From 20dcb5c1e00c5923ce8ce9aae686142923085b19 Mon Sep 17 00:00:00 2001 From: ruigomescx Date: Wed, 10 Mar 2021 11:10:18 +0000 Subject: [PATCH 1/2] [create-pull-request] automated change --- docs/queries/ansible-queries.md | 236 +++++++++---------- docs/queries/cloudformation-queries.md | 212 ++++++++--------- docs/queries/dockerfile-queries.md | 48 ++-- docs/queries/kubernetes-queries.md | 74 +++--- docs/queries/terraform-queries.md | 302 ++++++++++++------------- 5 files changed, 436 insertions(+), 436 deletions(-) diff --git a/docs/queries/ansible-queries.md b/docs/queries/ansible-queries.md index 346aace5328..56c3c94ca9e 100644 --- a/docs/queries/ansible-queries.md +++ b/docs/queries/ansible-queries.md @@ -5,101 +5,101 @@ This page contains all queries from Ansible, classified by severity level. | Query |Category|Description|Help| |-----------------------------|---|---|---| -|Blob Container With Public Access
4d3817db-dd35-4de4-a80d-3867157e7f7f|Access Control|Anonymous, public read access to a container and its blobs are enabled in Azure Blob Storage|Documentation
| -|Trusted Microsoft Services Not Enabled
1bc398a8-d274-47de-a4c8-6ac867b353de|Access Control|Ensure Trusted Microsoft Services have Storage Account access.|Documentation
| -|AD Admin Not Configured For SQL Server
b176e927-bbe2-44a6-a9c3-041417137e5f|Access Control|The Active Directory Administrator is not configured for a SQL server|Documentation
| -|Admin User Is Enabled for Container Registry
29f35127-98e6-43af-8ec1-201b79f99604|Access Control|Admin user is enabled for Container Registry|Documentation
| -|Redis Entirely Accessible
0d0c12b9-edce-4510-9065-13f6a758750c|Access Control|Firewall rule allowing unrestricted access to Redis from the Internet|Documentation
| -|Public Storage Account
35e2f133-a395-40de-a79d-b260d973d1bd|Access Control|Check if 'network_acls' is open to public.|Documentation
| -|S3 Bucket Access Allowed All
3ab1f27d-52cc-4943-af1d-43c1939e739a|Access Control|Checks if the S3 bucket is accessible for all users|Documentation
| |ECS Task Definition Network Mode Not Recommended
01aec7c2-3e4d-4274-ae47-2b8fea22fd1f|Access Control|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations|Documentation
| -|All Auth Users Get Read Access
75480b31-f349-4b9a-861f-bce19588e674|Access Control|Misconfigured S3 buckets can leak private information to the entire internet or allow unauthorized data tampering / deletion|Documentation
| -|S3 Bucket Allows List Action From All Principals
d395a950-12ce-4314-a742-ac5a785ab44e|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion.|Documentation
| -|SQS Queue Exposed
86b0efa7-4901-4edd-a37a-c034bec6645a|Access Control|Checks if the SQS Queue is exposed|Documentation
| -|RDS Publicly Accessible
c09e3ca5-f08a-4717-9c87-3919c5e6d209|Access Control|Check if 'publicly_accessible' field is true (default is false)|Documentation
| +|S3 Bucket Access Allowed All
3ab1f27d-52cc-4943-af1d-43c1939e739a|Access Control|Checks if the S3 bucket is accessible for all users|Documentation
| +|S3 Bucket Allows Get Action From All Principals
53bce6a8-5492-4b1b-81cf-664385f0c4bf|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion.|Documentation
| +|S3 Bucket Allows Delete Action From All Principals
6fa44721-ef21-41c6-8665-330d59461163|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion.|Documentation
| |ECS Service Admin Role is Present
7db727c1-1720-468e-b80e-06697f71e09e|Access Control|ECS Services must not have Admin roles, which means the attribute 'role' must not be an admin role|Documentation
| +|SQS Queue Exposed
86b0efa7-4901-4edd-a37a-c034bec6645a|Access Control|Checks if the SQS Queue is exposed|Documentation
| |S3 Bucket Allows Put Action From All Principals
a0f1bfe0-741e-473f-b3b2-13e66f856fab|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion.|Documentation
| -|S3 Bucket Allows Get Action From All Principals
53bce6a8-5492-4b1b-81cf-664385f0c4bf|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion.|Documentation
| +|RDS Publicly Accessible
c09e3ca5-f08a-4717-9c87-3919c5e6d209|Access Control|Check if 'publicly_accessible' field is true (default is false)|Documentation
| +|S3 Bucket Allows List Action From All Principals
d395a950-12ce-4314-a742-ac5a785ab44e|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion.|Documentation
| |All Users Group Gets Read Access
a1ef9d2e-4163-40cb-bd92-04f0d602a15d|Access Control|It's not recommended to allow read access for all user groups.|Documentation
| -|S3 Bucket Allows Delete Action From All Principals
6fa44721-ef21-41c6-8665-330d59461163|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion.|Documentation
| |S3 Bucket Allows Write_ACP Action From All Principals
7529b8d2-55d7-44d2-b1cd-d7d2984a2a81|Access Control|S3 Buckets must not allow Write_ACP Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Write_ACP, for all Principals.|Documentation
| +|All Auth Users Get Read Access
75480b31-f349-4b9a-861f-bce19588e674|Access Control|Misconfigured S3 buckets can leak private information to the entire internet or allow unauthorized data tampering / deletion|Documentation
| |Cloud SQL DB Is Publicly Accessible
7d7054c0-3a52-4e9b-b9ff-cbfe16a2378b|Access Control|Check if any Cloud SQL instances are publicly accessible.|Documentation
| |VM With Full Cloud Access
bc20bbc6-0697-4568-9a73-85af1dd97bdd|Access Control|A VM instance is configured to use the default service account with full access to all Cloud APIs|Documentation
| -|SQL Database Backup Configuration Disabled
0c82eae2-aca0-401f-93e4-fb37a0f9e5e8|Backup & Disaster Recovery|Checks if backup configuration is enabled for all Cloud SQL Database instances|Documentation
| -|User Data Contains RSA Private Key
c09f4d3e-27d2-4d46-9453-abbe9687a64e|Data Security|User Data contains an encoded RSA Private Key|Documentation
| -|EBS Encryption Disabled
4b6012e7-7176-46e4-8108-e441785eae57|Data Security|EBS Encryption should be enabled|Documentation
| -|Redis Not Compliant
9f34885e-c08f-4d13-a7d1-cf190c5bd268|Data Security|Check if the redis version is compliant with the necessary AWS PCI DSS requirements|Documentation
| -|User Data Shell Script Is Encoded
1e2341ba-a5cf-4f0a-a5f6-47e90c68ea89|Data Security|User Data Shell Script must be encoded|Documentation
| -|Memcached Disabled
2d55ef88-b616-4890-b822-47f280763e89|Data Security|Check if the Memcached is disabled on the ElastiCache|Documentation
| -|RDS CA Certificate Identifier Is Expired
5eccd62d-8b4d-46d3-83ea-1879f3cbd3ce|Data Security|The CA certificate Identifier must be rds-ca-2019|Documentation
| -|RDS Auto Minor Version Upgrade Disabled
857f8808-e96a-4ba8-a9b7-f2d4ec6cad94|Data Security|RDS instance auto minor version upgrade feature must be true|Documentation
| -|IAM Database Auth Not Enabled
0ed012a4-9199-43d2-b9e4-9bd049a48aa4|Data Security|IAM Database Auth Enabled must be configured to true|Documentation
| -|DB Instance Storage Not Encrypted
7dfb316c-a6c2-454d-b8a2-97f147b0c0ff|Data Security|The parameter storage_encrypted in aws_db_instance must be true (the default is false)|Documentation
| -|ECS Task Definition Container Has Password
7fdc2bf3-6bc0-4cb3-84c5-cfd041c0f892|Data Security|It's not recommend to use plaintext environment variables for sensitive information, such as credential data.|Documentation
| -|SSL Connection Is Enabled
2a901825-0f3b-4655-a0fe-e0470e50f8e6|Encryption|Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled|Documentation
| -|SSL Enforce Is Disabled
961ce567-a16d-4d7d-9027-f0ec2628a555|Encryption|Make sure that for PosgreSQL, the 'Enforce SSL connection' is set to 'ENABLED'|Documentation
| -|Storage Account Not Forcing HTTPS
2c99a474-2a3c-4c17-8294-53ffa5ed0522|Encryption|See that Storage Accounts forces the use of HTTPS|Documentation
| -|HTTPS Traffic Disabled
a6d27cf7-61dc-4bde-ae08-3b353b609f76|Encryption|Checks if the connection between the CloudFront and the origin server is encrypted|Documentation
| -|ELB Using Insecure Protocols
730a5951-2760-407a-b032-dd629b55c23a|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of insecure protocols.|Documentation
| -|EFS Is Not Encrypted
727c4fd4-d604-4df6-a179-7713d3c85e20|Encryption|Elastic File System (EFS) must be encrypted|Documentation
| +|Admin User Is Enabled for Container Registry
29f35127-98e6-43af-8ec1-201b79f99604|Access Control|Admin user is enabled for Container Registry|Documentation
| +|AD Admin Not Configured For SQL Server
b176e927-bbe2-44a6-a9c3-041417137e5f|Access Control|The Active Directory Administrator is not configured for a SQL server|Documentation
| +|Blob Container With Public Access
4d3817db-dd35-4de4-a80d-3867157e7f7f|Access Control|Anonymous, public read access to a container and its blobs are enabled in Azure Blob Storage|Documentation
| +|Redis Entirely Accessible
0d0c12b9-edce-4510-9065-13f6a758750c|Access Control|Firewall rule allowing unrestricted access to Redis from the Internet|Documentation
| +|Public Storage Account
35e2f133-a395-40de-a79d-b260d973d1bd|Access Control|Check if 'network_acls' is open to public.|Documentation
| +|Trusted Microsoft Services Not Enabled
1bc398a8-d274-47de-a4c8-6ac867b353de|Access Control|Ensure Trusted Microsoft Services have Storage Account access.|Documentation
| +|SQL Database Backup Configuration Disabled
0c82eae2-aca0-401f-93e4-fb37a0f9e5e8|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances|Documentation
| +|Memcached Disabled
2d55ef88-b616-4890-b822-47f280763e89|Encryption|Check if the Memcached is disabled on the ElastiCache|Documentation
| +|S3 Bucket Rules With Master Key Id Null
309edc5b-5a59-42b4-a357-d4d098311fd4|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required|Documentation
| +|DB Instance Storage Not Encrypted
7dfb316c-a6c2-454d-b8a2-97f147b0c0ff|Encryption|The parameter storage_encrypted in aws_db_instance must be true (the default is false)|Documentation
| +|Redis Not Compliant
9f34885e-c08f-4d13-a7d1-cf190c5bd268|Encryption|Check if the redis version is compliant with the necessary AWS PCI DSS requirements|Documentation
| |Secure Ciphers Not Used
218413a0-c716-4b94-9e08-0bb70d854709|Encryption|Check if secure ciphers aren't used in CloudFront|Documentation
| +|User Data Shell Script Is Encoded
1e2341ba-a5cf-4f0a-a5f6-47e90c68ea89|Encryption|User Data Shell Script must be encoded|Documentation
| +|User Data Contains RSA Private Key
c09f4d3e-27d2-4d46-9453-abbe9687a64e|Encryption|User Data contains an encoded RSA Private Key|Documentation
| |Redshift Not Encrypted
6a647814-def5-4b85-88f5-897c19f509cd|Encryption|Check if 'encrypted' field is false or undefined (default is false)|Documentation
| -|S3 Bucket Rules With Master Key Id Null
