EBS Volume Encryption Disabled
cc997676-481b-4e93-aa81-d19f8c5e9b12|Terraform|Medium|Encryption|The value on AWS EBS Volume Cluster Encryption must be true|Documentation
| +|ElasticSearch Not Encrypted At Rest
24e16922-4330-4e9d-be8a-caa90299466a|Terraform|Medium|Encryption|Check if ElasticSearch encryption is disabled at Rest|Documentation
| +|AmazonMQ Broker Encryption Disabled
3db3f534-e3a3-487f-88c7-0a9fbf64b702|Terraform|Medium|Encryption|AmazonMQ Broker should have Encryption Options defined|Documentation
| |API Gateway Without Content Encoding
ed35928e-195c-4405-a252-98ccb664ab7b|Terraform|Medium|Encryption|Enable Content Encoding through the attribute 'minimum_compression_size'. This value should be greater than -1 and smaller than 10485760|Documentation
| |Config Rule For Encrypted Volumes Disabled
abdb29d4-5ca1-4e91-800b-b3569bbd788c|Terraform|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source.|Documentation
| -|AmazonMQ Broker Encryption Disabled
3db3f534-e3a3-487f-88c7-0a9fbf64b702|Terraform|Medium|Encryption|AmazonMQ Broker should have Encryption Options defined|Documentation
| -|Unscanned ECR Image
9630336b-3fed-4096-8173-b9afdfe346a7|Terraform|Medium|Encryption|Checks if the ECR Image has been scanned|Documentation
| -|ElasticSearch Not Encrypted At Rest
24e16922-4330-4e9d-be8a-caa90299466a|Terraform|Medium|Encryption|Check if ElasticSearch encryption is disabled at Rest|Documentation
| |Neptune Database Cluster Encryption Disabled
98d59056-f745-4ef5-8613-32bca8d40b7e|Terraform|Medium|Encryption|Check if Neptune Cluster Storage is securely encrypted|Documentation
| -|Redis Cache Allows Non SSL Connections
e29a75e6-aba3-4896-b42d-b87818c16b58|Terraform|Medium|Encryption|Check if any Redis Cache resource allows non-SSL connections.|Documentation
| -|Storage Account Not Using Latest TLS Encryption Version
8263f146-5e03-43e0-9cfe-db960d56d1e7|Terraform|Medium|Encryption|Ensure Storage Account is using the latest version of TLS encryption|Documentation
| -|Encryption On Managed Disk Disabled
a99130ab-4c0e-43aa-97f8-78d4fcb30024|Terraform|Medium|Encryption|Ensure that the encryption is active on the disk|Documentation
| -|High Google KMS Crypto Key Rotation Period
d8c57c4e-bf6f-4e32-a2bf-8643532de77b|Terraform|Medium|Encryption|Make sure Encryption keys change after 90 days|Documentation
| +|ElasticSearch Encryption With KMS Disabled
7af2f4a3-00d9-47f3-8d15-ca0888f4e5b2|Terraform|Medium|Encryption|Check if any ElasticSearch domain isn't encrypted with KMS|Documentation
| +|Unscanned ECR Image
9630336b-3fed-4096-8173-b9afdfe346a7|Terraform|Medium|Encryption|Checks if the ECR Image has been scanned|Documentation
| |VM CSEK Encryption Disabled
b1d51728-7270-4991-ac2f-fc26e2695b38|Terraform|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK), which means the attribute 'disk_encryption_key' must be defined and its sub attribute 'sha256' must also be defined and not empty|Documentation
| +|High Google KMS Crypto Key Rotation Period
d8c57c4e-bf6f-4e32-a2bf-8643532de77b|Terraform|Medium|Encryption|Make sure Encryption keys change after 90 days|Documentation
| |Google Compute SSL Policy Weak Cipher In Use
14a457f0-473d-4d1d-9e37-6d99b355b336|Terraform|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers|Documentation
| +|Encryption On Managed Disk Disabled
a99130ab-4c0e-43aa-97f8-78d4fcb30024|Terraform|Medium|Encryption|Ensure that the encryption is active on the disk|Documentation
| +|Storage Account Not Using Latest TLS Encryption Version
8263f146-5e03-43e0-9cfe-db960d56d1e7|Terraform|Medium|Encryption|Ensure Storage Account is using the latest version of TLS encryption|Documentation
| +|Redis Cache Allows Non SSL Connections
e29a75e6-aba3-4896-b42d-b87818c16b58|Terraform|Medium|Encryption|Check if any Redis Cache resource allows non-SSL connections.|Documentation
| |GitHub Repository Set To Public
15d8a7fd-465a-4d15-a868-add86552f17b|Terraform|Medium|Insecure Configurations|Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private')|Documentation
| -|Public Lambda via API Gateway
3ef8696c-e4ae-4872-92c7-520bb44dfe77|Terraform|Medium|Insecure Configurations|Allowing to run lambda function using public API Gateway|Documentation
| -|Instance With No VPC
a31a5a29-718a-4ff4-8001-a69e5e4d029e|Terraform|Medium|Insecure Configurations|Instance should be configured in VPC (Virtual Private Cloud)|Documentation
| -|IAM Password Without Lowercase Letter
bbc7c137-6c7b-4fc4-984a-0c88e91fcaf9|Terraform|Medium|Insecure Configurations|Check if IAM account password has at least one lowercase letter|Documentation
| +|AWS Password Policy With Unchangeable Passwords
9ef7d25d-9764-4224-9968-fa321c56ef76|Terraform|Medium|Insecure Configurations|Unchangeable passwords in AWS password policy|Documentation
| |IAM Password Without Uppercase Letter
c5ff7bc9-d8ea-46dd-81cb-8286f3222249|Terraform|Medium|Insecure Configurations|Check if IAM account password has at least one uppercase letter|Documentation
| +|API Gateway With Open Access
15ccec05-5476-4890-ad19-53991eba1db8|Terraform|Medium|Insecure Configurations|API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method.|Documentation
| |API Gateway Without SSL Certificate
0b4869fc-a842-4597-aa00-1294df425440|Terraform|Medium|Insecure Configurations|SSL Client Certificate should be enabled in aws_api_gateway_stage resource|Documentation
| -|Lambda Function Without Tags
875b86b1-7fd4-4728-9a18-de63d87ad82f|Terraform|Medium|Insecure Configurations|AWS Lambda Functions must have associated tags.|Documentation
| -|AWS Password Policy With Unchangeable Passwords
9ef7d25d-9764-4224-9968-fa321c56ef76|Terraform|Medium|Insecure Configurations|Unchangeable passwords in AWS password policy|Documentation
| |ECR Image Tag Not Immutable
d1846b12-20c5-4d45-8798-fc35b79268eb|Terraform|Medium|Insecure Configurations|ECR should have an image tag be immutable|Documentation
| -|EKS Cluster Has Public Access
42f4b905-3736-4213-bfe9-c0660518cda8|Terraform|Medium|Insecure Configurations|Amazon EKS public endpoint shoud be set to false|Documentation
| |Service Control Policies Disabled
5ba6229c-8057-433e-91d0-21cf13569ca9|Terraform|Medium|Insecure Configurations|Check if the Amazon Organizations' policies ensure that all features are enabled to achieve full control over the use of AWS services and actions across multiple AWS accounts using Service Control Policies (SCPs).|Documentation
| +|EKS Cluster Has Public Access
42f4b905-3736-4213-bfe9-c0660518cda8|Terraform|Medium|Insecure Configurations|Amazon EKS public endpoint shoud be set to false|Documentation
| +|Lambda Function Without Tags
875b86b1-7fd4-4728-9a18-de63d87ad82f|Terraform|Medium|Insecure Configurations|AWS Lambda Functions must have associated tags.|Documentation
| +|Instance With No VPC
a31a5a29-718a-4ff4-8001-a69e5e4d029e|Terraform|Medium|Insecure Configurations|Instance should be configured in VPC (Virtual Private Cloud)|Documentation
| +|IAM Password Without Lowercase Letter
bbc7c137-6c7b-4fc4-984a-0c88e91fcaf9|Terraform|Medium|Insecure Configurations|Check if IAM account password has at least one lowercase letter|Documentation
| |MQ Broker Is Publicly Accessible
4eb5f791-c861-4afd-9f94-f2a6a3fe49cb|Terraform|Medium|Insecure Configurations|Check if any MQ Broker is not publicly accessible|Documentation
| -|API Gateway With Open Access
15ccec05-5476-4890-ad19-53991eba1db8|Terraform|Medium|Insecure Configurations|API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method.|Documentation
| -|Security Center Pricing Tier Is Not Standard
819d50fd-1cdf-45c3-9936-be408aaad93e|Terraform|Medium|Insecure Configurations|Make sure that the 'Standard' pricing tiers were selected.|Documentation
| -|Cosmos DB Account Without Tags
56dad03e-e94f-4dd6-93a4-c253a03ff7a0|Terraform|Medium|Insecure Configurations|Cosmos DB Account must have a mapping of tags.|Documentation
| -|Small Flow Logs Retention Period
7750fcca-dd03-4d38-b663-4b70289bcfd4|Terraform|Medium|Insecure Configurations|Flow logs enable capturing information about IP traffic flowing in and out of the network security groups. Network Security Group Flow Logs must be enabled with retention period greater than or equal to 90 days. This is important, because these logs are used to check for anomalies and give information of suspected breaches|Documentation
| -|Security Group is Not Configured
5c822443-e1ea-46b8-84eb-758ec602e844|Terraform|Medium|Insecure Configurations|Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty|Documentation
| -|AKS Network Policy Misconfigured
f5342045-b935-402d-adf1-8dbbd09c0eef|Terraform|Medium|Insecure Configurations|Check if the Azure Kubernetes Service doesn't have the proper network policy configuration.|Documentation
| -|SQL Server Predictable Admin Account Name
2ab6de9a-0136-415c-be92-79d2e4fd750f|Terraform|Medium|Insecure Configurations|Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'administrator_login' must be set to a name that is not easy to predict|Documentation
| -|SQL Server Predictable Active Directory Account Name
bcd3fc01-5902-4f2a-b05a-227f9bbf5450|Terraform|Medium|Insecure Configurations|Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'login' must be set to a name that is not easy to predict|Documentation
| -|NET_RAW Capabilities Disabled for PSP
9aa32890-ac1a-45ee-81ca-5164e2098556|Terraform|Medium|Insecure Configurations|Containers need to have NET_RAW or All as drop capabilities|Documentation
| -|Workload Mounting With Sensitive OS Directory
a737be28-37d8-4bff-aa6d-1be8aa0a0015|Terraform|Medium|Insecure Configurations|Workload is mounting a volume with sensitive OS Directory|Documentation
| -|Container Runs Unmasked
0ad60203-c050-4115-83b6-b94bde92541d|Terraform|Medium|Insecure Configurations|Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime.|Documentation
| -|Default Service Account In Use
737a0dd9-0aaa-4145-8118-f01778262b8a|Terraform|Medium|Insecure Configurations|Default service accounts should not be actively used|Documentation
| -|Using Default Namespace
abcb818b-5af7-4d72-aba9-6dd84956b451|Terraform|Medium|Insecure Configurations|The default namespace should not be used|Documentation
| -|Serial Ports Are Enabled For VM Instances
97fa667a-d05b-4f16-9071-58b939f34751|Terraform|Medium|Insecure Configurations|Check if VM instance enables serial ports|Documentation
| -|Google Storage Bucket Level Access Enabled
bb0db090-5509-4853-a827-75ced0b3caa0|Terraform|Medium|Insecure Configurations|Validates if the Google Storage Bucket Level Access is Enabled|Documentation
| -|Google Project Auto Create Network Disabled
59571246-3f62-4965-a96f-c7d97e269351|Terraform|Medium|Insecure Configurations|Verifies if the Google Project Auto Create Network is Disabled|Documentation
| -|OSLogin Is Disabled For VM Instance
d0b4d550-c001-46c3-bbdb-d5d75d33f05f|Terraform|Medium|Insecure Configurations|Check if any VM instance disables OSLogin|Documentation
| -|Project-wide SSH Keys Are Enabled In VM Instances
3e4d5ce6-3280-4027-8010-c26eeea1ec01|Terraform|Medium|Insecure Configurations|Check if SSH keys are enabled project-wide in VM instances|Documentation
| +|Public Lambda via API Gateway
3ef8696c-e4ae-4872-92c7-520bb44dfe77|Terraform|Medium|Insecure Configurations|Allowing to run lambda function using public API Gateway|Documentation
| |Using Default Service Account
3cb4af0b-056d-4fb1-8b95-fdc4593625ff|Terraform|Medium|Insecure Configurations|Instances must not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account' and its sub attribute 'email' must be defined. Additionally, 'email' must not be empty and must also not be a default Google Compute Engine service account.|Documentation
| -|Cloud DNS without DNSSEC
5ef61c88-bbb4-4725-b1df-55d23c9676bb|Terraform|Medium|Insecure Configurations|Cloud DNS without DNSSEC|Documentation
| +|Google Storage Bucket Level Access Enabled
bb0db090-5509-4853-a827-75ced0b3caa0|Terraform|Medium|Insecure Configurations|Validates if the Google Storage Bucket Level Access is Enabled|Documentation
| |Shielded VM Disabled
1b44e234-3d73-41a8-9954-0b154135280e|Terraform|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true|Documentation
| +|Project-wide SSH Keys Are Enabled In VM Instances
3e4d5ce6-3280-4027-8010-c26eeea1ec01|Terraform|Medium|Insecure Configurations|Check if SSH keys are enabled project-wide in VM instances|Documentation
| |Google Container Node Pool Auto Repair Disabled
acfdbec6-4a17-471f-b412-169d77553332|Terraform|Medium|Insecure Configurations|Verifies if Google Container Node Pool Auto Repair is Enabled|Documentation
| -|Container Host Pid Is True
587d5d82-70cf-449b-9817-f60f9bccb88c|Terraform|Medium|Insecure Configurations|Minimize the admission of containers wishing to share the host process ID namespace|Documentation
| -|PSP With Added Capabilities
48388bd2-7201-4dcc-b56d-e8a9efa58fad|Terraform|Medium|Insecure Configurations|PodSecurityPolicy should not have added capabilities|Documentation
| +|Google Project Auto Create Network Disabled
59571246-3f62-4965-a96f-c7d97e269351|Terraform|Medium|Insecure Configurations|Verifies if the Google Project Auto Create Network is Disabled|Documentation
| +|Serial Ports Are Enabled For VM Instances
97fa667a-d05b-4f16-9071-58b939f34751|Terraform|Medium|Insecure Configurations|Check if VM instance enables serial ports|Documentation
| +|Cloud DNS without DNSSEC
5ef61c88-bbb4-4725-b1df-55d23c9676bb|Terraform|Medium|Insecure Configurations|Cloud DNS without DNSSEC|Documentation
| +|OSLogin Is Disabled For VM Instance
d0b4d550-c001-46c3-bbdb-d5d75d33f05f|Terraform|Medium|Insecure Configurations|Check if any VM instance disables OSLogin|Documentation
| +|NET_RAW Capabilities Disabled for PSP
9aa32890-ac1a-45ee-81ca-5164e2098556|Terraform|Medium|Insecure Configurations|Containers need to have NET_RAW or All as drop capabilities|Documentation
| +|Using Default Namespace
abcb818b-5af7-4d72-aba9-6dd84956b451|Terraform|Medium|Insecure Configurations|The default namespace should not be used|Documentation
| +|Default Service Account In Use
737a0dd9-0aaa-4145-8118-f01778262b8a|Terraform|Medium|Insecure Configurations|Default service accounts should not be actively used|Documentation
| +|Container Runs Unmasked
0ad60203-c050-4115-83b6-b94bde92541d|Terraform|Medium|Insecure Configurations|Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime.|Documentation
| +|Workload Mounting With Sensitive OS Directory
a737be28-37d8-4bff-aa6d-1be8aa0a0015|Terraform|Medium|Insecure Configurations|Workload is mounting a volume with sensitive OS Directory|Documentation
| +|Container Resources Limits Undefined
60af03ff-a421-45c8-b214-6741035476fa|Terraform|Medium|Insecure Configurations|Kubernetes container should have resource limitations defined such as CPU and memory|Documentation
| +|Ingress Controller Exposes Workload
e2c83c1f-84d7-4467-966c-ed41fd015bb9|Terraform|Medium|Insecure Configurations|Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks|Documentation
| |Containers With Added Capabilities
fe771ff7-ba15-4f8f-ad7a-8aa232b49a28|Terraform|Medium|Insecure Configurations|Kubernetes Pod should not have extra capabilities allowed|Documentation
| +|PSP With Added Capabilities
48388bd2-7201-4dcc-b56d-e8a9efa58fad|Terraform|Medium|Insecure Configurations|PodSecurityPolicy should not have added capabilities|Documentation
| |PSP Set To Privileged
a6a4d4fc-4e8f-47d1-969f-e9d4a084f3b9|Terraform|Medium|Insecure Configurations|Do not allow pod to request execution as privileged|Documentation
| |PSP Allows Sharing Host IPC
51bed0ac-a8ae-407a-895e-90c6cb0610ce|Terraform|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host IPC namespace|Documentation
| -|Containers With Sys Admin Capabilities
3f55386d-75cd-4e9a-ac47-167b26c04724|Terraform|Medium|Insecure Configurations|Containers should not have CAP_SYS_ADMIN Linux capability|Documentation
| |Seccomp Profile Is Not Configured
455f2e0c-686d-4fcb-8b5f-3f953f12c43c|Terraform|Medium|Insecure Configurations|Check if any resource does not configure Seccomp default profile properly|Documentation
| -|Ingress Controller Exposes Workload
e2c83c1f-84d7-4467-966c-ed41fd015bb9|Terraform|Medium|Insecure Configurations|Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks|Documentation
| -|Container Resources Limits Undefined
60af03ff-a421-45c8-b214-6741035476fa|Terraform|Medium|Insecure Configurations|Kubernetes container should have resource limitations defined such as CPU and memory|Documentation
| +|Container Host Pid Is True
587d5d82-70cf-449b-9817-f60f9bccb88c|Terraform|Medium|Insecure Configurations|Minimize the admission of containers wishing to share the host process ID namespace|Documentation
| |PSP Allows Privilege Escalation
2bff9906-4e9b-4f71-9346-8ebedfdf43ef|Terraform|Medium|Insecure Configurations|PodSecurityPolicy should not allow privilege escalation|Documentation
| +|Containers With Sys Admin Capabilities
3f55386d-75cd-4e9a-ac47-167b26c04724|Terraform|Medium|Insecure Configurations|Containers should not have CAP_SYS_ADMIN Linux capability|Documentation
| +|AKS Network Policy Misconfigured
f5342045-b935-402d-adf1-8dbbd09c0eef|Terraform|Medium|Insecure Configurations|Check if the Azure Kubernetes Service doesn't have the proper network policy configuration.|Documentation
| +|Small Flow Logs Retention Period
7750fcca-dd03-4d38-b663-4b70289bcfd4|Terraform|Medium|Insecure Configurations|Flow logs enable capturing information about IP traffic flowing in and out of the network security groups. Network Security Group Flow Logs must be enabled with retention period greater than or equal to 90 days. This is important, because these logs are used to check for anomalies and give information of suspected breaches|Documentation
| +|Security Center Pricing Tier Is Not Standard
819d50fd-1cdf-45c3-9936-be408aaad93e|Terraform|Medium|Insecure Configurations|Make sure that the 'Standard' pricing tiers were selected.|Documentation
| +|Security Group is Not Configured
5c822443-e1ea-46b8-84eb-758ec602e844|Terraform|Medium|Insecure Configurations|Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty|Documentation
| |Service Account Name Undefined Or Empty
24b132df-5cc7-4823-8029-f898e1c50b72|Terraform|Medium|Insecure Defaults|A Kubernetes Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'service_account_name' should be defined and not empty.|Documentation
| +|Default Network Access is Allowed
9be09caf-2ba4-4fa9-9787-a670dc32c639|Terraform|Medium|Insecure Defaults|Default Network Access rule for Storage Accounts must be set to deny, which means the attribute 'default_action' must be 'Deny'|Documentation
| |API Gateway Endpoint Config is Not Private
6b2739db-9c49-4db7-b980-7816e0c248c1|Terraform|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet|Documentation
| -|SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
54c417bf-c762-48b9-9d31-b3d87047e3f0|Terraform|Medium|Networking and Firewall|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it.|Documentation
| -|Sensitive Port Is Exposed To Wide Private Network
92fe237e-074c-4262-81a4-2077acb928c1|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a wide private network in either TCP or UDP protocol|Documentation
| |Sensitive Port Is Exposed To Small Public Network
e35c16a2-d54e-419d-8546-a804d8e024d0|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a small public network in either TCP or UDP protocol|Documentation
| -|Sensitive Port Is Exposed To Wide Private Network
c6c7b33d-d7f6-4ab8-8c82-ca0431ecdb7e|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for wide private network in either TCP or UDP protocol|Documentation
| -|Firewall Rule Allows Too Many Hosts To Access Redis Cache
a829b715-cf75-4e92-b645-54c9b739edfb|Terraform|Medium|Networking and Firewall|Check if any firewall rule allows too many hosts to access Redis Cache|Documentation
| -|WAF Is Disabled For Azure Application Gateway
2e48d91c-50e4-45c8-9312-27b625868a72|Terraform|Medium|Networking and Firewall|Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway.|Documentation
| -|Sensitive Port Is Exposed To Small Public Network
e9dee01f-2505-4df2-b9bf-7804d1fd9082|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for small public network in either TCP or UDP protocol|Documentation
| -|Unrestricted SQL Server Access
d7ba74da-2da0-4d4b-83c8-2fd72a3f6c28|Terraform|Medium|Networking and Firewall|Azure SQL Server Accessibility must be set to a minimal address range, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' must be lesser than 256. Additionally, both ips must be different from '0.0.0.0'|Documentation
| -|Service With External Load Balance
2a52567c-abb8-4651-a038-52fa27c77aed|Terraform|Medium|Networking and Firewall|Service has an external load balancer, which may cause accessibility from other networks and the Internet|Documentation
| +|Sensitive Port Is Exposed To Wide Private Network
92fe237e-074c-4262-81a4-2077acb928c1|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a wide private network in either TCP or UDP protocol|Documentation
| +|SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
54c417bf-c762-48b9-9d31-b3d87047e3f0|Terraform|Medium|Networking and Firewall|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it.|Documentation
| +|IP Forwarding Enabled
f34c0c25-47b4-41eb-9c79-249b4dd47b89|Terraform|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true|Documentation
| |SSH Access Is Not Restricted
c4dcdcdf-10dd-4bf4-b4a0-8f6239e6aaa0|Terraform|Medium|Networking and Firewall|Check if Google Firewall allows SSH access (port 22) from the Internet (public CIDR block)|Documentation
| |RDP Access Is Not Restricted
678fd659-96f2-454a-a2a0-c2571f83a4a3|Terraform|Medium|Networking and Firewall|Check if Google Firewall ingress allows RDP access (port 3389)|Documentation
| -|IP Forwarding Enabled
f34c0c25-47b4-41eb-9c79-249b4dd47b89|Terraform|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true|Documentation
| +|Service With External Load Balance
2a52567c-abb8-4651-a038-52fa27c77aed|Terraform|Medium|Networking and Firewall|Service has an external load balancer, which may cause accessibility from other networks and the Internet|Documentation
| |Network Policy Is Not Targeting Any Pod
b80b14c6-aaa2-4876-b651-8a48b6c32fbf|Terraform|Medium|Networking and Firewall|Check if any network policy is not targeting any pod.|Documentation
| -|CloudTrail Not Integrated With CloudWatch
17b30f8f-8dfb-4597-adf6-57600b6cf25e|Terraform|Medium|Observability|CloudTrail should be integrated with CloudWatch|Documentation
| -|CloudTrail SNS Topic Name Undefined
482b7d26-0bdb-4b5f-bf6f-545826c0a3dd|Terraform|Medium|Observability|Check if SNS topic name is set for CloudTrail|Documentation
| -|MSK Cluster Logging Disabled
2f56b7ab-7fba-4e93-82f0-247e5ddeb239|Terraform|Medium|Observability|Ensure MSK Cluster Logging is enabled|Documentation
| +|Firewall Rule Allows Too Many Hosts To Access Redis Cache
a829b715-cf75-4e92-b645-54c9b739edfb|Terraform|Medium|Networking and Firewall|Check if any firewall rule allows too many hosts to access Redis Cache|Documentation
| +|Sensitive Port Is Exposed To Small Public Network
e9dee01f-2505-4df2-b9bf-7804d1fd9082|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for small public network in either TCP or UDP protocol|Documentation
| +|Sensitive Port Is Exposed To Wide Private Network
c6c7b33d-d7f6-4ab8-8c82-ca0431ecdb7e|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for wide private network in either TCP or UDP protocol|Documentation
| +|WAF Is Disabled For Azure Application Gateway
2e48d91c-50e4-45c8-9312-27b625868a72|Terraform|Medium|Networking and Firewall|Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway.|Documentation
| |Stack Notifications Disabled
b72d0026-f649-4c91-a9ea-15d8f681ac09|Terraform|Medium|Observability|Enable AWS CloudFormation Stack Notifications|Documentation
| -|API Gateway X-Ray Disabled
5813ef56-fa94-406a-b35d-977d4a56ff2b|Terraform|Medium|Observability|X-ray Tracing is not enabled|Documentation
| -|CloudWatch Logging Disabled
7dbba512-e244-42dc-98bb-422339827967|Terraform|Medium|Observability|Check if CloudWatch logging is disabled for Route53 hosted zones|Documentation
| -|CloudWatch Without Retention Period Specified
ef0b316a-211e-42f1-888e-64efe172b755|Terraform|Medium|Observability|AWS CloudWatch Log groups should have retention days specified|Documentation
| |API Gateway V2 Stage Access Logging Settings Not Defined
9111f9a5-6b80-40f9-bc82-c05f970779c3|Terraform|Medium|Observability|API Gateway V2 Stage should have Access Logging Settings defined.|Documentation
| -|API Gateway With CloudWatch Logging Disabled
982aa526-6970-4c59-8b9b-2ce7e019fe36|Terraform|Medium|Observability|AWS CloudWatch Logs for APIs is not enabled|Documentation
| -|CloudWatch Metrics Disabled
081069cb-588b-4ce1-884c-2a1ce3029fe5|Terraform|Medium|Observability|Checks if CloudWatch Metrics is Enabled|Documentation
| +|CloudTrail SNS Topic Name Undefined
482b7d26-0bdb-4b5f-bf6f-545826c0a3dd|Terraform|Medium|Observability|Check if SNS topic name is set for CloudTrail|Documentation
| +|GuardDuty Detector Disabled
704dadd3-54fc-48ac-b6a0-02f170011473|Terraform|Medium|Observability|Make sure that Amazon GuardDuty is Enabled|Documentation
| +|API Gateway X-Ray Disabled
5813ef56-fa94-406a-b35d-977d4a56ff2b|Terraform|Medium|Observability|X-ray Tracing is not enabled|Documentation
| +|Redshift Cluster Logging Disabled
15ffbacc-fa42-4f6f-a57d-2feac7365caa|Terraform|Medium|Observability|Make sure Logging is enabled for Redshift Cluster|Documentation
| |VPC FlowLogs Disabled
f83121ea-03da-434f-9277-9cd247ab3047|Terraform|Medium|Observability|VPC hasn't got any FlowLog associated|Documentation
| +|MQ Broker Logging Disabled
31245f98-a6a9-4182-9fc1-45482b9d030a|Terraform|Medium|Observability|Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general).|Documentation
| +|CloudWatch Logging Disabled
7dbba512-e244-42dc-98bb-422339827967|Terraform|Medium|Observability|Check if CloudWatch logging is disabled for Route53 hosted zones|Documentation
| +|CloudTrail Not Integrated With CloudWatch
17b30f8f-8dfb-4597-adf6-57600b6cf25e|Terraform|Medium|Observability|CloudTrail should be integrated with CloudWatch|Documentation
| +|MSK Cluster Logging Disabled
2f56b7ab-7fba-4e93-82f0-247e5ddeb239|Terraform|Medium|Observability|Ensure MSK Cluster Logging is enabled|Documentation
| |Elasticsearch Without Slow Logs
e979fcbc-df6c-422d-9458-c33d65e71c45|Terraform|Medium|Observability|Ensure that AWS Elasticsearch enables support for slow logs|Documentation
| -|CloudTrail Multi Region Disabled
8173d5eb-96b5-4aa6-a71b-ecfa153c123d|Terraform|Medium|Observability|Check if MultiRegion is Enabled|Documentation
| +|CloudWatch Metrics Disabled
081069cb-588b-4ce1-884c-2a1ce3029fe5|Terraform|Medium|Observability|Checks if CloudWatch Metrics is Enabled|Documentation
| |Cloudfront Logging Disabled
94690d79-b3b0-43de-b656-84ebef5753e5|Terraform|Medium|Observability|AWS Cloudfront distributions must be have logging enabled, which means the attribute 'logging_config' must be defined|Documentation
| -|Redshift Cluster Logging Disabled
15ffbacc-fa42-4f6f-a57d-2feac7365caa|Terraform|Medium|Observability|Make sure Logging is enabled for Redshift Cluster|Documentation
| -|GuardDuty Detector Disabled
704dadd3-54fc-48ac-b6a0-02f170011473|Terraform|Medium|Observability|Make sure that Amazon GuardDuty is Enabled|Documentation
| +|API Gateway With CloudWatch Logging Disabled
982aa526-6970-4c59-8b9b-2ce7e019fe36|Terraform|Medium|Observability|AWS CloudWatch Logs for APIs is not enabled|Documentation
| +|S3 Bucket Without Versioning
568a4d22-3517-44a6-a7ad-6a7eed88722c|Terraform|Medium|Observability|S3 bucket without versioning|Documentation
| +|CloudTrail Multi Region Disabled
8173d5eb-96b5-4aa6-a71b-ecfa153c123d|Terraform|Medium|Observability|Check if MultiRegion is Enabled|Documentation
| +|CloudWatch Without Retention Period Specified
ef0b316a-211e-42f1-888e-64efe172b755|Terraform|Medium|Observability|AWS CloudWatch Log groups should have retention days specified|Documentation
| |Default VPC Exists
96ed3526-0179-4c73-b1b2-372fde2e0d13|Terraform|Medium|Observability|It isn't recommended to use resources in default VPC|Documentation
| -|MQ Broker Logging Disabled
31245f98-a6a9-4182-9fc1-45482b9d030a|Terraform|Medium|Observability|Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general).|Documentation
| +|Google Compute Subnetwork Logging Disabled
40430747-442d-450a-a34f-dc57149f4609|Terraform|Medium|Observability|This query checks if logs are enabled for a Google Compute Subnetwork resource.|Documentation
| +|Email Alerts Disabled
9db38e87-f6aa-4b5e-a1ec-7266df259409|Terraform|Medium|Observability|Make sure that alerts notifications are set to 'On' in the Azure Security Center Contact|Documentation
| +|Small Activity Log Retention Period
2b856bf9-8e8c-4005-875f-303a8cba3918|Terraform|Medium|Observability|Ensure that Activity Log Retention is set 365 days or greater|Documentation
| +|PostgreSQL Server Without Connection Throttling
2b3c671f-1b76-4741-8789-ed1fe0785dc4|Terraform|Medium|Observability|Ensure that Connection Throttling is set for the PostgreSQL server|Documentation
| +|PostgreSQL Log Duration Not Set
16e0879a-c4ae-4ff8-a67d-a2eed5d67b8f|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON'|Documentation
| +|PostgreSQL Log Connections Not Set
c640d783-10c5-4071-b6c1-23507300d333|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON'|Documentation
| +|SQL Server Auditing Disabled
f7e296b0-6660-4bc5-8f87-22ac4a815edf|Terraform|Medium|Observability|Make sure that for SQL Servers, 'Auditing' is set to 'On'|Documentation
| |MSSQL Server Auditing Disabled
609839ae-bd81-4375-9910-5bce72ae7b92|Terraform|Medium|Observability|Make sure that for MSSQL Servers, that 'Auditing' is set to 'On'|Documentation
| |Log Retention Is Not Set
ffb02aca-0d12-475e-b77c-a726f7aeff4b|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON'|Documentation
| -|PostgreSQL Log Connections Not Set
c640d783-10c5-4071-b6c1-23507300d333|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON'|Documentation
| +|PostgreSQL Log Disconnections Not Set
07f7134f-9f37-476e-8664-670c218e4702|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON'|Documentation
| |PostgreSQL Log Checkpoints Disabled
3790d386-be81-4dcf-9850-eaa7df6c10d9|Terraform|Medium|Observability|Make sure that for Postgre SQL Database Server, parameter 'log_checkpoints' is set to 'ON'|Documentation
| -|PostgreSQL Log Duration Not Set
16e0879a-c4ae-4ff8-a67d-a2eed5d67b8f|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON'|Documentation
| -|Log Disconnections Is Not Set
07f7134f-9f37-476e-8664-670c218e4702|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON'|Documentation
| -|Small MSSQL Audit Retention Period
9c301481-e6ec-44f7-8a49-8ec63e2969ea|Terraform|Medium|Observability|Make sure that for MSSQL Server, the Auditing Retention is greater than 90 days|Documentation
| |Small MSSQL Server Audit Retention
59acb56b-2b10-4c2c-ba38-f2223c3f5cfc|Terraform|Medium|Observability|Make sure for SQL Servers that Auditing Retention is greater than 90 days|Documentation
| -|PostgreSQL DB Server Log Retention Is Low
261a83f8-dd72-4e8c-b5e1-ebf06e8fe606|Terraform|Medium|Observability|Check if PostgreSQL Database Server retains logs for less than 3 Days|Documentation
| -|Small Activity Log Retention Period
2b856bf9-8e8c-4005-875f-303a8cba3918|Terraform|Medium|Observability|Ensure that Activity Log Retention is set 365 days or greater|Documentation
| -|PostgreSQL Server Without Connection Throttling
2b3c671f-1b76-4741-8789-ed1fe0785dc4|Terraform|Medium|Observability|Ensure that Connection Throttling is set for the PostgreSQL server|Documentation
| -|Email Alerts Disabled
9db38e87-f6aa-4b5e-a1ec-7266df259409|Terraform|Medium|Observability|Make sure that alerts notifications are set to 'On' in the Azure Security Center Contact|Documentation
| -|SQL Server Auditing Disabled
f7e296b0-6660-4bc5-8f87-22ac4a815edf|Terraform|Medium|Observability|Make sure that for SQL Servers, 'Auditing' is set to 'On'|Documentation
| -|Google Compute Subnetwork Logging Disabled
40430747-442d-450a-a34f-dc57149f4609|Terraform|Medium|Observability|This query checks if logs are enabled for a Google Compute Subnetwork resource.|Documentation
| +|Small PostgreSQL DB Server Log Retention Period
261a83f8-dd72-4e8c-b5e1-ebf06e8fe606|Terraform|Medium|Observability|Check if PostgreSQL Database Server retains logs for less than 3 Days|Documentation
| +|Small MSSQL Audit Retention Period
9c301481-e6ec-44f7-8a49-8ec63e2969ea|Terraform|Medium|Observability|Make sure that for MSSQL Server, the Auditing Retention is greater than 90 days|Documentation
| |No Stack Policy
2f01fb2d-828a-499d-b98e-b83747305052|Terraform|Medium|Resource Management|AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions|Documentation
| -|Memory Limits Not Defined
fd097ed0-7fe6-4f58-8b71-fef9f0820a21|Terraform|Medium|Resource Management|Memory limits should be specified|Documentation
| |CPU Limits Not Set
5f4735ce-b9ba-4d95-a089-a37a767b716f|Terraform|Medium|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests|Documentation
| -|Memory Requests Not Defined
21719347-d02b-497d-bda4-04a03c8e5b61|Terraform|Medium|Resource Management|Memory requests should be specified|Documentation
| |CPU Requests Not Set
577ac19c-6a77-46d7-9f14-e049cdd15ec2|Terraform|Medium|Resource Management|CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node|Documentation
| +|Memory Limits Not Defined
fd097ed0-7fe6-4f58-8b71-fef9f0820a21|Terraform|Medium|Resource Management|Memory limits should be specified|Documentation
| +|Memory Requests Not Defined
21719347-d02b-497d-bda4-04a03c8e5b61|Terraform|Medium|Resource Management|Memory requests should be specified|Documentation
| |Hardcoded AWS Access Key In Lambda
1402afd8-a95c-4e84-8b0b-6fb43758e6ce|Terraform|Medium|Secret Management|Lambda hardcoded AWS access/secret keys|Documentation
| |Shared Service Account
f74b9c43-161a-4799-bc95-0b0ec81801b9|Terraform|Medium|Secret Management|A Service Account token is shared between workloads|Documentation
| |Service Account Allows Access Secrets
07fc3413-e572-42f7-9877-5c8fc6fccfb5|Terraform|Medium|Secret Management|Kubernetes_role and Kubernetes_cluster_role when binded, should not use get, list or watch as verbs|Documentation
| |IAM Policy Grants 'AssumeRole' Permission Across All Services
bcdcbdc6-a350-4855-ae7c-d1e6436f7c97|Terraform|Low|Access Control|IAM role allows All services or principals to assume it|Documentation
| |IAM Role Allows All Principals To Assume
12b7e704-37f0-4d1e-911a-44bf60c48c21|Terraform|Low|Access Control|IAM role allows all services or principals to assume it|Documentation
| |Cluster Admin Rolebinding With Superuser Permissions
17172bc2-56fb-4f17-916f-a014147706cd|Terraform|Low|Access Control|Ensure that the cluster-admin role is only used where required (RBAC)|Documentation
| -|Missing App Armor Config
bd6bd46c-57db-4887-956d-d372f21291b6|Terraform|Low|Access Control|Containers should be configured with AppArmor for any application to reduce its potential attack|Documentation
| -|Permissive Access to Create Pods
522d4a64-4dc9-44bd-9240-7d8a0d5cb5ba|Terraform|Low|Access Control|The permission to create pods in a cluster should be restricted because it allows privilege escalation.|Documentation
| |Docker Daemon Socket is Exposed to Containers
4e203a65-c8d8-49a2-b749-b124d43c9dc1|Terraform|Low|Access Control|Sees if Docker Daemon Socket is not exposed to Containers|Documentation
| -|HPA Targets Invalid Object
17e52ca3-ddd0-4610-9d56-ce107442e110|Terraform|Low|Availability|The Horizontal Pod Autoscale must target a valid object|Documentation
| +|Permissive Access to Create Pods
522d4a64-4dc9-44bd-9240-7d8a0d5cb5ba|Terraform|Low|Access Control|The permission to create pods in a cluster should be restricted because it allows privilege escalation.|Documentation
| +|Missing App Armor Config
bd6bd46c-57db-4887-956d-d372f21291b6|Terraform|Low|Access Control|Containers should be configured with AppArmor for any application to reduce its potential attack|Documentation
| |StatefulSet Without PodDisruptionBudget
7249e3b0-9231-4af3-bc5f-5daf4988ecbf|Terraform|Low|Availability|StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
| |Deployment Without PodDisruptionBudget
a05331ee-1653-45cb-91e6-13637a76e4f0|Terraform|Low|Availability|Deployments should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
| +|HPA Targets Invalid Object
17e52ca3-ddd0-4610-9d56-ce107442e110|Terraform|Low|Availability|The Horizontal Pod Autoscale must target a valid object|Documentation
| +|CDN Configuration Is Missing
1bc367f6-901d-4870-ad0c-71d79762ef52|Terraform|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination.|Documentation
| |IAM Policies Attached To User
b4378389-a9aa-44ee-91e7-ef183f11079e|Terraform|Low|Best Practices|IAM policies should be attached only to groups or roles|Documentation
| |Lambda Permission Misconfigured
75ec6890-83af-4bf1-9f16-e83726df0bd0|Terraform|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction'|Documentation
| -|CDN Configuration Is Missing
1bc367f6-901d-4870-ad0c-71d79762ef52|Terraform|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination.|Documentation
| |Metadata Label Is Invalid
bc3dabb6-fd50-40f8-b9ba-7429c9f1fb0e|Terraform|Low|Best Practices|Check if any label in the metadata is invalid.|Documentation
| |StatefulSet Requests Storage
fcc2612a-1dfe-46e4-8ce6-0320959f0040|Terraform|Low|Build Process|A StatefulSet requests volume storage.|Documentation
| |Root Container Not Mounted As Read-only
d532566b-8d9d-4f3b-80bd-361fe802f9c2|Terraform|Low|Build Process|Check if the root container filesystem is not being mounted as read-only.|Documentation
| -|S3 Bucket With Ignore Public ACL
4fa66806-0dd9-4f8d-9480-3174d39c7c91|Terraform|Low|Insecure Configurations|S3 bucket with ignore public ACL|Documentation
| |Open Access To Resources Through API
108aa260-6dab-4a75-ae3f-de917d634840|Terraform|Low|Insecure Configurations|Open access to back-end resources through API|Documentation
| -|Dashboard Is Enabled
61c3cb8b-0715-47e4-b788-86dde40dd2db|Terraform|Low|Insecure Configurations|Check if the Kubernetes Dashboard is enabled.|Documentation
| +|S3 Bucket With Ignore Public ACL
4fa66806-0dd9-4f8d-9480-3174d39c7c91|Terraform|Low|Insecure Configurations|S3 bucket with ignore public ACL|Documentation
| |Image Pull Policy Of The Container Is Not Set To Always
aa737abf-6b1d-4aba-95aa-5c160bd7f96e|Terraform|Low|Insecure Configurations|Image Pull Policy of the container must be defined and set to Always|Documentation
| -|Image Without Digest
228c4c19-feeb-4c18-848c-800ac70fdfb7|Terraform|Low|Insecure Configurations|Sees if Kubernetes image has digest on|Documentation
| |Pod or Container Without Security Context
ad69e38a-d92e-4357-a8da-f2f29d545883|Terraform|Low|Insecure Configurations|A security context defines privilege and access control settings for a Pod or Container|Documentation
| +|Image Without Digest
228c4c19-feeb-4c18-848c-800ac70fdfb7|Terraform|Low|Insecure Configurations|Sees if Kubernetes image has digest on|Documentation
| +|Dashboard Is Enabled
61c3cb8b-0715-47e4-b788-86dde40dd2db|Terraform|Low|Insecure Configurations|Check if the Kubernetes Dashboard is enabled.|Documentation
| |Cloudfront Without WAF
1419b4c6-6d5c-4534-9cf6-6a5266085333|Terraform|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service|Documentation
| |Service Type is NodePort
5c281bf8-d9bb-47f2-b909-3f6bb11874ad|Terraform|Low|Networking and Firewall|Service type should not be NodePort|Documentation
| |Missing Cluster Log Types
66f130d9-b81d-4e8e-9b08-da74b9c891df|Terraform|Low|Observability|Amazon EKS control plane logging don't enabled for all log types|Documentation
| +|S3 Bucket Logging Disabled
f861041c-8c9f-4156-acfc-5e6e524f5884|Terraform|Low|Observability|S3 bucket without logging|Documentation
| +|Lambda Functions Without X-Ray Tracing
8152e0cf-d2f0-47ad-96d5-d003a76eabd1|Terraform|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_Config.mode' should have the value 'Active'|Documentation
| |API Gateway Deployment Without API Gateway UsagePlan Associated
b3a59b8e-94a3-403e-b6e2-527abaf12034|Terraform|Low|Observability|API Gateway Deployment should have API Gateway UsagePlan defined and associated.|Documentation
| |CloudTrail Log File Validation Disabled
52ffcfa6-6c70-4ea6-8376-d828d3961669|Terraform|Low|Observability|CloudTrail log file validation should be enabled|Documentation
| -|Lambda Functions Without X-Ray Tracing
8152e0cf-d2f0-47ad-96d5-d003a76eabd1|Terraform|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_Config.mode' should have the value 'Active'|Documentation
| -|S3 Bucket Logging Disabled
f861041c-8c9f-4156-acfc-5e6e524f5884|Terraform|Low|Observability|S3 bucket without logging|Documentation
| |API Gateway Stage Without API Gateway UsagePlan Associated
c999cf62-0920-40f8-8dda-0caccd66ed7e|Terraform|Low|Resource Management|API Gateway Stage should have API Gateway UsagePlan defined and associated.|Documentation
| |CronJob Deadline Not Configured
58876b44-a690-4e9f-9214-7735fa0dd15d|Terraform|Low|Resource Management|Cronjobs must have a configured deadline, which means the attribute 'starting_deadline_seconds' must be defined|Documentation
| |Hardcoded AWS Access Key
d7b9d850-3e06-4a75-852f-c46c2e92240b|Terraform|Low|Secret Management|Hard-coded AWS access key / secret key exists in EC2 user data|Documentation
| |Invalid Image
e76cca7c-c3f9-4fc9-884c-b2831168ebd8|Terraform|Low|Supply-Chain|Image must be defined and not be empty or equal to latest.|Documentation
| -|S3 Bucket ACL Allows Read Or Write to All Users
38c5ee0d-7f22-4260-ab72-5073048df100|Terraform|Info|Access Control|S3 bucket with public READ/WRITE access|Documentation
| |Non Kube System Pod With Host Mount
86a947ea-f577-4efb-a8b0-5fc00257d521|Cloudformation|Medium|Access Control|A non kube-system workload should not have hostPath mounted|Documentation
| -|S3 Bucket Allows List Action From All Principals
d395a950-12ce-4314-a742-ac5a785ab44e|Ansible|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion.|Documentation
| -|S3 Bucket Allows Get Action From All Principals
53bce6a8-5492-4b1b-81cf-664385f0c4bf|Ansible|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion.|Documentation
| -|S3 Bucket ACL Allows Read to All Users
a1ef9d2e-4163-40cb-bd92-04f0d602a15d|Ansible|High|Access Control|It's not recommended to allow read access for all user groups.|Documentation
| -|ECS Service Admin Role is Present
7db727c1-1720-468e-b80e-06697f71e09e|Ansible|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'role' must not be an admin role|Documentation
| -|S3 Bucket With All Permissions
6a6d7e56-c913-4549-b5c5-5221e624d2ec|Ansible|High|Access Control|S3 Buckets must not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion|Documentation
| -|S3 Bucket ACL Allows Read Or Write to All Users
7529b8d2-55d7-44d2-b1cd-d7d2984a2a81|Ansible|High|Access Control|S3 Buckets must not allow Write_ACP Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Write_ACP, for all Principals.|Documentation
| -|SQS Queue Exposed
86b0efa7-4901-4edd-a37a-c034bec6645a|Ansible|High|Access Control|Checks if the SQS Queue is exposed|Documentation
| -|ECS Task Definition Network Mode Not Recommended
01aec7c2-3e4d-4274-ae47-2b8fea22fd1f|Ansible|High|Access Control|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations|Documentation
| -|S3 Bucket ACL Allows Read to Any Authenticated User
75480b31-f349-4b9a-861f-bce19588e674|Ansible|High|Access Control|Misconfigured S3 buckets can leak private information to the entire internet or allow unauthorized data tampering / deletion|Documentation
| -|S3 Bucket Allows Put Action From All Principals
a0f1bfe0-741e-473f-b3b2-13e66f856fab|Ansible|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion.|Documentation
| -|S3 Bucket Allows Delete Action From All Principals
6fa44721-ef21-41c6-8665-330d59461163|Ansible|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion.|Documentation
| -|S3 Bucket Access to Any Principal
3ab1f27d-52cc-4943-af1d-43c1939e739a|Ansible|High|Access Control|Checks if the S3 bucket is accessible for all users|Documentation
| -|DB Instance Publicly Accessible
c09e3ca5-f08a-4717-9c87-3919c5e6d209|Ansible|High|Access Control|The field 'publicly_accessible' should not be set to 'true' (default is 'false').|Documentation
| -|Blob Container With Public Access
4d3817db-dd35-4de4-a80d-3867157e7f7f|Ansible|High|Access Control|Anonymous, public read access to a container and its blobs are enabled in Azure Blob Storage|Documentation
| -|Admin User Enabled For Container Registry
29f35127-98e6-43af-8ec1-201b79f99604|Ansible|High|Access Control|Admin user is enabled for Container Registry|Documentation
| -|Public Storage Account
35e2f133-a395-40de-a79d-b260d973d1bd|Ansible|High|Access Control|Check if 'network_acls' is open to public.|Documentation
| -|Trusted Microsoft Services Not Enabled
1bc398a8-d274-47de-a4c8-6ac867b353de|Ansible|High|Access Control|Ensure Trusted Microsoft Services have Storage Account access.|Documentation
| -|AD Admin Not Configured For SQL Server
b176e927-bbe2-44a6-a9c3-041417137e5f|Ansible|High|Access Control|The Active Directory Administrator is not configured for a SQL server|Documentation
| -|Redis Entirely Accessible
0d0c12b9-edce-4510-9065-13f6a758750c|Ansible|High|Access Control|Firewall rule allowing unrestricted access to Redis from the Internet|Documentation
| -|VM With Full Cloud Access
bc20bbc6-0697-4568-9a73-85af1dd97bdd|Ansible|High|Access Control|A VM instance is configured to use the default service account with full access to all Cloud APIs|Documentation
| -|SQL DB Instance Is Publicly Accessible
7d7054c0-3a52-4e9b-b9ff-cbfe16a2378b|Ansible|High|Access Control|Check if any Cloud SQL instances are publicly accessible.|Documentation
| -|SQL DB Instance Backup Disabled
0c82eae2-aca0-401f-93e4-fb37a0f9e5e8|Ansible|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances|Documentation
| -|ELB Using Insecure Protocols
730a5951-2760-407a-b032-dd629b55c23a|Ansible|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of insecure protocols.|Documentation
| -|Redshift Not Encrypted
6a647814-def5-4b85-88f5-897c19f509cd|Ansible|High|Encryption|Check if 'encrypted' field is false or undefined (default is false)|Documentation
| -|S3 Bucket SSE Disabled
309edc5b-5a59-42b4-a357-d4d098311fd4|Ansible|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required|Documentation
| -|CloudTrail Log Files Not Encrypted
f5587077-3f57-4370-9b4e-4eb5b1bac85b|Ansible|High|Encryption|CloudTrail Log Files should be encrypted with Key Management Service (KMS)|Documentation
| -|User Data Contains Encoded Private Key
c09f4d3e-27d2-4d46-9453-abbe9687a64e|Ansible|High|Encryption|User Data contains an encoded RSA Private Key|Documentation
| -|Secure Ciphers Disabled
218413a0-c716-4b94-9e08-0bb70d854709|Ansible|High|Encryption|Check if secure ciphers aren't used in CloudFront|Documentation
| -|EBS Volume Encryption Disabled
4b6012e7-7176-46e4-8108-e441785eae57|Ansible|High|Encryption|EBS Encryption should be enabled|Documentation
| -|S3 Bucket Without Server-side-encryption
594f54e7-f744-45ab-93e4-c6dbaf6cd571|Ansible|High|Encryption|AWS S3 Storage should be protected with SSE (Server-Side Encryption)|Documentation
| -|Redis Not Compliant
9f34885e-c08f-4d13-a7d1-cf190c5bd268|Ansible|High|Encryption|Check if the redis version is compliant with the necessary AWS PCI DSS requirements|Documentation
| -|Automatic Minor Upgrades Disabled
857f8808-e96a-4ba8-a9b7-f2d4ec6cad94|Ansible|High|Encryption|RDS instance auto minor version upgrade feature must be true|Documentation
| -|Viewer Protocol Policy Allows HTTP
a6d27cf7-61dc-4bde-ae08-3b353b609f76|Ansible|High|Encryption|Checks if the connection between the CloudFront and the origin server is encrypted|Documentation
| -|Memcached Disabled
2d55ef88-b616-4890-b822-47f280763e89|Ansible|High|Encryption|Check if the Memcached is disabled on the ElastiCache|Documentation
| -|IAM Database Auth Not Enabled
0ed012a4-9199-43d2-b9e4-9bd049a48aa4|Ansible|High|Encryption|IAM Database Auth Enabled must be configured to true|Documentation
| -|EFS Not Encrypted
727c4fd4-d604-4df6-a179-7713d3c85e20|Ansible|High|Encryption|Elastic File System (EFS) must be encrypted|Documentation
| -|Launch Configuration Is Not Encrypted
66477506-6abb-49ed-803d-3fa174cd5f6a|Ansible|High|Encryption|AWS Autoscaling Launch Configurations should have encryption enabled|Documentation
| -|User Data Shell Script Is Encoded
1e2341ba-a5cf-4f0a-a5f6-47e90c68ea89|Ansible|High|Encryption|User Data Shell Script must be encoded|Documentation
| -|DB Instance Storage Not Encrypted
7dfb316c-a6c2-454d-b8a2-97f147b0c0ff|Ansible|High|Encryption|The parameter storage_encrypted in aws_db_instance must be set to 'true' (the default is 'false').|Documentation
| -|AMI Not Encrypted
97707503-a22c-4cd7-b7c0-f088fa7cf830|Ansible|High|Encryption|AWS AMI Encryption is not enabled|Documentation
| -|CA Certificate Identifier Is Outdated
5eccd62d-8b4d-46d3-83ea-1879f3cbd3ce|Ansible|High|Encryption|The CA certificate Identifier must be 'rds-ca-2019'.|Documentation
| -|ELB Using Weak Ciphers
2034fb37-bc23-4ca0-8d95-2b9f15829ab5|Ansible|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of weak ciphers.|Documentation
| -|ECS Task Definition Container With Plaintext Password
7fdc2bf3-6bc0-4cb3-84c5-cfd041c0f892|Ansible|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data.|Documentation
| -|Storage Account Not Forcing HTTPS
2c99a474-2a3c-4c17-8294-53ffa5ed0522|Ansible|High|Encryption|See that Storage Accounts forces the use of HTTPS|Documentation
| -|MySQL SSL Connection Disabled
2a901825-0f3b-4655-a0fe-e0470e50f8e6|Ansible|High|Encryption|Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled|Documentation
| -|SSL Enforce Disabled
961ce567-a16d-4d7d-9027-f0ec2628a555|Ansible|High|Encryption|Make sure that for PosgreSQL, the 'Enforce SSL connection' is set to 'ENABLED'|Documentation
| -|DNSSEC Using RSASHA1
6cf4c3a7-ceb0-4475-8892-3745b84be24a|Ansible|High|Encryption|DNSSEC should not use the RSASHA1 algorithm|Documentation
| -|SQL DB Instance With SSL Disabled
d0f7da39-a2d5-4c78-bb85-4b7f338b3cbb|Ansible|High|Encryption|Cloud SQL Database Instance with SSL disabled for incoming connections|Documentation
| -|High KMS Rotation Period
79f45008-60b3-4a0a-a302-8311fd3701b4|Ansible|High|Encryption|Check if any KMS rotation period surpasses 365 days.|Documentation
| -|Batch Job Definition With Privileged Container Properties
defe5b18-978d-4722-9325-4d1975d3699f|Ansible|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties|Documentation
| -|CloudFront Without Minimum Protocol TLS 1.2
d0c13053-d2c8-44a6-95da-d592996e9e67|Ansible|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2|Documentation
| -|Root Account Has Active Access Keys
e71d0bc7-d9e8-4e6e-ae90-0a4206db6f40|Ansible|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive.|Documentation
| -|Redshift Publicly Accessible
5c6b727b-1382-4629-8ba9-abd1365e5610|Ansible|High|Insecure Configurations|Check if 'publicly_accessible' field is true (default is false)|Documentation
| -|DB Security Group Has Public IP
5330b503-3319-44ff-9b1c-00ee873f728a|Ansible|High|Insecure Configurations|The CIDR IP must not be Public|Documentation
| -|Web App Accepting Traffic Other Than HTTPS
eb8c2560-8bee-4248-9d0d-e80c8641dd91|Ansible|High|Insecure Configurations|Web app should only accept HTTPS traffic in Azure Web App Service.|Documentation
| -|VM Not Attached To Network
1e5f5307-3e01-438d-8da6-985307ed25ce|Ansible|High|Insecure Configurations|No Network Security Group is attached to the Virtual Machine|Documentation
| -|Azure Container Registry With No Locks
581dae78-307d-45d5-aae4-fe2b0db267a5|Ansible|High|Insecure Configurations|Azurerm Container Registry Must Contain Associated Locks |Documentation
| -|Cluster Master Authentication Disabled
9df7f78f-ebe3-432e-ac3b-b67189c15518|Ansible|High|Insecure Configurations|Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'master_auth' must have the subattributes 'username' and 'password' defined and not empty|Documentation
| -|PostgreSQL Misconfigured Logging Duration Flag
aed98a2a-e680-497a-8886-277cea0f4514|Ansible|High|Insecure Configurations|PostgreSQL database 'log_min_duration_statement' flag isn't set to '-1'|Documentation
| -|Network Policy Disabled
98e04ca0-34f5-4c74-8fec-d2e611ce2790|Ansible|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false|Documentation
| -|BigQuery Dataset Is Public
2263b286-2fe9-4747-a0ae-8b4768a2bbd2|Ansible|High|Insecure Configurations|BigQuery dataset is anonymously or publicly accessible|Documentation
| -|IP Aliasing Disabled
ed672a9f-fbf0-44d8-a47d-779501b0db05|Ansible|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ip_allocation_policy' must be defined and the subattribute 'use_ip_aliases' must be set to 'yes'.|Documentation
| -|MySQL Instance With Local Infile On
a7b520bb-2509-4fb0-be05-bc38f54c7a4c|Ansible|High|Insecure Configurations|MySQL Instance should not have Local Infile On|Documentation
| -|Client Certificate Disabled
20180133-a0d0-4745-bfe0-94049fbb12a9|Ansible|High|Insecure Configurations|Kubernetes Clusters must be created with Client Certificate enabled, which means 'master_auth' must have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to true|Documentation
| -|Cloud SQL Instance With Contained Database Authentication On
6d34aff3-fdd2-460c-8190-756a3b4969e8|Ansible|High|Insecure Configurations|SQL Instance should not have Contained Database Authentication On|Documentation
| -|Cluster Labels Disabled
fbe9b2d0-a2b7-47a1-a534-03775f3013f7|Ansible|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined|Documentation
| -|GKE Legacy Authorization Enabled
300a9964-b086-41f7-9378-b6de3ba1c32b|Ansible|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacy_abac.enabled' must be false.|Documentation
| -|Cloud SQL Instance With Cross DB Ownership Chaining On
9e0c33ed-97f3-4ed6-8be9-bcbf3f65439f|Ansible|High|Insecure Configurations|GCP SQL Instance should not have Cross DB Ownership Chaining On|Documentation
| -|GKE Basic Authentication Enabled
344bf8ab-9308-462b-a6b2-697432e40ba1|Ansible|High|Insecure Configurations|GCP - Google Kubernetes Engine (GKE) Basic Authentication must be disabled, which means the username and password provided in the master_auth block must be empty|Documentation
| -|Private Cluster Disabled
3b30e3d6-c99b-4318-b38f-b99db74578b5|Ansible|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_endpoint' and 'enable_private_nodes' must be true.|Documentation
| -|Vulnerable Default SSL Certificate
fb8f8929-afeb-4c46-99f0-a6cf410f7df4|Ansible|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one.|Documentation
| -|Security Group With Unrestricted Access To SSH
57ced4b9-6ba4-487b-8843-b65562b90c77|Ansible|High|Networking and Firewall|SSH' (TCP:22) should not be public in AWS Security Group|Documentation
| -|Public Port Wide
71ea648a-d31a-4b5a-a589-5674243f1c33|Ansible|High|Networking and Firewall|AWS Security Group should not have public port wide|Documentation
| -|HTTP Port Open
a14ad534-acbe-4a8e-9404-2f7e1045646e|Ansible|High|Networking and Firewall|The HTTP port is open in a Security Group|Documentation
| -|DB Security Group Open To Large Scope
ea0ed1c7-9aef-4464-b7c7-94c762da3640|Ansible|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts.|Documentation
| -|Security Group Ingress Not Restricted
ea6bc7a6-d696-4dcf-a788-17fa03c17c81|Ansible|High|Networking and Firewall|AWS Security Group should restrict ingress access|Documentation
| -|EC2 Instance Has Public IP
a8b0c58b-cd25-4b53-9ad0-55bca0be0bc1|Ansible|High|Networking and Firewall|EC2 Instance should not have a public IP address.|Documentation
| -|Route53 Record Undefined
445dce51-7e53-4e50-80ef-7f94f14169e4|Ansible|High|Networking and Firewall|Route53 Record should have a list of records|Documentation
| -|Default Security Groups With Unrestricted Traffic
8010e17a-00e9-4635-a692-90d6bcec68bd|Ansible|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic.|Documentation
| -|Unknown Port Exposed To Internet
722b0f24-5a64-4cca-aa96-cfc26b7e3a5b|Ansible|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet|Documentation
| -|KMS Key With Vulnerable Policy
5b9d237a-57d5-4177-be0e-71434b0fef47|Ansible|High|Networking and Firewall|Checks if the policy is vulnerable and needs updating.|Documentation
| -|Unrestricted Security Group Ingress
83c5fa4c-e098-48fc-84ee-0a537287ddd2|Ansible|High|Networking and Firewall|Security groups allow ingress from 0.0.0.0/0|Documentation
| -|Remote Desktop Port Open
eda7301d-1f3e-47cf-8d4e-976debc64341|Ansible|High|Networking and Firewall|The Remote Desktop port is open in a Security Group|Documentation
| -|ALB Listening on HTTP
f81d63d2-c5d7-43a4-a5b5-66717a41c895|Ansible|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP|Documentation
| -|DB Security Group With Public Scope
0956aedf-6a7a-478b-ab56-63e2b19923ad|Ansible|High|Networking and Firewall|The IP address in a DB Security Group must not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6).|Documentation
| -|CosmosDB Account IP Range Filter Not Set
e8c80448-31d8-4755-85fc-6dbab69c2717|Ansible|High|Networking and Firewall|The IP range filter should be defined|Documentation
| -|Redis Publicly Accessible
0632d0db-9190-450a-8bb3-c283bffea445|Ansible|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from other Azure sources|Documentation
| -|SQLServer Ingress From Any IP
f4e9ff70-0f3b-4c50-a713-26cbe7ec4039|Ansible|High|Networking and Firewall|Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255.|Documentation
| -|Sensitive Port Is Exposed To Entire Network
0ac9abbc-6d7a-41cf-af23-2e57ddb3dbfc|Ansible|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol|Documentation
| -|Compute Instance Is Publicly Accessible
829f1c60-2bab-44c6-8a21-5cd9d39a2c82|Ansible|High|Networking and Firewall|Compute instances shouldn't be accessible from the Internet.|Documentation
| -|GKE Master Authorized Networks Disabled
d43366c5-80b0-45de-bbe8-2338f4ab0a83|Ansible|High|Networking and Firewall|Master authorized networks must be enabled in GKE clusters|Documentation
| -|Configuration Aggregator to All Regions Disabled
a2fdf451-89dd-451e-af92-bf6c0f4bab96|Ansible|High|Observability|AWS Config Configuration Aggregator All Regions must be set to True|Documentation
| -|CloudTrail Logging Disabled
d4a73c49-cbaa-4c6f-80ee-d6ef5a3a26f5|Ansible|High|Observability|Checks if logging is enabled for CloudTrail.|Documentation
| -|S3 Bucket Without Versioning
9232306a-f839-40aa-b3ef-b352001da9a5|Ansible|High|Observability|S3 bucket without versioning|Documentation
| -|PostgreSQL Logging Of Temporary Files Disabled
d6fae5b6-ada9-46c0-8b36-3108a2a2f77b|Ansible|High|Observability|PostgreSQL database 'log_temp_files' flag isn't set to '0'|Documentation
| -|Stackdriver Logging Disabled
19c9e2a0-fc33-4264-bba1-e3682661e8f7|Ansible|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must be defined and different from 'none'|Documentation
| -|Object Versioning Not Enabled
7814ddda-e758-4a56-8be3-289a81ded929|Ansible|High|Observability|Object Versioning not fully enabled on Cloud Storage Bucket|Documentation
| -|Cloud Storage Bucket Logging Not Enabled
507df964-ad97-4035-ab14-94a82eabdfdd|Ansible|High|Observability|Cloud storage bucket with logging not enabled|Documentation
| -|Stackdriver Monitoring Disabled
20dcd953-a8b8-4892-9026-9afa6d05a525|Ansible|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must be defined and different than 'none'|Documentation
| -|PostgreSQL Log Connections Disabled
d7a5616f-0a3f-4d43-bc2b-29d1a183e317|Ansible|High|Observability|PostgreSQL database instance should have a 'log_connections' flag with its value set to 'on'|Documentation
| -|Node Auto Upgrade Disabled
d6e10477-2e19-4bcd-b8a8-19c65b89ccdf|Ansible|High|Resource Management|Node 'auto_upgrade' should be enabled for Kubernetes Clusters|Documentation
| -|COS Node Image Not Used
be41f891-96b1-4b9d-b74f-b922a918c778|Ansible|High|Resource Management|A node image, that is not Container-Optimized OS (COS), is used for Kubernetes Engine Clusters Node image|Documentation
| -|Kinesis Not Encrypted With KMS
f2ea6481-1d31-4d40-946a-520dc6321dd7|Ansible|High|Secret Management|AWS Kinesis Streams and metadata should be protected with KMS|Documentation
| -|EFS Without KMS
bd77554e-f138-40c5-91b2-2a09f878608e|Ansible|High|Secret Management|Elastic File System (EFS) must have KMS Key ID|Documentation
| -|Public Lambda via API Gateway
5e92d816-2177-4083-85b4-f61b4f7176d9|Ansible|Medium|Access Control|Allowing to run lambda function using public API Gateway|Documentation
| -|S3 Bucket With Public Access
c3e073c1-f65e-4d18-bd67-4a8f20ad1ab9|Ansible|Medium|Access Control|S3 Bucket allows public access|Documentation
| -|IAM Access Key Is Exposed
7f79f858-fbe8-4186-8a2c-dfd0d958a40f|Ansible|Medium|Access Control|Check if IAM Access Key is active for some user besides 'root'|Documentation
| -|ECR Repository Is Publicly Accessible
fb5a5df7-6d74-4243-ab82-ff779a958bfd|Ansible|Medium|Access Control|Amazon ECR image repositories shouldn't have public access|Documentation
| -|SQS Policy With Public Access
d994585f-defb-4b51-b6d2-c70f020ceb10|Ansible|Medium|Access Control|SQS policy with public access|Documentation
| -|Lambda Permission Principal Is Wildcard
1d972c56-8ec2-48c1-a578-887adb09c57a|Ansible|Medium|Access Control|Lambda Permission Principal should not contain a wildcard.|Documentation
| -|AMI Shared With Multiple Accounts
a19b2942-142e-4e2b-93b7-6cf6a6c8d90f|Ansible|Medium|Access Control|Limits access to AWS AMIs by checking if more than one account is using the same image|Documentation
| -|IAM Policies With Full Privileges
e401d614-8026-4f4b-9af9-75d1197461ba|Ansible|Medium|Access Control|IAM policies that allow full administrative privileges (for all resources)|Documentation
| -|SQS Policy Allows All Actions
ed9b3beb-92cf-44d9-a9d2-171eeba569d4|Ansible|Medium|Access Control|SQS policy allows ALL (*) actions|Documentation
| -|IAM Policy Grants Full Permissions
b5ed026d-a772-4f07-97f9-664ba0b116f8|Ansible|Medium|Access Control|IAM policies allow all ('*') in a statement action|Documentation
| -|SNS Topic is Publicly Accessible For Subscription
905f4741-f965-45c1-98db-f7a00a0e5c73|Ansible|Medium|Access Control|This query checks if SNS Topic is Accessible For Subscription|Documentation
| -|Firewall Rule Allows Too Many Hosts To Access Redis Cache
69f72007-502e-457b-bd2d-5012e31ac049|Ansible|Medium|Access Control|Check if any firewall rule allows too many hosts to access Redis Cache.|Documentation
| -|AKS RBAC Disabled
149fa56c-4404-4f90-9e25-d34b676d5b39|Ansible|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled|Documentation
| -|ECS Service Without Running Tasks
f5c45127-1d28-4b49-a692-0b97da1c3a84|Ansible|Medium|Availability|ECS Service should have at least 1 task running|Documentation
| -|RDS With Backup Disabled
e69890e6-fce5-461d-98ad-cb98318dfc96|Ansible|Medium|Backup|RDS configured without backup|Documentation
| -|Stack Retention Disabled
17d5ba1d-7667-4729-b1a6-b11fde3db7f7|Ansible|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction|Documentation
| -|Key Vault Soft Delete Is Disabled
881696a8-68c5-4073-85bc-7c38a3deb854|Ansible|Medium|Backup|Make sure Soft Delete is enabled for Key Vault|Documentation
| -|IAM Password Without Lowercase Letter
8e3063f4-b511-45c3-b030-f3b0c9131951|Ansible|Medium|Best Practices|Check if IAM account password has at least one lowercase letter|Documentation
| -|Authentication Without MFA
eee107f9-b3d8-45d3-b9c6-43b5a7263ce1|Ansible|Medium|Best Practices|Users should authenticate with MFA (Multi-factor Authentication)|Documentation
| -|IAM Password Without Minimum Length
8bc2168c-1723-4eeb-a6f3-a1ba614b9a6d|Ansible|Medium|Best Practices|Check if IAM account password has the required minimum length|Documentation
| -|IAM Password Without Number
9cf25d62-0b96-42c8-b66d-998cd6ee5bb8|Ansible|Medium|Best Practices|Check if IAM account password has at least one number|Documentation
| -|Password Without Reuse Prevention
6f5f5444-1422-495f-81ef-24cefd61ed2c|Ansible|Medium|Best Practices|Password policy `password_reuse_prevention` doesn't exist or is equal to 0|Documentation
| -|Misconfigured Password Policy Expiration
3f2cf811-88fa-4eda-be45-7a191a18aba9|Ansible|Medium|Best Practices|No password expiration policy|Documentation
| -|Unrestricted SQL Server Access
3f23c96c-f9f5-488d-9b17-605b8da5842f|Ansible|Medium|Best Practices|Azure SQL Server Accessibility should be set to a minimal address range, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' must be lesser than 256. Additionally, both ips must be different from '0.0.0.0'|Documentation
| -|SQL Server Predictable Admin Account Name
663062e9-473d-4e87-99bc-6f3684b3df40|Ansible|Medium|Best Practices|Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'admin_username' must be set to a name that is not easy to predict|Documentation
| -|SQL Server Predictable Active Directory Account Name
530e8291-2f22-4bab-b7ea-306f1bc2a308|Ansible|Medium|Best Practices|Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'ad_user' must be set to a name that is not easy to predict|Documentation
| -|Stack Without Template
32d31f1f-0f83-4721-b7ec-1e6948c60145|Ansible|Medium|Build Process|AWS CloudFormation should have a template defined through the attribute template, template_url or attribute template_body|Documentation
| -|Cosmos DB Account Without Tags
23a4dc83-4959-4d99-8056-8e051a82bc1e|Ansible|Medium|Build Process|Cosmos DB Account must have a mapping of tags.|Documentation
| -|CodeBuild Not Encrypted
a1423864-2fbc-4f46-bfe1-fbbf125c71c9|Ansible|Medium|Encryption|CodeBuild Project should be encrypted|Documentation
| -|Config Rule For Encrypted Volumes Disabled
7674a686-e4b1-4a95-83d4-1fd53c623d84|Ansible|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source.|Documentation
| -|Storage Account Not Using Latest TLS Encryption Version
c62746cf-92d5-4649-9acf-7d48d086f2ee|Ansible|Medium|Encryption|Ensure Storage Account is using the latest version of TLS encryption|Documentation
| -|High Google KMS Crypto Key Rotation Period
f9b7086b-deb8-4034-9330-d7fd38f1b8de|Ansible|Medium|Encryption|Make sure Encryption keys changes after 90 days|Documentation
| -|VM CSEK Encryption Disabled
092bae86-6105-4802-99d2-99cd7e7431f3|Ansible|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK), which means the attribute 'disk_encryption_key' must be defined and its sub attribute 'raw_key' must also be defined and not empty|Documentation
| -|Google Compute SSL Policy Weak Cipher In Use
b28bcd2f-c309-490e-ab7c-35fc4023eb26|Ansible|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers|Documentation
| -|Instance With No VPC
61d1a2d0-4db8-405a-913d-5d2ce49dff6f|Ansible|Medium|Insecure Configurations|Instance should be configured in VPC (Virtual Private Cloud)|Documentation
| -|IAM Password Without Uppercase Letter
83957b81-39c1-4191-8e12-671d2ce14354|Ansible|Medium|Insecure Configurations|Check if IAM account password has at least one uppercase letter|Documentation
| -|API Gateway Without SSL Certificate
b47b98ab-e481-4a82-8bb1-1ab39fd36e33|Ansible|Medium|Insecure Configurations|SSL Client Certificate should be enabled in aws_api_gateway|Documentation
| -|Lambda Function Without Tags
265d9725-2fb8-42a2-bc57-3279c5db82d5|Ansible|Medium|Insecure Configurations|AWS Lambda Functions must have associated tags.|Documentation
| -|AWS Password Policy With Unchangeable Passwords
e28ceb92-d588-4166-aac5-766c8f5b7472|Ansible|Medium|Insecure Configurations|Unchangeable passwords in AWS password policy|Documentation
| -|ECR Image Tag Not Immutable
60bfbb8a-c72f-467f-a6dd-a46b7d612789|Ansible|Medium|Insecure Configurations|ECR should have an image tag immutable|Documentation
| -|Redis Cache Allows Non SSL Connections
869e7fb4-30f0-4bdb-b360-ad548f337f2f|Ansible|Medium|Insecure Configurations|Check if any Redis Cache resource allows non-SSL connections.|Documentation
| -|Security Group is Not Configured
da4f2739-174f-4cdd-b9ef-dc3f14b5931f|Ansible|Medium|Insecure Configurations|Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty|Documentation
| -|AKS Network Policy Misconfigured
8c3bedf1-c570-4c3b-b414-d068cd39a00c|Ansible|Medium|Insecure Configurations|Azure Kubernetes Service should have the proper network policy configuration|Documentation
| -|OSLogin Is Disabled In VM Instance
66dae697-507b-4aef-be18-eec5bd707f33|Ansible|Medium|Insecure Configurations|Check if any instance disables OSLogin.|Documentation
| -|Cloud DNS Without DNSSEC
80b15fb1-6207-40f4-a803-6915ae619a03|Ansible|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS|Documentation
| -|Shielded VM Disabled
18d3a83d-4414-49dc-90ea-f0387b2856cc|Ansible|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true|Documentation
| -|Cloud Storage Anonymous or Publicly Accessible
086031e1-9d4a-4249-acb3-5bfe4c363db2|Ansible|Medium|Insecure Configurations|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'entity' must not be 'allUsers' or 'allAuthenticatedUsers'|Documentation
| -|Google Container Node Pool Auto Repair Disabled
d58c6f24-3763-4269-9f5b-86b2569a003b|Ansible|Medium|Insecure Configurations|Verifies if Google Container Node Pool Auto Repair is Enabled|Documentation
| -|Default Network Access is Allowed
974e6fe7-63fd-4fa4-aa72-77b21a4a959d|Ansible|Medium|Insecure Defaults|Default Network Access rule for Storage Accounts must be set to deny, which means the attribute 'default_action' must be 'Deny'|Documentation
| -|Using Default Service Account
2775e169-e708-42a9-9305-b58aadd2c4dd|Ansible|Medium|Insecure Defaults|Instances must not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account_email' must be defined. Additionally, it must not be empty and must also not be a default Google Compute Engine service account.|Documentation
| -|API Gateway Endpoint Config is Not Private
559439b2-3e9c-4739-ac46-17e3b24ec215|Ansible|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet|Documentation
| -|SQL Analysis Services Port 2383 (TCP) is Publicly Accessible
7af1c447-c014-4f05-bd8b-ebe3a15734ac|Ansible|Medium|Networking and Firewall|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it.|Documentation
| -|WAF Is Disabled For Azure Application Gateway
2fc5ab5a-c5eb-4ae4-b687-0f16fe77c255|Ansible|Medium|Networking and Firewall|Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway.|Documentation
| -|SSH Access Is Not Restricted
b2fbf1df-76dd-4d78-a6c0-e538f4a9b016|Ansible|Medium|Networking and Firewall|Check if Google Firewall allows SSH access (port 22) from the Internet (public CIDR block).|Documentation
| -|Serial Ports Are Enabled For VM Instances
c6fc6f29-dc04-46b6-99ba-683c01aff350|Ansible|Medium|Networking and Firewall|Check if serial ports are enabled in Google Compute Engine VM instances|Documentation
| -|RDP Access Is Not Restricted
75418eb9-39ec-465f-913c-6f2b6a80dc77|Ansible|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access.|Documentation
| -|IP Forwarding Enabled
11bd3554-cd56-4257-8e25-7aaf30cf8f5f|Ansible|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true|Documentation
| -|CloudTrail Not Integrated With CloudWatch
ebb2118a-03bc-4d53-ab43-d8750f5cb8d3|Ansible|Medium|Observability|CloudTrail should be integrated with CloudWatch|Documentation
| -|CloudTrail SNS Topic Name Undefined
5ba316a9-c466-4ec1-8d5b-bc6107dc9a92|Ansible|Medium|Observability|Check if SNS topic name is set for CloudTrail|Documentation
| -|Stack Notifications Disabled
d39761d7-94ab-45b0-ab5e-27c44e381d58|Ansible|Medium|Observability|AWS CloudFormation should have stack notifications enabled|Documentation
| -|API Gateway X-Ray Disabled
2059155b-27fd-441e-b616-6966c468561f|Ansible|Medium|Observability|API Gateway should have X-Ray Tracing enabled|Documentation
| -|CloudWatch Without Retention Period Specified
e24e18d9-4c2b-4649-b3d0-18c088145e24|Ansible|Medium|Observability|AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, and access log events|Documentation
| -|API Gateway With CloudWatch Logging Disabled
72a931c2-12f5-40d1-93cc-47bff2f7aa2a|Ansible|Medium|Observability|AWS CloudWatch Logs for APIs is not enabled|Documentation
| -|CloudTrail Multi Region Disabled
6ad087d7-a509-4b20-b853-9ef6f5ebaa98|Ansible|Medium|Observability|Check if MultiRegion is Enabled|Documentation
| -|Cloudfront Logging Disabled
d31cb911-bf5b-4eb6-9fc3-16780c77c7bd|Ansible|Medium|Observability|AWS Cloudfront distributions must have logging enabled, which means the attribute 'logging' must be defined with 'enabled' set to true|Documentation
| -|AKS Monitoring Logging Disabled
d5e83b32-56dd-4247-8c2e-074f43b38a5e|Ansible|Medium|Observability|Azure Container Service (AKS) instance should have logging enabled to Azure Monitoring|Documentation
| -|Log Retention Is Not Set
0461b4fd-21ef-4687-929e-484ee4796785|Ansible|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON'|Documentation
| -|PostgreSQL Log Connections Not Set
7b47138f-ec0e-47dc-8516-e7728fe3cc17|Ansible|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON'|Documentation
| -|PostgreSQL Log Checkpoints Disabled
7ab33ac0-e4a3-418f-a673-50da4e34df21|Ansible|Medium|Observability|Make sure that for Postgre SQL Database Server, parameter 'log_checkpoints' is set to 'ON'|Documentation
| -|PostgreSQL Log Duration Not Set
729ebb15-8060-40f7-9017-cb72676a5487|Ansible|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON'|Documentation
| -|Monitoring Log Profile Without All Activities
89f84a1e-75f8-47c5-83b5-bee8e2de4168|Ansible|Medium|Observability|Monitoring log profile captures all the activities (Action, Write, Delete)|Documentation
| -|Log Disconnections Is Not Set
054d07b5-941b-4c28-8eef-18989dc62323|Ansible|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON'|Documentation
| -|Small Activity Log Retention Period
37fafbea-dedb-4e0d-852e-d16ee0589326|Ansible|Medium|Observability|Ensure that Activity Log Retention is set 365 days or greater|Documentation
| -|PostgreSQL Server Without Connection Throttling
a9becca7-892a-4af7-b9e1-44bf20a4cd9a|Ansible|Medium|Observability|Ensure that Connection Throttling is set for the PostgreSQL server|Documentation
| -|PostgreSQL Misconfigured Log Messages Flag
28a757fc-3d8f-424a-90c0-4233363b2711|Ansible|Medium|Observability|PostgreSQL database 'log_min_messages' flag isn't set to a valid value|Documentation
| -|PostgreSQL log_checkpoints Flag Not Set To ON
89afe3f0-4681-4ce3-89ed-896cebd4277c|Ansible|Medium|Observability|PostgreSQL database instance should have a 'log_checkpoints' flag with its value set to 'on'|Documentation
| -|No Stack Policy
ffe0fd52-7a8b-4a5c-8fc7-49844418e6c9|Ansible|Medium|Resource Management|AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions|Documentation
| -|Hardcoded AWS Access Key In Lambda
f34508b9-f574-4330-b42d-88c44cced645|Ansible|Medium|Secret Management|Lambda access key should not be in plaintext.|Documentation
| -|Project-wide SSH Keys Are Enabled In VM Instances
099b4411-d11e-4537-a0fc-146b19762a79|Ansible|Medium|Secret Management|Check if the VM Instance doesn't block project-wide SSH keys.|Documentation
| -|IAM Policy Grants 'AssumeRole' Permission Across All Services
12a7a7ce-39d6-49dd-923d-aeb4564eb66c|Ansible|Low|Access Control|IAM role allows All services or principals to assume it|Documentation
| -|IAM Role Allows All Principals To Assume
babdedcf-d859-43da-9a7b-6d72e661a8fd|Ansible|Low|Access Control|IAM role allows all services or principals to assume it|Documentation
| -|IAM Policies Attached To User
eafe4bc3-1042-4f88-b988-1939e64bf060|Ansible|Low|Best Practices|IAM policies should be attached only to groups or roles|Documentation
| -|Lambda Permission Misconfigured
3ddf3417-424d-420d-8275-0724dc426520|Ansible|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction'|Documentation
| -|CDN Configuration Is Missing
b25398a2-0625-4e61-8e4d-a1bb23905bf6|Ansible|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination.|Documentation
| -|EFS Without Tags
b8a9852c-9943-4973-b8d5-77dae9352851|Ansible|Low|Build Process|Amazon Elastic Filesystem should have filesystem tags associated|Documentation
| -|SQS with SSE disabled
e1e7b278-2a8b-49bd-a26e-66a7f70b17eb|Ansible|Low|Encryption| SQS Queue should be protected with CMK encryption|Documentation
| -|Cloudfront Without WAF
22c80725-e390-4055-8d14-a872230f6607|Ansible|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service|Documentation
| -|CloudTrail Log File Validation Disabled
4d8681a2-3d30-4c89-8070-08acd142748e|Ansible|Low|Observability|CloudTrail Log Files should have validation enabled|Documentation
| -|Lambda Functions Without X-Ray Tracing
71397b34-1d50-4ee1-97cb-c96c34676f74|Ansible|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_mode' should have the value 'Active'|Documentation
| -|S3 Bucket Logging Disabled
c3b9f7b0-f5a0-49ec-9cbc-f1e346b7274d|Ansible|Low|Observability|S3 bucket without debug_botocore_endpoint_logs|Documentation
| -|Hardcoded AWS Access Key
c2f15af3-66a0-4176-a56e-e4711e502e5c|Ansible|Low|Secret Management|Check if the user data in the EC2 instance has the access key hardcoded|Documentation
| -|Tiller Service Is Not Deleted
8b862ca9-0fbd-4959-ad72-b6609bdaa22d|Kubernetes|High|Insecure Configurations|Check if there is any Tiller Service present|Documentation
| -|Host Aliases Undefined Or Empty
72b03514-20ae-4409-8842-2dd70c2e25aa|Kubernetes|High|Insecure Configurations|A Pod should have Host Aliases defined as to prevent the container from modifying the file after a pod's containers have already been started. This means the attribute 'spec.hostAliases' must be defined and not empty or null.|Documentation
| -|Tiller (Helm v2) Is Deployed
6d173be7-545a-46c6-a81d-2ae52ed1605d|Kubernetes|High|Insecure Configurations|Check if Tiller is deployed.|Documentation
| -|PSP Allows Containers To Share The Host Network Namespace
a33e9173-b674-4dfb-9d82-cf3754816e4b|Kubernetes|High|Insecure Configurations|Check if Pod Security Policies allow containers to share the host network namespace.|Documentation
| -|Not Limited Capabilities For Pod Security Policy
caa93370-791f-4fc6-814b-ba6ce0cb4032|Kubernetes|High|Insecure Configurations|Limit capabilities for a Pod Security Policy|Documentation
| -|Privilege Escalation Allowed
5572cc5e-1e4c-4113-92a6-7a8a3bd25e6d|Kubernetes|High|Insecure Configurations|Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process|Documentation
| -|Object Is Using A Deprecated API Version
94b76ea5-e074-4ca2-8a03-c5a606e30645|Kubernetes|High|Insecure Configurations|Check if any objects are using a deprecated version of API.|Documentation
| -|Cluster Allows Unsafe Sysctls
9127f0d9-2310-42e7-866f-5fd9d20dcbad|Kubernetes|High|Insecure Configurations|A Kubernetes Cluster must not allow Unsafe Sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means the 'spec.securityContext.sysctls' must not have an Unsafe Sysctls and that the atrribute 'allowedUnsafeSysctls' must be undefined.|Documentation
| -|Shared Host IPC Namespace
cd290efd-6c82-4e9d-a698-be12ae31d536|Kubernetes|High|Insecure Configurations|Container should not share the host IPC namespace|Documentation
| -|Shared Host Network Namespace
6b6bdfb3-c3ae-44cb-88e4-7405c1ba2c8a|Kubernetes|High|Insecure Configurations|Container should not share the host network namespace|Documentation
| -|Shared Host PID Namespace
302736f4-b16c-41b8-befe-c0baffa0bd9d|Kubernetes|High|Insecure Configurations|Container should not share the host process ID namespace|Documentation
| -|Container Is Privileged
dd29336b-fe57-445b-a26e-e6aa867ae609|Kubernetes|High|Insecure Configurations|Do not allow container to be privileged.|Documentation
| -|NET_RAW Capabilities Not Being Dropped
dbbc6705-d541-43b0-b166-dd4be8208b54|Kubernetes|High|Insecure Configurations|Containers should drop 'NET_RAW' or 'ALL' capabilities|Documentation
| -|Role Binding To Default Service Account
1e749bc9-fde8-471c-af0c-8254efd2dee5|Kubernetes|High|Insecure Defaults|No role nor cluster role should bind to a default service account|Documentation
| -|Tiller Deployment Is Accessible From Within The Cluster
e17fa86a-6222-4584-a914-56e8f6c87e06|Kubernetes|High|Networking and Firewall|Check if any Tiller Deployment container allows access from within the cluster.|Documentation
| -|Non Kube System Pod With Host Mount
aa8f7a35-9923-4cad-bd61-a19b7f6aac91|Kubernetes|Medium|Access Control|A non kube-system workload should not have hostPath mounted|Documentation
| -|RBAC Roles with Read Secrets Permissions
b7bca5c4-1dab-4c2c-8cbe-3050b9d59b14|Kubernetes|Medium|Access Control|Minimize access to secrets (RBAC)|Documentation
| -|Readiness Probe Is Not Configured
a659f3b5-9bf0-438a-bd9a-7d3a6427f1e3|Kubernetes|Medium|Availability|Check if Readiness Probe is not configured.|Documentation
| -|Liveness Probe Is Not Defined
ade74944-a674-4e00-859e-c6eab5bde441|Kubernetes|Medium|Availability|Liveness Probe must be defined.|Documentation
| -|Container Running With Low UID
02323c00-cdc3-4fdc-a310-4f2b3e7a1660|Kubernetes|Medium|Best Practices|Check if containers are running with low UID, which might cause conflicts with the host's user table.|Documentation
| -|Root Containers Admitted
e3aa0612-4351-4a0d-983f-aefea25cf203|Kubernetes|Medium|Best Practices|Containers must not be allowed to run with root privileges, which means the attributes 'privileged','allowPrivilegeEscalation' and 'readOnlyRootFilesystem' must be set to false, 'runAsUser.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden|Documentation
| -|Container Running As Root
cf34805e-3872-4c08-bf92-6ff7bb0cfadb|Kubernetes|Medium|Best Practices|Check if containers are running as root unduly.|Documentation
| -|Resource With Allow Privilege Escalation
0a7c420c-4568-4cec-ba36-4d42a6f9613b|Kubernetes|Medium|Best Practices|Minimize the admission of privileged resources|Documentation
| -|Incorrect Volume Claim Access Mode ReadWriteOnce
3878dc92-8e5d-47cf-9cdd-7590f71d21b9|Kubernetes|Medium|Build Process|Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce'|Documentation
| -|NET_RAW Capabilities Disabled for PSP
2270987f-bb51-479f-b8be-3ca73e5ad648|Kubernetes|Medium|Insecure Configurations|Containers need to have NET_RAW or All as drop capabilities|Documentation
| -|Workload Mounting With Sensitive OS Directory
5308a7a8-06f8-45ac-bf10-791fe21de46e|Kubernetes|Medium|Insecure Configurations|Workload is mounting a volume with sensitive OS Directory|Documentation
| -|Container Runs Unmasked
f922827f-aab6-447c-832a-e1ff63312bd3|Kubernetes|Medium|Insecure Configurations|Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime.|Documentation
| -|Containers With Added Capabilities
19ebaa28-fc86-4a58-bcfa-015c9e22fe40|Kubernetes|Medium|Insecure Configurations|Containers should not have added capability|Documentation
| -|Default Service Account In Use
b93e973e-9066-4455-a63b-c1c0e1ec3a48|Kubernetes|Medium|Insecure Configurations|Default service accounts should not be actively used|Documentation
| -|PSP Allows Sharing Host PID
91dacd0e-d189-4a9c-8272-5999a3cc32d9|Kubernetes|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host process ID namespace|Documentation
| -|Seccomp Profile Is Not Configured
f377b83e-bd07-4f48-a591-60c82b14a78b|Kubernetes|Medium|Insecure Configurations|Check if any resource does not configure Seccomp default profile properly|Documentation
| -|Using Default Namespace
611ab018-c4aa-4ba2-b0f6-a448337509a6|Kubernetes|Medium|Insecure Configurations|The default namespace should not be used|Documentation
| -|PSP With Added Capabilities
7307579a-3abb-46ad-9ce5-2a915634d5c8|Kubernetes|Medium|Insecure Configurations|PodSecurityPolicy should not have added capabilities|Documentation
| -|PSP Set To Privileged
c48e57d3-d642-4e0b-90db-37f807b41b91|Kubernetes|Medium|Insecure Configurations|Do not allow pod to request execution as privileged.|Documentation
| -|PSP Allows Sharing Host IPC
80f93444-b240-4ebb-a4c6-5c40b76c04ea|Kubernetes|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host IPC namespace|Documentation
| -|Containers With Sys Admin Capabilities
235236ee-ad78-4065-bd29-61b061f28ce0|Kubernetes|Medium|Insecure Configurations|Containers should not have CAP_SYS_ADMIN Linux capability|Documentation
| -|Ingress Controller Exposes Workload
69bbc5e3-0818-4150-89cc-1e989b48f23b|Kubernetes|Medium|Insecure Configurations|Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks|Documentation
| -|Not Limited Capabilities For Container
2f1a0619-b12b-48a0-825f-993bb6f01d58|Kubernetes|Medium|Insecure Configurations|Limit the capabilities for a Container.|Documentation
| -|PSP Allows Privilege Escalation
87554eef-154d-411d-bdce-9dbd91e56851|Kubernetes|Medium|Insecure Configurations|PodSecurityPolicy should not allow privilege escalation|Documentation
| -|Service Account Token Automount Not Disabled
48471392-d4d0-47c0-b135-cdec95eb3eef|Kubernetes|Medium|Insecure Defaults|Service Account Tokens are automatically mounted even if not necessary|Documentation
| -|Service Account Name Undefined Or Empty
591ade62-d6b0-4580-b1ae-209f80ba1cd9|Kubernetes|Medium|Insecure Defaults|A Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'serviceAccountName' should be defined and not empty.|Documentation
| -|Pod Misconfigured Network Policy
0401f71b-9c1e-4821-ab15-a955caa621be|Kubernetes|Medium|Networking and Firewall|Check if any pod is not being targeted by a proper network policy.|Documentation
| -|Service With External Load Balance
26763a1c-5dda-4772-b507-5fca7fb5f165|Kubernetes|Medium|Networking and Firewall|Service has an external load balancer, which may cause accessibility from other networks and the Internet|Documentation
| -|Network Policy Is Not Targeting Any Pod
85ab1c5b-014e-4352-b5f8-d7dea3bb4fd3|Kubernetes|Medium|Networking and Firewall|Check if any network policy is not targeting any pod.|Documentation
| -|Volume Mount with OS Directory Write Permissions
b7652612-de4e-4466-a0bf-1cd81f0c6063|Kubernetes|Medium|Resource Management|Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries.|Documentation
| -|Memory Limits Not Defined
b14d1bc4-a208-45db-92f0-e21f8e2588e9|Kubernetes|Medium|Resource Management|Memory limits should be specified|Documentation
| -|CPU Limits Not Set
4ac0e2b7-d2d2-4af7-8799-e8de6721ccda|Kubernetes|Medium|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests|Documentation
| -|Memory Requests Not Defined
229588ef-8fde-40c8-8756-f4f2b5825ded|Kubernetes|Medium|Resource Management|Memory requests should be specified|Documentation
| -|CPU Requests Not Set
ca469dd4-c736-448f-8ac1-30a642705e0a|Kubernetes|Medium|Resource Management|CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node|Documentation
| -|Shared Service Account
c1032cf7-3628-44e2-bd53-38c17cf31b6b|Kubernetes|Medium|Secret Management|A Service Account token is shared between workloads|Documentation
| -|ServiceAccount Allows Access Secrets
056ac60e-fe07-4acc-9b34-8e1d51716ab9|Kubernetes|Medium|Secret Management|Roles and ClusterRoles when binded, should not use get, list or watch as verbs|Documentation
| -|Missing App Armor Config
8b36775e-183d-4d46-b0f7-96a6f34a723f|Kubernetes|Low|Access Control|Containers should be configured with AppArmor for any application to reduce its potential attack|Documentation
| -|Cluster Admin Rolebinding With Superuser Permissions
249328b8-5f0f-409f-b1dd-029f07882e11|Kubernetes|Low|Access Control|Ensure that the cluster-admin role is only used where required (RBAC)|Documentation
| -|Permissive Access to Create Pods
592ad21d-ad9b-46c6-8d2d-fad09d62a942|Kubernetes|Low|Access Control|The permission to create pods in a cluster should be restricted because it allows privilege escalation.|Documentation
| -|RBAC Wildcard In Rule
6b896afb-ca07-467a-b256-1a0077a1c08e|Kubernetes|Low|Access Control|Kubernetes Roles and ClusterRoles should not use wildcards in rules (objects or actions)|Documentation
| -|Docker Daemon Socket is Exposed to Containers
a6f34658-fdfb-4154-9536-56d516f65828|Kubernetes|Low|Access Control|Sees if Docker Daemon Socket is not exposed to Containers|Documentation
| -|HPA Targets Invalid Object
2f652c42-619d-4361-b361-9f599688f8ca|Kubernetes|Low|Availability|The Horizontal Pod Autoscale must target a valid object|Documentation
| -|StatefulSets Without Service Name
bb241e61-77c3-4b97-9575-c0f8a1e008d0|Kubernetes|Low|Availability|Check if the StatefulSets have a headless 'serviceName'|Documentation
| -|HPA Targeted Deployments With Configured Replica Count
5744cbb8-5946-4b75-a196-ade44449525b|Kubernetes|Low|Availability|Deployments targeted by HorizontalPodAutoscaler should not have a statically configured replica count set|Documentation
| -|StatefulSet Without PodDisruptionBudget
1db3a5a5-bf75-44e5-9e44-c56cfc8b1ac5|Kubernetes|Low|Availability|StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
| -|Deployment Without PodDisruptionBudget
b23e9b98-0cb6-4fc9-b257-1f3270442678|Kubernetes|Low|Availability|Deployments should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
| -|Metadata Label Is Invalid
1123031a-f921-4c5b-bd86-ef354ecfd37a|Kubernetes|Low|Best Practices|Check if any label in the metadata is invalid.|Documentation
| -|No Drop Capabilities for Containers
268ca686-7fb7-4ae9-b129-955a2a89064e|Kubernetes|Low|Best Practices|Sees if Kubernetes Drop Capabilities exists to ensure containers security context|Documentation
| -|Root Container Not Mounted As Read-only
a9c2f49d-0671-4fc9-9ece-f4e261e128d0|Kubernetes|Low|Build Process|Check if the root container filesystem is not being mounted as read-only.|Documentation
| -|StatefulSet Requests Storage
8cf4671a-cf3d-46fc-8389-21e7405063a2|Kubernetes|Low|Build Process|A StatefulSet requests volume storage.|Documentation
| -|Image Without Digest
7c81d34c-8e5a-402b-9798-9f442630e678|Kubernetes|Low|Insecure Configurations|Sees if Kubernetes image has digest on|Documentation
| -|Service Does Not Target Pod
3ca03a61-3249-4c16-8427-6f8e47dda729|Kubernetes|Low|Insecure Configurations|Service should Target a Pod|Documentation
| -|Image Pull Policy Of The Container Is Not Set To Always
caa3479d-885d-4882-9aac-95e5e78ef5c2|Kubernetes|Low|Insecure Configurations|Image Pull Policy of the container must be defined and set to Always|Documentation
| -|Pod or Container Without Security Context
a97a340a-0063-418e-b3a1-3028941d0995|Kubernetes|Low|Insecure Configurations|A security context defines privilege and access control settings for a Pod or Container|Documentation
| -|Dashboard Is Enabled
d2ad057f-0928-41ef-a83c-f59203bb855b|Kubernetes|Low|Insecure Configurations|If not needed, disabling the dashboard can prevent from being used as an attack vector|Documentation
| -|Image Host Port Not Specified
2b1836f1-dcce-416e-8e16-da8c71920633|Kubernetes|Low|Networking and Firewall|Sees if Kubernetes Image Host Port is Specified|Documentation
| -|Service Type is NodePort
845acfbe-3e10-4b8e-b656-3b404d36dfb2|Kubernetes|Low|Networking and Firewall|Service type should not be NodePort|Documentation
| -|Container Requests Not Equal To It's Limits
aee3c7d2-a811-4201-90c7-11c028be9a46|Kubernetes|Low|Resource Management|A Pod's Containers must have the same requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.memory' and 'requests.cpu' must equal 'limits.memory' and 'limits.cpu', respectively, and all four must be defined.|Documentation
| -|Deployment Has No PodAntiAffinity
a31b7b82-d994-48c4-bd21-3bab6c31827a|Kubernetes|Low|Resource Management|Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node.|Documentation
| -|Container CPU Requests Not Equal To It's Limits
9d43040e-e703-4e16-8bfe-8d4da10fa7e6|Kubernetes|Low|Resource Management|A Pod's Containers must have the same CPU requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.cpu' must equal 'limits.cpu', and both be defined.|Documentation
| -|CronJob Deadline Not Configured
192fe40b-b1c3-448a-aba2-6cc19a300fe3|Kubernetes|Low|Resource Management|Cronjobs must have a configured deadline, which means the attribute 'startingDeadlineSeconds' must be defined|Documentation
| -|Container Memory Requests Not Equal To It's Limits
aafa7d94-62de-4fbf-8838-b69ee217b0e6|Kubernetes|Low|Resource Management|A Pod's Containers must have the same Memory requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.memory' must equal 'limits.memory', and both be defined.|Documentation
| -|StatefulSet Has No PodAntiAffinity
d740d048-8ed3-49d3-b77b-6f072f3b669e|Kubernetes|Low|Resource Management|Check if StatefulSet resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node.|Documentation
| -|Secrets As Environment Variables
3d658f8b-d988-41a0-a841-40043121de1e|Kubernetes|Low|Secret Management|Container should not use secrets as environment variables|Documentation
| -|Invalid Image
583053b7-e632-46f0-b989-f81ff8045385|Kubernetes|Low|Supply-Chain|Image must be defined and not be empty or equal to latest.|Documentation
| -|ECS Service Admin Role Is Present
01986452-bdd8-4aaa-b5df-d6bf61d616ff|CloudFormation|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'role' must not be an admin role|Documentation
| -|S3 Static Website Host Enabled
90501b1b-cded-4cc1-9e8b-206b85cda317|CloudFormation|High|Access Control|It's dangerous disabling a block public access settings in bucket or writing a bucket policy that grants public read access|Documentation
| -|S3 Bucket With All Permissions
4ae8af91-5108-42cb-9471-3bdbe596eac9|CloudFormation|High|Access Control|S3 Buckets must not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals.|Documentation
| -|S3 Bucket Allows Get Action From All Principals
f97b7d23-568f-4bcc-9ac9-02df0d57fbba|CloudFormation|High|Access Control|S3 Buckets must not allow Get Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals.|Documentation
| -|S3 Bucket ACL Allows Read to All Users
219f4c95-aa50-44e0-97de-cf71f4641170|CloudFormation|High|Access Control|S3 Buckets sould not be readable and writable to all users|Documentation
| -|S3 Bucket ACL Allows Read Or Write to All Users
07dda8de-d90d-469e-9b37-1aca53526ced|CloudFormation|High|Access Control|S3 Buckets sould not be readable and writable to all users|Documentation
| -|S3 Bucket Allows Restore Actions From All Principals
456b00a3-1072-4149-9740-6b8bb60251b0|CloudFormation|High|Access Control|S3 Buckets must not allow Restore Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Restore, for all Principals.|Documentation
| -|Root Account Has Active Access Keys
4c137350-7307-4803-8c04-17c09a7a9fcf|CloudFormation|High|Access Control|Check if the root user has any access keys associated to it.|Documentation
| -|S3 Bucket ACL Allows Read to Any Authenticated User
835d5497-a526-4aea-a23f-98a9afd1635f|CloudFormation|High|Access Control|S3 Buckets sould not be readable and writable to all users|Documentation
| +|UNIX Ports Out Of Range
71bf8cf8-f0a1-42fa-b9d2-d10525e0a38e|Dockerfile|High|Availability|Exposing UNIX ports out of range from 0 to 65535|Documentation
| +|COPY '--from' References Current FROM Alias
cdddb86f-95f6-4fc4-b5a1-483d9afceb2b|Dockerfile|High|Build Process|COPY '--from' should not mention the current FROM alias, since it is impossible to copy from itself|Documentation
| +|Copy With More Than Two Arguments Not Ending With Slash
6db6e0c2-32a3-4a2e-93b5-72c35f4119db|Dockerfile|High|Build Process|When a COPY command has more than two arguments, the last one should end with a slash|Documentation
| +|Missing User Instruction
fd54f200-402c-4333-a5a4-36ef6709af2f|Dockerfile|High|Build Process|A user should be specified in the dockerfile, otherwise the image will run as root|Documentation
| +|Same Alias In Different Froms
f2daed12-c802-49cd-afed-fe41d0b82fed|Dockerfile|High|Build Process|Different FROMS cant have the same alias defined|Documentation
| +|Multiple ENTRYPOINT Instructions Listed
6938958b-3f1a-451c-909b-baeee14bdc97|Dockerfile|High|Build Process|There can only be one ENTRYPOINT instruction in a Dockerfile. Only the last ENTRYPOINT instruction in the Dockerfile will have an effect|Documentation
| +|WORKDIR Path Not Absolute
6b376af8-cfe8-49ab-a08d-f32de23661a4|Dockerfile|High|Build Process|For clarity and reliability, you should always use absolute paths for your WORKDIR|Documentation
| +|Run Using Sudo
8ada6e80-0ade-439e-b176-0b28f6bce35a|Dockerfile|High|Insecure Configurations|Avoid RUN with sudo command as it leads to unpredictable behavior|Documentation
| +|Run Using dnf Update
09fda05e-da85-4ee7-ab8d-2800a5e6e756|Dockerfile|High|Supply-Chain|Command 'dnf update' should not be used, as it can cause inconsistencies between builds and fails in updated packages|Documentation
| +|Run Using Upgrade Commands
682fe378-c180-4bd5-8a14-95fc285fb269|Dockerfile|High|Supply-Chain|Commands 'apt-get upgrade' and 'apt-get dist-upgrade' should not be used|Documentation
| +|Yum Update Enabled
8f6456be-0018-46db-9ce6-b3b6dc8d34d2|Dockerfile|High|Supply-Chain|Yum update is being used|Documentation
| +|Use of Apk Upgrade
989ab888-7d1e-410f-9dde-c64a1d367bf2|Dockerfile|High|Supply-Chain|Avoid usage of apk upgrade because some packages from the parent image cannot be upgraded inside an unprivileged container|Documentation
| +|Last User Is 'root'
67fd0c4a-68cf-46d7-8c41-bc9fba7e40ae|Dockerfile|Medium|Best Practices|Leaving the last user as root can cause security risks. Change to another user after running the commands the need privileges|Documentation
| +|Multiple CMD Instructions Listed
41c195f4-fc31-4a5c-8a1b-90605538d49f|Dockerfile|Medium|Build Process|There can only be one CMD instruction in a Dockerfile. If you list more than one CMD then only the last CMD will take effect|Documentation
| +|Not Using JSON In CMD And ENTRYPOINT Arguments
b86987e1-6397-4619-81d5-8807f2387c79|Dockerfile|Medium|Build Process|Ensure that we are using JSON in the CMD and ENTRYPOINT Arguments|Documentation
| +|RUN Instruction Using 'cd' Instead of WORKDIR
f4a6bcd3-e231-4acf-993c-aa027be50d2e|Dockerfile|Medium|Build Process|Use WORKDIR instead of proliferating instructions like RUN cd … && do-something, which are hard to read, troubleshoot, and maintain.|Documentation
| +|Update Instruction Alone
9bae49be-0aa3-4de5-bab2-4c3a069e40cd|Dockerfile|Medium|Build Process|Instruction 'RUN update' should always be followed by ' install' in the same RUN statement|Documentation
| +|COPY '--from' Without FROM Alias Defined Previously
68a51e22-ae5a-4d48-8e87-b01a323605c9|Dockerfile|Medium|Build Process|COPY command with the flag '--from' should mention a previously defined FROM alias|Documentation
| +|Shell Running A Pipe Without Pipefail Flag
efbf148a-67e9-42d2-ac47-02fa1c0d0b22|Dockerfile|Medium|Insecure Defaults|Check if shell commands with pipes (except Powershell) have the pipefail flag set (-o).|Documentation
| +|Changing Default Shell Using SHELL Command
8a301064-c291-4b20-adcb-403fe7fd95fd|Dockerfile|Medium|Insecure Defaults|Using the command SHELL to override the default shell instead of the RUN command|Documentation
| +|Secrets Stored In Dockerfile
c3e1b6ae-d92c-44b3-8ed5-1f5442bab6a4|Dockerfile|Medium|Secret Management|Scan Dockerfile to ensure that there are no secrets stored|Documentation
| +|Run Using Zypper Update
d4895357-dd49-4ba5-b726-1bb81cb50989|Dockerfile|Medium|Supply-Chain|'zypper update' should not be used. Can cause inconsistencies between builds, producing problems for application developers|Documentation
| +|Image Version Using 'latest'
f45ea400-6bbe-4501-9fc7-1c3d75c32067|Dockerfile|Medium|Supply-Chain|When building images, always tag them with useful tags which codify version information, intended destination (prod or test, for instance), stability, or other information that is useful when deploying the application in different environments. Do not rely on the automatically-created latest tag|Documentation
| +|Yum Install Allows Manual Input
6e19193a-8753-436d-8a09-76dcff91bb03|Dockerfile|Medium|Supply-Chain|Need to use -y to avoid manual input 'yum install -y '|Documentation
| +|Run Using 'wget' and 'curl'
fc775e75-fcfb-4c98-b2f2-910c5858b359|Dockerfile|Medium|Supply-Chain|Shouldn't use both 'wget' and 'curl' since they are two tools that have the same effect|Documentation
| +|Yum install Without Version
6452c424-1d92-4deb-bb18-a03e95d579c4|Dockerfile|Medium|Supply-Chain|Not specifying the package version can cause failures due to unanticipated changes in required packages|Documentation
| +|Missing Version Specification In dnf install
93d88cf7-f078-46a8-8ddc-178e03aeacf1|Dockerfile|Medium|Supply-Chain|Specifying a package version allows to reduce failures due to unanticipated changes in required packages.|Documentation
| +|APT-GET Missing '-y' To Avoid Manual Input
77783205-c4ca-4f80-bb80-c777f267c547|Dockerfile|Medium|Supply-Chain|Check if apt-get calls use the flag -y to avoid user manual input.|Documentation
| +|Missing Zypper Clean
38300d1a-feb2-4a48-936a-d1ef1cd24313|Dockerfile|Medium|Supply-Chain|Reduce layer and image size by deleting unneeded caches after running zypper|Documentation
| +|Image Version Not Explicit
9efb0b2d-89c9-41a3-91ca-dcc0aec911fd|Dockerfile|Medium|Supply-Chain|Always tag the version of an image explicitly|Documentation
| +|Gem Install Without Version
22cd11f7-9c6c-4f6e-84c0-02058120b341|Dockerfile|Medium|Supply-Chain|Instead of 'gem install ' we should use 'gem install :'|Documentation
| +|NPM Install Command Without Pinned Version
e36d8880-3f78-4546-b9a1-12f0745ca0d5|Dockerfile|Medium|Supply-Chain|Check if packages installed by npm are pinning a specific version.|Documentation
| +|Run Using apt
b84a0b47-2e99-4c9f-8933-98bcabe2b94d|Dockerfile|Medium|Supply-Chain|apt is discouraged by the linux distributions as an unattended tool as its interface may suffer changes between versions. Better use the more stable apt-get and apt-cache|Documentation
| +|Using Platform Flag with FROM Command
b16e8501-ef3c-44e1-a543-a093238099c9|Dockerfile|Medium|Supply-Chain|Don't use '--platform' flag with FROM|Documentation
| +|Unpinned Package Version in Apk Add
d3499f6d-1651-41bb-a9a7-de925fea487b|Dockerfile|Medium|Supply-Chain|Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes|Documentation
| +|Unpinned Package Version in Pip Install
02d9c71f-3ee8-4986-9c27-1a20d0d19bfc|Dockerfile|Medium|Supply-Chain|Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes|Documentation
| +|Missing Dnf Clean All
295acb63-9246-4b21-b441-7c1f1fb62dc0|Dockerfile|Medium|Supply-Chain|Cached package data should be cleaned after installation to reduce image size|Documentation
| +|Zypper Install Without Version
562952e4-0348-4dea-9826-44f3a2c6117b|Dockerfile|Medium|Supply-Chain|Not specifying the package version can cause failures due to unanticipated changes in required packages|Documentation
| +|Yum Clean All Missing
00481784-25aa-4a55-8633-3136dfcf4f37|Dockerfile|Medium|Supply-Chain|Need to use 'yum clean all' after using a 'yum install' command to clean package cached data and reduce image size|Documentation
| +|Pip install Keeping Cached Packages
f2f903fb-b977-461e-98d7-b3e2185c6118|Dockerfile|Medium|Supply-Chain|When installing packages with pip, the '--no-cache-dir' flag should be set to make Docker images smaller|Documentation
| +|Missing Flag From Dnf Install
7ebd323c-31b7-4e5b-b26f-de5e9e477af8|Dockerfile|Medium|Supply-Chain|The '-y' or '--assumeyes' flag should be added when invoking dnf install. If omitted, it can cause the command to fail during the build process, because dnf would expect manual input.|Documentation
| +|Apt Get Install Pin Version Not Defined
965a08d7-ef86-4f14-8792-4a3b2098937e|Dockerfile|Medium|Supply-Chain|When installing a package, its pin version should be defined|Documentation
| +|Missing Zypper Non-interactive Switch
45e1fca5-f90e-465d-825f-c2cb63fa3944|Dockerfile|Medium|Supply-Chain|Omitting the non-interactive switch causes the command to fail during the build process, because zypper would expect manual input|Documentation
| +|Chown Flag Exists
aa93e17f-b6db-4162-9334-c70334e7ac28|Dockerfile|Low|Best Practices|If the user only needs execution permissions on the file and not ownership, don't use --chown option|Documentation
| +|Curl or Wget Instead of Add
4b410d24-1cbe-4430-a632-62c9a931cf1c|Dockerfile|Low|Best Practices|Use Curl or Wget instead of Add to fetch packages from remote URLs, because using Add is strongly discouraged|Documentation
| +|MAINTAINER Instruction Being Used
99614418-f82b-4852-a9ae-5051402b741c|Dockerfile|Low|Best Practices|The MAINTAINER instruction sets the Author field of the generated images. The LABEL instruction is a much more flexible version of this and you should use it instead, as it enables setting any metadata you require, and can be viewed easily|Documentation
| +|Multiple RUN, ADD, COPY, Instructions Listed
0008c003-79aa-42d8-95b8-1c2fe37dbfe6|Dockerfile|Low|Best Practices|Multiple commands (RUN, Copy, And) should be grouped in order to reduce the number of layers.|Documentation
| +|Exposing Port 22 (SSH)
5907595b-5b6d-4142-b173-dbb0e73fbff8|Dockerfile|Low|Best Practices|Expose only the ports that your application needs and avoid exposing ports like SSH (22)|Documentation
| +|Add Instead of Copy
9513a694-aa0d-41d8-be61-3271e056f36b|Dockerfile|Low|Build Process|Should use COPY instead of ADD unless, running a tar file|Documentation
| +|Healthcheck Instruction Missing
b03a748a-542d-44f4-bb86-9199ab4fd2d5|Dockerfile|Low|Insecure Configurations|Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working|Documentation
| +|Apk Add Using Local Cache Path
ae9c56a6-3ed1-4ac0-9b54-31267f51151d|Dockerfile|Info|Supply-Chain|When installing packages, use the '--no-cache' switch to avoid the need to use '--update' and remove '/var/cache/apk/*'|Documentation
| +|APT-GET Not Avoiding Additional Packages
7384dfb2-fcd1-4fbf-91cd-6c44c318c33c|Dockerfile|Info|Supply-Chain|Check if any apt-get installs don't use '--no-install-recommends' flag to avoid installing additional packages.|Documentation
| +|Run Utilities And POSIX Commands
9b6b0f38-92a2-41f9-b881-3a1083d99f1b|Dockerfile|Info|Supply-Chain|Some POSIX commands and interactive utilities shouldn't run inside a Docker Container|Documentation
| +|Apt Get Install Lists Were Not Deleted
df746b39-6564-4fed-bf85-e9c44382303c|Dockerfile|Info|Supply-Chain|After using apt-get install, it is needed to delete apt-get lists|Documentation
| |S3 Bucket Allows Put Action From All Principals
f6397a20-4cf1-4540-a997-1d363c25ef58|CloudFormation|High|Access Control|S3 Buckets must not allow Put Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals.|Documentation
| |Lambda Functions With Full Privileges
a0ae0a4e-712b-4115-8112-51b9eeed9d69|CloudFormation|High|Access Control|AWS Lambda Functions should not have roles with policies granting full administrative privileges.|Documentation
| +|S3 Bucket ACL Allows Read Or Write to All Users
07dda8de-d90d-469e-9b37-1aca53526ced|CloudFormation|High|Access Control|S3 Buckets sould not be readable and writable to all users|Documentation
| +|S3 Bucket Allows Get Action From All Principals
f97b7d23-568f-4bcc-9ac9-02df0d57fbba|CloudFormation|High|Access Control|S3 Buckets must not allow Get Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals.|Documentation
| +|S3 Bucket Allows Restore Actions From All Principals
456b00a3-1072-4149-9740-6b8bb60251b0|CloudFormation|High|Access Control|S3 Buckets must not allow Restore Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Restore, for all Principals.|Documentation
| +|S3 Bucket ACL Allows Read to All Users
219f4c95-aa50-44e0-97de-cf71f4641170|CloudFormation|High|Access Control|S3 Buckets sould not be readable and writable to all users|Documentation
| +|ECS Service Admin Role Is Present
01986452-bdd8-4aaa-b5df-d6bf61d616ff|CloudFormation|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'role' must not be an admin role|Documentation
| +|S3 Bucket Access to Any Principal
7772bb8c-c0f3-42d4-8e4e-f1b8939ad085|CloudFormation|High|Access Control|The S3 Bucket should not have the (accessPublicBlock empty or accessPublicBlock.ignorePublicAcls = false or accessPublicBlock.restrictPublicBuckets = false ) and ( policy.Statement contain [Effect='Allow' and (Principal='*' or Principal.AWS='*')])|Documentation
| |S3 Bucket Allows List Action From All Principals
faa8fddf-c0aa-4b2d-84ff-e993e233ebe9|CloudFormation|High|Access Control|S3 Buckets must not allow List Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals.|Documentation
| +|S3 Bucket With All Permissions
4ae8af91-5108-42cb-9471-3bdbe596eac9|CloudFormation|High|Access Control|S3 Buckets must not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals.|Documentation
| |S3 Bucket Allows Delete Action From All Principals
acc78859-765e-4011-a229-a65ea57db252|CloudFormation|High|Access Control|S3 Buckets must not allow Delete Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals.|Documentation
| +|S3 Bucket ACL Allows Read to Any Authenticated User
835d5497-a526-4aea-a23f-98a9afd1635f|CloudFormation|High|Access Control|S3 Buckets sould not be readable and writable to all users|Documentation
| |IAM Policies With Full Privileges
953b3cdb-ce13-428a-aa12-318726506661|CloudFormation|High|Access Control|IAM policies shouldn't allow full administrative privileges|Documentation
| -|ELB Using Insecure Protocols
61a94903-3cd3-4780-88ec-fc918819b9c8|CloudFormation|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the ELB Listeners must not have Policies that posses Protocols that coincide with any of a predefined list of insecure protocols.|Documentation
| -|Redshift Not Encrypted
3b316b05-564c-44a7-9c3f-405bb95e211e|CloudFormation|High|Encryption|AWS Redshift Cluster should be encrypted|Documentation
| -|CloudTrail Log Files Not Encrypted
050a9ba8-d1cb-4c61-a5e8-8805a70d3b85|CloudFormation|High|Encryption|Logs delivered by CloudTrail should be encrypted using KMS|Documentation
| |User Data Contains Encoded Private Key
568cc372-ca64-420d-9015-ee347d00d288|CloudFormation|High|Encryption|User Data Base64 contains an encoded RSA Private Key|Documentation
| -|ElastiCache With Disabled Transit Encryption
3b02569b-fc6f-4153-b3a3-ba91022fed68|CloudFormation|High|Encryption|Ensure AWS ElastiCache Redis clusters have encryption for data at transit enabled|Documentation
| +|S3 Bucket Without Server-side-encryption
b2e8752c-3497-4255-98d2-e4ae5b46bbf5|CloudFormation|High|Encryption|S3 Buckets should have server-side encryption at rest enabled to protect sensitive data|Documentation
| +|Redshift Cluster Without KMS CMK
de76a0d6-66d5-45c9-9022-f05545b85c78|CloudFormation|High|Encryption|AWS Redshift Cluster should have KMS CMK defined|Documentation
| +|ELB Using Insecure Protocols
61a94903-3cd3-4780-88ec-fc918819b9c8|CloudFormation|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the ELB Listeners must not have Policies that posses Protocols that coincide with any of a predefined list of insecure protocols.|Documentation
| +|IAM Database Auth Not Enabled
9fcd0a0a-9b6f-4670-a215-d94e6bf3f184|CloudFormation|High|Encryption|IAM Database Auth Enabled must be configured to true|Documentation
| |Secure Ciphers Disabled
be96849c-3df6-49c2-bc16-778a7be2519c|CloudFormation|High|Encryption|Check if secure ciphers aren't used in CloudFront|Documentation
| +|MSK Cluster Encryption Disabled
a976d63f-af0e-46e8-b714-8c1a9c4bf768|CloudFormation|High|Encryption|Ensure MSK Cluster encryption in rest and transit is enabled.|Documentation
| |Kinesis SSE Not Configured
7f65be75-90ab-4036-8c2a-410aef7bb650|CloudFormation|High|Encryption|AWS Kinesis Stream should have SSE (Server Side Encryption) defined|Documentation
| -|IAM Database Auth Not Enabled
9fcd0a0a-9b6f-4670-a215-d94e6bf3f184|CloudFormation|High|Encryption|IAM Database Auth Enabled must be configured to true|Documentation
| -|CMK Unencrypted Storage
ffee2785-c347-451e-89f3-11aeb08e5c84|CloudFormation|High|Encryption|Ensure that storage is encrypted by KMS on instances that, based on their name, might host a database. |Documentation
| -|Viewer Protocol Policy Allows HTTP
31733ee2-fef0-4e87-9778-65da22a8ecf1|CloudFormation|High|Encryption|Ensure that the Viewer Protocol is only HTTPS Compliant|Documentation
| +|EFS Without KMS
6d087495-2a42-4735-abf7-02ef5660a7e6|CloudFormation|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys|Documentation
| +|Connection Between CloudFront Origin Not Encrypted
a5366a50-932f-4085-896b-41402714a388|CloudFormation|High|Encryption|Checks if the connection between the CloudFront and the origin server is encrypted|Documentation
| +|CloudFormation Specifying Credentials Not Safe
9ecb6b21-18bc-4aa7-bd07-db20f1c746db|CloudFormation|High|Encryption|Specifying credentials in the template itself is probably not safe to do.|Documentation
| +|ElastiCache With Disabled at Rest Encryption
e4ee3903-9225-4b6a-bdfb-e62dbadef821|CloudFormation|High|Encryption|Ensure AWS ElastiCache Redis clusters have encryption for data at rest enabled|Documentation
| +|ECS Task Definition Container With Plaintext Password
f9b10cdb-eaab-4e39-9793-e12b94a582ad|CloudFormation|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data.|Documentation
| +|ELB Without SSL
80908a75-586b-4c61-ab04-490f4f4525b8|CloudFormation|High|Encryption|Check if the ELB is setup with SSL for secure communication|Documentation
| +|RDS Storage Not Encrypted
5beacce3-4020-4a3d-9e1d-a36f953df630|CloudFormation|High|Encryption|AWS RDS DB Instance should be encrypted|Documentation
| +|CloudTrail Log Files Not Encrypted
050a9ba8-d1cb-4c61-a5e8-8805a70d3b85|CloudFormation|High|Encryption|Logs delivered by CloudTrail should be encrypted using KMS|Documentation
| +|Redshift Not Encrypted
3b316b05-564c-44a7-9c3f-405bb95e211e|CloudFormation|High|Encryption|AWS Redshift Cluster should be encrypted|Documentation
| |ECS Cluster Not Encrypted At Rest
6c131358-c54d-419b-9dd6-1f7dd41d180c|CloudFormation|High|Encryption|Ensure that AWS ECS clusters are encrypted. Data encryption at rest, prevents unauthorized users from accessing sensitive data on your AWS ECS clusters and associated cache storage systems.|Documentation
| +|CMK Unencrypted Storage
ffee2785-c347-451e-89f3-11aeb08e5c84|CloudFormation|High|Encryption|Ensure that storage is encrypted by KMS on instances that, based on their name, might host a database. |Documentation
| +|ElastiCache With Disabled Transit Encryption
3b02569b-fc6f-4153-b3a3-ba91022fed68|CloudFormation|High|Encryption|Ensure AWS ElastiCache Redis clusters have encryption for data at transit enabled|Documentation
| |Memcached Disabled
dd0971a6-09c3-4168-8474-a7ef8fbfd99d|CloudFormation|High|Encryption|Check if the Memcached is disabled on the ElastiCache|Documentation
| -|CloudFormation Specifying Credentials Not Safe
9ecb6b21-18bc-4aa7-bd07-db20f1c746db|CloudFormation|High|Encryption|Specifying credentials in the template itself is probably not safe to do.|Documentation
| -|S3 Bucket Without Server-side-encryption
b2e8752c-3497-4255-98d2-e4ae5b46bbf5|CloudFormation|High|Encryption|S3 Buckets should have server-side encryption at rest enabled to protect sensitive data|Documentation
| -|MSK Cluster Encryption Disabled
a976d63f-af0e-46e8-b714-8c1a9c4bf768|CloudFormation|High|Encryption|Ensure MSK Cluster encryption in rest and transit is enabled.|Documentation
| -|Redshift Cluster Without KMS CMK
de76a0d6-66d5-45c9-9022-f05545b85c78|CloudFormation|High|Encryption|AWS Redshift Cluster should have KMS CMK defined|Documentation
| +|Viewer Protocol Policy Allows HTTP
31733ee2-fef0-4e87-9778-65da22a8ecf1|CloudFormation|High|Encryption|Ensure that the Viewer Protocol is only HTTPS Compliant|Documentation
| |EFS Not Encrypted
2ff8e83c-90e1-4d68-a300-6d652112e622|CloudFormation|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled|Documentation
| -|User Data Shell Script Is Encoded
48c3bc58-6959-4f27-b647-4fedeace23be|CloudFormation|High|Encryption|User Data Shell Script must be encoded|Documentation
| -|ELB Without SSL
80908a75-586b-4c61-ab04-490f4f4525b8|CloudFormation|High|Encryption|Check if the ELB is setup with SSL for secure communication|Documentation
| -|DynamoDB With Aws Owned CMK
c8dee387-a2e6-4a73-a942-183c975549ac|CloudFormation|High|Encryption|AWS DynamoDb should be encrypted using AWS Managed CMK, instead of AWS-owned CMK. To verify this, SSEEnabled must be verified if false for AWS-owned CMK or true for AWS-Managed CMK. Default value is false.|Documentation
| |ELB Using Weak Ciphers
809f77f8-d10e-4842-a84f-3be7b6ff1190|CloudFormation|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the ELB Listeners must not have Policies that posses Ciphers that coincide with any of a predefined list of weak ciphers.|Documentation
| -|ElastiCache With Disabled at Rest Encryption
e4ee3903-9225-4b6a-bdfb-e62dbadef821|CloudFormation|High|Encryption|Ensure AWS ElastiCache Redis clusters have encryption for data at rest enabled|Documentation
| |S3 Bucket Without SSL In Write Actions
38c64e76-c71e-4d92-a337-60174d1de1c9|CloudFormation|High|Encryption|S3 Buckets should enforce encryption of data transfers using Secure Sockets Layer (SSL)|Documentation
| +|DynamoDB With Aws Owned CMK
c8dee387-a2e6-4a73-a942-183c975549ac|CloudFormation|High|Encryption|AWS DynamoDb should be encrypted using AWS Managed CMK, instead of AWS-owned CMK. To verify this, SSEEnabled must be verified if false for AWS-owned CMK or true for AWS-Managed CMK. Default value is false.|Documentation
| +|S3 Bucket SSE Disabled
64ab651b-f5b2-4af0-8c89-ddd03c4d0e61|CloudFormation|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required|Documentation
| +|User Data Shell Script Is Encoded
48c3bc58-6959-4f27-b647-4fedeace23be|CloudFormation|High|Encryption|User Data Shell Script must be encoded|Documentation
| |SageMaker Data Encryption Disabled
709e6da6-fa1f-44cc-8f17-7f25f96dadbe|CloudFormation|High|Encryption|Amazon SageMaker's Notebook Instance must have its Data Encryption enabled, which means the attribute 'KmsKeyId' must be defined not empty or null.|Documentation
| -|Connection Between CloudFront Origin Not Encrypted
a5366a50-932f-4085-896b-41402714a388|CloudFormation|High|Encryption|Checks if the connection between the CloudFront and the origin server is encrypted|Documentation
| -|RDS Storage Not Encrypted
5beacce3-4020-4a3d-9e1d-a36f953df630|CloudFormation|High|Encryption|AWS RDS DB Instance should be encrypted|Documentation
| -|EFS Without KMS
6d087495-2a42-4735-abf7-02ef5660a7e6|CloudFormation|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys|Documentation
| -|ECS Task Definition Container With Plaintext Password
f9b10cdb-eaab-4e39-9793-e12b94a582ad|CloudFormation|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data.|Documentation
| |API Gateway Without Security Policy
8275fab0-68ec-4705-bbf4-86975edb170e|CloudFormation|High|Insecure Configurations|API Gateway should have a Security Policy defined and use TLS 1.2.|Documentation
| -|Batch Job Definition With Privileged Container Properties
76ddf32c-85b1-4808-8935-7eef8030ab36|CloudFormation|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties|Documentation
| -|CloudFront Without Minimum Protocol TLS 1.2
dc17ee4b-ddf2-4e23-96e8-7a36abad1303|CloudFormation|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2|Documentation
| -|ECS Task Definition Network Mode Not Recommended
027a4b7a-8a59-4938-a04f-ed532512cf45|CloudFormation|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations|Documentation
| -|Route53 Record Undefined
24d932e1-91f0-46ea-836f-fdbd81694151|CloudFormation|High|Insecure Configurations|Route53 HostedZone must have the Record Set defined.|Documentation
| -|S3 Bucket Access to Any Principal
7772bb8c-c0f3-42d4-8e4e-f1b8939ad085|CloudFormation|High|Insecure Configurations|The S3 Bucket should not have the (accessPublicBlock empty or accessPublicBlock.ignorePublicAcls = false or accessPublicBlock.restrictPublicBuckets = false ) and ( policy.Statement contain [Effect='Allow' and (Principal='*' or Principal.AWS='*')])|Documentation
| +|Redshift Publicly Accessible
bdf8dcb4-75df-4370-92c4-606e4ae6c4d3|CloudFormation|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible, which means the attribute 'PubliclyAccessible' must be set to false|Documentation
| |DB Security Group Has Public IP
de38e1d5-54cb-4111-a868-6f7722695007|CloudFormation|High|Insecure Configurations|RDS must not be defined with public interface, which means the attribute 'PubliclyAccessible' must be set to false.|Documentation
| +|ECS Task Definition Network Mode Not Recommended
027a4b7a-8a59-4938-a04f-ed532512cf45|CloudFormation|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations|Documentation
| +|S3 Static Website Host Enabled
90501b1b-cded-4cc1-9e8b-206b85cda317|CloudFormation|High|Insecure Configurations|It's dangerous disabling a block public access settings in bucket or writing a bucket policy that grants public read access|Documentation
| +|CloudFront Without Minimum Protocol TLS 1.2
dc17ee4b-ddf2-4e23-96e8-7a36abad1303|CloudFormation|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2|Documentation
| +|Batch Job Definition With Privileged Container Properties
76ddf32c-85b1-4808-8935-7eef8030ab36|CloudFormation|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties|Documentation
| +|KMS Key With Vulnerable Policy
da905474-7454-43c0-b8d2-5756ab951aba|CloudFormation|High|Insecure Configurations|Checks if the policy is vulnerable and needs updating|Documentation
| +|Root Account Has Active Access Keys
4c137350-7307-4803-8c04-17c09a7a9fcf|CloudFormation|High|Insecure Configurations|Check if the root user has any access keys associated to it.|Documentation
| |Permissive Web ACL Default Action
6d64f311-3da6-45f3-80f1-14db9771ea40|CloudFormation|High|Insecure Defaults|WebAcl DefaultAction should not be ALLOW|Documentation
| |Vulnerable Default SSL Certificate
b4d9c12b-bfba-4aeb-9cb8-2358546d8041|CloudFormation|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one.|Documentation
| -|Security Group Unrestricted Access To RDP
3ae83918-7ec7-4cb8-80db-b91ef0f94002|CloudFormation|High|Networking and Firewall|Security Groups does not allow 0.0.0.0/0 for rdp (port:3389)|Documentation
| -|Security Groups With Exposed Admin Ports
cdbb0467-2957-4a77-9992-7b55b29df7b7|CloudFormation|High|Networking and Firewall|Security Groups should not have ports open in (20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389)|Documentation
| +|DB Security Group with Public Scope
9564406d-e761-4e61-b8d7-5926e3ab8e79|CloudFormation|High|Networking and Firewall|The IP address in a DB Security Group must not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6).|Documentation
| |HTTP Port Open
ddfc4eaa-af23-409f-b96c-bf5c45dc4daa|CloudFormation|High|Networking and Firewall|The HTTP port is open in a Security Group|Documentation
| -|DB Security Group Open To Large Scope
0104165b-02d5-426f-abc9-91fb48189899|CloudFormation|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts.|Documentation
| -|Security Groups Allows Unrestricted Outbound Traffic
66f2d8f9-a911-4ced-ae27-34f09690bb2c|CloudFormation|High|Networking and Firewall|No security group should allow unrestricted egress access|Documentation
| |Fully Open Ingress
e415f8d3-fc2b-4f52-88ab-1129e8c8d3f5|CloudFormation|High|Networking and Firewall|ECS Service's security group should not allow unrestricted access to all ports from all IPv4 addresses|Documentation
| -|Default Security Groups With Unrestricted Traffic
ea33fcf7-394b-4d11-a228-985c5d08f205|CloudFormation|High|Networking and Firewall|Security Groups set as default must be denied traffic.|Documentation
| -|Security Group With Unrestricted Access To SSH
6e856af2-62d7-4ba2-adc1-73b62cef9cc1|CloudFormation|High|Networking and Firewall|Security Groups allows all traffic for SSH (port:22)|Documentation
| -|SageMaker Notebook Not Placed In VPC
9c7028d9-04c2-45be-b8b2-1188ccaefb36|CloudFormation|High|Networking and Firewall|SageMaker Notebook must be placed in a VPC|Documentation
| -|EC2 Sensitive Port Is Publicly Exposed
494b03d3-bf40-4464-8524-7c56ad0700ed|CloudFormation|High|Networking and Firewall|The EC2 instance has a sensitive port connection exposed to the entire network|Documentation
| -|Unknown Port Exposed To Internet
829ce3b8-065c-41a3-ad57-e0accfea82d2|CloudFormation|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet|Documentation
| |EC2 Public Instance Exposed Through Subnet
c44c95fc-ae92-4bb8-bdf8-bb9bc412004a|CloudFormation|High|Networking and Firewall|EC2 instances with public IP addresses shouldn't allow for unrestricted traffic to their subnets|Documentation
| +|ELB Sensitive Port Is Exposed To Entire Network
78055456-f670-4d2e-94d5-392d1cf4f5e4|CloudFormation|High|Networking and Firewall|The load balancer of the application with a sensitive port connection is exposed to the entire internet.|Documentation
| +|Security Group Unrestricted Access To RDP
3ae83918-7ec7-4cb8-80db-b91ef0f94002|CloudFormation|High|Networking and Firewall|Security Groups does not allow 0.0.0.0/0 for rdp (port:3389)|Documentation
| +|DB Security Group Open To Large Scope
0104165b-02d5-426f-abc9-91fb48189899|CloudFormation|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts.|Documentation
| |EC2 Network ACL Overlapping Ports
77b6f1e2-bde4-4a6a-ae7e-a40659ff1576|CloudFormation|High|Networking and Firewall|NetworkACL Entries are reusing or overlapping ports which may create ineffective rules|Documentation
| -|KMS Key With Vulnerable Policy
da905474-7454-43c0-b8d2-5756ab951aba|CloudFormation|High|Networking and Firewall|Checks if the policy is vulnerable and needs updating|Documentation
| +|EC2 Sensitive Port Is Publicly Exposed
494b03d3-bf40-4464-8524-7c56ad0700ed|CloudFormation|High|Networking and Firewall|The EC2 instance has a sensitive port connection exposed to the entire network|Documentation
| +|Security Group With Unrestricted Access To SSH
6e856af2-62d7-4ba2-adc1-73b62cef9cc1|CloudFormation|High|Networking and Firewall|Security Groups allows all traffic for SSH (port:22)|Documentation
| +|Unknown Port Exposed To Internet
829ce3b8-065c-41a3-ad57-e0accfea82d2|CloudFormation|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet|Documentation
| +|Default Security Groups With Unrestricted Traffic
ea33fcf7-394b-4d11-a228-985c5d08f205|CloudFormation|High|Networking and Firewall|Security Groups set as default must be denied traffic.|Documentation
| +|SageMaker Notebook Not Placed In VPC
9c7028d9-04c2-45be-b8b2-1188ccaefb36|CloudFormation|High|Networking and Firewall|SageMaker Notebook must be placed in a VPC|Documentation
| +|Security Groups With Exposed Admin Ports
cdbb0467-2957-4a77-9992-7b55b29df7b7|CloudFormation|High|Networking and Firewall|Security Groups should not have ports open in (20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389)|Documentation
| |Security Groups With Meta IP
adcd0082-e90b-4b63-862b-21899f6e6a48|CloudFormation|High|Networking and Firewall|Security Groups allows 0.0.0.0/0 for all ports and protocols.|Documentation
| |Remote Desktop Port Open
c9846969-d066-431f-9b34-8c4abafe422a|CloudFormation|High|Networking and Firewall|The Remote Desktop port is open in a Security Group|Documentation
| |ALB Listening on HTTP
275a3217-ca37-40c1-a6cf-bb57d245ab32|CloudFormation|High|Networking and Firewall|All Application Load Balancers (ALB) should block connection requests over HTTP|Documentation
| -|DB Security Group with Public Scope
9564406d-e761-4e61-b8d7-5926e3ab8e79|CloudFormation|High|Networking and Firewall|The IP address in a DB Security Group must not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6).|Documentation
| -|ELB Sensitive Port Is Exposed To Entire Network
78055456-f670-4d2e-94d5-392d1cf4f5e4|CloudFormation|High|Networking and Firewall|The load balancer of the application with a sensitive port connection is exposed to the entire internet.|Documentation
| -|CMK Rotation Disabled
1c07bfaf-663c-4f6f-b22b-8e2d481e4df5|CloudFormation|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'EnableKeyRotation' must be set to 'true' when the key is enabled.|Documentation
| +|Security Groups Allows Unrestricted Outbound Traffic
66f2d8f9-a911-4ced-ae27-34f09690bb2c|CloudFormation|High|Networking and Firewall|No security group should allow unrestricted egress access|Documentation
| +|Route53 Record Undefined
24d932e1-91f0-46ea-836f-fdbd81694151|CloudFormation|High|Networking and Firewall|Route53 HostedZone must have the Record Set defined.|Documentation
| |S3 Bucket CloudTrail Logging Disabled
c3ce69fd-e3df-49c6-be78-1db3f802261c|CloudFormation|High|Observability|Server Access Logging must be enabled on S3 Buckets so that all changes are logged and trackable when the Service used is CloudTrail|Documentation
| -|Configuration Aggregator to All Regions Disabled
9f3cf08e-72a2-4eb1-8007-e3b1b0e10d4d|CloudFormation|High|Observability|AWS Config Configuration Aggregator All Regions must be set to True|Documentation
| +|CMK Rotation Disabled
1c07bfaf-663c-4f6f-b22b-8e2d481e4df5|CloudFormation|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'EnableKeyRotation' must be set to 'true' when the key is enabled.|Documentation
| |CloudTrail Logging Disabled
5c0b06d5-b7a4-484c-aeb0-75a836269ff0|CloudFormation|High|Observability|Checks if logging is enabled for CloudTrail.|Documentation
| -|S3 Bucket SSE Disabled
64ab651b-f5b2-4af0-8c89-ddd03c4d0e61|CloudFormation|High|Secret Management|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required|Documentation
| -|Public Lambda via API Gateway
57b12981-3816-4c31-b190-a1e614361dd2|CloudFormation|Medium|Access Control|Allowing to run lambda function using public API Gateway|Documentation
| -|SQS Queue Policy Allows NotAction
4fbfee74-8186-40d5-a24e-4baa76a855de|CloudFormation|Medium|Access Control|AWS SQS Queue Policy should not allow NotAction since the actions specified in this element are the only actions in that are limited|Documentation
| -|EC2 Network ACL Ineffective Denied Traffic
2623d682-dccb-44cd-99d0-54d9fd62f8f2|CloudFormation|Medium|Access Control|Ineffective deny rules. A deny rule should be applied to all IP addresses.|Documentation
| -|KMS Allows Wildcard Principal
f6049677-ec4a-43af-8779-5190b6d03cba|CloudFormation|Medium|Access Control|KMS Should not allow Principal parameter to be set as *|Documentation
| -|IoT Policy Allows Wildcard Resource
be5b230d-4371-4a28-a441-85dc760e2aa3|CloudFormation|Medium|Access Control|IoT Policy should not allow Resource to be set as *|Documentation
| -|API Gateway Method Does Not Contains An API Key
3641d5b4-d339-4bc2-bfb9-208fe8d3477f|CloudFormation|Medium|Access Control|An API Key should be required on a method request.|Documentation
| -|SNS Topic Publicity Has Allow and NotAction Simultaneously
818f38ed-8446-4132-9c03-474d49e10195|CloudFormation|Medium|Access Control|SNS topic Publicity Should not have Allow and NotAction at the same time, if it has Allow it should have Action|Documentation
| +|Configuration Aggregator to All Regions Disabled
9f3cf08e-72a2-4eb1-8007-e3b1b0e10d4d|CloudFormation|High|Observability|AWS Config Configuration Aggregator All Regions must be set to True|Documentation
| |IoT Policy Allows Action as Wildcard
4d32780f-43a4-424a-a06d-943c543576a5|CloudFormation|Medium|Access Control|IoT Policy should not allow Action to be set as *|Documentation
| +|IAM Policy On User
e4239438-e639-44aa-adb8-866e400e3ade|CloudFormation|Medium|Access Control|IAM policies should be applied to groups and not to users|Documentation
| +|Empty Roles For ECS Cluster Task Definitions
7f384a5f-b5a2-4d84-8ca3-ee0a5247becb|CloudFormation|Medium|Access Control|Check if any ECS cluster has not defined proper roles for services' task definitions.|Documentation
| +|SQS Queue Policy Allows NotPrincipal
4a8fc9a2-2b2f-4b3f-aa8d-401425872034|CloudFormation|Medium|Access Control|Checks if an SQS Queue policy has an Allow and a NotPrincipal. AWS strongly recommends against using `NotPrincipal` in the same policy statement as `"Effect": "Allow"`.|Documentation
| +|EC2 Instance Has No IAM Role
f914357d-8386-4d56-9ba6-456e5723f9a6|CloudFormation|Medium|Access Control|Check if an EC2 instance refers to an IAM profile, which represents an IAM Role.|Documentation
| +|EC2 Network ACL Ineffective Denied Traffic
2623d682-dccb-44cd-99d0-54d9fd62f8f2|CloudFormation|Medium|Access Control|Ineffective deny rules. A deny rule should be applied to all IP addresses.|Documentation
| |ECR Repository Is Publicly Accessible
75be209d-1948-41f6-a8c8-e22dd0121134|CloudFormation|Medium|Access Control|Amazon ECR image repositories shouldn't have public access|Documentation
| +|API Gateway Method Does Not Contains An API Key
3641d5b4-d339-4bc2-bfb9-208fe8d3477f|CloudFormation|Medium|Access Control|An API Key should be required on a method request.|Documentation
| +|KMS Allows Wildcard Principal
f6049677-ec4a-43af-8779-5190b6d03cba|CloudFormation|Medium|Access Control|KMS Should not allow Principal parameter to be set as *|Documentation
| +|Public Lambda via API Gateway
57b12981-3816-4c31-b190-a1e614361dd2|CloudFormation|Medium|Access Control|Allowing to run lambda function using public API Gateway|Documentation
| |SQS Policy With Public Access
9b6a3f5b-5fd6-40ee-9bc0-ed604911212d|CloudFormation|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue|Documentation
| -|EC2 Instance Has No IAM Role
f914357d-8386-4d56-9ba6-456e5723f9a6|CloudFormation|Medium|Access Control|Check if an EC2 instance refers to an IAM profile, which represents an IAM Role.|Documentation
| +|SQS Queue Policy Allows NotAction
4fbfee74-8186-40d5-a24e-4baa76a855de|CloudFormation|Medium|Access Control|AWS SQS Queue Policy should not allow NotAction since the actions specified in this element are the only actions in that are limited|Documentation
| +|SNS Topic Publicity Has Allow and NotAction Simultaneously
818f38ed-8446-4132-9c03-474d49e10195|CloudFormation|Medium|Access Control|SNS topic Publicity Should not have Allow and NotAction at the same time, if it has Allow it should have Action|Documentation
| |Lambda Permission Principal Is Wildcard
1d6e16f1-5d8a-4379-bfb3-2dadd38ed5a7|CloudFormation|Medium|Access Control|Lambda Permission Principal should not be wildcard.|Documentation
| -|Empty Roles For ECS Cluster Task Definitions
7f384a5f-b5a2-4d84-8ca3-ee0a5247becb|CloudFormation|Medium|Access Control|Check if any ECS cluster has not defined proper roles for services' task definitions.|Documentation
| -|SQS Queue Policy Allows NotPrincipal
4a8fc9a2-2b2f-4b3f-aa8d-401425872034|CloudFormation|Medium|Access Control|Checks if an SQS Queue policy has an Allow and a NotPrincipal. AWS strongly recommends against using `NotPrincipal` in the same policy statement as `"Effect": "Allow"`.|Documentation
| -|IAM Policy On User
e4239438-e639-44aa-adb8-866e400e3ade|CloudFormation|Medium|Access Control|IAM policies should be applied to groups and not to users|Documentation
| -|Auto Scaling Group With No Associated ELB
ad21e616-5026-4b9d-990d-5b007bfe679c|CloudFormation|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'LoadBalancerNames' must be defined and not empty.|Documentation
| -|EBS Volume Not Attached To Instances
1819ac03-542b-4026-976b-f37addd59f3b|CloudFormation|Medium|Availability|EBS Volumes that are unattached to instances may contain sensitive data|Documentation
| +|IoT Policy Allows Wildcard Resource
be5b230d-4371-4a28-a441-85dc760e2aa3|CloudFormation|Medium|Access Control|IoT Policy should not allow Resource to be set as *|Documentation
| +|CMK Is Unusable
2844c749-bd78-4cd1-90e8-b179df827602|CloudFormation|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'Enabled' set to true and the attribute 'PendingWindowInDays' must be undefined.|Documentation
| |ElastiCache Nodes Not Created Across Multi AZ
cfdef2e5-1fe4-4ef4-bea8-c56e08963150|CloudFormation|Medium|Availability|Check if ElastiCache nodes are not being created across multi AZ|Documentation
| +|EBS Volume Not Attached To Instances
1819ac03-542b-4026-976b-f37addd59f3b|CloudFormation|Medium|Availability|EBS Volumes that are unattached to instances may contain sensitive data|Documentation
| +|Auto Scaling Group With No Associated ELB
ad21e616-5026-4b9d-990d-5b007bfe679c|CloudFormation|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'LoadBalancerNames' must be defined and not empty.|Documentation
| |ECS Service Without Running Tasks
79d745f0-d5f3-46db-9504-bef73e9fd528|CloudFormation|Medium|Availability|ECS Service should have at least 1 task running|Documentation
| -|CMK Is Unusable
2844c749-bd78-4cd1-90e8-b179df827602|CloudFormation|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'Enabled' set to true and the attribute 'PendingWindowInDays' must be undefined.|Documentation
| |RDS With Backup Disabled
8c415f6f-7b90-4a27-a44a-51047e1506f9|CloudFormation|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup|Documentation
| |Stack Retention Disabled
fe974ae9-858e-4991-bbd5-e040a834679f|CloudFormation|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction|Documentation
| |RDS Multi-AZ Deployment Disabled
2b1d4935-9acf-48a7-8466-10d18bf51a69|CloudFormation|Medium|Backup|AWS RDS Instance should have a multi-az deployment|Documentation
| |Low RDS Backup Retention Period
e649a218-d099-4550-86a4-1231e1fcb60d|CloudFormation|Medium|Backup|AWS RDS backup retention policy should be at least 7 days|Documentation
| -|High Access Key Rotation Period
800fa019-49dd-421b-9042-7331fdd83fa2|CloudFormation|Medium|Best Practices|Check if there is a rule that enforces access keys to be rotated within 90 days.|Documentation
| -|IAM Password Without Lowercase Letter
f4cf35d6-da92-48de-ab70-57be2b2e6497|CloudFormation|Medium|Best Practices|IAM user resource Login Profile Password should have lowercase letter|Documentation
| -|IAM User Without Password Reset
a964d6e3-8e1e-4d93-8120-61fa640dd55a|CloudFormation|Medium|Best Practices|IAM User Login Profile should exist and have PasswordResetRequired property set to true|Documentation
| -|IAM Password Without Minimum Length
b1b20ae3-8fa7-4af5-a74d-a2145920fcb1|CloudFormation|Medium|Best Practices|IAM user resource Login Profile Password should have at least 14 characters|Documentation
| -|IAM Password Without Uppercase Letter
445020f6-b69e-4484-847f-02d4b7768902|CloudFormation|Medium|Best Practices|IAM user resource Login Profile Password should have at least one uppercase letter|Documentation
| -|ECS No Load Balancer Attached
fb2b0ecf-1492-491a-a70d-ba1df579175d|CloudFormation|Medium|Best Practices|Amazon ECS service should be configured to use Load Balancing to distribute traffic evenly across the tasks, which means there must exist at least one LoadBalancer.|Documentation
| |IAM Managed Policy Applied to a User
0e5872b4-19a0-4165-8b2f-56d9e14b909f|CloudFormation|Medium|Best Practices|Make sure that any managed IAM policies are implemented in a group and not in a user.|Documentation
| -|Automatic Minor Upgrades Disabled
f0104061-8bfc-4b45-8a7d-630eb502f281|CloudFormation|Medium|Best Practices|AWS RDS should have automatic minor upgrades enabled, which means the attribute 'AutoMinorVersionUpgrade' must be set to true.|Documentation
| |IAM Password Without Number
839f238f-2e3a-4a72-b945-8abdf91af955|CloudFormation|Medium|Best Practices|IAM user resource Login Profile Password should have at least one number|Documentation
| -|S3 Bucket Without Versioning
a227ec01-f97a-4084-91a4-47b350c1db54|CloudFormation|Medium|Best Practices|S3 bucket versioning should be enabled|Documentation
| +|IAM Password Without Uppercase Letter
445020f6-b69e-4484-847f-02d4b7768902|CloudFormation|Medium|Best Practices|IAM user resource Login Profile Password should have at least one uppercase letter|Documentation
| +|ECS No Load Balancer Attached
fb2b0ecf-1492-491a-a70d-ba1df579175d|CloudFormation|Medium|Best Practices|Amazon ECS service should be configured to use Load Balancing to distribute traffic evenly across the tasks, which means there must exist at least one LoadBalancer.|Documentation
| +|High Access Key Rotation Period
800fa019-49dd-421b-9042-7331fdd83fa2|CloudFormation|Medium|Best Practices|Check if there is a rule that enforces access keys to be rotated within 90 days.|Documentation
| +|IAM User Without Password Reset
a964d6e3-8e1e-4d93-8120-61fa640dd55a|CloudFormation|Medium|Best Practices|IAM User Login Profile should exist and have PasswordResetRequired property set to true|Documentation
| +|IAM Password Without Lowercase Letter
f4cf35d6-da92-48de-ab70-57be2b2e6497|CloudFormation|Medium|Best Practices|IAM user resource Login Profile Password should have lowercase letter|Documentation
| |IAM Password Without Symbol
d72a7869-e8b9-4e12-bcd2-e8be10b39fa7|CloudFormation|Medium|Best Practices|IAM user resource Login Profile Password should have at least one symbol|Documentation
| +|Automatic Minor Upgrades Disabled
f0104061-8bfc-4b45-8a7d-630eb502f281|CloudFormation|Medium|Best Practices|AWS RDS should have automatic minor upgrades enabled, which means the attribute 'AutoMinorVersionUpgrade' must be set to true.|Documentation
| |Cognito UserPool Without MFA
74a18d1a-cf02-4a31-8791-ed0967ad7fdc|CloudFormation|Medium|Best Practices|AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users|Documentation
| -|IAM Group Inline Policies
a58d1a2d-4078-4b80-855b-84cc3f7f4540|CloudFormation|Medium|Encryption|IAM Groups should not use inline policies and instead use managed policies. If a group is deleted, the inline policy is also deleted|Documentation
| +|IAM Password Without Minimum Length
b1b20ae3-8fa7-4af5-a74d-a2145920fcb1|CloudFormation|Medium|Best Practices|IAM user resource Login Profile Password should have at least 14 characters|Documentation
| |EBS Volume Encryption Disabled
80b7ac3f-d2b7-4577-9b10-df7913497162|CloudFormation|Medium|Encryption|EBS volumes should be encrypted|Documentation
| -|Config Rule For Encrypted Volumes Disabled
1b6322d9-c755-4f8c-b804-32c19250f2d9|CloudFormation|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source.|Documentation
| -|RDS Storage Encryption Disabled
65844ba3-03a1-40a8-b3dd-919f122e8c95|CloudFormation|Medium|Encryption|RDS DBCluster should have storage encrypted set to true|Documentation
| +|ElasticSearch Not Encrypted At Rest
86a248ab-0e01-4564-a82a-878303e253bb|CloudFormation|Medium|Encryption|Check if ElasticSearch encryption is disabled at Rest|Documentation
| +|AmazonMQ Broker Encryption Disabled
316278b3-87ac-444c-8f8f-a733a28da60f|CloudFormation|Medium|Encryption|AmazonMQ Broker should have Encryption Options defined|Documentation
| +|IAM Group Inline Policies
a58d1a2d-4078-4b80-855b-84cc3f7f4540|CloudFormation|Medium|Encryption|IAM Groups should not use inline policies and instead use managed policies. If a group is deleted, the inline policy is also deleted|Documentation
| +|SageMaker EndPoint Config Should Specify KmsKeyId Attribute
44034eda-1c3f-486a-831d-e09a7dd94354|CloudFormation|Medium|Encryption|KmsKeyId attribute should be defined|Documentation
| +|Alexa Skill Plaintext Client Secret Exposed
3c3b7a58-b018-4d07-9444-d9ee7156e111|CloudFormation|Medium|Encryption|Alexa skills' client secrets should not be defined as a plaintext string. It should either use 'AWS Systems Manager Parameter Store' or 'AWS Secrets Manager' to retrieve sensitive information|Documentation
| |CodeBuild Not Encrypted
d7467bb6-3ed1-4c82-8095-5e7a818d0aad|CloudFormation|Medium|Encryption|CodeBuild Should have EncryptionKey defined|Documentation
| |API Gateway Without Content Encoding
d6653eee-2d4d-4e6a-976f-6794a497999a|CloudFormation|Medium|Encryption|Enable Content Encoding through the attribute 'MinimumCompressionSize'. This value should be greater than -1 and smaller than 10485760.|Documentation
| -|Alexa Skill Plaintext Client Secret Exposed
3c3b7a58-b018-4d07-9444-d9ee7156e111|CloudFormation|Medium|Encryption|Alexa skills' client secrets should not be defined as a plaintext string. It should either use 'AWS Systems Manager Parameter Store' or 'AWS Secrets Manager' to retrieve sensitive information|Documentation
| +|Neptune Database Cluster Encryption Disabled
bf4473f1-c8a2-4b1b-8134-bd32efabab93|CloudFormation|Medium|Encryption|Neptune database cluster storage should have encryption enabled|Documentation
| +|Config Rule For Encrypted Volumes Disabled
1b6322d9-c755-4f8c-b804-32c19250f2d9|CloudFormation|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source.|Documentation
| |ElasticSearch Encryption With KMS Disabled
d926aa95-0a04-4abc-b20c-acf54afe38a1|CloudFormation|Medium|Encryption|Check if any ElasticSearch domain isn't encrypted with KMS.|Documentation
| -|KMS Key Rotation Disabled
235ca980-eb71-48f4-9030-df0c371029eb|CloudFormation|Medium|Encryption|EnableKeyRotation should not be false or undefined|Documentation
| -|AmazonMQ Broker Encryption Disabled
316278b3-87ac-444c-8f8f-a733a28da60f|CloudFormation|Medium|Encryption|AmazonMQ Broker should have Encryption Options defined|Documentation
| -|SageMaker EndPoint Config Should Specify KmsKeyId Attribute
44034eda-1c3f-486a-831d-e09a7dd94354|CloudFormation|Medium|Encryption|KmsKeyId attribute should be defined|Documentation
| -|Unscanned ECR Image
9025b2b3-e554-4842-ba87-db7aeec36d35|CloudFormation|Medium|Encryption|Checks if the ECR Image has been scanned|Documentation
| |Workspace Without Encryption
89827c57-5a8a-49eb-9731-976a606d70db|CloudFormation|Medium|Encryption|Workspaces should have encryption enabled|Documentation
| +|KMS Key Rotation Disabled
235ca980-eb71-48f4-9030-df0c371029eb|CloudFormation|Medium|Encryption|EnableKeyRotation should not be false or undefined|Documentation
| |EMR Security Configuration Encryption Disabled
5b033ec8-f079-4323-b5c8-99d4620433a9|CloudFormation|Medium|Encryption|EMR SecurityConfiguration should enable and properly configure encryption at rest and in transit.|Documentation
| -|ElasticSearch Not Encrypted At Rest
86a248ab-0e01-4564-a82a-878303e253bb|CloudFormation|Medium|Encryption|Check if ElasticSearch encryption is disabled at Rest|Documentation
| -|Neptune Database Cluster Encryption Disabled
bf4473f1-c8a2-4b1b-8134-bd32efabab93|CloudFormation|Medium|Encryption|Neptune database cluster storage should have encryption enabled|Documentation
| -|GitHub Repository Set To Public
5906092d-5f74-490d-9a03-78febe0f65e1|CloudFormation|Medium|Insecure Configurations|Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private')|Documentation
| -|EC2 Instance Has Public IP
b3de4e4c-14be-4159-b99d-9ad194365e4c|CloudFormation|Medium|Insecure Configurations|EC2 Subnet should not have MapPublicIpOnLaunch set to true|Documentation
| -|Instance With No VPC
8a6d36cd-0bc6-42b7-92c4-67acc8576861|CloudFormation|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations.|Documentation
| -|API Gateway Without SSL Certificate
ed4c48b8-eccc-4881-95c1-09fdae23db25|CloudFormation|Medium|Insecure Configurations|SSL Client Certificate should be enabled|Documentation
| +|Unscanned ECR Image
9025b2b3-e554-4842-ba87-db7aeec36d35|CloudFormation|Medium|Encryption|Checks if the ECR Image has been scanned|Documentation
| +|RDS Storage Encryption Disabled
65844ba3-03a1-40a8-b3dd-919f122e8c95|CloudFormation|Medium|Encryption|RDS DBCluster should have storage encrypted set to true|Documentation
| |Lambda Functions Without Unique IAM Roles
ae03f542-1423-402f-9cef-c834e7ee9583|CloudFormation|Medium|Insecure Configurations|AWS Lambda Functions should not share IAM roles to ensure they will have the minimum privileges needed to perform the required tasks|Documentation
| -|IAM User Has Too Many Access Keys
48677914-6fdf-40ec-80c4-2b0e94079f54|CloudFormation|Medium|Insecure Configurations|Check if any user has more than one access key, which increases the risk of unauthorized access and compromise of credentials.|Documentation
| -|Inline Policies Are Attached To ECS Service
9e8c89b3-7997-4d15-93e4-7911b9db99fd|CloudFormation|Medium|Insecure Configurations|Check if any ECS service has inline policies attached, which are embedded directly into an entity (user, group,...), instead of the equivalent recommended managed policies.|Documentation
| -|Lambda Function Without Tags
8df8e857-bd59-44fa-9f4c-d77594b95b46|CloudFormation|Medium|Insecure Configurations|AWS Lambda Functions must have associated tags.|Documentation
| |EMR Cluster Without Security Configuration
48af92a5-c89b-4936-bc62-1086fe2bab23|CloudFormation|Medium|Insecure Configurations|EMR Cluster should have security configuration defined.|Documentation
| +|API Gateway With Open Access
1056dfbb-5802-4762-bf2b-8b9b9684b1b0|CloudFormation|Medium|Insecure Configurations|API Gateway Method should restrict an authorization type, except for the HTTP OPTIONS method.|Documentation
| +|API Gateway Without SSL Certificate
ed4c48b8-eccc-4881-95c1-09fdae23db25|CloudFormation|Medium|Insecure Configurations|SSL Client Certificate should be enabled|Documentation
| +|ECR Image Tag Not Immutable
33f41d31-86b1-46a4-81f7-9c9a671f59ac|CloudFormation|Medium|Insecure Configurations|ECR should have an image tag be immutable|Documentation
| +|Inline Policies Are Attached To ECS Service
9e8c89b3-7997-4d15-93e4-7911b9db99fd|CloudFormation|Medium|Insecure Configurations|Check if any ECS service has inline policies attached, which are embedded directly into an entity (user, group,...), instead of the equivalent recommended managed policies.|Documentation
| |SageMaker Enabling Internet Access
88d55d94-315d-4564-beee-d2d725feab11|CloudFormation|Medium|Insecure Configurations|SageMaker must have disabled internet access and root access for Creating Notebook Instances.|Documentation
| +|IAM User Has Too Many Access Keys
48677914-6fdf-40ec-80c4-2b0e94079f54|CloudFormation|Medium|Insecure Configurations|Check if any user has more than one access key, which increases the risk of unauthorized access and compromise of credentials.|Documentation
| +|Lambda Function Without Tags
8df8e857-bd59-44fa-9f4c-d77594b95b46|CloudFormation|Medium|Insecure Configurations|AWS Lambda Functions must have associated tags.|Documentation
| |IAM User LoginProfile Password Is In Plaintext
06adef8c-c284-4de7-aad2-af43b07a8ca1|CloudFormation|Medium|Insecure Configurations|IAM User LoginProfile Password must not be a plaintext string|Documentation
| -|ECR Image Tag Not Immutable
33f41d31-86b1-46a4-81f7-9c9a671f59ac|CloudFormation|Medium|Insecure Configurations|ECR should have an image tag be immutable|Documentation
| +|Instance With No VPC
8a6d36cd-0bc6-42b7-92c4-67acc8576861|CloudFormation|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations.|Documentation
| +|EC2 Instance Has Public IP
b3de4e4c-14be-4159-b99d-9ad194365e4c|CloudFormation|Medium|Insecure Configurations|EC2 Subnet should not have MapPublicIpOnLaunch set to true|Documentation
| |MQ Broker Is Publicly Accessible
68b6a789-82f8-4cfd-85de-e95332fe6a61|CloudFormation|Medium|Insecure Configurations|Check if any MQ Broker is not publicly accessible|Documentation
| -|API Gateway With Open Access
1056dfbb-5802-4762-bf2b-8b9b9684b1b0|CloudFormation|Medium|Insecure Configurations|API Gateway Method should restrict an authorization type, except for the HTTP OPTIONS method.|Documentation
| -|Redshift Publicly Accessible
bdf8dcb4-75df-4370-92c4-606e4ae6c4d3|CloudFormation|Medium|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible, which means the attribute 'PubliclyAccessible' must be set to false|Documentation
| +|GitHub Repository Set To Public
5906092d-5f74-490d-9a03-78febe0f65e1|CloudFormation|Medium|Insecure Configurations|Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private')|Documentation
| |RouterTable with Default Routing
4f0908b9-eb66-433f-9145-134274e1e944|CloudFormation|Medium|Insecure Defaults|NAT gateways are recommended, and not the default route which permits all traffic, in Route Tables.|Documentation
| |S3 Bucket Should Have Bucket Policy
37fa8188-738b-42c8-bf82-6334ea567738|CloudFormation|Medium|Insecure Defaults|Checks if S3 Bucket has the same name as a Bucket Policy, if it has, S3 Bucket has a Bucket Policy associated|Documentation
| |API Gateway Endpoint Config is Not Private
4a8daf95-709d-4a36-9132-d3e19878fa34|CloudFormation|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet|Documentation
| -|Security Group Ingress With All Protocols
1a427b25-2e9e-4298-9530-0499a55e736b|CloudFormation|Medium|Networking and Firewall|AWS Security Group Ingress should not specify all protocols to prevent allow traffic on all ports|Documentation
| |Security Group Egress With Port Range
dae9c373-8287-462f-8746-6f93dad93610|CloudFormation|Medium|Networking and Firewall|AWS Security Group Egress should have a single port|Documentation
| -|ELB With Security Group Without Inbound Rules
e200a6f3-c589-49ec-9143-7421d4a2c845|CloudFormation|Medium|Networking and Firewall|An AWS Elastic Load Balancer (ELB) shouldn´t have security groups without outbound rules|Documentation
| +|ALB Is Not Integrated With WAF
105ba098-1e34-48cd-b0f2-a8a43a51bf9b|CloudFormation|Medium|Networking and Firewall|All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service|Documentation
| |Security Group Ingress With Port Range
87482183-a8e7-4e42-a566-7a23ec231c16|CloudFormation|Medium|Networking and Firewall|AWS Security Group Ingress should have a single port|Documentation
| -|Security Group Egress CIDR Open To World
1cc2fbd7-816c-4fbf-ad6d-38a4afa4312a|CloudFormation|Medium|Networking and Firewall|AWS Security Group Egress CIDR should not be open to the world|Documentation
| -|TCP/UDP Protocol Network ACL Entry Allows All Ports
f57f849c-883b-4cb7-85e7-f7b199dff163|CloudFormation|Medium|Networking and Firewall|TCP/UDP protocol AWS Network ACL Entry should not allow all ports|Documentation
| +|ELB With Security Group Without Inbound Rules
e200a6f3-c589-49ec-9143-7421d4a2c845|CloudFormation|Medium|Networking and Firewall|An AWS Elastic Load Balancer (ELB) shouldn´t have security groups without outbound rules|Documentation
| +|Security Group Ingress With All Protocols
1a427b25-2e9e-4298-9530-0499a55e736b|CloudFormation|Medium|Networking and Firewall|AWS Security Group Ingress should not specify all protocols to prevent allow traffic on all ports|Documentation
| |GameLift Fleet EC2 InboundPermissions With Port Range
43356255-495d-4148-ad8d-f6af5eac09dd|CloudFormation|Medium|Networking and Firewall|AWS GameLift Fleet EC2InboundPermissions should have a single port|Documentation
| -|EC2 Permissive Network ACL Protocols
03879981-efa2-47a0-a818-c843e1441b88|CloudFormation|Medium|Networking and Firewall|To avoid opening all ports for Allow rules, EC2 NetworkACL Entry Protocol should be either 6 (for TCP), 17 (for UDP), 1 (for ICMP), or 58 (for ICMPv6, which must include an IPv6 CIDR block, ICMP type, and code).|Documentation
| -|ELB With Security Group Without Outbound Rules
01d5a458-a6c4-452a-ac50-054d59275b7c|CloudFormation|Medium|Networking and Firewall|An AWS Elastic Load Balancer (ELB) shouldn´t have security groups without outbound rules|Documentation
| -|Unrestricted Security Group Ingress
4a1e6b34-1008-4e61-a5f2-1f7c276f8d14|CloudFormation|Medium|Networking and Firewall|AWS Security Group Ingress CIDR should not be open to the world|Documentation
| -|ALB Is Not Integrated With WAF
105ba098-1e34-48cd-b0f2-a8a43a51bf9b|CloudFormation|Medium|Networking and Firewall|All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service|Documentation
| |Security Group Egress With All Protocols
ee464fc2-54a6-4e22-b10a-c6dcd2474d0c|CloudFormation|Medium|Networking and Firewall|AWS Security Group Egress should not specify all protocols to prevent allow traffic on all ports|Documentation
| +|TCP/UDP Protocol Network ACL Entry Allows All Ports
f57f849c-883b-4cb7-85e7-f7b199dff163|CloudFormation|Medium|Networking and Firewall|TCP/UDP protocol AWS Network ACL Entry should not allow all ports|Documentation
| +|Security Group Egress CIDR Open To World
1cc2fbd7-816c-4fbf-ad6d-38a4afa4312a|CloudFormation|Medium|Networking and Firewall|AWS Security Group Egress CIDR should not be open to the world|Documentation
| +|Unrestricted Security Group Ingress
4a1e6b34-1008-4e61-a5f2-1f7c276f8d14|CloudFormation|Medium|Networking and Firewall|AWS Security Group Ingress CIDR should not be open to the world|Documentation
| +|ELB With Security Group Without Outbound Rules
01d5a458-a6c4-452a-ac50-054d59275b7c|CloudFormation|Medium|Networking and Firewall|An AWS Elastic Load Balancer (ELB) shouldn´t have security groups without outbound rules|Documentation
| |Security Groups Without VPC Attached
493d9591-6249-47bf-8dc0-5c10161cc558|CloudFormation|Medium|Networking and Firewall|Security Groups must have a VPC.|Documentation
| -|CloudTrail Not Integrated With CloudWatch
65d07da5-9af5-44df-8983-52d2e6f24c44|CloudFormation|Medium|Observability|CloudTrail should be integrated with CloudWatch|Documentation
| -|CloudTrail SNS Topic Name Undefined
3e09413f-471e-40f3-8626-990c79ae63f3|CloudFormation|Medium|Observability|Check if SNS topic name is set for CloudTrail|Documentation
| -|MSK Cluster Logging Disabled
fc7c2c15-f5d0-4b80-adb2-c89019f8f62b|CloudFormation|Medium|Observability|Ensure MSK Cluster Logging is enabled|Documentation
| +|EC2 Permissive Network ACL Protocols
03879981-efa2-47a0-a818-c843e1441b88|CloudFormation|Medium|Networking and Firewall|To avoid opening all ports for Allow rules, EC2 NetworkACL Entry Protocol should be either 6 (for TCP), 17 (for UDP), 1 (for ICMP), or 58 (for ICMPv6, which must include an IPv6 CIDR block, ICMP type, and code).|Documentation
| |Stack Notifications Disabled
837e033c-4717-40bd-807e-6abaa30161b7|CloudFormation|Medium|Observability|Enable AWS CloudFormation Stack Notifications|Documentation
| +|ELB Access Log Disabled
ee12ad32-2863-4c0f-b13f-28272d115028|CloudFormation|Medium|Observability|ELB should have access log enabled|Documentation
| +|API Gateway V2 Stage Access Logging Settings Not Defined
80d45af4-4920-4236-a56e-b7ef419d1941|CloudFormation|Medium|Observability|API Gateway V2 Stage should have Access Logging Settings defined.|Documentation
| +|CloudTrail SNS Topic Name Undefined
3e09413f-471e-40f3-8626-990c79ae63f3|CloudFormation|Medium|Observability|Check if SNS topic name is set for CloudTrail|Documentation
| +|GuardDuty Detector Disabled
a25cd877-375c-4121-a640-730929936fac|CloudFormation|Medium|Observability|Make sure that Amazon GuardDuty is Enabled.|Documentation
| |API Gateway X-Ray Disabled
4ab10c48-bedb-4deb-8f3b-ff12783b61de|CloudFormation|Medium|Observability|X-Ray Tracing is not enabled|Documentation
| +|Redshift Cluster Logging Disabled
3de2d4ff-fe53-4fc9-95d3-2f8a69bf90d6|CloudFormation|Medium|Observability|Make sure Logging is enabled for Redshift Cluster|Documentation
| |API Gateway Deployment Without Access Log Setting
06ec63e3-9f72-4fe2-a218-2eb9200b8db5|CloudFormation|Medium|Observability|API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage.|Documentation
| +|ELBv2 ALB Access Log Disabled
c62e8b7d-1fdf-4050-ac4c-76ba9e1d9621|CloudFormation|Medium|Observability|ELBv2 ALBs should have access log enabled to capture detailed information about requests sent to your load balancer.|Documentation
| +|MQ Broker Logging Disabled
e519ed6a-8328-4b69-8eb7-8fa549ac3050|CloudFormation|Medium|Observability|Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general).|Documentation
| |CloudWatch Logging Disabled
0f0fb06b-0f2f-4374-8588-f2c7c348c7a0|CloudFormation|Medium|Observability|Check if CloudWatch logging is disabled for Route53 hosted zones|Documentation
| -|API Gateway V2 Stage Access Logging Settings Not Defined
80d45af4-4920-4236-a56e-b7ef419d1941|CloudFormation|Medium|Observability|API Gateway V2 Stage should have Access Logging Settings defined.|Documentation
| +|CloudTrail Not Integrated With CloudWatch
65d07da5-9af5-44df-8983-52d2e6f24c44|CloudFormation|Medium|Observability|CloudTrail should be integrated with CloudWatch|Documentation
| +|MSK Cluster Logging Disabled
fc7c2c15-f5d0-4b80-adb2-c89019f8f62b|CloudFormation|Medium|Observability|Ensure MSK Cluster Logging is enabled|Documentation
| |CloudWatch Metrics Disabled
5d3c1807-acb3-4bb0-be4e-0440230feeaf|CloudFormation|Medium|Observability|Checks if CloudWatch Metrics is Enabled|Documentation
| -|CloudTrail Multi Region Disabled
058ac855-989f-4378-ba4d-52d004020da7|CloudFormation|Medium|Observability|AWS CloudTrail should have IsMultiRegionTrail set to true|Documentation
| |CloudFront Logging Disabled
de77cd9f-0e8b-46cc-b4a4-b6b436838642|CloudFormation|Medium|Observability|Make sure AWS CloudFront distribution has access log enabled|Documentation
| -|ELB Access Log Disabled
ee12ad32-2863-4c0f-b13f-28272d115028|CloudFormation|Medium|Observability|ELB should have access log enabled|Documentation
| |ElasticSearch Without Slow Logs
086ea2eb-14a6-4fd4-914b-38e0bc8703e8|CloudFormation|Medium|Observability|Ensure that AWS Elasticsearch enables support for slow logs|Documentation
| -|Redshift Cluster Logging Disabled
3de2d4ff-fe53-4fc9-95d3-2f8a69bf90d6|CloudFormation|Medium|Observability|Make sure Logging is enabled for Redshift Cluster|Documentation
| -|ELBv2 ALB Access Log Disabled
c62e8b7d-1fdf-4050-ac4c-76ba9e1d9621|CloudFormation|Medium|Observability|ELBv2 ALBs should have access log enabled to capture detailed information about requests sent to your load balancer.|Documentation
| -|GuardDuty Detector Disabled
a25cd877-375c-4121-a640-730929936fac|CloudFormation|Medium|Observability|Make sure that Amazon GuardDuty is Enabled.|Documentation
| -|MQ Broker Logging Disabled
e519ed6a-8328-4b69-8eb7-8fa549ac3050|CloudFormation|Medium|Observability|Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general).|Documentation
| -|Amplify Branch Basic Auth Config Password Exposed
dfb56e5d-ee68-446e-b32a-657b62befe69|CloudFormation|Medium|Secret Management|Amplify Branch BasicAuthConfig Password must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| -|RefreshToken Is Exposed
5b48c507-0d1f-41b0-a630-76817c6b4189|CloudFormation|Medium|Secret Management|Alexa ASK Skill AuthenticationConfiguration RefreshToken should not be a plaintext string|Documentation
| -|DMS Endpoint Password Exposed
5f700072-b7ce-4e84-b3f3-497bf1c24a4d|CloudFormation|Medium|Secret Management|DMS Endpoint password must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| +|S3 Bucket Without Versioning
a227ec01-f97a-4084-91a4-47b350c1db54|CloudFormation|Medium|Observability|S3 bucket versioning should be enabled|Documentation
| +|CloudTrail Multi Region Disabled
058ac855-989f-4378-ba4d-52d004020da7|CloudFormation|Medium|Observability|AWS CloudTrail should have IsMultiRegionTrail set to true|Documentation
| +|Amplify App OAuth Token Exposed
03b38885-8f4e-480c-a0e4-12c1affd15db|CloudFormation|Medium|Secret Management|Amplify App OAuth Token must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| +|Directory Service Microsoft AD Password Set to Plaintext or Default Ref
06b9f52a-8cd5-459b-bdc6-21a22521e1be|CloudFormation|Medium|Secret Management|Directory Service Microsoft AD password must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| |SNS Topic Without KmsMasterKeyId
9d13b150-a2ab-42a1-b6f4-142e41f81e52|CloudFormation|Medium|Secret Management|KmsMasterKeyId attribute should not be undefined|Documentation
| -|DMS Endpoint MongoDB Settings Password Exposed
f988a17f-1139-46a3-8928-f27eafd8b024|CloudFormation|Medium|Secret Management|DMS Endpoint MongoDbSettings Password must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| -|SQS with SSE disabled
12726829-93ed-4d51-9cbe-13423f4299e1|CloudFormation|Medium|Secret Management|AWS SQS Queue should have a KMS Master Key defined|Documentation
| -|Amplify App Basic Auth Config Password Exposed
71493c8b-3014-404c-9802-078b74496fb7|CloudFormation|Medium|Secret Management|Amplify App BasicAuthConfig Password must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| -|Amplify App Access Token Exposed
73980e43-f399-4fcc-a373-658228f7adf7|CloudFormation|Medium|Secret Management|Amplify App Access Token must not be in a plain text string or referenced in a parameter as a default value.|Documentation
| +|RefreshToken Is Exposed
5b48c507-0d1f-41b0-a630-76817c6b4189|CloudFormation|Medium|Secret Management|Alexa ASK Skill AuthenticationConfiguration RefreshToken should not be a plaintext string|Documentation
| |Directory Service Simple AD Password Exposed
6685d912-d81f-4cfa-95ad-e316ea31c989|CloudFormation|Medium|Secret Management|DirectoryService SimpleAD password must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| +|Secrets Manager Should Specify KmsKeyId
c8ae9ba9-c2f7-4e5c-b32e-a4b7712d4d22|CloudFormation|Medium|Secret Management|Secrets Manager Secret should explicitly specify KmsKeyId, this will allow the secret to be shared cross-account|Documentation
| |DocDB Cluster Master Password In Plaintext
39423ce4-9011-46cd-b6b1-009edcd9385d|CloudFormation|Medium|Secret Management|DocDB DB Cluster master user password must not be in a plain text string or referenced in a parameter as a default value.|Documentation
| |Hardcoded AWS Access Key In Lambda
2564172f-c92b-4261-9acd-464aed511696|CloudFormation|Medium|Secret Management|Lambda hardcoded AWS access/secret keys|Documentation
| -|Directory Service Microsoft AD Password Set to Plaintext or Default Ref
06b9f52a-8cd5-459b-bdc6-21a22521e1be|CloudFormation|Medium|Secret Management|Directory Service Microsoft AD password must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| -|Secrets Manager Should Specify KmsKeyId
c8ae9ba9-c2f7-4e5c-b32e-a4b7712d4d22|CloudFormation|Medium|Secret Management|Secrets Manager Secret should explicitly specify KmsKeyId, this will allow the secret to be shared cross-account|Documentation
| +|SQS with SSE disabled
12726829-93ed-4d51-9cbe-13423f4299e1|CloudFormation|Medium|Secret Management|AWS SQS Queue should have a KMS Master Key defined|Documentation
| +|DMS Endpoint MongoDB Settings Password Exposed
f988a17f-1139-46a3-8928-f27eafd8b024|CloudFormation|Medium|Secret Management|DMS Endpoint MongoDbSettings Password must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| +|DMS Endpoint Password Exposed
5f700072-b7ce-4e84-b3f3-497bf1c24a4d|CloudFormation|Medium|Secret Management|DMS Endpoint password must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| |EBS Volume Without KmsKeyId
b7063015-6c31-4658-a8e7-14f98f37fd42|CloudFormation|Medium|Secret Management|EBS Volume should specify a KmsKeyId value|Documentation
| -|Amplify App OAuth Token Exposed
03b38885-8f4e-480c-a0e4-12c1affd15db|CloudFormation|Medium|Secret Management|Amplify App OAuth Token must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| +|Amplify Branch Basic Auth Config Password Exposed
dfb56e5d-ee68-446e-b32a-657b62befe69|CloudFormation|Medium|Secret Management|Amplify Branch BasicAuthConfig Password must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| +|Amplify App Basic Auth Config Password Exposed
71493c8b-3014-404c-9802-078b74496fb7|CloudFormation|Medium|Secret Management|Amplify App BasicAuthConfig Password must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| +|Amplify App Access Token Exposed
73980e43-f399-4fcc-a373-658228f7adf7|CloudFormation|Medium|Secret Management|Amplify App Access Token must not be in a plain text string or referenced in a parameter as a default value.|Documentation
| |IAM Policy Grants 'AssumeRole' Permission Across All Services
e835bd0d-65da-49f7-b6d1-b646da8727e6|CloudFormation|Low|Access Control|Check if any IAM Policy grants 'AssumeRole' permission across all services.|Documentation
| +|IAM Role Allows All Principals To Assume
f80e3aa7-7b34-4185-954e-440a6894dde6|CloudFormation|Low|Access Control|IAM role allows all services or principals to assume it|Documentation
| |IAM User With No Group
06933df4-0ea7-461c-b9b5-104d27390e0e|CloudFormation|Low|Access Control|A IAM user should belong to a group|Documentation
| -|IAM Policy Grants Full Permissions
f62aa827-4ade-4dc4-89e4-1433d384a368|CloudFormation|Low|Access Control|Check if an IAM policy is granting full permissions to resources from the get-go, instead of granting permissions gradually as necessary.|Documentation
| |Support Has No Role Associated
d71b5fd7-9020-4b2d-9ec8-b3839faa2744|CloudFormation|Low|Access Control|Check if any AWS Support policy does not have any role and users and group associated, which means that is not being managed.|Documentation
| -|IAM Role Allows All Principals To Assume
f80e3aa7-7b34-4185-954e-440a6894dde6|CloudFormation|Low|Access Control|IAM role allows all services or principals to assume it|Documentation
| +|IAM Policy Grants Full Permissions
f62aa827-4ade-4dc4-89e4-1433d384a368|CloudFormation|Low|Access Control|Check if an IAM policy is granting full permissions to resources from the get-go, instead of granting permissions gradually as necessary.|Documentation
| |VPC Attached With Too Many Gateways
97e94d17-e2c7-4109-a53b-6536ac1bb64e|CloudFormation|Low|Availability|The number of gateways approaches or goes beyond the limit in a particular VPC|Documentation
| |RDS With Deletion Protection Disabled
2c161e58-cb52-454f-abea-6470c37b5e6e|CloudFormation|Low|Backup|RDS DBInstance should have deletion protection set to true|Documentation
| -|IAM Policies Without Groups
5e7acff5-095b-40ac-9073-ac2e4ad8a512|CloudFormation|Low|Best Practices|IAM policy should not apply directly to users, should be with a group|Documentation
| -|IAM Policies Attached To User
edc95c10-7366-4f30-9b4b-f995c84eceb5|CloudFormation|Low|Best Practices|IAM User should embed managed policies instead of inline policies|Documentation
| -|Security Group Rule Without Description
5e6c9c68-8a82-408e-8749-ddad78cbb9c5|CloudFormation|Low|Best Practices|AWS Security Group Rule should have description defined|Documentation
| -|Lambda Permission Misconfigured
9b83114b-b2a1-4534-990d-06da015e47aa|CloudFormation|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda: InvokeFunction'|Documentation
| |Geo Restriction Disabled
7f8843f0-9ea5-42b4-a02b-753055113195|CloudFormation|Low|Best Practices|Geo Restriction feature should be enabled, to restrict or allow users in specific locations accessing web application content|Documentation
| +|IAM Policies Without Groups
5e7acff5-095b-40ac-9073-ac2e4ad8a512|CloudFormation|Low|Best Practices|IAM policy should not apply directly to users, should be with a group|Documentation
| |CDN Configuration Is Missing
e4f54ff4-d352-40e8-a096-5141073c37a2|CloudFormation|Low|Best Practices|Content Delivery Network (CDN) service is used within AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination.|Documentation
| +|IAM Policies Attached To User
edc95c10-7366-4f30-9b4b-f995c84eceb5|CloudFormation|Low|Best Practices|IAM User should embed managed policies instead of inline policies|Documentation
| |Security Group Ingress Has CIDR Not Recommended
a3e4e39a-e5fc-4ee9-8cf5-700febfa86dd|CloudFormation|Low|Best Practices|AWS Security Group Ingress CIDR should not be /32 in case of IPV4 or /128 in case of IPV6|Documentation
| +|Lambda Permission Misconfigured
9b83114b-b2a1-4534-990d-06da015e47aa|CloudFormation|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda: InvokeFunction'|Documentation
| +|Security Group Rule Without Description
5e6c9c68-8a82-408e-8749-ddad78cbb9c5|CloudFormation|Low|Best Practices|AWS Security Group Rule should have description defined|Documentation
| |EFS Without Tags
08e39832-5e42-4304-98a0-aa5b43393162|CloudFormation|Low|Build Process|Amazon Elastic Filesystem should have filesystem tags associated|Documentation
| |DynamoDB With Not Recommented Table Billing Mode
c333e906-8d8b-4275-b999-78b6318f8dc6|CloudFormation|Low|Build Process|Checks if DynamoDB Table Billing Mode is set to either PAY_PER_REQUEST or PROVISIONED|Documentation
| -|Wildcard In ACM Certificate Domain Name
cc8b294f-006f-4f8f-b5bb-0a9140c33131|CloudFormation|Low|Insecure Configurations|ACM Certificate should not use wildcards (*) in the domain name|Documentation
| |Open Access To Resources Through API
60112997-8bd0-4c4c-9140-e5111706ea6f|CloudFormation|Low|Insecure Configurations|Open access to back-end resources through API|Documentation
| +|Wildcard In ACM Certificate Domain Name
cc8b294f-006f-4f8f-b5bb-0a9140c33131|CloudFormation|Low|Insecure Configurations|ACM Certificate should not use wildcards (*) in the domain name|Documentation
| |CloudFront Without WAF
0f139403-303f-467c-96bd-e717e6cfd62d|CloudFormation|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service|Documentation
| |EC2 Network ACL Duplicate Rule
045ddb54-cfc5-4abb-9e05-e427b2bc96fe|CloudFormation|Low|Networking and Firewall|A Network ACL's rule numbers cannot be repeated unless one is egress and the other is ingress|Documentation
| -|API Gateway Deployment Without API Gateway UsagePlan Associated
783860a3-6dca-4c8b-81d0-7b62769ccbca|CloudFormation|Low|Observability|API Gateway Deployment should have API Gateway UsagePlan defined and associated.|Documentation
| -|CloudTrail Log File Validation Disabled
2a3560fe-52ca-4443-b34f-bf0ed5eb74c8|CloudFormation|Low|Observability|CloudTrail log file validation should be enabled|Documentation
| -|VPC FlowLogs Disabled
f6d299d2-21eb-41cc-b1e1-fe12d857500b|CloudFormation|Low|Observability|VPC hasn't got any FlowLog associated|Documentation
| -|ECS Task Definition HealthCheck Missing
d24389b4-b209-4ff0-8345-dc7a4569dcdd|CloudFormation|Low|Observability|Amazon ECS must have the HealthCheck property defined to give more control over monitoring the health of tasks|Documentation
| -|Lambda Functions Without X-Ray Tracing
9488c451-074e-4cd3-aee3-7db6104f542c|CloudFormation|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracingConfig.mode' should have the value 'Active'|Documentation
| |S3 Bucket Logging Disabled
4552b71f-0a2a-4bc4-92dd-ed7ec1b4674c|CloudFormation|Low|Observability|Server Access Logging must be enabled on S3 Buckets so that all changes are logged and trackable|Documentation
| +|Lambda Functions Without X-Ray Tracing
9488c451-074e-4cd3-aee3-7db6104f542c|CloudFormation|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracingConfig.mode' should have the value 'Active'|Documentation
| |SNS Topic is Publicly Accessible For Subscription
ae53ce91-42b5-46bf-a84f-9a13366a4f13|CloudFormation|Low|Observability|Ensure appropriate subscribers to each SNS topic|Documentation
| -|VPC Without Attached Subnet
3b3b4411-ad1f-40e7-b257-a78a6bb9673a|CloudFormation|Low|Resource Management|VPCs without attached subnets may indicate that they are not being used|Documentation
| +|VPC FlowLogs Disabled
f6d299d2-21eb-41cc-b1e1-fe12d857500b|CloudFormation|Low|Observability|VPC hasn't got any FlowLog associated|Documentation
| +|ECS Task Definition HealthCheck Missing
d24389b4-b209-4ff0-8345-dc7a4569dcdd|CloudFormation|Low|Observability|Amazon ECS must have the HealthCheck property defined to give more control over monitoring the health of tasks|Documentation
| +|API Gateway Deployment Without API Gateway UsagePlan Associated
783860a3-6dca-4c8b-81d0-7b62769ccbca|CloudFormation|Low|Observability|API Gateway Deployment should have API Gateway UsagePlan defined and associated.|Documentation
| +|CloudTrail Log File Validation Disabled
2a3560fe-52ca-4443-b34f-bf0ed5eb74c8|CloudFormation|Low|Observability|CloudTrail log file validation should be enabled|Documentation
| +|ECS Task Definition Invalid CPU or Memory
f4c9b5f5-68b8-491f-9e48-4f96644a1d51|CloudFormation|Low|Resource Management|In ECS Task Definition of FARGATE launch type if you specify an invalid CPU or Memory value, you will receive an error|Documentation
| |API Gateway Stage Without API Gateway UsagePlan Associated
7f8f1b60-43df-4c28-aa21-fb836dbd8071|CloudFormation|Low|Resource Management|API Gateway Stage should have API Gateway UsagePlan defined and associated.|Documentation
| +|VPC Without Attached Subnet
3b3b4411-ad1f-40e7-b257-a78a6bb9673a|CloudFormation|Low|Resource Management|VPCs without attached subnets may indicate that they are not being used|Documentation
| |SDB Domain Declared As A Resource
6ea57c8b-f9c0-4ec7-bae3-bd75a9dee27d|CloudFormation|Low|Resource Management|SimpleDB Domain resource should not be declared|Documentation
| -|ECS Task Definition Invalid CPU or Memory
f4c9b5f5-68b8-491f-9e48-4f96644a1d51|CloudFormation|Low|Resource Management|In ECS Task Definition of FARGATE launch type if you specify an invalid CPU or Memory value, you will receive an error|Documentation
| +|Privilege Escalation Allowed
5572cc5e-1e4c-4113-92a6-7a8a3bd25e6d|Kubernetes|High|Insecure Configurations|Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process|Documentation
| +|Tiller (Helm v2) Is Deployed
6d173be7-545a-46c6-a81d-2ae52ed1605d|Kubernetes|High|Insecure Configurations|Check if Tiller is deployed.|Documentation
| +|Cluster Allows Unsafe Sysctls
9127f0d9-2310-42e7-866f-5fd9d20dcbad|Kubernetes|High|Insecure Configurations|A Kubernetes Cluster must not allow Unsafe Sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means the 'spec.securityContext.sysctls' must not have an Unsafe Sysctls and that the atrribute 'allowedUnsafeSysctls' must be undefined.|Documentation
| +|Host Aliases Undefined Or Empty
72b03514-20ae-4409-8842-2dd70c2e25aa|Kubernetes|High|Insecure Configurations|A Pod should have Host Aliases defined as to prevent the container from modifying the file after a pod's containers have already been started. This means the attribute 'spec.hostAliases' must be defined and not empty or null.|Documentation
| +|Tiller Service Is Not Deleted
8b862ca9-0fbd-4959-ad72-b6609bdaa22d|Kubernetes|High|Insecure Configurations|Check if there is any Tiller Service present|Documentation
| +|Shared Host IPC Namespace
cd290efd-6c82-4e9d-a698-be12ae31d536|Kubernetes|High|Insecure Configurations|Container should not share the host IPC namespace|Documentation
| +|Container Is Privileged
dd29336b-fe57-445b-a26e-e6aa867ae609|Kubernetes|High|Insecure Configurations|Do not allow container to be privileged.|Documentation
| +|NET_RAW Capabilities Not Being Dropped
dbbc6705-d541-43b0-b166-dd4be8208b54|Kubernetes|High|Insecure Configurations|Containers should drop 'NET_RAW' or 'ALL' capabilities|Documentation
| +|Object Is Using A Deprecated API Version
94b76ea5-e074-4ca2-8a03-c5a606e30645|Kubernetes|High|Insecure Configurations|Check if any objects are using a deprecated version of API.|Documentation
| +|Not Limited Capabilities For Pod Security Policy
caa93370-791f-4fc6-814b-ba6ce0cb4032|Kubernetes|High|Insecure Configurations|Limit capabilities for a Pod Security Policy|Documentation
| +|Shared Host PID Namespace
302736f4-b16c-41b8-befe-c0baffa0bd9d|Kubernetes|High|Insecure Configurations|Container should not share the host process ID namespace|Documentation
| +|PSP Allows Containers To Share The Host Network Namespace
a33e9173-b674-4dfb-9d82-cf3754816e4b|Kubernetes|High|Insecure Configurations|Check if Pod Security Policies allow containers to share the host network namespace.|Documentation
| +|Shared Host Network Namespace
6b6bdfb3-c3ae-44cb-88e4-7405c1ba2c8a|Kubernetes|High|Insecure Configurations|Container should not share the host network namespace|Documentation
| +|Role Binding To Default Service Account
1e749bc9-fde8-471c-af0c-8254efd2dee5|Kubernetes|High|Insecure Defaults|No role nor cluster role should bind to a default service account|Documentation
| +|Tiller Deployment Is Accessible From Within The Cluster
e17fa86a-6222-4584-a914-56e8f6c87e06|Kubernetes|High|Networking and Firewall|Check if any Tiller Deployment container allows access from within the cluster.|Documentation
| +|Non Kube System Pod With Host Mount
aa8f7a35-9923-4cad-bd61-a19b7f6aac91|Kubernetes|Medium|Access Control|A non kube-system workload should not have hostPath mounted|Documentation
| +|RBAC Roles with Read Secrets Permissions
b7bca5c4-1dab-4c2c-8cbe-3050b9d59b14|Kubernetes|Medium|Access Control|Minimize access to secrets (RBAC)|Documentation
| +|Liveness Probe Is Not Defined
ade74944-a674-4e00-859e-c6eab5bde441|Kubernetes|Medium|Availability|Liveness Probe must be defined.|Documentation
| +|Readiness Probe Is Not Configured
a659f3b5-9bf0-438a-bd9a-7d3a6427f1e3|Kubernetes|Medium|Availability|Check if Readiness Probe is not configured.|Documentation
| +|Container Running With Low UID
02323c00-cdc3-4fdc-a310-4f2b3e7a1660|Kubernetes|Medium|Best Practices|Check if containers are running with low UID, which might cause conflicts with the host's user table.|Documentation
| +|Resource With Allow Privilege Escalation
0a7c420c-4568-4cec-ba36-4d42a6f9613b|Kubernetes|Medium|Best Practices|Minimize the admission of privileged resources|Documentation
| +|Root Containers Admitted
e3aa0612-4351-4a0d-983f-aefea25cf203|Kubernetes|Medium|Best Practices|Containers must not be allowed to run with root privileges, which means the attributes 'privileged','allowPrivilegeEscalation' and 'readOnlyRootFilesystem' must be set to false, 'runAsUser.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden|Documentation
| +|Container Running As Root
cf34805e-3872-4c08-bf92-6ff7bb0cfadb|Kubernetes|Medium|Best Practices|Check if containers are running as root unduly.|Documentation
| +|Incorrect Volume Claim Access Mode ReadWriteOnce
3878dc92-8e5d-47cf-9cdd-7590f71d21b9|Kubernetes|Medium|Build Process|Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce'|Documentation
| +|Ingress Controller Exposes Workload
69bbc5e3-0818-4150-89cc-1e989b48f23b|Kubernetes|Medium|Insecure Configurations|Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks|Documentation
| +|PSP Allows Sharing Host PID
91dacd0e-d189-4a9c-8272-5999a3cc32d9|Kubernetes|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host process ID namespace|Documentation
| +|NET_RAW Capabilities Disabled for PSP
2270987f-bb51-479f-b8be-3ca73e5ad648|Kubernetes|Medium|Insecure Configurations|Containers need to have NET_RAW or All as drop capabilities|Documentation
| +|PSP With Added Capabilities
7307579a-3abb-46ad-9ce5-2a915634d5c8|Kubernetes|Medium|Insecure Configurations|PodSecurityPolicy should not have added capabilities|Documentation
| +|Using Default Namespace
611ab018-c4aa-4ba2-b0f6-a448337509a6|Kubernetes|Medium|Insecure Configurations|The default namespace should not be used|Documentation
| +|Default Service Account In Use
b93e973e-9066-4455-a63b-c1c0e1ec3a48|Kubernetes|Medium|Insecure Configurations|Default service accounts should not be actively used|Documentation
| +|Seccomp Profile Is Not Configured
f377b83e-bd07-4f48-a591-60c82b14a78b|Kubernetes|Medium|Insecure Configurations|Check if any resource does not configure Seccomp default profile properly|Documentation
| +|PSP Set To Privileged
c48e57d3-d642-4e0b-90db-37f807b41b91|Kubernetes|Medium|Insecure Configurations|Do not allow pod to request execution as privileged.|Documentation
| +|PSP Allows Sharing Host IPC
80f93444-b240-4ebb-a4c6-5c40b76c04ea|Kubernetes|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host IPC namespace|Documentation
| +|PSP Allows Privilege Escalation
87554eef-154d-411d-bdce-9dbd91e56851|Kubernetes|Medium|Insecure Configurations|PodSecurityPolicy should not allow privilege escalation|Documentation
| +|Not Limited Capabilities For Container
2f1a0619-b12b-48a0-825f-993bb6f01d58|Kubernetes|Medium|Insecure Configurations|Limit the capabilities for a Container.|Documentation
| +|Containers With Sys Admin Capabilities
235236ee-ad78-4065-bd29-61b061f28ce0|Kubernetes|Medium|Insecure Configurations|Containers should not have CAP_SYS_ADMIN Linux capability|Documentation
| +|Container Runs Unmasked
f922827f-aab6-447c-832a-e1ff63312bd3|Kubernetes|Medium|Insecure Configurations|Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime.|Documentation
| +|Containers With Added Capabilities
19ebaa28-fc86-4a58-bcfa-015c9e22fe40|Kubernetes|Medium|Insecure Configurations|Containers should not have added capability|Documentation
| +|Workload Mounting With Sensitive OS Directory
5308a7a8-06f8-45ac-bf10-791fe21de46e|Kubernetes|Medium|Insecure Configurations|Workload is mounting a volume with sensitive OS Directory|Documentation
| +|Service Account Name Undefined Or Empty
591ade62-d6b0-4580-b1ae-209f80ba1cd9|Kubernetes|Medium|Insecure Defaults|A Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'serviceAccountName' should be defined and not empty.|Documentation
| +|Service Account Token Automount Not Disabled
48471392-d4d0-47c0-b135-cdec95eb3eef|Kubernetes|Medium|Insecure Defaults|Service Account Tokens are automatically mounted even if not necessary|Documentation
| +|Network Policy Is Not Targeting Any Pod
85ab1c5b-014e-4352-b5f8-d7dea3bb4fd3|Kubernetes|Medium|Networking and Firewall|Check if any network policy is not targeting any pod.|Documentation
| +|Service With External Load Balance
26763a1c-5dda-4772-b507-5fca7fb5f165|Kubernetes|Medium|Networking and Firewall|Service has an external load balancer, which may cause accessibility from other networks and the Internet|Documentation
| +|Pod Misconfigured Network Policy
0401f71b-9c1e-4821-ab15-a955caa621be|Kubernetes|Medium|Networking and Firewall|Check if any pod is not being targeted by a proper network policy.|Documentation
| +|Volume Mount with OS Directory Write Permissions
b7652612-de4e-4466-a0bf-1cd81f0c6063|Kubernetes|Medium|Resource Management|Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries.|Documentation
| +|CPU Limits Not Set
4ac0e2b7-d2d2-4af7-8799-e8de6721ccda|Kubernetes|Medium|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests|Documentation
| +|CPU Requests Not Set
ca469dd4-c736-448f-8ac1-30a642705e0a|Kubernetes|Medium|Resource Management|CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node|Documentation
| +|Memory Limits Not Defined
b14d1bc4-a208-45db-92f0-e21f8e2588e9|Kubernetes|Medium|Resource Management|Memory limits should be specified|Documentation
| +|Memory Requests Not Defined
229588ef-8fde-40c8-8756-f4f2b5825ded|Kubernetes|Medium|Resource Management|Memory requests should be specified|Documentation
| +|Shared Service Account
c1032cf7-3628-44e2-bd53-38c17cf31b6b|Kubernetes|Medium|Secret Management|A Service Account token is shared between workloads|Documentation
| +|ServiceAccount Allows Access Secrets
056ac60e-fe07-4acc-9b34-8e1d51716ab9|Kubernetes|Medium|Secret Management|Roles and ClusterRoles when binded, should not use get, list or watch as verbs|Documentation
| +|Docker Daemon Socket is Exposed to Containers
a6f34658-fdfb-4154-9536-56d516f65828|Kubernetes|Low|Access Control|Sees if Docker Daemon Socket is not exposed to Containers|Documentation
| +|Cluster Admin Rolebinding With Superuser Permissions
249328b8-5f0f-409f-b1dd-029f07882e11|Kubernetes|Low|Access Control|Ensure that the cluster-admin role is only used where required (RBAC)|Documentation
| +|Permissive Access to Create Pods
592ad21d-ad9b-46c6-8d2d-fad09d62a942|Kubernetes|Low|Access Control|The permission to create pods in a cluster should be restricted because it allows privilege escalation.|Documentation
| +|Missing App Armor Config
8b36775e-183d-4d46-b0f7-96a6f34a723f|Kubernetes|Low|Access Control|Containers should be configured with AppArmor for any application to reduce its potential attack|Documentation
| +|RBAC Wildcard In Rule
6b896afb-ca07-467a-b256-1a0077a1c08e|Kubernetes|Low|Access Control|Kubernetes Roles and ClusterRoles should not use wildcards in rules (objects or actions)|Documentation
| +|StatefulSets Without Service Name
bb241e61-77c3-4b97-9575-c0f8a1e008d0|Kubernetes|Low|Availability|Check if the StatefulSets have a headless 'serviceName'|Documentation
| +|HPA Targeted Deployments With Configured Replica Count
5744cbb8-5946-4b75-a196-ade44449525b|Kubernetes|Low|Availability|Deployments targeted by HorizontalPodAutoscaler should not have a statically configured replica count set|Documentation
| +|StatefulSet Without PodDisruptionBudget
1db3a5a5-bf75-44e5-9e44-c56cfc8b1ac5|Kubernetes|Low|Availability|StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
| +|Deployment Without PodDisruptionBudget
b23e9b98-0cb6-4fc9-b257-1f3270442678|Kubernetes|Low|Availability|Deployments should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
| +|HPA Targets Invalid Object
2f652c42-619d-4361-b361-9f599688f8ca|Kubernetes|Low|Availability|The Horizontal Pod Autoscale must target a valid object|Documentation
| +|No Drop Capabilities for Containers
268ca686-7fb7-4ae9-b129-955a2a89064e|Kubernetes|Low|Best Practices|Sees if Kubernetes Drop Capabilities exists to ensure containers security context|Documentation
| +|Metadata Label Is Invalid
1123031a-f921-4c5b-bd86-ef354ecfd37a|Kubernetes|Low|Best Practices|Check if any label in the metadata is invalid.|Documentation
| +|Root Container Not Mounted As Read-only
a9c2f49d-0671-4fc9-9ece-f4e261e128d0|Kubernetes|Low|Build Process|Check if the root container filesystem is not being mounted as read-only.|Documentation
| +|StatefulSet Requests Storage
8cf4671a-cf3d-46fc-8389-21e7405063a2|Kubernetes|Low|Build Process|A StatefulSet requests volume storage.|Documentation
| +|Image Pull Policy Of The Container Is Not Set To Always
caa3479d-885d-4882-9aac-95e5e78ef5c2|Kubernetes|Low|Insecure Configurations|Image Pull Policy of the container must be defined and set to Always|Documentation
| +|Dashboard Is Enabled
d2ad057f-0928-41ef-a83c-f59203bb855b|Kubernetes|Low|Insecure Configurations|If not needed, disabling the dashboard can prevent from being used as an attack vector|Documentation
| +|Pod or Container Without Security Context
a97a340a-0063-418e-b3a1-3028941d0995|Kubernetes|Low|Insecure Configurations|A security context defines privilege and access control settings for a Pod or Container|Documentation
| +|Image Without Digest
7c81d34c-8e5a-402b-9798-9f442630e678|Kubernetes|Low|Insecure Configurations|Sees if Kubernetes image has digest on|Documentation
| +|Service Does Not Target Pod
3ca03a61-3249-4c16-8427-6f8e47dda729|Kubernetes|Low|Insecure Configurations|Service should Target a Pod|Documentation
| +|Service Type is NodePort
845acfbe-3e10-4b8e-b656-3b404d36dfb2|Kubernetes|Low|Networking and Firewall|Service type should not be NodePort|Documentation
| +|Image Host Port Not Specified
2b1836f1-dcce-416e-8e16-da8c71920633|Kubernetes|Low|Networking and Firewall|Sees if Kubernetes Image Host Port is Specified|Documentation
| +|Container CPU Requests Not Equal To It's Limits
9d43040e-e703-4e16-8bfe-8d4da10fa7e6|Kubernetes|Low|Resource Management|A Pod's Containers must have the same CPU requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.cpu' must equal 'limits.cpu', and both be defined.|Documentation
| +|StatefulSet Has No PodAntiAffinity
d740d048-8ed3-49d3-b77b-6f072f3b669e|Kubernetes|Low|Resource Management|Check if StatefulSet resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node.|Documentation
| +|CronJob Deadline Not Configured
192fe40b-b1c3-448a-aba2-6cc19a300fe3|Kubernetes|Low|Resource Management|Cronjobs must have a configured deadline, which means the attribute 'startingDeadlineSeconds' must be defined|Documentation
| +|Deployment Has No PodAntiAffinity
a31b7b82-d994-48c4-bd21-3bab6c31827a|Kubernetes|Low|Resource Management|Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node.|Documentation
| +|Container Requests Not Equal To It's Limits
aee3c7d2-a811-4201-90c7-11c028be9a46|Kubernetes|Low|Resource Management|A Pod's Containers must have the same requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.memory' and 'requests.cpu' must equal 'limits.memory' and 'limits.cpu', respectively, and all four must be defined.|Documentation
| +|Container Memory Requests Not Equal To It's Limits
aafa7d94-62de-4fbf-8838-b69ee217b0e6|Kubernetes|Low|Resource Management|A Pod's Containers must have the same Memory requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.memory' must equal 'limits.memory', and both be defined.|Documentation
| +|Secrets As Environment Variables
3d658f8b-d988-41a0-a841-40043121de1e|Kubernetes|Low|Secret Management|Container should not use secrets as environment variables|Documentation
| +|Invalid Image
583053b7-e632-46f0-b989-f81ff8045385|Kubernetes|Low|Supply-Chain|Image must be defined and not be empty or equal to latest.|Documentation
| +|S3 Bucket Allows Delete Action From All Principals
6fa44721-ef21-41c6-8665-330d59461163|Ansible|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion.|Documentation
| +|S3 Bucket ACL Allows Read to All Users
a1ef9d2e-4163-40cb-bd92-04f0d602a15d|Ansible|High|Access Control|It's not recommended to allow read access for all user groups.|Documentation
| +|ECS Service Admin Role is Present
7db727c1-1720-468e-b80e-06697f71e09e|Ansible|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'role' must not be an admin role|Documentation
| +|S3 Bucket Allows WriteACP Action From All Principals
7529b8d2-55d7-44d2-b1cd-d7d2984a2a81|Ansible|High|Access Control|S3 Buckets must not allow Write_ACP Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Write_ACP, for all Principals.|Documentation
| +|S3 Bucket Access to Any Principal
3ab1f27d-52cc-4943-af1d-43c1939e739a|Ansible|High|Access Control|Checks if the S3 bucket is accessible for all users|Documentation
| +|S3 Bucket Allows Put Action From All Principals
a0f1bfe0-741e-473f-b3b2-13e66f856fab|Ansible|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion.|Documentation
| +|S3 Bucket Allows List Action From All Principals
d395a950-12ce-4314-a742-ac5a785ab44e|Ansible|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion.|Documentation
| +|S3 Bucket With All Permissions
6a6d7e56-c913-4549-b5c5-5221e624d2ec|Ansible|High|Access Control|S3 Buckets must not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion|Documentation
| +|S3 Bucket Allows Get Action From All Principals
53bce6a8-5492-4b1b-81cf-664385f0c4bf|Ansible|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion.|Documentation
| +|DB Instance Publicly Accessible
c09e3ca5-f08a-4717-9c87-3919c5e6d209|Ansible|High|Access Control|The field 'publicly_accessible' should not be set to 'true' (default is 'false').|Documentation
| +|S3 Bucket ACL Allows Read to Any Authenticated User
75480b31-f349-4b9a-861f-bce19588e674|Ansible|High|Access Control|Misconfigured S3 buckets can leak private information to the entire internet or allow unauthorized data tampering / deletion|Documentation
| +|IAM Policies With Full Privileges
e401d614-8026-4f4b-9af9-75d1197461ba|Ansible|High|Access Control|IAM policies that allow full administrative privileges (for all resources)|Documentation
| +|SQS Queue Exposed
86b0efa7-4901-4edd-a37a-c034bec6645a|Ansible|High|Access Control|Checks if the SQS Queue is exposed|Documentation
| +|VM With Full Cloud Access
bc20bbc6-0697-4568-9a73-85af1dd97bdd|Ansible|High|Access Control|A VM instance is configured to use the default service account with full access to all Cloud APIs|Documentation
| +|SQL DB Instance Is Publicly Accessible
7d7054c0-3a52-4e9b-b9ff-cbfe16a2378b|Ansible|High|Access Control|Check if any Cloud SQL instances are publicly accessible.|Documentation
| +|Storage Container Is Publicly Accessible
4d3817db-dd35-4de4-a80d-3867157e7f7f|Ansible|High|Access Control|Anonymous, public read access to a container and its blobs are enabled in Azure Blob Storage|Documentation
| +|Public Storage Account
35e2f133-a395-40de-a79d-b260d973d1bd|Ansible|High|Access Control|Check if 'network_acls' is open to public.|Documentation
| +|Trusted Microsoft Services Not Enabled
1bc398a8-d274-47de-a4c8-6ac867b353de|Ansible|High|Access Control|Ensure Trusted Microsoft Services have Storage Account access.|Documentation
| +|Admin User Enabled For Container Registry
29f35127-98e6-43af-8ec1-201b79f99604|Ansible|High|Access Control|Admin user is enabled for Container Registry|Documentation
| +|SQL DB Instance Backup Disabled
0c82eae2-aca0-401f-93e4-fb37a0f9e5e8|Ansible|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances|Documentation
| +|User Data Contains Encoded Private Key
c09f4d3e-27d2-4d46-9453-abbe9687a64e|Ansible|High|Encryption|User Data contains an encoded RSA Private Key|Documentation
| +|ELB Using Insecure Protocols
730a5951-2760-407a-b032-dd629b55c23a|Ansible|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of insecure protocols.|Documentation
| +|Secure Ciphers Disabled
218413a0-c716-4b94-9e08-0bb70d854709|Ansible|High|Encryption|Check if secure ciphers aren't used in CloudFront|Documentation
| +|CA Certificate Identifier Is Outdated
5eccd62d-8b4d-46d3-83ea-1879f3cbd3ce|Ansible|High|Encryption|The CA certificate Identifier must be 'rds-ca-2019'.|Documentation
| +|EFS Without KMS
bd77554e-f138-40c5-91b2-2a09f878608e|Ansible|High|Encryption|Elastic File System (EFS) must have KMS Key ID|Documentation
| +|ECS Task Definition Container With Plaintext Password
7fdc2bf3-6bc0-4cb3-84c5-cfd041c0f892|Ansible|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data.|Documentation
| +|CloudTrail Log Files Not Encrypted
f5587077-3f57-4370-9b4e-4eb5b1bac85b|Ansible|High|Encryption|CloudTrail Log Files should be encrypted with Key Management Service (KMS)|Documentation
| +|Redshift Not Encrypted
6a647814-def5-4b85-88f5-897c19f509cd|Ansible|High|Encryption|Check if 'encrypted' field is false or undefined (default is false)|Documentation
| +|Automatic Minor Upgrades Disabled
857f8808-e96a-4ba8-a9b7-f2d4ec6cad94|Ansible|High|Encryption|RDS instance auto minor version upgrade feature must be true|Documentation
| +|Launch Configuration Is Not Encrypted
66477506-6abb-49ed-803d-3fa174cd5f6a|Ansible|High|Encryption|AWS Autoscaling Launch Configurations should have encryption enabled|Documentation
| +|AMI Not Encrypted
97707503-a22c-4cd7-b7c0-f088fa7cf830|Ansible|High|Encryption|AWS AMI Encryption is not enabled|Documentation
| +|Redis Not Compliant
9f34885e-c08f-4d13-a7d1-cf190c5bd268|Ansible|High|Encryption|Check if the redis version is compliant with the necessary AWS PCI DSS requirements|Documentation
| +|DB Instance Storage Not Encrypted
7dfb316c-a6c2-454d-b8a2-97f147b0c0ff|Ansible|High|Encryption|The parameter storage_encrypted in aws_db_instance must be set to 'true' (the default is 'false').|Documentation
| +|Memcached Disabled
2d55ef88-b616-4890-b822-47f280763e89|Ansible|High|Encryption|Check if the Memcached is disabled on the ElastiCache|Documentation
| +|IAM Database Auth Not Enabled
0ed012a4-9199-43d2-b9e4-9bd049a48aa4|Ansible|High|Encryption|IAM Database Auth Enabled must be configured to true|Documentation
| +|Viewer Protocol Policy Allows HTTP
a6d27cf7-61dc-4bde-ae08-3b353b609f76|Ansible|High|Encryption|Checks if the connection between the CloudFront and the origin server is encrypted|Documentation
| +|EFS Not Encrypted
727c4fd4-d604-4df6-a179-7713d3c85e20|Ansible|High|Encryption|Elastic File System (EFS) must be encrypted|Documentation
| +|S3 Bucket Without Server-side-encryption
594f54e7-f744-45ab-93e4-c6dbaf6cd571|Ansible|High|Encryption|AWS S3 Storage should be protected with SSE (Server-Side Encryption)|Documentation
| +|ELB Using Weak Ciphers
2034fb37-bc23-4ca0-8d95-2b9f15829ab5|Ansible|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of weak ciphers.|Documentation
| +|S3 Bucket SSE Disabled
309edc5b-5a59-42b4-a357-d4d098311fd4|Ansible|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required|Documentation
| +|User Data Shell Script Is Encoded
1e2341ba-a5cf-4f0a-a5f6-47e90c68ea89|Ansible|High|Encryption|User Data Shell Script must be encoded|Documentation
| +|Kinesis Not Encrypted With KMS
f2ea6481-1d31-4d40-946a-520dc6321dd7|Ansible|High|Encryption|AWS Kinesis Streams and metadata should be protected with KMS|Documentation
| +|DNSSEC Using RSASHA1
6cf4c3a7-ceb0-4475-8892-3745b84be24a|Ansible|High|Encryption|DNSSEC should not use the RSASHA1 algorithm|Documentation
| +|SQL DB Instance With SSL Disabled
d0f7da39-a2d5-4c78-bb85-4b7f338b3cbb|Ansible|High|Encryption|Cloud SQL Database Instance with SSL disabled for incoming connections|Documentation
| +|High KMS Rotation Period
79f45008-60b3-4a0a-a302-8311fd3701b4|Ansible|High|Encryption|Check if any KMS rotation period surpasses 365 days.|Documentation
| +|SSL Enforce Disabled
961ce567-a16d-4d7d-9027-f0ec2628a555|Ansible|High|Encryption|Make sure that for PosgreSQL, the 'Enforce SSL connection' is set to 'ENABLED'|Documentation
| +|Storage Account Not Forcing HTTPS
2c99a474-2a3c-4c17-8294-53ffa5ed0522|Ansible|High|Encryption|See that Storage Accounts forces the use of HTTPS|Documentation
| +|MySQL SSL Connection Disabled
2a901825-0f3b-4655-a0fe-e0470e50f8e6|Ansible|High|Encryption|Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled|Documentation
| +|Redshift Publicly Accessible
5c6b727b-1382-4629-8ba9-abd1365e5610|Ansible|High|Insecure Configurations|Check if 'publicly_accessible' field is true (default is false)|Documentation
| +|DB Security Group Has Public IP
5330b503-3319-44ff-9b1c-00ee873f728a|Ansible|High|Insecure Configurations|The CIDR IP must not be Public|Documentation
| +|ECS Task Definition Network Mode Not Recommended
01aec7c2-3e4d-4274-ae47-2b8fea22fd1f|Ansible|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations|Documentation
| +|CloudFront Without Minimum Protocol TLS 1.2
d0c13053-d2c8-44a6-95da-d592996e9e67|Ansible|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2|Documentation
| +|Batch Job Definition With Privileged Container Properties
defe5b18-978d-4722-9325-4d1975d3699f|Ansible|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties|Documentation
| +|KMS Key With Vulnerable Policy
5b9d237a-57d5-4177-be0e-71434b0fef47|Ansible|High|Insecure Configurations|Checks if the policy is vulnerable and needs updating.|Documentation
| +|Root Account Has Active Access Keys
e71d0bc7-d9e8-4e6e-ae90-0a4206db6f40|Ansible|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive.|Documentation
| +|Cluster Master Authentication Disabled
9df7f78f-ebe3-432e-ac3b-b67189c15518|Ansible|High|Insecure Configurations|Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'master_auth' must have the subattributes 'username' and 'password' defined and not empty|Documentation
| +|Cloud SQL Instance With Contained Database Authentication On
6d34aff3-fdd2-460c-8190-756a3b4969e8|Ansible|High|Insecure Configurations|SQL Instance should not have Contained Database Authentication On|Documentation
| +|Network Policy Disabled
98e04ca0-34f5-4c74-8fec-d2e611ce2790|Ansible|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false|Documentation
| +|GKE Legacy Authorization Enabled
300a9964-b086-41f7-9378-b6de3ba1c32b|Ansible|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacy_abac.enabled' must be false.|Documentation
| +|Private Cluster Disabled
3b30e3d6-c99b-4318-b38f-b99db74578b5|Ansible|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_endpoint' and 'enable_private_nodes' must be true.|Documentation
| +|Client Certificate Disabled
20180133-a0d0-4745-bfe0-94049fbb12a9|Ansible|High|Insecure Configurations|Kubernetes Clusters must be created with Client Certificate enabled, which means 'master_auth' must have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to true|Documentation
| +|Cluster Labels Disabled
fbe9b2d0-a2b7-47a1-a534-03775f3013f7|Ansible|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined|Documentation
| +|Cloud SQL Instance With Cross DB Ownership Chaining On
9e0c33ed-97f3-4ed6-8be9-bcbf3f65439f|Ansible|High|Insecure Configurations|GCP SQL Instance should not have Cross DB Ownership Chaining On|Documentation
| +|IP Aliasing Disabled
ed672a9f-fbf0-44d8-a47d-779501b0db05|Ansible|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ip_allocation_policy' must be defined and the subattribute 'use_ip_aliases' must be set to 'yes'.|Documentation
| +|MySQL Instance With Local Infile On
a7b520bb-2509-4fb0-be05-bc38f54c7a4c|Ansible|High|Insecure Configurations|MySQL Instance should not have Local Infile On|Documentation
| +|GKE Basic Authentication Enabled
344bf8ab-9308-462b-a6b2-697432e40ba1|Ansible|High|Insecure Configurations|GCP - Google Kubernetes Engine (GKE) Basic Authentication must be disabled, which means the username and password provided in the master_auth block must be empty|Documentation
| +|BigQuery Dataset Is Public
2263b286-2fe9-4747-a0ae-8b4768a2bbd2|Ansible|High|Insecure Configurations|BigQuery dataset is anonymously or publicly accessible|Documentation
| +|PostgreSQL Misconfigured Logging Duration Flag
aed98a2a-e680-497a-8886-277cea0f4514|Ansible|High|Insecure Configurations|PostgreSQL database 'log_min_duration_statement' flag isn't set to '-1'|Documentation
| +|Azure Container Registry With No Locks
581dae78-307d-45d5-aae4-fe2b0db267a5|Ansible|High|Insecure Configurations|Azurerm Container Registry Must Contain Associated Locks |Documentation
| +|Web App Accepting Traffic Other Than HTTPS
eb8c2560-8bee-4248-9d0d-e80c8641dd91|Ansible|High|Insecure Configurations|Web app should only accept HTTPS traffic in Azure Web App Service.|Documentation
| +|VM Not Attached To Network
1e5f5307-3e01-438d-8da6-985307ed25ce|Ansible|High|Insecure Configurations|No Network Security Group is attached to the Virtual Machine|Documentation
| +|AD Admin Not Configured For SQL Server
b176e927-bbe2-44a6-a9c3-041417137e5f|Ansible|High|Insecure Configurations|The Active Directory Administrator is not configured for a SQL server|Documentation
| +|Vulnerable Default SSL Certificate
fb8f8929-afeb-4c46-99f0-a6cf410f7df4|Ansible|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one.|Documentation
| +|DB Security Group With Public Scope
0956aedf-6a7a-478b-ab56-63e2b19923ad|Ansible|High|Networking and Firewall|The IP address in a DB Security Group must not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6).|Documentation
| +|EC2 Instance Has Public IP
a8b0c58b-cd25-4b53-9ad0-55bca0be0bc1|Ansible|High|Networking and Firewall|EC2 Instance should not have a public IP address.|Documentation
| +|HTTP Port Open
a14ad534-acbe-4a8e-9404-2f7e1045646e|Ansible|High|Networking and Firewall|The HTTP port is open in a Security Group|Documentation
| +|DB Security Group Open To Large Scope
ea0ed1c7-9aef-4464-b7c7-94c762da3640|Ansible|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts.|Documentation
| +|Unknown Port Exposed To Internet
722b0f24-5a64-4cca-aa96-cfc26b7e3a5b|Ansible|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet|Documentation
| +|Default Security Groups With Unrestricted Traffic
8010e17a-00e9-4635-a692-90d6bcec68bd|Ansible|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic.|Documentation
| +|Security Group With Unrestricted Access To SSH
57ced4b9-6ba4-487b-8843-b65562b90c77|Ansible|High|Networking and Firewall|SSH' (TCP:22) should not be public in AWS Security Group|Documentation
| +|Security Group Ingress Not Restricted
ea6bc7a6-d696-4dcf-a788-17fa03c17c81|Ansible|High|Networking and Firewall|AWS Security Group should restrict ingress access|Documentation
| +|Unrestricted Security Group Ingress
83c5fa4c-e098-48fc-84ee-0a537287ddd2|Ansible|High|Networking and Firewall|Security groups allow ingress from 0.0.0.0/0|Documentation
| +|Remote Desktop Port Open
eda7301d-1f3e-47cf-8d4e-976debc64341|Ansible|High|Networking and Firewall|The Remote Desktop port is open in a Security Group|Documentation
| +|Public Port Wide
71ea648a-d31a-4b5a-a589-5674243f1c33|Ansible|High|Networking and Firewall|AWS Security Group should not have public port wide|Documentation
| +|ALB Listening on HTTP
f81d63d2-c5d7-43a4-a5b5-66717a41c895|Ansible|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP|Documentation
| +|Route53 Record Undefined
445dce51-7e53-4e50-80ef-7f94f14169e4|Ansible|High|Networking and Firewall|Route53 Record should have a list of records|Documentation
| +|Compute Instance Is Publicly Accessible
829f1c60-2bab-44c6-8a21-5cd9d39a2c82|Ansible|High|Networking and Firewall|Compute instances shouldn't be accessible from the Internet.|Documentation
| +|GKE Master Authorized Networks Disabled
d43366c5-80b0-45de-bbe8-2338f4ab0a83|Ansible|High|Networking and Firewall|Master authorized networks must be enabled in GKE clusters|Documentation
| +|Sensitive Port Is Exposed To Entire Network
0ac9abbc-6d7a-41cf-af23-2e57ddb3dbfc|Ansible|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol|Documentation
| +|CosmosDB Account IP Range Filter Not Set
e8c80448-31d8-4755-85fc-6dbab69c2717|Ansible|High|Networking and Firewall|The IP range filter should be defined|Documentation
| +|Redis Entirely Accessible
0d0c12b9-edce-4510-9065-13f6a758750c|Ansible|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from the Internet|Documentation
| +|SQLServer Ingress From Any IP
f4e9ff70-0f3b-4c50-a713-26cbe7ec4039|Ansible|High|Networking and Firewall|Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255.|Documentation
| +|Redis Publicly Accessible
0632d0db-9190-450a-8bb3-c283bffea445|Ansible|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from other Azure sources|Documentation
| +|CloudTrail Logging Disabled
d4a73c49-cbaa-4c6f-80ee-d6ef5a3a26f5|Ansible|High|Observability|Checks if logging is enabled for CloudTrail.|Documentation
| +|Configuration Aggregator to All Regions Disabled
a2fdf451-89dd-451e-af92-bf6c0f4bab96|Ansible|High|Observability|AWS Config Configuration Aggregator All Regions must be set to True|Documentation
| +|Cloud Storage Bucket Logging Not Enabled
507df964-ad97-4035-ab14-94a82eabdfdd|Ansible|High|Observability|Cloud storage bucket with logging not enabled|Documentation
| +|Stackdriver Monitoring Disabled
20dcd953-a8b8-4892-9026-9afa6d05a525|Ansible|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must be defined and different than 'none'|Documentation
| +|Stackdriver Logging Disabled
19c9e2a0-fc33-4264-bba1-e3682661e8f7|Ansible|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must be defined and different from 'none'|Documentation
| +|Object Versioning Not Enabled
7814ddda-e758-4a56-8be3-289a81ded929|Ansible|High|Observability|Object Versioning not fully enabled on Cloud Storage Bucket|Documentation
| +|PostgreSQL Logging Of Temporary Files Disabled
d6fae5b6-ada9-46c0-8b36-3108a2a2f77b|Ansible|High|Observability|PostgreSQL database 'log_temp_files' flag isn't set to '0'|Documentation
| +|PostgreSQL Log Connections Disabled
d7a5616f-0a3f-4d43-bc2b-29d1a183e317|Ansible|High|Observability|PostgreSQL database instance should have a 'log_connections' flag with its value set to 'on'|Documentation
| +|COS Node Image Not Used
be41f891-96b1-4b9d-b74f-b922a918c778|Ansible|High|Resource Management|A node image, that is not Container-Optimized OS (COS), is used for Kubernetes Engine Clusters Node image|Documentation
| +|Node Auto Upgrade Disabled
d6e10477-2e19-4bcd-b8a8-19c65b89ccdf|Ansible|High|Resource Management|Node 'auto_upgrade' should be enabled for Kubernetes Clusters|Documentation
| +|AMI Shared With Multiple Accounts
a19b2942-142e-4e2b-93b7-6cf6a6c8d90f|Ansible|Medium|Access Control|Limits access to AWS AMIs by checking if more than one account is using the same image|Documentation
| +|S3 Bucket With Public Access
c3e073c1-f65e-4d18-bd67-4a8f20ad1ab9|Ansible|Medium|Access Control|S3 Bucket allows public access|Documentation
| +|SNS Topic is Publicly Accessible For Subscription
905f4741-f965-45c1-98db-f7a00a0e5c73|Ansible|Medium|Access Control|This query checks if SNS Topic is Accessible For Subscription|Documentation
| +|ECR Repository Is Publicly Accessible
fb5a5df7-6d74-4243-ab82-ff779a958bfd|Ansible|Medium|Access Control|Amazon ECR image repositories shouldn't have public access|Documentation
| +|Public Lambda via API Gateway
5e92d816-2177-4083-85b4-f61b4f7176d9|Ansible|Medium|Access Control|Allowing to run lambda function using public API Gateway|Documentation
| +|SQS Policy With Public Access
d994585f-defb-4b51-b6d2-c70f020ceb10|Ansible|Medium|Access Control|SQS policy with public access|Documentation
| +|IAM Access Key Is Exposed
7f79f858-fbe8-4186-8a2c-dfd0d958a40f|Ansible|Medium|Access Control|Check if IAM Access Key is active for some user besides 'root'|Documentation
| +|Lambda Permission Principal Is Wildcard
1d972c56-8ec2-48c1-a578-887adb09c57a|Ansible|Medium|Access Control|Lambda Permission Principal should not contain a wildcard.|Documentation
| +|IAM Policy Grants Full Permissions
b5ed026d-a772-4f07-97f9-664ba0b116f8|Ansible|Medium|Access Control|IAM policies allow all ('*') in a statement action|Documentation
| +|SQS Policy Allows All Actions
ed9b3beb-92cf-44d9-a9d2-171eeba569d4|Ansible|Medium|Access Control|SQS policy allows ALL (*) actions|Documentation
| +|AKS RBAC Disabled
149fa56c-4404-4f90-9e25-d34b676d5b39|Ansible|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled|Documentation
| +|ECS Service Without Running Tasks
f5c45127-1d28-4b49-a692-0b97da1c3a84|Ansible|Medium|Availability|ECS Service should have at least 1 task running|Documentation
| +|RDS With Backup Disabled
e69890e6-fce5-461d-98ad-cb98318dfc96|Ansible|Medium|Backup|RDS configured without backup|Documentation
| +|Stack Retention Disabled
17d5ba1d-7667-4729-b1a6-b11fde3db7f7|Ansible|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction|Documentation
| +|Key Vault Soft Delete Is Disabled
881696a8-68c5-4073-85bc-7c38a3deb854|Ansible|Medium|Backup|Make sure Soft Delete is enabled for Key Vault|Documentation
| +|IAM Password Without Number
9cf25d62-0b96-42c8-b66d-998cd6ee5bb8|Ansible|Medium|Best Practices|Check if IAM account password has at least one number|Documentation
| +|Password Without Reuse Prevention
6f5f5444-1422-495f-81ef-24cefd61ed2c|Ansible|Medium|Best Practices|Password policy `password_reuse_prevention` doesn't exist or is equal to 0|Documentation
| +|Misconfigured Password Policy Expiration
3f2cf811-88fa-4eda-be45-7a191a18aba9|Ansible|Medium|Best Practices|No password expiration policy|Documentation
| +|IAM Password Without Lowercase Letter
8e3063f4-b511-45c3-b030-f3b0c9131951|Ansible|Medium|Best Practices|Check if IAM account password has at least one lowercase letter|Documentation
| +|IAM Password Without Minimum Length
8bc2168c-1723-4eeb-a6f3-a1ba614b9a6d|Ansible|Medium|Best Practices|Check if IAM account password has the required minimum length|Documentation
| +|Authentication Without MFA
eee107f9-b3d8-45d3-b9c6-43b5a7263ce1|Ansible|Medium|Best Practices|Users should authenticate with MFA (Multi-factor Authentication)|Documentation
| +|SQL Server Predictable Active Directory Account Name
530e8291-2f22-4bab-b7ea-306f1bc2a308|Ansible|Medium|Best Practices|Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'ad_user' must be set to a name that is not easy to predict|Documentation
| +|SQL Server Predictable Admin Account Name
663062e9-473d-4e87-99bc-6f3684b3df40|Ansible|Medium|Best Practices|Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'admin_username' must be set to a name that is not easy to predict|Documentation
| +|Unrestricted SQL Server Access
3f23c96c-f9f5-488d-9b17-605b8da5842f|Ansible|Medium|Best Practices|Azure SQL Server Accessibility should be set to a minimal address range, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' must be lesser than 256. Additionally, both ips must be different from '0.0.0.0'|Documentation
| +|Stack Without Template
32d31f1f-0f83-4721-b7ec-1e6948c60145|Ansible|Medium|Build Process|AWS CloudFormation should have a template defined through the attribute template, template_url or attribute template_body|Documentation
| +|Cosmos DB Account Without Tags
23a4dc83-4959-4d99-8056-8e051a82bc1e|Ansible|Medium|Build Process|Cosmos DB Account must have a mapping of tags.|Documentation
| +|EBS Volume Encryption Disabled
4b6012e7-7176-46e4-8108-e441785eae57|Ansible|Medium|Encryption|EBS Encryption should be enabled|Documentation
| +|CodeBuild Not Encrypted
a1423864-2fbc-4f46-bfe1-fbbf125c71c9|Ansible|Medium|Encryption|CodeBuild Project should be encrypted|Documentation
| +|Config Rule For Encrypted Volumes Disabled
7674a686-e4b1-4a95-83d4-1fd53c623d84|Ansible|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source.|Documentation
| +|VM CSEK Encryption Disabled
092bae86-6105-4802-99d2-99cd7e7431f3|Ansible|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK), which means the attribute 'disk_encryption_key' must be defined and its sub attribute 'raw_key' must also be defined and not empty|Documentation
| +|High Google KMS Crypto Key Rotation Period
f9b7086b-deb8-4034-9330-d7fd38f1b8de|Ansible|Medium|Encryption|Make sure Encryption keys changes after 90 days|Documentation
| +|Google Compute SSL Policy Weak Cipher In Use
b28bcd2f-c309-490e-ab7c-35fc4023eb26|Ansible|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers|Documentation
| +|Storage Account Not Using Latest TLS Encryption Version
c62746cf-92d5-4649-9acf-7d48d086f2ee|Ansible|Medium|Encryption|Ensure Storage Account is using the latest version of TLS encryption|Documentation
| +|AWS Password Policy With Unchangeable Passwords
e28ceb92-d588-4166-aac5-766c8f5b7472|Ansible|Medium|Insecure Configurations|Unchangeable passwords in AWS password policy|Documentation
| +|IAM Password Without Uppercase Letter
83957b81-39c1-4191-8e12-671d2ce14354|Ansible|Medium|Insecure Configurations|Check if IAM account password has at least one uppercase letter|Documentation
| +|API Gateway Without SSL Certificate
b47b98ab-e481-4a82-8bb1-1ab39fd36e33|Ansible|Medium|Insecure Configurations|SSL Client Certificate should be enabled in aws_api_gateway|Documentation
| +|ECR Image Tag Not Immutable
60bfbb8a-c72f-467f-a6dd-a46b7d612789|Ansible|Medium|Insecure Configurations|ECR should have an image tag immutable|Documentation
| +|Lambda Function Without Tags
265d9725-2fb8-42a2-bc57-3279c5db82d5|Ansible|Medium|Insecure Configurations|AWS Lambda Functions must have associated tags.|Documentation
| +|Instance With No VPC
61d1a2d0-4db8-405a-913d-5d2ce49dff6f|Ansible|Medium|Insecure Configurations|Instance should be configured in VPC (Virtual Private Cloud)|Documentation
| +|Cloud DNS Without DNSSEC
80b15fb1-6207-40f4-a803-6915ae619a03|Ansible|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS|Documentation
| +|Shielded VM Disabled
18d3a83d-4414-49dc-90ea-f0387b2856cc|Ansible|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true|Documentation
| +|OSLogin Is Disabled In VM Instance
66dae697-507b-4aef-be18-eec5bd707f33|Ansible|Medium|Insecure Configurations|Check if any instance disables OSLogin.|Documentation
| +|Google Container Node Pool Auto Repair Disabled
d58c6f24-3763-4269-9f5b-86b2569a003b|Ansible|Medium|Insecure Configurations|Verifies if Google Container Node Pool Auto Repair is Enabled|Documentation
| +|Cloud Storage Anonymous or Publicly Accessible
086031e1-9d4a-4249-acb3-5bfe4c363db2|Ansible|Medium|Insecure Configurations|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'entity' must not be 'allUsers' or 'allAuthenticatedUsers'|Documentation
| +|AKS Network Policy Misconfigured
8c3bedf1-c570-4c3b-b414-d068cd39a00c|Ansible|Medium|Insecure Configurations|Azure Kubernetes Service should have the proper network policy configuration|Documentation
| +|Security Group is Not Configured
da4f2739-174f-4cdd-b9ef-dc3f14b5931f|Ansible|Medium|Insecure Configurations|Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty|Documentation
| +|Redis Cache Allows Non SSL Connections
869e7fb4-30f0-4bdb-b360-ad548f337f2f|Ansible|Medium|Insecure Configurations|Check if any Redis Cache resource allows non-SSL connections.|Documentation
| +|Using Default Service Account
2775e169-e708-42a9-9305-b58aadd2c4dd|Ansible|Medium|Insecure Defaults|Instances must not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account_email' must be defined. Additionally, it must not be empty and must also not be a default Google Compute Engine service account.|Documentation
| +|Default Network Access is Allowed
974e6fe7-63fd-4fa4-aa72-77b21a4a959d|Ansible|Medium|Insecure Defaults|Default Network Access rule for Storage Accounts must be set to deny, which means the attribute 'default_action' must be 'Deny'|Documentation
| +|API Gateway Endpoint Config is Not Private
559439b2-3e9c-4739-ac46-17e3b24ec215|Ansible|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet|Documentation
| +|SQL Analysis Services Port 2383 (TCP) is Publicly Accessible
7af1c447-c014-4f05-bd8b-ebe3a15734ac|Ansible|Medium|Networking and Firewall|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it.|Documentation
| +|IP Forwarding Enabled
11bd3554-cd56-4257-8e25-7aaf30cf8f5f|Ansible|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true|Documentation
| +|SSH Access Is Not Restricted
b2fbf1df-76dd-4d78-a6c0-e538f4a9b016|Ansible|Medium|Networking and Firewall|Check if Google Firewall allows SSH access (port 22) from the Internet (public CIDR block).|Documentation
| +|RDP Access Is Not Restricted
75418eb9-39ec-465f-913c-6f2b6a80dc77|Ansible|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access.|Documentation
| +|Serial Ports Are Enabled For VM Instances
c6fc6f29-dc04-46b6-99ba-683c01aff350|Ansible|Medium|Networking and Firewall|Check if serial ports are enabled in Google Compute Engine VM instances|Documentation
| +|Firewall Rule Allows Too Many Hosts To Access Redis Cache
69f72007-502e-457b-bd2d-5012e31ac049|Ansible|Medium|Networking and Firewall|Check if any firewall rule allows too many hosts to access Redis Cache.|Documentation
| +|WAF Is Disabled For Azure Application Gateway
2fc5ab5a-c5eb-4ae4-b687-0f16fe77c255|Ansible|Medium|Networking and Firewall|Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway.|Documentation
| +|Stack Notifications Disabled
d39761d7-94ab-45b0-ab5e-27c44e381d58|Ansible|Medium|Observability|AWS CloudFormation should have stack notifications enabled|Documentation
| +|CloudTrail SNS Topic Name Undefined
5ba316a9-c466-4ec1-8d5b-bc6107dc9a92|Ansible|Medium|Observability|Check if SNS topic name is set for CloudTrail|Documentation
| +|API Gateway X-Ray Disabled
2059155b-27fd-441e-b616-6966c468561f|Ansible|Medium|Observability|API Gateway should have X-Ray Tracing enabled|Documentation
| +|CloudTrail Not Integrated With CloudWatch
ebb2118a-03bc-4d53-ab43-d8750f5cb8d3|Ansible|Medium|Observability|CloudTrail should be integrated with CloudWatch|Documentation
| +|Cloudfront Logging Disabled
d31cb911-bf5b-4eb6-9fc3-16780c77c7bd|Ansible|Medium|Observability|AWS Cloudfront distributions must have logging enabled, which means the attribute 'logging' must be defined with 'enabled' set to true|Documentation
| +|API Gateway With CloudWatch Logging Disabled
72a931c2-12f5-40d1-93cc-47bff2f7aa2a|Ansible|Medium|Observability|AWS CloudWatch Logs for APIs is not enabled|Documentation
| +|S3 Bucket Without Versioning
9232306a-f839-40aa-b3ef-b352001da9a5|Ansible|Medium|Observability|S3 bucket without versioning|Documentation
| +|CloudTrail Multi Region Disabled
6ad087d7-a509-4b20-b853-9ef6f5ebaa98|Ansible|Medium|Observability|Check if MultiRegion is Enabled|Documentation
| +|CloudWatch Without Retention Period Specified
e24e18d9-4c2b-4649-b3d0-18c088145e24|Ansible|Medium|Observability|AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, and access log events|Documentation
| +|PostgreSQL Misconfigured Log Messages Flag
28a757fc-3d8f-424a-90c0-4233363b2711|Ansible|Medium|Observability|PostgreSQL database 'log_min_messages' flag isn't set to a valid value|Documentation
| +|PostgreSQL log_checkpoints Flag Not Set To ON
89afe3f0-4681-4ce3-89ed-896cebd4277c|Ansible|Medium|Observability|PostgreSQL database instance should have a 'log_checkpoints' flag with its value set to 'on'|Documentation
| +|Small Activity Log Retention Period
37fafbea-dedb-4e0d-852e-d16ee0589326|Ansible|Medium|Observability|Ensure that Activity Log Retention is set 365 days or greater|Documentation
| +|PostgreSQL Server Without Connection Throttling
a9becca7-892a-4af7-b9e1-44bf20a4cd9a|Ansible|Medium|Observability|Ensure that Connection Throttling is set for the PostgreSQL server|Documentation
| +|PostgreSQL Log Duration Not Set
729ebb15-8060-40f7-9017-cb72676a5487|Ansible|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON'|Documentation
| +|PostgreSQL Log Connections Not Set
7b47138f-ec0e-47dc-8516-e7728fe3cc17|Ansible|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON'|Documentation
| +|AKS Monitoring Logging Disabled
d5e83b32-56dd-4247-8c2e-074f43b38a5e|Ansible|Medium|Observability|Azure Container Service (AKS) instance should have logging enabled to Azure Monitoring|Documentation
| +|Log Retention Is Not Set
0461b4fd-21ef-4687-929e-484ee4796785|Ansible|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON'|Documentation
| +|PostgreSQL Log Disconnections Not Set
054d07b5-941b-4c28-8eef-18989dc62323|Ansible|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON'|Documentation
| +|PostgreSQL Log Checkpoints Disabled
7ab33ac0-e4a3-418f-a673-50da4e34df21|Ansible|Medium|Observability|Make sure that for Postgre SQL Database Server, parameter 'log_checkpoints' is set to 'ON'|Documentation
| +|Monitoring Log Profile Without All Activities
89f84a1e-75f8-47c5-83b5-bee8e2de4168|Ansible|Medium|Observability|Monitoring log profile captures all the activities (Action, Write, Delete)|Documentation
| +|No Stack Policy
ffe0fd52-7a8b-4a5c-8fc7-49844418e6c9|Ansible|Medium|Resource Management|AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions|Documentation
| +|Hardcoded AWS Access Key In Lambda
f34508b9-f574-4330-b42d-88c44cced645|Ansible|Medium|Secret Management|Lambda access key should not be in plaintext.|Documentation
| +|Project-wide SSH Keys Are Enabled In VM Instances
099b4411-d11e-4537-a0fc-146b19762a79|Ansible|Medium|Secret Management|Check if the VM Instance doesn't block project-wide SSH keys.|Documentation
| +|IAM Policy Grants 'AssumeRole' Permission Across All Services
12a7a7ce-39d6-49dd-923d-aeb4564eb66c|Ansible|Low|Access Control|IAM role allows All services or principals to assume it|Documentation
| +|IAM Role Allows All Principals To Assume
babdedcf-d859-43da-9a7b-6d72e661a8fd|Ansible|Low|Access Control|IAM role allows all services or principals to assume it|Documentation
| +|CDN Configuration Is Missing
b25398a2-0625-4e61-8e4d-a1bb23905bf6|Ansible|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination.|Documentation
| +|IAM Policies Attached To User
eafe4bc3-1042-4f88-b988-1939e64bf060|Ansible|Low|Best Practices|IAM policies should be attached only to groups or roles|Documentation
| +|Lambda Permission Misconfigured
3ddf3417-424d-420d-8275-0724dc426520|Ansible|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction'|Documentation
| +|EFS Without Tags
b8a9852c-9943-4973-b8d5-77dae9352851|Ansible|Low|Build Process|Amazon Elastic Filesystem should have filesystem tags associated|Documentation
| +|SQS with SSE disabled
e1e7b278-2a8b-49bd-a26e-66a7f70b17eb|Ansible|Low|Encryption| SQS Queue should be protected with CMK encryption|Documentation
| +|Cloudfront Without WAF
22c80725-e390-4055-8d14-a872230f6607|Ansible|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service|Documentation
| +|S3 Bucket Logging Disabled
c3b9f7b0-f5a0-49ec-9cbc-f1e346b7274d|Ansible|Low|Observability|S3 bucket without debug_botocore_endpoint_logs|Documentation
| +|Lambda Functions Without X-Ray Tracing
71397b34-1d50-4ee1-97cb-c96c34676f74|Ansible|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_mode' should have the value 'Active'|Documentation
| +|CloudTrail Log File Validation Disabled
4d8681a2-3d30-4c89-8070-08acd142748e|Ansible|Low|Observability|CloudTrail Log Files should have validation enabled|Documentation
| +|Hardcoded AWS Access Key
c2f15af3-66a0-4176-a56e-e4711e502e5c|Ansible|Low|Secret Management|Check if the user data in the EC2 instance has the access key hardcoded|Documentation
|
diff --git a/docs/queries/ansible-queries.md b/docs/queries/ansible-queries.md
index a9cd5c45214..90aa6a11b6f 100644
--- a/docs/queries/ansible-queries.md
+++ b/docs/queries/ansible-queries.md
@@ -3,198 +3,198 @@ This page contains all queries from Ansible.
 | Query |Severity|Category|Description|Help|
 |-----------------------------|--------|--------|-----------|----|
-|S3 Bucket Allows List Action From All Principals
d395a950-12ce-4314-a742-ac5a785ab44e|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion.|Documentation
| -|S3 Bucket Allows Get Action From All Principals
53bce6a8-5492-4b1b-81cf-664385f0c4bf|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion.|Documentation
| +|S3 Bucket Allows Delete Action From All Principals
6fa44721-ef21-41c6-8665-330d59461163|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion.|Documentation
| |S3 Bucket ACL Allows Read to All Users
a1ef9d2e-4163-40cb-bd92-04f0d602a15d|High|Access Control|It's not recommended to allow read access for all user groups.|Documentation
| |ECS Service Admin Role is Present
7db727c1-1720-468e-b80e-06697f71e09e|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'role' must not be an admin role|Documentation
| -|S3 Bucket With All Permissions
6a6d7e56-c913-4549-b5c5-5221e624d2ec|High|Access Control|S3 Buckets must not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion|Documentation
| -|S3 Bucket ACL Allows Read Or Write to All Users
7529b8d2-55d7-44d2-b1cd-d7d2984a2a81|High|Access Control|S3 Buckets must not allow Write_ACP Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Write_ACP, for all Principals.|Documentation
| -|SQS Queue Exposed
86b0efa7-4901-4edd-a37a-c034bec6645a|High|Access Control|Checks if the SQS Queue is exposed|Documentation
| -|ECS Task Definition Network Mode Not Recommended
01aec7c2-3e4d-4274-ae47-2b8fea22fd1f|High|Access Control|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations|Documentation
| -|S3 Bucket ACL Allows Read to Any Authenticated User
75480b31-f349-4b9a-861f-bce19588e674|High|Access Control|Misconfigured S3 buckets can leak private information to the entire internet or allow unauthorized data tampering / deletion|Documentation
| -|S3 Bucket Allows Put Action From All Principals
a0f1bfe0-741e-473f-b3b2-13e66f856fab|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion.|Documentation
| -|S3 Bucket Allows Delete Action From All Principals
6fa44721-ef21-41c6-8665-330d59461163|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion.|Documentation
| +|S3 Bucket Allows WriteACP Action From All Principals
7529b8d2-55d7-44d2-b1cd-d7d2984a2a81|High|Access Control|S3 Buckets must not allow Write_ACP Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Write_ACP, for all Principals.|Documentation
| |S3 Bucket Access to Any Principal
3ab1f27d-52cc-4943-af1d-43c1939e739a|High|Access Control|Checks if the S3 bucket is accessible for all users|Documentation
| +|S3 Bucket Allows Put Action From All Principals
a0f1bfe0-741e-473f-b3b2-13e66f856fab|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion.|Documentation
| +|S3 Bucket Allows List Action From All Principals
d395a950-12ce-4314-a742-ac5a785ab44e|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion.|Documentation
| +|S3 Bucket With All Permissions
6a6d7e56-c913-4549-b5c5-5221e624d2ec|High|Access Control|S3 Buckets must not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion|Documentation
| +|S3 Bucket Allows Get Action From All Principals
53bce6a8-5492-4b1b-81cf-664385f0c4bf|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion.|Documentation
| |DB Instance Publicly Accessible
c09e3ca5-f08a-4717-9c87-3919c5e6d209|High|Access Control|The field 'publicly_accessible' should not be set to 'true' (default is 'false').|Documentation
| -|Blob Container With Public Access
4d3817db-dd35-4de4-a80d-3867157e7f7f|High|Access Control|Anonymous, public read access to a container and its blobs are enabled in Azure Blob Storage|Documentation
| -|Admin User Enabled For Container Registry
29f35127-98e6-43af-8ec1-201b79f99604|High|Access Control|Admin user is enabled for Container Registry|Documentation
| -|Public Storage Account
35e2f133-a395-40de-a79d-b260d973d1bd|High|Access Control|Check if 'network_acls' is open to public.|Documentation
| -|Trusted Microsoft Services Not Enabled
1bc398a8-d274-47de-a4c8-6ac867b353de|High|Access Control|Ensure Trusted Microsoft Services have Storage Account access.|Documentation
| -|AD Admin Not Configured For SQL Server
b176e927-bbe2-44a6-a9c3-041417137e5f|High|Access Control|The Active Directory Administrator is not configured for a SQL server|Documentation
| -|Redis Entirely Accessible
0d0c12b9-edce-4510-9065-13f6a758750c|High|Access Control|Firewall rule allowing unrestricted access to Redis from the Internet|Documentation
| +|S3 Bucket ACL Allows Read to Any Authenticated User
75480b31-f349-4b9a-861f-bce19588e674|High|Access Control|Misconfigured S3 buckets can leak private information to the entire internet or allow unauthorized data tampering / deletion|Documentation
| +|IAM Policies With Full Privileges
e401d614-8026-4f4b-9af9-75d1197461ba|High|Access Control|IAM policies that allow full administrative privileges (for all resources)|Documentation
| +|SQS Queue Exposed
86b0efa7-4901-4edd-a37a-c034bec6645a|High|Access Control|Checks if the SQS Queue is exposed|Documentation
| |VM With Full Cloud Access
bc20bbc6-0697-4568-9a73-85af1dd97bdd|High|Access Control|A VM instance is configured to use the default service account with full access to all Cloud APIs|Documentation
| |SQL DB Instance Is Publicly Accessible
7d7054c0-3a52-4e9b-b9ff-cbfe16a2378b|High|Access Control|Check if any Cloud SQL instances are publicly accessible.|Documentation
| +|Storage Container Is Publicly Accessible
4d3817db-dd35-4de4-a80d-3867157e7f7f|High|Access Control|Anonymous, public read access to a container and its blobs are enabled in Azure Blob Storage|Documentation
| +|Public Storage Account
35e2f133-a395-40de-a79d-b260d973d1bd|High|Access Control|Check if 'network_acls' is open to public.|Documentation
| +|Trusted Microsoft Services Not Enabled
1bc398a8-d274-47de-a4c8-6ac867b353de|High|Access Control|Ensure Trusted Microsoft Services have Storage Account access.|Documentation
| +|Admin User Enabled For Container Registry
29f35127-98e6-43af-8ec1-201b79f99604|High|Access Control|Admin user is enabled for Container Registry|Documentation
| |SQL DB Instance Backup Disabled
0c82eae2-aca0-401f-93e4-fb37a0f9e5e8|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances|Documentation
| -|ELB Using Insecure Protocols
730a5951-2760-407a-b032-dd629b55c23a|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of insecure protocols.|Documentation
| -|Redshift Not Encrypted
6a647814-def5-4b85-88f5-897c19f509cd|High|Encryption|Check if 'encrypted' field is false or undefined (default is false)|Documentation
| -|S3 Bucket SSE Disabled
309edc5b-5a59-42b4-a357-d4d098311fd4|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required|Documentation
| -|CloudTrail Log Files Not Encrypted
f5587077-3f57-4370-9b4e-4eb5b1bac85b|High|Encryption|CloudTrail Log Files should be encrypted with Key Management Service (KMS)|Documentation
| |User Data Contains Encoded Private Key
c09f4d3e-27d2-4d46-9453-abbe9687a64e|High|Encryption|User Data contains an encoded RSA Private Key|Documentation
| +|ELB Using Insecure Protocols
730a5951-2760-407a-b032-dd629b55c23a|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of insecure protocols.|Documentation
| |Secure Ciphers Disabled
218413a0-c716-4b94-9e08-0bb70d854709|High|Encryption|Check if secure ciphers aren't used in CloudFront|Documentation
| -|EBS Volume Encryption Disabled
4b6012e7-7176-46e4-8108-e441785eae57|High|Encryption|EBS Encryption should be enabled|Documentation
| -|S3 Bucket Without Server-side-encryption
594f54e7-f744-45ab-93e4-c6dbaf6cd571|High|Encryption|AWS S3 Storage should be protected with SSE (Server-Side Encryption)|Documentation
| -|Redis Not Compliant
9f34885e-c08f-4d13-a7d1-cf190c5bd268|High|Encryption|Check if the redis version is compliant with the necessary AWS PCI DSS requirements|Documentation
| +|CA Certificate Identifier Is Outdated
5eccd62d-8b4d-46d3-83ea-1879f3cbd3ce|High|Encryption|The CA certificate Identifier must be 'rds-ca-2019'.|Documentation
| +|EFS Without KMS
bd77554e-f138-40c5-91b2-2a09f878608e|High|Encryption|Elastic File System (EFS) must have KMS Key ID|Documentation
| +|ECS Task Definition Container With Plaintext Password
7fdc2bf3-6bc0-4cb3-84c5-cfd041c0f892|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data.|Documentation
| +|CloudTrail Log Files Not Encrypted
f5587077-3f57-4370-9b4e-4eb5b1bac85b|High|Encryption|CloudTrail Log Files should be encrypted with Key Management Service (KMS)|Documentation
| +|Redshift Not Encrypted
6a647814-def5-4b85-88f5-897c19f509cd|High|Encryption|Check if 'encrypted' field is false or undefined (default is false)|Documentation
| |Automatic Minor Upgrades Disabled
857f8808-e96a-4ba8-a9b7-f2d4ec6cad94|High|Encryption|RDS instance auto minor version upgrade feature must be true|Documentation
| -|Viewer Protocol Policy Allows HTTP
a6d27cf7-61dc-4bde-ae08-3b353b609f76|High|Encryption|Checks if the connection between the CloudFront and the origin server is encrypted|Documentation
| +|Launch Configuration Is Not Encrypted
66477506-6abb-49ed-803d-3fa174cd5f6a|High|Encryption|AWS Autoscaling Launch Configurations should have encryption enabled|Documentation
| +|AMI Not Encrypted
97707503-a22c-4cd7-b7c0-f088fa7cf830|High|Encryption|AWS AMI Encryption is not enabled|Documentation
| +|Redis Not Compliant
9f34885e-c08f-4d13-a7d1-cf190c5bd268|High|Encryption|Check if the redis version is compliant with the necessary AWS PCI DSS requirements|Documentation
| +|DB Instance Storage Not Encrypted
7dfb316c-a6c2-454d-b8a2-97f147b0c0ff|High|Encryption|The parameter storage_encrypted in aws_db_instance must be set to 'true' (the default is 'false').|Documentation|
 |Memcached Disabled|2d55ef88-b616-4890-b822-47f280763e89|High|Encryption|Check if the Memcached is disabled on the ElastiCache|Documentation|
 |IAM Database Auth Not Enabled|0ed012a4-9199-43d2-b9e4-9bd049a48aa4|High|Encryption|IAM Database Auth Enabled must be configured to true|Documentation|
+|Viewer Protocol Policy Allows HTTP|a6d27cf7-61dc-4bde-ae08-3b353b609f76|High|Encryption|Checks if the connection between the CloudFront and the origin server is encrypted|Documentation|
 |EFS Not Encrypted|727c4fd4-d604-4df6-a179-7713d3c85e20|High|Encryption|Elastic File System (EFS) must be encrypted|Documentation|
-|Launch Configuration Is Not Encrypted|66477506-6abb-49ed-803d-3fa174cd5f6a|High|Encryption|AWS Autoscaling Launch Configurations should have encryption enabled|Documentation|
-|User Data Shell Script Is Encoded|1e2341ba-a5cf-4f0a-a5f6-47e90c68ea89|High|Encryption|User Data Shell Script must be encoded|Documentation|
-|DB Instance Storage Not Encrypted|7dfb316c-a6c2-454d-b8a2-97f147b0c0ff|High|Encryption|The parameter storage_encrypted in aws_db_instance must be set to 'true' (the default is 'false').|Documentation|
-|AMI Not Encrypted|97707503-a22c-4cd7-b7c0-f088fa7cf830|High|Encryption|AWS AMI Encryption is not enabled|Documentation|
-|CA Certificate Identifier Is Outdated|5eccd62d-8b4d-46d3-83ea-1879f3cbd3ce|High|Encryption|The CA certificate Identifier must be 'rds-ca-2019'.|Documentation|
+|S3 Bucket Without Server-side-encryption|594f54e7-f744-45ab-93e4-c6dbaf6cd571|High|Encryption|AWS S3 Storage should be protected with SSE (Server-Side Encryption)|Documentation|
 |ELB Using Weak Ciphers|2034fb37-bc23-4ca0-8d95-2b9f15829ab5|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of weak ciphers.|Documentation|
-|ECS Task Definition Container With Plaintext Password|7fdc2bf3-6bc0-4cb3-84c5-cfd041c0f892|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data.|Documentation|
-|Storage Account Not Forcing HTTPS|2c99a474-2a3c-4c17-8294-53ffa5ed0522|High|Encryption|See that Storage Accounts forces the use of HTTPS|Documentation|
-|MySQL SSL Connection Disabled|2a901825-0f3b-4655-a0fe-e0470e50f8e6|High|Encryption|Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled|Documentation|
-|SSL Enforce Disabled|961ce567-a16d-4d7d-9027-f0ec2628a555|High|Encryption|Make sure that for PosgreSQL, the 'Enforce SSL connection' is set to 'ENABLED'|Documentation|
+|S3 Bucket SSE Disabled|309edc5b-5a59-42b4-a357-d4d098311fd4|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required|Documentation|
+|User Data Shell Script Is Encoded|1e2341ba-a5cf-4f0a-a5f6-47e90c68ea89|High|Encryption|User Data Shell Script must be encoded|Documentation|
+|Kinesis Not Encrypted With KMS|f2ea6481-1d31-4d40-946a-520dc6321dd7|High|Encryption|AWS Kinesis Streams and metadata should be protected with KMS|Documentation|
 |DNSSEC Using RSASHA1|6cf4c3a7-ceb0-4475-8892-3745b84be24a|High|Encryption|DNSSEC should not use the RSASHA1 algorithm|Documentation|
 |SQL DB Instance With SSL Disabled|d0f7da39-a2d5-4c78-bb85-4b7f338b3cbb|High|Encryption|Cloud SQL Database Instance with SSL disabled for incoming connections|Documentation|
 |High KMS Rotation Period|79f45008-60b3-4a0a-a302-8311fd3701b4|High|Encryption|Check if any KMS rotation period surpasses 365 days.|Documentation|
-|Batch Job Definition With Privileged Container Properties|defe5b18-978d-4722-9325-4d1975d3699f|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties|Documentation|
-|CloudFront Without Minimum Protocol TLS 1.2|d0c13053-d2c8-44a6-95da-d592996e9e67|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2|Documentation|
-|Root Account Has Active Access Keys|e71d0bc7-d9e8-4e6e-ae90-0a4206db6f40|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive.|Documentation|
+|SSL Enforce Disabled|961ce567-a16d-4d7d-9027-f0ec2628a555|High|Encryption|Make sure that for PosgreSQL, the 'Enforce SSL connection' is set to 'ENABLED'|Documentation|
+|Storage Account Not Forcing HTTPS|2c99a474-2a3c-4c17-8294-53ffa5ed0522|High|Encryption|See that Storage Accounts forces the use of HTTPS|Documentation|
+|MySQL SSL Connection Disabled|2a901825-0f3b-4655-a0fe-e0470e50f8e6|High|Encryption|Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled|Documentation|
 |Redshift Publicly Accessible|5c6b727b-1382-4629-8ba9-abd1365e5610|High|Insecure Configurations|Check if 'publicly_accessible' field is true (default is false)|Documentation|
 |DB Security Group Has Public IP|5330b503-3319-44ff-9b1c-00ee873f728a|High|Insecure Configurations|The CIDR IP must not be Public|Documentation|
-|Web App Accepting Traffic Other Than HTTPS|eb8c2560-8bee-4248-9d0d-e80c8641dd91|High|Insecure Configurations|Web app should only accept HTTPS traffic in Azure Web App Service.|Documentation|
-|VM Not Attached To Network|1e5f5307-3e01-438d-8da6-985307ed25ce|High|Insecure Configurations|No Network Security Group is attached to the Virtual Machine|Documentation|
-|Azure Container Registry With No Locks|581dae78-307d-45d5-aae4-fe2b0db267a5|High|Insecure Configurations|Azurerm Container Registry Must Contain Associated Locks |Documentation|
+|ECS Task Definition Network Mode Not Recommended|01aec7c2-3e4d-4274-ae47-2b8fea22fd1f|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations|Documentation|
+|CloudFront Without Minimum Protocol TLS 1.2|d0c13053-d2c8-44a6-95da-d592996e9e67|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2|Documentation|
+|Batch Job Definition With Privileged Container Properties|defe5b18-978d-4722-9325-4d1975d3699f|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties|Documentation|
+|KMS Key With Vulnerable Policy|5b9d237a-57d5-4177-be0e-71434b0fef47|High|Insecure Configurations|Checks if the policy is vulnerable and needs updating.|Documentation|
+|Root Account Has Active Access Keys|e71d0bc7-d9e8-4e6e-ae90-0a4206db6f40|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive.|Documentation|
 |Cluster Master Authentication Disabled|9df7f78f-ebe3-432e-ac3b-b67189c15518|High|Insecure Configurations|Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'master_auth' must have the subattributes 'username' and 'password' defined and not empty|Documentation|
-|PostgreSQL Misconfigured Logging Duration Flag|aed98a2a-e680-497a-8886-277cea0f4514|High|Insecure Configurations|PostgreSQL database 'log_min_duration_statement' flag isn't set to '-1'|Documentation|
+|Cloud SQL Instance With Contained Database Authentication On|6d34aff3-fdd2-460c-8190-756a3b4969e8|High|Insecure Configurations|SQL Instance should not have Contained Database Authentication On|Documentation|
 |Network Policy Disabled|98e04ca0-34f5-4c74-8fec-d2e611ce2790|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false|Documentation|
-|BigQuery Dataset Is Public|2263b286-2fe9-4747-a0ae-8b4768a2bbd2|High|Insecure Configurations|BigQuery dataset is anonymously or publicly accessible|Documentation|
-|IP Aliasing Disabled|ed672a9f-fbf0-44d8-a47d-779501b0db05|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ip_allocation_policy' must be defined and the subattribute 'use_ip_aliases' must be set to 'yes'.|Documentation|
-|MySQL Instance With Local Infile On|a7b520bb-2509-4fb0-be05-bc38f54c7a4c|High|Insecure Configurations|MySQL Instance should not have Local Infile On|Documentation|
+|GKE Legacy Authorization Enabled|300a9964-b086-41f7-9378-b6de3ba1c32b|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacy_abac.enabled' must be false.|Documentation|
+|Private Cluster Disabled|3b30e3d6-c99b-4318-b38f-b99db74578b5|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_endpoint' and 'enable_private_nodes' must be true.|Documentation|
 |Client Certificate Disabled|20180133-a0d0-4745-bfe0-94049fbb12a9|High|Insecure Configurations|Kubernetes Clusters must be created with Client Certificate enabled, which means 'master_auth' must have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to true|Documentation|
-|Cloud SQL Instance With Contained Database Authentication On|6d34aff3-fdd2-460c-8190-756a3b4969e8|High|Insecure Configurations|SQL Instance should not have Contained Database Authentication On|Documentation|
 |Cluster Labels Disabled|fbe9b2d0-a2b7-47a1-a534-03775f3013f7|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined|Documentation|
-|GKE Legacy Authorization Enabled|300a9964-b086-41f7-9378-b6de3ba1c32b|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacy_abac.enabled' must be false.|Documentation|
 |Cloud SQL Instance With Cross DB Ownership Chaining On|9e0c33ed-97f3-4ed6-8be9-bcbf3f65439f|High|Insecure Configurations|GCP SQL Instance should not have Cross DB Ownership Chaining On|Documentation|
+|IP Aliasing Disabled|ed672a9f-fbf0-44d8-a47d-779501b0db05|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ip_allocation_policy' must be defined and the subattribute 'use_ip_aliases' must be set to 'yes'.|Documentation|
+|MySQL Instance With Local Infile On|a7b520bb-2509-4fb0-be05-bc38f54c7a4c|High|Insecure Configurations|MySQL Instance should not have Local Infile On|Documentation|
 |GKE Basic Authentication Enabled|344bf8ab-9308-462b-a6b2-697432e40ba1|High|Insecure Configurations|GCP - Google Kubernetes Engine (GKE) Basic Authentication must be disabled, which means the username and password provided in the master_auth block must be empty|Documentation|
-|Private Cluster Disabled|3b30e3d6-c99b-4318-b38f-b99db74578b5|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_endpoint' and 'enable_private_nodes' must be true.|Documentation|
+|BigQuery Dataset Is Public|2263b286-2fe9-4747-a0ae-8b4768a2bbd2|High|Insecure Configurations|BigQuery dataset is anonymously or publicly accessible|Documentation|
+|PostgreSQL Misconfigured Logging Duration Flag|aed98a2a-e680-497a-8886-277cea0f4514|High|Insecure Configurations|PostgreSQL database 'log_min_duration_statement' flag isn't set to '-1'|Documentation|
+|Azure Container Registry With No Locks|581dae78-307d-45d5-aae4-fe2b0db267a5|High|Insecure Configurations|Azurerm Container Registry Must Contain Associated Locks |Documentation|
+|Web App Accepting Traffic Other Than HTTPS|eb8c2560-8bee-4248-9d0d-e80c8641dd91|High|Insecure Configurations|Web app should only accept HTTPS traffic in Azure Web App Service.|Documentation|
+|VM Not Attached To Network|1e5f5307-3e01-438d-8da6-985307ed25ce|High|Insecure Configurations|No Network Security Group is attached to the Virtual Machine|Documentation|
+|AD Admin Not Configured For SQL Server|b176e927-bbe2-44a6-a9c3-041417137e5f|High|Insecure Configurations|The Active Directory Administrator is not configured for a SQL server|Documentation|
 |Vulnerable Default SSL Certificate|fb8f8929-afeb-4c46-99f0-a6cf410f7df4|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one.|Documentation|
-|Security Group With Unrestricted Access To SSH|57ced4b9-6ba4-487b-8843-b65562b90c77|High|Networking and Firewall|SSH' (TCP:22) should not be public in AWS Security Group|Documentation|
-|Public Port Wide|71ea648a-d31a-4b5a-a589-5674243f1c33|High|Networking and Firewall|AWS Security Group should not have public port wide|Documentation|
+|DB Security Group With Public Scope|0956aedf-6a7a-478b-ab56-63e2b19923ad|High|Networking and Firewall|The IP address in a DB Security Group must not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6).|Documentation|
+|EC2 Instance Has Public IP|a8b0c58b-cd25-4b53-9ad0-55bca0be0bc1|High|Networking and Firewall|EC2 Instance should not have a public IP address.|Documentation|
 |HTTP Port Open|a14ad534-acbe-4a8e-9404-2f7e1045646e|High|Networking and Firewall|The HTTP port is open in a Security Group|Documentation|
 |DB Security Group Open To Large Scope|ea0ed1c7-9aef-4464-b7c7-94c762da3640|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts.|Documentation|
-|Security Group Ingress Not Restricted|ea6bc7a6-d696-4dcf-a788-17fa03c17c81|High|Networking and Firewall|AWS Security Group should restrict ingress access|Documentation|
-|EC2 Instance Has Public IP|a8b0c58b-cd25-4b53-9ad0-55bca0be0bc1|High|Networking and Firewall|EC2 Instance should not have a public IP address.|Documentation|
-|Route53 Record Undefined|445dce51-7e53-4e50-80ef-7f94f14169e4|High|Networking and Firewall|Route53 Record should have a list of records|Documentation|
-|Default Security Groups With Unrestricted Traffic|8010e17a-00e9-4635-a692-90d6bcec68bd|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic.|Documentation|
 |Unknown Port Exposed To Internet|722b0f24-5a64-4cca-aa96-cfc26b7e3a5b|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet|Documentation|
-|KMS Key With Vulnerable Policy|5b9d237a-57d5-4177-be0e-71434b0fef47|High|Networking and Firewall|Checks if the policy is vulnerable and needs updating.|Documentation|
+|Default Security Groups With Unrestricted Traffic|8010e17a-00e9-4635-a692-90d6bcec68bd|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic.|Documentation|
+|Security Group With Unrestricted Access To SSH|57ced4b9-6ba4-487b-8843-b65562b90c77|High|Networking and Firewall|SSH' (TCP:22) should not be public in AWS Security Group|Documentation|
+|Security Group Ingress Not Restricted|ea6bc7a6-d696-4dcf-a788-17fa03c17c81|High|Networking and Firewall|AWS Security Group should restrict ingress access|Documentation|
 |Unrestricted Security Group Ingress|83c5fa4c-e098-48fc-84ee-0a537287ddd2|High|Networking and Firewall|Security groups allow ingress from 0.0.0.0/0|Documentation|
 |Remote Desktop Port Open|eda7301d-1f3e-47cf-8d4e-976debc64341|High|Networking and Firewall|The Remote Desktop port is open in a Security Group|Documentation|
+|Public Port Wide|71ea648a-d31a-4b5a-a589-5674243f1c33|High|Networking and Firewall|AWS Security Group should not have public port wide|Documentation|
 |ALB Listening on HTTP|f81d63d2-c5d7-43a4-a5b5-66717a41c895|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP|Documentation|
-|DB Security Group With Public Scope|0956aedf-6a7a-478b-ab56-63e2b19923ad|High|Networking and Firewall|The IP address in a DB Security Group must not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6).|Documentation|
-|CosmosDB Account IP Range Filter Not Set|e8c80448-31d8-4755-85fc-6dbab69c2717|High|Networking and Firewall|The IP range filter should be defined|Documentation|
-|Redis Publicly Accessible|0632d0db-9190-450a-8bb3-c283bffea445|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from other Azure sources|Documentation|
-|SQLServer Ingress From Any IP|f4e9ff70-0f3b-4c50-a713-26cbe7ec4039|High|Networking and Firewall|Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255.|Documentation|
-|Sensitive Port Is Exposed To Entire Network|0ac9abbc-6d7a-41cf-af23-2e57ddb3dbfc|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol|Documentation|
+|Route53 Record Undefined|445dce51-7e53-4e50-80ef-7f94f14169e4|High|Networking and Firewall|Route53 Record should have a list of records|Documentation|
 |Compute Instance Is Publicly Accessible|829f1c60-2bab-44c6-8a21-5cd9d39a2c82|High|Networking and Firewall|Compute instances shouldn't be accessible from the Internet.|Documentation|
 |GKE Master Authorized Networks Disabled|d43366c5-80b0-45de-bbe8-2338f4ab0a83|High|Networking and Firewall|Master authorized networks must be enabled in GKE clusters|Documentation|
-|Configuration Aggregator to All Regions Disabled|a2fdf451-89dd-451e-af92-bf6c0f4bab96|High|Observability|AWS Config Configuration Aggregator All Regions must be set to True|Documentation|
+|Sensitive Port Is Exposed To Entire Network|0ac9abbc-6d7a-41cf-af23-2e57ddb3dbfc|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol|Documentation|
+|CosmosDB Account IP Range Filter Not Set|e8c80448-31d8-4755-85fc-6dbab69c2717|High|Networking and Firewall|The IP range filter should be defined|Documentation|
+|Redis Entirely Accessible|0d0c12b9-edce-4510-9065-13f6a758750c|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from the Internet|Documentation|
+|SQLServer Ingress From Any IP|f4e9ff70-0f3b-4c50-a713-26cbe7ec4039|High|Networking and Firewall|Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255.|Documentation|
+|Redis Publicly Accessible|0632d0db-9190-450a-8bb3-c283bffea445|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from other Azure sources|Documentation|
 |CloudTrail Logging Disabled|d4a73c49-cbaa-4c6f-80ee-d6ef5a3a26f5|High|Observability|Checks if logging is enabled for CloudTrail.|Documentation|
-|S3 Bucket Without Versioning|9232306a-f839-40aa-b3ef-b352001da9a5|High|Observability|S3 bucket without versioning|Documentation|
-|PostgreSQL Logging Of Temporary Files Disabled|d6fae5b6-ada9-46c0-8b36-3108a2a2f77b|High|Observability|PostgreSQL database 'log_temp_files' flag isn't set to '0'|Documentation|
-|Stackdriver Logging Disabled|19c9e2a0-fc33-4264-bba1-e3682661e8f7|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must be defined and different from 'none'|Documentation|
-|Object Versioning Not Enabled|7814ddda-e758-4a56-8be3-289a81ded929|High|Observability|Object Versioning not fully enabled on Cloud Storage Bucket|Documentation|
+|Configuration Aggregator to All Regions Disabled|a2fdf451-89dd-451e-af92-bf6c0f4bab96|High|Observability|AWS Config Configuration Aggregator All Regions must be set to True|Documentation|
 |Cloud Storage Bucket Logging Not Enabled|507df964-ad97-4035-ab14-94a82eabdfdd|High|Observability|Cloud storage bucket with logging not enabled|Documentation|
 |Stackdriver Monitoring Disabled|20dcd953-a8b8-4892-9026-9afa6d05a525|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must be defined and different than 'none'|Documentation|
+|Stackdriver Logging Disabled|19c9e2a0-fc33-4264-bba1-e3682661e8f7|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must be defined and different from 'none'|Documentation|
+|Object Versioning Not Enabled|7814ddda-e758-4a56-8be3-289a81ded929|High|Observability|Object Versioning not fully enabled on Cloud Storage Bucket|Documentation|
+|PostgreSQL Logging Of Temporary Files Disabled|d6fae5b6-ada9-46c0-8b36-3108a2a2f77b|High|Observability|PostgreSQL database 'log_temp_files' flag isn't set to '0'|Documentation|
 |PostgreSQL Log Connections Disabled|d7a5616f-0a3f-4d43-bc2b-29d1a183e317|High|Observability|PostgreSQL database instance should have a 'log_connections' flag with its value set to 'on'|Documentation|
-|Node Auto Upgrade Disabled|d6e10477-2e19-4bcd-b8a8-19c65b89ccdf|High|Resource Management|Node 'auto_upgrade' should be enabled for Kubernetes Clusters|Documentation|
 |COS Node Image Not Used|be41f891-96b1-4b9d-b74f-b922a918c778|High|Resource Management|A node image, that is not Container-Optimized OS (COS), is used for Kubernetes Engine Clusters Node image|Documentation|
-|Kinesis Not Encrypted With KMS|f2ea6481-1d31-4d40-946a-520dc6321dd7|High|Secret Management|AWS Kinesis Streams and metadata should be protected with KMS|Documentation|
-|EFS Without KMS|bd77554e-f138-40c5-91b2-2a09f878608e|High|Secret Management|Elastic File System (EFS) must have KMS Key ID|Documentation|
-|Public Lambda via API Gateway|5e92d816-2177-4083-85b4-f61b4f7176d9|Medium|Access Control|Allowing to run lambda function using public API Gateway|Documentation|
+|Node Auto Upgrade Disabled|d6e10477-2e19-4bcd-b8a8-19c65b89ccdf|High|Resource Management|Node 'auto_upgrade' should be enabled for Kubernetes Clusters|Documentation|
+|AMI Shared With Multiple Accounts|a19b2942-142e-4e2b-93b7-6cf6a6c8d90f|Medium|Access Control|Limits access to AWS AMIs by checking if more than one account is using the same image|Documentation|
 |S3 Bucket With Public Access|c3e073c1-f65e-4d18-bd67-4a8f20ad1ab9|Medium|Access Control|S3 Bucket allows public access|Documentation|
-|IAM Access Key Is Exposed|7f79f858-fbe8-4186-8a2c-dfd0d958a40f|Medium|Access Control|Check if IAM Access Key is active for some user besides 'root'|Documentation|
+|SNS Topic is Publicly Accessible For Subscription|905f4741-f965-45c1-98db-f7a00a0e5c73|Medium|Access Control|This query checks if SNS Topic is Accessible For Subscription|Documentation|
 |ECR Repository Is Publicly Accessible|fb5a5df7-6d74-4243-ab82-ff779a958bfd|Medium|Access Control|Amazon ECR image repositories shouldn't have public access|Documentation|
+|Public Lambda via API Gateway|5e92d816-2177-4083-85b4-f61b4f7176d9|Medium|Access Control|Allowing to run lambda function using public API Gateway|Documentation|
 |SQS Policy With Public Access|d994585f-defb-4b51-b6d2-c70f020ceb10|Medium|Access Control|SQS policy with public access|Documentation|
+|IAM Access Key Is Exposed|7f79f858-fbe8-4186-8a2c-dfd0d958a40f|Medium|Access Control|Check if IAM Access Key is active for some user besides 'root'|Documentation|
 |Lambda Permission Principal Is Wildcard|1d972c56-8ec2-48c1-a578-887adb09c57a|Medium|Access Control|Lambda Permission Principal should not contain a wildcard.|Documentation|
-|AMI Shared With Multiple Accounts|a19b2942-142e-4e2b-93b7-6cf6a6c8d90f|Medium|Access Control|Limits access to AWS AMIs by checking if more than one account is using the same image|Documentation|
-|IAM Policies With Full Privileges|e401d614-8026-4f4b-9af9-75d1197461ba|Medium|Access Control|IAM policies that allow full administrative privileges (for all resources)|Documentation|
-|SQS Policy Allows All Actions|ed9b3beb-92cf-44d9-a9d2-171eeba569d4|Medium|Access Control|SQS policy allows ALL (*) actions|Documentation|
 |IAM Policy Grants Full Permissions|b5ed026d-a772-4f07-97f9-664ba0b116f8|Medium|Access Control|IAM policies allow all ('*') in a statement action|Documentation|
-|SNS Topic is Publicly Accessible For Subscription|905f4741-f965-45c1-98db-f7a00a0e5c73|Medium|Access Control|This query checks if SNS Topic is Accessible For Subscription|Documentation|
-|Firewall Rule Allows Too Many Hosts To Access Redis Cache|69f72007-502e-457b-bd2d-5012e31ac049|Medium|Access Control|Check if any firewall rule allows too many hosts to access Redis Cache.|Documentation|
+|SQS Policy Allows All Actions|ed9b3beb-92cf-44d9-a9d2-171eeba569d4|Medium|Access Control|SQS policy allows ALL (*) actions|Documentation|
 |AKS RBAC Disabled|149fa56c-4404-4f90-9e25-d34b676d5b39|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled|Documentation|
 |ECS Service Without Running Tasks|f5c45127-1d28-4b49-a692-0b97da1c3a84|Medium|Availability|ECS Service should have at least 1 task running|Documentation|
 |RDS With Backup Disabled|e69890e6-fce5-461d-98ad-cb98318dfc96|Medium|Backup|RDS configured without backup|Documentation|
 |Stack Retention Disabled|17d5ba1d-7667-4729-b1a6-b11fde3db7f7|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction|Documentation|
 |Key Vault Soft Delete Is Disabled|881696a8-68c5-4073-85bc-7c38a3deb854|Medium|Backup|Make sure Soft Delete is enabled for Key Vault|Documentation|
-|IAM Password Without Lowercase Letter|8e3063f4-b511-45c3-b030-f3b0c9131951|Medium|Best Practices|Check if IAM account password has at least one lowercase letter|Documentation|
-|Authentication Without MFA|eee107f9-b3d8-45d3-b9c6-43b5a7263ce1|Medium|Best Practices|Users should authenticate with MFA (Multi-factor Authentication)|Documentation|
-|IAM Password Without Minimum Length|8bc2168c-1723-4eeb-a6f3-a1ba614b9a6d|Medium|Best Practices|Check if IAM account password has the required minimum length|Documentation|
 |IAM Password Without Number|9cf25d62-0b96-42c8-b66d-998cd6ee5bb8|Medium|Best Practices|Check if IAM account password has at least one number|Documentation|
 |Password Without Reuse Prevention|6f5f5444-1422-495f-81ef-24cefd61ed2c|Medium|Best Practices|Password policy `password_reuse_prevention` doesn't exist or is equal to 0|Documentation|
 |Misconfigured Password Policy Expiration|3f2cf811-88fa-4eda-be45-7a191a18aba9|Medium|Best Practices|No password expiration policy|Documentation|
-|Unrestricted SQL Server Access|3f23c96c-f9f5-488d-9b17-605b8da5842f|Medium|Best Practices|Azure SQL Server Accessibility should be set to a minimal address range, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' must be lesser than 256. Additionally, both ips must be different from '0.0.0.0'|Documentation|
-|SQL Server Predictable Admin Account Name|663062e9-473d-4e87-99bc-6f3684b3df40|Medium|Best Practices|Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'admin_username' must be set to a name that is not easy to predict|Documentation|
+|IAM Password Without Lowercase Letter|8e3063f4-b511-45c3-b030-f3b0c9131951|Medium|Best Practices|Check if IAM account password has at least one lowercase letter|Documentation|
+|IAM Password Without Minimum Length|8bc2168c-1723-4eeb-a6f3-a1ba614b9a6d|Medium|Best Practices|Check if IAM account password has the required minimum length|Documentation|
+|Authentication Without MFA|eee107f9-b3d8-45d3-b9c6-43b5a7263ce1|Medium|Best Practices|Users should authenticate with MFA (Multi-factor Authentication)|Documentation|
 |SQL Server Predictable Active Directory Account Name|530e8291-2f22-4bab-b7ea-306f1bc2a308|Medium|Best Practices|Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'ad_user' must be set to a name that is not easy to predict|Documentation|
+|SQL Server Predictable Admin Account Name|663062e9-473d-4e87-99bc-6f3684b3df40|Medium|Best Practices|Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'admin_username' must be set to a name that is not easy to predict|Documentation|
+|Unrestricted SQL Server Access|3f23c96c-f9f5-488d-9b17-605b8da5842f|Medium|Best Practices|Azure SQL Server Accessibility should be set to a minimal address range, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' must be lesser than 256. Additionally, both ips must be different from '0.0.0.0'|Documentation|
 |Stack Without Template|32d31f1f-0f83-4721-b7ec-1e6948c60145|Medium|Build Process|AWS CloudFormation should have a template defined through the attribute template, template_url or attribute template_body|Documentation|
 |Cosmos DB Account Without Tags|23a4dc83-4959-4d99-8056-8e051a82bc1e|Medium|Build Process|Cosmos DB Account must have a mapping of tags.|Documentation|
+|EBS Volume Encryption Disabled|4b6012e7-7176-46e4-8108-e441785eae57|Medium|Encryption|EBS Encryption should be enabled|Documentation|
 |CodeBuild Not Encrypted|a1423864-2fbc-4f46-bfe1-fbbf125c71c9|Medium|Encryption|CodeBuild Project should be encrypted|Documentation|
 |Config Rule For Encrypted Volumes Disabled|7674a686-e4b1-4a95-83d4-1fd53c623d84|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source.|Documentation|
-|Storage Account Not Using Latest TLS Encryption Version|c62746cf-92d5-4649-9acf-7d48d086f2ee|Medium|Encryption|Ensure Storage Account is using the latest version of TLS encryption|Documentation|
-|High Google KMS Crypto Key Rotation Period|f9b7086b-deb8-4034-9330-d7fd38f1b8de|Medium|Encryption|Make sure Encryption keys changes after 90 days|Documentation|
 |VM CSEK Encryption Disabled|092bae86-6105-4802-99d2-99cd7e7431f3|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK), which means the attribute 'disk_encryption_key' must be defined and its sub attribute 'raw_key' must also be defined and not empty|Documentation|
+|High Google KMS Crypto Key Rotation Period|f9b7086b-deb8-4034-9330-d7fd38f1b8de|Medium|Encryption|Make sure Encryption keys changes after 90 days|Documentation|
 |Google Compute SSL Policy Weak Cipher In Use|b28bcd2f-c309-490e-ab7c-35fc4023eb26|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers|Documentation|
-|Instance With No VPC|61d1a2d0-4db8-405a-913d-5d2ce49dff6f|Medium|Insecure Configurations|Instance should be configured in VPC (Virtual Private Cloud)|Documentation|
+|Storage Account Not Using Latest TLS Encryption Version|c62746cf-92d5-4649-9acf-7d48d086f2ee|Medium|Encryption|Ensure Storage Account is using the latest version of TLS encryption|Documentation|
+|AWS Password Policy With Unchangeable Passwords|e28ceb92-d588-4166-aac5-766c8f5b7472|Medium|Insecure Configurations|Unchangeable passwords in AWS password policy|Documentation|
 |IAM Password Without Uppercase Letter|83957b81-39c1-4191-8e12-671d2ce14354|Medium|Insecure Configurations|Check if IAM account password has at least one uppercase letter|Documentation|
 |API Gateway Without SSL Certificate|b47b98ab-e481-4a82-8bb1-1ab39fd36e33|Medium|Insecure Configurations|SSL Client Certificate should be enabled in aws_api_gateway|Documentation|
-|Lambda Function Without Tags|265d9725-2fb8-42a2-bc57-3279c5db82d5|Medium|Insecure Configurations|AWS Lambda Functions must have associated tags.|Documentation|
-|AWS Password Policy With Unchangeable Passwords|e28ceb92-d588-4166-aac5-766c8f5b7472|Medium|Insecure Configurations|Unchangeable passwords in AWS password policy|Documentation|
 |ECR Image Tag Not Immutable|60bfbb8a-c72f-467f-a6dd-a46b7d612789|Medium|Insecure Configurations|ECR should have an image tag immutable|Documentation|
-|Redis Cache Allows Non SSL Connections|869e7fb4-30f0-4bdb-b360-ad548f337f2f|Medium|Insecure Configurations|Check if any Redis Cache resource allows non-SSL connections.|Documentation|
-|Security Group is Not Configured|da4f2739-174f-4cdd-b9ef-dc3f14b5931f|Medium|Insecure Configurations|Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty|Documentation|
-|AKS Network Policy Misconfigured|8c3bedf1-c570-4c3b-b414-d068cd39a00c|Medium|Insecure Configurations|Azure Kubernetes Service should have the proper network policy configuration|Documentation|
-|OSLogin Is Disabled In VM Instance|66dae697-507b-4aef-be18-eec5bd707f33|Medium|Insecure Configurations|Check if any instance disables OSLogin.|Documentation|
+|Lambda Function Without Tags|265d9725-2fb8-42a2-bc57-3279c5db82d5|Medium|Insecure Configurations|AWS Lambda Functions must have associated tags.|Documentation|
+|Instance With No VPC|61d1a2d0-4db8-405a-913d-5d2ce49dff6f|Medium|Insecure Configurations|Instance should be configured in VPC (Virtual Private Cloud)|Documentation|
 |Cloud DNS Without DNSSEC|80b15fb1-6207-40f4-a803-6915ae619a03|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS|Documentation|
 |Shielded VM Disabled|18d3a83d-4414-49dc-90ea-f0387b2856cc|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true|Documentation|
-|Cloud Storage Anonymous or Publicly Accessible|086031e1-9d4a-4249-acb3-5bfe4c363db2|Medium|Insecure Configurations|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'entity' must not be 'allUsers' or 'allAuthenticatedUsers'|Documentation|
+|OSLogin Is Disabled In VM Instance|66dae697-507b-4aef-be18-eec5bd707f33|Medium|Insecure Configurations|Check if any instance disables OSLogin.|Documentation|
 |Google Container Node Pool Auto Repair Disabled|d58c6f24-3763-4269-9f5b-86b2569a003b|Medium|Insecure Configurations|Verifies if Google Container Node Pool Auto Repair is Enabled|Documentation|
-|Default Network Access is Allowed|974e6fe7-63fd-4fa4-aa72-77b21a4a959d|Medium|Insecure Defaults|Default Network Access rule for Storage Accounts must be set to deny, which means the attribute 'default_action' must be 'Deny'|Documentation|
+|Cloud Storage Anonymous or Publicly Accessible|086031e1-9d4a-4249-acb3-5bfe4c363db2|Medium|Insecure Configurations|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'entity' must not be 'allUsers' or 'allAuthenticatedUsers'|Documentation|
+|AKS Network Policy Misconfigured|8c3bedf1-c570-4c3b-b414-d068cd39a00c|Medium|Insecure Configurations|Azure Kubernetes Service should have the proper network policy configuration|Documentation|
+|Security Group is Not Configured|da4f2739-174f-4cdd-b9ef-dc3f14b5931f|Medium|Insecure Configurations|Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty|Documentation|
+|Redis Cache Allows Non SSL Connections|869e7fb4-30f0-4bdb-b360-ad548f337f2f|Medium|Insecure Configurations|Check if any Redis Cache resource allows non-SSL connections.|Documentation|
 |Using Default Service Account|2775e169-e708-42a9-9305-b58aadd2c4dd|Medium|Insecure Defaults|Instances must not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account_email' must be defined. Additionally, it must not be empty and must also not be a default Google Compute Engine service account.|Documentation
| +|Default Network Access is Allowed
974e6fe7-63fd-4fa4-aa72-77b21a4a959d|Medium|Insecure Defaults|Default Network Access rule for Storage Accounts must be set to deny, which means the attribute 'default_action' must be 'Deny'|Documentation
| |API Gateway Endpoint Config is Not Private
559439b2-3e9c-4739-ac46-17e3b24ec215|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet|Documentation
| |SQL Analysis Services Port 2383 (TCP) is Publicly Accessible
7af1c447-c014-4f05-bd8b-ebe3a15734ac|Medium|Networking and Firewall|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it.|Documentation
| -|WAF Is Disabled For Azure Application Gateway
2fc5ab5a-c5eb-4ae4-b687-0f16fe77c255|Medium|Networking and Firewall|Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway.|Documentation
| +|IP Forwarding Enabled
11bd3554-cd56-4257-8e25-7aaf30cf8f5f|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true|Documentation
| |SSH Access Is Not Restricted
b2fbf1df-76dd-4d78-a6c0-e538f4a9b016|Medium|Networking and Firewall|Check if Google Firewall allows SSH access (port 22) from the Internet (public CIDR block).|Documentation
| -|Serial Ports Are Enabled For VM Instances
c6fc6f29-dc04-46b6-99ba-683c01aff350|Medium|Networking and Firewall|Check if serial ports are enabled in Google Compute Engine VM instances|Documentation
| |RDP Access Is Not Restricted
75418eb9-39ec-465f-913c-6f2b6a80dc77|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access.|Documentation
| -|IP Forwarding Enabled
11bd3554-cd56-4257-8e25-7aaf30cf8f5f|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true|Documentation
| -|CloudTrail Not Integrated With CloudWatch
ebb2118a-03bc-4d53-ab43-d8750f5cb8d3|Medium|Observability|CloudTrail should be integrated with CloudWatch|Documentation
| -|CloudTrail SNS Topic Name Undefined
5ba316a9-c466-4ec1-8d5b-bc6107dc9a92|Medium|Observability|Check if SNS topic name is set for CloudTrail|Documentation
| +|Serial Ports Are Enabled For VM Instances
c6fc6f29-dc04-46b6-99ba-683c01aff350|Medium|Networking and Firewall|Check if serial ports are enabled in Google Compute Engine VM instances|Documentation
| +|Firewall Rule Allows Too Many Hosts To Access Redis Cache
69f72007-502e-457b-bd2d-5012e31ac049|Medium|Networking and Firewall|Check if any firewall rule allows too many hosts to access Redis Cache.|Documentation
| +|WAF Is Disabled For Azure Application Gateway
2fc5ab5a-c5eb-4ae4-b687-0f16fe77c255|Medium|Networking and Firewall|Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway.|Documentation
| |Stack Notifications Disabled
d39761d7-94ab-45b0-ab5e-27c44e381d58|Medium|Observability|AWS CloudFormation should have stack notifications enabled|Documentation
| +|CloudTrail SNS Topic Name Undefined
5ba316a9-c466-4ec1-8d5b-bc6107dc9a92|Medium|Observability|Check if SNS topic name is set for CloudTrail|Documentation
| |API Gateway X-Ray Disabled
2059155b-27fd-441e-b616-6966c468561f|Medium|Observability|API Gateway should have X-Ray Tracing enabled|Documentation
| -|CloudWatch Without Retention Period Specified
e24e18d9-4c2b-4649-b3d0-18c088145e24|Medium|Observability|AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, and access log events|Documentation
| +|CloudTrail Not Integrated With CloudWatch
ebb2118a-03bc-4d53-ab43-d8750f5cb8d3|Medium|Observability|CloudTrail should be integrated with CloudWatch|Documentation
| +|Cloudfront Logging Disabled
d31cb911-bf5b-4eb6-9fc3-16780c77c7bd|Medium|Observability|AWS Cloudfront distributions must have logging enabled, which means the attribute 'logging' must be defined with 'enabled' set to true|Documentation
| |API Gateway With CloudWatch Logging Disabled
72a931c2-12f5-40d1-93cc-47bff2f7aa2a|Medium|Observability|AWS CloudWatch Logs for APIs is not enabled|Documentation
| +|S3 Bucket Without Versioning
9232306a-f839-40aa-b3ef-b352001da9a5|Medium|Observability|S3 bucket without versioning|Documentation
| |CloudTrail Multi Region Disabled
6ad087d7-a509-4b20-b853-9ef6f5ebaa98|Medium|Observability|Check if MultiRegion is Enabled|Documentation
| -|Cloudfront Logging Disabled
d31cb911-bf5b-4eb6-9fc3-16780c77c7bd|Medium|Observability|AWS Cloudfront distributions must have logging enabled, which means the attribute 'logging' must be defined with 'enabled' set to true|Documentation
| +|CloudWatch Without Retention Period Specified
e24e18d9-4c2b-4649-b3d0-18c088145e24|Medium|Observability|AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, and access log events|Documentation
| +|PostgreSQL Misconfigured Log Messages Flag
28a757fc-3d8f-424a-90c0-4233363b2711|Medium|Observability|PostgreSQL database 'log_min_messages' flag isn't set to a valid value|Documentation
| +|PostgreSQL log_checkpoints Flag Not Set To ON
89afe3f0-4681-4ce3-89ed-896cebd4277c|Medium|Observability|PostgreSQL database instance should have a 'log_checkpoints' flag with its value set to 'on'|Documentation
| +|Small Activity Log Retention Period
37fafbea-dedb-4e0d-852e-d16ee0589326|Medium|Observability|Ensure that Activity Log Retention is set 365 days or greater|Documentation
| +|PostgreSQL Server Without Connection Throttling
a9becca7-892a-4af7-b9e1-44bf20a4cd9a|Medium|Observability|Ensure that Connection Throttling is set for the PostgreSQL server|Documentation
| +|PostgreSQL Log Duration Not Set
729ebb15-8060-40f7-9017-cb72676a5487|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON'|Documentation
| +|PostgreSQL Log Connections Not Set
7b47138f-ec0e-47dc-8516-e7728fe3cc17|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON'|Documentation
| |AKS Monitoring Logging Disabled
d5e83b32-56dd-4247-8c2e-074f43b38a5e|Medium|Observability|Azure Container Service (AKS) instance should have logging enabled to Azure Monitoring|Documentation
| |Log Retention Is Not Set
0461b4fd-21ef-4687-929e-484ee4796785|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON'|Documentation
| -|PostgreSQL Log Connections Not Set
7b47138f-ec0e-47dc-8516-e7728fe3cc17|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON'|Documentation
| +|PostgreSQL Log Disconnections Not Set
054d07b5-941b-4c28-8eef-18989dc62323|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON'|Documentation
| |PostgreSQL Log Checkpoints Disabled
7ab33ac0-e4a3-418f-a673-50da4e34df21|Medium|Observability|Make sure that for Postgre SQL Database Server, parameter 'log_checkpoints' is set to 'ON'|Documentation
| -|PostgreSQL Log Duration Not Set
729ebb15-8060-40f7-9017-cb72676a5487|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON'|Documentation
| |Monitoring Log Profile Without All Activities
89f84a1e-75f8-47c5-83b5-bee8e2de4168|Medium|Observability|Monitoring log profile captures all the activities (Action, Write, Delete)|Documentation
| -|Log Disconnections Is Not Set
054d07b5-941b-4c28-8eef-18989dc62323|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON'|Documentation
| -|Small Activity Log Retention Period
37fafbea-dedb-4e0d-852e-d16ee0589326|Medium|Observability|Ensure that Activity Log Retention is set 365 days or greater|Documentation
| -|PostgreSQL Server Without Connection Throttling
a9becca7-892a-4af7-b9e1-44bf20a4cd9a|Medium|Observability|Ensure that Connection Throttling is set for the PostgreSQL server|Documentation
| -|PostgreSQL Misconfigured Log Messages Flag
28a757fc-3d8f-424a-90c0-4233363b2711|Medium|Observability|PostgreSQL database 'log_min_messages' flag isn't set to a valid value|Documentation
| -|PostgreSQL log_checkpoints Flag Not Set To ON
89afe3f0-4681-4ce3-89ed-896cebd4277c|Medium|Observability|PostgreSQL database instance should have a 'log_checkpoints' flag with its value set to 'on'|Documentation
| |No Stack Policy
ffe0fd52-7a8b-4a5c-8fc7-49844418e6c9|Medium|Resource Management|AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions|Documentation
| |Hardcoded AWS Access Key In Lambda
f34508b9-f574-4330-b42d-88c44cced645|Medium|Secret Management|Lambda access key should not be in plaintext.|Documentation
| |Project-wide SSH Keys Are Enabled In VM Instances
099b4411-d11e-4537-a0fc-146b19762a79|Medium|Secret Management|Check if the VM Instance doesn't block project-wide SSH keys.|Documentation
| |IAM Policy Grants 'AssumeRole' Permission Across All Services
12a7a7ce-39d6-49dd-923d-aeb4564eb66c|Low|Access Control|IAM role allows All services or principals to assume it|Documentation
| |IAM Role Allows All Principals To Assume
babdedcf-d859-43da-9a7b-6d72e661a8fd|Low|Access Control|IAM role allows all services or principals to assume it|Documentation
| +|CDN Configuration Is Missing
b25398a2-0625-4e61-8e4d-a1bb23905bf6|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination.|Documentation
| |IAM Policies Attached To User
eafe4bc3-1042-4f88-b988-1939e64bf060|Low|Best Practices|IAM policies should be attached only to groups or roles|Documentation
| |Lambda Permission Misconfigured
3ddf3417-424d-420d-8275-0724dc426520|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction'|Documentation
| -|CDN Configuration Is Missing
b25398a2-0625-4e61-8e4d-a1bb23905bf6|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination.|Documentation
| |EFS Without Tags
b8a9852c-9943-4973-b8d5-77dae9352851|Low|Build Process|Amazon Elastic Filesystem should have filesystem tags associated|Documentation
| |SQS with SSE disabled
e1e7b278-2a8b-49bd-a26e-66a7f70b17eb|Low|Encryption| SQS Queue should be protected with CMK encryption|Documentation
| |Cloudfront Without WAF
22c80725-e390-4055-8d14-a872230f6607|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service|Documentation
| -|CloudTrail Log File Validation Disabled
4d8681a2-3d30-4c89-8070-08acd142748e|Low|Observability|CloudTrail Log Files should have validation enabled|Documentation
| -|Lambda Functions Without X-Ray Tracing
71397b34-1d50-4ee1-97cb-c96c34676f74|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_mode' should have the value 'Active'|Documentation
| |S3 Bucket Logging Disabled
c3b9f7b0-f5a0-49ec-9cbc-f1e346b7274d|Low|Observability|S3 bucket without debug_botocore_endpoint_logs|Documentation
| +|Lambda Functions Without X-Ray Tracing
71397b34-1d50-4ee1-97cb-c96c34676f74|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_mode' should have the value 'Active'|Documentation
| +|CloudTrail Log File Validation Disabled
4d8681a2-3d30-4c89-8070-08acd142748e|Low|Observability|CloudTrail Log Files should have validation enabled|Documentation
| |Hardcoded AWS Access Key
c2f15af3-66a0-4176-a56e-e4711e502e5c|Low|Secret Management|Check if the user data in the EC2 instance has the access key hardcoded|Documentation
|
diff --git a/docs/queries/cloudformation-queries.md b/docs/queries/cloudformation-queries.md
index ff7dfa63e8a..5ff49a0a9b0 100644
--- a/docs/queries/cloudformation-queries.md
+++ b/docs/queries/cloudformation-queries.md
@@ -3,224 +3,224 @@ This page contains all queries from CloudFormation. | Query |Severity|Category|Description|Help| |-----------------------------|--------|--------|-----------|----| -|ECS Service Admin Role Is Present
01986452-bdd8-4aaa-b5df-d6bf61d616ff|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'role' must not be an admin role|Documentation
| -|S3 Static Website Host Enabled
90501b1b-cded-4cc1-9e8b-206b85cda317|High|Access Control|It's dangerous disabling a block public access settings in bucket or writing a bucket policy that grants public read access|Documentation
| -|S3 Bucket With All Permissions
4ae8af91-5108-42cb-9471-3bdbe596eac9|High|Access Control|S3 Buckets must not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals.|Documentation
| -|S3 Bucket Allows Get Action From All Principals
f97b7d23-568f-4bcc-9ac9-02df0d57fbba|High|Access Control|S3 Buckets must not allow Get Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals.|Documentation
| -|S3 Bucket ACL Allows Read to All Users
219f4c95-aa50-44e0-97de-cf71f4641170|High|Access Control|S3 Buckets sould not be readable and writable to all users|Documentation
| -|S3 Bucket ACL Allows Read Or Write to All Users
07dda8de-d90d-469e-9b37-1aca53526ced|High|Access Control|S3 Buckets sould not be readable and writable to all users|Documentation
| -|S3 Bucket Allows Restore Actions From All Principals
456b00a3-1072-4149-9740-6b8bb60251b0|High|Access Control|S3 Buckets must not allow Restore Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Restore, for all Principals.|Documentation
| -|Root Account Has Active Access Keys
4c137350-7307-4803-8c04-17c09a7a9fcf|High|Access Control|Check if the root user has any access keys associated to it.|Documentation
| -|S3 Bucket ACL Allows Read to Any Authenticated User
835d5497-a526-4aea-a23f-98a9afd1635f|High|Access Control|S3 Buckets sould not be readable and writable to all users|Documentation
| |S3 Bucket Allows Put Action From All Principals
f6397a20-4cf1-4540-a997-1d363c25ef58|High|Access Control|S3 Buckets must not allow Put Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals.|Documentation
| |Lambda Functions With Full Privileges
a0ae0a4e-712b-4115-8112-51b9eeed9d69|High|Access Control|AWS Lambda Functions should not have roles with policies granting full administrative privileges.|Documentation
| +|S3 Bucket ACL Allows Read Or Write to All Users
07dda8de-d90d-469e-9b37-1aca53526ced|High|Access Control|S3 Buckets sould not be readable and writable to all users|Documentation
| +|S3 Bucket Allows Get Action From All Principals
f97b7d23-568f-4bcc-9ac9-02df0d57fbba|High|Access Control|S3 Buckets must not allow Get Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals.|Documentation
| +|S3 Bucket Allows Restore Actions From All Principals
456b00a3-1072-4149-9740-6b8bb60251b0|High|Access Control|S3 Buckets must not allow Restore Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Restore, for all Principals.|Documentation
| +|S3 Bucket ACL Allows Read to All Users
219f4c95-aa50-44e0-97de-cf71f4641170|High|Access Control|S3 Buckets sould not be readable and writable to all users|Documentation
| +|ECS Service Admin Role Is Present
01986452-bdd8-4aaa-b5df-d6bf61d616ff|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'role' must not be an admin role|Documentation
| +|S3 Bucket Access to Any Principal
7772bb8c-c0f3-42d4-8e4e-f1b8939ad085|High|Access Control|The S3 Bucket should not have the (accessPublicBlock empty or accessPublicBlock.ignorePublicAcls = false or accessPublicBlock.restrictPublicBuckets = false ) and ( policy.Statement contain [Effect='Allow' and (Principal='*' or Principal.AWS='*')])|Documentation
| |S3 Bucket Allows List Action From All Principals
faa8fddf-c0aa-4b2d-84ff-e993e233ebe9|High|Access Control|S3 Buckets must not allow List Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals.|Documentation
| +|S3 Bucket With All Permissions
4ae8af91-5108-42cb-9471-3bdbe596eac9|High|Access Control|S3 Buckets must not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals.|Documentation
| |S3 Bucket Allows Delete Action From All Principals
acc78859-765e-4011-a229-a65ea57db252|High|Access Control|S3 Buckets must not allow Delete Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals.|Documentation
| +|S3 Bucket ACL Allows Read to Any Authenticated User
835d5497-a526-4aea-a23f-98a9afd1635f|High|Access Control|S3 Buckets sould not be readable and writable to all users|Documentation
| |IAM Policies With Full Privileges
953b3cdb-ce13-428a-aa12-318726506661|High|Access Control|IAM policies shouldn't allow full administrative privileges|Documentation
| -|ELB Using Insecure Protocols
61a94903-3cd3-4780-88ec-fc918819b9c8|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the ELB Listeners must not have Policies that posses Protocols that coincide with any of a predefined list of insecure protocols.|Documentation
| -|Redshift Not Encrypted
3b316b05-564c-44a7-9c3f-405bb95e211e|High|Encryption|AWS Redshift Cluster should be encrypted|Documentation
| -|CloudTrail Log Files Not Encrypted
050a9ba8-d1cb-4c61-a5e8-8805a70d3b85|High|Encryption|Logs delivered by CloudTrail should be encrypted using KMS|Documentation
| |User Data Contains Encoded Private Key
568cc372-ca64-420d-9015-ee347d00d288|High|Encryption|User Data Base64 contains an encoded RSA Private Key|Documentation
| -|ElastiCache With Disabled Transit Encryption
3b02569b-fc6f-4153-b3a3-ba91022fed68|High|Encryption|Ensure AWS ElastiCache Redis clusters have encryption for data at transit enabled|Documentation
| +|S3 Bucket Without Server-side-encryption
b2e8752c-3497-4255-98d2-e4ae5b46bbf5|High|Encryption|S3 Buckets should have server-side encryption at rest enabled to protect sensitive data|Documentation
| +|Redshift Cluster Without KMS CMK
de76a0d6-66d5-45c9-9022-f05545b85c78|High|Encryption|AWS Redshift Cluster should have KMS CMK defined|Documentation
| +|ELB Using Insecure Protocols
61a94903-3cd3-4780-88ec-fc918819b9c8|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the ELB Listeners must not have Policies that posses Protocols that coincide with any of a predefined list of insecure protocols.|Documentation
| +|IAM Database Auth Not Enabled
9fcd0a0a-9b6f-4670-a215-d94e6bf3f184|High|Encryption|IAM Database Auth Enabled must be configured to true|Documentation
| |Secure Ciphers Disabled
be96849c-3df6-49c2-bc16-778a7be2519c|High|Encryption|Check if secure ciphers aren't used in CloudFront|Documentation
| +|MSK Cluster Encryption Disabled
a976d63f-af0e-46e8-b714-8c1a9c4bf768|High|Encryption|Ensure MSK Cluster encryption in rest and transit is enabled.|Documentation
| |Kinesis SSE Not Configured
7f65be75-90ab-4036-8c2a-410aef7bb650|High|Encryption|AWS Kinesis Stream should have SSE (Server Side Encryption) defined|Documentation
| -|IAM Database Auth Not Enabled
9fcd0a0a-9b6f-4670-a215-d94e6bf3f184|High|Encryption|IAM Database Auth Enabled must be configured to true|Documentation
| -|CMK Unencrypted Storage
ffee2785-c347-451e-89f3-11aeb08e5c84|High|Encryption|Ensure that storage is encrypted by KMS on instances that, based on their name, might host a database. |Documentation
| -|Viewer Protocol Policy Allows HTTP
31733ee2-fef0-4e87-9778-65da22a8ecf1|High|Encryption|Ensure that the Viewer Protocol is only HTTPS Compliant|Documentation
| +|EFS Without KMS
6d087495-2a42-4735-abf7-02ef5660a7e6|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys|Documentation
| +|Connection Between CloudFront Origin Not Encrypted
a5366a50-932f-4085-896b-41402714a388|High|Encryption|Checks if the connection between the CloudFront and the origin server is encrypted|Documentation
| +|CloudFormation Specifying Credentials Not Safe
9ecb6b21-18bc-4aa7-bd07-db20f1c746db|High|Encryption|Specifying credentials in the template itself is probably not safe to do.|Documentation
| +|ElastiCache With Disabled at Rest Encryption
e4ee3903-9225-4b6a-bdfb-e62dbadef821|High|Encryption|Ensure AWS ElastiCache Redis clusters have encryption for data at rest enabled|Documentation
| +|ECS Task Definition Container With Plaintext Password
f9b10cdb-eaab-4e39-9793-e12b94a582ad|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data.|Documentation
| +|ELB Without SSL
80908a75-586b-4c61-ab04-490f4f4525b8|High|Encryption|Check if the ELB is setup with SSL for secure communication|Documentation
| +|RDS Storage Not Encrypted
5beacce3-4020-4a3d-9e1d-a36f953df630|High|Encryption|AWS RDS DB Instance should be encrypted|Documentation
| +|CloudTrail Log Files Not Encrypted
050a9ba8-d1cb-4c61-a5e8-8805a70d3b85|High|Encryption|Logs delivered by CloudTrail should be encrypted using KMS|Documentation
| +|Redshift Not Encrypted
3b316b05-564c-44a7-9c3f-405bb95e211e|High|Encryption|AWS Redshift Cluster should be encrypted|Documentation
| |ECS Cluster Not Encrypted At Rest
6c131358-c54d-419b-9dd6-1f7dd41d180c|High|Encryption|Ensure that AWS ECS clusters are encrypted. Data encryption at rest, prevents unauthorized users from accessing sensitive data on your AWS ECS clusters and associated cache storage systems.|Documentation
| +|CMK Unencrypted Storage
ffee2785-c347-451e-89f3-11aeb08e5c84|High|Encryption|Ensure that storage is encrypted by KMS on instances that, based on their name, might host a database. |Documentation
| +|ElastiCache With Disabled Transit Encryption
3b02569b-fc6f-4153-b3a3-ba91022fed68|High|Encryption|Ensure AWS ElastiCache Redis clusters have encryption for data at transit enabled|Documentation
| |Memcached Disabled
dd0971a6-09c3-4168-8474-a7ef8fbfd99d|High|Encryption|Check if the Memcached is disabled on the ElastiCache|Documentation
| -|CloudFormation Specifying Credentials Not Safe
9ecb6b21-18bc-4aa7-bd07-db20f1c746db|High|Encryption|Specifying credentials in the template itself is probably not safe to do.|Documentation
| -|S3 Bucket Without Server-side-encryption
b2e8752c-3497-4255-98d2-e4ae5b46bbf5|High|Encryption|S3 Buckets should have server-side encryption at rest enabled to protect sensitive data|Documentation
| -|MSK Cluster Encryption Disabled
a976d63f-af0e-46e8-b714-8c1a9c4bf768|High|Encryption|Ensure MSK Cluster encryption in rest and transit is enabled.|Documentation
| -|Redshift Cluster Without KMS CMK
de76a0d6-66d5-45c9-9022-f05545b85c78|High|Encryption|AWS Redshift Cluster should have KMS CMK defined|Documentation
| +|Viewer Protocol Policy Allows HTTP
31733ee2-fef0-4e87-9778-65da22a8ecf1|High|Encryption|Ensure that the Viewer Protocol is only HTTPS Compliant|Documentation
| |EFS Not Encrypted
2ff8e83c-90e1-4d68-a300-6d652112e622|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled|Documentation
| -|User Data Shell Script Is Encoded
48c3bc58-6959-4f27-b647-4fedeace23be|High|Encryption|User Data Shell Script must be encoded|Documentation
| -|ELB Without SSL
80908a75-586b-4c61-ab04-490f4f4525b8|High|Encryption|Check if the ELB is setup with SSL for secure communication|Documentation
| -|DynamoDB With Aws Owned CMK
c8dee387-a2e6-4a73-a942-183c975549ac|High|Encryption|AWS DynamoDb should be encrypted using AWS Managed CMK, instead of AWS-owned CMK. To verify this, SSEEnabled must be verified if false for AWS-owned CMK or true for AWS-Managed CMK. Default value is false.|Documentation
| |ELB Using Weak Ciphers
809f77f8-d10e-4842-a84f-3be7b6ff1190|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the ELB Listeners must not have Policies that posses Ciphers that coincide with any of a predefined list of weak ciphers.|Documentation
| -|ElastiCache With Disabled at Rest Encryption
e4ee3903-9225-4b6a-bdfb-e62dbadef821|High|Encryption|Ensure AWS ElastiCache Redis clusters have encryption for data at rest enabled|Documentation
| |S3 Bucket Without SSL In Write Actions
38c64e76-c71e-4d92-a337-60174d1de1c9|High|Encryption|S3 Buckets should enforce encryption of data transfers using Secure Sockets Layer (SSL)|Documentation
| +|DynamoDB With Aws Owned CMK
c8dee387-a2e6-4a73-a942-183c975549ac|High|Encryption|AWS DynamoDb should be encrypted using AWS Managed CMK, instead of AWS-owned CMK. To verify this, SSEEnabled must be verified if false for AWS-owned CMK or true for AWS-Managed CMK. Default value is false.|Documentation
| +|S3 Bucket SSE Disabled
64ab651b-f5b2-4af0-8c89-ddd03c4d0e61|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required|Documentation
| +|User Data Shell Script Is Encoded
48c3bc58-6959-4f27-b647-4fedeace23be|High|Encryption|User Data Shell Script must be encoded|Documentation
| |SageMaker Data Encryption Disabled
709e6da6-fa1f-44cc-8f17-7f25f96dadbe|High|Encryption|Amazon SageMaker's Notebook Instance must have its Data Encryption enabled, which means the attribute 'KmsKeyId' must be defined not empty or null.|Documentation
| -|Connection Between CloudFront Origin Not Encrypted
a5366a50-932f-4085-896b-41402714a388|High|Encryption|Checks if the connection between the CloudFront and the origin server is encrypted|Documentation
| -|RDS Storage Not Encrypted
5beacce3-4020-4a3d-9e1d-a36f953df630|High|Encryption|AWS RDS DB Instance should be encrypted|Documentation
| -|EFS Without KMS
6d087495-2a42-4735-abf7-02ef5660a7e6|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys|Documentation
| -|ECS Task Definition Container With Plaintext Password
f9b10cdb-eaab-4e39-9793-e12b94a582ad|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data.|Documentation
| |API Gateway Without Security Policy
8275fab0-68ec-4705-bbf4-86975edb170e|High|Insecure Configurations|API Gateway should have a Security Policy defined and use TLS 1.2.|Documentation
| -|Batch Job Definition With Privileged Container Properties
76ddf32c-85b1-4808-8935-7eef8030ab36|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties|Documentation
| -|CloudFront Without Minimum Protocol TLS 1.2
dc17ee4b-ddf2-4e23-96e8-7a36abad1303|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2|Documentation
| -|ECS Task Definition Network Mode Not Recommended
027a4b7a-8a59-4938-a04f-ed532512cf45|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations|Documentation
| -|Route53 Record Undefined
24d932e1-91f0-46ea-836f-fdbd81694151|High|Insecure Configurations|Route53 HostedZone must have the Record Set defined.|Documentation
| -|S3 Bucket Access to Any Principal
7772bb8c-c0f3-42d4-8e4e-f1b8939ad085|High|Insecure Configurations|The S3 Bucket should not have the (accessPublicBlock empty or accessPublicBlock.ignorePublicAcls = false or accessPublicBlock.restrictPublicBuckets = false ) and ( policy.Statement contain [Effect='Allow' and (Principal='*' or Principal.AWS='*')])|Documentation
| +|Redshift Publicly Accessible
bdf8dcb4-75df-4370-92c4-606e4ae6c4d3|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible, which means the attribute 'PubliclyAccessible' must be set to false|Documentation
| |DB Security Group Has Public IP
de38e1d5-54cb-4111-a868-6f7722695007|High|Insecure Configurations|RDS must not be defined with public interface, which means the attribute 'PubliclyAccessible' must be set to false.|Documentation
| +|ECS Task Definition Network Mode Not Recommended
027a4b7a-8a59-4938-a04f-ed532512cf45|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations|Documentation
| +|S3 Static Website Host Enabled
90501b1b-cded-4cc1-9e8b-206b85cda317|High|Insecure Configurations|It's dangerous disabling a block public access settings in bucket or writing a bucket policy that grants public read access|Documentation
| +|CloudFront Without Minimum Protocol TLS 1.2
dc17ee4b-ddf2-4e23-96e8-7a36abad1303|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2|Documentation
| +|Batch Job Definition With Privileged Container Properties
76ddf32c-85b1-4808-8935-7eef8030ab36|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties|Documentation
| +|KMS Key With Vulnerable Policy
da905474-7454-43c0-b8d2-5756ab951aba|High|Insecure Configurations|Checks if the policy is vulnerable and needs updating|Documentation
| +|Root Account Has Active Access Keys
4c137350-7307-4803-8c04-17c09a7a9fcf|High|Insecure Configurations|Check if the root user has any access keys associated to it.|Documentation
| |Permissive Web ACL Default Action
6d64f311-3da6-45f3-80f1-14db9771ea40|High|Insecure Defaults|WebAcl DefaultAction should not be ALLOW|Documentation
| |Vulnerable Default SSL Certificate
b4d9c12b-bfba-4aeb-9cb8-2358546d8041|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one.|Documentation
| -|Security Group Unrestricted Access To RDP
3ae83918-7ec7-4cb8-80db-b91ef0f94002|High|Networking and Firewall|Security Groups does not allow 0.0.0.0/0 for rdp (port:3389)|Documentation
| -|Security Groups With Exposed Admin Ports
cdbb0467-2957-4a77-9992-7b55b29df7b7|High|Networking and Firewall|Security Groups should not have ports open in (20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389)|Documentation
| +|DB Security Group with Public Scope
9564406d-e761-4e61-b8d7-5926e3ab8e79|High|Networking and Firewall|The IP address in a DB Security Group must not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6).|Documentation
| |HTTP Port Open
ddfc4eaa-af23-409f-b96c-bf5c45dc4daa|High|Networking and Firewall|The HTTP port is open in a Security Group|Documentation
| -|DB Security Group Open To Large Scope
0104165b-02d5-426f-abc9-91fb48189899|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts.|Documentation
| -|Security Groups Allows Unrestricted Outbound Traffic
66f2d8f9-a911-4ced-ae27-34f09690bb2c|High|Networking and Firewall|No security group should allow unrestricted egress access|Documentation
| |Fully Open Ingress
e415f8d3-fc2b-4f52-88ab-1129e8c8d3f5|High|Networking and Firewall|ECS Service's security group should not allow unrestricted access to all ports from all IPv4 addresses|Documentation
| -|Default Security Groups With Unrestricted Traffic
ea33fcf7-394b-4d11-a228-985c5d08f205|High|Networking and Firewall|Security Groups set as default must be denied traffic.|Documentation
| -|Security Group With Unrestricted Access To SSH
6e856af2-62d7-4ba2-adc1-73b62cef9cc1|High|Networking and Firewall|Security Groups allows all traffic for SSH (port:22)|Documentation
| -|SageMaker Notebook Not Placed In VPC
9c7028d9-04c2-45be-b8b2-1188ccaefb36|High|Networking and Firewall|SageMaker Notebook must be placed in a VPC|Documentation
| -|EC2 Sensitive Port Is Publicly Exposed
494b03d3-bf40-4464-8524-7c56ad0700ed|High|Networking and Firewall|The EC2 instance has a sensitive port connection exposed to the entire network|Documentation
| -|Unknown Port Exposed To Internet
829ce3b8-065c-41a3-ad57-e0accfea82d2|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet|Documentation
| |EC2 Public Instance Exposed Through Subnet
c44c95fc-ae92-4bb8-bdf8-bb9bc412004a|High|Networking and Firewall|EC2 instances with public IP addresses shouldn't allow for unrestricted traffic to their subnets|Documentation
| +|ELB Sensitive Port Is Exposed To Entire Network
78055456-f670-4d2e-94d5-392d1cf4f5e4|High|Networking and Firewall|The load balancer of the application with a sensitive port connection is exposed to the entire internet.|Documentation
| +|Security Group Unrestricted Access To RDP
3ae83918-7ec7-4cb8-80db-b91ef0f94002|High|Networking and Firewall|Security Groups does not allow 0.0.0.0/0 for rdp (port:3389)|Documentation
| +|DB Security Group Open To Large Scope
0104165b-02d5-426f-abc9-91fb48189899|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts.|Documentation
| |EC2 Network ACL Overlapping Ports
77b6f1e2-bde4-4a6a-ae7e-a40659ff1576|High|Networking and Firewall|NetworkACL Entries are reusing or overlapping ports which may create ineffective rules|Documentation
| -|KMS Key With Vulnerable Policy
da905474-7454-43c0-b8d2-5756ab951aba|High|Networking and Firewall|Checks if the policy is vulnerable and needs updating|Documentation
| +|EC2 Sensitive Port Is Publicly Exposed
494b03d3-bf40-4464-8524-7c56ad0700ed|High|Networking and Firewall|The EC2 instance has a sensitive port connection exposed to the entire network|Documentation
| +|Security Group With Unrestricted Access To SSH
6e856af2-62d7-4ba2-adc1-73b62cef9cc1|High|Networking and Firewall|Security Groups allows all traffic for SSH (port:22)|Documentation
| +|Unknown Port Exposed To Internet
829ce3b8-065c-41a3-ad57-e0accfea82d2|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet|Documentation
| +|Default Security Groups With Unrestricted Traffic
ea33fcf7-394b-4d11-a228-985c5d08f205|High|Networking and Firewall|Security Groups set as default must be denied traffic.|Documentation
| +|SageMaker Notebook Not Placed In VPC
9c7028d9-04c2-45be-b8b2-1188ccaefb36|High|Networking and Firewall|SageMaker Notebook must be placed in a VPC|Documentation
| +|Security Groups With Exposed Admin Ports
cdbb0467-2957-4a77-9992-7b55b29df7b7|High|Networking and Firewall|Security Groups should not have ports open in (20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389)|Documentation
| |Security Groups With Meta IP
adcd0082-e90b-4b63-862b-21899f6e6a48|High|Networking and Firewall|Security Groups allows 0.0.0.0/0 for all ports and protocols.|Documentation
| |Remote Desktop Port Open
c9846969-d066-431f-9b34-8c4abafe422a|High|Networking and Firewall|The Remote Desktop port is open in a Security Group|Documentation
| |ALB Listening on HTTP
275a3217-ca37-40c1-a6cf-bb57d245ab32|High|Networking and Firewall|All Application Load Balancers (ALB) should block connection requests over HTTP|Documentation
| -|DB Security Group with Public Scope
9564406d-e761-4e61-b8d7-5926e3ab8e79|High|Networking and Firewall|The IP address in a DB Security Group must not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6).|Documentation
| -|ELB Sensitive Port Is Exposed To Entire Network
78055456-f670-4d2e-94d5-392d1cf4f5e4|High|Networking and Firewall|The load balancer of the application with a sensitive port connection is exposed to the entire internet.|Documentation
| -|CMK Rotation Disabled
1c07bfaf-663c-4f6f-b22b-8e2d481e4df5|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'EnableKeyRotation' must be set to 'true' when the key is enabled.|Documentation
| +|Security Groups Allows Unrestricted Outbound Traffic
66f2d8f9-a911-4ced-ae27-34f09690bb2c|High|Networking and Firewall|No security group should allow unrestricted egress access|Documentation
| +|Route53 Record Undefined
24d932e1-91f0-46ea-836f-fdbd81694151|High|Networking and Firewall|Route53 HostedZone must have the Record Set defined.|Documentation
| |S3 Bucket CloudTrail Logging Disabled
c3ce69fd-e3df-49c6-be78-1db3f802261c|High|Observability|Server Access Logging must be enabled on S3 Buckets so that all changes are logged and trackable when the Service used is CloudTrail|Documentation
| -|Configuration Aggregator to All Regions Disabled
9f3cf08e-72a2-4eb1-8007-e3b1b0e10d4d|High|Observability|AWS Config Configuration Aggregator All Regions must be set to True|Documentation
| +|CMK Rotation Disabled
1c07bfaf-663c-4f6f-b22b-8e2d481e4df5|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'EnableKeyRotation' must be set to 'true' when the key is enabled.|Documentation
| |CloudTrail Logging Disabled
5c0b06d5-b7a4-484c-aeb0-75a836269ff0|High|Observability|Checks if logging is enabled for CloudTrail.|Documentation
| -|S3 Bucket SSE Disabled
64ab651b-f5b2-4af0-8c89-ddd03c4d0e61|High|Secret Management|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required|Documentation
| -|Public Lambda via API Gateway
57b12981-3816-4c31-b190-a1e614361dd2|Medium|Access Control|Allowing to run lambda function using public API Gateway|Documentation
| -|SQS Queue Policy Allows NotAction
4fbfee74-8186-40d5-a24e-4baa76a855de|Medium|Access Control|AWS SQS Queue Policy should not allow NotAction since the actions specified in this element are the only actions in that are limited|Documentation
| -|EC2 Network ACL Ineffective Denied Traffic
2623d682-dccb-44cd-99d0-54d9fd62f8f2|Medium|Access Control|Ineffective deny rules. A deny rule should be applied to all IP addresses.|Documentation
| -|KMS Allows Wildcard Principal
f6049677-ec4a-43af-8779-5190b6d03cba|Medium|Access Control|KMS Should not allow Principal parameter to be set as *|Documentation
| -|IoT Policy Allows Wildcard Resource
be5b230d-4371-4a28-a441-85dc760e2aa3|Medium|Access Control|IoT Policy should not allow Resource to be set as *|Documentation
| -|API Gateway Method Does Not Contains An API Key
3641d5b4-d339-4bc2-bfb9-208fe8d3477f|Medium|Access Control|An API Key should be required on a method request.|Documentation
| -|SNS Topic Publicity Has Allow and NotAction Simultaneously
818f38ed-8446-4132-9c03-474d49e10195|Medium|Access Control|SNS topic Publicity Should not have Allow and NotAction at the same time, if it has Allow it should have Action|Documentation
| +|Configuration Aggregator to All Regions Disabled
9f3cf08e-72a2-4eb1-8007-e3b1b0e10d4d|High|Observability|AWS Config Configuration Aggregator All Regions must be set to True|Documentation
| |IoT Policy Allows Action as Wildcard
4d32780f-43a4-424a-a06d-943c543576a5|Medium|Access Control|IoT Policy should not allow Action to be set as *|Documentation
| +|IAM Policy On User
e4239438-e639-44aa-adb8-866e400e3ade|Medium|Access Control|IAM policies should be applied to groups and not to users|Documentation
| +|Empty Roles For ECS Cluster Task Definitions
7f384a5f-b5a2-4d84-8ca3-ee0a5247becb|Medium|Access Control|Check if any ECS cluster has not defined proper roles for services' task definitions.|Documentation
| +|SQS Queue Policy Allows NotPrincipal
4a8fc9a2-2b2f-4b3f-aa8d-401425872034|Medium|Access Control|Checks if an SQS Queue policy has an Allow and a NotPrincipal. AWS strongly recommends against using `NotPrincipal` in the same policy statement as `"Effect": "Allow"`.|Documentation
| +|EC2 Instance Has No IAM Role
f914357d-8386-4d56-9ba6-456e5723f9a6|Medium|Access Control|Check if an EC2 instance refers to an IAM profile, which represents an IAM Role.|Documentation
| +|EC2 Network ACL Ineffective Denied Traffic
2623d682-dccb-44cd-99d0-54d9fd62f8f2|Medium|Access Control|Ineffective deny rules. A deny rule should be applied to all IP addresses.|Documentation
| |ECR Repository Is Publicly Accessible
75be209d-1948-41f6-a8c8-e22dd0121134|Medium|Access Control|Amazon ECR image repositories shouldn't have public access|Documentation
| +|API Gateway Method Does Not Contains An API Key
3641d5b4-d339-4bc2-bfb9-208fe8d3477f|Medium|Access Control|An API Key should be required on a method request.|Documentation
| +|KMS Allows Wildcard Principal
f6049677-ec4a-43af-8779-5190b6d03cba|Medium|Access Control|KMS Should not allow Principal parameter to be set as *|Documentation
| +|Public Lambda via API Gateway
57b12981-3816-4c31-b190-a1e614361dd2|Medium|Access Control|Allowing to run lambda function using public API Gateway|Documentation
| |SQS Policy With Public Access
9b6a3f5b-5fd6-40ee-9bc0-ed604911212d|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue|Documentation
| -|EC2 Instance Has No IAM Role
f914357d-8386-4d56-9ba6-456e5723f9a6|Medium|Access Control|Check if an EC2 instance refers to an IAM profile, which represents an IAM Role.|Documentation
| +|SQS Queue Policy Allows NotAction
4fbfee74-8186-40d5-a24e-4baa76a855de|Medium|Access Control|AWS SQS Queue Policy should not allow NotAction since the actions specified in this element are the only actions in that are limited|Documentation
| +|SNS Topic Publicity Has Allow and NotAction Simultaneously
818f38ed-8446-4132-9c03-474d49e10195|Medium|Access Control|SNS topic Publicity Should not have Allow and NotAction at the same time, if it has Allow it should have Action|Documentation
| |Lambda Permission Principal Is Wildcard
1d6e16f1-5d8a-4379-bfb3-2dadd38ed5a7|Medium|Access Control|Lambda Permission Principal should not be wildcard.|Documentation
| -|Empty Roles For ECS Cluster Task Definitions
7f384a5f-b5a2-4d84-8ca3-ee0a5247becb|Medium|Access Control|Check if any ECS cluster has not defined proper roles for services' task definitions.|Documentation
| -|SQS Queue Policy Allows NotPrincipal
4a8fc9a2-2b2f-4b3f-aa8d-401425872034|Medium|Access Control|Checks if an SQS Queue policy has an Allow and a NotPrincipal. AWS strongly recommends against using `NotPrincipal` in the same policy statement as `"Effect": "Allow"`.|Documentation
| -|IAM Policy On User
e4239438-e639-44aa-adb8-866e400e3ade|Medium|Access Control|IAM policies should be applied to groups and not to users|Documentation
| -|Auto Scaling Group With No Associated ELB
ad21e616-5026-4b9d-990d-5b007bfe679c|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'LoadBalancerNames' must be defined and not empty.|Documentation
| -|EBS Volume Not Attached To Instances
1819ac03-542b-4026-976b-f37addd59f3b|Medium|Availability|EBS Volumes that are unattached to instances may contain sensitive data|Documentation
| +|IoT Policy Allows Wildcard Resource
be5b230d-4371-4a28-a441-85dc760e2aa3|Medium|Access Control|IoT Policy should not allow Resource to be set as *|Documentation
| +|CMK Is Unusable
2844c749-bd78-4cd1-90e8-b179df827602|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'Enabled' set to true and the attribute 'PendingWindowInDays' must be undefined.|Documentation
| |ElastiCache Nodes Not Created Across Multi AZ
cfdef2e5-1fe4-4ef4-bea8-c56e08963150|Medium|Availability|Check if ElastiCache nodes are not being created across multi AZ|Documentation
| +|EBS Volume Not Attached To Instances
1819ac03-542b-4026-976b-f37addd59f3b|Medium|Availability|EBS Volumes that are unattached to instances may contain sensitive data|Documentation
| +|Auto Scaling Group With No Associated ELB
ad21e616-5026-4b9d-990d-5b007bfe679c|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'LoadBalancerNames' must be defined and not empty.|Documentation
| |ECS Service Without Running Tasks
79d745f0-d5f3-46db-9504-bef73e9fd528|Medium|Availability|ECS Service should have at least 1 task running|Documentation
| -|CMK Is Unusable
2844c749-bd78-4cd1-90e8-b179df827602|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'Enabled' set to true and the attribute 'PendingWindowInDays' must be undefined.|Documentation
| |RDS With Backup Disabled
8c415f6f-7b90-4a27-a44a-51047e1506f9|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup|Documentation
| |Stack Retention Disabled
fe974ae9-858e-4991-bbd5-e040a834679f|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction|Documentation
| |RDS Multi-AZ Deployment Disabled
2b1d4935-9acf-48a7-8466-10d18bf51a69|Medium|Backup|AWS RDS Instance should have a multi-az deployment|Documentation
| |Low RDS Backup Retention Period
e649a218-d099-4550-86a4-1231e1fcb60d|Medium|Backup|AWS RDS backup retention policy should be at least 7 days|Documentation
| -|High Access Key Rotation Period
800fa019-49dd-421b-9042-7331fdd83fa2|Medium|Best Practices|Check if there is a rule that enforces access keys to be rotated within 90 days.|Documentation
| -|IAM Password Without Lowercase Letter
f4cf35d6-da92-48de-ab70-57be2b2e6497|Medium|Best Practices|IAM user resource Login Profile Password should have lowercase letter|Documentation
| -|IAM User Without Password Reset
a964d6e3-8e1e-4d93-8120-61fa640dd55a|Medium|Best Practices|IAM User Login Profile should exist and have PasswordResetRequired property set to true|Documentation
| -|IAM Password Without Minimum Length
b1b20ae3-8fa7-4af5-a74d-a2145920fcb1|Medium|Best Practices|IAM user resource Login Profile Password should have at least 14 characters|Documentation
| -|IAM Password Without Uppercase Letter
445020f6-b69e-4484-847f-02d4b7768902|Medium|Best Practices|IAM user resource Login Profile Password should have at least one uppercase letter|Documentation
| -|ECS No Load Balancer Attached
fb2b0ecf-1492-491a-a70d-ba1df579175d|Medium|Best Practices|Amazon ECS service should be configured to use Load Balancing to distribute traffic evenly across the tasks, which means there must exist at least one LoadBalancer.|Documentation
| |IAM Managed Policy Applied to a User
0e5872b4-19a0-4165-8b2f-56d9e14b909f|Medium|Best Practices|Make sure that any managed IAM policies are implemented in a group and not in a user.|Documentation
| -|Automatic Minor Upgrades Disabled
f0104061-8bfc-4b45-8a7d-630eb502f281|Medium|Best Practices|AWS RDS should have automatic minor upgrades enabled, which means the attribute 'AutoMinorVersionUpgrade' must be set to true.|Documentation
| |IAM Password Without Number
839f238f-2e3a-4a72-b945-8abdf91af955|Medium|Best Practices|IAM user resource Login Profile Password should have at least one number|Documentation
| -|S3 Bucket Without Versioning
a227ec01-f97a-4084-91a4-47b350c1db54|Medium|Best Practices|S3 bucket versioning should be enabled|Documentation
| +|IAM Password Without Uppercase Letter
445020f6-b69e-4484-847f-02d4b7768902|Medium|Best Practices|IAM user resource Login Profile Password should have at least one uppercase letter|Documentation
| +|ECS No Load Balancer Attached
fb2b0ecf-1492-491a-a70d-ba1df579175d|Medium|Best Practices|Amazon ECS service should be configured to use Load Balancing to distribute traffic evenly across the tasks, which means there must exist at least one LoadBalancer.|Documentation
| +|High Access Key Rotation Period
800fa019-49dd-421b-9042-7331fdd83fa2|Medium|Best Practices|Check if there is a rule that enforces access keys to be rotated within 90 days.|Documentation
| +|IAM User Without Password Reset
a964d6e3-8e1e-4d93-8120-61fa640dd55a|Medium|Best Practices|IAM User Login Profile should exist and have PasswordResetRequired property set to true|Documentation
| +|IAM Password Without Lowercase Letter
f4cf35d6-da92-48de-ab70-57be2b2e6497|Medium|Best Practices|IAM user resource Login Profile Password should have lowercase letter|Documentation
| |IAM Password Without Symbol
d72a7869-e8b9-4e12-bcd2-e8be10b39fa7|Medium|Best Practices|IAM user resource Login Profile Password should have at least one symbol|Documentation
| +|Automatic Minor Upgrades Disabled
f0104061-8bfc-4b45-8a7d-630eb502f281|Medium|Best Practices|AWS RDS should have automatic minor upgrades enabled, which means the attribute 'AutoMinorVersionUpgrade' must be set to true.|Documentation
| |Cognito UserPool Without MFA
74a18d1a-cf02-4a31-8791-ed0967ad7fdc|Medium|Best Practices|AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users|Documentation
| -|IAM Group Inline Policies
a58d1a2d-4078-4b80-855b-84cc3f7f4540|Medium|Encryption|IAM Groups should not use inline policies and instead use managed policies. If a group is deleted, the inline policy is also deleted|Documentation
| +|IAM Password Without Minimum Length
b1b20ae3-8fa7-4af5-a74d-a2145920fcb1|Medium|Best Practices|IAM user resource Login Profile Password should have at least 14 characters|Documentation
| |EBS Volume Encryption Disabled
80b7ac3f-d2b7-4577-9b10-df7913497162|Medium|Encryption|EBS volumes should be encrypted|Documentation
| -|Config Rule For Encrypted Volumes Disabled
1b6322d9-c755-4f8c-b804-32c19250f2d9|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source.|Documentation
| -|RDS Storage Encryption Disabled
65844ba3-03a1-40a8-b3dd-919f122e8c95|Medium|Encryption|RDS DBCluster should have storage encrypted set to true|Documentation
| +|ElasticSearch Not Encrypted At Rest
86a248ab-0e01-4564-a82a-878303e253bb|Medium|Encryption|Check if ElasticSearch encryption is disabled at Rest|Documentation
| +|AmazonMQ Broker Encryption Disabled
316278b3-87ac-444c-8f8f-a733a28da60f|Medium|Encryption|AmazonMQ Broker should have Encryption Options defined|Documentation
| +|IAM Group Inline Policies
a58d1a2d-4078-4b80-855b-84cc3f7f4540|Medium|Encryption|IAM Groups should not use inline policies and instead use managed policies. If a group is deleted, the inline policy is also deleted|Documentation
| +|SageMaker EndPoint Config Should Specify KmsKeyId Attribute
44034eda-1c3f-486a-831d-e09a7dd94354|Medium|Encryption|KmsKeyId attribute should be defined|Documentation
| +|Alexa Skill Plaintext Client Secret Exposed
3c3b7a58-b018-4d07-9444-d9ee7156e111|Medium|Encryption|Alexa skills' client secrets should not be defined as a plaintext string. It should either use 'AWS Systems Manager Parameter Store' or 'AWS Secrets Manager' to retrieve sensitive information|Documentation
| |CodeBuild Not Encrypted
d7467bb6-3ed1-4c82-8095-5e7a818d0aad|Medium|Encryption|CodeBuild Should have EncryptionKey defined|Documentation
| |API Gateway Without Content Encoding
d6653eee-2d4d-4e6a-976f-6794a497999a|Medium|Encryption|Enable Content Encoding through the attribute 'MinimumCompressionSize'. This value should be greater than -1 and smaller than 10485760.|Documentation
| -|Alexa Skill Plaintext Client Secret Exposed
3c3b7a58-b018-4d07-9444-d9ee7156e111|Medium|Encryption|Alexa skills' client secrets should not be defined as a plaintext string. It should either use 'AWS Systems Manager Parameter Store' or 'AWS Secrets Manager' to retrieve sensitive information|Documentation
| +|Neptune Database Cluster Encryption Disabled
bf4473f1-c8a2-4b1b-8134-bd32efabab93|Medium|Encryption|Neptune database cluster storage should have encryption enabled|Documentation
| +|Config Rule For Encrypted Volumes Disabled
1b6322d9-c755-4f8c-b804-32c19250f2d9|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source.|Documentation
| |ElasticSearch Encryption With KMS Disabled
d926aa95-0a04-4abc-b20c-acf54afe38a1|Medium|Encryption|Check if any ElasticSearch domain isn't encrypted with KMS.|Documentation
| -|KMS Key Rotation Disabled
235ca980-eb71-48f4-9030-df0c371029eb|Medium|Encryption|EnableKeyRotation should not be false or undefined|Documentation
| -|AmazonMQ Broker Encryption Disabled
316278b3-87ac-444c-8f8f-a733a28da60f|Medium|Encryption|AmazonMQ Broker should have Encryption Options defined|Documentation
| -|SageMaker EndPoint Config Should Specify KmsKeyId Attribute
44034eda-1c3f-486a-831d-e09a7dd94354|Medium|Encryption|KmsKeyId attribute should be defined|Documentation
| -|Unscanned ECR Image
9025b2b3-e554-4842-ba87-db7aeec36d35|Medium|Encryption|Checks if the ECR Image has been scanned|Documentation
| |Workspace Without Encryption
89827c57-5a8a-49eb-9731-976a606d70db|Medium|Encryption|Workspaces should have encryption enabled|Documentation
| +|KMS Key Rotation Disabled
235ca980-eb71-48f4-9030-df0c371029eb|Medium|Encryption|EnableKeyRotation should not be false or undefined|Documentation
| |EMR Security Configuration Encryption Disabled
5b033ec8-f079-4323-b5c8-99d4620433a9|Medium|Encryption|EMR SecurityConfiguration should enable and properly configure encryption at rest and in transit.|Documentation
| -|ElasticSearch Not Encrypted At Rest
86a248ab-0e01-4564-a82a-878303e253bb|Medium|Encryption|Check if ElasticSearch encryption is disabled at Rest|Documentation
| -|Neptune Database Cluster Encryption Disabled
bf4473f1-c8a2-4b1b-8134-bd32efabab93|Medium|Encryption|Neptune database cluster storage should have encryption enabled|Documentation
| -|GitHub Repository Set To Public
5906092d-5f74-490d-9a03-78febe0f65e1|Medium|Insecure Configurations|Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private')|Documentation
| -|EC2 Instance Has Public IP
b3de4e4c-14be-4159-b99d-9ad194365e4c|Medium|Insecure Configurations|EC2 Subnet should not have MapPublicIpOnLaunch set to true|Documentation
| -|Instance With No VPC
8a6d36cd-0bc6-42b7-92c4-67acc8576861|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations.|Documentation
| -|API Gateway Without SSL Certificate
ed4c48b8-eccc-4881-95c1-09fdae23db25|Medium|Insecure Configurations|SSL Client Certificate should be enabled|Documentation
| +|Unscanned ECR Image
9025b2b3-e554-4842-ba87-db7aeec36d35|Medium|Encryption|Checks if the ECR Image has been scanned|Documentation
| +|RDS Storage Encryption Disabled
65844ba3-03a1-40a8-b3dd-919f122e8c95|Medium|Encryption|RDS DBCluster should have storage encrypted set to true|Documentation
| |Lambda Functions Without Unique IAM Roles
ae03f542-1423-402f-9cef-c834e7ee9583|Medium|Insecure Configurations|AWS Lambda Functions should not share IAM roles to ensure they will have the minimum privileges needed to perform the required tasks|Documentation
| -|IAM User Has Too Many Access Keys
48677914-6fdf-40ec-80c4-2b0e94079f54|Medium|Insecure Configurations|Check if any user has more than one access key, which increases the risk of unauthorized access and compromise of credentials.|Documentation
| -|Inline Policies Are Attached To ECS Service
9e8c89b3-7997-4d15-93e4-7911b9db99fd|Medium|Insecure Configurations|Check if any ECS service has inline policies attached, which are embedded directly into an entity (user, group,...), instead of the equivalent recommended managed policies.|Documentation
| -|Lambda Function Without Tags
8df8e857-bd59-44fa-9f4c-d77594b95b46|Medium|Insecure Configurations|AWS Lambda Functions must have associated tags.|Documentation
| |EMR Cluster Without Security Configuration
48af92a5-c89b-4936-bc62-1086fe2bab23|Medium|Insecure Configurations|EMR Cluster should have security configuration defined.|Documentation
| +|API Gateway With Open Access
1056dfbb-5802-4762-bf2b-8b9b9684b1b0|Medium|Insecure Configurations|API Gateway Method should restrict an authorization type, except for the HTTP OPTIONS method.|Documentation
| +|API Gateway Without SSL Certificate
ed4c48b8-eccc-4881-95c1-09fdae23db25|Medium|Insecure Configurations|SSL Client Certificate should be enabled|Documentation
| +|ECR Image Tag Not Immutable
33f41d31-86b1-46a4-81f7-9c9a671f59ac|Medium|Insecure Configurations|ECR should have an image tag be immutable|Documentation
| +|Inline Policies Are Attached To ECS Service
9e8c89b3-7997-4d15-93e4-7911b9db99fd|Medium|Insecure Configurations|Check if any ECS service has inline policies attached, which are embedded directly into an entity (user, group,...), instead of the equivalent recommended managed policies.|Documentation
| |SageMaker Enabling Internet Access
88d55d94-315d-4564-beee-d2d725feab11|Medium|Insecure Configurations|SageMaker must have disabled internet access and root access for Creating Notebook Instances.|Documentation
| +|IAM User Has Too Many Access Keys
48677914-6fdf-40ec-80c4-2b0e94079f54|Medium|Insecure Configurations|Check if any user has more than one access key, which increases the risk of unauthorized access and compromise of credentials.|Documentation
| +|Lambda Function Without Tags
8df8e857-bd59-44fa-9f4c-d77594b95b46|Medium|Insecure Configurations|AWS Lambda Functions must have associated tags.|Documentation
| |IAM User LoginProfile Password Is In Plaintext
06adef8c-c284-4de7-aad2-af43b07a8ca1|Medium|Insecure Configurations|IAM User LoginProfile Password must not be a plaintext string|Documentation
| -|ECR Image Tag Not Immutable
33f41d31-86b1-46a4-81f7-9c9a671f59ac|Medium|Insecure Configurations|ECR should have an image tag be immutable|Documentation
| +|Instance With No VPC
8a6d36cd-0bc6-42b7-92c4-67acc8576861|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations.|Documentation
| +|EC2 Instance Has Public IP
b3de4e4c-14be-4159-b99d-9ad194365e4c|Medium|Insecure Configurations|EC2 Subnet should not have MapPublicIpOnLaunch set to true|Documentation
| |MQ Broker Is Publicly Accessible
68b6a789-82f8-4cfd-85de-e95332fe6a61|Medium|Insecure Configurations|Check if any MQ Broker is not publicly accessible|Documentation
| -|API Gateway With Open Access
1056dfbb-5802-4762-bf2b-8b9b9684b1b0|Medium|Insecure Configurations|API Gateway Method should restrict an authorization type, except for the HTTP OPTIONS method.|Documentation
| -|Redshift Publicly Accessible
bdf8dcb4-75df-4370-92c4-606e4ae6c4d3|Medium|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible, which means the attribute 'PubliclyAccessible' must be set to false|Documentation
| +|GitHub Repository Set To Public
5906092d-5f74-490d-9a03-78febe0f65e1|Medium|Insecure Configurations|Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private')|Documentation
| |RouterTable with Default Routing
4f0908b9-eb66-433f-9145-134274e1e944|Medium|Insecure Defaults|NAT gateways are recommended, and not the default route which permits all traffic, in Route Tables.|Documentation
| |S3 Bucket Should Have Bucket Policy
37fa8188-738b-42c8-bf82-6334ea567738|Medium|Insecure Defaults|Checks if S3 Bucket has the same name as a Bucket Policy, if it has, S3 Bucket has a Bucket Policy associated|Documentation
| |API Gateway Endpoint Config is Not Private
4a8daf95-709d-4a36-9132-d3e19878fa34|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet|Documentation
| -|Security Group Ingress With All Protocols
1a427b25-2e9e-4298-9530-0499a55e736b|Medium|Networking and Firewall|AWS Security Group Ingress should not specify all protocols to prevent allow traffic on all ports|Documentation
| |Security Group Egress With Port Range
dae9c373-8287-462f-8746-6f93dad93610|Medium|Networking and Firewall|AWS Security Group Egress should have a single port|Documentation
| -|ELB With Security Group Without Inbound Rules
e200a6f3-c589-49ec-9143-7421d4a2c845|Medium|Networking and Firewall|An AWS Elastic Load Balancer (ELB) shouldn´t have security groups without outbound rules|Documentation
| +|ALB Is Not Integrated With WAF
105ba098-1e34-48cd-b0f2-a8a43a51bf9b|Medium|Networking and Firewall|All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service|Documentation
| |Security Group Ingress With Port Range
87482183-a8e7-4e42-a566-7a23ec231c16|Medium|Networking and Firewall|AWS Security Group Ingress should have a single port|Documentation
| -|Security Group Egress CIDR Open To World
1cc2fbd7-816c-4fbf-ad6d-38a4afa4312a|Medium|Networking and Firewall|AWS Security Group Egress CIDR should not be open to the world|Documentation
| -|TCP/UDP Protocol Network ACL Entry Allows All Ports
f57f849c-883b-4cb7-85e7-f7b199dff163|Medium|Networking and Firewall|TCP/UDP protocol AWS Network ACL Entry should not allow all ports|Documentation
| +|ELB With Security Group Without Inbound Rules
e200a6f3-c589-49ec-9143-7421d4a2c845|Medium|Networking and Firewall|An AWS Elastic Load Balancer (ELB) shouldn´t have security groups without outbound rules|Documentation
| +|Security Group Ingress With All Protocols
1a427b25-2e9e-4298-9530-0499a55e736b|Medium|Networking and Firewall|AWS Security Group Ingress should not specify all protocols to prevent allow traffic on all ports|Documentation
| |GameLift Fleet EC2 InboundPermissions With Port Range
43356255-495d-4148-ad8d-f6af5eac09dd|Medium|Networking and Firewall|AWS GameLift Fleet EC2InboundPermissions should have a single port|Documentation
| -|EC2 Permissive Network ACL Protocols
03879981-efa2-47a0-a818-c843e1441b88|Medium|Networking and Firewall|To avoid opening all ports for Allow rules, EC2 NetworkACL Entry Protocol should be either 6 (for TCP), 17 (for UDP), 1 (for ICMP), or 58 (for ICMPv6, which must include an IPv6 CIDR block, ICMP type, and code).|Documentation
| -|ELB With Security Group Without Outbound Rules
01d5a458-a6c4-452a-ac50-054d59275b7c|Medium|Networking and Firewall|An AWS Elastic Load Balancer (ELB) shouldn´t have security groups without outbound rules|Documentation
| -|Unrestricted Security Group Ingress
4a1e6b34-1008-4e61-a5f2-1f7c276f8d14|Medium|Networking and Firewall|AWS Security Group Ingress CIDR should not be open to the world|Documentation
| -|ALB Is Not Integrated With WAF
105ba098-1e34-48cd-b0f2-a8a43a51bf9b|Medium|Networking and Firewall|All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service|Documentation
| |Security Group Egress With All Protocols
ee464fc2-54a6-4e22-b10a-c6dcd2474d0c|Medium|Networking and Firewall|AWS Security Group Egress should not specify all protocols to prevent allow traffic on all ports|Documentation
| +|TCP/UDP Protocol Network ACL Entry Allows All Ports
f57f849c-883b-4cb7-85e7-f7b199dff163|Medium|Networking and Firewall|TCP/UDP protocol AWS Network ACL Entry should not allow all ports|Documentation
| +|Security Group Egress CIDR Open To World
1cc2fbd7-816c-4fbf-ad6d-38a4afa4312a|Medium|Networking and Firewall|AWS Security Group Egress CIDR should not be open to the world|Documentation
| +|Unrestricted Security Group Ingress
4a1e6b34-1008-4e61-a5f2-1f7c276f8d14|Medium|Networking and Firewall|AWS Security Group Ingress CIDR should not be open to the world|Documentation
| +|ELB With Security Group Without Outbound Rules
01d5a458-a6c4-452a-ac50-054d59275b7c|Medium|Networking and Firewall|An AWS Elastic Load Balancer (ELB) shouldn´t have security groups without outbound rules|Documentation
| |Security Groups Without VPC Attached
493d9591-6249-47bf-8dc0-5c10161cc558|Medium|Networking and Firewall|Security Groups must have a VPC.|Documentation
| -|CloudTrail Not Integrated With CloudWatch
65d07da5-9af5-44df-8983-52d2e6f24c44|Medium|Observability|CloudTrail should be integrated with CloudWatch|Documentation
| -|CloudTrail SNS Topic Name Undefined
3e09413f-471e-40f3-8626-990c79ae63f3|Medium|Observability|Check if SNS topic name is set for CloudTrail|Documentation
| -|MSK Cluster Logging Disabled
fc7c2c15-f5d0-4b80-adb2-c89019f8f62b|Medium|Observability|Ensure MSK Cluster Logging is enabled|Documentation
| +|EC2 Permissive Network ACL Protocols
03879981-efa2-47a0-a818-c843e1441b88|Medium|Networking and Firewall|To avoid opening all ports for Allow rules, EC2 NetworkACL Entry Protocol should be either 6 (for TCP), 17 (for UDP), 1 (for ICMP), or 58 (for ICMPv6, which must include an IPv6 CIDR block, ICMP type, and code).|Documentation
| |Stack Notifications Disabled
837e033c-4717-40bd-807e-6abaa30161b7|Medium|Observability|Enable AWS CloudFormation Stack Notifications|Documentation
| +|ELB Access Log Disabled
ee12ad32-2863-4c0f-b13f-28272d115028|Medium|Observability|ELB should have access log enabled|Documentation
| +|API Gateway V2 Stage Access Logging Settings Not Defined
80d45af4-4920-4236-a56e-b7ef419d1941|Medium|Observability|API Gateway V2 Stage should have Access Logging Settings defined.|Documentation
| +|CloudTrail SNS Topic Name Undefined
3e09413f-471e-40f3-8626-990c79ae63f3|Medium|Observability|Check if SNS topic name is set for CloudTrail|Documentation
| +|GuardDuty Detector Disabled
a25cd877-375c-4121-a640-730929936fac|Medium|Observability|Make sure that Amazon GuardDuty is Enabled.|Documentation
| |API Gateway X-Ray Disabled
4ab10c48-bedb-4deb-8f3b-ff12783b61de|Medium|Observability|X-Ray Tracing is not enabled|Documentation
| +|Redshift Cluster Logging Disabled
3de2d4ff-fe53-4fc9-95d3-2f8a69bf90d6|Medium|Observability|Make sure Logging is enabled for Redshift Cluster|Documentation
| |API Gateway Deployment Without Access Log Setting
06ec63e3-9f72-4fe2-a218-2eb9200b8db5|Medium|Observability|API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage.|Documentation
| +|ELBv2 ALB Access Log Disabled
c62e8b7d-1fdf-4050-ac4c-76ba9e1d9621|Medium|Observability|ELBv2 ALBs should have access log enabled to capture detailed information about requests sent to your load balancer.|Documentation
| +|MQ Broker Logging Disabled
e519ed6a-8328-4b69-8eb7-8fa549ac3050|Medium|Observability|Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general).|Documentation
| |CloudWatch Logging Disabled
0f0fb06b-0f2f-4374-8588-f2c7c348c7a0|Medium|Observability|Check if CloudWatch logging is disabled for Route53 hosted zones|Documentation
| -|API Gateway V2 Stage Access Logging Settings Not Defined
80d45af4-4920-4236-a56e-b7ef419d1941|Medium|Observability|API Gateway V2 Stage should have Access Logging Settings defined.|Documentation
| +|CloudTrail Not Integrated With CloudWatch
65d07da5-9af5-44df-8983-52d2e6f24c44|Medium|Observability|CloudTrail should be integrated with CloudWatch|Documentation
| +|MSK Cluster Logging Disabled
fc7c2c15-f5d0-4b80-adb2-c89019f8f62b|Medium|Observability|Ensure MSK Cluster Logging is enabled|Documentation
| |CloudWatch Metrics Disabled
5d3c1807-acb3-4bb0-be4e-0440230feeaf|Medium|Observability|Checks if CloudWatch Metrics is Enabled|Documentation
| -|CloudTrail Multi Region Disabled
058ac855-989f-4378-ba4d-52d004020da7|Medium|Observability|AWS CloudTrail should have IsMultiRegionTrail set to true|Documentation
| |CloudFront Logging Disabled
de77cd9f-0e8b-46cc-b4a4-b6b436838642|Medium|Observability|Make sure AWS CloudFront distribution has access log enabled|Documentation
| -|ELB Access Log Disabled
ee12ad32-2863-4c0f-b13f-28272d115028|Medium|Observability|ELB should have access log enabled|Documentation
| |ElasticSearch Without Slow Logs
086ea2eb-14a6-4fd4-914b-38e0bc8703e8|Medium|Observability|Ensure that AWS Elasticsearch enables support for slow logs|Documentation
| -|Redshift Cluster Logging Disabled
3de2d4ff-fe53-4fc9-95d3-2f8a69bf90d6|Medium|Observability|Make sure Logging is enabled for Redshift Cluster|Documentation
| -|ELBv2 ALB Access Log Disabled
c62e8b7d-1fdf-4050-ac4c-76ba9e1d9621|Medium|Observability|ELBv2 ALBs should have access log enabled to capture detailed information about requests sent to your load balancer.|Documentation
| -|GuardDuty Detector Disabled
a25cd877-375c-4121-a640-730929936fac|Medium|Observability|Make sure that Amazon GuardDuty is Enabled.|Documentation
| -|MQ Broker Logging Disabled
e519ed6a-8328-4b69-8eb7-8fa549ac3050|Medium|Observability|Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general).|Documentation
| -|Amplify Branch Basic Auth Config Password Exposed
dfb56e5d-ee68-446e-b32a-657b62befe69|Medium|Secret Management|Amplify Branch BasicAuthConfig Password must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| -|RefreshToken Is Exposed
5b48c507-0d1f-41b0-a630-76817c6b4189|Medium|Secret Management|Alexa ASK Skill AuthenticationConfiguration RefreshToken should not be a plaintext string|Documentation
| -|DMS Endpoint Password Exposed
5f700072-b7ce-4e84-b3f3-497bf1c24a4d|Medium|Secret Management|DMS Endpoint password must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| +|S3 Bucket Without Versioning
a227ec01-f97a-4084-91a4-47b350c1db54|Medium|Observability|S3 bucket versioning should be enabled|Documentation
| +|CloudTrail Multi Region Disabled
058ac855-989f-4378-ba4d-52d004020da7|Medium|Observability|AWS CloudTrail should have IsMultiRegionTrail set to true|Documentation
| +|Amplify App OAuth Token Exposed
03b38885-8f4e-480c-a0e4-12c1affd15db|Medium|Secret Management|Amplify App OAuth Token must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| +|Directory Service Microsoft AD Password Set to Plaintext or Default Ref
06b9f52a-8cd5-459b-bdc6-21a22521e1be|Medium|Secret Management|Directory Service Microsoft AD password must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| |SNS Topic Without KmsMasterKeyId
9d13b150-a2ab-42a1-b6f4-142e41f81e52|Medium|Secret Management|KmsMasterKeyId attribute should not be undefined|Documentation
| -|DMS Endpoint MongoDB Settings Password Exposed
f988a17f-1139-46a3-8928-f27eafd8b024|Medium|Secret Management|DMS Endpoint MongoDbSettings Password must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| -|SQS with SSE disabled
12726829-93ed-4d51-9cbe-13423f4299e1|Medium|Secret Management|AWS SQS Queue should have a KMS Master Key defined|Documentation
| -|Amplify App Basic Auth Config Password Exposed
71493c8b-3014-404c-9802-078b74496fb7|Medium|Secret Management|Amplify App BasicAuthConfig Password must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| -|Amplify App Access Token Exposed
73980e43-f399-4fcc-a373-658228f7adf7|Medium|Secret Management|Amplify App Access Token must not be in a plain text string or referenced in a parameter as a default value.|Documentation
| +|RefreshToken Is Exposed
5b48c507-0d1f-41b0-a630-76817c6b4189|Medium|Secret Management|Alexa ASK Skill AuthenticationConfiguration RefreshToken should not be a plaintext string|Documentation
| |Directory Service Simple AD Password Exposed
6685d912-d81f-4cfa-95ad-e316ea31c989|Medium|Secret Management|DirectoryService SimpleAD password must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| +|Secrets Manager Should Specify KmsKeyId
c8ae9ba9-c2f7-4e5c-b32e-a4b7712d4d22|Medium|Secret Management|Secrets Manager Secret should explicitly specify KmsKeyId, this will allow the secret to be shared cross-account|Documentation
| |DocDB Cluster Master Password In Plaintext
39423ce4-9011-46cd-b6b1-009edcd9385d|Medium|Secret Management|DocDB DB Cluster master user password must not be in a plain text string or referenced in a parameter as a default value.|Documentation
| |Hardcoded AWS Access Key In Lambda
2564172f-c92b-4261-9acd-464aed511696|Medium|Secret Management|Lambda hardcoded AWS access/secret keys|Documentation
| -|Directory Service Microsoft AD Password Set to Plaintext or Default Ref
06b9f52a-8cd5-459b-bdc6-21a22521e1be|Medium|Secret Management|Directory Service Microsoft AD password must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| -|Secrets Manager Should Specify KmsKeyId
c8ae9ba9-c2f7-4e5c-b32e-a4b7712d4d22|Medium|Secret Management|Secrets Manager Secret should explicitly specify KmsKeyId, this will allow the secret to be shared cross-account|Documentation
| +|SQS with SSE disabled
12726829-93ed-4d51-9cbe-13423f4299e1|Medium|Secret Management|AWS SQS Queue should have a KMS Master Key defined|Documentation
| +|DMS Endpoint MongoDB Settings Password Exposed
f988a17f-1139-46a3-8928-f27eafd8b024|Medium|Secret Management|DMS Endpoint MongoDbSettings Password must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| +|DMS Endpoint Password Exposed
5f700072-b7ce-4e84-b3f3-497bf1c24a4d|Medium|Secret Management|DMS Endpoint password must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| |EBS Volume Without KmsKeyId
b7063015-6c31-4658-a8e7-14f98f37fd42|Medium|Secret Management|EBS Volume should specify a KmsKeyId value|Documentation
| -|Amplify App OAuth Token Exposed
03b38885-8f4e-480c-a0e4-12c1affd15db|Medium|Secret Management|Amplify App OAuth Token must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| +|Amplify Branch Basic Auth Config Password Exposed
dfb56e5d-ee68-446e-b32a-657b62befe69|Medium|Secret Management|Amplify Branch BasicAuthConfig Password must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| +|Amplify App Basic Auth Config Password Exposed
71493c8b-3014-404c-9802-078b74496fb7|Medium|Secret Management|Amplify App BasicAuthConfig Password must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| +|Amplify App Access Token Exposed
73980e43-f399-4fcc-a373-658228f7adf7|Medium|Secret Management|Amplify App Access Token must not be in a plain text string or referenced in a parameter as a default value.|Documentation
| |IAM Policy Grants 'AssumeRole' Permission Across All Services
e835bd0d-65da-49f7-b6d1-b646da8727e6|Low|Access Control|Check if any IAM Policy grants 'AssumeRole' permission across all services.|Documentation
| +|IAM Role Allows All Principals To Assume
f80e3aa7-7b34-4185-954e-440a6894dde6|Low|Access Control|IAM role allows all services or principals to assume it|Documentation
| |IAM User With No Group
06933df4-0ea7-461c-b9b5-104d27390e0e|Low|Access Control|A IAM user should belong to a group|Documentation
| -|IAM Policy Grants Full Permissions
f62aa827-4ade-4dc4-89e4-1433d384a368|Low|Access Control|Check if an IAM policy is granting full permissions to resources from the get-go, instead of granting permissions gradually as necessary.|Documentation
| |Support Has No Role Associated
d71b5fd7-9020-4b2d-9ec8-b3839faa2744|Low|Access Control|Check if any AWS Support policy does not have any role and users and group associated, which means that is not being managed.|Documentation
| -|IAM Role Allows All Principals To Assume
f80e3aa7-7b34-4185-954e-440a6894dde6|Low|Access Control|IAM role allows all services or principals to assume it|Documentation
| +|IAM Policy Grants Full Permissions
f62aa827-4ade-4dc4-89e4-1433d384a368|Low|Access Control|Check if an IAM policy is granting full permissions to resources from the get-go, instead of granting permissions gradually as necessary.|Documentation
| |VPC Attached With Too Many Gateways
97e94d17-e2c7-4109-a53b-6536ac1bb64e|Low|Availability|The number of gateways approaches or goes beyond the limit in a particular VPC|Documentation
| |RDS With Deletion Protection Disabled
2c161e58-cb52-454f-abea-6470c37b5e6e|Low|Backup|RDS DBInstance should have deletion protection set to true|Documentation
| -|IAM Policies Without Groups
5e7acff5-095b-40ac-9073-ac2e4ad8a512|Low|Best Practices|IAM policy should not apply directly to users, should be with a group|Documentation
| -|IAM Policies Attached To User
edc95c10-7366-4f30-9b4b-f995c84eceb5|Low|Best Practices|IAM User should embed managed policies instead of inline policies|Documentation
| -|Security Group Rule Without Description
5e6c9c68-8a82-408e-8749-ddad78cbb9c5|Low|Best Practices|AWS Security Group Rule should have description defined|Documentation
| -|Lambda Permission Misconfigured
9b83114b-b2a1-4534-990d-06da015e47aa|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda: InvokeFunction'|Documentation
| |Geo Restriction Disabled
7f8843f0-9ea5-42b4-a02b-753055113195|Low|Best Practices|Geo Restriction feature should be enabled, to restrict or allow users in specific locations accessing web application content|Documentation
| +|IAM Policies Without Groups
5e7acff5-095b-40ac-9073-ac2e4ad8a512|Low|Best Practices|IAM policy should not apply directly to users, should be with a group|Documentation
| |CDN Configuration Is Missing
e4f54ff4-d352-40e8-a096-5141073c37a2|Low|Best Practices|Content Delivery Network (CDN) service is used within AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination.|Documentation
| +|IAM Policies Attached To User
edc95c10-7366-4f30-9b4b-f995c84eceb5|Low|Best Practices|IAM User should embed managed policies instead of inline policies|Documentation
| |Security Group Ingress Has CIDR Not Recommended
a3e4e39a-e5fc-4ee9-8cf5-700febfa86dd|Low|Best Practices|AWS Security Group Ingress CIDR should not be /32 in case of IPV4 or /128 in case of IPV6|Documentation
| +|Lambda Permission Misconfigured
9b83114b-b2a1-4534-990d-06da015e47aa|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda: InvokeFunction'|Documentation
| +|Security Group Rule Without Description
5e6c9c68-8a82-408e-8749-ddad78cbb9c5|Low|Best Practices|AWS Security Group Rule should have description defined|Documentation
| |EFS Without Tags
08e39832-5e42-4304-98a0-aa5b43393162|Low|Build Process|Amazon Elastic Filesystem should have filesystem tags associated|Documentation
| |DynamoDB With Not Recommented Table Billing Mode
c333e906-8d8b-4275-b999-78b6318f8dc6|Low|Build Process|Checks if DynamoDB Table Billing Mode is set to either PAY_PER_REQUEST or PROVISIONED|Documentation
| -|Wildcard In ACM Certificate Domain Name
cc8b294f-006f-4f8f-b5bb-0a9140c33131|Low|Insecure Configurations|ACM Certificate should not use wildcards (*) in the domain name|Documentation
| |Open Access To Resources Through API
60112997-8bd0-4c4c-9140-e5111706ea6f|Low|Insecure Configurations|Open access to back-end resources through API|Documentation
| +|Wildcard In ACM Certificate Domain Name
cc8b294f-006f-4f8f-b5bb-0a9140c33131|Low|Insecure Configurations|ACM Certificate should not use wildcards (*) in the domain name|Documentation
| |CloudFront Without WAF
0f139403-303f-467c-96bd-e717e6cfd62d|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service|Documentation
| |EC2 Network ACL Duplicate Rule
045ddb54-cfc5-4abb-9e05-e427b2bc96fe|Low|Networking and Firewall|A Network ACL's rule numbers cannot be repeated unless one is egress and the other is ingress|Documentation
| -|API Gateway Deployment Without API Gateway UsagePlan Associated
783860a3-6dca-4c8b-81d0-7b62769ccbca|Low|Observability|API Gateway Deployment should have API Gateway UsagePlan defined and associated.|Documentation
| -|CloudTrail Log File Validation Disabled
2a3560fe-52ca-4443-b34f-bf0ed5eb74c8|Low|Observability|CloudTrail log file validation should be enabled|Documentation
| -|VPC FlowLogs Disabled
f6d299d2-21eb-41cc-b1e1-fe12d857500b|Low|Observability|VPC hasn't got any FlowLog associated|Documentation
| -|ECS Task Definition HealthCheck Missing
d24389b4-b209-4ff0-8345-dc7a4569dcdd|Low|Observability|Amazon ECS must have the HealthCheck property defined to give more control over monitoring the health of tasks|Documentation
| -|Lambda Functions Without X-Ray Tracing
9488c451-074e-4cd3-aee3-7db6104f542c|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracingConfig.mode' should have the value 'Active'|Documentation
| |S3 Bucket Logging Disabled
4552b71f-0a2a-4bc4-92dd-ed7ec1b4674c|Low|Observability|Server Access Logging must be enabled on S3 Buckets so that all changes are logged and trackable|Documentation
| +|Lambda Functions Without X-Ray Tracing
9488c451-074e-4cd3-aee3-7db6104f542c|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracingConfig.mode' should have the value 'Active'|Documentation
| |SNS Topic is Publicly Accessible For Subscription
ae53ce91-42b5-46bf-a84f-9a13366a4f13|Low|Observability|Ensure appropriate subscribers to each SNS topic|Documentation
| -|VPC Without Attached Subnet
3b3b4411-ad1f-40e7-b257-a78a6bb9673a|Low|Resource Management|VPCs without attached subnets may indicate that they are not being used|Documentation
| +|VPC FlowLogs Disabled
f6d299d2-21eb-41cc-b1e1-fe12d857500b|Low|Observability|VPC hasn't got any FlowLog associated|Documentation
| +|ECS Task Definition HealthCheck Missing
d24389b4-b209-4ff0-8345-dc7a4569dcdd|Low|Observability|Amazon ECS must have the HealthCheck property defined to give more control over monitoring the health of tasks|Documentation
| +|API Gateway Deployment Without API Gateway UsagePlan Associated
783860a3-6dca-4c8b-81d0-7b62769ccbca|Low|Observability|API Gateway Deployment should have API Gateway UsagePlan defined and associated.|Documentation
| +|CloudTrail Log File Validation Disabled
2a3560fe-52ca-4443-b34f-bf0ed5eb74c8|Low|Observability|CloudTrail log file validation should be enabled|Documentation
| +|ECS Task Definition Invalid CPU or Memory
f4c9b5f5-68b8-491f-9e48-4f96644a1d51|Low|Resource Management|In ECS Task Definition of FARGATE launch type if you specify an invalid CPU or Memory value, you will receive an error|Documentation
| |API Gateway Stage Without API Gateway UsagePlan Associated
7f8f1b60-43df-4c28-aa21-fb836dbd8071|Low|Resource Management|API Gateway Stage should have API Gateway UsagePlan defined and associated.|Documentation
| +|VPC Without Attached Subnet
3b3b4411-ad1f-40e7-b257-a78a6bb9673a|Low|Resource Management|VPCs without attached subnets may indicate that they are not being used|Documentation
| |SDB Domain Declared As A Resource
6ea57c8b-f9c0-4ec7-bae3-bd75a9dee27d|Low|Resource Management|SimpleDB Domain resource should not be declared|Documentation
| -|ECS Task Definition Invalid CPU or Memory
f4c9b5f5-68b8-491f-9e48-4f96644a1d51|Low|Resource Management|In ECS Task Definition of FARGATE launch type if you specify an invalid CPU or Memory value, you will receive an error|Documentation
|
diff --git a/docs/queries/dockerfile-queries.md b/docs/queries/dockerfile-queries.md
index 5e5b480d24e..8bc69b61eb8 100644
--- a/docs/queries/dockerfile-queries.md
+++ b/docs/queries/dockerfile-queries.md
@@ -4,56 +4,56 @@ This page contains all queries from Dockerfile.
 | Query |Severity|Category|Description|Help|
 |-----------------------------|--------|--------|-----------|----|
 |UNIX Ports Out Of Range
71bf8cf8-f0a1-42fa-b9d2-d10525e0a38e|High|Availability|Exposing UNIX ports out of range from 0 to 65535|Documentation
| +|COPY '--from' References Current FROM Alias
cdddb86f-95f6-4fc4-b5a1-483d9afceb2b|High|Build Process|COPY '--from' should not mention the current FROM alias, since it is impossible to copy from itself|Documentation
| |Copy With More Than Two Arguments Not Ending With Slash
6db6e0c2-32a3-4a2e-93b5-72c35f4119db|High|Build Process|When a COPY command has more than two arguments, the last one should end with a slash|Documentation
| -|WORKDIR Path Not Absolute
6b376af8-cfe8-49ab-a08d-f32de23661a4|High|Build Process|For clarity and reliability, you should always use absolute paths for your WORKDIR|Documentation
| +|Missing User Instruction
fd54f200-402c-4333-a5a4-36ef6709af2f|High|Build Process|A user should be specified in the dockerfile, otherwise the image will run as root|Documentation
| |Same Alias In Different Froms
f2daed12-c802-49cd-afed-fe41d0b82fed|High|Build Process|Different FROMS cant have the same alias defined|Documentation
| |Multiple ENTRYPOINT Instructions Listed
6938958b-3f1a-451c-909b-baeee14bdc97|High|Build Process|There can only be one ENTRYPOINT instruction in a Dockerfile. Only the last ENTRYPOINT instruction in the Dockerfile will have an effect|Documentation
| -|COPY '--from' References Current FROM Alias
cdddb86f-95f6-4fc4-b5a1-483d9afceb2b|High|Build Process|COPY '--from' should not mention the current FROM alias, since it is impossible to copy from itself|Documentation
| -|Missing User Instruction
fd54f200-402c-4333-a5a4-36ef6709af2f|High|Build Process|A user should be specified in the dockerfile, otherwise the image will run as root|Documentation
| +|WORKDIR Path Not Absolute
6b376af8-cfe8-49ab-a08d-f32de23661a4|High|Build Process|For clarity and reliability, you should always use absolute paths for your WORKDIR|Documentation
| |Run Using Sudo
8ada6e80-0ade-439e-b176-0b28f6bce35a|High|Insecure Configurations|Avoid RUN with sudo command as it leads to unpredictable behavior|Documentation
| -|Yum Update Enabled
8f6456be-0018-46db-9ce6-b3b6dc8d34d2|High|Supply-Chain|Yum update is being used|Documentation
| -|Use of Apk Upgrade
989ab888-7d1e-410f-9dde-c64a1d367bf2|High|Supply-Chain|Avoid usage of apk upgrade because some packages from the parent image cannot be upgraded inside an unprivileged container|Documentation
| |Run Using dnf Update
09fda05e-da85-4ee7-ab8d-2800a5e6e756|High|Supply-Chain|Command 'dnf update' should not be used, as it can cause inconsistencies between builds and fails in updated packages|Documentation
| |Run Using Upgrade Commands
682fe378-c180-4bd5-8a14-95fc285fb269|High|Supply-Chain|Commands 'apt-get upgrade' and 'apt-get dist-upgrade' should not be used|Documentation
| +|Yum Update Enabled
8f6456be-0018-46db-9ce6-b3b6dc8d34d2|High|Supply-Chain|Yum update is being used|Documentation
| +|Use of Apk Upgrade
989ab888-7d1e-410f-9dde-c64a1d367bf2|High|Supply-Chain|Avoid usage of apk upgrade because some packages from the parent image cannot be upgraded inside an unprivileged container|Documentation
| |Last User Is 'root'
67fd0c4a-68cf-46d7-8c41-bc9fba7e40ae|Medium|Best Practices|Leaving the last user as root can cause security risks. Change to another user after running the commands the need privileges|Documentation
| -|Update Instruction Alone
9bae49be-0aa3-4de5-bab2-4c3a069e40cd|Medium|Build Process|Instruction 'RUN update' should always be followed by ' install' in the same RUN statement|Documentation
| -|RUN Instruction Using 'cd' Instead of WORKDIR
f4a6bcd3-e231-4acf-993c-aa027be50d2e|Medium|Build Process|Use WORKDIR instead of proliferating instructions like RUN cd … && do-something, which are hard to read, troubleshoot, and maintain.|Documentation
| +|Multiple CMD Instructions Listed
41c195f4-fc31-4a5c-8a1b-90605538d49f|Medium|Build Process|There can only be one CMD instruction in a Dockerfile. If you list more than one CMD then only the last CMD will take effect|Documentation
| |Not Using JSON In CMD And ENTRYPOINT Arguments
b86987e1-6397-4619-81d5-8807f2387c79|Medium|Build Process|Ensure that we are using JSON in the CMD and ENTRYPOINT Arguments|Documentation
| +|RUN Instruction Using 'cd' Instead of WORKDIR
f4a6bcd3-e231-4acf-993c-aa027be50d2e|Medium|Build Process|Use WORKDIR instead of proliferating instructions like RUN cd … && do-something, which are hard to read, troubleshoot, and maintain.|Documentation
| +|Update Instruction Alone
9bae49be-0aa3-4de5-bab2-4c3a069e40cd|Medium|Build Process|Instruction 'RUN update' should always be followed by ' install' in the same RUN statement|Documentation
| |COPY '--from' Without FROM Alias Defined Previously
68a51e22-ae5a-4d48-8e87-b01a323605c9|Medium|Build Process|COPY command with the flag '--from' should mention a previously defined FROM alias|Documentation
| -|Multiple CMD Instructions Listed
41c195f4-fc31-4a5c-8a1b-90605538d49f|Medium|Build Process|There can only be one CMD instruction in a Dockerfile. If you list more than one CMD then only the last CMD will take effect|Documentation
| |Shell Running A Pipe Without Pipefail Flag
efbf148a-67e9-42d2-ac47-02fa1c0d0b22|Medium|Insecure Defaults|Check if shell commands with pipes (except Powershell) have the pipefail flag set (-o).|Documentation
| |Changing Default Shell Using SHELL Command
8a301064-c291-4b20-adcb-403fe7fd95fd|Medium|Insecure Defaults|Using the command SHELL to override the default shell instead of the RUN command|Documentation
| |Secrets Stored In Dockerfile
c3e1b6ae-d92c-44b3-8ed5-1f5442bab6a4|Medium|Secret Management|Scan Dockerfile to ensure that there are no secrets stored|Documentation
| -|Pip install Keeping Cached Packages
f2f903fb-b977-461e-98d7-b3e2185c6118|Medium|Supply-Chain|When installing packages with pip, the '--no-cache-dir' flag should be set to make Docker images smaller|Documentation
| +|Run Using Zypper Update
d4895357-dd49-4ba5-b726-1bb81cb50989|Medium|Supply-Chain|'zypper update' should not be used. Can cause inconsistencies between builds, producing problems for application developers|Documentation
| +|Image Version Using 'latest'
f45ea400-6bbe-4501-9fc7-1c3d75c32067|Medium|Supply-Chain|When building images, always tag them with useful tags which codify version information, intended destination (prod or test, for instance), stability, or other information that is useful when deploying the application in different environments. Do not rely on the automatically-created latest tag|Documentation
| +|Yum Install Allows Manual Input
6e19193a-8753-436d-8a09-76dcff91bb03|Medium|Supply-Chain|Need to use -y to avoid manual input 'yum install -y '|Documentation
| |Run Using 'wget' and 'curl'
fc775e75-fcfb-4c98-b2f2-910c5858b359|Medium|Supply-Chain|Shouldn't use both 'wget' and 'curl' since they are two tools that have the same effect|Documentation
| -|Missing Zypper Clean
38300d1a-feb2-4a48-936a-d1ef1cd24313|Medium|Supply-Chain|Reduce layer and image size by deleting unneeded caches after running zypper|Documentation
| -|Unpinned Package Version in Apk Add
d3499f6d-1651-41bb-a9a7-de925fea487b|Medium|Supply-Chain|Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes|Documentation
| |Yum install Without Version
6452c424-1d92-4deb-bb18-a03e95d579c4|Medium|Supply-Chain|Not specifying the package version can cause failures due to unanticipated changes in required packages|Documentation
| -|Missing Dnf Clean All
295acb63-9246-4b21-b441-7c1f1fb62dc0|Medium|Supply-Chain|Cached package data should be cleaned after installation to reduce image size|Documentation
| -|Yum Install Allows Manual Input
6e19193a-8753-436d-8a09-76dcff91bb03|Medium|Supply-Chain|Need to use -y to avoid manual input 'yum install -y '|Documentation
| -|Using Platform Flag with FROM Command
b16e8501-ef3c-44e1-a543-a093238099c9|Medium|Supply-Chain|Don't use '--platform' flag with FROM|Documentation
| |Missing Version Specification In dnf install
93d88cf7-f078-46a8-8ddc-178e03aeacf1|Medium|Supply-Chain|Specifying a package version allows to reduce failures due to unanticipated changes in required packages.|Documentation
| +|APT-GET Missing '-y' To Avoid Manual Input
77783205-c4ca-4f80-bb80-c777f267c547|Medium|Supply-Chain|Check if apt-get calls use the flag -y to avoid user manual input.|Documentation
| +|Missing Zypper Clean
38300d1a-feb2-4a48-936a-d1ef1cd24313|Medium|Supply-Chain|Reduce layer and image size by deleting unneeded caches after running zypper|Documentation
| |Image Version Not Explicit
9efb0b2d-89c9-41a3-91ca-dcc0aec911fd|Medium|Supply-Chain|Always tag the version of an image explicitly|Documentation
| -|Yum Clean All Missing
00481784-25aa-4a55-8633-3136dfcf4f37|Medium|Supply-Chain|Need to use 'yum clean all' after using a 'yum install' command to clean package cached data and reduce image size|Documentation
| -|NPM Install Command Without Pinned Version
e36d8880-3f78-4546-b9a1-12f0745ca0d5|Medium|Supply-Chain|Check if packages installed by npm are pinning a specific version.|Documentation
| |Gem Install Without Version
22cd11f7-9c6c-4f6e-84c0-02058120b341|Medium|Supply-Chain|Instead of 'gem install ' we should use 'gem install :'|Documentation
| +|NPM Install Command Without Pinned Version
e36d8880-3f78-4546-b9a1-12f0745ca0d5|Medium|Supply-Chain|Check if packages installed by npm are pinning a specific version.|Documentation
| +|Run Using apt
b84a0b47-2e99-4c9f-8933-98bcabe2b94d|Medium|Supply-Chain|apt is discouraged by the linux distributions as an unattended tool as its interface may suffer changes between versions. Better use the more stable apt-get and apt-cache|Documentation
| +|Using Platform Flag with FROM Command
b16e8501-ef3c-44e1-a543-a093238099c9|Medium|Supply-Chain|Don't use '--platform' flag with FROM|Documentation
| +|Unpinned Package Version in Apk Add
d3499f6d-1651-41bb-a9a7-de925fea487b|Medium|Supply-Chain|Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes|Documentation
| |Unpinned Package Version in Pip Install
02d9c71f-3ee8-4986-9c27-1a20d0d19bfc|Medium|Supply-Chain|Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes|Documentation
| -|Image Version Using 'latest'
f45ea400-6bbe-4501-9fc7-1c3d75c32067|Medium|Supply-Chain|When building images, always tag them with useful tags which codify version information, intended destination (prod or test, for instance), stability, or other information that is useful when deploying the application in different environments. Do not rely on the automatically-created latest tag|Documentation
| +|Missing Dnf Clean All
295acb63-9246-4b21-b441-7c1f1fb62dc0|Medium|Supply-Chain|Cached package data should be cleaned after installation to reduce image size|Documentation
| |Zypper Install Without Version
562952e4-0348-4dea-9826-44f3a2c6117b|Medium|Supply-Chain|Not specifying the package version can cause failures due to unanticipated changes in required packages|Documentation
| -|APT-GET Missing '-y' To Avoid Manual Input
77783205-c4ca-4f80-bb80-c777f267c547|Medium|Supply-Chain|Check if apt-get calls use the flag -y to avoid user manual input.|Documentation
| -|Missing Zypper Non-interactive Switch
45e1fca5-f90e-465d-825f-c2cb63fa3944|Medium|Supply-Chain|Omitting the non-interactive switch causes the command to fail during the build process, because zypper would expect manual input|Documentation
| -|Run Using apt
b84a0b47-2e99-4c9f-8933-98bcabe2b94d|Medium|Supply-Chain|apt is discouraged by the linux distributions as an unattended tool as its interface may suffer changes between versions. Better use the more stable apt-get and apt-cache|Documentation
| -|Run Using Zypper Update
d4895357-dd49-4ba5-b726-1bb81cb50989|Medium|Supply-Chain|'zypper update' should not be used. Can cause inconsistencies between builds, producing problems for application developers|Documentation
| -|Apt Get Install Pin Version Not Defined
965a08d7-ef86-4f14-8792-4a3b2098937e|Medium|Supply-Chain|When installing a package, its pin version should be defined|Documentation
| +|Yum Clean All Missing
00481784-25aa-4a55-8633-3136dfcf4f37|Medium|Supply-Chain|Need to use 'yum clean all' after using a 'yum install' command to clean package cached data and reduce image size|Documentation
| +|Pip install Keeping Cached Packages
f2f903fb-b977-461e-98d7-b3e2185c6118|Medium|Supply-Chain|When installing packages with pip, the '--no-cache-dir' flag should be set to make Docker images smaller|Documentation
| |Missing Flag From Dnf Install
7ebd323c-31b7-4e5b-b26f-de5e9e477af8|Medium|Supply-Chain|The '-y' or '--assumeyes' flag should be added when invoking dnf install. If omitted, it can cause the command to fail during the build process, because dnf would expect manual input.|Documentation
| -|Exposing Port 22 (SSH)
5907595b-5b6d-4142-b173-dbb0e73fbff8|Low|Best Practices|Expose only the ports that your application needs and avoid exposing ports like SSH (22)|Documentation
| +|Apt Get Install Pin Version Not Defined
965a08d7-ef86-4f14-8792-4a3b2098937e|Medium|Supply-Chain|When installing a package, its pin version should be defined|Documentation
| +|Missing Zypper Non-interactive Switch
45e1fca5-f90e-465d-825f-c2cb63fa3944|Medium|Supply-Chain|Omitting the non-interactive switch causes the command to fail during the build process, because zypper would expect manual input|Documentation
| |Chown Flag Exists
aa93e17f-b6db-4162-9334-c70334e7ac28|Low|Best Practices|If the user only needs execution permissions on the file and not ownership, don't use --chown option|Documentation
| +|Curl or Wget Instead of Add
4b410d24-1cbe-4430-a632-62c9a931cf1c|Low|Best Practices|Use Curl or Wget instead of Add to fetch packages from remote URLs, because using Add is strongly discouraged|Documentation
| |MAINTAINER Instruction Being Used
99614418-f82b-4852-a9ae-5051402b741c|Low|Best Practices|The MAINTAINER instruction sets the Author field of the generated images. The LABEL instruction is a much more flexible version of this and you should use it instead, as it enables setting any metadata you require, and can be viewed easily|Documentation
| |Multiple RUN, ADD, COPY, Instructions Listed
0008c003-79aa-42d8-95b8-1c2fe37dbfe6|Low|Best Practices|Multiple commands (RUN, Copy, And) should be grouped in order to reduce the number of layers.|Documentation
| -|Curl or Wget Instead of Add
4b410d24-1cbe-4430-a632-62c9a931cf1c|Low|Best Practices|Use Curl or Wget instead of Add to fetch packages from remote URLs, because using Add is strongly discouraged|Documentation
| +|Exposing Port 22 (SSH)
5907595b-5b6d-4142-b173-dbb0e73fbff8|Low|Best Practices|Expose only the ports that your application needs and avoid exposing ports like SSH (22)|Documentation
| |Add Instead of Copy
9513a694-aa0d-41d8-be61-3271e056f36b|Low|Build Process|Should use COPY instead of ADD unless, running a tar file|Documentation
| |Healthcheck Instruction Missing
b03a748a-542d-44f4-bb86-9199ab4fd2d5|Low|Insecure Configurations|Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working|Documentation
| +|Apk Add Using Local Cache Path
ae9c56a6-3ed1-4ac0-9b54-31267f51151d|Info|Supply-Chain|When installing packages, use the '--no-cache' switch to avoid the need to use '--update' and remove '/var/cache/apk/*'|Documentation
| |APT-GET Not Avoiding Additional Packages
7384dfb2-fcd1-4fbf-91cd-6c44c318c33c|Info|Supply-Chain|Check if any apt-get installs don't use '--no-install-recommends' flag to avoid installing additional packages.|Documentation
| -|Apt Get Install Lists Were Not Deleted
df746b39-6564-4fed-bf85-e9c44382303c|Info|Supply-Chain|After using apt-get install, it is needed to delete apt-get lists|Documentation
| |Run Utilities And POSIX Commands
9b6b0f38-92a2-41f9-b881-3a1083d99f1b|Info|Supply-Chain|Some POSIX commands and interactive utilities shouldn't run inside a Docker Container|Documentation
| -|Apk Add Using Local Cache Path
ae9c56a6-3ed1-4ac0-9b54-31267f51151d|Info|Supply-Chain|When installing packages, use the '--no-cache' switch to avoid the need to use '--update' and remove '/var/cache/apk/*'|Documentation
| +|Apt Get Install Lists Were Not Deleted
df746b39-6564-4fed-bf85-e9c44382303c|Info|Supply-Chain|After using apt-get install, it is needed to delete apt-get lists|Documentation
|
diff --git a/docs/queries/kubernetes-queries.md b/docs/queries/kubernetes-queries.md
index 3cd0b6dca69..af76ce4943f 100644
--- a/docs/queries/kubernetes-queries.md
+++ b/docs/queries/kubernetes-queries.md
@@ -3,83 +3,83 @@ This page contains all queries from Kubernetes.
 | Query |Severity|Category|Description|Help|
 |-----------------------------|--------|--------|-----------|----|
-|Tiller Service Is Not Deleted
8b862ca9-0fbd-4959-ad72-b6609bdaa22d|High|Insecure Configurations|Check if there is any Tiller Service present|Documentation
| -|Host Aliases Undefined Or Empty
72b03514-20ae-4409-8842-2dd70c2e25aa|High|Insecure Configurations|A Pod should have Host Aliases defined as to prevent the container from modifying the file after a pod's containers have already been started. This means the attribute 'spec.hostAliases' must be defined and not empty or null.|Documentation
| -|Tiller (Helm v2) Is Deployed
6d173be7-545a-46c6-a81d-2ae52ed1605d|High|Insecure Configurations|Check if Tiller is deployed.|Documentation
| -|PSP Allows Containers To Share The Host Network Namespace
a33e9173-b674-4dfb-9d82-cf3754816e4b|High|Insecure Configurations|Check if Pod Security Policies allow containers to share the host network namespace.|Documentation
| -|Not Limited Capabilities For Pod Security Policy
caa93370-791f-4fc6-814b-ba6ce0cb4032|High|Insecure Configurations|Limit capabilities for a Pod Security Policy|Documentation
| |Privilege Escalation Allowed
5572cc5e-1e4c-4113-92a6-7a8a3bd25e6d|High|Insecure Configurations|Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process|Documentation
| -|Object Is Using A Deprecated API Version
94b76ea5-e074-4ca2-8a03-c5a606e30645|High|Insecure Configurations|Check if any objects are using a deprecated version of API.|Documentation
| +|Tiller (Helm v2) Is Deployed
6d173be7-545a-46c6-a81d-2ae52ed1605d|High|Insecure Configurations|Check if Tiller is deployed.|Documentation
| |Cluster Allows Unsafe Sysctls
9127f0d9-2310-42e7-866f-5fd9d20dcbad|High|Insecure Configurations|A Kubernetes Cluster must not allow Unsafe Sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means the 'spec.securityContext.sysctls' must not have an Unsafe Sysctls and that the atrribute 'allowedUnsafeSysctls' must be undefined.|Documentation
| +|Host Aliases Undefined Or Empty
72b03514-20ae-4409-8842-2dd70c2e25aa|High|Insecure Configurations|A Pod should have Host Aliases defined as to prevent the container from modifying the file after a pod's containers have already been started. This means the attribute 'spec.hostAliases' must be defined and not empty or null.|Documentation
| +|Tiller Service Is Not Deleted
8b862ca9-0fbd-4959-ad72-b6609bdaa22d|High|Insecure Configurations|Check if there is any Tiller Service present|Documentation
| |Shared Host IPC Namespace
cd290efd-6c82-4e9d-a698-be12ae31d536|High|Insecure Configurations|Container should not share the host IPC namespace|Documentation
| -|Shared Host Network Namespace
6b6bdfb3-c3ae-44cb-88e4-7405c1ba2c8a|High|Insecure Configurations|Container should not share the host network namespace|Documentation
| -|Shared Host PID Namespace
302736f4-b16c-41b8-befe-c0baffa0bd9d|High|Insecure Configurations|Container should not share the host process ID namespace|Documentation
| |Container Is Privileged
dd29336b-fe57-445b-a26e-e6aa867ae609|High|Insecure Configurations|Do not allow container to be privileged.|Documentation
| |NET_RAW Capabilities Not Being Dropped
dbbc6705-d541-43b0-b166-dd4be8208b54|High|Insecure Configurations|Containers should drop 'NET_RAW' or 'ALL' capabilities|Documentation
| +|Object Is Using A Deprecated API Version
94b76ea5-e074-4ca2-8a03-c5a606e30645|High|Insecure Configurations|Check if any objects are using a deprecated version of API.|Documentation
| +|Not Limited Capabilities For Pod Security Policy
caa93370-791f-4fc6-814b-ba6ce0cb4032|High|Insecure Configurations|Limit capabilities for a Pod Security Policy|Documentation
| +|Shared Host PID Namespace
302736f4-b16c-41b8-befe-c0baffa0bd9d|High|Insecure Configurations|Container should not share the host process ID namespace|Documentation
| +|PSP Allows Containers To Share The Host Network Namespace
a33e9173-b674-4dfb-9d82-cf3754816e4b|High|Insecure Configurations|Check if Pod Security Policies allow containers to share the host network namespace.|Documentation
| +|Shared Host Network Namespace
6b6bdfb3-c3ae-44cb-88e4-7405c1ba2c8a|High|Insecure Configurations|Container should not share the host network namespace|Documentation
| |Role Binding To Default Service Account
1e749bc9-fde8-471c-af0c-8254efd2dee5|High|Insecure Defaults|No role nor cluster role should bind to a default service account|Documentation
| |Tiller Deployment Is Accessible From Within The Cluster
e17fa86a-6222-4584-a914-56e8f6c87e06|High|Networking and Firewall|Check if any Tiller Deployment container allows access from within the cluster.|Documentation
| |Non Kube System Pod With Host Mount
aa8f7a35-9923-4cad-bd61-a19b7f6aac91|Medium|Access Control|A non kube-system workload should not have hostPath mounted|Documentation
| |RBAC Roles with Read Secrets Permissions
b7bca5c4-1dab-4c2c-8cbe-3050b9d59b14|Medium|Access Control|Minimize access to secrets (RBAC)|Documentation
| -|Readiness Probe Is Not Configured
a659f3b5-9bf0-438a-bd9a-7d3a6427f1e3|Medium|Availability|Check if Readiness Probe is not configured.|Documentation
| |Liveness Probe Is Not Defined
ade74944-a674-4e00-859e-c6eab5bde441|Medium|Availability|Liveness Probe must be defined.|Documentation
| +|Readiness Probe Is Not Configured
a659f3b5-9bf0-438a-bd9a-7d3a6427f1e3|Medium|Availability|Check if Readiness Probe is not configured.|Documentation
| |Container Running With Low UID
02323c00-cdc3-4fdc-a310-4f2b3e7a1660|Medium|Best Practices|Check if containers are running with low UID, which might cause conflicts with the host's user table.|Documentation
| +|Resource With Allow Privilege Escalation
0a7c420c-4568-4cec-ba36-4d42a6f9613b|Medium|Best Practices|Minimize the admission of privileged resources|Documentation
| |Root Containers Admitted
e3aa0612-4351-4a0d-983f-aefea25cf203|Medium|Best Practices|Containers must not be allowed to run with root privileges, which means the attributes 'privileged','allowPrivilegeEscalation' and 'readOnlyRootFilesystem' must be set to false, 'runAsUser.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden|Documentation
| |Container Running As Root
cf34805e-3872-4c08-bf92-6ff7bb0cfadb|Medium|Best Practices|Check if containers are running as root unduly.|Documentation
| -|Resource With Allow Privilege Escalation
0a7c420c-4568-4cec-ba36-4d42a6f9613b|Medium|Best Practices|Minimize the admission of privileged resources|Documentation
| |Incorrect Volume Claim Access Mode ReadWriteOnce
3878dc92-8e5d-47cf-9cdd-7590f71d21b9|Medium|Build Process|Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce'|Documentation
| +|Ingress Controller Exposes Workload
69bbc5e3-0818-4150-89cc-1e989b48f23b|Medium|Insecure Configurations|Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks|Documentation
| +|PSP Allows Sharing Host PID
91dacd0e-d189-4a9c-8272-5999a3cc32d9|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host process ID namespace|Documentation
| |NET_RAW Capabilities Disabled for PSP
2270987f-bb51-479f-b8be-3ca73e5ad648|Medium|Insecure Configurations|Containers need to have NET_RAW or All as drop capabilities|Documentation
| -|Workload Mounting With Sensitive OS Directory
5308a7a8-06f8-45ac-bf10-791fe21de46e|Medium|Insecure Configurations|Workload is mounting a volume with sensitive OS Directory|Documentation
| -|Container Runs Unmasked
f922827f-aab6-447c-832a-e1ff63312bd3|Medium|Insecure Configurations|Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime.|Documentation
| -|Containers With Added Capabilities
19ebaa28-fc86-4a58-bcfa-015c9e22fe40|Medium|Insecure Configurations|Containers should not have added capability|Documentation
| +|PSP With Added Capabilities
7307579a-3abb-46ad-9ce5-2a915634d5c8|Medium|Insecure Configurations|PodSecurityPolicy should not have added capabilities|Documentation
| +|Using Default Namespace
611ab018-c4aa-4ba2-b0f6-a448337509a6|Medium|Insecure Configurations|The default namespace should not be used|Documentation
| |Default Service Account In Use
b93e973e-9066-4455-a63b-c1c0e1ec3a48|Medium|Insecure Configurations|Default service accounts should not be actively used|Documentation
| -|PSP Allows Sharing Host PID
91dacd0e-d189-4a9c-8272-5999a3cc32d9|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host process ID namespace|Documentation
| |Seccomp Profile Is Not Configured
f377b83e-bd07-4f48-a591-60c82b14a78b|Medium|Insecure Configurations|Check if any resource does not configure Seccomp default profile properly|Documentation
| -|Using Default Namespace
611ab018-c4aa-4ba2-b0f6-a448337509a6|Medium|Insecure Configurations|The default namespace should not be used|Documentation
| -|PSP With Added Capabilities
7307579a-3abb-46ad-9ce5-2a915634d5c8|Medium|Insecure Configurations|PodSecurityPolicy should not have added capabilities|Documentation
| |PSP Set To Privileged
c48e57d3-d642-4e0b-90db-37f807b41b91|Medium|Insecure Configurations|Do not allow pod to request execution as privileged.|Documentation
| |PSP Allows Sharing Host IPC
80f93444-b240-4ebb-a4c6-5c40b76c04ea|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host IPC namespace|Documentation
| -|Containers With Sys Admin Capabilities
235236ee-ad78-4065-bd29-61b061f28ce0|Medium|Insecure Configurations|Containers should not have CAP_SYS_ADMIN Linux capability|Documentation
| -|Ingress Controller Exposes Workload
69bbc5e3-0818-4150-89cc-1e989b48f23b|Medium|Insecure Configurations|Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks|Documentation
| -|Not Limited Capabilities For Container
2f1a0619-b12b-48a0-825f-993bb6f01d58|Medium|Insecure Configurations|Limit the capabilities for a Container.|Documentation
| |PSP Allows Privilege Escalation
87554eef-154d-411d-bdce-9dbd91e56851|Medium|Insecure Configurations|PodSecurityPolicy should not allow privilege escalation|Documentation
| -|Service Account Token Automount Not Disabled
48471392-d4d0-47c0-b135-cdec95eb3eef|Medium|Insecure Defaults|Service Account Tokens are automatically mounted even if not necessary|Documentation
| +|Not Limited Capabilities For Container
2f1a0619-b12b-48a0-825f-993bb6f01d58|Medium|Insecure Configurations|Limit the capabilities for a Container.|Documentation
| +|Containers With Sys Admin Capabilities
235236ee-ad78-4065-bd29-61b061f28ce0|Medium|Insecure Configurations|Containers should not have CAP_SYS_ADMIN Linux capability|Documentation
| +|Container Runs Unmasked
f922827f-aab6-447c-832a-e1ff63312bd3|Medium|Insecure Configurations|Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime.|Documentation
| +|Containers With Added Capabilities
19ebaa28-fc86-4a58-bcfa-015c9e22fe40|Medium|Insecure Configurations|Containers should not have added capability|Documentation
| +|Workload Mounting With Sensitive OS Directory
5308a7a8-06f8-45ac-bf10-791fe21de46e|Medium|Insecure Configurations|Workload is mounting a volume with sensitive OS Directory|Documentation
| |Service Account Name Undefined Or Empty
591ade62-d6b0-4580-b1ae-209f80ba1cd9|Medium|Insecure Defaults|A Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'serviceAccountName' should be defined and not empty.|Documentation
| -|Pod Misconfigured Network Policy
0401f71b-9c1e-4821-ab15-a955caa621be|Medium|Networking and Firewall|Check if any pod is not being targeted by a proper network policy.|Documentation
| -|Service With External Load Balance
26763a1c-5dda-4772-b507-5fca7fb5f165|Medium|Networking and Firewall|Service has an external load balancer, which may cause accessibility from other networks and the Internet|Documentation
| +|Service Account Token Automount Not Disabled
48471392-d4d0-47c0-b135-cdec95eb3eef|Medium|Insecure Defaults|Service Account Tokens are automatically mounted even if not necessary|Documentation
| |Network Policy Is Not Targeting Any Pod
85ab1c5b-014e-4352-b5f8-d7dea3bb4fd3|Medium|Networking and Firewall|Check if any network policy is not targeting any pod.|Documentation
| +|Service With External Load Balance
26763a1c-5dda-4772-b507-5fca7fb5f165|Medium|Networking and Firewall|Service has an external load balancer, which may cause accessibility from other networks and the Internet|Documentation
| +|Pod Misconfigured Network Policy
0401f71b-9c1e-4821-ab15-a955caa621be|Medium|Networking and Firewall|Check if any pod is not being targeted by a proper network policy.|Documentation
| |Volume Mount with OS Directory Write Permissions
b7652612-de4e-4466-a0bf-1cd81f0c6063|Medium|Resource Management|Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries.|Documentation
| -|Memory Limits Not Defined
b14d1bc4-a208-45db-92f0-e21f8e2588e9|Medium|Resource Management|Memory limits should be specified|Documentation
| |CPU Limits Not Set
4ac0e2b7-d2d2-4af7-8799-e8de6721ccda|Medium|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests|Documentation
| -|Memory Requests Not Defined
229588ef-8fde-40c8-8756-f4f2b5825ded|Medium|Resource Management|Memory requests should be specified|Documentation
| |CPU Requests Not Set
ca469dd4-c736-448f-8ac1-30a642705e0a|Medium|Resource Management|CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node|Documentation
| +|Memory Limits Not Defined
b14d1bc4-a208-45db-92f0-e21f8e2588e9|Medium|Resource Management|Memory limits should be specified|Documentation
| +|Memory Requests Not Defined
229588ef-8fde-40c8-8756-f4f2b5825ded|Medium|Resource Management|Memory requests should be specified|Documentation
| |Shared Service Account
c1032cf7-3628-44e2-bd53-38c17cf31b6b|Medium|Secret Management|A Service Account token is shared between workloads|Documentation
| |ServiceAccount Allows Access Secrets
056ac60e-fe07-4acc-9b34-8e1d51716ab9|Medium|Secret Management|Roles and ClusterRoles when binded, should not use get, list or watch as verbs|Documentation
| -|Missing App Armor Config
8b36775e-183d-4d46-b0f7-96a6f34a723f|Low|Access Control|Containers should be configured with AppArmor for any application to reduce its potential attack|Documentation
| +|Docker Daemon Socket is Exposed to Containers
a6f34658-fdfb-4154-9536-56d516f65828|Low|Access Control|Sees if Docker Daemon Socket is not exposed to Containers|Documentation
| |Cluster Admin Rolebinding With Superuser Permissions
249328b8-5f0f-409f-b1dd-029f07882e11|Low|Access Control|Ensure that the cluster-admin role is only used where required (RBAC)|Documentation
| |Permissive Access to Create Pods
592ad21d-ad9b-46c6-8d2d-fad09d62a942|Low|Access Control|The permission to create pods in a cluster should be restricted because it allows privilege escalation.|Documentation
| +|Missing App Armor Config
8b36775e-183d-4d46-b0f7-96a6f34a723f|Low|Access Control|Containers should be configured with AppArmor for any application to reduce its potential attack|Documentation
| |RBAC Wildcard In Rule
6b896afb-ca07-467a-b256-1a0077a1c08e|Low|Access Control|Kubernetes Roles and ClusterRoles should not use wildcards in rules (objects or actions)|Documentation
| -|Docker Daemon Socket is Exposed to Containers
a6f34658-fdfb-4154-9536-56d516f65828|Low|Access Control|Sees if Docker Daemon Socket is not exposed to Containers|Documentation
| -|HPA Targets Invalid Object
2f652c42-619d-4361-b361-9f599688f8ca|Low|Availability|The Horizontal Pod Autoscale must target a valid object|Documentation
| |StatefulSets Without Service Name
bb241e61-77c3-4b97-9575-c0f8a1e008d0|Low|Availability|Check if the StatefulSets have a headless 'serviceName'|Documentation
| |HPA Targeted Deployments With Configured Replica Count
5744cbb8-5946-4b75-a196-ade44449525b|Low|Availability|Deployments targeted by HorizontalPodAutoscaler should not have a statically configured replica count set|Documentation
| |StatefulSet Without PodDisruptionBudget
1db3a5a5-bf75-44e5-9e44-c56cfc8b1ac5|Low|Availability|StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
| |Deployment Without PodDisruptionBudget
b23e9b98-0cb6-4fc9-b257-1f3270442678|Low|Availability|Deployments should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
| -|Metadata Label Is Invalid
1123031a-f921-4c5b-bd86-ef354ecfd37a|Low|Best Practices|Check if any label in the metadata is invalid.|Documentation
| +|HPA Targets Invalid Object
2f652c42-619d-4361-b361-9f599688f8ca|Low|Availability|The Horizontal Pod Autoscale must target a valid object|Documentation
| |No Drop Capabilities for Containers
268ca686-7fb7-4ae9-b129-955a2a89064e|Low|Best Practices|Sees if Kubernetes Drop Capabilities exists to ensure containers security context|Documentation
| +|Metadata Label Is Invalid
1123031a-f921-4c5b-bd86-ef354ecfd37a|Low|Best Practices|Check if any label in the metadata is invalid.|Documentation
| |Root Container Not Mounted As Read-only
a9c2f49d-0671-4fc9-9ece-f4e261e128d0|Low|Build Process|Check if the root container filesystem is not being mounted as read-only.|Documentation
| |StatefulSet Requests Storage
8cf4671a-cf3d-46fc-8389-21e7405063a2|Low|Build Process|A StatefulSet requests volume storage.|Documentation
| -|Image Without Digest
7c81d34c-8e5a-402b-9798-9f442630e678|Low|Insecure Configurations|Sees if Kubernetes image has digest on|Documentation
| -|Service Does Not Target Pod
3ca03a61-3249-4c16-8427-6f8e47dda729|Low|Insecure Configurations|Service should Target a Pod|Documentation
| |Image Pull Policy Of The Container Is Not Set To Always
caa3479d-885d-4882-9aac-95e5e78ef5c2|Low|Insecure Configurations|Image Pull Policy of the container must be defined and set to Always|Documentation
| -|Pod or Container Without Security Context
a97a340a-0063-418e-b3a1-3028941d0995|Low|Insecure Configurations|A security context defines privilege and access control settings for a Pod or Container|Documentation
| |Dashboard Is Enabled
d2ad057f-0928-41ef-a83c-f59203bb855b|Low|Insecure Configurations|If not needed, disabling the dashboard can prevent from being used as an attack vector|Documentation
| -|Image Host Port Not Specified
2b1836f1-dcce-416e-8e16-da8c71920633|Low|Networking and Firewall|Sees if Kubernetes Image Host Port is Specified|Documentation
| +|Pod or Container Without Security Context
a97a340a-0063-418e-b3a1-3028941d0995|Low|Insecure Configurations|A security context defines privilege and access control settings for a Pod or Container|Documentation
| +|Image Without Digest
7c81d34c-8e5a-402b-9798-9f442630e678|Low|Insecure Configurations|Sees if Kubernetes image has digest on|Documentation
| +|Service Does Not Target Pod
3ca03a61-3249-4c16-8427-6f8e47dda729|Low|Insecure Configurations|Service should Target a Pod|Documentation
| |Service Type is NodePort
845acfbe-3e10-4b8e-b656-3b404d36dfb2|Low|Networking and Firewall|Service type should not be NodePort|Documentation
| -|Container Requests Not Equal To It's Limits
aee3c7d2-a811-4201-90c7-11c028be9a46|Low|Resource Management|A Pod's Containers must have the same requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.memory' and 'requests.cpu' must equal 'limits.memory' and 'limits.cpu', respectively, and all four must be defined.|Documentation
| -|Deployment Has No PodAntiAffinity
a31b7b82-d994-48c4-bd21-3bab6c31827a|Low|Resource Management|Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node.|Documentation
| +|Image Host Port Not Specified
2b1836f1-dcce-416e-8e16-da8c71920633|Low|Networking and Firewall|Sees if Kubernetes Image Host Port is Specified|Documentation
| |Container CPU Requests Not Equal To It's Limits
9d43040e-e703-4e16-8bfe-8d4da10fa7e6|Low|Resource Management|A Pod's Containers must have the same CPU requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.cpu' must equal 'limits.cpu', and both be defined.|Documentation
| +|StatefulSet Has No PodAntiAffinity
d740d048-8ed3-49d3-b77b-6f072f3b669e|Low|Resource Management|Check if StatefulSet resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node.|Documentation
| |CronJob Deadline Not Configured
192fe40b-b1c3-448a-aba2-6cc19a300fe3|Low|Resource Management|Cronjobs must have a configured deadline, which means the attribute 'startingDeadlineSeconds' must be defined|Documentation
| +|Deployment Has No PodAntiAffinity
a31b7b82-d994-48c4-bd21-3bab6c31827a|Low|Resource Management|Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node.|Documentation
| +|Container Requests Not Equal To It's Limits
aee3c7d2-a811-4201-90c7-11c028be9a46|Low|Resource Management|A Pod's Containers must have the same requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.memory' and 'requests.cpu' must equal 'limits.memory' and 'limits.cpu', respectively, and all four must be defined.|Documentation
| |Container Memory Requests Not Equal To It's Limits
aafa7d94-62de-4fbf-8838-b69ee217b0e6|Low|Resource Management|A Pod's Containers must have the same Memory requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.memory' must equal 'limits.memory', and both be defined.|Documentation
| -|StatefulSet Has No PodAntiAffinity
d740d048-8ed3-49d3-b77b-6f072f3b669e|Low|Resource Management|Check if StatefulSet resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node.|Documentation
| |Secrets As Environment Variables
3d658f8b-d988-41a0-a841-40043121de1e|Low|Secret Management|Container should not use secrets as environment variables|Documentation
| |Invalid Image
583053b7-e632-46f0-b989-f81ff8045385|Low|Supply-Chain|Image must be defined and not be empty or equal to latest.|Documentation
|
diff --git a/docs/queries/terraform-queries.md b/docs/queries/terraform-queries.md
index 88d667aca40..a9c8b5835f6 100644
--- a/docs/queries/terraform-queries.md
+++ b/docs/queries/terraform-queries.md
@@ -3,316 +3,316 @@ This page contains all queries from Terraform.
 | Query |Severity|Category|Description|Help|
 |-----------------------------|--------|--------|-----------|----|
-|S3 Bucket Allows List Action From All Principals
66c6f96f-2d9e-417e-a998-9058aeeecd44|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals.|Documentation
| -|S3 Bucket Allows Get Action From All Principals
1df37f4b-7197-45ce-83f8-9994d2fcf885|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals.|Documentation
| +|S3 Bucket Allows Delete Action From All Principals
ffdf4b37-7703-4dfe-a682-9d2e99bc6c09|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals.|Documentation
| +|S3 Bucket ACL Allows Read Or Write to All Users
38c5ee0d-7f22-4260-ab72-5073048df100|High|Access Control|S3 bucket with public READ/WRITE access|Documentation
| |IAM Role With Full Privileges
b1ffa705-19a3-4b73-b9d0-0c97d0663842|High|Access Control|IAM role policy that allow full administrative privileges (for all resources)|Documentation
| |ECS Service Admin Role is Present
3206240f-2e87-4e58-8d24-3e19e7c83d7c|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'iam_role' must not be an admin role|Documentation
| -|S3 Bucket With All Permissions
a4966c4f-9141-48b8-a564-ffe9959945bc|High|Access Control|S3 Buckets must not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion|Documentation
| -|S3 Bucket ACL Allows Read Or Write to All Users
64a222aa-7793-4e40-915f-4b302c76e4d4|High|Access Control|S3 Buckets must not allow Write_ACP Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Write_ACP, for all Principals.|Documentation
| -|SQS Queue Exposed
abb06e5f-ef9a-4a99-98c6-376d396bfcdf|High|Access Control|Checks if the SQS Queue is exposed|Documentation
| -|S3 Bucket ACL Allows Read to Any Authenticated User
57b9893d-33b1-4419-bcea-a717ea87e139|High|Access Control|Misconfigured S3 buckets can leak private information to the entire internet or allow unauthorized data tampering / deletion|Documentation
| +|S3 Bucket Allows WriteACP Action From All Principals
64a222aa-7793-4e40-915f-4b302c76e4d4|High|Access Control|S3 Buckets must not allow Write_ACP Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Write_ACP, for all Principals.|Documentation
| +|S3 Bucket Access to Any Principal
7af43613-6bb9-4a0e-8c4d-1314b799425e|High|Access Control|S3 Buckets must not allow Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when there are All Principals|Documentation
| |S3 Bucket Allows Put Action From All Principals
d24c0755-c028-44b1-b503-8e719c898832|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals.|Documentation
| -|S3 Bucket Allows Delete Action From All Principals
ffdf4b37-7703-4dfe-a682-9d2e99bc6c09|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals.|Documentation
| +|S3 Bucket Allows List Action From All Principals
66c6f96f-2d9e-417e-a998-9058aeeecd44|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals.|Documentation
| +|S3 Bucket With All Permissions
a4966c4f-9141-48b8-a564-ffe9959945bc|High|Access Control|S3 Buckets must not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion|Documentation
| |S3 Bucket Allows Public Policy
1a4bc881-9f69-4d44-8c9a-d37d08f54c50|High|Access Control|S3 bucket allows public policy|Documentation
| -|S3 Bucket Access to Any Principal
7af43613-6bb9-4a0e-8c4d-1314b799425e|High|Access Control|S3 Buckets must not allow Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when there are All Principals|Documentation
| -|Admin User Enabled For Container Registry
b897dfbf-322c-45a8-b67c-1e698beeaa51|High|Access Control|Admin user is enabled for Container Registry|Documentation
| -|Storage Container with Public Access
dd5230f8-a577-4bbb-b7ac-f2c2fe7d5299|High|Access Control|Anonymous, public read access to a container and its blobs are enabled in Azure Blob Storage|Documentation
| -|Role Assignment Of Guest Users
2bc626a8-0751-446f-975d-8139214fc790|High|Access Control|There is a role assignment for guest user|Documentation
| +|S3 Bucket Allows Get Action From All Principals
1df37f4b-7197-45ce-83f8-9994d2fcf885|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals.|Documentation
| +|S3 Bucket ACL Allows Read to Any Authenticated User
57b9893d-33b1-4419-bcea-a717ea87e139|High|Access Control|Misconfigured S3 buckets can leak private information to the entire internet or allow unauthorized data tampering / deletion|Documentation
| +|IAM Policies With Full Privileges
2f37c4a3-58b9-4afe-8a87-d7f1d2286f84|High|Access Control|IAM policies that allow full administrative privileges (for all resources)|Documentation
| +|SQS Queue Exposed
abb06e5f-ef9a-4a99-98c6-376d396bfcdf|High|Access Control|Checks if the SQS Queue is exposed|Documentation
| |VM With Full Cloud Access
bc280331-27b9-4acb-a010-018e8098aa5d|High|Access Control|A VM instance is configured to use the default service account with full access to all Cloud APIs|Documentation
| -|SQL DB Instance Is Publicly Accessible
b187edca-b81e-4fdc-aff4-aab57db45edb|High|Access Control|Check if any Cloud SQL instances are publicly accessible.|Documentation
| |Cloud Storage Bucket Is Publicly Accessible
c010082c-76e0-4b91-91d9-6e8439e455dd|High|Access Control|Cloud Storage Bucket is anonymously or publicly accessible|Documentation
| -|BigQuery Dataset Is Public
e576ce44-dd03-4022-a8c0-3906acca2ab4|High|Access Control|BigQuery dataset is anonymously or publicly accessible|Documentation
| |OSLogin Disabled
32ecd6eb-0711-421f-9627-1a28d9eff217|High|Access Control|Verifies that the OSLogin is enabled|Documentation
| -|Geo Redundancy Is Disabled
8b042c30-e441-453f-b162-7696982ebc58|High|Backup|Make sure that on PostgreSQL Geo Redundant Backups is enabled|Documentation
| +|SQL DB Instance Is Publicly Accessible
b187edca-b81e-4fdc-aff4-aab57db45edb|High|Access Control|Check if any Cloud SQL instances are publicly accessible.|Documentation
| +|BigQuery Dataset Is Public
e576ce44-dd03-4022-a8c0-3906acca2ab4|High|Access Control|BigQuery dataset is anonymously or publicly accessible|Documentation
| +|Storage Container Is Publicly Accessible
dd5230f8-a577-4bbb-b7ac-f2c2fe7d5299|High|Access Control|Anonymous, public read access to a container and its blobs are enabled in Azure Blob Storage|Documentation
| +|Public Storage Account
17f75827-0684-48f4-8747-61129c7e4198|High|Access Control|Check if 'network_rules' is open to public.|Documentation
| +|Role Assignment Of Guest Users
2bc626a8-0751-446f-975d-8139214fc790|High|Access Control|There is a role assignment for guest user|Documentation
| +|Admin User Enabled For Container Registry
b897dfbf-322c-45a8-b67c-1e698beeaa51|High|Access Control|Admin user is enabled for Container Registry|Documentation
| |SQL DB Instance Backup Disabled
cf3c7631-cd1e-42f3-8801-a561214a6e79|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances|Documentation
| -|ELB Using Insecure Protocols
126c1788-23c2-4a10-906c-ef179f4f96ec|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of insecure protocols.|Documentation
| -|Redshift Not Encrypted
cfdcabb0-fc06-427c-865b-c59f13e898ce|High|Encryption|Check if 'encrypted' field is false or undefined (default is false)|Documentation
| +|Geo Redundancy Is Disabled
8b042c30-e441-453f-b162-7696982ebc58|High|Backup|Make sure that on PostgreSQL Geo Redundant Backups is enabled|Documentation
| +|EBS Volume Snapshot Not Encrypted
e6b4b943-6883-47a9-9739-7ada9568f8ca|High|Encryption|The value on AWS EBS Volume Snapshot Encryptation must be true|Documentation
| |User Data Contains Encoded Private Key
443488f5-c734-460b-a36d-5b3f330174dc|High|Encryption|User Data Base64 contains an encoded RSA Private Key|Documentation
| +|ELB Using Insecure Protocols
126c1788-23c2-4a10-906c-ef179f4f96ec|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of insecure protocols.|Documentation
| |Secure Ciphers Disabled
5c0003fb-9aa0-42c1-9da3-eb0e332bef21|High|Encryption|Check if secure ciphers aren't used in CloudFront|Documentation
| +|MSK Cluster Encryption Disabled
6db52fa6-d4da-4608-908a-89f0c59e743e|High|Encryption|Ensure MSK Cluster encryption in rest and transit is enabled|Documentation
| +|CA certificate Identifier is outdated
9f40c07e-699e-4410-8856-3ba0f2e3a2dd|High|Encryption|The CA certificate Identifier must be 'rds-ca-2019'.|Documentation
| |Kinesis SSE Not Configured
5c6dd5e7-1fe0-4cae-8f81-4c122717cef3|High|Encryption|AWS Kinesis Server data at rest should have Server Side Encryption (SSE) enabled|Documentation
| -|EBS Volume Encryption Disabled
cc997676-481b-4e93-aa81-d19f8c5e9b12|High|Encryption|The value on AWS EBS Volume Cluster Encryption must be true|Documentation
| -|S3 Bucket Without Server-side-encryption
6726dcc0-5ff5-459d-b473-a780bef7665c|High|Encryption|S3 bucket should have encryption defined|Documentation
| -|Kinesis Not Encrypted With KMS
862fe4bf-3eec-4767-a517-40f378886b88|High|Encryption|AWS Kinesis Streams and metadata should be protected with KMS|Documentation
| -|Redis Not Compliant
254c932d-e3bf-44b2-bc9d-eb5fdb09f8d4|High|Encryption|Check if the redis version is compliant with the necessary AWS PCI DSS requirements|Documentation
| +|EBS Default Encryption Disabled
3d3f6270-546b-443c-adb4-bb6fb2187ca6|High|Encryption|EBS Encryption should be enabled|Documentation
| +|EFS Without KMS
25d251f3-f348-4f95-845c-1090e41a615c|High|Encryption|Elastic File System (EFS) must have KMS Key ID|Documentation
| +|ECS Task Definition Container With Plaintext Password
d40210ea-64b9-4cce-a4fb-e8604f3c062c|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data.|Documentation
| +|RDS Storage Not Encrypted
3199c26c-7871-4cb3-99c2-10a59244ce7f|High|Encryption|Check if RDS Cluster Storage isn't encrypted. Happens when 'kms_key_id' field is 'false' or undefined and 'engine_mode' field is null or empty.|Documentation
| +|Redshift Not Encrypted
cfdcabb0-fc06-427c-865b-c59f13e898ce|High|Encryption|Check if 'encrypted' field is false or undefined (default is false)|Documentation
| |Automatic Minor Upgrades Disabled
3b6d777b-76e3-4133-80a3-0d6f667ade7f|High|Encryption|RDS Instance Auto Minor Version Upgrade feature in Aws Db Instance must be true|Documentation
| -|EBS Volume Snapshot Not Encrypted
e6b4b943-6883-47a9-9739-7ada9568f8ca|High|Encryption|The value on AWS EBS Volume Snapshot Encryptation must be true|Documentation
| -|Viewer Protocol Policy Allows HTTP
55af1353-2f62-4fa0-a8e1-a210ca2708f5|High|Encryption|Checks if the connection between the CloudFront and the origin server is encrypted|Documentation
| +|Launch Configuration Is Not Encrypted
4de9de27-254e-424f-bd70-4c1e95790838|High|Encryption|Data stored in the Launch configuration EBS is not securely encrypted|Documentation
| +|AMI Not Encrypted
8bbb242f-6e38-4127-86d4-d8f0b2687ae2|High|Encryption|AWS AMI Encryption is not enabled|Documentation
| +|Redis Not Compliant
254c932d-e3bf-44b2-bc9d-eb5fdb09f8d4|High|Encryption|Check if the redis version is compliant with the necessary AWS PCI DSS requirements|Documentation
| +|DB Instance Storage Not Encrypted
08bd0760-8752-44e1-9779-7bb369b2b4e4|High|Encryption|The parameter storage_encrypted in aws_db_instance must be set to 'true' (the default is 'false').|Documentation
| |Memcached Disabled
4bd15dd9-8d5e-4008-8532-27eb0c3706d3|High|Encryption|Check if the Memcached is disabled on the ElastiCache|Documentation
| -|MSK Cluster Encryption Disabled
6db52fa6-d4da-4608-908a-89f0c59e743e|High|Encryption|Ensure MSK Cluster encryption in rest and transit is enabled|Documentation
| |IAM Database Auth Not Enabled
88fd05e0-ac0e-43d2-ba6d-fc0ba60ae1a6|High|Encryption|IAM Database Auth Enabled must be configured to true|Documentation
| +|Viewer Protocol Policy Allows HTTP
55af1353-2f62-4fa0-a8e1-a210ca2708f5|High|Encryption|Checks if the connection between the CloudFront and the origin server is encrypted|Documentation
| |EFS Not Encrypted
48207659-729f-4b5c-9402-f884257d794f|High|Encryption|Elastic File System (EFS) must be encrypted|Documentation
| -|Launch Configuration Is Not Encrypted
4de9de27-254e-424f-bd70-4c1e95790838|High|Encryption|Data stored in the Launch configuration EBS is not securely encrypted|Documentation
| -|User Data Shell Script Is Encoded
9cf718ce-46f9-430e-89ec-c456f8b469ee|High|Encryption|Base64 Shell Script must be encoded|Documentation
| -|DB Instance Storage Not Encrypted
08bd0760-8752-44e1-9779-7bb369b2b4e4|High|Encryption|The parameter storage_encrypted in aws_db_instance must be set to 'true' (the default is 'false').|Documentation
| -|AMI Not Encrypted
8bbb242f-6e38-4127-86d4-d8f0b2687ae2|High|Encryption|AWS AMI Encryption is not enabled|Documentation
| -|CA certificate Identifier is outdated
9f40c07e-699e-4410-8856-3ba0f2e3a2dd|High|Encryption|The CA certificate Identifier must be 'rds-ca-2019'.|Documentation
| +|S3 Bucket Without Server-side-encryption
6726dcc0-5ff5-459d-b473-a780bef7665c|High|Encryption|S3 bucket should have encryption defined|Documentation
| |ELB Using Weak Ciphers
4a800e14-c94a-442d-9067-5a2e9f6c0a4c|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of weak ciphers.|Documentation
| -|EBS Default Encryption Disabled
3d3f6270-546b-443c-adb4-bb6fb2187ca6|High|Encryption|EBS Encryption should be enabled|Documentation
| -|RDS Storage Not Encrypted
3199c26c-7871-4cb3-99c2-10a59244ce7f|High|Encryption|Check if RDS Cluster Storage isn't encrypted. Happens when 'kms_key_id' field is 'false' or undefined and 'engine_mode' field is null or empty.|Documentation
| -|ECS Task Definition Container With Plaintext Password
d40210ea-64b9-4cce-a4fb-e8604f3c062c|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data.|Documentation
| -|Storage Account Not Forcing HTTPS
12944ec4-1fa0-47be-8b17-42a034f937c2|High|Encryption|See that Storage Accounts forces the use of HTTPS|Documentation
| -|SSL Enforce Disabled
0437633b-daa6-4bbc-8526-c0d2443b946e|High|Encryption|Make sure that for PosgreSQL, the 'Enforce SSL connection' is set to 'ENABLED'|Documentation
| +|S3 Bucket SSE Disabled
ad03cb46-f174-4674-bf8e-2880a7000edd|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required|Documentation
| +|User Data Shell Script Is Encoded
9cf718ce-46f9-430e-89ec-c456f8b469ee|High|Encryption|Base64 Shell Script must be encoded|Documentation
| +|Kinesis Not Encrypted With KMS
862fe4bf-3eec-4767-a517-40f378886b88|High|Encryption|AWS Kinesis Streams and metadata should be protected with KMS|Documentation
| |DNSSEC Using RSASHA1
ccc3100c-0fdd-4a5e-9908-c10107291860|High|Encryption|Checks if, within the 'dnssec_config' block, the 'default_key_specs' block exists with the 'algorithm' field is 'rsasha1' which is bad.|Documentation
| |SQL DB Instance With SSL Disabled
02474449-71aa-40a1-87ae-e14497747b00|High|Encryption|Cloud SQL Database Instance with SSL disabled for incoming connections|Documentation
| |High KMS Rotation Period
352271ca-842f-408a-8b24-f6f2b76eb027|High|Encryption|Check that keys aren't the same for a period greater than 365 days.|Documentation
| -|Authentication Without MFA
3ddfa124-6407-4845-a501-179f90c65097|High|Insecure Configurations|Users should authenticate with MFA (Multi-factor Authentication)|Documentation
| -|Batch Job Definition With Privileged Container Properties
66cd88ac-9ddf-424a-b77e-e55e17630bee|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties|Documentation
| +|SSL Enforce Disabled
0437633b-daa6-4bbc-8526-c0d2443b946e|High|Encryption|Make sure that for PosgreSQL, the 'Enforce SSL connection' is set to 'ENABLED'|Documentation
| +|Storage Account Not Forcing HTTPS
12944ec4-1fa0-47be-8b17-42a034f937c2|High|Encryption|See that Storage Accounts forces the use of HTTPS|Documentation
| +|MySQL SSL Connection Disabled
73e42469-3a86-4f39-ad78-098f325b4e9f|High|Encryption|Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled|Documentation
| +|IAM User Policy Without MFA
b5681959-6c09-4f55-b42b-c40fa12d03ec|High|Insecure Configurations|Check if the root user is authenticated with MFA|Documentation
| +|Redshift Publicly Accessible
af173fde-95ea-4584-b904-bb3923ac4bda|High|Insecure Configurations|Check if 'publicly_accessible' field is true or undefined (default is true)|Documentation
| +|DB Security Group Has Public IP
f0d8781f-99bf-4958-9917-d39283b168a0|High|Insecure Configurations|The CIDR IP must not be Public|Documentation
| +|ECS Task Definition Network Mode Not Recommended
9f4a9409-9c60-4671-be96-9716dbf63db1|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_defenition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations|Documentation
| |S3 Static Website Host Enabled
42bb6b7f-6d54-4428-b707-666f669d94fb|High|Insecure Configurations|Checks if any static websties are hosted on buckets|Documentation
| |CloudFront Without Minimum Protocol TLS 1.2
00e5e55e-c2ff-46b3-a757-a7a1cd802456|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2|Documentation
| -|S3 Bucket Without Restriction Of Public Bucket
1ec253ab-c220-4d63-b2de-5b40e0af9293|High|Insecure Configurations|S3 bucket without restriction of public bucket|Documentation
| |SQS With SSE Disabled
6e8849c1-3aa7-40e3-9063-b85ee300f29f|High|Insecure Configurations|Amazon Simple Queue Service (SQS) queue is not protecting the contents of their messages using Server-Side Encryption (SSE)|Documentation
| -|Root Account Has Active Access Keys
970d224d-b42a-416b-81f9-8f4dfe70c4bc|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive.|Documentation
| -|No Password Policy Enabled
b592ffd4-0577-44b6-bd35-8c5ee81b5918|High|Insecure Configurations|IAM password policies should be set through the password minimum length and reset password attributes|Documentation
| -|ECS Task Definition Network Mode Not Recommended
9f4a9409-9c60-4671-be96-9716dbf63db1|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_defenition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations|Documentation
| -|S3 Bucket Without Versioning
568a4d22-3517-44a6-a7ad-6a7eed88722c|High|Insecure Configurations|S3 bucket without versioning|Documentation
| |S3 Bucket Without Enabled MFA Delete
c5b31ab9-0f26-4a49-b8aa-4cc064392f4d|High|Insecure Configurations|S3 bucket without enabled MFA Delete|Documentation
| +|Batch Job Definition With Privileged Container Properties
66cd88ac-9ddf-424a-b77e-e55e17630bee|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties|Documentation
| +|Authentication Without MFA
3ddfa124-6407-4845-a501-179f90c65097|High|Insecure Configurations|Users should authenticate with MFA (Multi-factor Authentication)|Documentation
| +|No Password Policy Enabled
b592ffd4-0577-44b6-bd35-8c5ee81b5918|High|Insecure Configurations|IAM password policies should be set through the password minimum length and reset password attributes|Documentation
| +|S3 Bucket Without Restriction Of Public Bucket
1ec253ab-c220-4d63-b2de-5b40e0af9293|High|Insecure Configurations|S3 bucket without restriction of public bucket|Documentation
| |KMS Key With Vulnerable Policy
7ebc9038-0bde-479a-acc4-6ed7b6758899|High|Insecure Configurations|Checks if the policy is vulnerable and needs updating.|Documentation
| -|Redshift Publicly Accessible
af173fde-95ea-4584-b904-bb3923ac4bda|High|Insecure Configurations|Check if 'publicly_accessible' field is true or undefined (default is true)|Documentation
| |DB Instance Publicly Accessible
35113e6f-2c6b-414d-beec-7a9482d3b2d1|High|Insecure Configurations|The field 'publicly_accessible' should not be set to 'true' (default is 'false').|Documentation
| -|IAM User Policy Without MFA
b5681959-6c09-4f55-b42b-c40fa12d03ec|High|Insecure Configurations|Check if the root user is authenticated with MFA|Documentation
| -|DB Security Group Has Public IP
f0d8781f-99bf-4958-9917-d39283b168a0|High|Insecure Configurations|The CIDR IP must not be Public|Documentation
| -|Web App Accepting Traffic Other Than HTTPS
11e9a948-c6c3-4a0f-8dcf-b5cf1763cdbe|High|Insecure Configurations|Web app should only accept HTTPS traffic in Azure Web App Service.|Documentation
| -|CosmosDB Account IP Range Filter Not Set
c2a3efb6-8a58-481c-82f2-bfddf34bb4b7|High|Insecure Configurations|The Ip Range Must Contain Ips|Documentation
| -|Network Watcher Flow Disabled
b90842e5-6779-44d4-9760-972f4c03ba1c|High|Insecure Configurations|Check if enable field in the resource azurerm_network_watcher_flow_log is false.|Documentation
| -|VM Not Attached To Network
bbf6b3df-4b65-4f87-82cc-da9f30f8c033|High|Insecure Configurations|No Network Security Group is attached to the Virtual Machine|Documentation
| -|Azure Container Registry With No Locks
a187ac47-8163-42ce-8a63-c115236be6fb|High|Insecure Configurations|Azurerm Container Registry Must Contain Associated Locks |Documentation
| -|MySQL SSL Connection Disabled
73e42469-3a86-4f39-ad78-098f325b4e9f|High|Insecure Configurations|Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled|Documentation
| -|Trusted Microsoft Services Not Enabled
5400f379-a347-4bdd-a032-446465fdcc6f|High|Insecure Configurations|Trusted MIcrosoft Services are not enabled for Storage Account access|Documentation
| -|AD Admin Not Configured For SQL Server
a3a055d2-9a2e-4cc9-b9fb-12850a1a3a4b|High|Insecure Configurations|The Active Directory Administrator is not configured for a SQL server|Documentation
| -|Redis Not Updated Regularly
b947809d-dd2f-4de9-b724-04d101c515aa|High|Insecure Configurations|Redis Cache is not configured to be updated regularly with security and operational updates|Documentation
| -|Host Aliases Undefined Or Empty
5d05ea11-ae3e-470e-9864-97e55fb2b2e0|High|Insecure Configurations|A Kubernetes Pod should have Host Aliases defined as to prevent the container from modifying the file after a pod's containers have already been started. This means the attribute 'spec.host_aliases' must be defined and not empty or null.|Documentation
| +|Root Account Has Active Access Keys
970d224d-b42a-416b-81f9-8f4dfe70c4bc|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive.|Documentation
| +|Pod Security Policy Disabled
9192e0f9-eca5-4056-9282-ae2a736a4088|High|Insecure Configurations|Kubernetes Clusters must have Pod Security Policy controller enabled, which means there must be a 'pod_security_policy_config' with the 'enabled' attribute equal to true|Documentation
| |Cluster Master Authentication Disabled
1baba08e-3c8a-4be7-95eb-dced5833de21|High|Insecure Configurations|Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'master_auth' must have the subattributes 'username' and 'password' defined and not empty|Documentation
| |Network Policy Disabled
11e7550e-c4b6-472e-adff-c698f157cdd7|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false |Documentation
| |Not Proper Email Account In Use
9356962e-4a4f-4d06-ac59-dc8008775eaa|High|Insecure Configurations|Gmail accounts are being used instead of corporate credentials|Documentation
| -|IP Aliasing Disabled
c606ba1d-d736-43eb-ac24-e16108f3a9e0|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribut 'ip_allocation_policy' must be defined and, if defined, the attribute 'networking_mode' must be VPC_NATIVE |Documentation
| -|Client Certificate Disabled
73fb21a1-b19a-45b1-b648-b47b1678681e|High|Insecure Configurations|Kubernetes Clusters must be created with Client Certificate enabled, which means 'master_auth' must have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to true|Documentation
| -|Cluster Labels Disabled
65c1bc7a-4835-4ac4-a2b6-13d310b0648d|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined|Documentation
| |GKE Legacy Authorization Enabled
5baa92d2-d8ee-4c75-88a4-52d9d8bb8067|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'enable_legacy_abac' must not be true|Documentation
| +|Private Cluster Disabled
6ccb85d7-0420-4907-9380-50313f80946b|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_nodes' and 'enable_private_endpoint' must be true|Documentation
| |COS Node Image Not Used
8a893e46-e267-485a-8690-51f39951de58|High|Insecure Configurations|A node image, that is not Container-Optimized OS (COS), is used for Kubernetes Engine Clusters Node image|Documentation
| +|Client Certificate Disabled
73fb21a1-b19a-45b1-b648-b47b1678681e|High|Insecure Configurations|Kubernetes Clusters must be created with Client Certificate enabled, which means 'master_auth' must have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to true|Documentation
| +|Cluster Labels Disabled
65c1bc7a-4835-4ac4-a2b6-13d310b0648d|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined|Documentation
| +|IP Aliasing Disabled
c606ba1d-d736-43eb-ac24-e16108f3a9e0|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribut 'ip_allocation_policy' must be defined and, if defined, the attribute 'networking_mode' must be VPC_NATIVE |Documentation
| |GKE Basic Authentication Enabled
70cdf849-b7d9-4569-b87d-5d82ffd44719|High|Insecure Configurations|GCP - Google Kubernetes Engine (GKE) Basic Authentication must be disabled, which means the username and password provided in the master_auth block must be empty|Documentation
| -|Pod Security Policy Disabled
9192e0f9-eca5-4056-9282-ae2a736a4088|High|Insecure Configurations|Kubernetes Clusters must have Pod Security Policy controller enabled, which means there must be a 'pod_security_policy_config' with the 'enabled' attribute equal to true|Documentation
| -|Private Cluster Disabled
6ccb85d7-0420-4907-9380-50313f80946b|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_nodes' and 'enable_private_endpoint' must be true|Documentation
| -|Shared Host IPC Namespace
e94d3121-c2d1-4e34-a295-139bfeb73ea3|High|Insecure Configurations|Container should not share the host IPC namespace|Documentation
| -|PSP Allows Containers To Share The Host Network Namespace
4950837c-0ce5-4e42-9bee-a25eae73740b|High|Insecure Configurations|Check if Pod Security Policies allow containers to share the host network namespace.|Documentation
| -|Tiller (Helm v2) Is Deployed
ca2fba76-c1a7-4afd-be67-5249f861cb0e|High|Insecure Configurations|Check if Tiller is deployed.|Documentation
| -|Not Limited Capabilities For Pod Security Policy
2acb555f-f4ad-4b1b-b984-84e6588f4b05|High|Insecure Configurations|Limit capabilities for a Pod Security Policy|Documentation
| +|Host Aliases Undefined Or Empty
5d05ea11-ae3e-470e-9864-97e55fb2b2e0|High|Insecure Configurations|A Kubernetes Pod should have Host Aliases defined as to prevent the container from modifying the file after a pod's containers have already been started. This means the attribute 'spec.host_aliases' must be defined and not empty or null.|Documentation
| |Privilege Escalation Allowed
c878abb4-cca5-4724-92b9-289be68bd47c|High|Insecure Configurations|Admission of privileged containers should be minimized|Documentation
| -|Shared Host Network Namespace
ac1564a3-c324-4747-9fa1-9dfc234dace0|High|Insecure Configurations|Container should not share the host network namespace|Documentation
| +|Tiller (Helm v2) Is Deployed
ca2fba76-c1a7-4afd-be67-5249f861cb0e|High|Insecure Configurations|Check if Tiller is deployed.|Documentation
| |Container Is Privileged
87065ef8-de9b-40d8-9753-f4a4303e27a4|High|Insecure Configurations|Do not allow container to be privileged.|Documentation
| |NET_RAW Capabilities Not Being Dropped
e5587d53-a673-4a6b-b3f2-ba07ec274def|High|Insecure Configurations|Containers should drop 'NET_RAW' or 'ALL' capabilities|Documentation
| +|PSP Allows Containers To Share The Host Network Namespace
4950837c-0ce5-4e42-9bee-a25eae73740b|High|Insecure Configurations|Check if Pod Security Policies allow containers to share the host network namespace.|Documentation
| +|Not Limited Capabilities For Pod Security Policy
2acb555f-f4ad-4b1b-b984-84e6588f4b05|High|Insecure Configurations|Limit capabilities for a Pod Security Policy|Documentation
| +|Shared Host IPC Namespace
e94d3121-c2d1-4e34-a295-139bfeb73ea3|High|Insecure Configurations|Container should not share the host IPC namespace|Documentation
| +|Shared Host Network Namespace
ac1564a3-c324-4747-9fa1-9dfc234dace0|High|Insecure Configurations|Container should not share the host network namespace|Documentation
| +|Azure Container Registry With No Locks
a187ac47-8163-42ce-8a63-c115236be6fb|High|Insecure Configurations|Azurerm Container Registry Must Contain Associated Locks |Documentation
| +|Redis Not Updated Regularly
b947809d-dd2f-4de9-b724-04d101c515aa|High|Insecure Configurations|Redis Cache is not configured to be updated regularly with security and operational updates|Documentation
| +|Web App Accepting Traffic Other Than HTTPS
11e9a948-c6c3-4a0f-8dcf-b5cf1763cdbe|High|Insecure Configurations|Web app should only accept HTTPS traffic in Azure Web App Service.|Documentation
| +|VM Not Attached To Network
bbf6b3df-4b65-4f87-82cc-da9f30f8c033|High|Insecure Configurations|No Network Security Group is attached to the Virtual Machine|Documentation
| +|Trusted Microsoft Services Not Enabled
5400f379-a347-4bdd-a032-446465fdcc6f|High|Insecure Configurations|Trusted MIcrosoft Services are not enabled for Storage Account access|Documentation
| +|Network Watcher Flow Disabled
b90842e5-6779-44d4-9760-972f4c03ba1c|High|Insecure Configurations|Check if enable field in the resource azurerm_network_watcher_flow_log is false.|Documentation
| +|AD Admin Not Configured For SQL Server
a3a055d2-9a2e-4cc9-b9fb-12850a1a3a4b|High|Insecure Configurations|The Active Directory Administrator is not configured for a SQL server|Documentation
| |Vulnerable Default SSL Certificate
3a1e94df-6847-4c0e-a3b6-6c6af4e128ef|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one.|Documentation
| |Role Binding To Default Service Account
3360c01e-c8c0-4812-96a2-a6329b9b7f9f|High|Insecure Defaults|No role nor cluster role should bind to a default service account|Documentation
| -|Security Group With Unrestricted Access To SSH
65905cec-d691-4320-b320-2000436cb696|High|Networking and Firewall|SSH' (TCP:22) should not be public in AWS Security Group|Documentation
| +|DB Security Group With Public Scope
1e0ef61b-ad85-4518-a3d3-85eaad164885|High|Networking and Firewall|The IP address in a DB Security Group must not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6).|Documentation
| +|Sensitive Port Is Exposed To Entire Network
381c3f2a-ef6f-4eff-99f7-b169cda3422c|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol|Documentation
| +|EC2 Instance Has Public IP
5a2486aa-facf-477d-a5c1-b010789459ce|High|Networking and Firewall|EC2 Instance should not have a public IP address.|Documentation
| |HTTP Port Open
ffac8a12-322e-42c1-b9b9-81ff85c39ef7|High|Networking and Firewall|The HTTP port is open in a Security Group|Documentation
| |DB Security Group Open To Large Scope
4f615f3e-fb9c-4fad-8b70-2e9f781806ce|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts.|Documentation
| -|EC2 Instance Has Public IP
5a2486aa-facf-477d-a5c1-b010789459ce|High|Networking and Firewall|EC2 Instance should not have a public IP address.|Documentation
| -|Route53 Record Undefined
25db74bf-fa3b-44da-934e-8c3e005c0453|High|Networking and Firewall|Check if Record is set|Documentation
| |EKS Cluster Has Public Access CIDRs
61cf9883-1752-4768-b18c-0d57f2737709|High|Networking and Firewall|Amazon EKS public endpoint is enables and accessible to all: 0.0.0.0/0"|Documentation
| -|Sensitive Port Is Exposed To Entire Network
381c3f2a-ef6f-4eff-99f7-b169cda3422c|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol|Documentation
| -|Default Security Groups With Unrestricted Traffic
46883ce1-dc3e-4b17-9195-c6a601624c73|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic.|Documentation
| |Unknown Port Exposed To Internet
590d878b-abdc-428f-895a-e2b68a0e1998|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet|Documentation
| +|Default Security Groups With Unrestricted Traffic
46883ce1-dc3e-4b17-9195-c6a601624c73|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic.|Documentation
| +|Security Group With Unrestricted Access To SSH
65905cec-d691-4320-b320-2000436cb696|High|Networking and Firewall|SSH' (TCP:22) should not be public in AWS Security Group|Documentation
| |Unrestricted Security Group Ingress
4728cd65-a20c-49da-8b31-9c08b423e4db|High|Networking and Firewall|Security groups allow ingress from 0.0.0.0:0|Documentation
| |Remote Desktop Port Open
151187cb-0efc-481c-babd-ad24e3c9bc22|High|Networking and Firewall|The Remote Desktop port is open in a Security Group|Documentation
| |ALB Listening on HTTP
de7f5e83-da88-4046-871f-ea18504b1d43|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP|Documentation
| -|DB Security Group With Public Scope
1e0ef61b-ad85-4518-a3d3-85eaad164885|High|Networking and Firewall|The IP address in a DB Security Group must not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6).|Documentation
| -|SSH Is Exposed To The Internet
3e3c175e-aadf-4e2b-a464-3fdac5748d24|High|Networking and Firewall|Port 22 (SSH) is exposed to the internet|Documentation
| -|Redis Publicly Accessible
5089d055-53ff-421b-9482-a5267bdce629|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from other Azure sources|Documentation
| -|SQLServer Ingress From Any IP
25c0ea09-f1c5-4380-b055-3b83863f2bb8|High|Networking and Firewall|Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255.|Documentation
| -|Public Storage Account
17f75827-0684-48f4-8747-61129c7e4198|High|Networking and Firewall|Check if 'network_rules' is open to public.|Documentation
| +|Route53 Record Undefined
25db74bf-fa3b-44da-934e-8c3e005c0453|High|Networking and Firewall|Check if Record is set|Documentation
| |Sensitive Port Is Exposed To Entire Network
594c198b-4d79-41b8-9b36-fde13348b619|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol|Documentation
| -|Redis Entirely Accessible
fd8da341-6760-4450-b26c-9f6d8850575e|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from the Internet|Documentation
| +|CosmosDB Account IP Range Filter Not Set
c2a3efb6-8a58-481c-82f2-bfddf34bb4b7|High|Networking and Firewall|The Ip Range Must Contain Ips|Documentation
| |RDP Is Exposed To The Internet
efbf6449-5ec5-4cfe-8f15-acc51e0d787c|High|Networking and Firewall|Port 3389 (Remote Desktop) is exposed to the internet|Documentation
| +|Redis Entirely Accessible
fd8da341-6760-4450-b26c-9f6d8850575e|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from the Internet|Documentation
| +|SSH Is Exposed To The Internet
3e3c175e-aadf-4e2b-a464-3fdac5748d24|High|Networking and Firewall|Port 22 (SSH) is exposed to the internet|Documentation
| +|SQLServer Ingress From Any IP
25c0ea09-f1c5-4380-b055-3b83863f2bb8|High|Networking and Firewall|Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255.|Documentation
| +|Redis Publicly Accessible
5089d055-53ff-421b-9482-a5267bdce629|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from other Azure sources|Documentation
| +|KMS Key With No Deletion Window
0b530315-0ea4-497f-b34c-4ff86268f59d|High|Observability|AWS KMS Key should have a valid deletion window|Documentation
| |CloudTrail Log Files Not Encrypted
5d9e3164-9265-470c-9a10-57ae454ac0c7|High|Observability|Logs delivered by CloudTrail should be encrypted using KMS|Documentation
| -|Configuration Aggregator to All Regions Disabled
ac5a0bc0-a54c-45aa-90c3-15f7703b9132|High|Observability|AWS Config Configuration Aggregator All Regions must be set to True|Documentation
| |CloudTrail Logging Disabled
4bb76f17-3d63-4529-bdca-2b454529d774|High|Observability|Checks if logging is enabled for CloudTrail.|Documentation
| -|KMS Key With No Deletion Window
0b530315-0ea4-497f-b34c-4ff86268f59d|High|Observability|AWS KMS Key should have a valid deletion window|Documentation
| -|Vault Auditing Disabled
38c71c00-c177-4cd7-8d36-cd1007cdb190|High|Observability|Ensure that logging for Azure KeyVault is 'Enabled'|Documentation
| -|Stackdriver Logging Disabled
4c7ebcb2-eae2-461e-bc83-456ee2d4f694|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must be defined and different from 'none'|Documentation
| -|Object Versioning Not Enabled
e7e961ac-d17e-4413-84bc-8a1fbe242944|High|Observability|Object Versioning Not Enabled on Cloud Storage Bucket|Documentation
| +|Configuration Aggregator to All Regions Disabled
ac5a0bc0-a54c-45aa-90c3-15f7703b9132|High|Observability|AWS Config Configuration Aggregator All Regions must be set to True|Documentation
| |Cloud Storage Bucket Logging Not Enabled
d6cabc3a-d57e-48c2-b341-bf3dd4f4a120|High|Observability|Cloud storage bucket with logging not enabled|Documentation
| |Stackdriver Monitoring Disabled
30e8dfd2-3591-4d19-8d11-79e93106c93d|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must be defined and different than 'none'|Documentation
| |IAM Audit Not Properly Configured
89fe890f-b480-460c-8b6b-7d8b1468adb4|High|Observability|Audit Logging Configuration is defective|Documentation
| -|SQL Database Audit Disabled
83a229ba-483e-47c6-8db7-dc96969bce5a|High|Resource Management|Ensure that 'Threat Detection' is enabled for Azure SQL Database|Documentation
| +|Stackdriver Logging Disabled
4c7ebcb2-eae2-461e-bc83-456ee2d4f694|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must be defined and different from 'none'|Documentation
| +|Object Versioning Not Enabled
e7e961ac-d17e-4413-84bc-8a1fbe242944|High|Observability|Object Versioning Not Enabled on Cloud Storage Bucket|Documentation
| +|Vault Auditing Disabled
38c71c00-c177-4cd7-8d36-cd1007cdb190|High|Observability|Ensure that logging for Azure KeyVault is 'Enabled'|Documentation
| |Node Auto Upgrade Disabled
b139213e-7d24-49c2-8025-c18faa21ecaa|High|Resource Management|Node 'auto_upgrade' should be enabled for Kubernetes Clusters|Documentation
| -|S3 Bucket SSE Disabled
ad03cb46-f174-4674-bf8e-2880a7000edd|High|Secret Management|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required|Documentation
| -|EFS Without KMS
25d251f3-f348-4f95-845c-1090e41a615c|High|Secret Management|Elastic File System (EFS) must have KMS Key ID|Documentation
| +|SQL Database Audit Disabled
83a229ba-483e-47c6-8db7-dc96969bce5a|High|Resource Management|Ensure that 'Threat Detection' is enabled for Azure SQL Database|Documentation
| |Key Expiration Not Set
4d080822-5ee2-49a4-8984-68f3d4c890fc|High|Secret Management|Make sure that for all keys the expiration date is set|Documentation
| |Key Vault Logging Disabled
bb2d6cbc-b3af-4da7-9b1c-d91652dd9ead|High|Secret Management|Logging for Azure Key Vault is disabled|Documentation
| |Secret Expiration Not Set
dfa20ffa-f476-428f-a490-424b41e91c7f|High|Secret Management|Make sure that for all secrets the expiration date is set|Documentation
| |S3 Bucket Allows Public ACL
d0cc8694-fcad-43ff-ac86-32331d7e867f|Medium|Access Control|S3 bucket allows public ACL|Documentation
| -|API Gateway Method Does Not Contains An API Key
671211c5-5d2a-4e97-8867-30fc28b02216|Medium|Access Control|An API Key should be required on a method request.|Documentation
| -|SNS Topic Publicity Has Allow and NotAction Simultaneously
5ea624e4-c8b1-4bb3-87a4-4235a776adcc|Medium|Access Control|SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'.|Documentation
| -|IAM Access Key Is Exposed
7081f85c-b94d-40fd-8b45-a4f1cac75e46|Medium|Access Control|Check if IAM Access Key is active for some user besides 'root'|Documentation
| +|AMI Shared With Multiple Accounts
ba4e0031-3e9d-4d7d-b0d6-bd8f003f8698|Medium|Access Control|Limits access to AWS AMIs by checking if more than one account is using the same image|Documentation
| +|SNS Topic is Publicly Accessible For Subscription
b26d2b7e-60f6-413d-a3a1-a57db24aa2b3|Medium|Access Control|This query checks if SNS Topic is Accessible For Subscription|Documentation
| |ECR Repository Is Publicly Accessible
e86e26fc-489e-44f0-9bcd-97305e4ba69a|Medium|Access Control|Amazon ECR image repositories shouldn't have public access|Documentation
| +|API Gateway Method Does Not Contains An API Key
671211c5-5d2a-4e97-8867-30fc28b02216|Medium|Access Control|An API Key should be required on a method request.|Documentation
| |SQS Policy With Public Access
730675f9-52ed-49b6-8ead-0acb5dd7df7f|Medium|Access Control|SQS policy with public access|Documentation
| +|IAM Access Key Is Exposed
7081f85c-b94d-40fd-8b45-a4f1cac75e46|Medium|Access Control|Check if IAM Access Key is active for some user besides 'root'|Documentation
| +|SNS Topic Publicity Has Allow and NotAction Simultaneously
5ea624e4-c8b1-4bb3-87a4-4235a776adcc|Medium|Access Control|SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'.|Documentation
| |Lambda Permission Principal Is Wildcard
e08ed7eb-f3ef-494d-9d22-2e3db756a347|Medium|Access Control|Lambda Permission Principal should not contain a wildcard.|Documentation
| -|AMI Shared With Multiple Accounts
ba4e0031-3e9d-4d7d-b0d6-bd8f003f8698|Medium|Access Control|Limits access to AWS AMIs by checking if more than one account is using the same image|Documentation
| -|IAM Policies With Full Privileges
2f37c4a3-58b9-4afe-8a87-d7f1d2286f84|Medium|Access Control|IAM policies that allow full administrative privileges (for all resources)|Documentation
| -|SQS Policy Allows All Actions
816ea8cf-d589-442d-a917-2dd0ce0e45e3|Medium|Access Control|SQS policy allows ALL (*) actions|Documentation
| |IAM Policy Grants Full Permissions
575a2155-6af1-4026-b1af-d5bc8fe2a904|Medium|Access Control|IAM policies allow all ('*') in a statement action|Documentation
| -|SNS Topic is Publicly Accessible For Subscription
b26d2b7e-60f6-413d-a3a1-a57db24aa2b3|Medium|Access Control|This query checks if SNS Topic is Accessible For Subscription|Documentation
| -|Default Network Access is Allowed
9be09caf-2ba4-4fa9-9787-a670dc32c639|Medium|Access Control|Default Network Access rule for Storage Accounts must be set to deny, which means the attribute 'default_action' must be 'Deny'|Documentation
| -|AKS RBAC Disabled
86f92117-eed8-4614-9c6c-b26da20ff37f|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled|Documentation
| -|RBAC Roles with Read Secrets Permissions
826abb30-3cd5-4e0b-a93b-67729b4f7e63|Medium|Access Control|Minimize access to secrets (RBAC)|Documentation
| +|SQS Policy Allows All Actions
816ea8cf-d589-442d-a917-2dd0ce0e45e3|Medium|Access Control|SQS policy allows ALL (*) actions|Documentation
| +|Google Project IAM Member Service Account has Token Creator or Account User Role
c68b4e6d-4e01-4ca1-b256-1e18e875785c|Medium|Access Control|Verifies if Google Poject IAM Member Service Account doesn't have a Account User or Token Creator associated|Documentation
| |Google Project IAM Member Service Account Has Admin Role
84d36481-fd63-48cb-838e-635c44806ec2|Medium|Access Control|Verifies that Google Project IAM Member Service Account doesn't have an Admin Role associated|Documentation
| |Google Project IAM Binding Service Account has Token Creator or Account User Role
617ef6ff-711e-4bd7-94ae-e965911b1b40|Medium|Access Control|Verifies if Google Project IAM Binding Service Account doesn't have an Account User or Token Creator Role associated|Documentation
| -|Google Project IAM Member Service Account has Token Creator or Account User Role
c68b4e6d-4e01-4ca1-b256-1e18e875785c|Medium|Access Control|Verifies if Google Poject IAM Member Service Account doesn't have a Account User or Token Creator associated|Documentation
| |Cloud Storage Anonymous or Publicly Accessible
a6cd52a1-3056-4910-96a5-894de9f3f3b3|Medium|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'members' must not possess 'allUsers' or 'allAuthenticatedUsers'|Documentation
| +|RBAC Roles with Read Secrets Permissions
826abb30-3cd5-4e0b-a93b-67729b4f7e63|Medium|Access Control|Minimize access to secrets (RBAC)|Documentation
| +|AKS RBAC Disabled
86f92117-eed8-4614-9c6c-b26da20ff37f|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled|Documentation
| |ElastiCache Nodes Not Created Across Multi AZ
6db03a91-f933-4f13-ab38-a8b87a7de54d|Medium|Availability|Check if ElastiCache nodes are not being created across multi AZ|Documentation
| |ECS Service Without Running Tasks
91f16d09-689e-4926-aca7-155157f634ed|Medium|Availability|ECS Service should have at least 1 task running|Documentation
| |Liveness Probe Is Not Defined
5b6d53dd-3ba3-4269-b4d7-f82e880e43c3|Medium|Availability|Liveness Probe must be defined|Documentation
| |RDS With Backup Disabled
1dc73fb4-5b51-430c-8c5f-25dcf9090b02|Medium|Backup|RDS configured without backup|Documentation
| |Stack Retention Disabled
6e0e2f68-3fd9-4cd8-a5e4-e2213ef0df97|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction|Documentation
| -|IAM Password Without Minimum Length
1bc1c685-e593-450e-88fb-19db4c82aa1d|Medium|Best Practices|Check if IAM account password has the required minimum length|Documentation
| |Password Without Reuse Prevention
89806cdc-9c2e-4bd1-a0dc-53f339bcfb2a|Medium|Best Practices|Check if IAM account password has the reuse password configured with 24|Documentation
| +|Misconfigured Password Policy Expiration
ce60d060-efb8-4bfd-9cf7-ff8945d00d90|Medium|Best Practices|No password expiration policy|Documentation
| |IAM Password Without Symbol
7a70eed6-de3a-4da2-94da-a2bbc8fe2a48|Medium|Best Practices|Check if IAM account password has the required symbols|Documentation
| |Cognito UserPool Without MFA
ec28bf61-a474-4dbe-b414-6dd3a067d6f0|Medium|Best Practices|AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users|Documentation
| -|Misconfigured Password Policy Expiration
ce60d060-efb8-4bfd-9cf7-ff8945d00d90|Medium|Best Practices|No password expiration policy|Documentation
| +|IAM Password Without Minimum Length
1bc1c685-e593-450e-88fb-19db4c82aa1d|Medium|Best Practices|Check if IAM account password has the required minimum length|Documentation
| +|SQL Server Predictable Active Directory Account Name
bcd3fc01-5902-4f2a-b05a-227f9bbf5450|Medium|Best Practices|Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'login' must be set to a name that is not easy to predict|Documentation
| +|SQL Server Predictable Admin Account Name
2ab6de9a-0136-415c-be92-79d2e4fd750f|Medium|Best Practices|Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'administrator_login' must be set to a name that is not easy to predict|Documentation
| +|Unrestricted SQL Server Access
d7ba74da-2da0-4d4b-83c8-2fd72a3f6c28|Medium|Best Practices|Azure SQL Server Accessibility must be set to a minimal address range, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' must be lesser than 256. Additionally, both ips must be different from '0.0.0.0'|Documentation
| |Stack Without Template
91bea7b8-0c31-4863-adc9-93f6177266c4|Medium|Build Process|AWS CloudFormation should have a template defined through the attribute template_url or attribute template_body|Documentation
| |Incorrect Volume Claim Access Mode ReadWriteOnce
26b047a9-0329-48fd-8fb7-05bbe5ba80ee|Medium|Build Process|Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce'|Documentation
| +|Cosmos DB Account Without Tags
56dad03e-e94f-4dd6-93a4-c253a03ff7a0|Medium|Build Process|Cosmos DB Account must have a mapping of tags.|Documentation
| |Github Organization Webhook With SSL Disabled
ce7c874e-1b88-450b-a5e4-cb76ada3c8a9|Medium|Encryption|Check if insecure SSL is being used in the GitHub organization webhooks|Documentation
| -|ElasticSearch Encryption With KMS Disabled
7af2f4a3-00d9-47f3-8d15-ca0888f4e5b2|Medium|Encryption|Check if any ElasticSearch domain isn't encrypted with KMS|Documentation
| +|EBS Volume Encryption Disabled
cc997676-481b-4e93-aa81-d19f8c5e9b12|Medium|Encryption|The value on AWS EBS Volume Cluster Encryption must be true|Documentation
| +|ElasticSearch Not Encrypted At Rest
24e16922-4330-4e9d-be8a-caa90299466a|Medium|Encryption|Check if ElasticSearch encryption is disabled at Rest|Documentation
| +|AmazonMQ Broker Encryption Disabled
3db3f534-e3a3-487f-88c7-0a9fbf64b702|Medium|Encryption|AmazonMQ Broker should have Encryption Options defined|Documentation
| |API Gateway Without Content Encoding
ed35928e-195c-4405-a252-98ccb664ab7b|Medium|Encryption|Enable Content Encoding through the attribute 'minimum_compression_size'. This value should be greater than -1 and smaller than 10485760|Documentation
| |Config Rule For Encrypted Volumes Disabled
abdb29d4-5ca1-4e91-800b-b3569bbd788c|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source.|Documentation
| -|AmazonMQ Broker Encryption Disabled
3db3f534-e3a3-487f-88c7-0a9fbf64b702|Medium|Encryption|AmazonMQ Broker should have Encryption Options defined|Documentation
| -|Unscanned ECR Image
9630336b-3fed-4096-8173-b9afdfe346a7|Medium|Encryption|Checks if the ECR Image has been scanned|Documentation
| -|ElasticSearch Not Encrypted At Rest
24e16922-4330-4e9d-be8a-caa90299466a|Medium|Encryption|Check if ElasticSearch encryption is disabled at Rest|Documentation
| |Neptune Database Cluster Encryption Disabled
98d59056-f745-4ef5-8613-32bca8d40b7e|Medium|Encryption|Check if Neptune Cluster Storage is securely encrypted|Documentation
| -|Redis Cache Allows Non SSL Connections
e29a75e6-aba3-4896-b42d-b87818c16b58|Medium|Encryption|Check if any Redis Cache resource allows non-SSL connections.|Documentation
| -|Storage Account Not Using Latest TLS Encryption Version
8263f146-5e03-43e0-9cfe-db960d56d1e7|Medium|Encryption|Ensure Storage Account is using the latest version of TLS encryption|Documentation
| -|Encryption On Managed Disk Disabled
a99130ab-4c0e-43aa-97f8-78d4fcb30024|Medium|Encryption|Ensure that the encryption is active on the disk|Documentation
| -|High Google KMS Crypto Key Rotation Period
d8c57c4e-bf6f-4e32-a2bf-8643532de77b|Medium|Encryption|Make sure Encryption keys change after 90 days|Documentation
| +|ElasticSearch Encryption With KMS Disabled
7af2f4a3-00d9-47f3-8d15-ca0888f4e5b2|Medium|Encryption|Check if any ElasticSearch domain isn't encrypted with KMS|Documentation
| +|Unscanned ECR Image
9630336b-3fed-4096-8173-b9afdfe346a7|Medium|Encryption|Checks if the ECR Image has been scanned|Documentation
| |VM CSEK Encryption Disabled
b1d51728-7270-4991-ac2f-fc26e2695b38|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK), which means the attribute 'disk_encryption_key' must be defined and its sub attribute 'sha256' must also be defined and not empty|Documentation
| +|High Google KMS Crypto Key Rotation Period
d8c57c4e-bf6f-4e32-a2bf-8643532de77b|Medium|Encryption|Make sure Encryption keys change after 90 days|Documentation
| |Google Compute SSL Policy Weak Cipher In Use
14a457f0-473d-4d1d-9e37-6d99b355b336|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers|Documentation
| +|Encryption On Managed Disk Disabled
a99130ab-4c0e-43aa-97f8-78d4fcb30024|Medium|Encryption|Ensure that the encryption is active on the disk|Documentation
| +|Storage Account Not Using Latest TLS Encryption Version
8263f146-5e03-43e0-9cfe-db960d56d1e7|Medium|Encryption|Ensure Storage Account is using the latest version of TLS encryption|Documentation
| +|Redis Cache Allows Non SSL Connections
e29a75e6-aba3-4896-b42d-b87818c16b58|Medium|Encryption|Check if any Redis Cache resource allows non-SSL connections.|Documentation
| |GitHub Repository Set To Public
15d8a7fd-465a-4d15-a868-add86552f17b|Medium|Insecure Configurations|Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private')|Documentation
| -|Public Lambda via API Gateway
3ef8696c-e4ae-4872-92c7-520bb44dfe77|Medium|Insecure Configurations|Allowing to run lambda function using public API Gateway|Documentation
| -|Instance With No VPC
a31a5a29-718a-4ff4-8001-a69e5e4d029e|Medium|Insecure Configurations|Instance should be configured in VPC (Virtual Private Cloud)|Documentation
| -|IAM Password Without Lowercase Letter
bbc7c137-6c7b-4fc4-984a-0c88e91fcaf9|Medium|Insecure Configurations|Check if IAM account password has at least one lowercase letter|Documentation
| +|AWS Password Policy With Unchangeable Passwords
9ef7d25d-9764-4224-9968-fa321c56ef76|Medium|Insecure Configurations|Unchangeable passwords in AWS password policy|Documentation
| |IAM Password Without Uppercase Letter
c5ff7bc9-d8ea-46dd-81cb-8286f3222249|Medium|Insecure Configurations|Check if IAM account password has at least one uppercase letter|Documentation
| +|API Gateway With Open Access
15ccec05-5476-4890-ad19-53991eba1db8|Medium|Insecure Configurations|API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method.|Documentation
| |API Gateway Without SSL Certificate
0b4869fc-a842-4597-aa00-1294df425440|Medium|Insecure Configurations|SSL Client Certificate should be enabled in aws_api_gateway_stage resource|Documentation
| -|Lambda Function Without Tags
875b86b1-7fd4-4728-9a18-de63d87ad82f|Medium|Insecure Configurations|AWS Lambda Functions must have associated tags.|Documentation
| -|AWS Password Policy With Unchangeable Passwords
9ef7d25d-9764-4224-9968-fa321c56ef76|Medium|Insecure Configurations|Unchangeable passwords in AWS password policy|Documentation
| |ECR Image Tag Not Immutable
d1846b12-20c5-4d45-8798-fc35b79268eb|Medium|Insecure Configurations|ECR should have an image tag be immutable|Documentation
| -|EKS Cluster Has Public Access
42f4b905-3736-4213-bfe9-c0660518cda8|Medium|Insecure Configurations|Amazon EKS public endpoint shoud be set to false|Documentation
| |Service Control Policies Disabled
5ba6229c-8057-433e-91d0-21cf13569ca9|Medium|Insecure Configurations|Check if the Amazon Organizations' policies ensure that all features are enabled to achieve full control over the use of AWS services and actions across multiple AWS accounts using Service Control Policies (SCPs).|Documentation
| +|EKS Cluster Has Public Access
42f4b905-3736-4213-bfe9-c0660518cda8|Medium|Insecure Configurations|Amazon EKS public endpoint shoud be set to false|Documentation
| +|Lambda Function Without Tags
875b86b1-7fd4-4728-9a18-de63d87ad82f|Medium|Insecure Configurations|AWS Lambda Functions must have associated tags.|Documentation
| +|Instance With No VPC
a31a5a29-718a-4ff4-8001-a69e5e4d029e|Medium|Insecure Configurations|Instance should be configured in VPC (Virtual Private Cloud)|Documentation
| +|IAM Password Without Lowercase Letter
bbc7c137-6c7b-4fc4-984a-0c88e91fcaf9|Medium|Insecure Configurations|Check if IAM account password has at least one lowercase letter|Documentation
| |MQ Broker Is Publicly Accessible
4eb5f791-c861-4afd-9f94-f2a6a3fe49cb|Medium|Insecure Configurations|Check if any MQ Broker is not publicly accessible|Documentation
| -|API Gateway With Open Access
15ccec05-5476-4890-ad19-53991eba1db8|Medium|Insecure Configurations|API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method.|Documentation
| -|Security Center Pricing Tier Is Not Standard
819d50fd-1cdf-45c3-9936-be408aaad93e|Medium|Insecure Configurations|Make sure that the 'Standard' pricing tiers were selected.|Documentation
| -|Cosmos DB Account Without Tags
56dad03e-e94f-4dd6-93a4-c253a03ff7a0|Medium|Insecure Configurations|Cosmos DB Account must have a mapping of tags.|Documentation
| -|Small Flow Logs Retention Period
7750fcca-dd03-4d38-b663-4b70289bcfd4|Medium|Insecure Configurations|Flow logs enable capturing information about IP traffic flowing in and out of the network security groups. Network Security Group Flow Logs must be enabled with retention period greater than or equal to 90 days. This is important, because these logs are used to check for anomalies and give information of suspected breaches|Documentation
| -|Security Group is Not Configured
5c822443-e1ea-46b8-84eb-758ec602e844|Medium|Insecure Configurations|Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty|Documentation
| -|AKS Network Policy Misconfigured
f5342045-b935-402d-adf1-8dbbd09c0eef|Medium|Insecure Configurations|Check if the Azure Kubernetes Service doesn't have the proper network policy configuration.|Documentation
| -|SQL Server Predictable Admin Account Name
2ab6de9a-0136-415c-be92-79d2e4fd750f|Medium|Insecure Configurations|Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'administrator_login' must be set to a name that is not easy to predict|Documentation
| -|SQL Server Predictable Active Directory Account Name
bcd3fc01-5902-4f2a-b05a-227f9bbf5450|Medium|Insecure Configurations|Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'login' must be set to a name that is not easy to predict|Documentation
| -|NET_RAW Capabilities Disabled for PSP
9aa32890-ac1a-45ee-81ca-5164e2098556|Medium|Insecure Configurations|Containers need to have NET_RAW or All as drop capabilities|Documentation
| -|Workload Mounting With Sensitive OS Directory
a737be28-37d8-4bff-aa6d-1be8aa0a0015|Medium|Insecure Configurations|Workload is mounting a volume with sensitive OS Directory|Documentation
| -|Container Runs Unmasked
0ad60203-c050-4115-83b6-b94bde92541d|Medium|Insecure Configurations|Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime.|Documentation
| -|Default Service Account In Use
737a0dd9-0aaa-4145-8118-f01778262b8a|Medium|Insecure Configurations|Default service accounts should not be actively used|Documentation
| -|Using Default Namespace
abcb818b-5af7-4d72-aba9-6dd84956b451|Medium|Insecure Configurations|The default namespace should not be used|Documentation
| -|Serial Ports Are Enabled For VM Instances
97fa667a-d05b-4f16-9071-58b939f34751|Medium|Insecure Configurations|Check if VM instance enables serial ports|Documentation
| -|Google Storage Bucket Level Access Enabled
bb0db090-5509-4853-a827-75ced0b3caa0|Medium|Insecure Configurations|Validates if the Google Storage Bucket Level Access is Enabled|Documentation
| -|Google Project Auto Create Network Disabled
59571246-3f62-4965-a96f-c7d97e269351|Medium|Insecure Configurations|Verifies if the Google Project Auto Create Network is Disabled|Documentation
| -|OSLogin Is Disabled For VM Instance
d0b4d550-c001-46c3-bbdb-d5d75d33f05f|Medium|Insecure Configurations|Check if any VM instance disables OSLogin|Documentation
| -|Project-wide SSH Keys Are Enabled In VM Instances
3e4d5ce6-3280-4027-8010-c26eeea1ec01|Medium|Insecure Configurations|Check if SSH keys are enabled project-wide in VM instances|Documentation
| +|Public Lambda via API Gateway
3ef8696c-e4ae-4872-92c7-520bb44dfe77|Medium|Insecure Configurations|Allowing to run lambda function using public API Gateway|Documentation
| |Using Default Service Account
3cb4af0b-056d-4fb1-8b95-fdc4593625ff|Medium|Insecure Configurations|Instances must not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account' and its sub attribute 'email' must be defined. Additionally, 'email' must not be empty and must also not be a default Google Compute Engine service account.|Documentation
| -|Cloud DNS without DNSSEC
5ef61c88-bbb4-4725-b1df-55d23c9676bb|Medium|Insecure Configurations|Cloud DNS without DNSSEC|Documentation
| +|Google Storage Bucket Level Access Enabled
bb0db090-5509-4853-a827-75ced0b3caa0|Medium|Insecure Configurations|Validates if the Google Storage Bucket Level Access is Enabled|Documentation
| |Shielded VM Disabled
1b44e234-3d73-41a8-9954-0b154135280e|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true|Documentation
| +|Project-wide SSH Keys Are Enabled In VM Instances
3e4d5ce6-3280-4027-8010-c26eeea1ec01|Medium|Insecure Configurations|Check if SSH keys are enabled project-wide in VM instances|Documentation
| |Google Container Node Pool Auto Repair Disabled
acfdbec6-4a17-471f-b412-169d77553332|Medium|Insecure Configurations|Verifies if Google Container Node Pool Auto Repair is Enabled|Documentation
| -|Container Host Pid Is True
587d5d82-70cf-449b-9817-f60f9bccb88c|Medium|Insecure Configurations|Minimize the admission of containers wishing to share the host process ID namespace|Documentation
| -|PSP With Added Capabilities
48388bd2-7201-4dcc-b56d-e8a9efa58fad|Medium|Insecure Configurations|PodSecurityPolicy should not have added capabilities|Documentation
| +|Google Project Auto Create Network Disabled
59571246-3f62-4965-a96f-c7d97e269351|Medium|Insecure Configurations|Verifies if the Google Project Auto Create Network is Disabled|Documentation
| +|Serial Ports Are Enabled For VM Instances
97fa667a-d05b-4f16-9071-58b939f34751|Medium|Insecure Configurations|Check if VM instance enables serial ports|Documentation
| +|Cloud DNS without DNSSEC
5ef61c88-bbb4-4725-b1df-55d23c9676bb|Medium|Insecure Configurations|Cloud DNS without DNSSEC|Documentation
| +|OSLogin Is Disabled For VM Instance
d0b4d550-c001-46c3-bbdb-d5d75d33f05f|Medium|Insecure Configurations|Check if any VM instance disables OSLogin|Documentation
| +|NET_RAW Capabilities Disabled for PSP
9aa32890-ac1a-45ee-81ca-5164e2098556|Medium|Insecure Configurations|Containers need to have NET_RAW or All as drop capabilities|Documentation
| +|Using Default Namespace
abcb818b-5af7-4d72-aba9-6dd84956b451|Medium|Insecure Configurations|The default namespace should not be used|Documentation
| +|Default Service Account In Use
737a0dd9-0aaa-4145-8118-f01778262b8a|Medium|Insecure Configurations|Default service accounts should not be actively used|Documentation
| +|Container Runs Unmasked
0ad60203-c050-4115-83b6-b94bde92541d|Medium|Insecure Configurations|Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime.|Documentation
| +|Workload Mounting With Sensitive OS Directory
a737be28-37d8-4bff-aa6d-1be8aa0a0015|Medium|Insecure Configurations|Workload is mounting a volume with sensitive OS Directory|Documentation
| +|Container Resources Limits Undefined
60af03ff-a421-45c8-b214-6741035476fa|Medium|Insecure Configurations|Kubernetes container should have resource limitations defined such as CPU and memory|Documentation
| +|Ingress Controller Exposes Workload
e2c83c1f-84d7-4467-966c-ed41fd015bb9|Medium|Insecure Configurations|Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks|Documentation
| |Containers With Added Capabilities
fe771ff7-ba15-4f8f-ad7a-8aa232b49a28|Medium|Insecure Configurations|Kubernetes Pod should not have extra capabilities allowed|Documentation
| +|PSP With Added Capabilities
48388bd2-7201-4dcc-b56d-e8a9efa58fad|Medium|Insecure Configurations|PodSecurityPolicy should not have added capabilities|Documentation
| |PSP Set To Privileged
a6a4d4fc-4e8f-47d1-969f-e9d4a084f3b9|Medium|Insecure Configurations|Do not allow pod to request execution as privileged|Documentation
| |PSP Allows Sharing Host IPC
51bed0ac-a8ae-407a-895e-90c6cb0610ce|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host IPC namespace|Documentation
| -|Containers With Sys Admin Capabilities
3f55386d-75cd-4e9a-ac47-167b26c04724|Medium|Insecure Configurations|Containers should not have CAP_SYS_ADMIN Linux capability|Documentation
| |Seccomp Profile Is Not Configured
455f2e0c-686d-4fcb-8b5f-3f953f12c43c|Medium|Insecure Configurations|Check if any resource does not configure Seccomp default profile properly|Documentation
| -|Ingress Controller Exposes Workload
e2c83c1f-84d7-4467-966c-ed41fd015bb9|Medium|Insecure Configurations|Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks|Documentation
| -|Container Resources Limits Undefined
60af03ff-a421-45c8-b214-6741035476fa|Medium|Insecure Configurations|Kubernetes container should have resource limitations defined such as CPU and memory|Documentation
| +|Container Host Pid Is True
587d5d82-70cf-449b-9817-f60f9bccb88c|Medium|Insecure Configurations|Minimize the admission of containers wishing to share the host process ID namespace|Documentation
| |PSP Allows Privilege Escalation
2bff9906-4e9b-4f71-9346-8ebedfdf43ef|Medium|Insecure Configurations|PodSecurityPolicy should not allow privilege escalation|Documentation
| +|Containers With Sys Admin Capabilities
3f55386d-75cd-4e9a-ac47-167b26c04724|Medium|Insecure Configurations|Containers should not have CAP_SYS_ADMIN Linux capability|Documentation
| +|AKS Network Policy Misconfigured
f5342045-b935-402d-adf1-8dbbd09c0eef|Medium|Insecure Configurations|Check if the Azure Kubernetes Service doesn't have the proper network policy configuration.|Documentation
| +|Small Flow Logs Retention Period
7750fcca-dd03-4d38-b663-4b70289bcfd4|Medium|Insecure Configurations|Flow logs enable capturing information about IP traffic flowing in and out of the network security groups. Network Security Group Flow Logs must be enabled with retention period greater than or equal to 90 days. This is important, because these logs are used to check for anomalies and give information of suspected breaches|Documentation
| +|Security Center Pricing Tier Is Not Standard
819d50fd-1cdf-45c3-9936-be408aaad93e|Medium|Insecure Configurations|Make sure that the 'Standard' pricing tiers were selected.|Documentation
| +|Security Group is Not Configured
5c822443-e1ea-46b8-84eb-758ec602e844|Medium|Insecure Configurations|Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty|Documentation
| |Service Account Name Undefined Or Empty
24b132df-5cc7-4823-8029-f898e1c50b72|Medium|Insecure Defaults|A Kubernetes Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'service_account_name' should be defined and not empty.|Documentation
| +|Default Network Access is Allowed
9be09caf-2ba4-4fa9-9787-a670dc32c639|Medium|Insecure Defaults|Default Network Access rule for Storage Accounts must be set to deny, which means the attribute 'default_action' must be 'Deny'|Documentation
| |API Gateway Endpoint Config is Not Private
6b2739db-9c49-4db7-b980-7816e0c248c1|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet|Documentation
| -|SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
54c417bf-c762-48b9-9d31-b3d87047e3f0|Medium|Networking and Firewall|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it.|Documentation
| -|Sensitive Port Is Exposed To Wide Private Network
92fe237e-074c-4262-81a4-2077acb928c1|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a wide private network in either TCP or UDP protocol|Documentation
| |Sensitive Port Is Exposed To Small Public Network
e35c16a2-d54e-419d-8546-a804d8e024d0|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a small public network in either TCP or UDP protocol|Documentation
| -|Sensitive Port Is Exposed To Wide Private Network
c6c7b33d-d7f6-4ab8-8c82-ca0431ecdb7e|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for wide private network in either TCP or UDP protocol|Documentation
| -|Firewall Rule Allows Too Many Hosts To Access Redis Cache
a829b715-cf75-4e92-b645-54c9b739edfb|Medium|Networking and Firewall|Check if any firewall rule allows too many hosts to access Redis Cache|Documentation
| -|WAF Is Disabled For Azure Application Gateway
2e48d91c-50e4-45c8-9312-27b625868a72|Medium|Networking and Firewall|Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway.|Documentation
| -|Sensitive Port Is Exposed To Small Public Network
e9dee01f-2505-4df2-b9bf-7804d1fd9082|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for small public network in either TCP or UDP protocol|Documentation
| -|Unrestricted SQL Server Access
d7ba74da-2da0-4d4b-83c8-2fd72a3f6c28|Medium|Networking and Firewall|Azure SQL Server Accessibility must be set to a minimal address range, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' must be lesser than 256. Additionally, both ips must be different from '0.0.0.0'|Documentation
| -|Service With External Load Balance
2a52567c-abb8-4651-a038-52fa27c77aed|Medium|Networking and Firewall|Service has an external load balancer, which may cause accessibility from other networks and the Internet|Documentation
| +|Sensitive Port Is Exposed To Wide Private Network
92fe237e-074c-4262-81a4-2077acb928c1|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a wide private network in either TCP or UDP protocol|Documentation
| +|SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
54c417bf-c762-48b9-9d31-b3d87047e3f0|Medium|Networking and Firewall|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it.|Documentation
| +|IP Forwarding Enabled
f34c0c25-47b4-41eb-9c79-249b4dd47b89|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true|Documentation
| |SSH Access Is Not Restricted
c4dcdcdf-10dd-4bf4-b4a0-8f6239e6aaa0|Medium|Networking and Firewall|Check if Google Firewall allows SSH access (port 22) from the Internet (public CIDR block)|Documentation
| |RDP Access Is Not Restricted
678fd659-96f2-454a-a2a0-c2571f83a4a3|Medium|Networking and Firewall|Check if Google Firewall ingress allows RDP access (port 3389)|Documentation
| -|IP Forwarding Enabled
f34c0c25-47b4-41eb-9c79-249b4dd47b89|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true|Documentation
| +|Service With External Load Balance
2a52567c-abb8-4651-a038-52fa27c77aed|Medium|Networking and Firewall|Service has an external load balancer, which may cause accessibility from other networks and the Internet|Documentation
| |Network Policy Is Not Targeting Any Pod
b80b14c6-aaa2-4876-b651-8a48b6c32fbf|Medium|Networking and Firewall|Check if any network policy is not targeting any pod.|Documentation
| -|CloudTrail Not Integrated With CloudWatch
17b30f8f-8dfb-4597-adf6-57600b6cf25e|Medium|Observability|CloudTrail should be integrated with CloudWatch|Documentation
| -|CloudTrail SNS Topic Name Undefined
482b7d26-0bdb-4b5f-bf6f-545826c0a3dd|Medium|Observability|Check if SNS topic name is set for CloudTrail|Documentation
| -|MSK Cluster Logging Disabled
2f56b7ab-7fba-4e93-82f0-247e5ddeb239|Medium|Observability|Ensure MSK Cluster Logging is enabled|Documentation
| +|Firewall Rule Allows Too Many Hosts To Access Redis Cache
a829b715-cf75-4e92-b645-54c9b739edfb|Medium|Networking and Firewall|Check if any firewall rule allows too many hosts to access Redis Cache|Documentation
| +|Sensitive Port Is Exposed To Small Public Network
e9dee01f-2505-4df2-b9bf-7804d1fd9082|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for small public network in either TCP or UDP protocol|Documentation
| +|Sensitive Port Is Exposed To Wide Private Network
c6c7b33d-d7f6-4ab8-8c82-ca0431ecdb7e|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for wide private network in either TCP or UDP protocol|Documentation
| +|WAF Is Disabled For Azure Application Gateway
2e48d91c-50e4-45c8-9312-27b625868a72|Medium|Networking and Firewall|Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway.|Documentation
| |Stack Notifications Disabled
b72d0026-f649-4c91-a9ea-15d8f681ac09|Medium|Observability|Enable AWS CloudFormation Stack Notifications|Documentation
| -|API Gateway X-Ray Disabled
5813ef56-fa94-406a-b35d-977d4a56ff2b|Medium|Observability|X-ray Tracing is not enabled|Documentation
| -|CloudWatch Logging Disabled
7dbba512-e244-42dc-98bb-422339827967|Medium|Observability|Check if CloudWatch logging is disabled for Route53 hosted zones|Documentation
| -|CloudWatch Without Retention Period Specified
ef0b316a-211e-42f1-888e-64efe172b755|Medium|Observability|AWS CloudWatch Log groups should have retention days specified|Documentation
| |API Gateway V2 Stage Access Logging Settings Not Defined
9111f9a5-6b80-40f9-bc82-c05f970779c3|Medium|Observability|API Gateway V2 Stage should have Access Logging Settings defined.|Documentation
| -|API Gateway With CloudWatch Logging Disabled
982aa526-6970-4c59-8b9b-2ce7e019fe36|Medium|Observability|AWS CloudWatch Logs for APIs is not enabled|Documentation
| -|CloudWatch Metrics Disabled
081069cb-588b-4ce1-884c-2a1ce3029fe5|Medium|Observability|Checks if CloudWatch Metrics is Enabled|Documentation
| +|CloudTrail SNS Topic Name Undefined
482b7d26-0bdb-4b5f-bf6f-545826c0a3dd|Medium|Observability|Check if SNS topic name is set for CloudTrail|Documentation
| +|GuardDuty Detector Disabled
704dadd3-54fc-48ac-b6a0-02f170011473|Medium|Observability|Make sure that Amazon GuardDuty is Enabled|Documentation
| +|API Gateway X-Ray Disabled
5813ef56-fa94-406a-b35d-977d4a56ff2b|Medium|Observability|X-ray Tracing is not enabled|Documentation
| +|Redshift Cluster Logging Disabled
15ffbacc-fa42-4f6f-a57d-2feac7365caa|Medium|Observability|Make sure Logging is enabled for Redshift Cluster|Documentation
| |VPC FlowLogs Disabled
f83121ea-03da-434f-9277-9cd247ab3047|Medium|Observability|VPC hasn't got any FlowLog associated|Documentation
| +|MQ Broker Logging Disabled
31245f98-a6a9-4182-9fc1-45482b9d030a|Medium|Observability|Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general).|Documentation
| +|CloudWatch Logging Disabled
7dbba512-e244-42dc-98bb-422339827967|Medium|Observability|Check if CloudWatch logging is disabled for Route53 hosted zones|Documentation
| +|CloudTrail Not Integrated With CloudWatch
17b30f8f-8dfb-4597-adf6-57600b6cf25e|Medium|Observability|CloudTrail should be integrated with CloudWatch|Documentation
| +|MSK Cluster Logging Disabled
2f56b7ab-7fba-4e93-82f0-247e5ddeb239|Medium|Observability|Ensure MSK Cluster Logging is enabled|Documentation
| |Elasticsearch Without Slow Logs
e979fcbc-df6c-422d-9458-c33d65e71c45|Medium|Observability|Ensure that AWS Elasticsearch enables support for slow logs|Documentation
| -|CloudTrail Multi Region Disabled
8173d5eb-96b5-4aa6-a71b-ecfa153c123d|Medium|Observability|Check if MultiRegion is Enabled|Documentation
| +|CloudWatch Metrics Disabled
081069cb-588b-4ce1-884c-2a1ce3029fe5|Medium|Observability|Checks if CloudWatch Metrics is Enabled|Documentation
| |Cloudfront Logging Disabled
94690d79-b3b0-43de-b656-84ebef5753e5|Medium|Observability|AWS Cloudfront distributions must be have logging enabled, which means the attribute 'logging_config' must be defined|Documentation
| -|Redshift Cluster Logging Disabled
15ffbacc-fa42-4f6f-a57d-2feac7365caa|Medium|Observability|Make sure Logging is enabled for Redshift Cluster|Documentation
| -|GuardDuty Detector Disabled
704dadd3-54fc-48ac-b6a0-02f170011473|Medium|Observability|Make sure that Amazon GuardDuty is Enabled|Documentation
| +|API Gateway With CloudWatch Logging Disabled
982aa526-6970-4c59-8b9b-2ce7e019fe36|Medium|Observability|AWS CloudWatch Logs for APIs is not enabled|Documentation
| +|S3 Bucket Without Versioning
568a4d22-3517-44a6-a7ad-6a7eed88722c|Medium|Observability|S3 bucket without versioning|Documentation
| +|CloudTrail Multi Region Disabled
8173d5eb-96b5-4aa6-a71b-ecfa153c123d|Medium|Observability|Check if MultiRegion is Enabled|Documentation
| +|CloudWatch Without Retention Period Specified
ef0b316a-211e-42f1-888e-64efe172b755|Medium|Observability|AWS CloudWatch Log groups should have retention days specified|Documentation
| |Default VPC Exists
96ed3526-0179-4c73-b1b2-372fde2e0d13|Medium|Observability|It isn't recommended to use resources in default VPC|Documentation
| -|MQ Broker Logging Disabled
31245f98-a6a9-4182-9fc1-45482b9d030a|Medium|Observability|Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general).|Documentation
| +|Google Compute Subnetwork Logging Disabled
40430747-442d-450a-a34f-dc57149f4609|Medium|Observability|This query checks if logs are enabled for a Google Compute Subnetwork resource.|Documentation
| +|Email Alerts Disabled
9db38e87-f6aa-4b5e-a1ec-7266df259409|Medium|Observability|Make sure that alerts notifications are set to 'On' in the Azure Security Center Contact|Documentation
| +|Small Activity Log Retention Period
2b856bf9-8e8c-4005-875f-303a8cba3918|Medium|Observability|Ensure that Activity Log Retention is set 365 days or greater|Documentation
| +|PostgreSQL Server Without Connection Throttling
2b3c671f-1b76-4741-8789-ed1fe0785dc4|Medium|Observability|Ensure that Connection Throttling is set for the PostgreSQL server|Documentation
| +|PostgreSQL Log Duration Not Set
16e0879a-c4ae-4ff8-a67d-a2eed5d67b8f|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON'|Documentation
| +|PostgreSQL Log Connections Not Set
c640d783-10c5-4071-b6c1-23507300d333|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON'|Documentation
| +|SQL Server Auditing Disabled
f7e296b0-6660-4bc5-8f87-22ac4a815edf|Medium|Observability|Make sure that for SQL Servers, 'Auditing' is set to 'On'|Documentation
| |MSSQL Server Auditing Disabled
609839ae-bd81-4375-9910-5bce72ae7b92|Medium|Observability|Make sure that for MSSQL Servers, that 'Auditing' is set to 'On'|Documentation
| |Log Retention Is Not Set
ffb02aca-0d12-475e-b77c-a726f7aeff4b|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON'|Documentation
| -|PostgreSQL Log Connections Not Set
c640d783-10c5-4071-b6c1-23507300d333|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON'|Documentation
| +|PostgreSQL Log Disconnections Not Set
07f7134f-9f37-476e-8664-670c218e4702|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON'|Documentation
| |PostgreSQL Log Checkpoints Disabled
3790d386-be81-4dcf-9850-eaa7df6c10d9|Medium|Observability|Make sure that for Postgre SQL Database Server, parameter 'log_checkpoints' is set to 'ON'|Documentation
| -|PostgreSQL Log Duration Not Set
16e0879a-c4ae-4ff8-a67d-a2eed5d67b8f|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON'|Documentation
| -|Log Disconnections Is Not Set
07f7134f-9f37-476e-8664-670c218e4702|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON'|Documentation
| -|Small MSSQL Audit Retention Period
9c301481-e6ec-44f7-8a49-8ec63e2969ea|Medium|Observability|Make sure that for MSSQL Server, the Auditing Retention is greater than 90 days|Documentation
| |Small MSSQL Server Audit Retention
59acb56b-2b10-4c2c-ba38-f2223c3f5cfc|Medium|Observability|Make sure for SQL Servers that Auditing Retention is greater than 90 days|Documentation
| -|PostgreSQL DB Server Log Retention Is Low
261a83f8-dd72-4e8c-b5e1-ebf06e8fe606|Medium|Observability|Check if PostgreSQL Database Server retains logs for less than 3 Days|Documentation
| -|Small Activity Log Retention Period
2b856bf9-8e8c-4005-875f-303a8cba3918|Medium|Observability|Ensure that Activity Log Retention is set 365 days or greater|Documentation
| -|PostgreSQL Server Without Connection Throttling
2b3c671f-1b76-4741-8789-ed1fe0785dc4|Medium|Observability|Ensure that Connection Throttling is set for the PostgreSQL server|Documentation
| -|Email Alerts Disabled
9db38e87-f6aa-4b5e-a1ec-7266df259409|Medium|Observability|Make sure that alerts notifications are set to 'On' in the Azure Security Center Contact|Documentation
| -|SQL Server Auditing Disabled
f7e296b0-6660-4bc5-8f87-22ac4a815edf|Medium|Observability|Make sure that for SQL Servers, 'Auditing' is set to 'On'|Documentation
| -|Google Compute Subnetwork Logging Disabled
40430747-442d-450a-a34f-dc57149f4609|Medium|Observability|This query checks if logs are enabled for a Google Compute Subnetwork resource.|Documentation
| +|Small PostgreSQL DB Server Log Retention Period
261a83f8-dd72-4e8c-b5e1-ebf06e8fe606|Medium|Observability|Check if PostgreSQL Database Server retains logs for less than 3 Days|Documentation
| +|Small MSSQL Audit Retention Period
9c301481-e6ec-44f7-8a49-8ec63e2969ea|Medium|Observability|Make sure that for MSSQL Server, the Auditing Retention is greater than 90 days|Documentation
| |No Stack Policy
2f01fb2d-828a-499d-b98e-b83747305052|Medium|Resource Management|AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions|Documentation
| -|Memory Limits Not Defined
fd097ed0-7fe6-4f58-8b71-fef9f0820a21|Medium|Resource Management|Memory limits should be specified|Documentation
| |CPU Limits Not Set
5f4735ce-b9ba-4d95-a089-a37a767b716f|Medium|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests|Documentation
| -|Memory Requests Not Defined
21719347-d02b-497d-bda4-04a03c8e5b61|Medium|Resource Management|Memory requests should be specified|Documentation
| |CPU Requests Not Set
577ac19c-6a77-46d7-9f14-e049cdd15ec2|Medium|Resource Management|CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node|Documentation
| +|Memory Limits Not Defined
fd097ed0-7fe6-4f58-8b71-fef9f0820a21|Medium|Resource Management|Memory limits should be specified|Documentation
| +|Memory Requests Not Defined
21719347-d02b-497d-bda4-04a03c8e5b61|Medium|Resource Management|Memory requests should be specified|Documentation
| |Hardcoded AWS Access Key In Lambda
1402afd8-a95c-4e84-8b0b-6fb43758e6ce|Medium|Secret Management|Lambda hardcoded AWS access/secret keys|Documentation
| |Shared Service Account
f74b9c43-161a-4799-bc95-0b0ec81801b9|Medium|Secret Management|A Service Account token is shared between workloads|Documentation
| |Service Account Allows Access Secrets
07fc3413-e572-42f7-9877-5c8fc6fccfb5|Medium|Secret Management|Kubernetes_role and Kubernetes_cluster_role when binded, should not use get, list or watch as verbs|Documentation
| |IAM Policy Grants 'AssumeRole' Permission Across All Services
bcdcbdc6-a350-4855-ae7c-d1e6436f7c97|Low|Access Control|IAM role allows All services or principals to assume it|Documentation
| |IAM Role Allows All Principals To Assume
12b7e704-37f0-4d1e-911a-44bf60c48c21|Low|Access Control|IAM role allows all services or principals to assume it|Documentation
| |Cluster Admin Rolebinding With Superuser Permissions
17172bc2-56fb-4f17-916f-a014147706cd|Low|Access Control|Ensure that the cluster-admin role is only used where required (RBAC)|Documentation
| -|Missing App Armor Config
bd6bd46c-57db-4887-956d-d372f21291b6|Low|Access Control|Containers should be configured with AppArmor for any application to reduce its potential attack|Documentation
| -|Permissive Access to Create Pods
522d4a64-4dc9-44bd-9240-7d8a0d5cb5ba|Low|Access Control|The permission to create pods in a cluster should be restricted because it allows privilege escalation.|Documentation
| |Docker Daemon Socket is Exposed to Containers
4e203a65-c8d8-49a2-b749-b124d43c9dc1|Low|Access Control|Sees if Docker Daemon Socket is not exposed to Containers|Documentation
| -|HPA Targets Invalid Object
17e52ca3-ddd0-4610-9d56-ce107442e110|Low|Availability|The Horizontal Pod Autoscale must target a valid object|Documentation
| +|Permissive Access to Create Pods
522d4a64-4dc9-44bd-9240-7d8a0d5cb5ba|Low|Access Control|The permission to create pods in a cluster should be restricted because it allows privilege escalation.|Documentation
| +|Missing App Armor Config
bd6bd46c-57db-4887-956d-d372f21291b6|Low|Access Control|Containers should be configured with AppArmor for any application to reduce its potential attack|Documentation
| |StatefulSet Without PodDisruptionBudget
7249e3b0-9231-4af3-bc5f-5daf4988ecbf|Low|Availability|StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
| |Deployment Without PodDisruptionBudget
a05331ee-1653-45cb-91e6-13637a76e4f0|Low|Availability|Deployments should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
| +|HPA Targets Invalid Object
17e52ca3-ddd0-4610-9d56-ce107442e110|Low|Availability|The Horizontal Pod Autoscale must target a valid object|Documentation
| +|CDN Configuration Is Missing
1bc367f6-901d-4870-ad0c-71d79762ef52|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination.|Documentation
| |IAM Policies Attached To User
b4378389-a9aa-44ee-91e7-ef183f11079e|Low|Best Practices|IAM policies should be attached only to groups or roles|Documentation
| |Lambda Permission Misconfigured
75ec6890-83af-4bf1-9f16-e83726df0bd0|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction'|Documentation
| -|CDN Configuration Is Missing
1bc367f6-901d-4870-ad0c-71d79762ef52|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination.|Documentation
| |Metadata Label Is Invalid
bc3dabb6-fd50-40f8-b9ba-7429c9f1fb0e|Low|Best Practices|Check if any label in the metadata is invalid.|Documentation
| |StatefulSet Requests Storage
fcc2612a-1dfe-46e4-8ce6-0320959f0040|Low|Build Process|A StatefulSet requests volume storage.|Documentation
| |Root Container Not Mounted As Read-only
d532566b-8d9d-4f3b-80bd-361fe802f9c2|Low|Build Process|Check if the root container filesystem is not being mounted as read-only.|Documentation
| -|S3 Bucket With Ignore Public ACL
4fa66806-0dd9-4f8d-9480-3174d39c7c91|Low|Insecure Configurations|S3 bucket with ignore public ACL|Documentation
| |Open Access To Resources Through API
108aa260-6dab-4a75-ae3f-de917d634840|Low|Insecure Configurations|Open access to back-end resources through API|Documentation
| -|Dashboard Is Enabled
61c3cb8b-0715-47e4-b788-86dde40dd2db|Low|Insecure Configurations|Check if the Kubernetes Dashboard is enabled.|Documentation
| +|S3 Bucket With Ignore Public ACL
4fa66806-0dd9-4f8d-9480-3174d39c7c91|Low|Insecure Configurations|S3 bucket with ignore public ACL|Documentation
| |Image Pull Policy Of The Container Is Not Set To Always
aa737abf-6b1d-4aba-95aa-5c160bd7f96e|Low|Insecure Configurations|Image Pull Policy of the container must be defined and set to Always|Documentation
| -|Image Without Digest
228c4c19-feeb-4c18-848c-800ac70fdfb7|Low|Insecure Configurations|Sees if Kubernetes image has digest on|Documentation
| |Pod or Container Without Security Context
ad69e38a-d92e-4357-a8da-f2f29d545883|Low|Insecure Configurations|A security context defines privilege and access control settings for a Pod or Container|Documentation
| +|Image Without Digest
228c4c19-feeb-4c18-848c-800ac70fdfb7|Low|Insecure Configurations|Sees if Kubernetes image has digest on|Documentation
| +|Dashboard Is Enabled
61c3cb8b-0715-47e4-b788-86dde40dd2db|Low|Insecure Configurations|Check if the Kubernetes Dashboard is enabled.|Documentation
| |Cloudfront Without WAF
1419b4c6-6d5c-4534-9cf6-6a5266085333|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service|Documentation
| |Service Type is NodePort
5c281bf8-d9bb-47f2-b909-3f6bb11874ad|Low|Networking and Firewall|Service type should not be NodePort|Documentation
| |Missing Cluster Log Types
66f130d9-b81d-4e8e-9b08-da74b9c891df|Low|Observability|Amazon EKS control plane logging don't enabled for all log types|Documentation
| +|S3 Bucket Logging Disabled
f861041c-8c9f-4156-acfc-5e6e524f5884|Low|Observability|S3 bucket without logging|Documentation
| +|Lambda Functions Without X-Ray Tracing
8152e0cf-d2f0-47ad-96d5-d003a76eabd1|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_Config.mode' should have the value 'Active'|Documentation
| |API Gateway Deployment Without API Gateway UsagePlan Associated
b3a59b8e-94a3-403e-b6e2-527abaf12034|Low|Observability|API Gateway Deployment should have API Gateway UsagePlan defined and associated.|Documentation
| |CloudTrail Log File Validation Disabled
52ffcfa6-6c70-4ea6-8376-d828d3961669|Low|Observability|CloudTrail log file validation should be enabled|Documentation
| -|Lambda Functions Without X-Ray Tracing
8152e0cf-d2f0-47ad-96d5-d003a76eabd1|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_Config.mode' should have the value 'Active'|Documentation
| -|S3 Bucket Logging Disabled
f861041c-8c9f-4156-acfc-5e6e524f5884|Low|Observability|S3 bucket without logging|Documentation
| |API Gateway Stage Without API Gateway UsagePlan Associated
c999cf62-0920-40f8-8dda-0caccd66ed7e|Low|Resource Management|API Gateway Stage should have API Gateway UsagePlan defined and associated.|Documentation
| |CronJob Deadline Not Configured
58876b44-a690-4e9f-9214-7735fa0dd15d|Low|Resource Management|Cronjobs must have a configured deadline, which means the attribute 'starting_deadline_seconds' must be defined|Documentation
| |Hardcoded AWS Access Key
d7b9d850-3e06-4a75-852f-c46c2e92240b|Low|Secret Management|Hard-coded AWS access key / secret key exists in EC2 user data|Documentation
| |Invalid Image
e76cca7c-c3f9-4fc9-884c-b2831168ebd8|Low|Supply-Chain|Image must be defined and not be empty or equal to latest.|Documentation
| -|S3 Bucket ACL Allows Read Or Write to All Users
38c5ee0d-7f22-4260-ab72-5073048df100|Info|Access Control|S3 bucket with public READ/WRITE access|Documentation
|
From c9f7396c86e9ce1d87aaab08f92f8502d383be46 Mon Sep 17 00:00:00 2001
From: Rogerio Peixoto
Date: Thu, 1 Apr 2021 17:38:05 +0100
Subject: [PATCH 03/15] Docs changes should not trigger CI #2677 (#2678)

---
 .github/workflows/go-ci-integration.yml | 4 ++++
 .github/workflows/go-ci.yml | 6 ++++++
 2 files changed, 10 insertions(+)

diff --git a/.github/workflows/go-ci-integration.yml b/.github/workflows/go-ci-integration.yml
index 442bd924f02..346fabff81c 100644
--- a/.github/workflows/go-ci-integration.yml
+++ b/.github/workflows/go-ci-integration.yml
@@ -3,6 +3,10 @@ name: go-ci-integration
on:
pull_request:
branches: [master]
+ paths-ignore:
+ - 'docs/**'
+ - README.md
+ - mkdocs.yml
jobs:
integration-tests:
diff --git a/.github/workflows/go-ci.yml b/.github/workflows/go-ci.yml
index 849491dda12..39c1ede41e5 100644
--- a/.github/workflows/go-ci.yml
+++ b/.github/workflows/go-ci.yml
@@ -4,6 +4,12 @@ name: go-ci
on:
pull_request:
branches: [master]
+ paths-ignore:
+ - 'docs/**'
+ - README.md
+ - mkdocs.yml
+ - Dockerfile
+ - Dockerfile.integration
jobs:
lint:

From 9bcae347ca512fb41dc5072d4dbc479c569d7c6f Mon Sep 17 00:00:00 2001
From: Rogerio Peixoto
Date: Thu, 1 Apr 2021 17:47:27 +0100
Subject: [PATCH 04/15] Adding .DS_Store to gitignore (#2672)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Rogério Peixoto
---
 .gitignore | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.gitignore b/.gitignore
index c774fcd8267..406868b3150 100644
--- a/.gitignore
+++ b/.gitignore
@@ -6,6 +6,10 @@ bin
*.so
*.dylib
+# MacOS finder files
+.DS_Store
+**/.DS_Store
+
# Test binary, built with `go test -c`
*.test

From f3474cdae1b2797fa62b8ebb4462c3f65ceb0293 Mon Sep 17 00:00:00 2001
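Review bot: `paths-ignore` on the `pull_request` trigger in the go-ci-integration.yml hunk (and the go-ci.yml hunk of the same commit) means a docs-only PR never starts these workflows, so any of their jobs listed as a required status check in branch protection stays pending and blocks the merge instead of passing; the branch-protection settings are not visible here, so this needs confirming before merging. If those checks are required, the usual pattern is to keep the trigger unconditional and skip the expensive steps with a job-level `if`, or to add a sibling workflow filtered with `paths:` on the same globs whose jobs carry the same names and exit successfully. The go-ci.yml list additionally ignores `Dockerfile` and `Dockerfile.integration`, so a Dockerfile-only PR runs neither lint nor unit tests while the integration workflow still runs; a comment stating that this is intended would help, e.g. `# Dockerfile changes are exercised by go-ci-integration instead`.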
From: Rogerio Peixoto
Date: Mon, 5 Apr 2021 10:20:02 +0100
Subject: [PATCH 05/15] Revert "Docs changes should not trigger CI #2677 (#2678)" (#2681)

This reverts commit c9f7396c86e9ce1d87aaab08f92f8502d383be46.
---
 .github/workflows/go-ci-integration.yml | 4 ----
 .github/workflows/go-ci.yml | 6 ------
 2 files changed, 10 deletions(-)

diff --git a/.github/workflows/go-ci-integration.yml b/.github/workflows/go-ci-integration.yml
index 346fabff81c..442bd924f02 100644
--- a/.github/workflows/go-ci-integration.yml
+++ b/.github/workflows/go-ci-integration.yml
@@ -3,10 +3,6 @@ name: go-ci-integration
on:
pull_request:
branches: [master]
- paths-ignore:
- - 'docs/**'
- - README.md
- - mkdocs.yml
jobs:
integration-tests:
diff --git a/.github/workflows/go-ci.yml b/.github/workflows/go-ci.yml
index 39c1ede41e5..849491dda12 100644
--- a/.github/workflows/go-ci.yml
+++ b/.github/workflows/go-ci.yml
@@ -4,12 +4,6 @@ name: go-ci
on:
pull_request:
branches: [master]
- paths-ignore:
- - 'docs/**'
- - README.md
- - mkdocs.yml
- - Dockerfile
- - Dockerfile.integration
jobs:
lint:

From 9d47ce4a712db4761cb730766a58cfcc6aac3f85 Mon Sep 17 00:00:00 2001
From: Rogerio Peixoto
Date: Mon, 5 Apr 2021 10:52:51 +0100
Subject: [PATCH 06/15] Nightly build conditional refactor - fixes #2686 (#2687)

nightly build is broken due to invalid syntax, refactoring conditionals to avoid many if statements
---
 .github/workflows/nightly-release.yml | 25 ++++++++++++++-----------
 1 file changed, 14 insertions(+), 11 deletions(-)

diff --git a/.github/workflows/nightly-release.yml b/.github/workflows/nightly-release.yml
index bb28a0f9a18..29fe4430a1e 100644
--- a/.github/workflows/nightly-release.yml
+++ b/.github/workflows/nightly-release.yml
@@ -6,8 +6,10 @@ on:
workflow_dispatch:
jobs:
- goreleaser:
+ pre_release_job:
runs-on: ubuntu-latest
+ outputs:
+ commits: ${{ steps.sincelasttag.outputs.commits }}
steps:
- name: Checkout
uses: actions/checkout@v2
@@ -16,17 +18,23 @@ jobs: - name: Check if there are new commits since last nightly id: sincelasttag run: echo "::set-output name=commits=$(git log --oneline $(git describe --tags --match 'nightly' --abbrev=0)..HEAD)" + goreleaser: + needs: pre_release_job + if: ${{ needs.pre_release_job.outputs.commits != "" }} + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v2 + with: + fetch-depth: 0 - name: Set up Go - if: steps.sincelasttag.outputs.commits != "" uses: actions/setup-go@v2 with: go-version: 1.16 - name: Set short hash - if: steps.sincelasttag.outputs.commits != "" id: shorthash run: echo "::set-output name=sha8::$(echo ${GITHUB_SHA} | cut -c1-8)" - name: Run GoReleaser - if: steps.sincelasttag.outputs.commits != "" uses: goreleaser/goreleaser-action@v2 with: version: latest @@ -34,7 +42,6 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: delete release - if: steps.sincelasttag.outputs.commits != "" uses: dev-drprasad/delete-tag-and-release@v0.2.0 with: delete_release: true # default: false @@ -42,7 +49,6 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Create Release - if: steps.sincelasttag.outputs.commits != "" id: create_release uses: actions/create-release@v1 env: @@ -53,11 +59,9 @@ jobs: draft: false prerelease: true - name: Display assets - if: steps.sincelasttag.outputs.commits != "" run: | ls -l /home/runner/work/kics/kics/dist - name: Upload Release Asset Linux - if: steps.sincelasttag.outputs.commits != "" id: upload-release-asset-linux uses: actions/upload-release-asset@v1 env: @@ -68,7 +72,6 @@ jobs: asset_name: kics_nightly-release_linux_amd64.tar.gz asset_content_type: application/gzip - name: Upload Release Asset Darwin - if: steps.sincelasttag.outputs.commits != "" id: upload-release-asset-darwin uses: actions/upload-release-asset@v1 env: 
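Review bot: The new `if: ${{ needs.pre_release_job.outputs.commits != "" }}` on the goreleaser job uses a double-quoted string literal, which the GitHub expression syntax does not accept — string literals must be single-quoted, so the workflow fails to parse; the same expression is added to push_to_registry in the `@@ -102,6 +103,8 @@` hunk. The `commits` output is also the raw multi-line `git log --oneline` text, and as far as I recall only the line carrying `::set-output` is parsed as a command, so the output holds at most the first commit subject; that still works for an emptiness test but is fragile, and emitting a fixed token from the step would make the condition explicit. The new checkout step references `actions/checkout@v2` by a mutable tag; in a workflow that publishes releases with `GITHUB_TOKEN`, pinning actions to a full commit SHA is the safer convention.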
@@ -79,7 +82,6 @@ jobs: asset_name: kics_nightly-release_darwin_amd64.tar.gz asset_content_type: application/gzip - name: Upload Release Asset Windows - if: steps.sincelasttag.outputs.commits != "" id: upload-release-asset-windows uses: actions/upload-release-asset@v1 env: @@ -90,7 +92,6 @@ jobs: asset_name: kics_nightly-release_windows_amd64.zip asset_content_type: application/zip - name: Upload Release Asset Checksum - if: steps.sincelasttag.outputs.commits != "" id: upload-release-asset-checksums uses: actions/upload-release-asset@v1 env: @@ -102,6 +103,8 @@ jobs: asset_content_type: text/plain push_to_registry: name: Push Docker image to Docker Hub + needs: pre_release_job + if: ${{ needs.pre_release_job.outputs.commits != "" }} runs-on: ubuntu-latest steps: - name: Check out the repo From bbb0d95c9ff6997042ad9f41280d8feef115a1df Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 5 Apr 2021 11:06:41 +0100 Subject: [PATCH 07/15] Bump golangci/golangci-lint-action from v2.5.1 to v2.5.2 (#2683) Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from v2.5.1 to v2.5.2. - [Release notes](https://github.com/golangci/golangci-lint-action/releases) - [Commits](https://github.com/golangci/golangci-lint-action/compare/v2.5.1...5c56cd6c9dc07901af25baab6f2b0d9f3b7c3018) Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/go-ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/go-ci.yml b/.github/workflows/go-ci.yml index 849491dda12..641159f4cdf 100644 --- a/.github/workflows/go-ci.yml +++ b/.github/workflows/go-ci.yml @@ -18,7 +18,7 @@ jobs: with: go-version: 1.16.x - name: golangci-lint - uses: golangci/golangci-lint-action@v2.5.1 + uses: golangci/golangci-lint-action@v2.5.2 with: version: v1.37 args: -c .golangci.yml 
From 623c5f15e0ee1a33bfc757e89539443875c08bde Mon Sep 17 00:00:00 2001 From: Rogerio Peixoto Date: Mon, 5 Apr 2021 11:07:27 +0100 Subject: [PATCH 08/15] removing patch from alpine semver in dockerfile (#2679) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit this should avoid too many dependabot PR's Signed-off-by: Rogério Peixoto --- Dockerfile.integration | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile.integration b/Dockerfile.integration index 4eec6871ff5..9e75d4afaf5 100644 --- a/Dockerfile.integration +++ b/Dockerfile.integration @@ -32,7 +32,7 @@ USER Checkmarx HEALTHCHECK CMD wget -q --method=HEAD localhost/system-status.txt #runtime image -FROM alpine:3.13.4 +FROM alpine:3.13 COPY --from=build_env /app/bin/kics /app/bin/kics COPY --from=build_env /app/assets/ /app/bin/assets/ From db528125089a9f5c52cbe4140127794d88b54d21 Mon Sep 17 00:00:00 2001 From: Rogerio Peixoto Date: Mon, 5 Apr 2021 11:15:33 +0100 Subject: [PATCH 09/15] Nightly build conditional check syntax fix (#2688) --- .github/workflows/nightly-release.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/nightly-release.yml b/.github/workflows/nightly-release.yml index 29fe4430a1e..ccf7f321876 100644 --- a/.github/workflows/nightly-release.yml +++ b/.github/workflows/nightly-release.yml @@ -20,7 +20,7 @@ jobs: run: echo "::set-output name=commits=$(git log --oneline $(git describe --tags --match 'nightly' --abbrev=0)..HEAD)" goreleaser: needs: pre_release_job - if: ${{ needs.pre_release_job.outputs.commits != "" }} + if: ${{ needs.pre_release_job.outputs.commits != '' }} runs-on: ubuntu-latest steps: - name: Checkout @@ -104,7 +104,7 @@ jobs: push_to_registry: name: Push Docker image to Docker Hub needs: pre_release_job - if: ${{ needs.pre_release_job.outputs.commits != "" }} + if: ${{ needs.pre_release_job.outputs.commits != '' }} runs-on: ubuntu-latest steps: - name: Check out the repo 
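Review bot: `FROM alpine:3.13` replaces an exact patch tag with a floating minor tag, so the runtime image is no longer reproducible: two builds of the same commit can pull different `3.13.x` images and the build log no longer records which one was used. If the aim is only to stop dependabot patch-bump PRs, pinning by digest (`FROM alpine:3.13@sha256:<digest of the current image>`) keeps builds reproducible while dependabot can still bump the digest; otherwise a comment stating that the base image floats on purpose would tell the next reader that upstream alpine changes are an expected source of integration-test drift. The `USER Checkmarx` and `HEALTHCHECK` lines are context only.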
From 115ac1cab7e7212f5c007ff6e7aa0ce6d60d24c4 Mon Sep 17 00:00:00 2001 From: Rogerio Peixoto Date: Mon, 5 Apr 2021 11:40:10 +0100 Subject: [PATCH 10/15] Fixing nightly build workflow conditional (#2689) --- .github/new_changes.sh | 7 +++++++ .github/workflows/nightly-release.yml | 6 +++--- 2 files changed, 10 insertions(+), 3 deletions(-) create mode 100755 .github/new_changes.sh diff --git a/.github/new_changes.sh b/.github/new_changes.sh new file mode 100755 index 00000000000..193dcc51e61 --- /dev/null +++ b/.github/new_changes.sh @@ -0,0 +1,7 @@ +#!/usr/bin/env bash +CHANGES=$(git log --oneline $(git describe --tags --match 'nightly' --abbrev=0)..HEAD) +if [[ -n ${CHANGES} ]]; then + echo true +else + echo false +fi diff --git a/.github/workflows/nightly-release.yml b/.github/workflows/nightly-release.yml index ccf7f321876..4be536231f5 100644 --- a/.github/workflows/nightly-release.yml +++ b/.github/workflows/nightly-release.yml @@ -17,10 +17,10 @@ jobs: fetch-depth: 0 - name: Check if there are new commits since last nightly id: sincelasttag - run: echo "::set-output name=commits=$(git log --oneline $(git describe --tags --match 'nightly' --abbrev=0)..HEAD)" + run: echo "::set-output name=commits=$(bash ./.github/new_changes.sh)" goreleaser: needs: pre_release_job - if: ${{ needs.pre_release_job.outputs.commits != '' }} + if: ${{ needs.pre_release_job.outputs.commits == 'true' }} runs-on: ubuntu-latest steps: - name: Checkout @@ -104,7 +104,7 @@ jobs: push_to_registry: name: Push Docker image to Docker Hub needs: pre_release_job - if: ${{ needs.pre_release_job.outputs.commits != '' }} + if: ${{ needs.pre_release_job.outputs.commits == 'true' }} runs-on: ubuntu-latest steps: - name: Check out the repo From e4a37cc75c94d9a88f194de57c75a27f15988576 Mon Sep 17 00:00:00 2001 
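Review bot: new_changes.sh has no `set -euo pipefail`, so when `git describe --tags --match 'nightly' --abbrev=0` fails (no reachable nightly tag, or a shallow clone) the error goes to stderr, the inner substitution is empty and `git log ..HEAD` is evaluated instead; that presumably yields nothing, so the script prints `false` and the nightly is silently skipped instead of the workflow failing. Suggest `set -euo pipefail` after the shebang and capturing the tag first, e.g. `LAST=$(git describe --tags --match 'nightly' --abbrev=0) || exit 1` followed by `CHANGES=$(git log --oneline "${LAST}..HEAD")`. The workflow runs the file as `bash ./.github/new_changes.sh` although it is created with mode 100755, which is harmless but redundant.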
From: Rogerio Peixoto Date: Mon, 5 Apr 2021 12:05:21 +0100 Subject: [PATCH 11/15] Fixing nightly build workflow conditional (#2693) --- .github/{new_changes.sh => new_changes_nightly.sh} | 4 ++-- .github/workflows/nightly-release.yml | 10 +++++----- 2 files changed, 7 insertions(+), 7 deletions(-) rename .github/{new_changes.sh => new_changes_nightly.sh} (85%) diff --git a/.github/new_changes.sh b/.github/new_changes_nightly.sh similarity index 85% rename from .github/new_changes.sh rename to .github/new_changes_nightly.sh index 193dcc51e61..01e0a6ec072 100755 --- a/.github/new_changes.sh +++ b/.github/new_changes_nightly.sh @@ -1,7 +1,7 @@ #!/usr/bin/env bash CHANGES=$(git log --oneline $(git describe --tags --match 'nightly' --abbrev=0)..HEAD) if [[ -n ${CHANGES} ]]; then - echo true + echo 'yes' else - echo false + echo 'no' fi diff --git a/.github/workflows/nightly-release.yml b/.github/workflows/nightly-release.yml index 4be536231f5..39e1b030b39 100644 --- a/.github/workflows/nightly-release.yml +++ b/.github/workflows/nightly-release.yml @@ -9,18 +9,18 @@ jobs: pre_release_job: runs-on: ubuntu-latest outputs: - commits: ${{ steps.sincelasttag.outputs.commits }} + changes: ${{ steps.lasttag.outputs.newchanges }} steps: - name: Checkout uses: actions/checkout@v2 with: fetch-depth: 0 - name: Check if there are new commits since last nightly - id: sincelasttag - run: echo "::set-output name=commits=$(bash ./.github/new_changes.sh)" + id: lasttag + run: echo "::set-output name=newchanges=$(bash ./.github/new_changes_nightly.sh)" goreleaser: needs: pre_release_job - if: ${{ needs.pre_release_job.outputs.commits == 'true' }} + if: ${{ needs.pre_release_job.outputs.changes == 'yes' }} runs-on: ubuntu-latest steps: - name: Checkout 
@@ -104,7 +104,7 @@ jobs: push_to_registry: name: Push Docker image to Docker Hub needs: pre_release_job - if: ${{ needs.pre_release_job.outputs.commits == 'true' }} + if: ${{ needs.pre_release_job.outputs.changes == 'yes' }} runs-on: ubuntu-latest steps: - name: Check out the repo From 54f745dafb450d2fd019888c4dc8a9a771fce5dd Mon Sep 17 00:00:00 2001 From: Rogerio Peixoto Date: Mon, 5 Apr 2021 12:30:52 +0100 Subject: [PATCH 12/15] fixing nightly build workflow (#2696) --- .github/workflows/nightly-release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/nightly-release.yml b/.github/workflows/nightly-release.yml index 39e1b030b39..584d087ca49 100644 --- a/.github/workflows/nightly-release.yml +++ b/.github/workflows/nightly-release.yml @@ -17,7 +17,7 @@ jobs: fetch-depth: 0 - name: Check if there are new commits since last nightly id: lasttag - run: echo "::set-output name=newchanges=$(bash ./.github/new_changes_nightly.sh)" + run: echo "::set-output name=newchanges::$(bash ./.github/new_changes_nightly.sh)" goreleaser: needs: pre_release_job if: ${{ needs.pre_release_job.outputs.changes == 'yes' }} From 848697f2fdc99a38338a068c6057d5569391ed05 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Reigota?= Date: Mon, 5 Apr 2021 13:06:37 +0100 Subject: [PATCH 13/15] Added New Flag '--ci' (#2692) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: João Reigota --- docs/getting-started.md | 2 ++ internal/console/kics.go | 13 +++++++++++++ 2 files changed, 15 insertions(+) diff --git a/docs/getting-started.md b/docs/getting-started.md index 926b19e8b13..6c575ae79cc 100644 --- a/docs/getting-started.md +++ b/docs/getting-started.md 
@@ -80,6 +80,7 @@ Available Commands: version Displays the current version Flags: + --ci display only log messages to CLI output -h, --help help for kics -l, --log-file writes log messages to log file --log-level string determines log level (TRACE,DEBUG,INFO,WARN,ERROR,FATAL) (default "INFO") @@ -126,6 +127,7 @@ Flags: (Ansible, CloudFormation, Dockerfile, Kubernetes, Terraform) Global Flags: + --ci display only log messages to CLI output -l, --log-file writes log messages to log file --log-level string determines log level (TRACE,DEBUG,INFO,WARN,ERROR,FATAL) (default "INFO") --log-path string path to log files, (defaults to ${PWD}/info.log) diff --git a/internal/console/kics.go b/internal/console/kics.go index ed56dcfb510..dd98eb0ca12 100644 --- a/internal/console/kics.go +++ b/internal/console/kics.go @@ -33,6 +33,7 @@ var ( logLevel string noColor bool silent bool + ci bool warnings = make(map[string]bool) @@ -68,6 +69,11 @@ func initialize() error { "write logs to stdout too (mutually exclusive with silent)") rootCmd.PersistentFlags().BoolVarP(&silent, "silent", "s", false, "silence stdout messages (mutually exclusive with verbose)") rootCmd.PersistentFlags().BoolVarP(&noColor, "no-color", "", false, "disable CLI color output") + rootCmd.PersistentFlags().BoolVarP(&ci, + "ci", + "", + false, + "display only log messages to CLI output") if err := viper.BindPFlags(rootCmd.PersistentFlags()); err != nil { return err @@ -116,6 +122,7 @@ func setupLogs() error { if noColor { color.Disable() + consoleLogger.NoColor = true } if logPath == "" { @@ -139,6 +146,12 @@ func setupLogs() error { os.Stdout = nil } + if ci { + color.SetOutput(io.Discard) + consoleLogger = zerolog.ConsoleWriter{Out: os.Stdout, NoColor: true} + os.Stdout = nil + } + mw := io.MultiWriter(consoleLogger, fileLogger) log.Logger = log.Output(mw) From 595c9f9b73973c6f9c886d8a967a935333f02fad Mon Sep 17 00:00:00 2001 
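Review bot: In the `if ci` block added to setupLogs (`@@ -139,6 +146,12 @@` hunk), the new ConsoleWriter captures `os.Stdout` at that point, but the context line just above shows the `--silent` branch already assigning `os.Stdout = nil`; with `--ci --silent` together the writer would be built over a nil file and every log write would fail, and the help text does not state any exclusion the way the `--silent`/`--verbose` strings in the `@@ -68` hunk do. Either reject the combination where the other exclusions are checked (outside this hunk) or document it, e.g. `"display only log messages to CLI output (mutually exclusive with silent)"`. The block also replaces the writer whose `NoColor` the `@@ -116` hunk just set, which is consistent but deserves a one-line comment. setupLogs begins before and continues after the hunk.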
From: =?UTF-8?q?Jo=C3=A3o=20Reigota?= Date: Mon, 5 Apr 2021 13:08:02 +0100 Subject: [PATCH 14/15] fix gosec issues #2694 (#2695) --- internal/console/kics.go | 2 +- pkg/engine/source/filesystem.go | 7 ++++++- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/internal/console/kics.go b/internal/console/kics.go index dd98eb0ca12..f0f49172a82 100644 --- a/internal/console/kics.go +++ b/internal/console/kics.go @@ -134,7 +134,7 @@ func setupLogs() error { } if logFile { - file, err := os.OpenFile(logPath, os.O_APPEND|os.O_CREATE|os.O_WRONLY, os.ModePerm) + file, err := os.OpenFile(filepath.Clean(logPath), os.O_APPEND|os.O_CREATE|os.O_WRONLY, os.ModePerm) if err != nil { return err } diff --git a/pkg/engine/source/filesystem.go b/pkg/engine/source/filesystem.go index c0869381458..970c4b856bb 100644 --- a/pkg/engine/source/filesystem.go +++ b/pkg/engine/source/filesystem.go @@ -218,7 +218,12 @@ func ReadMetadata(queryDir string) map[string]interface{} { return nil } - defer f.Close() + defer func() { + if err := f.Close(); err != nil { + log.Err(err). + Msgf("Queries provider can't close file, file=%s", filepath.Clean(path.Join(queryDir, MetadataFileName))) + } + }() var metadata map[string]interface{} if err := json.NewDecoder(f).Decode(&metadata); err != nil { From 2bf7a18d03ca81828e9787bc6f2e078cada9b3f6 Mon Sep 17 00:00:00 2001 
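Review bot: The kics.go hunk keeps `os.ModePerm` (0777) as the mode passed to `os.OpenFile` for the log file, so a freshly created log is world-writable and executable subject only to the umask; gosec's G302 check flags exactly this, and the commit addresses only the path-cleaning finding. A log file needs `0o600` (or `0o644` if other users should read it): `file, err := os.OpenFile(filepath.Clean(logPath), os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0o600)`. In the filesystem.go hunk the deferred close mixes `path.Join` with `filepath.Clean` for an on-disk path; `filepath.Join(queryDir, MetadataFileName)` is the matching call and makes the extra Clean unnecessary. setupLogs and ReadMetadata both extend beyond their hunks.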
From: =?UTF-8?q?Jo=C3=A3o=20Reigota?= Date: Mon, 5 Apr 2021 14:50:25 +0100 Subject: [PATCH 15/15] Refactored Vulnerability Builder (#2531) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Rogério Peixoto --- go.sum | 2 - internal/console/helpers/helpers.go | 8 +- internal/constants/constants.go | 5 + pkg/detector/default_detect.go | 56 ++ pkg/detector/default_detect_test.go | 156 +++++ pkg/detector/detector.go | 49 ++ pkg/detector/detector_test.go | 151 +++++ pkg/detector/docker/docker_detect.go | 85 +++ pkg/detector/docker/docker_detect_test.go | 140 +++++ pkg/detector/helm/helm_detect.go | 187 ++++++ pkg/detector/helm/helm_detect_test.go | 193 ++++++ pkg/detector/helper.go | 222 +++++++ pkg/detector/helper_test.go | 332 ++++++++++ pkg/engine/inspector.go | 14 +- pkg/engine/inspector_test.go | 8 + pkg/engine/vulnerability_builder.go | 487 +-------------- pkg/engine/vulnerability_builder_test.go | 722 +--------------------- pkg/kics/resolver_sink.go | 52 ++ pkg/kics/service.go | 82 +-- pkg/kics/service_test.go | 14 +- pkg/kics/sink.go | 47 ++ pkg/model/model.go | 57 +- pkg/model/summary.go | 20 +- pkg/report/template/html/report.tmpl | 11 +- pkg/resolver/helm/resolver.go | 2 +- test/queries_content_test.go | 3 +- 26 files changed, 1780 insertions(+), 1325 deletions(-) create mode 100644 pkg/detector/default_detect.go create mode 100644 pkg/detector/default_detect_test.go create mode 100644 pkg/detector/detector.go create mode 100644 pkg/detector/detector_test.go create mode 100644 pkg/detector/docker/docker_detect.go create mode 100644 pkg/detector/docker/docker_detect_test.go create mode 100644 pkg/detector/helm/helm_detect.go create mode 100644 pkg/detector/helm/helm_detect_test.go create mode 100644 pkg/detector/helper.go create mode 100644 pkg/detector/helper_test.go create mode 100644 pkg/kics/resolver_sink.go create mode 100644 pkg/kics/sink.go 
diff --git a/go.sum b/go.sum index b7c8f784d19..4bc7e95d49d 100644 --- a/go.sum +++ b/go.sum @@ -1319,7 +1319,6 @@ golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY= golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= golang.org/x/mod v0.1.1-0.20191107180719-034126e5016b/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.3.0 h1:RM4zey1++hCTbCVQfnWeKs9/IEsaBLA8vTkd0WVtmH4= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/net v0.0.0-20170114055629-f2499483f923/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= @@ -1566,7 +1565,6 @@ golang.org/x/tools v0.0.0-20200505023115-26f46d2f7ef8/go.mod h1:EkVYQZoAsY45+roY golang.org/x/tools v0.0.0-20200512131952-2bc93b1c0c88/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200616133436-c1934b75d054/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200804011535-6c149bb5ef0d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= -golang.org/x/tools v0.1.0 h1:po9/4sTYwZU9lPhi1tOrb4hCv3qrhiQ77LZfGa2OjwY= golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= diff --git a/internal/console/helpers/helpers.go b/internal/console/helpers/helpers.go index 00ad6364698..401ae8e2d7e 100644 --- a/internal/console/helpers/helpers.go +++ b/internal/console/helpers/helpers.go 
@@ -174,11 +174,11 @@ func printFiles(query *model.VulnerableQuery, printer *Printer) { query.Files[fileIdx].FileName, printer.Success.Sprint(query.Files[fileIdx].Line)) if !printer.minimal { fmt.Println() - for lineIdx, line := range query.Files[fileIdx].VulnLines.Lines { - if query.Files[fileIdx].VulnLines.Positions[lineIdx] == query.Files[fileIdx].Line { - printer.Line.Printf("\t\t%03d: %s\n", query.Files[fileIdx].VulnLines.Positions[lineIdx], line) + for _, line := range query.Files[fileIdx].VulnLines { + if line.Position == query.Files[fileIdx].Line { + printer.Line.Printf("\t\t%03d: %s\n", line.Position, line.Line) } else { - fmt.Printf("\t\t%03d: %s\n", query.Files[fileIdx].VulnLines.Positions[lineIdx], line) + fmt.Printf("\t\t%03d: %s\n", line.Position, line.Line) } } fmt.Print("\n\n") diff --git a/internal/constants/constants.go b/internal/constants/constants.go index bd5df2a972a..045914250ee 100644 --- a/internal/constants/constants.go +++ b/internal/constants/constants.go @@ -1,5 +1,7 @@ package constants +import "math" + // Version - current KICS version var Version = "dev" @@ -20,3 +22,6 @@ const MinimumPreviewLines = 1 // MaximumPreviewLines - default maximum preview lines number const MaximumPreviewLines = 30 + +// MaxInteger - max possible integer in golang +const MaxInteger = math.MaxInt64 diff --git a/pkg/detector/default_detect.go b/pkg/detector/default_detect.go new file mode 100644 index 00000000000..0356ec9220a --- /dev/null +++ b/pkg/detector/default_detect.go 
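Review bot: `MaxInteger = math.MaxInt64` is an untyped constant whose comment calls it the "max possible integer in golang", but it is the int64 maximum; on a 32-bit build any use of it as an `int` is a compile-time constant overflow, and whether its consumers are `int` or `int64` is not visible here. If it only feeds int64 values, say so (`// MaxInteger - math.MaxInt64, for int64 fields only`) or name it `MaxInt64`; if it is meant for `int`, derive it from the platform width, e.g. `const MaxInteger = int(^uint(0) >> 1)` (`math.MaxInt` would do the same but needs Go 1.17, and the CI above pins 1.16). The helpers.go hunk reads fine: `VulnLines` is now a slice of `model.CodeLine` pairs, so the parallel-index lookup it replaces is gone.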
@@ -0,0 +1,56 @@
+package detector
+
+import (
+ "strconv"
+ "strings"
+
+ "github.com/Checkmarx/kics/pkg/model"
+ "github.com/rs/zerolog"
+)
+
+const (
+ undetectedVulnerabilityLine = -1
+)
+
+type defaultDetectLine struct {
+}
+
+// DetectLine searches vulnerability line if kindDetectLine is not in detectors
+func (d defaultDetectLine) DetectLine(file *model.FileMetadata, searchKey string,
+ logWithFields *zerolog.Logger, outputLines int) model.VulnerabilityLines {
+ text := strings.ReplaceAll(file.OriginalData, "\r", "")
+ lines := strings.Split(text, "\n")
+ foundAtLeastOne := false
+ currentLine := 0
+ isBreak := false
+ var extractedString [][]string
+ extractedString = GetBracketValues(searchKey, extractedString, "")
+ sanitizedSubstring := searchKey
+ for idx, str := range extractedString {
+ sanitizedSubstring = strings.Replace(sanitizedSubstring, str[0], `{{`+strconv.Itoa(idx)+`}}`, -1)
+ }
+
+ for _, key := range strings.Split(sanitizedSubstring, ".") {
+ substr1, substr2 := GenerateSubstrings(key, extractedString)
+
+ foundAtLeastOne, currentLine, isBreak = DetectCurrentLine(lines, substr1, substr2, currentLine, foundAtLeastOne)
+
+ if isBreak {
+ break
+ }
+ }
+
+ if foundAtLeastOne {
+ return model.VulnerabilityLines{
+ Line: currentLine + 1,
+ VulnLines: GetAdjacentVulnLines(currentLine, outputLines, lines),
+ }
+ }
+
+ logWithFields.Warn().Msgf("Failed to detect line, query response %s", searchKey)
+
+ return model.VulnerabilityLines{
+ Line: undetectedVulnerabilityLine,
+ VulnLines: []model.CodeLine{},
+ }
+}
diff --git a/pkg/detector/default_detect_test.go b/pkg/detector/default_detect_test.go
new file mode 100644
index 00000000000..1f4d39221c5
--- /dev/null
+++ b/pkg/detector/default_detect_test.go
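Review bot: The bracket-rewriting loop uses `strings.Replace(sanitizedSubstring, str[0], ..., -1)` a few lines after the same function calls `strings.ReplaceAll`; `strings.ReplaceAll` is the same operation and keeps the file consistent. `var extractedString [][]string` followed by an assignment can collapse to `extractedString := GetBracketValues(searchKey, nil, "")` if GetBracketValues accepts a nil accumulator (its body is not in this hunk). The sanitise/loop/return sequence here is repeated almost verbatim in `docker/docker_detect.go` (the `@@ -0,0 +1,85 @@` hunk below), differing only in how `lines` is prepared; a shared helper in package detector that takes the prepared lines would leave each kind detector with just its line preparation. The doc comment should also name the sentinel contract, e.g. `// DetectLine ... returns Line -1 (undetectedVulnerabilityLine) when searchKey cannot be matched.`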
@@ -0,0 +1,156 @@ +package detector + +import ( + "reflect" + "testing" + + "github.com/Checkmarx/kics/pkg/model" + "github.com/Checkmarx/kics/test" + "github.com/rs/zerolog" + "github.com/stretchr/testify/require" +) + +// Test_detectLine tests the functions [detectLine()] and all the methods called by them +func Test_detectLine(t *testing.T) { //nolint + type args struct { + file *model.FileMetadata + searchKey string + } + type feilds struct { + outputLines int + } + tests := []struct { + name string + args args + feilds feilds + want model.VulnerabilityLines + }{ + { + name: "detect_line", + args: args{ + file: &model.FileMetadata{ + ScanID: "scanID", + ID: "Test", + Kind: model.KindTerraform, + OriginalData: `resource "aws_s3_bucket" "b" { + bucket = "my-tf-test-bucket" + acl = "authenticated-read" + + tags = { + Name = "My bucket" + Environment = "Dev" + } + } + `, + }, + searchKey: "aws_s3_bucket[b].acl", + }, + feilds: feilds{ + outputLines: 3, + }, + want: model.VulnerabilityLines{ + Line: 3, + VulnLines: []model.CodeLine{ + { + Position: 2, + Line: ` bucket = "my-tf-test-bucket"`, + }, + { + Position: 3, + Line: ` acl = "authenticated-read"`, + }, + { + Position: 4, + Line: "", + }, + }, + LineWithVulnerabilty: "", + }, + }, + { + name: "detect_line_with_curly_brackets", + args: args{ + file: &model.FileMetadata{ + ScanID: "scanID", + ID: "Test", + Kind: model.KindTerraform, + OriginalData: `resource "aws_s3_bucket" "b" { + bucket = "my-tf-test-bucket" + acl = "authenticated-read" + + tags = { + Name = "My bucket" + Environment = "Dev.123" + Environment = "test" + } + } + `, + }, + searchKey: "aws_s3_bucket[b].Environment={{Dev.123}}", + }, + feilds: feilds{ + outputLines: 3, + }, + want: model.VulnerabilityLines{ + Line: 7, + VulnLines: []model.CodeLine{ + { + Position: 6, + Line: ` Name = "My bucket"`, + }, + { + Position: 7, + Line: ` Environment = "Dev.123"`, + }, + { + Position: 8, + Line: ` Environment = "test"`, + }, + }, + LineWithVulnerabilty: 
"", + }, + }, + { + name: "detect_line_error", + args: args{ + file: &model.FileMetadata{ + ScanID: "scanID", + ID: "Test", + Kind: model.KindTerraform, + OriginalData: `resource "aws_s3_bucket" "b" { + bucket = "my-tf-test-bucket" + acl = "authenticated-read" + + tags = { + Name = "My bucket" + Environment = "Dev.123" + Environment = "test" + } + } + `, + }, + searchKey: "testing.error", + }, + feilds: feilds{ + outputLines: 3, + }, + want: model.VulnerabilityLines{ + Line: -1, + VulnLines: []model.CodeLine{}, + }, + }, + } + for _, tt := range tests { + detector := NewDetectLine(tt.feilds.outputLines) + t.Run(tt.name, func(t *testing.T) { + got := detector.defaultDetector.DetectLine(tt.args.file, tt.args.searchKey, &zerolog.Logger{}, 3) + gotStrVulnerabilities, err := test.StringifyStruct(got) + require.Nil(t, err) + wantStrVulnerabilities, err := test.StringifyStruct(tt.want) + require.Nil(t, err) + if !reflect.DeepEqual(gotStrVulnerabilities, wantStrVulnerabilities) { + t.Errorf("detectLine() = %v, want %v", gotStrVulnerabilities, wantStrVulnerabilities) + } + }) + } +} diff --git a/pkg/detector/detector.go b/pkg/detector/detector.go new file mode 100644 index 00000000000..6e9b75c50e7 --- /dev/null +++ b/pkg/detector/detector.go 
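Review bot: The test table declares `feilds.outputLines` and builds the detector with it, but then calls `detector.defaultDetector.DetectLine(tt.args.file, tt.args.searchKey, &zerolog.Logger{}, 3)` with a hard-coded `3`, so the table value never reaches the code under test; pass `tt.feilds.outputLines` instead. `feilds` is a misspelling of `fields` (three occurrences) and renaming it keeps the table readable. Every expected `LineWithVulnerabilty` is the empty string, so that field is effectively untested here; either drop it from the expectations or add a case that sets it.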
@@ -0,0 +1,49 @@
+package detector
+
+import (
+ "github.com/Checkmarx/kics/pkg/model"
+ "github.com/rs/zerolog"
+)
+
+type kindDetectLine interface {
+ DetectLine(file *model.FileMetadata, searchKey string,
+ logWithFields *zerolog.Logger, outputLines int) model.VulnerabilityLines
+}
+
+// DetectLine is a struct that associates a kindDetectLine to its FileKind
+type DetectLine struct {
+ detectors map[model.FileKind]kindDetectLine
+ outputLines int
+ logWithFields *zerolog.Logger
+ defaultDetector kindDetectLine
+}
+
+// NewDetectLine creates a new DetectLine's reference
+func NewDetectLine(outputLines int) *DetectLine {
+ return &DetectLine{
+ detectors: make(map[model.FileKind]kindDetectLine),
+ logWithFields: &zerolog.Logger{},
+ outputLines: outputLines,
+ defaultDetector: defaultDetectLine{},
+ }
+}
+
+// SetupLogs will change the logger feild to be used in kindDetectLine DetectLine method
+func (d *DetectLine) SetupLogs(logger *zerolog.Logger) {
+ d.logWithFields = logger
+}
+
+// Add adds a new kindDetectLine to the caller and returns it
+func (d *DetectLine) Add(detector kindDetectLine, kind model.FileKind) *DetectLine {
+ d.detectors[kind] = detector
+ return d
+}
+
+// DetectLine will use the correct kindDetectLine according to the files kind
+// if file kind is not in detectors default detect line is called
+func (d *DetectLine) DetectLine(file *model.FileMetadata, searchKey string) model.VulnerabilityLines {
+ if det, ok := d.detectors[file.Kind]; ok {
+ return det.DetectLine(file, searchKey, d.logWithFields, d.outputLines)
+ }
+ return d.defaultDetector.DetectLine(file, searchKey, d.logWithFields, d.outputLines)
+}
diff --git a/pkg/detector/detector_test.go b/pkg/detector/detector_test.go
new file mode 100644
index 00000000000..e4834606a49
--- /dev/null
+++ b/pkg/detector/detector_test.go
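Review bot: `NewDetectLine` stores `&zerolog.Logger{}` as the initial logger; as far as I recall a zero-value zerolog.Logger has no writer and discards events, so the `Warn()` the kind detectors emit for unmatched keys is lost unless the caller remembers to call `SetupLogs` first. Either state that in the constructor comment (`// NewDetectLine ... logging is a no-op until SetupLogs is called`) or take the logger as a constructor argument so the dependency is explicit. `feild` in the SetupLogs comment should be `field`. The dispatcher method `DetectLine.DetectLine` and the interface method `kindDetectLine.DetectLine` share a name with different signatures, which reads awkwardly at call sites; not a defect, but `Detect` for the dispatcher would remove the stutter.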
@@ -0,0 +1,151 @@ +package detector + +import ( + "reflect" + "testing" + + "github.com/Checkmarx/kics/pkg/model" + "github.com/rs/zerolog" + "github.com/rs/zerolog/log" +) + +type mockkindDetectLine struct { +} + +type mockDefaultDetector struct { +} + +func (m mockkindDetectLine) DetectLine(file *model.FileMetadata, searchKey string, + logWithFields *zerolog.Logger, outputLines int) model.VulnerabilityLines { + return model.VulnerabilityLines{ + Line: 1, + } +} + +func (m mockDefaultDetector) DetectLine(file *model.FileMetadata, searchKey string, + logWithFields *zerolog.Logger, outputLines int) model.VulnerabilityLines { + return model.VulnerabilityLines{ + Line: 5, + } +} + +func TestDetector_Add(t *testing.T) { + var mock mockkindDetectLine + det := initDetector() + type args struct { + kindDetector kindDetectLine + fileKind model.FileKind + } + tests := []struct { + name string + args args + }{ + { + name: "test_add", + args: args{ + kindDetector: mock, + fileKind: model.KindDOCKER, + }, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + det = det.Add(tt.args.kindDetector, tt.args.fileKind) + got, ok := det.detectors[tt.args.fileKind] + if !ok { + t.Errorf("Add(), mockKindDetectLine is not in detectors") + } + if !reflect.DeepEqual(got, mock) { + t.Errorf("Add() = %v, want = %v", got, mock) + } + }) + } +} + +func TestDetector_SetupLogs(t *testing.T) { + det := initDetector() + type args struct { + log zerolog.Logger + } + tests := []struct { + name string + args args + }{ + { + name: "test_setup_logs", + args: args{ + log: log.With(). + Str("scanID", "Test"). + Str("fileName", "Test_file_name"). + Str("queryName", "Test_Query_name"). 
+ Logger(), + }, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + det.SetupLogs(&tt.args.log) + got := det.logWithFields + if !reflect.DeepEqual(*got, tt.args.log) { + t.Errorf("SetupLogs() = %v, want = %v", got, tt.args.log) + } + }) + } +} + +func TestDetector_DetectLine(t *testing.T) { + var mock mockkindDetectLine + var defaultmock mockDefaultDetector + det := initDetector().Add(mock, model.KindCOMMON) + det.defaultDetector = defaultmock + + type args struct { + file *model.FileMetadata + searchKey string + } + tests := []struct { + name string + args args + want model.VulnerabilityLines + }{ + { + name: "test_kind_detect_line", + args: args{ + file: &model.FileMetadata{ + Kind: model.KindCOMMON, + }, + searchKey: "", + }, + want: model.VulnerabilityLines{ + Line: 1, + }, + }, + { + name: "test_default_detect_line", + args: args{ + file: &model.FileMetadata{ + Kind: model.KindTerraform, + }, + searchKey: "", + }, + want: model.VulnerabilityLines{ + Line: 5, + }, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + got := det.DetectLine(tt.args.file, tt.args.searchKey) + if !reflect.DeepEqual(got, tt.want) { + t.Errorf("DetectLine() = %v, want = %v", got, tt.want) + } + }) + } +} + +func initDetector() *DetectLine { + return NewDetectLine(3) +} diff --git a/pkg/detector/docker/docker_detect.go b/pkg/detector/docker/docker_detect.go new file mode 100644 index 00000000000..9d94d481f30 --- /dev/null +++ b/pkg/detector/docker/docker_detect.go 
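Review bot: `mockkindDetectLine` breaks the MixedCaps convention the sibling type `mockDefaultDetector` follows; `mockKindDetectLine` matches. In TestDetector_SetupLogs the check `reflect.DeepEqual(*got, tt.args.log)` compares logger values, which passes, but `got == &tt.args.log` would pin the actual contract of SetupLogs (it stores the pointer it was handed). Both are style points; the dispatch cases in TestDetector_DetectLine exercise the kind and default paths correctly.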
@@ -0,0 +1,85 @@
+package docker
+
+import (
+ "regexp"
+ "strconv"
+ "strings"
+
+ "github.com/Checkmarx/kics/pkg/detector"
+ "github.com/Checkmarx/kics/pkg/model"
+ "github.com/rs/zerolog"
+)
+
+// DetectKindLine defines a kindDetectLine type
+type DetectKindLine struct {
+}
+
+const (
+ undetectedVulnerabilityLine = -1
+)
+
+var (
+ nameRegexDockerFileML = regexp.MustCompile(`.+\s+\\$`)
+)
+
+// DetectLine searches vulnerability line in docker files
+func (d DetectKindLine) DetectLine(file *model.FileMetadata, searchKey string,
+ logWithFields *zerolog.Logger, outputLines int) model.VulnerabilityLines {
+ text := strings.ReplaceAll(file.OriginalData, "\r", "")
+ lines := prepareDockerFileLines(text)
+ isBreak := false
+ foundAtLeastOne := false
+ currentLine := 0
+ var extractedString [][]string
+ extractedString = detector.GetBracketValues(searchKey, extractedString, "")
+ sKey := searchKey
+ for idx, str := range extractedString {
+ sKey = strings.Replace(sKey, str[0], `{{`+strconv.Itoa(idx)+`}}`, -1)
+ }
+
+ for _, key := range strings.Split(sKey, ".") {
+ substr1, substr2 := detector.GenerateSubstrings(key, extractedString)
+
+ foundAtLeastOne, currentLine, isBreak = detector.DetectCurrentLine(lines, substr1, substr2,
+ currentLine, foundAtLeastOne)
+
+ if isBreak {
+ break
+ }
+ }
+
+ if foundAtLeastOne {
+ return model.VulnerabilityLines{
+ Line: currentLine + 1,
+ VulnLines: detector.GetAdjacentVulnLines(currentLine, outputLines, strings.Split(text, "\n")),
+ }
+ }
+
+ logWithFields.Warn().Msgf("Failed to detect Docker line, query response %s", searchKey)
+
+ return model.VulnerabilityLines{
+ Line: undetectedVulnerabilityLine,
+ VulnLines: []model.CodeLine{},
+ }
+}
+
+func prepareDockerFileLines(text string) []string {
+ textSplit := strings.Split(text, "\n")
+ for idx, key := range textSplit {
+ textSplit[idx] = multiLineSpliter(textSplit, key, idx)
+ }
+ return textSplit
+}
+
+func multiLineSpliter(textSplit []string, key string, idx int) string {
+ 
if nameRegexDockerFileML.MatchString(key) {
+ i := idx + 1
+ for textSplit[i] == "" {
+ i++
+ }
+ textSplit[idx] = strings.ReplaceAll(textSplit[idx], " \\", " "+textSplit[i])
+ textSplit[i] = ""
+ textSplit[idx] = multiLineSpliter(textSplit, textSplit[idx], idx)
+ }
+ return textSplit[idx]
+}
diff --git a/pkg/detector/docker/docker_detect_test.go b/pkg/detector/docker/docker_detect_test.go
new file mode 100644
index 00000000000..26a9b807e48
--- /dev/null
+++ b/pkg/detector/docker/docker_detect_test.go
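Review bot: `multiLineSpliter` indexes past the end of `textSplit` when a continuation line is the last non-empty line of the file: `i := idx + 1` followed by `for textSplit[i] == "" { i++ }` has no bound, so a Dockerfile whose final instruction ends in `\` (or in `\` followed only by blank lines) makes the scanner panic with an index out of range on ordinary scanned input. The loop needs a length guard and a fallback when no continuation target exists, as sketched below. The `strings.Replace(..., -1)` and `var extractedString` points raised on default_detect.go apply to DetectLine here as well, and `undetectedVulnerabilityLine` is redeclared rather than shared with package detector.
```go
func multiLineSpliter(textSplit []string, key string, idx int) string {
	if nameRegexDockerFileML.MatchString(key) {
		i := idx + 1
		for i < len(textSplit) && textSplit[i] == "" {
			i++
		}
		if i >= len(textSplit) {
			// trailing "\" with nothing to join: keep the line as it is
			return textSplit[idx]
		}
		// … unchanged: join textSplit[i] into textSplit[idx], blank it, recurse …
	}
	return textSplit[idx]
}
```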
@@ -0,0 +1,140 @@ +package docker + +import ( + "fmt" + "testing" + + "github.com/Checkmarx/kics/pkg/model" + "github.com/rs/zerolog" + "github.com/stretchr/testify/require" +) + +// TestDetectDockerLine tests the functions [DetectDockerLine()] and all the methods called by them +func TestDetectDockerLine(t *testing.T) { //nolint + testCases := []struct { + expected model.VulnerabilityLines + searchKey string + file *model.FileMetadata + }{ + { + expected: model.VulnerabilityLines{ + Line: 10, + VulnLines: []model.CodeLine{ + { + Position: 9, + Line: "RUN apk update", + }, + { + Position: 10, + Line: "RUN apk update && apk upgrade && apk add kubectl=1.20.0-r0 \\", + }, + { + Position: 11, + Line: "\t&& rm -rf /var/cache/apk/*", + }, + }, + }, + searchKey: "FROM={{alpine:3.9}}.RUN={{apk update && apk upgrade && apk add kubectl=1.20.0-r0 \u0026\u0026 rm -rf /var/cache/apk/*}}", + file: &model.FileMetadata{ + ScanID: "Test2", + ID: "Test2", + Kind: model.KindDOCKER, + OriginalData: `FROM alpine:3.7 +RUN apk update \ + && apk upgrade \ + && apk add kubectl=1.20.0-r0 \ + && rm -rf /var/cache/apk/* +ENTRYPOINT ["kubectl"] + +FROM alpine:3.9 +RUN apk update +RUN apk update && apk upgrade && apk add kubectl=1.20.0-r0 \ + && rm -rf /var/cache/apk/* +ENTRYPOINT ["kubectl"] +`, + }, + }, + { + expected: model.VulnerabilityLines{ + Line: 17, + VulnLines: []model.CodeLine{ + { + Position: 16, + Line: "ARG JAR_FILE", + }, + { + Position: 17, + Line: "ADD ${JAR_FILE} apps.jar", + }, + { + Position: 18, + Line: "", + }, + }, + }, + searchKey: "FROM=openjdk:11-jdk.{{ADD ${JAR_FILE} apps.jar}}", + file: &model.FileMetadata{ + ScanID: "Test3", + ID: "Test3", + Kind: model.KindDOCKER, + OriginalData: `FROM openjdk:10-jdk +VOLUME /tmp +ADD http://source.file/package.file.tar.gz /temp +RUN tar -xjf /temp/package.file.tar.gz \ + && make -C /tmp/package.file \ + && rm /tmp/ package.file.tar.gz +ARG JAR_FILE +ADD ${JAR_FILE} app.jar + +FROM openjdk:11-jdk +VOLUME /tmp +ADD 
http://source.file/package.file.tar.gz /temp +RUN tar -xjf /temp/package.file.tar.gz \ + && make -C /tmp/package.file \ + && rm /tmp/ package.file.tar.gz +ARG JAR_FILE +ADD ${JAR_FILE} apps.jar +`, + }, + }, + { + expected: model.VulnerabilityLines{ + Line: 6, + VulnLines: []model.CodeLine{ + { + Position: 5, + Line: ` && apk add kubectl=1.20.0-r0 \`, + }, + { + Position: 6, + Line: " && rm -rf /var/cache/apk/*", + }, + { + Position: 7, + Line: `ENTRYPOINT ["kubectl"]`, + }, + }, + }, + searchKey: "FROM={{alpine:3.7}}.ENTRYPOINT[kubectl]", + file: &model.FileMetadata{ + ScanID: "Test", + ID: "Test", + Kind: model.KindDOCKER, + OriginalData: `FROM alpine:3.7 +RUN apk update \ + && apk upgrade \ + && apk add kubectl=1.20.0-r0 \ + && rm -rf /var/cache/apk/* +ENTRYPOINT ["kubectl"]`, + }, + }, + } + + for i, testCase := range testCases { + detector := DetectKindLine{} + t.Run(fmt.Sprintf("detectDockerLine-%d", i), func(t *testing.T) { + v := detector.DetectLine(testCase.file, testCase.searchKey, &zerolog.Logger{}, 3) + require.Equal(t, testCase.expected, v) + }) + } +} diff --git a/pkg/detector/helm/helm_detect.go b/pkg/detector/helm/helm_detect.go new file mode 100644 index 00000000000..0abe1f244d9 --- /dev/null +++ b/pkg/detector/helm/helm_detect.go 
@@ -0,0 +1,187 @@ +package helm + +import ( + "fmt" + "sort" + "strconv" + "strings" + + "github.com/Checkmarx/kics/pkg/detector" + "github.com/Checkmarx/kics/pkg/model" + "github.com/agnivade/levenshtein" + "github.com/rs/zerolog" +) + +// DetectKindLine defines a kindDetectLine type +type DetectKindLine struct { +} + +type detectCurlLine struct { + foundRes bool + lineRes int + breakRes bool + lastUnique dupHistory +} + +// dupHistory keeps the history of uniques +type dupHistory struct { + unique bool + lastUniqueLine int +} + +const ( + undetectedVulnerabilityLine = -1 +) + +// DetectLine is used to detect line on the helm template, +// it looks only at the keys of the template and will make use of the auxiliary added +// lines (ex: "# KICS_HELM_ID_") +func (d DetectKindLine) DetectLine(file *model.FileMetadata, searchKey string, + logWithFields *zerolog.Logger, outputLines int) model.VulnerabilityLines { + searchKey = fmt.Sprintf("%s.%s", strings.TrimRight(strings.TrimLeft(file.HelmID, "# "), ":"), searchKey) + text := strings.ReplaceAll(file.OriginalData, "\r", "") + lines := strings.Split(text, "\n") + curLineRes := detectCurlLine{ + foundRes: false, + lineRes: 0, + breakRes: false, + } + var extractedString [][]string + extractedString = detector.GetBracketValues(searchKey, extractedString, "") + sanitizedSubstring := searchKey + for idx, str := range extractedString { + sanitizedSubstring = strings.Replace(sanitizedSubstring, str[0], `{{`+strconv.Itoa(idx)+`}}`, -1) + } + + helmID, err := strconv.Atoi(strings.TrimSuffix(strings.TrimPrefix(file.HelmID, "# KICS_HELM_ID_"), ":")) + if err != nil { + helmID = -1 + } + + // Since we are only looking at keys we can ignore the second value passed through '=' and '[]' + for _, key := range strings.Split(sanitizedSubstring, ".") { + substr1, _ := detector.GenerateSubstrings(key, extractedString) + curLineRes = curLineRes.detectCurrentLine(lines, fmt.Sprintf("%s:", substr1), "", true, file.IDInfo, helmID) + + if 
curLineRes.breakRes { + break + } + } + + // Look at dupHistory to see if the last element was duplicate, if so + // change the line to the last unique key + if !curLineRes.lastUnique.unique { + curLineRes.lineRes = curLineRes.lastUnique.lastUniqueLine + } + + if curLineRes.foundRes { + lineRemove := make(map[int]int) + count := 0 + for i, line := range lines { // Remove auxiliary lines + if strings.Contains(line, "# KICS_HELM_ID_") { + count++ + lineRemove[i] = count + lines = append(lines[:i], lines[i+1:]...) + } + } + // Update found line + curLineRes.lineRes = removeLines(curLineRes.lineRes, lineRemove) + return model.VulnerabilityLines{ + Line: curLineRes.lineRes + 1, + VulnLines: detector.GetAdjacentVulnLines(curLineRes.lineRes, outputLines, lines), + LineWithVulnerabilty: strings.Split(lines[curLineRes.lineRes], ": ")[0], + } + } + + logWithFields.Warn().Msgf("Failed to detect line, query response %s", searchKey) + + return model.VulnerabilityLines{ + Line: undetectedVulnerabilityLine, + VulnLines: []model.CodeLine{}, + } +} + +// removeLines is used to update the vulnerability line after removing the "# KICS_HELM_ID_" +func removeLines(current int, lineRemove map[int]int) int { + orderByKey := make([]int, len(lineRemove)) + i := 0 + for k := range lineRemove { + orderByKey[i] = k + i++ + } + remove := 0 + sort.Ints(orderByKey) + for _, k := range orderByKey { + if current > k { + remove = lineRemove[k] + } else { + break + } + } + current -= remove + return current +} + +func (d detectCurlLine) detectCurrentLine(lines []string, str1, + str2 string, byKey bool, idInfo map[int]interface{}, id int) detectCurlLine { + distances := make(map[int]int) + for i := d.lineRes; i < len(lines); i++ { + if str1 != "" && str2 != "" { + if strings.Contains(lines[i], str1) && strings.Contains(lines[i], str2) { + distances[i] = levenshtein.ComputeDistance(detector.ExtractLineFragment(lines[i], str2, byKey), str2) + } + } else if str1 != "" { + if strings.Contains(lines[i], 
str1) { + distances[i] = levenshtein.ComputeDistance( + detector.ExtractLineFragment(strings.TrimSpace(lines[i]), str1, byKey), str1) + } + } + } + + lastSingle := d.lastUnique.lastUniqueLine + + if len(distances) == 0 { + return detectCurlLine{ + foundRes: d.foundRes, + lineRes: d.lineRes, + breakRes: true, + lastUnique: dupHistory{ + lastUniqueLine: lastSingle, + unique: d.lastUnique.unique, + }, + } + } + + lineResponse := detector.SelectLineWithMinimumDistance(distances, d.lineRes) + // if lineResponse is unique + unique := detectLastSingle(lineResponse, distances, idInfo, id) + if unique { + lastSingle = lineResponse + } + + return detectCurlLine{ + foundRes: true, + lineRes: lineResponse, + breakRes: false, + lastUnique: dupHistory{ + unique: unique, + lastUniqueLine: lastSingle, + }, + } +} + +// detectLastSingle checks if the line is unique or a duplicate +func detectLastSingle(line int, dis map[int]int, idInfo map[int]interface{}, id int) bool { + if idInfo == nil { + return true + } + for key, value := range dis { + if value == dis[line] && key != line { + // check if we are only looking at original data equivalent to the vulnerability + if ok := idInfo[id].(map[int]int)[key]; ok != 0 { + return false + } + } + } + return true +} diff --git a/pkg/detector/helm/helm_detect_test.go b/pkg/detector/helm/helm_detect_test.go new file mode 100644 index 00000000000..c33c29544f9 --- /dev/null +++ b/pkg/detector/helm/helm_detect_test.go 
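Review bot: `detectLastSingle` panics on `idInfo[id].(map[int]int)[key]` when `idInfo` is non-nil but holds no entry for `id`, because the unchecked assertion on a nil interface value fails; `DetectLine` itself produces that state by setting `helmID = -1` when `strconv.Atoi` on `file.HelmID` fails. A checked assertion keeps the existing treat-as-unique fallback: `m, ok := idInfo[id].(map[int]int)` and `if !ok { return true }` before the loop, with `m[key]` inside it. Separately, the marker-removal loop in `DetectLine` does `lines = append(lines[:i], lines[i+1:]...)` while ranging over `lines`, so the element shifted into position `i` is never visited and `lineRemove` records post-shift indices; appending kept lines to a separate output slice avoids both. The helm_detect_test.go hunk has no case with an unparsable `HelmID` together with a non-nil `IDInfo`.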
@@ -0,0 +1,193 @@ +package helm + +import ( + "reflect" + "testing" + + "github.com/Checkmarx/kics/pkg/model" + "github.com/rs/zerolog" +) + +func TestEngine_detectHelmLine(t *testing.T) { //nolint + type args struct { + file *model.FileMetadata + searchKey string + logWithFields *zerolog.Logger + outputLines int + } + + tests := []struct { + name string + args args + want model.VulnerabilityLines + }{ + { + name: "test_detect_helm_line", + args: args{ + file: &model.FileMetadata{ + ID: "1", + ScanID: "console", + Document: model.Document{}, + Kind: model.KindHELM, + FileName: "test-connection.yaml", + HelmID: "# KICS_HELM_ID_0", + OriginalData: `# KICS_HELM_ID_0: +apiVersion: v1 +kind: Pod +metadata: + name: "{{ include "test_helm.fullname" . }}-test-connection" + labels: + {{- include "test_helm.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['{{ include "test_helm.fullname" . }}:{{ .Values.service.port }}'] + restartPolicy: Never +`, + Content: ``, + }, + searchKey: "KICS_HELM_ID_0.metadata.name={{RELEASE-NAME-test_helm-test-connection}}.spec.containers", + logWithFields: &zerolog.Logger{}, + outputLines: 1, + }, + want: model.VulnerabilityLines{ + Line: 10, + VulnLines: []model.CodeLine{ + { + Position: 10, + Line: " containers:", + }, + }, + LineWithVulnerabilty: " containers:", + }, + }, + { + name: "test_dup_values", + args: args{ + file: &model.FileMetadata{ + ID: "1", + ScanID: "console", + Document: model.Document{}, + Kind: model.KindHELM, + FileName: "test-dup_values.yaml", + IDInfo: map[int]interface{}{0: map[int]int{0: 0, 1: 1, 2: 2, 3: 3, 4: 4, + 5: 5, 6: 6, 7: 7, 8: 8, 9: 9, 10: 10, 11: 11, 12: 12, 13: 13, 14: 14, 15: 15, 16: 16, 17: 17, + 18: 18, 19: 19, 21: 21, 22: 22}}, + HelmID: "# KICS_HELM_ID_0", + OriginalData: `# KICS_HELM_ID_0: +apiVersion: v1 +kind: Pod +metadata: + name: "{{ include "test_helm.fullname" . 
}}-test-connection" + labels: + {{- include "test_helm.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['{{ include "test_helm.fullname" . }}:{{ .Values.service.port }}'] + restartPolicy: Never + containers: + - name: wget2 + image: busybox + command: ['wget'] + args: ['{{ include "test_helm.fullname" . }}:{{ .Values.service.port }}'] + restartPolicy: Never +`, + Content: ``, + }, + searchKey: "KICS_HELM_ID_0.metadata.name={{RELEASE-NAME-test_helm-test-connection}}.spec.containers", + logWithFields: &zerolog.Logger{}, + outputLines: 1, + }, + want: model.VulnerabilityLines{ + Line: 9, + VulnLines: []model.CodeLine{ + { + Position: 9, + Line: "spec:", + }, + }, + LineWithVulnerabilty: "spec:", + }, + }, + { + name: "test_detect_helm_with_dups", + args: args{ + file: &model.FileMetadata{ + ID: "1", + ScanID: "console", + Document: model.Document{}, + Kind: model.KindHELM, + FileName: "test-dups.yaml", + HelmID: "# KICS_HELM_ID_1", + OriginalData: `# KICS_HELM_ID_0: +apiVersion: v1 +kind: Pod +metadata: + name: "{{ include "test_helm.fullname" . }}-test-connection" + labels: + {{- include "test_helm.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['{{ include "test_helm.fullname" . }}:{{ .Values.service.port }}'] + restartPolicy: Never +--- +# KICS_HELM_ID_1: +apiVersion: v1 +kind: Pod +metadata: + name: "{{ include "test_helm.fullname" . }}-test-dups" + labels: + {{- include "test_helm.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['{{ include "test_helm.fullname" . 
}}:{{ .Values.service.port }}'] + restartPolicy: Never +`, + Content: ``, + }, + searchKey: "KICS_HELM_ID_1.metadata.name={{RELEASE-NAME-test_helm-test-connection}}.spec.containers", + logWithFields: &zerolog.Logger{}, + outputLines: 1, + }, + want: model.VulnerabilityLines{ + Line: 26, + VulnLines: []model.CodeLine{ + { + Position: 26, + Line: " containers:", + }, + }, + LineWithVulnerabilty: " containers:", + }, + }, + } + + for _, tt := range tests { + detector := DetectKindLine{} + t.Run(tt.name, func(t *testing.T) { + got := detector.DetectLine(tt.args.file, tt.args.searchKey, tt.args.logWithFields, tt.args.outputLines) + if !reflect.DeepEqual(got, tt.want) { + t.Errorf("detectHelmLine() = %v, want = %v", got, tt.want) + } + }) + } +} diff --git a/pkg/detector/helper.go b/pkg/detector/helper.go new file mode 100644 index 00000000000..c3d1454aa56 --- /dev/null +++ b/pkg/detector/helper.go 
@@ -0,0 +1,222 @@ +package detector + +import ( + "fmt" + "regexp" + "strconv" + "strings" + + "github.com/Checkmarx/kics/internal/constants" + "github.com/Checkmarx/kics/pkg/model" + "github.com/agnivade/levenshtein" +) + +var ( + nameRegex = regexp.MustCompile(`^([A-Za-z0-9-_]+)\[([A-Za-z0-9-_{}]+)]$`) + nameRegexDocker = regexp.MustCompile(`{{(.*?)}}`) +) + +const ( + namePartsLength = 3 + valuePartsLength = 2 +) + +// GetBracketValues gets values inside "{{ }}" ignoring any "{{" or "}}" inside +func GetBracketValues(expr string, list [][]string, restOfString string) [][]string { + var tempList []string + firstOpen := strings.Index(expr, "{{") + firstClose := strings.Index(expr, "}}") + switchVal := firstClose - firstOpen + if switchVal == 0 { // if there is no "{{" and no "}}" + if expr != "" { + tempList = append(tempList, fmt.Sprintf("{{%s}}", expr), expr) + list = append(list, tempList) + } + if restOfString == "" { + return list // if there is no more string to read from return value of list + } + list = GetBracketValues(restOfString, list, "") // recursive call to the rest of the string + } else if switchVal > 0 { // if the position of the first "}}" is bigger than than the position of "{{" + // recursive with the value inside of curly brackets + list = GetBracketValues(expr[firstOpen+2:firstClose], list, expr[firstClose+2:]) + } else { // if the position of the first "{{" is bigger than than the position of "}}" + nextClose := strings.Index(restOfString, "}}") + tempList = append(tempList, fmt.Sprintf("{{%s%s}}", expr, restOfString[nextClose:]), + fmt.Sprintf("%s%s", expr, restOfString[nextClose:])) + list = append(list, tempList) + list = GetBracketValues(restOfString[nextClose+2:], list, "") // recursive call to the rest of the string + } + return list +} + +// GenerateSubstrings returns the substrings used for line searching depending on search key +// '.' 
is new line +// '=' is value in the same line +// '[]' is in the same line +func GenerateSubstrings(key string, extractedString [][]string) (substr1Res, substr2Res string) { + var substr1, substr2 string + if parts := nameRegex.FindStringSubmatch(key); len(parts) == namePartsLength { + substr1, substr2 = getKeyWithCurlyBrackets(key, extractedString, parts) + } else if parts := strings.Split(key, "="); len(parts) == valuePartsLength { + substr1, substr2 = getKeyWithCurlyBrackets(key, extractedString, parts) + } else { + parts := []string{key, ""} + substr1, substr2 = getKeyWithCurlyBrackets(key, extractedString, parts) + } + return substr1, substr2 +} + +func getKeyWithCurlyBrackets(key string, extractedString [][]string, parts []string) (substr1Res, substr2Res string) { + var substr1, substr2 string + extractedPart := nameRegexDocker.FindStringSubmatch(key) + if len(extractedPart) == valuePartsLength { + for idx, key := range parts { + if extractedPart[0] == key { + switch idx { + case (len(parts) - 2): + i, _ := strconv.Atoi(extractedPart[1]) + substr1 = extractedString[i][1] + case len(parts) - 1: + i, _ := strconv.Atoi(extractedPart[1]) + substr2 = extractedString[i][1] + } + } else { + substr1 = generateSubstr(substr1, parts, 2) + substr2 = generateSubstr(substr2, parts, 1) + } + } + } else { + substr1 = parts[len(parts)-2] + substr2 = parts[len(parts)-1] + } + + return substr1, substr2 +} + +func generateSubstr(substr string, parts []string, leng int) string { + if substr == "" { + substr = parts[len(parts)-leng] + } + return substr +} + +// GetAdjacentVulnLines is used to get the lines adjecent to the line that contains the vulnerability +// adj is the amount of lines wanted +func GetAdjacentVulnLines(idx, adj int, lines []string) []model.CodeLine { + var endPos int + var startPos int + if adj <= len(lines) { + endPos = idx + adj/2 + 1 // if adj lines passes the number of lines in file + if len(lines) < endPos { + endPos = len(lines) + } + startAdj := adj + 
if adj%2 == 0 { + startAdj-- + } + + startPos = idx - startAdj/2 // if adj lines passes the first line in the file + if startPos < 0 { + startPos = 0 + } + } else { // in case adj is bigger than number of lines in file + adj = len(lines) + endPos = len(lines) + startPos = 0 + } + + switch idx { + case 0: + // case vulnerability is the first line of the file + return createVulnLines(1, lines[:adj]) + case len(lines) - 1: + // case vulnerability is the last line of the file + return createVulnLines(startPos+1, lines[len(lines)-adj:]) + default: + // case vulnerability is in the midle of the file + return createVulnLines(startPos+1, lines[startPos:endPos]) + } +} + +// createVulnLines is the function that will generate the array that contains the lines numbers +// used to alter the color of the line that contains the vulnerability +func createVulnLines(startPos int, lines []string) []model.CodeLine { + vulns := make([]model.CodeLine, len(lines)) + for idx, line := range lines { + vulns[idx] = model.CodeLine{ + Line: line, + Position: startPos, + } + startPos++ + } + return vulns +} + +// SelectLineWithMinimumDistance will search a map of levenshtein distances to find the minimum distance +func SelectLineWithMinimumDistance(distances map[int]int, startingFrom int) int { + minDistance, lineOfMinDistance := constants.MaxInteger, startingFrom + for line, distance := range distances { + if distance < minDistance || distance == minDistance && line < lineOfMinDistance { + minDistance = distance + lineOfMinDistance = line + } + } + + return lineOfMinDistance +} + +// ExtractLineFragment will prepare substr for line detection +func ExtractLineFragment(line, substr string, key bool) string { + // If detecting line by keys only + if key { + return line[:strings.Index(line, ":")] + } + start := strings.Index(line, substr) + end := start + len(substr) + + for start >= 0 { + if line[start] == ' ' { + break + } + + start-- + } + + for end < len(line) { + if line[end] == ' ' { + 
break + } + + end++ + } + + result := line[start+1 : end] + // workaround for selecting yaml keys + if result[len(result)-1] == ':' { + end-- + } + return line[start+1 : end] +} + +// DetectCurrentLine uses levenshtein distance to find the most acurate line for the vulnerability +func DetectCurrentLine(lines []string, str1, str2 string, + curLine int, foundOne bool) (foundRes bool, lineRes int, breakRes bool) { + distances := make(map[int]int) + for i := curLine; i < len(lines); i++ { + if str1 != "" && str2 != "" { + if strings.Contains(lines[i], str1) && strings.Contains(lines[i], str2) { + distances[i] = levenshtein.ComputeDistance(ExtractLineFragment(lines[i], str2, false), str2) + } + } else if str1 != "" { + if strings.Contains(lines[i], str1) { + distances[i] = levenshtein.ComputeDistance(ExtractLineFragment(lines[i], str1, false), str1) + } + } + } + + if len(distances) == 0 { + return foundOne, curLine, true + } + + return true, SelectLineWithMinimumDistance(distances, curLine), false +} diff --git a/pkg/detector/helper_test.go b/pkg/detector/helper_test.go new file mode 100644 index 00000000000..9ded0b25b18 --- /dev/null +++ b/pkg/detector/helper_test.go 
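Review bot: `GetBracketValues` indexes with -1 when the brackets in `expr` are unbalanced: a lone `{{` reaches the final branch with `nextClose == -1` and slices `restOfString[nextClose:]`, and a lone `}}` (for example the tail that `{{a}}}}` produces on recursion) takes the `switchVal > 0` branch with `firstOpen == -1` and slices `expr[1:0]`; both panic. Because search keys embed values taken from the scanned file, a file containing a stray `{{` or `}}` aborts the whole scan rather than just mis-locating one line. The rewritten branches below treat an unmatched marker as literal text and leave balanced input on the existing path. `ExtractLineFragment` has the same shape of problem with `line[:strings.Index(line, ":")]` and `result[len(result)-1]` when the line has no `:` or the fragment is empty; the callers in this patch appear to avoid it, but the exported function does not check. The helper_test.go hunk has no unbalanced-bracket case.
```go
	switchVal := firstClose - firstOpen
	if switchVal == 0 { // neither "{{" nor "}}" present
		// … unchanged: literal append and recursion on restOfString …
	} else if switchVal > 0 && firstOpen >= 0 { // "{{" precedes "}}"
		list = GetBracketValues(expr[firstOpen+2:firstClose], list, expr[firstClose+2:])
	} else {
		nextClose := strings.Index(restOfString, "}}")
		if firstOpen < 0 || nextClose < 0 {
			// Unmatched marker: keep the remainder as literal text instead of slicing with -1.
			return append(list, []string{fmt.Sprintf("{{%s%s}}", expr, restOfString), expr + restOfString})
		}
		// … unchanged: split at nextClose and recurse on the rest …
	}
```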
@@ -0,0 +1,332 @@ +package detector + +import ( + "fmt" + "reflect" + "testing" + + "github.com/Checkmarx/kics/pkg/model" + "github.com/Checkmarx/kics/test" + "github.com/stretchr/testify/require" +) + +// TestSelectLineWithMinimumDistance tests the functions [SelectLineWithMinimumDistance()] and all the methods called by them +func TestSelectLineWithMinimumDistance(t *testing.T) { + values := []struct { + distances map[int]int + startingFrom int + expectedResult int + }{ + { + distances: map[int]int{ + 12: 0, + }, + startingFrom: 0, + expectedResult: 12, + }, + { + distances: map[int]int{ + 12: 0, + 24: 0, + }, + startingFrom: 11, + expectedResult: 12, + }, + { + distances: map[int]int{ + 1: 26, + 2: 5, + 3: 0, + }, + startingFrom: 1, + expectedResult: 3, + }, + } + + for i, testCase := range values { + t.Run(fmt.Sprintf("selectLineWithMinimumDistance-%d", i), func(t *testing.T) { + v := SelectLineWithMinimumDistance(testCase.distances, testCase.startingFrom) + require.Equal(t, testCase.expectedResult, v) + }) + } +} + +// TestGetBracketValues tests the functions [getBracketValues()] and all the methods called by them +func TestGetBracketValues(t *testing.T) { + type args struct { + expr string + } + tests := []struct { + name string + args args + want [][]string + }{ + { + name: "no_brackets", + args: args{ + expr: "password", + }, + want: [][]string{ + { + "{{password}}", + "password", + }, + }, + }, + { + name: "single_brackets", + args: args{ + expr: "{{password}}", + }, + want: [][]string{ + { + "{{password}}", + "password", + }, + }, + }, + { + name: "double_brackets", + args: args{ + expr: "{{ {{password}} }}", + }, + want: [][]string{ + { + "{{ {{password}}}}", + " {{password}}", + }, + }, + }, + { + name: "multiple_brackets", + args: args{ + expr: "FROM={{open-jdk}}.{{ {{password}} }}", + }, + want: [][]string{ + { + "{{open-jdk}}", + "open-jdk", + }, + { + "{{ {{password}}}}", + " {{password}}", + }, + }, + }, + } + + for _, tt := range tests { + var got 
[][]string + t.Run(tt.name, func(t *testing.T) { + got = GetBracketValues(tt.args.expr, got, "") + if !reflect.DeepEqual(got, tt.want) { + t.Errorf("DefaultVulnerabilityBuilder() = %v, want %v", got, tt.want) + } + }) + } +} + +// TestGetAdjacents tests the functions [GetAdjacents()] and all the methods called by them +func TestGetAdjacents(t *testing.T) { //nolint + type args struct { + idx int + adj int + lines []string + } + tests := []struct { + name string + args args + want []model.CodeLine + }{ + { + name: "test_start_of_file", + args: args{ + idx: 0, + adj: 3, + lines: []string{ + "firstline", + "secondline", + "thirdline", + "forthline", + }, + }, + want: []model.CodeLine{ + { + Position: 1, + Line: "firstline", + }, + { + Position: 2, + Line: "secondline", + }, + { + Position: 3, + Line: "thirdline", + }, + }, + }, + { + name: "test_end_of_file", + args: args{ + idx: 3, + adj: 3, + lines: []string{ + "firstline", + "secondline", + "thirdline", + "forthline", + }, + }, + want: []model.CodeLine{ + { + Position: 3, + Line: "secondline", + }, + { + Position: 4, + Line: "thirdline", + }, + { + Position: 5, + Line: "forthline", + }, + }, + }, + { + name: "test_midle_of_file", + args: args{ + idx: 1, + adj: 3, + lines: []string{ + "firstline", + "secondline", + "thirdline", + "forthline", + }, + }, + want: []model.CodeLine{ + { + Position: 1, + Line: "firstline", + }, + { + Position: 2, + Line: "secondline", + }, + { + Position: 3, + Line: "thirdline", + }, + }, + }, + { + name: "test_even_adj", + args: args{ + idx: 1, + adj: 2, + lines: []string{ + "firstline", + "secondline", + "thirdline", + "forthline", + }, + }, + want: []model.CodeLine{ + { + Position: 2, + Line: "secondline", + }, + { + Position: 3, + Line: "thirdline", + }, + }, + }, + { + name: "test_even_adj_first_line", + args: args{ + idx: 0, + adj: 2, + lines: []string{ + "firstline", + "secondline", + "thirdline", + "forthline", + }, + }, + want: []model.CodeLine{ + { + Position: 1, + Line: 
"firstline", + }, + { + Position: 2, + Line: "secondline", + }, + }, + }, + { + name: "test_one_adj", + args: args{ + idx: 3, + adj: 1, + lines: []string{ + "firstline", + "secondline", + "thirdline", + "forthline", + }, + }, + want: []model.CodeLine{ + { + Position: 4, + Line: "forthline", + }, + }, + }, + { + name: "test_adj_bigger_than_file", + args: args{ + idx: 3, + adj: 5, + lines: []string{ + "firstline", + "secondline", + "thirdline", + "forthline", + }, + }, + want: []model.CodeLine{ + { + Position: 1, + Line: "firstline", + }, + { + Position: 2, + Line: "secondline", + }, + { + Position: 3, + Line: "thirdline", + }, + { + Position: 4, + Line: "forthline", + }, + }, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + got := GetAdjacentVulnLines(tt.args.idx, tt.args.adj, tt.args.lines) + gotStrVulnerabilities, err := test.StringifyStruct(got) + require.Nil(t, err) + wantStrVulnerabilities, err := test.StringifyStruct(tt.want) + require.Nil(t, err) + if !reflect.DeepEqual(gotStrVulnerabilities, wantStrVulnerabilities) { + t.Errorf("getAdjacents() = %v, want = %v", gotStrVulnerabilities, wantStrVulnerabilities) + } + }) + } +} diff --git a/pkg/engine/inspector.go b/pkg/engine/inspector.go index 5c3ef6a4950..10653ae9f15 100644 --- a/pkg/engine/inspector.go +++ b/pkg/engine/inspector.go @@ -9,6 +9,9 @@ import ( "time" consoleHelpers "github.com/Checkmarx/kics/internal/console/helpers" + "github.com/Checkmarx/kics/pkg/detector" + "github.com/Checkmarx/kics/pkg/detector/docker" + "github.com/Checkmarx/kics/pkg/detector/helm" "github.com/Checkmarx/kics/pkg/engine/source" "github.com/Checkmarx/kics/pkg/model" "github.com/getsentry/sentry-go" 
@@ -40,7 +43,8 @@ var ErrNoResult = errors.New("query: not result") var ErrInvalidResult = errors.New("query: invalid result format") // VulnerabilityBuilder represents a function that will build a vulnerability -type VulnerabilityBuilder func(ctx *QueryContext, tracker Tracker, v interface{}) (model.Vulnerability, error) +type VulnerabilityBuilder func(ctx *QueryContext, tracker Tracker, v interface{}, + detector *detector.DetectLine) (model.Vulnerability, error) // Tracker wraps an interface that contain basic methods: TrackQueryLoad, TrackQueryExecution and FailedDetectLine // TrackQueryLoad increments the number of loaded queries @@ -68,6 +72,7 @@ type Inspector struct { tracker Tracker failedQueries map[string]error excludeResults map[string]bool + detector *detector.DetectLine enableCoverageReport bool coverageReport cover.Report @@ -157,12 +162,17 @@ func NewInspector( log.Info(). Msgf("Inspector initialized, number of queries=%d", queriesNumber) + lineDetctor := detector.NewDetectLine(tracker.GetOutputLines()). + Add(helm.DetectKindLine{}, model.KindHELM). + Add(docker.DetectKindLine{}, model.KindDOCKER) + return &Inspector{ queries: opaQueries, vb: vb, tracker: tracker, failedQueries: failedQueries, excludeResults: excludeResults, + detector: lineDetctor, }, nil } @@ -310,7 +320,7 @@ func (c *Inspector) decodeQueryResults(ctx *QueryContext, results rego.ResultSet vulnerabilities := make([]model.Vulnerability, 0, len(queryResultItems)) failedDetectLine := false for _, queryResultItem := range queryResultItems { - vulnerability, err := c.vb(ctx, c.tracker, queryResultItem) + vulnerability, err := c.vb(ctx, c.tracker, queryResultItem, c.detector) if err != nil { sentry.CaptureException(err) log.Err(err). diff --git a/pkg/engine/inspector_test.go b/pkg/engine/inspector_test.go index 24df144dfcf..f820feb0ad3 100644 --- a/pkg/engine/inspector_test.go +++ b/pkg/engine/inspector_test.go 
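Review bot: The new parameter in `VulnerabilityBuilder` is named `detector`, which shadows the imported package `detector` inside every builder body; `DefaultVulnerabilityBuilder` in the vulnerability_builder.go hunks repeats the name and then calls `detector.SetupLogs(...)` and `detector.DetectLine(...)`, which read as package-level calls but are method calls on the argument. Naming it `lineDetector *detector.DetectLine` in the type and in `DefaultVulnerabilityBuilder` keeps the package name unambiguous. In the `NewInspector` hunk the local `lineDetctor` is misspelled; `lineDetector := detector.NewDetectLine(tracker.GetOutputLines()).` fixes it and matches the field it is assigned to.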
@@ -11,6 +11,9 @@ import ( "github.com/Checkmarx/kics/internal/tracker" + "github.com/Checkmarx/kics/pkg/detector" + "github.com/Checkmarx/kics/pkg/detector/docker" + "github.com/Checkmarx/kics/pkg/detector/helm" "github.com/Checkmarx/kics/pkg/engine/source" "github.com/Checkmarx/kics/pkg/model" "github.com/Checkmarx/kics/test" @@ -110,6 +113,9 @@ func TestInspector_GetCoverageReport(t *testing.T) { // TestInspect tests the functions [Inspect()] and all the methods called by them func TestInspect(t *testing.T) { //nolint + inspDetector := detector.NewDetectLine(3). + Add(helm.DetectKindLine{}, model.KindHELM). + Add(docker.DetectKindLine{}, model.KindDOCKER) ctx := context.Background() opaQuery, _ := rego.New( rego.Query(regoQuery), @@ -240,6 +246,7 @@ func TestInspect(t *testing.T) { //nolint QueryURI: "https://github.com/Checkmarx/kics/", Severity: model.SeverityInfo, Line: -1, + VulnLines: []model.CodeLine{}, IssueType: "IncorrectValue", SearchKey: "{{ADD ${JAR_FILE} app.jar}}", KeyExpectedValue: "'COPY' app.jar", @@ -288,6 +295,7 @@ func TestInspect(t *testing.T) { //nolint enableCoverageReport: tt.fields.enableCoverageReport, coverageReport: tt.fields.coverageReport, excludeResults: tt.fields.excludeResults, + detector: inspDetector, } got, err := c.Inspect(tt.args.ctx, tt.args.scanID, tt.args.files, true, filepath.FromSlash("assets/queries/")) if tt.wantErr { diff --git a/pkg/engine/vulnerability_builder.go b/pkg/engine/vulnerability_builder.go index 76cd0f26360..317cf6d6bb5 100644 --- a/pkg/engine/vulnerability_builder.go +++ b/pkg/engine/vulnerability_builder.go 
@@ -3,48 +3,16 @@ package engine import ( "encoding/json" "fmt" - "regexp" - "sort" "strconv" "strings" + "github.com/Checkmarx/kics/pkg/detector" "github.com/Checkmarx/kics/pkg/model" - "github.com/agnivade/levenshtein" "github.com/pkg/errors" "github.com/rs/zerolog" "github.com/rs/zerolog/log" ) -var ( - nameRegex = regexp.MustCompile(`^([A-Za-z0-9-_]+)\[([A-Za-z0-9-_{}]+)]$`) - nameRegexDocker = regexp.MustCompile(`{{(.*?)}}`) - nameRegexDockerFileML = regexp.MustCompile(`.+\s+\\$`) -) - -const ( - namePartsLength = 3 - valuePartsLength = 2 -) - -type vulnerabilityLines struct { - line int - vulnLine model.VulnLines - lineWithVulnerabilty string -} - -type detectCurlLine struct { - foundRes bool - lineRes int - breakRes bool - lastUnique dupHistory -} - -// dupHistory keeps the history of uniques -type dupHistory struct { - unique bool - lastUniqueLine int -} - func getStringFromMap(vulnParam, defaultParam string, vOjb map[string]interface{}, logWithFields *zerolog.Logger) string { ts, err := mapKeyToString(vOjb, vulnParam, false) if err != nil { @@ -56,7 +24,8 @@ func getStringFromMap(vulnParam, defaultParam string, vOjb map[string]interface{ } // DefaultVulnerabilityBuilder defines a vulnerability builder to execute default actions of scan -var DefaultVulnerabilityBuilder = func(ctx *QueryContext, tracker Tracker, v interface{}) (model.Vulnerability, error) { +var DefaultVulnerabilityBuilder = func(ctx *QueryContext, tracker Tracker, + v interface{}, detector *detector.DetectLine) (model.Vulnerability, error) { vObj, ok := v.(map[string]interface{}) if !ok { return model.Vulnerability{}, ErrInvalidResult 
@@ -90,23 +59,17 @@ var DefaultVulnerabilityBuilder = func(ctx *QueryContext, tracker Tracker, v int Str("queryName", ctx.query.metadata.Query). Logger() - linesVulne := vulnerabilityLines{ - line: UndetectedVulnerabilityLine, - vulnLine: model.VulnLines{}, + detector.SetupLogs(&logWithFields) + + linesVulne := model.VulnerabilityLines{ + Line: -1, + VulnLines: []model.CodeLine{}, } + searchKey := "" if s, ok := vObj["searchKey"]; ok { searchKey = s.(string) - switch file.Kind { - case model.KindDOCKER: - linesVulne = detectDockerLine(&file, searchKey, &logWithFields, tracker.GetOutputLines()) - case model.KindHELM: - // Update search key to make use of the auxiliary lines - tempSearchKey := fmt.Sprintf("%s.%s", strings.TrimRight(strings.TrimLeft(file.HelmID, "# "), ":"), searchKey) - linesVulne = detectHelmLine(&file, tempSearchKey, &logWithFields, tracker.GetOutputLines()) - default: - linesVulne = detectLine(&file, searchKey, &logWithFields, tracker.GetOutputLines()) - } + linesVulne = detector.DetectLine(&file, searchKey) } else { logWithFields.Error().Msg("Saving result. failed to detect line") } @@ -165,8 +128,8 @@ var DefaultVulnerabilityBuilder = func(ctx *QueryContext, tracker Tracker, v int Description: getStringFromMap("descriptionText", "", vObj, &logWithFields), Severity: severity, Platform: getStringFromMap("platform", "", vObj, &logWithFields), - Line: linesVulne.line, - VulnLines: linesVulne.vulnLine, + Line: linesVulne.Line, + VulnLines: linesVulne.VulnLines, IssueType: issueType, SearchKey: searchKey, SearchValue: searchValue, 
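Review bot: The replacement initialiser `linesVulne := model.VulnerabilityLines{ Line: -1, VulnLines: []model.CodeLine{} }` hard-codes `-1` where the removed line used the named `UndetectedVulnerabilityLine`, and the same literal is now declared again as `undetectedVulnerabilityLine = -1` in both the docker and helm packages earlier in this patch. If `UndetectedVulnerabilityLine` is still defined in package engine, keep `Line: UndetectedVulnerabilityLine`; otherwise a single exported constant in `pkg/detector` shared by all three sites would stop the copies drifting. `DefaultVulnerabilityBuilder` continues outside the hunk.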
@@ -189,288 +152,6 @@ func mergeWithMetadata(base, additional map[string]interface{}) map[string]inter return base } -/* - detectHelmLine is used to detect line on the helm template, - it looks only at the keys of the template and will make use of the auxiliary added - lines (ex: "# KICS_HELM_ID_") -*/ -func detectHelmLine(file *model.FileMetadata, searchKey string, logWithFields *zerolog.Logger, outputLines int) vulnerabilityLines { - text := strings.ReplaceAll(file.OriginalData, "\r", "") - lines := strings.Split(text, "\n") - curLineRes := detectCurlLine{ - foundRes: false, - lineRes: 0, - breakRes: false, - } - var extractedString [][]string - extractedString = getBracketValues(searchKey, extractedString, "") - sanitizedSubstring := searchKey - for idx, str := range extractedString { - sanitizedSubstring = strings.Replace(sanitizedSubstring, str[0], `{{`+strconv.Itoa(idx)+`}}`, -1) - } - - helmID, err := strconv.Atoi(strings.TrimSuffix(strings.TrimPrefix(file.HelmID, "# KICS_HELM_ID_"), ":")) - if err != nil { - helmID = -1 - } - - // Since we are only looking at keys we can ignore the second value passed through '=' and '[]' - for _, key := range strings.Split(sanitizedSubstring, ".") { - substr1, _ := generateSubstrings(key, extractedString) - curLineRes = curLineRes.detectCurrentLine(lines, fmt.Sprintf("%s:", substr1), "", true, file.IDInfo, helmID) - - if curLineRes.breakRes { - break - } - } - - // Look at dupHistory to see if the last element was duplicate, if so - // change the line to the last unique key - if !curLineRes.lastUnique.unique { - curLineRes.lineRes = curLineRes.lastUnique.lastUniqueLine - } - - if curLineRes.foundRes { - lineRemove := make(map[int]int) - count := 0 - for i, line := range lines { // Remove auxiliary lines - if strings.Contains(line, "# KICS_HELM_ID_") { - count++ - lineRemove[i] = count - lines = append(lines[:i], lines[i+1:]...) 
- } - } - // Update found line - curLineRes.lineRes = removeLines(curLineRes.lineRes, lineRemove) - return vulnerabilityLines{ - line: curLineRes.lineRes + 1, - vulnLine: getAdjacentLines(curLineRes.lineRes, outputLines, lines), - lineWithVulnerabilty: strings.Split(lines[curLineRes.lineRes], ": ")[0], - } - } - - logWithFields.Warn().Msgf("failed to detect line, query response %s", searchKey) - - return vulnerabilityLines{ - line: UndetectedVulnerabilityLine, - vulnLine: model.VulnLines{}, - } -} - -// removeLines is used to update the vulnerability line after removing the "# KICS_HELM_ID_" -func removeLines(current int, lineRemove map[int]int) int { - orderByKey := make([]int, len(lineRemove)) - i := 0 - for k := range lineRemove { - orderByKey[i] = k - i++ - } - remove := 0 - sort.Ints(orderByKey) - for _, k := range orderByKey { - if current > k { - remove = lineRemove[k] - } else { - break - } - } - current -= remove - return current -} - -func detectDockerLine(file *model.FileMetadata, searchKey string, logWithFields *zerolog.Logger, outputLines int) vulnerabilityLines { - text := strings.ReplaceAll(file.OriginalData, "\r", "") - lines := prepareDockerFileLines(text) - curLineRes := detectCurlLine{ - foundRes: false, - lineRes: 0, - breakRes: false, - } - var extractedString [][]string - extractedString = getBracketValues(searchKey, extractedString, "") - sKey := searchKey - for idx, str := range extractedString { - sKey = strings.Replace(sKey, str[0], `{{`+strconv.Itoa(idx)+`}}`, -1) - } - - for _, key := range strings.Split(sKey, ".") { - substr1, substr2 := generateSubstrings(key, extractedString) - - curLineRes = curLineRes.detectCurrentLine(lines, substr1, substr2, false, nil, -1) - - if curLineRes.breakRes { - break - } - } - - if curLineRes.foundRes { - return vulnerabilityLines{ - line: curLineRes.lineRes + 1, - vulnLine: getAdjacentLines(curLineRes.lineRes, outputLines, strings.Split(text, "\n")), - } - } - - logWithFields.Warn().Msgf("Failed to 
detect Docker line, query response %s", searchKey) - - return vulnerabilityLines{ - line: UndetectedVulnerabilityLine, - vulnLine: model.VulnLines{}, - } -} - -func detectLine(file *model.FileMetadata, searchKey string, logWithFields *zerolog.Logger, outputLines int) vulnerabilityLines { - text := strings.ReplaceAll(file.OriginalData, "\r", "") - lines := strings.Split(text, "\n") - curLineRes := detectCurlLine{ - foundRes: false, - lineRes: 0, - breakRes: false, - } - var extractedString [][]string - extractedString = getBracketValues(searchKey, extractedString, "") - sanitizedSubstring := searchKey - for idx, str := range extractedString { - sanitizedSubstring = strings.Replace(sanitizedSubstring, str[0], `{{`+strconv.Itoa(idx)+`}}`, -1) - } - - for _, key := range strings.Split(sanitizedSubstring, ".") { - substr1, substr2 := generateSubstrings(key, extractedString) - - curLineRes = curLineRes.detectCurrentLine(lines, substr1, substr2, false, nil, -1) - - if curLineRes.breakRes { - break - } - } - - if curLineRes.foundRes { - return vulnerabilityLines{ - line: curLineRes.lineRes + 1, - vulnLine: getAdjacentLines(curLineRes.lineRes, outputLines, lines), - lineWithVulnerabilty: lines[curLineRes.lineRes], - } - } - - logWithFields.Warn().Msgf("Failed to detect line, query response %s", searchKey) - - return vulnerabilityLines{ - line: UndetectedVulnerabilityLine, - vulnLine: model.VulnLines{}, - } -} - -// getAdjacent is used to get the lines adjecent to the line that contains the vulnerability -// adj is the amount of lines wanted -func getAdjacentLines(idx, adj int, lines []string) model.VulnLines { - var endPos int - var startPos int - if adj <= len(lines) { - endPos = idx + adj/2 + 1 // if adj lines passes the number of lines in file - if len(lines) < endPos { - endPos = len(lines) - } - startAdj := adj - if adj%2 == 0 { - startAdj-- - } - - startPos = idx - startAdj/2 // if adj lines passes the first line in the file - if startPos < 0 { - startPos = 0 - } - } 
else { // in case adj is bigger than number of lines in file - adj = len(lines) - endPos = len(lines) - startPos = 0 - } - - switch idx { - case 0: - return model.VulnLines{ // case vulnerability is the first line of the file - Positions: generatePosArr(adj, 1), - Lines: lines[:adj], - } - case len(lines) - 1: // case vulnerability is the last line of the file - return model.VulnLines{ - Positions: generatePosArr(adj, startPos+1), - Lines: lines[len(lines)-adj:], - } - default: - return model.VulnLines{ // case vulnerability is in the midle of the file - Positions: generatePosArr(adj, startPos+1), - Lines: lines[startPos:endPos], - } - } -} - -// generatePosArr is the function that will generate the array that contains the lines numbers -// used to alter the color of the line that contains the vulnerability -func generatePosArr(adj, start int) []int { - posArr := make([]int, adj) - for i := 0; i < adj; i++ { - posArr[i] = start - start++ - } - return posArr -} - -func generateSubstrings(key string, extractedString [][]string) (substr1Res, substr2Res string) { - var substr1, substr2 string - if parts := nameRegex.FindStringSubmatch(key); len(parts) == namePartsLength { - substr1, substr2 = getKeyWithCurlyBrackets(key, extractedString, parts) - } else if parts := strings.Split(key, "="); len(parts) == valuePartsLength { - substr1, substr2 = getKeyWithCurlyBrackets(key, extractedString, parts) - } else { - parts := []string{key, ""} - substr1, substr2 = getKeyWithCurlyBrackets(key, extractedString, parts) - } - return substr1, substr2 -} - -func selectLineWithMinimumDistance(distances map[int]int, startingFrom int) int { - minDistance, lineOfMinDistance := 1000000000000, startingFrom - for line, distance := range distances { - if distance < minDistance || distance == minDistance && line < lineOfMinDistance { - minDistance = distance - lineOfMinDistance = line - } - } - - return lineOfMinDistance -} - -func extractLineFragment(line, substr string, key bool) string { - 
// If detecting line by keys only - if key { - return line[:strings.Index(line, ":")] - } - start := strings.Index(line, substr) - end := start + len(substr) - - for start >= 0 { - if line[start] == ' ' { - break - } - - start-- - } - - for end < len(line) { - if line[end] == ' ' { - break - } - - end++ - } - - result := line[start+1 : end] - // workaround for selecting yaml keys - if result[len(result)-1] == ':' { - end-- - } - return line[start+1 : end] -} - func mustMapKeyToString(m map[string]interface{}, key string) *string { res, err := mapKeyToString(m, key, true) if err != nil && key != "value" { 
@@ -528,147 +209,3 @@ func ptrStringToString(v *string) string { } return *v } - -func getKeyWithCurlyBrackets(key string, extractedString [][]string, parts []string) (substr1Res, substr2Res string) { - var substr1, substr2 string - extractedPart := nameRegexDocker.FindStringSubmatch(key) - if len(extractedPart) == valuePartsLength { - for idx, key := range parts { - if extractedPart[0] == key { - switch idx { - case (len(parts) - 2): - i, _ := strconv.Atoi(extractedPart[1]) - substr1 = extractedString[i][1] - case len(parts) - 1: - i, _ := strconv.Atoi(extractedPart[1]) - substr2 = extractedString[i][1] - } - } else { - substr1 = generateSubstr(substr1, parts, 2) - substr2 = generateSubstr(substr2, parts, 1) - } - } - } else { - substr1 = parts[len(parts)-2] - substr2 = parts[len(parts)-1] - } - - return substr1, substr2 -} - -func generateSubstr(substr string, parts []string, leng int) string { - if substr == "" { - substr = parts[len(parts)-leng] - } - return substr -} - -func prepareDockerFileLines(text string) []string { - textSplit := strings.Split(text, "\n") - for idx, key := range textSplit { - textSplit[idx] = multiLineSpliter(textSplit, key, idx) - } - return textSplit -} - -func (d detectCurlLine) detectCurrentLine(lines []string, str1, - str2 string, byKey bool, idInfo map[int]interface{}, id int) detectCurlLine { - distances := make(map[int]int) - for i := d.lineRes; i < len(lines); i++ { - if str1 != "" && str2 != "" { - if strings.Contains(lines[i], str1) && strings.Contains(lines[i], str2) { - distances[i] = levenshtein.ComputeDistance(extractLineFragment(lines[i], str2, byKey), str2) - } - } else if str1 != "" { - if strings.Contains(lines[i], str1) { - distances[i] = levenshtein.ComputeDistance(extractLineFragment(strings.TrimSpace(lines[i]), str1, byKey), str1) - } - } - } - - lastSingle := d.lastUnique.lastUniqueLine - - if len(distances) == 0 { - return detectCurlLine{ - foundRes: d.foundRes, - lineRes: d.lineRes, - breakRes: true, - 
lastUnique: dupHistory{ - lastUniqueLine: lastSingle, - unique: d.lastUnique.unique, - }, - } - } - - lineResponse := selectLineWithMinimumDistance(distances, d.lineRes) - // if lineResponse is unique - unique := detectLastSingle(lineResponse, distances, idInfo, id) - if unique { - lastSingle = lineResponse - } - - return detectCurlLine{ - foundRes: true, - lineRes: lineResponse, - breakRes: false, - lastUnique: dupHistory{ - unique: unique, - lastUniqueLine: lastSingle, - }, - } -} - -// detectLastSingle checks if the line is unique or a duplicate -func detectLastSingle(line int, dis map[int]int, idInfo map[int]interface{}, id int) bool { - if idInfo == nil { - return true - } - for key, value := range dis { - if value == dis[line] && key != line { - // check if we are only looking at original data equivalent to the vulnerability - if ok := idInfo[id].(map[int]int)[key]; ok != 0 { - return false - } - } - } - return true -} - -func multiLineSpliter(textSplit []string, key string, idx int) string { - if nameRegexDockerFileML.MatchString(key) { - i := idx + 1 - for textSplit[i] == "" { - i++ - } - textSplit[idx] = strings.ReplaceAll(textSplit[idx], " \\", " "+textSplit[i]) - textSplit[i] = "" - textSplit[idx] = multiLineSpliter(textSplit, textSplit[idx], idx) - } - return textSplit[idx] -} - -// getBracketValues gets values inside "{{ }}" ignoring any "{{" or "}}" inside -func getBracketValues(expr string, list [][]string, restOfString string) [][]string { - var tempList []string - firstOpen := strings.Index(expr, "{{") - firstClose := strings.Index(expr, "}}") - switchVal := firstClose - firstOpen - if switchVal == 0 { // if there is no "{{" and no "}}" - if expr != "" { - tempList = append(tempList, fmt.Sprintf("{{%s}}", expr), expr) - list = append(list, tempList) - } - if restOfString == "" { - return list // if there is no more string to read from return value of list - } - list = getBracketValues(restOfString, list, "") // recursive call to the rest of the 
string - } else if switchVal > 0 { // if the position of the first "}}" is bigger than than the position of "{{" - list = getBracketValues(expr[firstOpen+2:firstClose], list, expr[firstClose+2:]) // recursive with the value inside of curly brackets - } else { // if the position of the first "{{" is bigger than than the position of "}}" - nextClose := strings.Index(restOfString, "}}") - tempList = append(tempList, fmt.Sprintf("{{%s%s}}", expr, restOfString[nextClose:]), fmt.Sprintf("%s%s", expr, restOfString[nextClose:])) - list = append(list, tempList) - list = getBracketValues(restOfString[nextClose+2:], list, "") // recursive call to the rest of the string - } - return list -} diff --git a/pkg/engine/vulnerability_builder_test.go b/pkg/engine/vulnerability_builder_test.go index f27d4947466..95f3b31b6a7 100644 --- a/pkg/engine/vulnerability_builder_test.go +++ b/pkg/engine/vulnerability_builder_test.go 
@@ -6,174 +6,11 @@ import ( "testing" "github.com/Checkmarx/kics/internal/tracker" + "github.com/Checkmarx/kics/pkg/detector" "github.com/Checkmarx/kics/pkg/model" - "github.com/Checkmarx/kics/test" - "github.com/rs/zerolog" "github.com/stretchr/testify/require" ) -// TestDetectDockerLine tests the functions [DetectDockerLine()] and all the methods called by them -func TestDetectDockerLine(t *testing.T) { //nolint - testCases := []struct { - expected vulnerabilityLines - searchKey string - ctx *QueryContext - file *model.FileMetadata - }{ - { - expected: vulnerabilityLines{ - line: 10, - vulnLine: model.VulnLines{ - Positions: []int{9, 10, 11}, - Lines: []string{ - "RUN apk update", - "RUN apk update && apk upgrade && apk add kubectl=1.20.0-r0 \\", - "\t&& rm -rf /var/cache/apk/*", - }, - }, - }, - searchKey: "FROM={{alpine:3.9}}.RUN={{apk update && apk upgrade && apk add kubectl=1.20.0-r0 \u0026\u0026 rm -rf /var/cache/apk/*}}", - ctx: &QueryContext{ - scanID: "Test2", - }, - file: &model.FileMetadata{ - ScanID: "Test2", - ID: "Test2", - Kind: model.KindDOCKER, - OriginalData: `FROM alpine:3.7 -RUN apk update \ - && apk upgrade \ - && apk add kubectl=1.20.0-r0 \ - && rm -rf /var/cache/apk/* -ENTRYPOINT ["kubectl"] - -FROM alpine:3.9 -RUN apk update -RUN apk update && apk upgrade && apk add kubectl=1.20.0-r0 \ - && rm -rf /var/cache/apk/* -ENTRYPOINT ["kubectl"] -`, - }, - }, - { - expected: vulnerabilityLines{ - line: 17, - vulnLine: model.VulnLines{ - Positions: []int{16, 17, 18}, - Lines: []string{ - "ARG JAR_FILE", - "ADD ${JAR_FILE} apps.jar", - "", - }, - }, - }, - searchKey: "FROM=openjdk:11-jdk.{{ADD ${JAR_FILE} apps.jar}}", - ctx: &QueryContext{ - scanID: "Test3", - }, - file: &model.FileMetadata{ - ScanID: "Test3", - ID: "Test3", - Kind: model.KindDOCKER, - OriginalData: `FROM openjdk:10-jdk -VOLUME /tmp -ADD http://source.file/package.file.tar.gz /temp -RUN tar -xjf /temp/package.file.tar.gz \ - && make -C /tmp/package.file \ - && rm /tmp/ 
package.file.tar.gz -ARG JAR_FILE -ADD ${JAR_FILE} app.jar - -FROM openjdk:11-jdk -VOLUME /tmp -ADD http://source.file/package.file.tar.gz /temp -RUN tar -xjf /temp/package.file.tar.gz \ - && make -C /tmp/package.file \ - && rm /tmp/ package.file.tar.gz -ARG JAR_FILE -ADD ${JAR_FILE} apps.jar -`, - }, - }, - { - expected: vulnerabilityLines{ - line: 6, - vulnLine: model.VulnLines{ - Positions: []int{5, 6, 7}, - Lines: []string{ - ` && apk add kubectl=1.20.0-r0 \`, - " && rm -rf /var/cache/apk/*", - `ENTRYPOINT ["kubectl"]`, - }, - }, - }, - searchKey: "FROM={{alpine:3.7}}.ENTRYPOINT[kubectl]", - ctx: &QueryContext{ - scanID: "Test", - }, - file: &model.FileMetadata{ - ScanID: "Test", - ID: "Test", - Kind: model.KindDOCKER, - OriginalData: `FROM alpine:3.7 -RUN apk update \ - && apk upgrade \ - && apk add kubectl=1.20.0-r0 \ - && rm -rf /var/cache/apk/* -ENTRYPOINT ["kubectl"]`, - }, - }, - } - - for i, testCase := range testCases { - t.Run(fmt.Sprintf("detectDockerLine-%d", i), func(t *testing.T) { - v := detectDockerLine(testCase.file, testCase.searchKey, &zerolog.Logger{}, 3) - require.Equal(t, testCase.expected, v) - }) - } -} - -// TestSelectLineWithMinimumDistance tests the functions [SelectLineWithMinimumDistance()] and all the methods called by them -func TestSelectLineWithMinimumDistance(t *testing.T) { - values := []struct { - distances map[int]int - startingFrom int - expectedResult int - }{ - { - distances: map[int]int{ - 12: 0, - }, - startingFrom: 0, - expectedResult: 12, - }, - { - distances: map[int]int{ - 12: 0, - 24: 0, - }, - startingFrom: 11, - expectedResult: 12, - }, - { - distances: map[int]int{ - 1: 26, - 2: 5, - 3: 0, - }, - startingFrom: 1, - expectedResult: 3, - }, - } - - for i, testCase := range values { - t.Run(fmt.Sprintf("selectLineWithMinimumDistance-%d", i), func(t *testing.T) { - v := selectLineWithMinimumDistance(testCase.distances, testCase.startingFrom) - require.Equal(t, testCase.expectedResult, v) - }) - } -} - // 
TestMapKeyToString tests the functions [MapKeyToString()] and all the methods called by them func TestMapKeyToString(t *testing.T) { testCases := []struct { 
@@ -267,135 +104,6 @@ func Test_mergeWithMetadata(t *testing.T) { } } -// Test_detectLine tests the functions [detectLine()] and all the methods called by them -func Test_detectLine(t *testing.T) { //nolint - type args struct { - ctx *QueryContext - file *model.FileMetadata - searchKey string - } - tests := []struct { - name string - args args - want vulnerabilityLines - }{ - { - name: "detect_line", - args: args{ - ctx: &QueryContext{ - scanID: "scanID", - }, - file: &model.FileMetadata{ - ScanID: "scanID", - ID: "Test", - Kind: model.KindTerraform, - OriginalData: `resource "aws_s3_bucket" "b" { - bucket = "my-tf-test-bucket" - acl = "authenticated-read" - - tags = { - Name = "My bucket" - Environment = "Dev" - } - } - `, - }, - searchKey: "aws_s3_bucket[b].acl", - }, - want: vulnerabilityLines{ - line: 3, - vulnLine: model.VulnLines{ - Positions: []int{2, 3, 4}, - Lines: []string{ - ` bucket = "my-tf-test-bucket"`, - ` acl = "authenticated-read"`, - "", - }, - }, - lineWithVulnerabilty: "\t\t\t\t\t\tacl = \"authenticated-read\"", - }, - }, - { - name: "detect_line_with_curly_brackets", - args: args{ - ctx: &QueryContext{ - scanID: "scanID", - }, - file: &model.FileMetadata{ - ScanID: "scanID", - ID: "Test", - Kind: model.KindTerraform, - OriginalData: `resource "aws_s3_bucket" "b" { - bucket = "my-tf-test-bucket" - acl = "authenticated-read" - - tags = { - Name = "My bucket" - Environment = "Dev.123" - Environment = "test" - } - } - `, - }, - searchKey: "aws_s3_bucket[b].Environment={{Dev.123}}", - }, - want: vulnerabilityLines{ - line: 7, - vulnLine: model.VulnLines{ - Positions: []int{6, 7, 8}, - Lines: []string{ - ` Name = "My bucket"`, - ` Environment = "Dev.123"`, - ` Environment = "test"`, - }, - }, - lineWithVulnerabilty: "\t\t\t\t\t\t Environment = \"Dev.123\"", - }, - }, - { - name: "detect_line_error", - args: args{ - ctx: &QueryContext{ - scanID: "scanID", - }, - file: &model.FileMetadata{ - ScanID: "scanID", - ID: "Test", - Kind: model.KindTerraform, 
- OriginalData: `resource "aws_s3_bucket" "b" { - bucket = "my-tf-test-bucket" - acl = "authenticated-read" - - tags = { - Name = "My bucket" - Environment = "Dev.123" - Environment = "test" - } - } - `, - }, - searchKey: "testing.error", - }, - want: vulnerabilityLines{ - line: -1, - vulnLine: model.VulnLines{}, - }, - }, - } - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - got := detectLine(tt.args.file, tt.args.searchKey, &zerolog.Logger{}, 3) - gotStrVulnerabilities, err := test.StringifyStruct(got) - require.Nil(t, err) - wantStrVulnerabilities, err := test.StringifyStruct(tt.want) - require.Nil(t, err) - if !reflect.DeepEqual(gotStrVulnerabilities, wantStrVulnerabilities) { - t.Errorf("detectLine() = %v, want %v", gotStrVulnerabilities, wantStrVulnerabilities) - } - }) - } -} - // Test_mustMapKeyToString tests the functions [mustMapKeyToString()] and all the methods called by them func Test_mustMapKeyToString(t *testing.T) { type args struct { @@ -515,6 +223,7 @@ func TestDefaultVulnerabilityBuilder(t *testing.T) { QueryURI: "https://github.com/Checkmarx/kics/", Severity: model.SeverityInfo, Line: -1, + VulnLines: []model.CodeLine{}, IssueType: "IncorrectValue", SearchKey: "testSearchKey", KeyActualValue: "", @@ -527,8 +236,9 @@ func TestDefaultVulnerabilityBuilder(t *testing.T) { } for _, tt := range tests { + insDetector := detector.NewDetectLine(3) t.Run(tt.name, func(t *testing.T) { - got, err := DefaultVulnerabilityBuilder(tt.args.ctx, tt.args.tracker, tt.args.v) + got, err := DefaultVulnerabilityBuilder(tt.args.ctx, tt.args.tracker, tt.args.v, insDetector) if (err != nil) != tt.wantErr { t.Errorf("DefaultVulnerabilityBuilder() error = %v, wantErr %v", err, tt.wantErr) return 
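Review bot: `insDetector := detector.NewDetectLine(3)` sits inside `for _, tt := range tests {` but does not depend on `tt`, so a fresh detector is built for every case while its only use is inside `t.Run`, and the literal `3` (presumably the number of context lines reported) is unexplained. Either hoist the construction above the loop or move it next to its use, and name the value, e.g. `const outputLines = 3` and `insDetector := detector.NewDetectLine(outputLines)`. TestDefaultVulnerabilityBuilder starts and ends outside this hunk.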
@@ -539,427 +249,3 @@ func TestDefaultVulnerabilityBuilder(t *testing.T) { }) } } - -// TestGetBracketValues tests the functions [getBracketValues()] and all the methods called by them -func TestGetBracketValues(t *testing.T) { - type args struct { - expr string - } - tests := []struct { - name string - args args - want [][]string - }{ - { - name: "no_brackets", - args: args{ - expr: "password", - }, - want: [][]string{ - { - "{{password}}", - "password", - }, - }, - }, - { - name: "single_brackets", - args: args{ - expr: "{{password}}", - }, - want: [][]string{ - { - "{{password}}", - "password", - }, - }, - }, - { - name: "double_brackets", - args: args{ - expr: "{{ {{password}} }}", - }, - want: [][]string{ - { - "{{ {{password}}}}", - " {{password}}", - }, - }, - }, - { - name: "multiple_brackets", - args: args{ - expr: "FROM={{open-jdk}}.{{ {{password}} }}", - }, - want: [][]string{ - { - "{{open-jdk}}", - "open-jdk", - }, - { - "{{ {{password}}}}", - " {{password}}", - }, - }, - }, - } - - for _, tt := range tests { - var got [][]string - t.Run(tt.name, func(t *testing.T) { - got = getBracketValues(tt.args.expr, got, "") - if !reflect.DeepEqual(got, tt.want) { - t.Errorf("DefaultVulnerabilityBuilder() = %v, want %v", got, tt.want) - } - }) - } -} - -// TestGetAdjacents tests the functions [GetAdjacents()] and all the methods called by them -func TestGetAdjacents(t *testing.T) { //nolint - type args struct { - idx int - adj int - lines []string - } - tests := []struct { - name string - args args - want model.VulnLines - }{ - { - name: "test_start_of_file", - args: args{ - idx: 0, - adj: 3, - lines: []string{ - "firstline", - "secondline", - "thirdline", - "forthline", - }, - }, - want: model.VulnLines{ - Positions: []int{1, 2, 3}, - Lines: []string{ - "firstline", - "secondline", - "thirdline", - }, - }, - }, - { - name: "test_end_of_file", - args: args{ - idx: 3, - adj: 3, - lines: []string{ - "firstline", - "secondline", - "thirdline", - "forthline", - }, - 
}, - want: model.VulnLines{ - Positions: []int{3, 4, 5}, - Lines: []string{ - "secondline", - "thirdline", - "forthline", - }, - }, - }, - { - name: "test_midle_of_file", - args: args{ - idx: 1, - adj: 3, - lines: []string{ - "firstline", - "secondline", - "thirdline", - "forthline", - }, - }, - want: model.VulnLines{ - Positions: []int{1, 2, 3}, - Lines: []string{ - "firstline", - "secondline", - "thirdline", - }, - }, - }, - { - name: "test_even_adj", - args: args{ - idx: 1, - adj: 2, - lines: []string{ - "firstline", - "secondline", - "thirdline", - "forthline", - }, - }, - want: model.VulnLines{ - Positions: []int{2, 3}, - Lines: []string{ - "secondline", - "thirdline", - }, - }, - }, - { - name: "test_even_adj_first_line", - args: args{ - idx: 0, - adj: 2, - lines: []string{ - "firstline", - "secondline", - "thirdline", - "forthline", - }, - }, - want: model.VulnLines{ - Positions: []int{1, 2}, - Lines: []string{ - "firstline", - "secondline", - }, - }, - }, - { - name: "test_one_adj", - args: args{ - idx: 3, - adj: 1, - lines: []string{ - "firstline", - "secondline", - "thirdline", - "forthline", - }, - }, - want: model.VulnLines{ - Positions: []int{4}, - Lines: []string{ - "forthline", - }, - }, - }, - { - name: "test_adj_bigger_than_file", - args: args{ - idx: 3, - adj: 5, - lines: []string{ - "firstline", - "secondline", - "thirdline", - "forthline", - }, - }, - want: model.VulnLines{ - Positions: []int{1, 2, 3, 4}, - Lines: []string{ - "firstline", - "secondline", - "thirdline", - "forthline", - }, - }, - }, - } - - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - got := getAdjacentLines(tt.args.idx, tt.args.adj, tt.args.lines) - gotStrVulnerabilities, err := test.StringifyStruct(got) - require.Nil(t, err) - wantStrVulnerabilities, err := test.StringifyStruct(tt.want) - require.Nil(t, err) - if !reflect.DeepEqual(gotStrVulnerabilities, wantStrVulnerabilities) { - t.Errorf("getAdjacents() = %v, want = %v", gotStrVulnerabilities, 
wantStrVulnerabilities) - } - }) - } -} - -func TestEngine_detectHelmLine(t *testing.T) { //nolint - type args struct { - file *model.FileMetadata - searchKey string - logWithFields *zerolog.Logger - outputLines int - } - - tests := []struct { - name string - args args - want vulnerabilityLines - }{ - { - name: "test_detect_helm_line", - args: args{ - file: &model.FileMetadata{ - ID: "1", - ScanID: "console", - Document: model.Document{}, - Kind: model.KindHELM, - FileName: "test-connection.yaml", - HelmID: "# KICS_HELM_ID_0", - OriginalData: `# KICS_HELM_ID_0: -apiVersion: v1 -kind: Pod -metadata: - name: "{{ include "test_helm.fullname" . }}-test-connection" - labels: - {{- include "test_helm.labels" . | nindent 4 }} - annotations: - "helm.sh/hook": test -spec: - containers: - - name: wget - image: busybox - command: ['wget'] - args: ['{{ include "test_helm.fullname" . }}:{{ .Values.service.port }}'] - restartPolicy: Never -`, - Content: ``, - }, - searchKey: "KICS_HELM_ID_0.metadata.name={{RELEASE-NAME-test_helm-test-connection}}.spec.containers", - logWithFields: &zerolog.Logger{}, - outputLines: 1, - }, - want: vulnerabilityLines{ - line: 10, - vulnLine: model.VulnLines{ - Positions: []int{10}, - Lines: []string{" containers:"}, - }, - lineWithVulnerabilty: " containers:", - }, - }, - { - name: "test_dup_values", - args: args{ - file: &model.FileMetadata{ - ID: "1", - ScanID: "console", - Document: model.Document{}, - Kind: model.KindHELM, - FileName: "test-dup_values.yaml", - IDInfo: map[int]interface{}{0: map[int]int{0: 0, 1: 1, 2: 2, 3: 3, 4: 4, - 5: 5, 6: 6, 7: 7, 8: 8, 9: 9, 10: 10, 11: 11, 12: 12, 13: 13, 14: 14, 15: 15, 16: 16, 17: 17, - 18: 18, 19: 19, 21: 21, 22: 22}}, - HelmID: "# KICS_HELM_ID_0", - OriginalData: `# KICS_HELM_ID_0: -apiVersion: v1 -kind: Pod -metadata: - name: "{{ include "test_helm.fullname" . }}-test-connection" - labels: - {{- include "test_helm.labels" . 
| nindent 4 }} - annotations: - "helm.sh/hook": test -spec: - containers: - - name: wget - image: busybox - command: ['wget'] - args: ['{{ include "test_helm.fullname" . }}:{{ .Values.service.port }}'] - restartPolicy: Never - containers: - - name: wget2 - image: busybox - command: ['wget'] - args: ['{{ include "test_helm.fullname" . }}:{{ .Values.service.port }}'] - restartPolicy: Never -`, - Content: ``, - }, - searchKey: "KICS_HELM_ID_0.metadata.name={{RELEASE-NAME-test_helm-test-connection}}.spec.containers", - logWithFields: &zerolog.Logger{}, - outputLines: 1, - }, - want: vulnerabilityLines{ - line: 9, - vulnLine: model.VulnLines{ - Positions: []int{9}, - Lines: []string{"spec:"}, - }, - lineWithVulnerabilty: "spec:", - }, - }, - { - name: "test_detect_helm_with_dups", - args: args{ - file: &model.FileMetadata{ - ID: "1", - ScanID: "console", - Document: model.Document{}, - Kind: model.KindHELM, - FileName: "test-dups.yaml", - HelmID: "# KICS_HELM_ID_1", - OriginalData: `# KICS_HELM_ID_0: -apiVersion: v1 -kind: Pod -metadata: - name: "{{ include "test_helm.fullname" . }}-test-connection" - labels: - {{- include "test_helm.labels" . | nindent 4 }} - annotations: - "helm.sh/hook": test -spec: - containers: - - name: wget - image: busybox - command: ['wget'] - args: ['{{ include "test_helm.fullname" . }}:{{ .Values.service.port }}'] - restartPolicy: Never ---- -# KICS_HELM_ID_1: -apiVersion: v1 -kind: Pod -metadata: - name: "{{ include "test_helm.fullname" . }}-test-dups" - labels: - {{- include "test_helm.labels" . | nindent 4 }} - annotations: - "helm.sh/hook": test -spec: - containers: - - name: wget - image: busybox - command: ['wget'] - args: ['{{ include "test_helm.fullname" . 
}}:{{ .Values.service.port }}'] - restartPolicy: Never -`, - Content: ``, - }, - searchKey: "KICS_HELM_ID_1.metadata.name={{RELEASE-NAME-test_helm-test-connection}}.spec.containers", - logWithFields: &zerolog.Logger{}, - outputLines: 1, - }, - want: vulnerabilityLines{ - line: 26, - vulnLine: model.VulnLines{ - Positions: []int{26}, - Lines: []string{" containers:"}, - }, - lineWithVulnerabilty: " containers:", - }, - }, - } - - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - got := detectHelmLine(tt.args.file, tt.args.searchKey, tt.args.logWithFields, tt.args.outputLines) - if !reflect.DeepEqual(got, tt.want) { - t.Errorf("detectHelmLine() = %v, want = %v", got, tt.want) - } - }) - } -} diff --git a/pkg/kics/resolver_sink.go b/pkg/kics/resolver_sink.go new file mode 100644 index 00000000000..aac55228396 --- /dev/null +++ b/pkg/kics/resolver_sink.go 
@@ -0,0 +1,52 @@
+package kics
+
+import (
+ "context"
+ "encoding/json"
+
+ "github.com/Checkmarx/kics/pkg/model"
+ "github.com/getsentry/sentry-go"
+ "github.com/google/uuid"
+ "github.com/pkg/errors"
+ "github.com/rs/zerolog/log"
+)
+
+func (s *Service) resolverSink(ctx context.Context, filename, scanID string) error {
+ s.Tracker.TrackFileFound()
+ kind := s.Resolver.GetType(filename)
+ if kind == model.KindCOMMON {
+ return nil
+ }
+ resFiles, err := s.Resolver.Resolve(filename, kind)
+ if err != nil {
+ return errors.Wrap(err, "failed to render file content")
+ }
+ for _, rfile := range resFiles.File {
+ documents, _, err := s.Parser.Parse(rfile.FileName, rfile.Content)
+ if err != nil {
+ return errors.Wrap(err, "failed to parse file content")
+ }
+ for _, document := range documents {
+ _, err = json.Marshal(document)
+ if err != nil {
+ sentry.CaptureException(err)
+ log.Err(err).Msgf("failed to marshal content in file: %s", rfile.FileName)
+ continue
+ }
+
+ file := model.FileMetadata{
+ ID: uuid.New().String(),
+ ScanID: scanID,
+ Document: document,
+ OriginalData: string(rfile.OriginalData),
+ Kind: kind,
+ FileName: rfile.FileName,
+ Content: string(rfile.Content),
+ HelmID: rfile.SplitID,
+ IDInfo: rfile.IDInfo,
+ }
+ s.saveToFile(ctx, &file)
+ }
+ }
+ return nil
+}
diff --git a/pkg/kics/service.go b/pkg/kics/service.go
index 21e9d13d434..b7fac6639c3 100644
--- a/pkg/kics/service.go
+++ b/pkg/kics/service.go
@@ -2,7 +2,6 @@ package kics
 
 import (
 "context"
- "encoding/json"
 "io"
 
 "github.com/Checkmarx/kics/pkg/engine"
@@ -10,8 +9,6 @@ import (
 "github.com/Checkmarx/kics/pkg/model"
 "github.com/Checkmarx/kics/pkg/parser"
 "github.com/Checkmarx/kics/pkg/resolver"
- "github.com/getsentry/sentry-go"
- "github.com/google/uuid"
 "github.com/pkg/errors"
 "github.com/rs/zerolog/log"
 )
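Review bot: resolverSink has no doc comment although it is the whole content of a new file and its contract (which files it handles, why `model.KindCOMMON` returns nil without an error) is only recoverable from the body; a header such as `// resolverSink is the GetSources sink for files owned by the Resolver (templates): it skips KindCOMMON, resolves the file, parses every rendered document and stores each one through saveToFile.` would make the split out of StartScan readable. The discarded `_, err = json.Marshal(document)` also needs a one-line why-comment, since a reader will otherwise take it for a leftover: `// marshal only to verify the document is serialisable; on failure the document is logged and skipped`. The inner `documents, _, err :=` shadows the `err` declared by the Resolve call, which is harmless as written but easy to trip over if the loop grows.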
@@ -46,92 +43,26 @@ type Service struct {
 Inspector *engine.Inspector
 Tracker Tracker
 Resolver *resolver.Resolver
+ files model.FileMetadatas
 }
 // StartScan executes scan over the context, using the scanID as reference
 func (s *Service) StartScan(ctx context.Context, scanID string, hideProgress bool) error {
 log.Debug().Msg("service.StartScan()")
- var files model.FileMetadatas
 if err := s.SourceProvider.GetSources(
 ctx,
 s.Parser.SupportedExtensions(),
 func(ctx context.Context, filename string, rc io.ReadCloser) error {
- s.Tracker.TrackFileFound()
-
- content, err := getContent(rc)
- if err != nil {
- return errors.Wrapf(err, "failed to get file content: %s", filename)
- }
-
- documents, kind, err := s.Parser.Parse(filename, *content)
- if err != nil {
- return errors.Wrap(err, "failed to parse file content")
- }
- for _, document := range documents {
- _, err = json.Marshal(document)
- if err != nil {
- sentry.CaptureException(err)
- log.Err(err).Msgf("failed to marshal content in file: %s", filename)
- continue
- }
-
- file := model.FileMetadata{
- ID: uuid.New().String(),
- ScanID: scanID,
- Document: document,
- OriginalData: string(*content),
- Kind: kind,
- FileName: filename,
- }
- files = s.saveToFile(ctx, &file, files)
- }
-
- return errors.Wrap(err, "failed to save file content")
+ return s.sink(ctx, filename, scanID, rc)
 },
 func(ctx context.Context, filename string) error { // Sink used for resolver files and templates
- s.Tracker.TrackFileFound()
- kind := s.Resolver.GetType(filename)
- if kind == model.KindCOMMON {
- return nil
- }
- resFiles, err := s.Resolver.Resolve(filename, kind)
- if err != nil {
- return errors.Wrap(err, "failed to render file content")
- }
- for _, rfile := range resFiles.File {
- documents, _, err := s.Parser.Parse(rfile.FileName, rfile.Content)
- if err != nil {
- return errors.Wrap(err, "failed to parse file content")
- }
- for _, document := range documents {
- _, err = json.Marshal(document)
- if err != nil {
- sentry.CaptureException(err)
- log.Err(err).Msgf("failed to marshal content in file: %s", rfile.FileName)
- continue
- }
-
- file := model.FileMetadata{
- ID: uuid.New().String(),
- ScanID: scanID,
- Document: document,
- OriginalData: string(rfile.OriginalData),
- Kind: kind,
- FileName: rfile.FileName,
- Content: string(rfile.Content),
- HelmID: rfile.SplitID,
- IDInfo: rfile.IDInfo,
- }
- files = s.saveToFile(ctx, &file, files)
- }
- }
- return nil
+ return s.resolverSink(ctx, filename, scanID)
 },
 ); err != nil {
 return errors.Wrap(err, "failed to read sources")
 }
- vulnerabilities, err := s.Inspector.Inspect(ctx, scanID, files, hideProgress, s.SourceProvider.GetBasePath())
+ vulnerabilities, err := s.Inspector.Inspect(ctx, scanID, s.files, hideProgress, s.SourceProvider.GetBasePath())
 if err != nil {
 return errors.Wrap(err, "failed to inspect files")
 }
@@ -177,11 +108,10 @@ func (s *Service) GetScanSummary(ctx context.Context, scanIDs []string) ([]model
 return s.Storage.GetScanSummary(ctx, scanIDs)
 }
-func (s *Service) saveToFile(ctx context.Context, file *model.FileMetadata, files model.FileMetadatas) model.FileMetadatas {
+func (s *Service) saveToFile(ctx context.Context, file *model.FileMetadata) {
 err := s.Storage.SaveFile(ctx, file)
 if err == nil {
- files = append(files, *file)
+ s.files = append(s.files, *file)
 s.Tracker.TrackFileParse()
 }
- return files
 }
diff --git a/pkg/kics/service_test.go b/pkg/kics/service_test.go
index dd229904448..b25a9ee1013 100644
--- a/pkg/kics/service_test.go
+++ b/pkg/kics/service_test.go
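Review bot: `s.files` is never reset in StartScan, so a Service on which StartScan is called more than once (the method takes a scanID, which suggests that is intended) will hand the previous scan's FileMetadata — still carrying the old ScanID — to `Inspector.Inspect` for the new one; the removed `var files model.FileMetadatas` gave each call a fresh slice. I would clear it before any source is read: `s.files = nil` directly after the `log.Debug().Msg("service.StartScan()")` line. If `GetSources` can invoke the two callbacks concurrently, which is not visible here, the shared slice also needs a mutex, since both sinks append to it through saveToFile.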
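Review bot: `saveToFile` still discards the error from `s.Storage.SaveFile` without a trace, and now that it returns nothing a caller cannot notice either; a file that fails to persist is silently left out of `s.files`, so it is never inspected and the found/parsed tracker counts drift apart with no log line. At minimum log it in an else branch, `log.Err(err).Msgf("failed to save file: %s", file.FileName)` (`log` is still imported in this file); better, return the error and let `sink`/`resolverSink` propagate it. The `s.files = append(s.files, *file)` line also mutates Service state from inside the GetSources callbacks, which is only safe if the provider calls them sequentially — worth a comment on the `files` field either way.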
@@ -16,11 +16,13 @@ import (
 jsonParser "github.com/Checkmarx/kics/pkg/parser/json"
 terraformParser "github.com/Checkmarx/kics/pkg/parser/terraform"
 yamlParser "github.com/Checkmarx/kics/pkg/parser/yaml"
+ "github.com/Checkmarx/kics/pkg/resolver"
+ "github.com/Checkmarx/kics/pkg/resolver/helm"
 )
 // TestService tests the functions [GetVulnerabilities(), GetScanSummary(),StartScan()] and all the methods called by them
 func TestService(t *testing.T) {
- mockParser, mockFilesSource := createParserSourceProvider("../../assets/queries/template")
+ mockParser, mockFilesSource, mockResolver := createParserSourceProvider("../../test/fixtures/test_helm")
 type fields struct {
 SourceProvider provider.SourceProvider
@@ -28,6 +30,7 @@ func TestService(t *testing.T) {
 Parser *parser.Parser
 Inspector *engine.Inspector
 Tracker Tracker
+ Resolver *resolver.Resolver
 }
 type args struct {
 ctx context.Context
@@ -53,6 +56,7 @@ func TestService(t *testing.T) {
 Tracker: &tracker.CITracker{},
 Storage: storage.NewMemoryStorage(),
 SourceProvider: mockFilesSource,
+ Resolver: mockResolver,
 },
 args: args{
 ctx: nil,
@@ -73,6 +77,7 @@ func TestService(t *testing.T) {
 Parser: tt.fields.Parser,
 Inspector: tt.fields.Inspector,
 Tracker: tt.fields.Tracker,
+ Resolver: tt.fields.Resolver,
 }
 t.Run(fmt.Sprintf(tt.name+"_get_vulnerabilities"), func(t *testing.T) {
 got, err := s.GetVulnerabilities(tt.args.ctx, tt.args.scanID)
@@ -102,7 +107,8 @@ func TestService(t *testing.T) {
 }
 }
-func createParserSourceProvider(path string) (*parser.Parser, *provider.FileSystemSourceProvider) {
+func createParserSourceProvider(path string) (*parser.Parser,
+ *provider.FileSystemSourceProvider, *resolver.Resolver) {
 mockParser, _ := parser.NewBuilder().
 Add(&jsonParser.Parser{}).
 Add(&yamlParser.Parser{}).
@@ -112,5 +118,7 @@ func createParserSourceProvider(path string) (*parser.Parser, *provider.FileSyst
 mockFilesSource, _ := provider.NewFileSystemSourceProvider(path, []string{})
- return mockParser, mockFilesSource
+ mockResolver, _ := resolver.NewBuilder().Add(&helm.Resolver{}).Build()
+
+ return mockParser, mockFilesSource, mockResolver
 }
diff --git a/pkg/kics/sink.go b/pkg/kics/sink.go
new file mode 100644
index 00000000000..76cb37d020a
--- /dev/null
+++ b/pkg/kics/sink.go
@@ -0,0 +1,47 @@
+package kics
+
+import (
+ "context"
+ "encoding/json"
+ "io"
+
+ "github.com/Checkmarx/kics/pkg/model"
+ "github.com/getsentry/sentry-go"
+ "github.com/google/uuid"
+ "github.com/pkg/errors"
+ "github.com/rs/zerolog/log"
+)
+
+func (s *Service) sink(ctx context.Context, filename, scanID string, rc io.Reader) error {
+ s.Tracker.TrackFileFound()
+
+ content, err := getContent(rc)
+ if err != nil {
+ return errors.Wrapf(err, "failed to get file content: %s", filename)
+ }
+
+ documents, kind, err := s.Parser.Parse(filename, *content)
+ if err != nil {
+ return errors.Wrap(err, "failed to parse file content")
+ }
+ for _, document := range documents {
+ _, err = json.Marshal(document)
+ if err != nil {
+ sentry.CaptureException(err)
+ log.Err(err).Msgf("failed to marshal content in file: %s", filename)
+ continue
+ }
+
+ file := model.FileMetadata{
+ ID: uuid.New().String(),
+ ScanID: scanID,
+ Document: document,
+ OriginalData: string(*content),
+ Kind: kind,
+ FileName: filename,
+ }
+ s.saveToFile(ctx, &file)
+ }
+
+ return errors.Wrap(err, "failed to save file content")
+}
diff --git a/pkg/model/model.go b/pkg/model/model.go
index 21ac11d5220..3c388a420a9 100644
--- a/pkg/model/model.go
+++ b/pkg/model/model.go
@@ -49,6 +49,13 @@ var (
 }
 )
+// VulnerabilityLines is the representation of the found line for issue
+type VulnerabilityLines struct {
+ Line int
+ VulnLines []CodeLine
+ LineWithVulnerabilty string
+}
+
 // FileKind is the extension of a file
 type FileKind string
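Review bot: The final `return errors.Wrap(err, "failed to save file content")` in the new `sink` never reports a save failure: `saveToFile` returns nothing, and `err` at that point is whatever the last `json.Marshal` in the loop left behind. So a file whose last document fails to marshal — which the loop explicitly skips with `continue` — aborts the whole scan with a misleading message, while every real `SaveFile` failure stays invisible; `resolverSink` in the same commit returns `nil` at the equivalent point. I would change that line to `return nil`, or make `saveToFile` return the storage error and propagate it here instead. The function also lacks a doc comment; I would add `// sink reads the content of rc via getContent, parses it into documents and stores each one via saveToFile; documents that cannot be marshalled to JSON are logged and skipped.`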
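Review bot: The new exported field `LineWithVulnerabilty` is misspelled (the second `i` is missing); since `VulnerabilityLines` is introduced by this commit it can still be renamed to `LineWithVulnerability` without breaking any caller, and the only other use of that spelling visible in the diff is the deleted test table. The doc comment `// VulnerabilityLines is the representation of the found line for issue` is also hard to parse; I would write `// VulnerabilityLines describes where a query matched: the matched line number, the text of that line, and the CodeLines captured around it for the report.` Whether the type is meant to be serialised (it carries no json tags, unlike Vulnerability) is not visible here and is worth stating in the comment.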
@@ -58,10 +65,10 @@ type Severity string
 // IssueType is the issue's type string representation
 type IssueType string
-// VulnLines is the lines containing and adjecent to the vulnerability line with their respective positions
-type VulnLines struct {
- Positions []int
- Lines []string
+// CodeLine is the lines containing and adjecent to the vulnerability line with their respective positions
+type CodeLine struct {
+ Position int
+ Line string
 }
 // FileMetadata is a representation of basic information and content of a file
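Review bot: The comment on the renamed type still describes the old plural `VulnLines` struct — `// CodeLine is the lines containing and adjecent to ...` — so it is now both a typo and wrong in number for a type that holds one `Position` and one `Line`. I would write `// CodeLine is a single line of scanned source as shown in a report: its line number in the file (Position) and its text (Line). A finding's VulnLines slice holds the vulnerable line together with the lines adjacent to it.` Note that the struct has no json tags while `Vulnerability.VulnLines` is tagged `json:"vulnLines"`, so the JSON report will now emit `Position`/`Line` keys inside a camelCase array; since this commit already changes the shape of that array, `json:"position"` and `json:"line"` would keep the output consistent.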
@@ -91,27 +98,27 @@ type QueryMetadata struct {
 // Vulnerability is a representation of a detected vulnerability in scanned files
 // after running a query
 type Vulnerability struct {
- ID int `json:"id"`
- ScanID string `db:"scan_id" json:"-"`
- SimilarityID string `db:"similarity_id" json:"similarityID"`
- FileID string `db:"file_id" json:"-"`
- FileName string `db:"file_name" json:"fileName"`
- QueryID string `db:"query_id" json:"queryID"`
- QueryName string `db:"query_name" json:"queryName"`
- QueryURI string `json:"-"`
- Category string `json:"category"`
- Description string `json:"description"`
- Platform string `db:"platform" json:"platform"`
- Severity Severity `json:"severity"`
- Line int `json:"line"`
- VulnLines VulnLines `json:"vulnLines"`
- IssueType IssueType `db:"issue_type" json:"issueType"`
- SearchKey string `db:"search_key" json:"searchKey"`
- SearchValue string `db:"search_value" json:"searchValue"`
- KeyExpectedValue string `db:"key_expected_value" json:"expectedValue"`
- KeyActualValue string `db:"key_actual_value" json:"actualValue"`
- Value *string `db:"value" json:"value"`
- Output string `json:"-"`
+ ID int `json:"id"`
+ ScanID string `db:"scan_id" json:"-"`
+ SimilarityID string `db:"similarity_id" json:"similarityID"`
+ FileID string `db:"file_id" json:"-"`
+ FileName string `db:"file_name" json:"fileName"`
+ QueryID string `db:"query_id" json:"queryID"`
+ QueryName string `db:"query_name" json:"queryName"`
+ QueryURI string `json:"-"`
+ Category string `json:"category"`
+ Description string `json:"description"`
+ Platform string `db:"platform" json:"platform"`
+ Severity Severity `json:"severity"`
+ Line int `json:"line"`
+ VulnLines []CodeLine `json:"vulnLines"`
+ IssueType IssueType `db:"issue_type" json:"issueType"`
+ SearchKey string `db:"search_key" json:"searchKey"`
+ SearchValue string `db:"search_value" json:"searchValue"`
+ KeyExpectedValue string `db:"key_expected_value" json:"expectedValue"`
+ KeyActualValue string `db:"key_actual_value" json:"actualValue"`
+ Value *string `db:"value" json:"value"`
+ Output string `json:"-"`
 }
 // QueryConfig is a struct that contains the fileKind and platform of the rego query
diff --git a/pkg/model/summary.go b/pkg/model/summary.go
index c7925815404..b0a0c4c02b9 100644
--- a/pkg/model/summary.go
+++ b/pkg/model/summary.go
@@ -15,16 +15,16 @@ type SeveritySummary struct {
 // VulnerableFile contains information of a vulnerable file and where the vulnerability was found
 type VulnerableFile struct {
- FileName string `json:"file_name"`
- SimilarityID string `json:"similarity_id"`
- Line int `json:"line"`
- VulnLines VulnLines `json:"-"`
- IssueType IssueType `json:"issue_type"`
- SearchKey string `json:"search_key"`
- SearchValue string `json:"search_value"`
- KeyExpectedValue string `json:"expected_value"`
- KeyActualValue string `json:"actual_value"`
- Value *string `json:"value"`
+ FileName string `json:"file_name"`
+ SimilarityID string `json:"similarity_id"`
+ Line int `json:"line"`
+ VulnLines []CodeLine `json:"-"`
+ IssueType IssueType `json:"issue_type"`
+ SearchKey string `json:"search_key"`
+ SearchValue string `json:"search_value"`
+ KeyExpectedValue string `json:"expected_value"`
+ KeyActualValue string `json:"actual_value"`
+ Value *string `json:"value"`
 }
 // VulnerableQuery contains a query that tested positive ID, name, severity and a list of files that tested vulnerable
diff --git a/pkg/report/template/html/report.tmpl b/pkg/report/template/html/report.tmpl
index 6d8b88337cc..56faca5014f 100644
--- a/pkg/report/template/html/report.tmpl
+++ b/pkg/report/template/html/report.tmpl
@@ -76,15 +76,10 @@ Found: {{ .KeyActualValue }}
- {{- with .VulnLines -}} - {{- $lines := .Lines -}} - {{- range $idx, $position := .Positions -}} -
- {{- if lt $idx (len $lines) -}} - {{ $position }}{{index $lines $idx | trimSpaces }} - {{- end -}} + {{- range .VulnLines -}} +
+ {{ .Position }}{{ trimSpaces .Line }}
- {{- end -}} {{- end}}
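Review bot: The new `{{ trimSpaces .Line }}` writes raw lines of the scanned files into the HTML report, and whether that is escaped depends on which template package the report code executes this file with, which is not visible in this diff: under `html/template` it is context-escaped, under `text/template` a scanned file containing `<script>` lands verbatim in an artefact people open in a browser. The old `{{index $lines $idx | trimSpaces}}` had the same exposure, so this is a check rather than a regression, but the assumption deserves to be written down at the top of the range, e.g. `{{/* .Line is untrusted file content; this template must be executed via html/template */}}`. The closing `{{- end}}` on the last line belongs to a construct opened before this hunk, and the HTML element markup around these actions appears to have been stripped from this view, so I cannot confirm the surrounding structure.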
diff --git a/pkg/resolver/helm/resolver.go b/pkg/resolver/helm/resolver.go
index d59f88f24ac..cb5b17e79fe 100644
--- a/pkg/resolver/helm/resolver.go
+++ b/pkg/resolver/helm/resolver.go
@@ -123,7 +123,7 @@ func updateName(template []*chart.File, charts *chart.Chart, name string) []*cha
 }
 // getIdMap will construct a map with ids with the corresponding lines as keys
-// for use in detectline
+// for use in detector
 func getIDMap(originalData []byte) (map[int]interface{}, error) {
 ids := make(map[int]interface{})
 mapLines := make(map[int]int)
diff --git a/test/queries_content_test.go b/test/queries_content_test.go
index 33c3fa63613..23b7ee7ba3a 100644
--- a/test/queries_content_test.go
+++ b/test/queries_content_test.go
@@ -13,6 +13,7 @@ import (
 "testing"
 "github.com/Checkmarx/kics/internal/tracker"
+ "github.com/Checkmarx/kics/pkg/detector"
 "github.com/Checkmarx/kics/pkg/engine"
 "github.com/Checkmarx/kics/pkg/engine/mock"
 "github.com/Checkmarx/kics/pkg/engine/source"
@@ -185,7 +186,7 @@ func testQueryHasGoodReturnParams(t *testing.T, entry queryEntry) {
 inspector, err := engine.NewInspector(
 ctx,
 queriesSource,
- func(ctx *engine.QueryContext, trk engine.Tracker, v interface{}) (model.Vulnerability, error) {
+ func(ctx *engine.QueryContext, trk engine.Tracker, v interface{}, detector *detector.DetectLine) (model.Vulnerability, error) {
 m, ok := v.(map[string]interface{})
 require.True(t, ok)