309edc5b-5a59-42b4-a357-d4d098311fd4|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required|Documentation
| +|RDS Auto Minor Version Upgrade Disabled
857f8808-e96a-4ba8-a9b7-f2d4ec6cad94|Encryption|RDS instance auto minor version upgrade feature must be true|Documentation
| +|EBS Encryption Disabled
4b6012e7-7176-46e4-8108-e441785eae57|Encryption|EBS Encryption should be enabled|Documentation
| +|ECS Task Definition Container Has Password
7fdc2bf3-6bc0-4cb3-84c5-cfd041c0f892|Encryption|It's not recommend to use plaintext environment variables for sensitive information, such as credential data.|Documentation
| |ELB Using Weak Ciphers
2034fb37-bc23-4ca0-8d95-2b9f15829ab5|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of weak ciphers.|Documentation
| -|AMI Not Encrypted
97707503-a22c-4cd7-b7c0-f088fa7cf830|Encryption & Key Management|AWS AMI Encryption is not enabled|Documentation
| -|Cloud SQL Instance With SSL Disabled
d0f7da39-a2d5-4c78-bb85-4b7f338b3cbb|Encryption & Key Management|Cloud SQL Database Instance with SSL disabled for incoming connections|Documentation
| -|DNSSEC Using RSASHA1
6cf4c3a7-ceb0-4475-8892-3745b84be24a|Encryption & Key Management|DNSSEC should not use the RSASHA1 algorithm|Documentation
| -|KMS Rotation Period Is Higher Than 365 Days
79f45008-60b3-4a0a-a302-8311fd3701b4|Encryption & Key Management|Check if any KMS rotation period surpasses 365 days.|Documentation
| -|Web App Accepts Not Only HTTPS Traffic
eb8c2560-8bee-4248-9d0d-e80c8641dd91|Insecure Configurations|Web app should only accept HTTPS traffic in Azure Web App Service.|Documentation
| -|Azurerm Container Registry With No Locks
581dae78-307d-45d5-aae4-fe2b0db267a5|Insecure Configurations|Azurerm Container Registry Must Contain Associated Locks |Documentation
| -|VM Not Attached To Network
1e5f5307-3e01-438d-8da6-985307ed25ce|Insecure Configurations|No Network Security Group is attached to the Virtual Machine|Documentation
| +|EFS Is Not Encrypted
727c4fd4-d604-4df6-a179-7713d3c85e20|Encryption|Elastic File System (EFS) must be encrypted|Documentation
| +|RDS CA Certificate Identifier Is Expired
5eccd62d-8b4d-46d3-83ea-1879f3cbd3ce|Encryption|The CA certificate Identifier must be rds-ca-2019|Documentation
| +|ELB Using Insecure Protocols
730a5951-2760-407a-b032-dd629b55c23a|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of insecure protocols.|Documentation
| +|HTTPS Traffic Disabled
a6d27cf7-61dc-4bde-ae08-3b353b609f76|Encryption|Checks if the connection between the CloudFront and the origin server is encrypted|Documentation
| +|AMI Not Encrypted
97707503-a22c-4cd7-b7c0-f088fa7cf830|Encryption|AWS AMI Encryption is not enabled|Documentation
| +|IAM Database Auth Not Enabled
0ed012a4-9199-43d2-b9e4-9bd049a48aa4|Encryption|IAM Database Auth Enabled must be configured to true|Documentation
| +|KMS Rotation Period Is Higher Than 365 Days
79f45008-60b3-4a0a-a302-8311fd3701b4|Encryption|Check if any KMS rotation period surpasses 365 days.|Documentation
| +|Cloud SQL Instance With SSL Disabled
d0f7da39-a2d5-4c78-bb85-4b7f338b3cbb|Encryption|Cloud SQL Database Instance with SSL disabled for incoming connections|Documentation
| +|DNSSEC Using RSASHA1
6cf4c3a7-ceb0-4475-8892-3745b84be24a|Encryption|DNSSEC should not use the RSASHA1 algorithm|Documentation
| +|SSL Enforce Is Disabled
961ce567-a16d-4d7d-9027-f0ec2628a555|Encryption|Make sure that for PosgreSQL, the 'Enforce SSL connection' is set to 'ENABLED'|Documentation
| +|Storage Account Not Forcing HTTPS
2c99a474-2a3c-4c17-8294-53ffa5ed0522|Encryption|See that Storage Accounts forces the use of HTTPS|Documentation
| +|SSL Connection Is Enabled
2a901825-0f3b-4655-a0fe-e0470e50f8e6|Encryption|Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled|Documentation
| |DB Security Group Has Public IP
5330b503-3319-44ff-9b1c-00ee873f728a|Insecure Configurations|The CIDR IP must not be Public|Documentation
| -|Redshift Publicly Accessible
5c6b727b-1382-4629-8ba9-abd1365e5610|Insecure Configurations|Check if 'publicly_accessible' field is true (default is false)|Documentation
| |Root Account Has Associated Active Access Keys
e71d0bc7-d9e8-4e6e-ae90-0a4206db6f40|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive.|Documentation
| -|Cloud SQL Instance With Cross DB Ownership Chaining On
9e0c33ed-97f3-4ed6-8be9-bcbf3f65439f|Insecure Configurations|GCP SQL Instance should not have Cross DB Ownership Chaining On|Documentation
| -|Legacy Authorization is Enabled
300a9964-b086-41f7-9378-b6de3ba1c32b|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacy_abac.enabled' must be false.|Documentation
| -|Network Policy is Disabled
98e04ca0-34f5-4c74-8fec-d2e611ce2790|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false|Documentation
| +|Redshift Publicly Accessible
5c6b727b-1382-4629-8ba9-abd1365e5610|Insecure Configurations|Check if 'publicly_accessible' field is true (default is false)|Documentation
| |BigQuery Dataset Is Public
2263b286-2fe9-4747-a0ae-8b4768a2bbd2|Insecure Configurations|BigQuery dataset is anonymously or publicly accessible|Documentation
| +|Log Min Duration Statement Wrong Value
aed98a2a-e680-497a-8886-277cea0f4514|Insecure Configurations|PostgreSQL database 'log_min_duration_statement' flag isn't set to '-1'|Documentation
| +|Cloud SQL Instance With Contained Database Authentication On
6d34aff3-fdd2-460c-8190-756a3b4969e8|Insecure Configurations|SQL Instance should not have Contained Database Authentication On|Documentation
| +|GKE Basic Authentication is Enabled
344bf8ab-9308-462b-a6b2-697432e40ba1|Insecure Configurations|GCP - Google Kubernetes Engine (GKE) Basic Authentication must be disabled, which means the username and password provided in the master_auth block must be empty|Documentation
| +|Network Policy is Disabled
98e04ca0-34f5-4c74-8fec-d2e611ce2790|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false|Documentation
| |Cluster Labels are Disabled
fbe9b2d0-a2b7-47a1-a534-03775f3013f7|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined|Documentation
| |Cloud MYSQL Instance With Local Infile On
a7b520bb-2509-4fb0-be05-bc38f54c7a4c|Insecure Configurations|MySQL Instance should not have Local Infile On|Documentation
| -|Cloud SQL Instance With Contained Database Authentication On
6d34aff3-fdd2-460c-8190-756a3b4969e8|Insecure Configurations|SQL Instance should not have Contained Database Authentication On|Documentation
| -|Client Certificate is Disabled
20180133-a0d0-4745-bfe0-94049fbb12a9|Insecure Configurations|Kubernetes Clusters must be created with Client Certificate enabled, which means 'master_auth' must have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to true|Documentation
| -|IP Aliasing is Disabled
ed672a9f-fbf0-44d8-a47d-779501b0db05|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ip_allocation_policy' must be defined and the subattribute 'use_ip_aliases' must be set to 'yes'.|Documentation
| |Private Cluster is Disabled
3b30e3d6-c99b-4318-b38f-b99db74578b5|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_endpoint' and 'enable_private_nodes' must be true.|Documentation
| +|Legacy Authorization is Enabled
300a9964-b086-41f7-9378-b6de3ba1c32b|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacy_abac.enabled' must be false.|Documentation
| +|Client Certificate is Disabled
20180133-a0d0-4745-bfe0-94049fbb12a9|Insecure Configurations|Kubernetes Clusters must be created with Client Certificate enabled, which means 'master_auth' must have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to true|Documentation
| +|Cloud SQL Instance With Cross DB Ownership Chaining On
9e0c33ed-97f3-4ed6-8be9-bcbf3f65439f|Insecure Configurations|GCP SQL Instance should not have Cross DB Ownership Chaining On|Documentation
| |Master Authentication is Disabled
9df7f78f-ebe3-432e-ac3b-b67189c15518|Insecure Configurations|Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'master_auth' must have the subattributes 'username' and 'password' defined and not empty|Documentation
| -|GKE Basic Authentication is Enabled
344bf8ab-9308-462b-a6b2-697432e40ba1|Insecure Configurations|GCP - Google Kubernetes Engine (GKE) Basic Authentication must be disabled, which means the username and password provided in the master_auth block must be empty|Documentation
| -|Log Min Duration Statement Wrong Value
aed98a2a-e680-497a-8886-277cea0f4514|Insecure Configurations|PostgreSQL database 'log_min_duration_statement' flag isn't set to '-1'|Documentation
| -|Sensitive Port Is Exposed To Entire Network
0ac9abbc-6d7a-41cf-af23-2e57ddb3dbfc|Network Ports Security|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol|Documentation
| -|SSH' (TCP:22) in Public Scope
57ced4b9-6ba4-487b-8843-b65562b90c77|Network Ports Security|SSH' (TCP:22) should not be public in AWS Security Group|Documentation
| -|Remote Desktop Port Open
eda7301d-1f3e-47cf-8d4e-976debc64341|Network Ports Security|The remote desktop port is open|Documentation
| -|HTTP Port Open
a14ad534-acbe-4a8e-9404-2f7e1045646e|Network Ports Security|HTTP port is open to the internet|Documentation
| -|Fully Open Ingress
83c5fa4c-e098-48fc-84ee-0a537287ddd2|Network Ports Security|Security groups allow ingress from 0.0.0.0/0|Documentation
| -|Public Port Wide
71ea648a-d31a-4b5a-a589-5674243f1c33|Network Ports Security|AWS Security Group should not have public port wide|Documentation
| -|Default Security Group Does Not Restrict All Traffic
8010e17a-00e9-4635-a692-90d6bcec68bd|Network Ports Security|Check if default security group does not restrict all inbound and outbound traffic.|Documentation
| -|Unknown Port Exposed To Internet
722b0f24-5a64-4cca-aa96-cfc26b7e3a5b|Network Ports Security|AWS Security Group should not have an unknown port exposed to the entire Internet|Documentation
| -|Security Group Ingress Not Restricted
ea6bc7a6-d696-4dcf-a788-17fa03c17c81|Network Ports Security|AWS Security Group should restrict ingress access|Documentation
| -|CosmosDB Account IP Range Filter Not Set
e8c80448-31d8-4755-85fc-6dbab69c2717|Networking and Firewall|The IP range filter should be defined|Documentation
| -|Redis Publicly Accessible
0632d0db-9190-450a-8bb3-c283bffea445|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from other Azure sources|Documentation
| -|SQLServer Ingress from Any IP
f4e9ff70-0f3b-4c50-a713-26cbe7ec4039|Networking and Firewall|Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255.|Documentation
| +|IP Aliasing is Disabled
ed672a9f-fbf0-44d8-a47d-779501b0db05|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ip_allocation_policy' must be defined and the subattribute 'use_ip_aliases' must be set to 'yes'.|Documentation
| +|Azurerm Container Registry With No Locks
581dae78-307d-45d5-aae4-fe2b0db267a5|Insecure Configurations|Azurerm Container Registry Must Contain Associated Locks |Documentation
| +|VM Not Attached To Network
1e5f5307-3e01-438d-8da6-985307ed25ce|Insecure Configurations|No Network Security Group is attached to the Virtual Machine|Documentation
| +|Web App Accepts Not Only HTTPS Traffic
eb8c2560-8bee-4248-9d0d-e80c8641dd91|Insecure Configurations|Web app should only accept HTTPS traffic in Azure Web App Service.|Documentation
| +|Remote Desktop Port Open
eda7301d-1f3e-47cf-8d4e-976debc64341|Networking and Firewall|The remote desktop port is open|Documentation
| +|SSH' (TCP:22) in Public Scope
57ced4b9-6ba4-487b-8843-b65562b90c77|Networking and Firewall|SSH' (TCP:22) should not be public in AWS Security Group|Documentation
| +|ALB protocol is HTTP
f81d63d2-c5d7-43a4-a5b5-66717a41c895|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP|Documentation
| +|HTTP Port Open
a14ad534-acbe-4a8e-9404-2f7e1045646e|Networking and Firewall|HTTP port is open to the internet|Documentation
| +|EC2 Instance Has Public IP
a8b0c58b-cd25-4b53-9ad0-55bca0be0bc1|Networking and Firewall|EC2 Instance should not have a public IP address.|Documentation
| +|Fully Open Ingress
83c5fa4c-e098-48fc-84ee-0a537287ddd2|Networking and Firewall|Security groups allow ingress from 0.0.0.0/0|Documentation
| |DB Security Group Higher than 256
ea0ed1c7-9aef-4464-b7c7-94c762da3640|Networking and Firewall|DB Security CIDR must be lower than 256 (/24)|Documentation
| |DB Security Group With Public Scope
0956aedf-6a7a-478b-ab56-63e2b19923ad|Networking and Firewall|AWS DB Security Group's CIDR must be different than 0.0.0.0/0|Documentation
| +|Public Port Wide
71ea648a-d31a-4b5a-a589-5674243f1c33|Networking and Firewall|AWS Security Group should not have public port wide|Documentation
| +|Unknown Port Exposed To Internet
722b0f24-5a64-4cca-aa96-cfc26b7e3a5b|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet|Documentation
| |Route53 Record Undefined
445dce51-7e53-4e50-80ef-7f94f14169e4|Networking and Firewall|Route53 Record should have a list of records|Documentation
| -|EC2 Instance Has Public IP
a8b0c58b-cd25-4b53-9ad0-55bca0be0bc1|Networking and Firewall|EC2 Instance should not have a public IP address.|Documentation
| |KMS Key With Vulnerable Policy
5b9d237a-57d5-4177-be0e-71434b0fef47|Networking and Firewall|Checks if the policy is vulnerable and needs updating.|Documentation
| -|ALB protocol is HTTP
f81d63d2-c5d7-43a4-a5b5-66717a41c895|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP|Documentation
| -|Compute Instance Is Publicly Accessible
829f1c60-2bab-44c6-8a21-5cd9d39a2c82|Networking and Firewall|Compute instances shouldn't be accessible from the Internet.|Documentation
| +|Default Security Group Does Not Restrict All Traffic
8010e17a-00e9-4635-a692-90d6bcec68bd|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic.|Documentation
| +|Security Group Ingress Not Restricted
ea6bc7a6-d696-4dcf-a788-17fa03c17c81|Networking and Firewall|AWS Security Group should restrict ingress access|Documentation
| |GKE Master Authorized Networks Disabled
d43366c5-80b0-45de-bbe8-2338f4ab0a83|Networking and Firewall|Master authorized networks must be enabled in GKE clusters|Documentation
| -|Config Configuration Aggregator All Regions Not Enabled
a2fdf451-89dd-451e-af92-bf6c0f4bab96|Observability|AWS Config Configuration Aggregator All Regions must be set to True|Documentation
| +|Compute Instance Is Publicly Accessible
829f1c60-2bab-44c6-8a21-5cd9d39a2c82|Networking and Firewall|Compute instances shouldn't be accessible from the Internet.|Documentation
| +|CosmosDB Account IP Range Filter Not Set
e8c80448-31d8-4755-85fc-6dbab69c2717|Networking and Firewall|The IP range filter should be defined|Documentation
| +|Sensitive Port Is Exposed To Entire Network
0ac9abbc-6d7a-41cf-af23-2e57ddb3dbfc|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol|Documentation
| +|Redis Publicly Accessible
0632d0db-9190-450a-8bb3-c283bffea445|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from other Azure sources|Documentation
| +|SQLServer Ingress from Any IP
f4e9ff70-0f3b-4c50-a713-26cbe7ec4039|Networking and Firewall|Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255.|Documentation
| |S3 Bucket Without Versioning
9232306a-f839-40aa-b3ef-b352001da9a5|Observability|S3 bucket without versioning|Documentation
| +|Config Configuration Aggregator All Regions Not Enabled
a2fdf451-89dd-451e-af92-bf6c0f4bab96|Observability|AWS Config Configuration Aggregator All Regions must be set to True|Documentation
| |CloudTrail Logging Disabled
d4a73c49-cbaa-4c6f-80ee-d6ef5a3a26f5|Observability|Checks if we have enabled logging in the CloudTrail|Documentation
| |Stackdriver Monitoring is Disabled
20dcd953-a8b8-4892-9026-9afa6d05a525|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must be defined and different than 'none'|Documentation
| -|PostgreSQL log_connections Flag Not Set To ON
d7a5616f-0a3f-4d43-bc2b-29d1a183e317|Observability|PostgreSQL database instance should have a 'log_connections' flag with its value set to 'on'|Documentation
| +|Stackdriver Logging is Disabled
19c9e2a0-fc33-4264-bba1-e3682661e8f7|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must be defined and different from 'none'|Documentation
| |Cloud Storage Bucket Logging Not Enabled
507df964-ad97-4035-ab14-94a82eabdfdd|Observability|Cloud storage bucket with logging not enabled|Documentation
| |Log Temp Files Wrong Value
d6fae5b6-ada9-46c0-8b36-3108a2a2f77b|Observability|PostgreSQL database 'log_temp_files' flag isn't set to '0'|Documentation
| -|Stackdriver Logging is Disabled
19c9e2a0-fc33-4264-bba1-e3682661e8f7|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must be defined and different from 'none'|Documentation
| |Object Versioning Not Enabled
7814ddda-e758-4a56-8be3-289a81ded929|Observability|Object Versioning not fully enabled on Cloud Storage Bucket|Documentation
| -|COS Node Image Not Used
be41f891-96b1-4b9d-b74f-b922a918c778|Resource Management|A node image, that is not Container-Optimized OS (COS), is used for Kubernetes Engine Clusters Node image|Documentation
| +|PostgreSQL log_connections Flag Not Set To ON
d7a5616f-0a3f-4d43-bc2b-29d1a183e317|Observability|PostgreSQL database instance should have a 'log_connections' flag with its value set to 'on'|Documentation
| |Node Auto Upgrade Not Enabled
d6e10477-2e19-4bcd-b8a8-19c65b89ccdf|Resource Management|Node 'auto_upgrade' should be enabled for Kubernetes Clusters|Documentation
| +|COS Node Image Not Used
be41f891-96b1-4b9d-b74f-b922a918c778|Resource Management|A node image, that is not Container-Optimized OS (COS), is used for Kubernetes Engine Clusters Node image|Documentation
| |Kinesis Not Encrypted With KMS
f2ea6481-1d31-4d40-946a-520dc6321dd7|Secret Management|AWS Kinesis Streams and metadata should be protected with KMS|Documentation
| @@ -107,81 +107,81 @@ This page contains all queries from Ansible, classified by severity level. | Query |Category|Description|Help| |-----------------------------|---|---|---| -|Firewall Rule Allows Too Many Hosts To Access Redis Cache
69f72007-502e-457b-bd2d-5012e31ac049|Access Control|Check if any firewall rule allows too many hosts to access Redis Cache.|Documentation
| -|AKS Without RBAC
149fa56c-4404-4f90-9e25-d34b676d5b39|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled|Documentation
| -|IAM Access Key Is Exposed
7f79f858-fbe8-4186-8a2c-dfd0d958a40f|Access Control|Check if IAM Access Key is active for some user besides 'root'|Documentation
| +|Public ECR policy
fb5a5df7-6d74-4243-ab82-ff779a958bfd|Access Control|Amazon ECR image repositories shouldn't have public access|Documentation
| +|IAM Policies With Full Privileges
e401d614-8026-4f4b-9af9-75d1197461ba|Access Control|IAM policies that allow full administrative privileges (for all resources)|Documentation
| |S3 Bucket With Public Access
c3e073c1-f65e-4d18-bd67-4a8f20ad1ab9|Access Control|S3 Bucket allows public access|Documentation
| +|SNS Topic is Publicly Accessible For Subscription
905f4741-f965-45c1-98db-f7a00a0e5c73|Access Control|This query checks if SNS Topic is Accessible For Subscription|Documentation
| |SQS Policy With Public Access
d994585f-defb-4b51-b6d2-c70f020ceb10|Access Control|SQS policy with public access|Documentation
| |AMI Shared To Multiple Accounts
a19b2942-142e-4e2b-93b7-6cf6a6c8d90f|Access Control|Limits access to AWS AMIs by checking if more than one account is using the same image|Documentation
| -|Public Lambda via API Gateway
5e92d816-2177-4083-85b4-f61b4f7176d9|Access Control|Allowing to run lambda function using public API Gateway|Documentation
| -|IAM Policies With Full Privileges
e401d614-8026-4f4b-9af9-75d1197461ba|Access Control|IAM policies that allow full administrative privileges (for all resources)|Documentation
| |SQS Policy Allows ALL (*) Actions
ed9b3beb-92cf-44d9-a9d2-171eeba569d4|Access Control|SQS policy allows ALL (*) actions|Documentation
| -|Public ECR policy
fb5a5df7-6d74-4243-ab82-ff779a958bfd|Access Control|Amazon ECR image repositories shouldn't have public access|Documentation
| +|IAM Access Key Is Exposed
7f79f858-fbe8-4186-8a2c-dfd0d958a40f|Access Control|Check if IAM Access Key is active for some user besides 'root'|Documentation
| +|Public Lambda via API Gateway
5e92d816-2177-4083-85b4-f61b4f7176d9|Access Control|Allowing to run lambda function using public API Gateway|Documentation
| |IAM Policy Allows All ('*') In Policy Statement
b5ed026d-a772-4f07-97f9-664ba0b116f8|Access Control|IAM policies allow all ('*') in a statement action|Documentation
| -|SNS Topic is Publicly Accessible For Subscription
905f4741-f965-45c1-98db-f7a00a0e5c73|Access Control|This query checks if SNS Topic is Accessible For Subscription|Documentation
| -|Key Vault Soft Delete Is Disabled
881696a8-68c5-4073-85bc-7c38a3deb854|Backup|Make sure Soft Delete is enabled for Key Vault|Documentation
| +|Firewall Rule Allows Too Many Hosts To Access Redis Cache
69f72007-502e-457b-bd2d-5012e31ac049|Access Control|Check if any firewall rule allows too many hosts to access Redis Cache.|Documentation
| +|AKS Without RBAC
149fa56c-4404-4f90-9e25-d34b676d5b39|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled|Documentation
| |RDS Without Backup
e69890e6-fce5-461d-98ad-cb98318dfc96|Backup|RDS configured without backup|Documentation
| -|SQL Server Accessibility is Not Minimal
3f23c96c-f9f5-488d-9b17-605b8da5842f|Best Practices|Azure SQL Server Accessibility should be set to a minimal address range, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' must be lesser than 256. Additionally, both ips must be different from '0.0.0.0'|Documentation
| -|SQL Server Predictable Admin Account Name
663062e9-473d-4e87-99bc-6f3684b3df40|Best Practices|Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'admin_username' must be set to a name that is not easy to predict|Documentation
| -|SQL Server Predictable Active Directory Account Name
530e8291-2f22-4bab-b7ea-306f1bc2a308|Best Practices|Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'ad_user' must be set to a name that is not easy to predict|Documentation
| +|Key Vault Soft Delete Is Disabled
881696a8-68c5-4073-85bc-7c38a3deb854|Backup|Make sure Soft Delete is enabled for Key Vault|Documentation
| |IAM Password Without Numbers
9cf25d62-0b96-42c8-b66d-998cd6ee5bb8|Best Practices|Check if IAM account password has at least one number|Documentation
| +|IAM Password Without Valid Minimum Length
8bc2168c-1723-4eeb-a6f3-a1ba614b9a6d|Best Practices|Check if IAM account password has the required minimum length|Documentation
| |Incorrect Password Policy Expiration
3f2cf811-88fa-4eda-be45-7a191a18aba9|Best Practices|No password expiration policy|Documentation
| |No Password Reuse Prevention
6f5f5444-1422-495f-81ef-24cefd61ed2c|Best Practices|Password policy `password_reuse_prevention` doesn't exist or is equal to 0|Documentation
| |IAM Password Without Lowercase Letter
8e3063f4-b511-45c3-b030-f3b0c9131951|Best Practices|Check if IAM account password has at least one lowercase letter|Documentation
| -|IAM Password Without Valid Minimum Length
8bc2168c-1723-4eeb-a6f3-a1ba614b9a6d|Best Practices|Check if IAM account password has the required minimum length|Documentation
| |Authentication Without MFA
eee107f9-b3d8-45d3-b9c6-43b5a7263ce1|Best Practices|Users should authenticate with MFA (Multi-factor Authentication)|Documentation
| -|Cosmos DB Account Without Tags
23a4dc83-4959-4d99-8056-8e051a82bc1e|Build Process|Cosmos DB Account must have a mapping of tags.|Documentation
| +|SQL Server Predictable Active Directory Account Name
530e8291-2f22-4bab-b7ea-306f1bc2a308|Best Practices|Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'ad_user' must be set to a name that is not easy to predict|Documentation
| +|SQL Server Predictable Admin Account Name
663062e9-473d-4e87-99bc-6f3684b3df40|Best Practices|Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'admin_username' must be set to a name that is not easy to predict|Documentation
| +|SQL Server Accessibility is Not Minimal
3f23c96c-f9f5-488d-9b17-605b8da5842f|Best Practices|Azure SQL Server Accessibility should be set to a minimal address range, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' must be lesser than 256. Additionally, both ips must be different from '0.0.0.0'|Documentation
| |CloudFormation Without Template
32d31f1f-0f83-4721-b7ec-1e6948c60145|Build Process|AWS CloudFormation should have a template defined through the attribute template, template_url or attribute template_body|Documentation
| -|Storage Account Not Using Latest TLS Encryption Version
c62746cf-92d5-4649-9acf-7d48d086f2ee|Encryption|Ensure Storage Account is using the latest version of TLS encryption|Documentation
| +|Cosmos DB Account Without Tags
23a4dc83-4959-4d99-8056-8e051a82bc1e|Build Process|Cosmos DB Account must have a mapping of tags.|Documentation
| +|Config Rule For Encrypted Volumes Is Disabled
7674a686-e4b1-4a95-83d4-1fd53c623d84|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source.|Documentation
| |Not Encrypted Data In Launch Configuration
66477506-6abb-49ed-803d-3fa174cd5f6a|Encryption|AWS Autoscaling Launch Configurations should have encryption enabled|Documentation
| |CodeBuild Not Encrypted
a1423864-2fbc-4f46-bfe1-fbbf125c71c9|Encryption|CodeBuild Project should be encrypted|Documentation
| -|Config Rule For Encrypted Volumes Is Disabled
7674a686-e4b1-4a95-83d4-1fd53c623d84|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source.|Documentation
| -|VM CSEK Encryption is Disabled
092bae86-6105-4802-99d2-99cd7e7431f3|Encryption & Key Management|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK), which means the attribute 'disk_encryption_key' must be defined and its sub attribute 'raw_key' must also be defined and not empty|Documentation
| -|Google KMS Crypto Key Rotation Period
f9b7086b-deb8-4034-9330-d7fd38f1b8de|Encryption & Key Management|Make sure Encryption keys changes after 90 days|Documentation
| -|Google Compute SSL Policy Weak Cipher Suits is Enabled
b28bcd2f-c309-490e-ab7c-35fc4023eb26|Encryption & Key Management|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers|Documentation
| -|AKS Network Policy Misconfigured
8c3bedf1-c570-4c3b-b414-d068cd39a00c|Insecure Configurations|Azure Kubernetes Service should have the proper network policy configuration|Documentation
| -|Redis Cache Allows Non SSL Connections
869e7fb4-30f0-4bdb-b360-ad548f337f2f|Insecure Configurations|Check if any Redis Cache resource allows non-SSL connections.|Documentation
| -|Security Group is Not Configured
da4f2739-174f-4cdd-b9ef-dc3f14b5931f|Insecure Configurations|Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty|Documentation
| -|IAM Password Without Uppercase Letter
83957b81-39c1-4191-8e12-671d2ce14354|Insecure Configurations|Check if IAM account password has at least one uppercase letter|Documentation
| -|API Gateway Without SSL Certificate
b47b98ab-e481-4a82-8bb1-1ab39fd36e33|Insecure Configurations|SSL Client Certificate should be enabled in aws_api_gateway|Documentation
| +|Google Compute SSL Policy Weak Cipher Suits is Enabled
b28bcd2f-c309-490e-ab7c-35fc4023eb26|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers|Documentation
| +|Google KMS Crypto Key Rotation Period
f9b7086b-deb8-4034-9330-d7fd38f1b8de|Encryption|Make sure Encryption keys changes after 90 days|Documentation
| +|VM CSEK Encryption is Disabled
092bae86-6105-4802-99d2-99cd7e7431f3|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK), which means the attribute 'disk_encryption_key' must be defined and its sub attribute 'raw_key' must also be defined and not empty|Documentation
| +|Storage Account Not Using Latest TLS Encryption Version
c62746cf-92d5-4649-9acf-7d48d086f2ee|Encryption|Ensure Storage Account is using the latest version of TLS encryption|Documentation
| |CloudFormation Without Stack Policy
ffe0fd52-7a8b-4a5c-8fc7-49844418e6c9|Insecure Configurations|AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions|Documentation
| -|Unchangeable password
e28ceb92-d588-4166-aac5-766c8f5b7472|Insecure Configurations|Unchangeable passwords in AWS password policy|Documentation
| |ECR Image Tag Not Immutable
60bfbb8a-c72f-467f-a6dd-a46b7d612789|Insecure Configurations|ECR should have an image tag immutable|Documentation
| -|Google Container Node Pool Auto Repair is Disabled
d58c6f24-3763-4269-9f5b-86b2569a003b|Insecure Configurations|Verifies if Google Container Node Pool Auto Repair is Enabled|Documentation
| -|Shielded VM is Disabled
18d3a83d-4414-49dc-90ea-f0387b2856cc|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true|Documentation
| -|OSLogin Is Disabled In VM Instance
66dae697-507b-4aef-be18-eec5bd707f33|Insecure Configurations|Check if any instance disables OSLogin.|Documentation
| +|API Gateway Without SSL Certificate
b47b98ab-e481-4a82-8bb1-1ab39fd36e33|Insecure Configurations|SSL Client Certificate should be enabled in aws_api_gateway|Documentation
| +|IAM Password Without Uppercase Letter
83957b81-39c1-4191-8e12-671d2ce14354|Insecure Configurations|Check if IAM account password has at least one uppercase letter|Documentation
| +|Unchangeable password
e28ceb92-d588-4166-aac5-766c8f5b7472|Insecure Configurations|Unchangeable passwords in AWS password policy|Documentation
| |Cloud DNS Without DNSSEC
80b15fb1-6207-40f4-a803-6915ae619a03|Insecure Configurations|DNSSEC must be enabled for Cloud DNS|Documentation
| |Cloud Storage Anonymous or Publicly Accessible
086031e1-9d4a-4249-acb3-5bfe4c363db2|Insecure Configurations|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'entity' must not be 'allUsers' or 'allAuthenticatedUsers'|Documentation
| -|Default Network Access is Allowed
974e6fe7-63fd-4fa4-aa72-77b21a4a959d|Insecure Defaults|Default Network Access rule for Storage Accounts must be set to deny, which means the attribute 'default_action' must be 'Deny'|Documentation
| +|Shielded VM is Disabled
18d3a83d-4414-49dc-90ea-f0387b2856cc|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true|Documentation
| +|Google Container Node Pool Auto Repair is Disabled
d58c6f24-3763-4269-9f5b-86b2569a003b|Insecure Configurations|Verifies if Google Container Node Pool Auto Repair is Enabled|Documentation
| +|OSLogin Is Disabled In VM Instance
66dae697-507b-4aef-be18-eec5bd707f33|Insecure Configurations|Check if any instance disables OSLogin.|Documentation
| +|AKS Network Policy Misconfigured
8c3bedf1-c570-4c3b-b414-d068cd39a00c|Insecure Configurations|Azure Kubernetes Service should have the proper network policy configuration|Documentation
| +|Security Group is Not Configured
da4f2739-174f-4cdd-b9ef-dc3f14b5931f|Insecure Configurations|Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty|Documentation
| +|Redis Cache Allows Non SSL Connections
869e7fb4-30f0-4bdb-b360-ad548f337f2f|Insecure Configurations|Check if any Redis Cache resource allows non-SSL connections.|Documentation
| |Using Default Service Account
2775e169-e708-42a9-9305-b58aadd2c4dd|Insecure Defaults|Instances must not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account_email' must be defined. Additionally, it must not be empty and must also not be a default Google Compute Engine service account.|Documentation
| -|SQL Analysis Services Port 2383 (TCP) is Publicly Accessible
7af1c447-c014-4f05-bd8b-ebe3a15734ac|Network Ports Security|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it.|Documentation
| -|WAF Is Disabled For Azure Application Gateway
2fc5ab5a-c5eb-4ae4-b687-0f16fe77c255|Networking and Firewall|Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway.|Documentation
| -|Instance With No VPC
61d1a2d0-4db8-405a-913d-5d2ce49dff6f|Networking and Firewall|Instance should be configured in VPC (Virtual Private Cloud)|Documentation
| +|Default Network Access is Allowed
974e6fe7-63fd-4fa4-aa72-77b21a4a959d|Insecure Defaults|Default Network Access rule for Storage Accounts must be set to deny, which means the attribute 'default_action' must be 'Deny'|Documentation
| |API Gateway Endpoint Config is Private
559439b2-3e9c-4739-ac46-17e3b24ec215|Networking and Firewall|Type of Endpoint Configuration is Private|Documentation
| -|IP Forwarding is Enabled
11bd3554-cd56-4257-8e25-7aaf30cf8f5f|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true|Documentation
| +|Instance With No VPC
61d1a2d0-4db8-405a-913d-5d2ce49dff6f|Networking and Firewall|Instance should be configured in VPC (Virtual Private Cloud)|Documentation
| +|SQL Analysis Services Port 2383 (TCP) is Publicly Accessible
7af1c447-c014-4f05-bd8b-ebe3a15734ac|Networking and Firewall|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it.|Documentation
| +|SSH Access Is Not Restricted From The Internet
b2fbf1df-76dd-4d78-a6c0-e538f4a9b016|Networking and Firewall|Check if Google Firewall allows SSH access (port 22) from the Internet (public CIDR block).|Documentation
| |Serial Ports Are Enabled For VM Instances
c6fc6f29-dc04-46b6-99ba-683c01aff350|Networking and Firewall|Check if serial ports are enabled in Google Compute Engine VM instances|Documentation
| |RDP Access Is Not Restricted
75418eb9-39ec-465f-913c-6f2b6a80dc77|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access.|Documentation
| -|SSH Access Is Not Restricted From The Internet
b2fbf1df-76dd-4d78-a6c0-e538f4a9b016|Networking and Firewall|Check if Google Firewall allows SSH access (port 22) from the Internet (public CIDR block).|Documentation
| -|Log Duration Is Not Set
729ebb15-8060-40f7-9017-cb72676a5487|Observability|Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON'|Documentation
| -|Monitoring Log Profile Without All Activities
89f84a1e-75f8-47c5-83b5-bee8e2de4168|Observability|Monitoring log profile captures all the activities (Action, Write, Delete)|Documentation
| -|AKS Logging To Azure Monitoring Disabled
d5e83b32-56dd-4247-8c2e-074f43b38a5e|Observability|Azure Container Service (AKS) instance should have logging enabled to Azure Monitoring|Documentation
| -|Log Retention Is Not Set
0461b4fd-21ef-4687-929e-484ee4796785|Observability|Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON'|Documentation
| -|Activity Log Retention Period Less Than 365
37fafbea-dedb-4e0d-852e-d16ee0589326|Observability|Ensure that Activity Log Retention is set 365 days or greater|Documentation
| -|PostgreSQL Server Without Connection Throttling
a9becca7-892a-4af7-b9e1-44bf20a4cd9a|Observability|Ensure that Connection Throttling is set for the PostgreSQL server|Documentation
| -|PostgreSQL Logs Checkpoints Is On
7ab33ac0-e4a3-418f-a673-50da4e34df21|Observability|Make sure that for Postgre SQL Database Server, parameter 'log_checkpoints' is set to 'ON'|Documentation
| -|Log Connections Is Not Set
7b47138f-ec0e-47dc-8516-e7728fe3cc17|Observability|Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON'|Documentation
| -|Log Disconnections Is Not Set
054d07b5-941b-4c28-8eef-18989dc62323|Observability|Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON'|Documentation
| +|IP Forwarding is Enabled
11bd3554-cd56-4257-8e25-7aaf30cf8f5f|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true|Documentation
| +|WAF Is Disabled For Azure Application Gateway
2fc5ab5a-c5eb-4ae4-b687-0f16fe77c255|Networking and Firewall|Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway.|Documentation
| +|CloudTrail Log Files Not Encrypted With KMS
f5587077-3f57-4370-9b4e-4eb5b1bac85b|Observability|CloudTrail Log Files should be encrypted with Key Management Service (KMS)|Documentation
| |CloudFormation Stack Notifications Disabled
d39761d7-94ab-45b0-ab5e-27c44e381d58|Observability|AWS CloudFormation should have stack notifications enabled|Documentation
| |CloudTrail Log Files Without Validation
4d8681a2-3d30-4c89-8070-08acd142748e|Observability|CloudTrail Log Files should have validation enabled|Documentation
| -|API Gateway Has Cloudwatch Logging Disabled
72a931c2-12f5-40d1-93cc-47bff2f7aa2a|Observability|AWS CloudWatch Logs for APIs is not enabled|Documentation
| -|CloudTrail Multi Region Disabled
6ad087d7-a509-4b20-b853-9ef6f5ebaa98|Observability|Check if MultiRegion is Enabled|Documentation
| -|Cloudfront Logging is Disabled
d31cb911-bf5b-4eb6-9fc3-16780c77c7bd|Observability|AWS Cloudfront distributions must have logging enabled, which means the attribute 'logging' must be defined with 'enabled' set to true|Documentation
| |API Gateway X-Ray Disabled
2059155b-27fd-441e-b616-6966c468561f|Observability|API Gateway should have X-Ray Tracing enabled|Documentation
| +|Cloudfront Logging is Disabled
d31cb911-bf5b-4eb6-9fc3-16780c77c7bd|Observability|AWS Cloudfront distributions must have logging enabled, which means the attribute 'logging' must be defined with 'enabled' set to true|Documentation
| |CloudWatch Without Retention Period Specified
e24e18d9-4c2b-4649-b3d0-18c088145e24|Observability|AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, and access log events|Documentation
| +|CloudTrail Multi Region Disabled
6ad087d7-a509-4b20-b853-9ef6f5ebaa98|Observability|Check if MultiRegion is Enabled|Documentation
| |CloudTrail SNS Topic Name Is Undefined
5ba316a9-c466-4ec1-8d5b-bc6107dc9a92|Observability|Check if there is a CloudTrail resource that doesn't have the appropriate SNS topic name to notify the log file delivery|Documentation
| -|CloudTrail Log Files Not Encrypted With KMS
f5587077-3f57-4370-9b4e-4eb5b1bac85b|Observability|CloudTrail Log Files should be encrypted with Key Management Service (KMS)|Documentation
| +|API Gateway Has Cloudwatch Logging Disabled
72a931c2-12f5-40d1-93cc-47bff2f7aa2a|Observability|AWS CloudWatch Logs for APIs is not enabled|Documentation
| |PostgreSQL log_checkpoints Flag Not Set To ON
89afe3f0-4681-4ce3-89ed-896cebd4277c|Observability|PostgreSQL database instance should have a 'log_checkpoints' flag with its value set to 'on'|Documentation
| |Log Min Messages Invalid Value
28a757fc-3d8f-424a-90c0-4233363b2711|Observability|PostgreSQL database 'log_min_messages' flag isn't set to a valid value|Documentation
| +|PostgreSQL Logs Checkpoints Is On
7ab33ac0-e4a3-418f-a673-50da4e34df21|Observability|Make sure that for Postgre SQL Database Server, parameter 'log_checkpoints' is set to 'ON'|Documentation
| +|Activity Log Retention Period Less Than 365
37fafbea-dedb-4e0d-852e-d16ee0589326|Observability|Ensure that Activity Log Retention is set 365 days or greater|Documentation
| +|Log Disconnections Is Not Set
054d07b5-941b-4c28-8eef-18989dc62323|Observability|Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON'|Documentation
| +|Log Duration Is Not Set
729ebb15-8060-40f7-9017-cb72676a5487|Observability|Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON'|Documentation
| +|Log Connections Is Not Set
7b47138f-ec0e-47dc-8516-e7728fe3cc17|Observability|Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON'|Documentation
| +|Log Retention Is Not Set
0461b4fd-21ef-4687-929e-484ee4796785|Observability|Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON'|Documentation
| +|AKS Logging To Azure Monitoring Disabled
d5e83b32-56dd-4247-8c2e-074f43b38a5e|Observability|Azure Container Service (AKS) instance should have logging enabled to Azure Monitoring|Documentation
| +|Monitoring Log Profile Without All Activities
89f84a1e-75f8-47c5-83b5-bee8e2de4168|Observability|Monitoring log profile captures all the activities (Action, Write, Delete)|Documentation
| +|PostgreSQL Server Without Connection Throttling
a9becca7-892a-4af7-b9e1-44bf20a4cd9a|Observability|Ensure that Connection Throttling is set for the PostgreSQL server|Documentation
| |Lambda Hardcoded AWS Access Key
f34508b9-f574-4330-b42d-88c44cced645|Secret Management|Lambda access key should not be in plaintext.|Documentation
| |Project-wide SSH Keys Are Enabled In VM Instances
099b4411-d11e-4537-a0fc-146b19762a79|Secret Management|Check if the VM Instance doesn't block project-wide SSH keys.|Documentation
| @@ -190,15 +190,15 @@ This page contains all queries from Ansible, classified by severity level. | Query |Category|Description|Help| |-----------------------------|---|---|---| -|IAM Role Allows Public Assume
12a7a7ce-39d6-49dd-923d-aeb4564eb66c|Access Control|IAM role allows All services or principals to assume it|Documentation
| -|S3 Bucket With All Permissions
6a6d7e56-c913-4549-b5c5-5221e624d2ec|Access Control|S3 Buckets must not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion|Documentation
| -|IAM Role Allows All Principals To Assume
babdedcf-d859-43da-9a7b-6d72e661a8fd|Access Control|IAM role allows all services or principals to assume it|Documentation
| |IAM Policies Attached To User
eafe4bc3-1042-4f88-b988-1939e64bf060|Access Control|IAM policies should be attached only to groups or roles|Documentation
| -|Unprotected S3 Storage
594f54e7-f744-45ab-93e4-c6dbaf6cd571|Encryption|AWS S3 Storage should be protected with SSE (Server-Side Encryption)|Documentation
| +|IAM Role Allows All Principals To Assume
babdedcf-d859-43da-9a7b-6d72e661a8fd|Access Control|IAM role allows all services or principals to assume it|Documentation
| +|S3 Bucket With All Permissions
6a6d7e56-c913-4549-b5c5-5221e624d2ec|Access Control|S3 Buckets must not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion|Documentation
| +|IAM Role Allows Public Assume
12a7a7ce-39d6-49dd-923d-aeb4564eb66c|Access Control|IAM role allows All services or principals to assume it|Documentation
| |Unprotected SQS Queue
e1e7b278-2a8b-49bd-a26e-66a7f70b17eb|Encryption| SQS Queue should be protected with CMK encryption|Documentation
| -|EC2 Instance Has Hardcoded Access Key
c2f15af3-66a0-4176-a56e-e4711e502e5c|Encryption & Key Management|Check if the user data in the EC2 instance has the access key hardcoded|Documentation
| +|Unprotected S3 Storage
594f54e7-f744-45ab-93e4-c6dbaf6cd571|Encryption|AWS S3 Storage should be protected with SSE (Server-Side Encryption)|Documentation
| +|EC2 Instance Has Hardcoded Access Key
c2f15af3-66a0-4176-a56e-e4711e502e5c|Encryption|Check if the user data in the EC2 instance has the access key hardcoded|Documentation
| |Cloudfront Without WAF
22c80725-e390-4055-8d14-a872230f6607|Insecure Configurations|CloudFront Distribution without WAF enabled|Documentation
| -|Lambda Without X-Ray Tracing
71397b34-1d50-4ee1-97cb-c96c34676f74|Observability|Lambda should have X-Ray tracing enabled|Documentation
| |S3 Bucket Without Logging
c3b9f7b0-f5a0-49ec-9cbc-f1e346b7274d|Observability|S3 bucket without debug_botocore_endpoint_logs|Documentation
| +|Lambda Without X-Ray Tracing
71397b34-1d50-4ee1-97cb-c96c34676f74|Observability|Lambda should have X-Ray tracing enabled|Documentation
| diff --git a/docs/queries/cloudformation-queries.md b/docs/queries/cloudformation-queries.md index ea53ae38f1d..10b5cf01c19 100644 --- a/docs/queries/cloudformation-queries.md +++ b/docs/queries/cloudformation-queries.md @@ -5,197 +5,197 @@ This page contains all queries from CloudFormation, classified by severity level | Query |Category|Description|Help| |-----------------------------|---|---|---| -|S3 Bucket Allows Delete Action From All Principals
acc78859-765e-4011-a229-a65ea57db252|Access Control|S3 Buckets must not allow Delete Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals.|Documentation
| +|IAM Policy Grants 'AssumeRole' Permission Across All Services
e835bd0d-65da-49f7-b6d1-b646da8727e6|Access Control|Check if any IAM Policy grants 'AssumeRole' permission across all services.|Documentation
| +|S3 Bucket Allows Get Action From All Principals
f97b7d23-568f-4bcc-9ac9-02df0d57fbba|Access Control|S3 Buckets must not allow Get Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals.|Documentation
| |IAM Access Keys Associated To Root Account
4c137350-7307-4803-8c04-17c09a7a9fcf|Access Control|Check if the root user has any access keys associated to it.|Documentation
| -|S3 Bucket ACL Allows Read to Any Authenticated User
835d5497-a526-4aea-a23f-98a9afd1635f|Access Control|S3 Buckets sould not be readable and writable to all users|Documentation
| -|ECS Service Admin Role Present
01986452-bdd8-4aaa-b5df-d6bf61d616ff|Access Control|ECS Services must not have Admin roles, which means the attribute 'role' must not be an admin role|Documentation
| -|S3 Bucket Website Host Is Disabled
90501b1b-cded-4cc1-9e8b-206b85cda317|Access Control|It's dangerous disabling a block public access settings in bucket or write a bucket policy that grants public read access|Documentation
| -|SQS Queue Policy With Wildcard Principals
9b6a3f5b-5fd6-40ee-9bc0-ed604911212d|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue|Documentation
| |Lambda Functions With Full Privileges
a0ae0a4e-712b-4115-8112-51b9eeed9d69|Access Control|AWS Lambda Functions should not have roles with policies granting full administrative privileges.|Documentation
| -|IAM Policy Full Privileges
953b3cdb-ce13-428a-aa12-318726506661|Access Control|IAM policies shouldn't allow full administrative privileges|Documentation
| -|S3 Bucket ACL Allows Read to AllUsers
219f4c95-aa50-44e0-97de-cf71f4641170|Access Control|S3 Buckets sould not be readable and writable to all users|Documentation
| |S3 Bucket Allows Put Action From All Principals
f6397a20-4cf1-4540-a997-1d363c25ef58|Access Control|S3 Buckets must not allow Put Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals.|Documentation
| -|IAM Policy Grants 'AssumeRole' Permission Across All Services
e835bd0d-65da-49f7-b6d1-b646da8727e6|Access Control|Check if any IAM Policy grants 'AssumeRole' permission across all services.|Documentation
| -|S3 Bucket ACL Allows Read Or Write to AllUsers
07dda8de-d90d-469e-9b37-1aca53526ced|Access Control|S3 Buckets sould not be readable and writable to all users|Documentation
| -|S3 Bucket Allows Get Action From All Principals
f97b7d23-568f-4bcc-9ac9-02df0d57fbba|Access Control|S3 Buckets must not allow Get Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals.|Documentation
| +|S3 Bucket Allows Put Or Restore Actions From All Principals
456b00a3-1072-4149-9740-6b8bb60251b0|Access Control|S3 Buckets must not allow Put or Restore Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put or Restore, for all Principals.|Documentation
| +|S3 Bucket ACL Allows Read to AllUsers
219f4c95-aa50-44e0-97de-cf71f4641170|Access Control|S3 Buckets sould not be readable and writable to all users|Documentation
| +|IAM Policy Full Privileges
953b3cdb-ce13-428a-aa12-318726506661|Access Control|IAM policies shouldn't allow full administrative privileges|Documentation
| |S3 Bucket Allows All Actions From All Principals
4ae8af91-5108-42cb-9471-3bdbe596eac9|Access Control|S3 Buckets must not allow All Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals.|Documentation
| +|S3 Bucket ACL Allows Read to Any Authenticated User
835d5497-a526-4aea-a23f-98a9afd1635f|Access Control|S3 Buckets sould not be readable and writable to all users|Documentation
| +|S3 Bucket ACL Allows Read Or Write to AllUsers
07dda8de-d90d-469e-9b37-1aca53526ced|Access Control|S3 Buckets sould not be readable and writable to all users|Documentation
| |S3 Bucket Allows List Action From All Principals
faa8fddf-c0aa-4b2d-84ff-e993e233ebe9|Access Control|S3 Buckets must not allow List Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals.|Documentation
| -|S3 Bucket Allows Put Or Restore Actions From All Principals
456b00a3-1072-4149-9740-6b8bb60251b0|Access Control|S3 Buckets must not allow Put or Restore Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put or Restore, for all Principals.|Documentation
| -|CloudFormation Specifying Credentials Not Safe
9ecb6b21-18bc-4aa7-bd07-db20f1c746db|Data Security|Specifying credentials in the template itself is probably not safe to do.|Documentation
| +|S3 Bucket Website Host Is Disabled
90501b1b-cded-4cc1-9e8b-206b85cda317|Access Control|It's dangerous disabling a block public access settings in bucket or write a bucket policy that grants public read access|Documentation
| +|S3 Bucket Allows Delete Action From All Principals
acc78859-765e-4011-a229-a65ea57db252|Access Control|S3 Buckets must not allow Delete Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals.|Documentation
| +|ECS Service Admin Role Present
01986452-bdd8-4aaa-b5df-d6bf61d616ff|Access Control|ECS Services must not have Admin roles, which means the attribute 'role' must not be an admin role|Documentation
| +|SQS Queue Policy With Wildcard Principals
9b6a3f5b-5fd6-40ee-9bc0-ed604911212d|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue|Documentation
| +|CMK Unencrypted Storage
ffee2785-c347-451e-89f3-11aeb08e5c84|Encryption|Ensure that storage is encrypted by KMS on instances that, based on their name, might host a database. |Documentation
| +|ECS Cluster Not Encrypted At Rest
6c131358-c54d-419b-9dd6-1f7dd41d180c|Encryption|Ensure that AWS ECS clusters are encrypted. Data encryption at rest, prevents unauthorized users from accessing sensitive data on your AWS ECS clusters and associated cache storage systems.|Documentation
| |Connection Between CloudFront Origin Not Encrypted
a5366a50-932f-4085-896b-41402714a388|Encryption|Checks if the connection between the CloudFront and the origin server is encrypted|Documentation
| -|Kinesis Stream Without SSE
7f65be75-90ab-4036-8c2a-410aef7bb650|Encryption|AWS Kinesis Stream should have SSE (Server Side Encryption) defined|Documentation
| -|ELB Using Insecure Protocols
61a94903-3cd3-4780-88ec-fc918819b9c8|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the ELB Listeners must not have Policies that posses Protocols that coincide with any of a predefined list of insecure protocols.|Documentation
| -|ElastiCache with disabled at Rest Encryption
e4ee3903-9225-4b6a-bdfb-e62dbadef821|Encryption|Ensure AWS ElastiCache Redis clusters have encryption for data at rest enabled|Documentation
| -|DynamoDB with AWS Owned CMK
c8dee387-a2e6-4a73-a942-183c975549ac|Encryption|AWS DynamoDb should be encrypted using AWS Managed CMK, instead of AWS-owned CMK. To verify this, SSEEnabled must be verified if false for AWS-owned CMK or true for AWS-Managed CMK. Default value is false.|Documentation
| -|Viewer Protocol Policy Allows HTTP Protocol
31733ee2-fef0-4e87-9778-65da22a8ecf1|Encryption|Ensure that the Viewer Protocol is only HTTPS Compliant|Documentation
| +|EFS Not Encrypted
2ff8e83c-90e1-4d68-a300-6d652112e622|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled|Documentation
| |ELB Without SSL
80908a75-586b-4c61-ab04-490f4f4525b8|Encryption|Check if the ELB is setup with SSL for secure communication|Documentation
| +|Viewer Protocol Policy Allows HTTP Protocol
31733ee2-fef0-4e87-9778-65da22a8ecf1|Encryption|Ensure that the Viewer Protocol is only HTTPS Compliant|Documentation
| +|Secure Ciphers Disabled
be96849c-3df6-49c2-bc16-778a7be2519c|Encryption|Check if secure ciphers aren't used in CloudFront|Documentation
| +|EFS Not Encrypted With KMS CMK
6d087495-2a42-4735-abf7-02ef5660a7e6|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys|Documentation
| +|ELB Using Weak Ciphers
809f77f8-d10e-4842-a84f-3be7b6ff1190|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the ELB Listeners must not have Policies that posses Ciphers that coincide with any of a predefined list of weak ciphers.|Documentation
| |Redshift Cluster Not Encrypted
3b316b05-564c-44a7-9c3f-405bb95e211e|Encryption|AWS Redshift Cluster should be encrypted|Documentation
| +|SageMaker Data Encryption Disabled
709e6da6-fa1f-44cc-8f17-7f25f96dadbe|Encryption|Amazon SageMaker's Notebook Instance must have its Data Encryption enabled, which means the attribute 'KmsKeyId' must be defined not empty or null.|Documentation
| +|Kinesis Stream Without SSE
7f65be75-90ab-4036-8c2a-410aef7bb650|Encryption|AWS Kinesis Stream should have SSE (Server Side Encryption) defined|Documentation
| +|CloudFormation Specifying Credentials Not Safe
9ecb6b21-18bc-4aa7-bd07-db20f1c746db|Encryption|Specifying credentials in the template itself is probably not safe to do.|Documentation
| |Redshift Cluster Without KMS CMK
de76a0d6-66d5-45c9-9022-f05545b85c78|Encryption|AWS Redshift Cluster should have KMS CMK defined|Documentation
| -|Secure Ciphers Disabled
be96849c-3df6-49c2-bc16-778a7be2519c|Encryption|Check if secure ciphers aren't used in CloudFront|Documentation
| -|EFS Not Encrypted
2ff8e83c-90e1-4d68-a300-6d652112e622|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled|Documentation
| -|S3 Bucket Without Server Side Encryption
b2e8752c-3497-4255-98d2-e4ae5b46bbf5|Encryption|S3 Buckets should have server-side encryption at rest enabled to protect sensitive data|Documentation
| +|ElastiCache with disabled at Rest Encryption
e4ee3903-9225-4b6a-bdfb-e62dbadef821|Encryption|Ensure AWS ElastiCache Redis clusters have encryption for data at rest enabled|Documentation
| |S3 Bucket Without SSL In Write Actions
38c64e76-c71e-4d92-a337-60174d1de1c9|Encryption|S3 Buckets should enforce encryption of data transfers using Secure Sockets Layer (SSL)|Documentation
| -|ECS Cluster Not Encrypted At Rest
6c131358-c54d-419b-9dd6-1f7dd41d180c|Encryption|Ensure that AWS ECS clusters are encrypted. Data encryption at rest, prevents unauthorized users from accessing sensitive data on your AWS ECS clusters and associated cache storage systems.|Documentation
| +|DynamoDB with AWS Owned CMK
c8dee387-a2e6-4a73-a942-183c975549ac|Encryption|AWS DynamoDb should be encrypted using AWS Managed CMK, instead of AWS-owned CMK. To verify this, SSEEnabled must be verified if false for AWS-owned CMK or true for AWS-Managed CMK. Default value is false.|Documentation
| +|ELB Using Insecure Protocols
61a94903-3cd3-4780-88ec-fc918819b9c8|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the ELB Listeners must not have Policies that posses Protocols that coincide with any of a predefined list of insecure protocols.|Documentation
| |RDS DB Instance Not Encrypted
5beacce3-4020-4a3d-9e1d-a36f953df630|Encryption|AWS RDS DB Instance should be encrypted|Documentation
| +|S3 Bucket Without Server Side Encryption
b2e8752c-3497-4255-98d2-e4ae5b46bbf5|Encryption|S3 Buckets should have server-side encryption at rest enabled to protect sensitive data|Documentation
| |ElastiCache with disabled Transit Encryption
3b02569b-fc6f-4153-b3a3-ba91022fed68|Encryption|Ensure AWS ElastiCache Redis clusters have encryption for data at transit enabled|Documentation
| -|EFS Not Encrypted With KMS CMK
6d087495-2a42-4735-abf7-02ef5660a7e6|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys|Documentation
| -|CMK Unencrypted Storage
ffee2785-c347-451e-89f3-11aeb08e5c84|Encryption|Ensure that storage is encrypted by KMS on instances that, based on their name, might host a database. |Documentation
| -|SageMaker Data Encryption Disabled
709e6da6-fa1f-44cc-8f17-7f25f96dadbe|Encryption|Amazon SageMaker's Notebook Instance must have its Data Encryption enabled, which means the attribute 'KmsKeyId' must be defined not empty or null.|Documentation
| -|ELB Using Weak Ciphers
809f77f8-d10e-4842-a84f-3be7b6ff1190|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the ELB Listeners must not have Policies that posses Ciphers that coincide with any of a predefined list of weak ciphers.|Documentation
| +|API Gateway Without Security Policy
8275fab0-68ec-4705-bbf4-86975edb170e|Insecure Configurations|API Gateway should have a Security Policy defined and use TLS 1.2.|Documentation
| |Route53 Without Record Set
24d932e1-91f0-46ea-836f-fdbd81694151|Insecure Configurations|Route53 HostedZone must have the Record Set defined.|Documentation
| +|Batch Job Definition With Privileged Container Properties
76ddf32c-85b1-4808-8935-7eef8030ab36|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties|Documentation
| +|RDS Public Interface
de38e1d5-54cb-4111-a868-6f7722695007|Insecure Configurations|RDS must not be defined with public interface, which means the attribute 'PubliclyAccessible' must be set to false.|Documentation
| |API Gateway Exposed To The Public Internet
4a8daf95-709d-4a36-9132-d3e19878fa34|Insecure Configurations|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet|Documentation
| -|API Gateway Without Security Policy
8275fab0-68ec-4705-bbf4-86975edb170e|Insecure Configurations|API Gateway should have a Security Policy defined and use TLS 1.2.|Documentation
| -|S3 Buckets Are Publicly Accessible
7772bb8c-c0f3-42d4-8e4e-f1b8939ad085|Insecure Configurations|The S3 Bucket should not have the (accessPublicBlock empty or accessPublicBlock.ignorePublicAcls = false or accessPublicBlock.restrictPublicBuckets = false ) and ( policy.Statement contain [Effect='Allow' and (Principal='*' or Principal.AWS='*')])|Documentation
| |CloudFront Without Minimum Protocol TLS 1.2
dc17ee4b-ddf2-4e23-96e8-7a36abad1303|Insecure Configurations|CloudFront Minimum Protocol version should be higher than TLS 1.2|Documentation
| -|RDS Public Interface
de38e1d5-54cb-4111-a868-6f7722695007|Insecure Configurations|RDS must not be defined with public interface, which means the attribute 'PubliclyAccessible' must be set to false.|Documentation
| -|Batch Job Definition With Privileged Container Properties
76ddf32c-85b1-4808-8935-7eef8030ab36|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties|Documentation
| +|S3 Buckets Are Publicly Accessible
7772bb8c-c0f3-42d4-8e4e-f1b8939ad085|Insecure Configurations|The S3 Bucket should not have the (accessPublicBlock empty or accessPublicBlock.ignorePublicAcls = false or accessPublicBlock.restrictPublicBuckets = false ) and ( policy.Statement contain [Effect='Allow' and (Principal='*' or Principal.AWS='*')])|Documentation
| |Vulnerable Default SSL Certificate
b4d9c12b-bfba-4aeb-9cb8-2358546d8041|Insecure Defaults|Custom SSL certificates allow only defined users to access content by using alternate domain name instead the default one|Documentation
| |WebAcl ALLOW DefaultAction
6d64f311-3da6-45f3-80f1-14db9771ea40|Insecure Defaults|WebAcl DefaultAction should not be ALLOW|Documentation
| -|EC2 Sensitive Port Is Publicly Exposed
494b03d3-bf40-4464-8524-7c56ad0700ed|Network Ports Security|The EC2 instance has a sensitive port connection exposed to the entire network|Documentation
| -|ELB Sensitive Port Is Exposed To Entire Network
78055456-f670-4d2e-94d5-392d1cf4f5e4|Network Ports Security|The load balancer of the application with a sensitive port connection is exposed to the entire internet.|Documentation
| -|Load Balancer SSH Is Too Exposed
4ad1f3ab-841f-45b6-ab5a-3cad7875c99b|Network Ports Security|The load balancer of the application with SSH connection is too exposed to the public internet.|Documentation
| -|Security Group Unrestricted Access To SSH
6e856af2-62d7-4ba2-adc1-73b62cef9cc1|Networking and Firewall|Security Groups allows all traffic for SSH (port:22)|Documentation
| -|Security Groups With Meta Ip
adcd0082-e90b-4b63-862b-21899f6e6a48|Networking and Firewall|Security Groups allows 0.0.0.0/0 for all ports and protocols.|Documentation
| -|EC2 network ACL overlapping ports
77b6f1e2-bde4-4a6a-ae7e-a40659ff1576|Networking and Firewall|NetworkACL Entries are reusing or overlapping ports which may create ineffective rules|Documentation
| -|Security Groups Allows Unrestricted Outbound Traffic
66f2d8f9-a911-4ced-ae27-34f09690bb2c|Networking and Firewall|No security group should allow unrestricted egress access|Documentation
| -|ECS Service Allows Inbound To All IPv4 And Ports
e415f8d3-fc2b-4f52-88ab-1129e8c8d3f5|Networking and Firewall|ECS Service's security group should not allow unrestricted access to all ports from all IPv4 addresses|Documentation
| -|SageMaker Notebook Not Placed In VPC
9c7028d9-04c2-45be-b8b2-1188ccaefb36|Networking and Firewall|SageMaker Notebook must be placed in a VPC|Documentation
| +|RDS Open to Large Scope
0104165b-02d5-426f-abc9-91fb48189899|Networking and Firewall|Amazon RDS must not be open to a large scope, which means the IP Address in its Security Group must not have more than 256 hosts.|Documentation
| |Security Groups With Exhibited Admin Ports
cdbb0467-2957-4a77-9992-7b55b29df7b7|Networking and Firewall|Security Groups should not have ports open in (20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389)|Documentation
| +|Security Groups Allows Unrestricted Outbound Traffic
66f2d8f9-a911-4ced-ae27-34f09690bb2c|Networking and Firewall|No security group should allow unrestricted egress access|Documentation
| +|Load Balancer SSH Is Too Exposed
4ad1f3ab-841f-45b6-ab5a-3cad7875c99b|Networking and Firewall|The load balancer of the application with SSH connection is too exposed to the public internet.|Documentation
| +|EC2 Sensitive Port Is Publicly Exposed
494b03d3-bf40-4464-8524-7c56ad0700ed|Networking and Firewall|The EC2 instance has a sensitive port connection exposed to the entire network|Documentation
| +|Security Groups With Meta Ip
adcd0082-e90b-4b63-862b-21899f6e6a48|Networking and Firewall|Security Groups allows 0.0.0.0/0 for all ports and protocols.|Documentation
| +|Default Security Groups Allow Traffic
ea33fcf7-394b-4d11-a228-985c5d08f205|Networking and Firewall|Security Groups set as default must be denied traffic.|Documentation
| +|Security Group Unrestricted Access To SSH
6e856af2-62d7-4ba2-adc1-73b62cef9cc1|Networking and Firewall|Security Groups allows all traffic for SSH (port:22)|Documentation
| |RDS Public Interface Open To Public Scope
9564406d-e761-4e61-b8d7-5926e3ab8e79|Networking and Firewall|Amazon RDS must not have a public interface open to a public scope, which means the IP Address in its Security Group must not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6).|Documentation
| -|RDS Open to Large Scope
0104165b-02d5-426f-abc9-91fb48189899|Networking and Firewall|Amazon RDS must not be open to a large scope, which means the IP Address in its Security Group must not have more than 256 hosts.|Documentation
| |Security Group Unrestricted Access To RDP
3ae83918-7ec7-4cb8-80db-b91ef0f94002|Networking and Firewall|Security Groups does not allow 0.0.0.0/0 for rdp (port:3389)|Documentation
| +|ECS Service Allows Inbound To All IPv4 And Ports
e415f8d3-fc2b-4f52-88ab-1129e8c8d3f5|Networking and Firewall|ECS Service's security group should not allow unrestricted access to all ports from all IPv4 addresses|Documentation
| +|ELB Sensitive Port Is Exposed To Entire Network
78055456-f670-4d2e-94d5-392d1cf4f5e4|Networking and Firewall|The load balancer of the application with a sensitive port connection is exposed to the entire internet.|Documentation
| |EC2 Public Instance Exposed Through Subnet
c44c95fc-ae92-4bb8-bdf8-bb9bc412004a|Networking and Firewall|EC2 instances with public IP addresses shouldn't allow for unrestricted traffic to their subnets|Documentation
| -|Default Security Groups Allow Traffic
ea33fcf7-394b-4d11-a228-985c5d08f205|Networking and Firewall|Security Groups set as default must be denied traffic.|Documentation
| +|EC2 network ACL overlapping ports
77b6f1e2-bde4-4a6a-ae7e-a40659ff1576|Networking and Firewall|NetworkACL Entries are reusing or overlapping ports which may create ineffective rules|Documentation
| +|SageMaker Notebook Not Placed In VPC
9c7028d9-04c2-45be-b8b2-1188ccaefb36|Networking and Firewall|SageMaker Notebook must be placed in a VPC|Documentation
| |CMKs Rotation Disabled
1c07bfaf-663c-4f6f-b22b-8e2d481e4df5|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'EnableKeyRotation' must be set to 'true' when the key is enabled.|Documentation
| -|S3 Bucket Disabled Cloudtrail Logging
c3ce69fd-e3df-49c6-be78-1db3f802261c|Observability|Server Access Logging must be enabled on S3 Buckets so that all changes are logged and trackable when the Service used is CloudTrail|Documentation
| |CloudTrail Not Encrypted
050a9ba8-d1cb-4c61-a5e8-8805a70d3b85|Observability|Logs delivered by CloudTrail should be encrypted using KMS|Documentation
| +|S3 Bucket Disabled Cloudtrail Logging
c3ce69fd-e3df-49c6-be78-1db3f802261c|Observability|Server Access Logging must be enabled on S3 Buckets so that all changes are logged and trackable when the Service used is CloudTrail|Documentation
| ### **Medium** | Query |Category|Description|Help| |-----------------------------|---|---|---| -|EC2 Instance Has No IAM Role
f914357d-8386-4d56-9ba6-456e5723f9a6|Access Control|Check if an EC2 instance refers to an IAM profile, which represents an IAM Role.|Documentation
| -|API Gateway Method Does Not Contains An API Key Or Empty Methods
3641d5b4-d339-4bc2-bfb9-208fe8d3477f|Access Control|Api Gateway Method should have an API key or empty methods.|Documentation
| -|Empty Roles For ECS Cluster Task Definitions
7f384a5f-b5a2-4d84-8ca3-ee0a5247becb|Access Control|Check if any ECS cluster has not defined proper roles for services' task definitions.|Documentation
| +|KMS Allows Wildcard Principal
f6049677-ec4a-43af-8779-5190b6d03cba|Access Control|KMS Should not allow Principal parameter to be set as *|Documentation
| |IoT Policy Allows Action as Wildcard
4d32780f-43a4-424a-a06d-943c543576a5|Access Control|IoT Policy should not allow Action to be set as *|Documentation
| -|IoT Policy Allows Wildcard Resource
be5b230d-4371-4a28-a441-85dc760e2aa3|Access Control|IoT Policy should not allow Resource to be set as *|Documentation
| +|SQS Queue Policy Allows NotAction
4fbfee74-8186-40d5-a24e-4baa76a855de|Access Control|AWS SQS Queue Policy should not allow NotAction since the actions specified in this element are the only actions in that are limited|Documentation
| +|API Gateway Method Does Not Contains An API Key Or Empty Methods
3641d5b4-d339-4bc2-bfb9-208fe8d3477f|Access Control|Api Gateway Method should have an API key or empty methods.|Documentation
| |EC2 Network ACL Ineffective Denied Traffic
2623d682-dccb-44cd-99d0-54d9fd62f8f2|Access Control|Ineffective deny rules. A deny rule should be applied to all IP addresses.|Documentation
| +|EC2 Instance Has No IAM Role
f914357d-8386-4d56-9ba6-456e5723f9a6|Access Control|Check if an EC2 instance refers to an IAM profile, which represents an IAM Role.|Documentation
| +|SNS Topic Publicity Has Allow and NotAction Simultaneously
818f38ed-8446-4132-9c03-474d49e10195|Access Control|SNS topic Publicity Should not have Allow and NotAction at the same time, if it has Allow it should have Action|Documentation
| |Lambda Permission Principal Is Wildcard
1d6e16f1-5d8a-4379-bfb3-2dadd38ed5a7|Access Control|Lambda Permission Principal should not be wildcard.|Documentation
| |SQS Queue Policy Allows Not Principal
4a8fc9a2-2b2f-4b3f-aa8d-401425872034|Access Control|Checks if an SQS Queue policy has an Allow and a NotPrincipal. AWS strongly recommends against using `NotPrincipal` in the same policy statement as `"Effect": "Allow"`.|Documentation
| -|SNS Topic Publicity Has Allow and NotAction Simultaneously
818f38ed-8446-4132-9c03-474d49e10195|Access Control|SNS topic Publicity Should not have Allow and NotAction at the same time, if it has Allow it should have Action|Documentation
| -|SQS Queue Policy Allows NotAction
4fbfee74-8186-40d5-a24e-4baa76a855de|Access Control|AWS SQS Queue Policy should not allow NotAction since the actions specified in this element are the only actions in that are limited|Documentation
| -|KMS Allows Wildcard Principal
f6049677-ec4a-43af-8779-5190b6d03cba|Access Control|KMS Should not allow Principal parameter to be set as *|Documentation
| |IAM Policy On User
e4239438-e639-44aa-adb8-866e400e3ade|Access Control|IAM policies should be applied to groups and not to users|Documentation
| -|CMK Is Unusable
2844c749-bd78-4cd1-90e8-b179df827602|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'Enabled' set to true and the attribute 'PendingWindowInDays' must be undefined.|Documentation
| +|IoT Policy Allows Wildcard Resource
be5b230d-4371-4a28-a441-85dc760e2aa3|Access Control|IoT Policy should not allow Resource to be set as *|Documentation
| +|Empty Roles For ECS Cluster Task Definitions
7f384a5f-b5a2-4d84-8ca3-ee0a5247becb|Access Control|Check if any ECS cluster has not defined proper roles for services' task definitions.|Documentation
| |EBS Volume Not Attached To Instances
1819ac03-542b-4026-976b-f37addd59f3b|Availability|EBS Volumes that are unattached to instances may contain sensitive data|Documentation
| +|CMK Is Unusable
2844c749-bd78-4cd1-90e8-b179df827602|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'Enabled' set to true and the attribute 'PendingWindowInDays' must be undefined.|Documentation
| |ECS Service Without Running Tasks
79d745f0-d5f3-46db-9504-bef73e9fd528|Availability|ECS Service should have at least 1 task running|Documentation
| |Auto Scaling Group With No Associated ELB
ad21e616-5026-4b9d-990d-5b007bfe679c|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'LoadBalancerNames' must be defined and not empty.|Documentation
| |RDS Backup Retention Period Insufficient
e649a218-d099-4550-86a4-1231e1fcb60d|Backup|AWS RDS backup retention policy should be at least 7 days|Documentation
| |RDS Multi-AZ Deployment Disabled
2b1d4935-9acf-48a7-8466-10d18bf51a69|Backup|AWS RDS Instance should have a multi-az deployment|Documentation
| -|User IAM Missing PasswordResetRequired
a964d6e3-8e1e-4d93-8120-61fa640dd55a|Best Practices|IAM User Login Profile should exist and have PasswordResetRequired property set to true|Documentation
| +|IAM User Has Policies
edc95c10-7366-4f30-9b4b-f995c84eceb5|Best Practices|IAM User should embed managed policies instead of inline policies|Documentation
| +|Cognito UserPool Without MFA
74a18d1a-cf02-4a31-8791-ed0967ad7fdc|Best Practices|AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users|Documentation
| +|IAM Managed Policy Applied to a User
0e5872b4-19a0-4165-8b2f-56d9e14b909f|Best Practices|Make sure that any managed IAM policies are implemented in a group and not in a user.|Documentation
| +|RDS Automatic Minor Upgrades Disabled
f0104061-8bfc-4b45-8a7d-630eb502f281|Best Practices|AWS RDS should have automatic minor upgrades enabled, which means the attribute 'AutoMinorVersionUpgrade' must be set to true.|Documentation
| +|S3 Bucket Versioning Not Enabled
a227ec01-f97a-4084-91a4-47b350c1db54|Best Practices|S3 bucket versioning should be enabled|Documentation
| |IAM Password Without Number
839f238f-2e3a-4a72-b945-8abdf91af955|Best Practices|IAM user resource Login Profile Password should have at least one number|Documentation
| |ECS No Load Balancer Attached
fb2b0ecf-1492-491a-a70d-ba1df579175d|Best Practices|Amazon ECS service should be configured to use Load Balancing to distribute traffic evenly across the tasks, which means there must exist at least one LoadBalancer.|Documentation
| +|Access Key Is Not Rotated Within 90 Days
800fa019-49dd-421b-9042-7331fdd83fa2|Best Practices|Check if there is a rule that enforces access keys to be rotated within 90 days.|Documentation
| +|User IAM Missing PasswordResetRequired
a964d6e3-8e1e-4d93-8120-61fa640dd55a|Best Practices|IAM User Login Profile should exist and have PasswordResetRequired property set to true|Documentation
| |IAM Password Without Uppercase Letter
445020f6-b69e-4484-847f-02d4b7768902|Best Practices|IAM user resource Login Profile Password should have at least one uppercase letter|Documentation
| -|RDS Automatic Minor Upgrades Disabled
f0104061-8bfc-4b45-8a7d-630eb502f281|Best Practices|AWS RDS should have automatic minor upgrades enabled, which means the attribute 'AutoMinorVersionUpgrade' must be set to true.|Documentation
| +|IAM Password Without Symbol
d72a7869-e8b9-4e12-bcd2-e8be10b39fa7|Best Practices|IAM user resource Login Profile Password should have at least one symbol|Documentation
| |IAM Password Without Minimum Length
b1b20ae3-8fa7-4af5-a74d-a2145920fcb1|Best Practices|IAM user resource Login Profile Password should have at least 14 characters|Documentation
| -|S3 Bucket Versioning Not Enabled
a227ec01-f97a-4084-91a4-47b350c1db54|Best Practices|S3 bucket versioning should be enabled|Documentation
| -|Cognito UserPool Without MFA
74a18d1a-cf02-4a31-8791-ed0967ad7fdc|Best Practices|AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users|Documentation
| -|IAM Managed Policy Applied to a User
0e5872b4-19a0-4165-8b2f-56d9e14b909f|Best Practices|Make sure that any managed IAM policies are implemented in a group and not in a user.|Documentation
| -|IAM User Has Policies
edc95c10-7366-4f30-9b4b-f995c84eceb5|Best Practices|IAM User should embed managed policies instead of inline policies|Documentation
| -|Access Key Is Not Rotated Within 90 Days
800fa019-49dd-421b-9042-7331fdd83fa2|Best Practices|Check if there is a rule that enforces access keys to be rotated within 90 days.|Documentation
| -|Alexa Skill Plaintext Client Secret Exposed
3c3b7a58-b018-4d07-9444-d9ee7156e111|Data Security|Alexa skills' client secrets should not be defined as a plaintext string. It should either use 'AWS Systems Manager Parameter Store' or 'AWS Secrets Manager' to retrieve sensitive information|Documentation
| -|RDS DBCluster Storage Encryption Disabled
65844ba3-03a1-40a8-b3dd-919f122e8c95|Data Security|RDS DBInstance should have storage encrypted set to true|Documentation
| +|IAM Password Without Lowercase Letter
f4cf35d6-da92-48de-ab70-57be2b2e6497|Best Practices|IAM user resource Login Profile Password should have lowercase letter|Documentation
| +|KMS EnableKeyRotation Disabled
235ca980-eb71-48f4-9030-df0c371029eb|Encryption|EnableKeyRotation should not be false or undefined|Documentation
| +|Volume Encryption Is Disabled
80b7ac3f-d2b7-4577-9b10-df7913497162|Encryption|EBS volumes should be encrypted|Documentation
| +|IAM Group Inline Policies
a58d1a2d-4078-4b80-855b-84cc3f7f4540|Encryption|IAM Groups should not use inline policies and instead use managed policies. If a group is deleted, the inline policy is also deleted|Documentation
| |AmazonMQ Broker Encryption Disabled
316278b3-87ac-444c-8f8f-a733a28da60f|Encryption|AmazonMQ Broker should be Encryption Options defined|Documentation
| |EMR Security Configuration Encryptions Enabled
5b033ec8-f079-4323-b5c8-99d4620433a9|Encryption|EMR SecurityConfiguration should enable and properly configure encryption at rest and in transit.|Documentation
| -|IAM Group Inline Policies
a58d1a2d-4078-4b80-855b-84cc3f7f4540|Encryption|IAM Groups should not use inline policies and instead use managed policies. If a group is deleted, the inline policy is also deleted|Documentation
| |Workspace Without Encryption
89827c57-5a8a-49eb-9731-976a606d70db|Encryption|Workspaces should have encryption enabled|Documentation
| |SageMaker EndPoint Config Should Specify KmsKeyId Attribute
44034eda-1c3f-486a-831d-e09a7dd94354|Encryption|KmsKeyId attribute should be defined|Documentation
| -|Neptune Database Cluster Encryption Disabled
bf4473f1-c8a2-4b1b-8134-bd32efabab93|Encryption|Neptune database cluster storage should have encryption enabled|Documentation
| +|RDS DBCluster Storage Encryption Disabled
65844ba3-03a1-40a8-b3dd-919f122e8c95|Encryption|RDS DBInstance should have storage encrypted set to true|Documentation
| |Elastic Search Domain Encryption At Rest Disabled
86a248ab-0e01-4564-a82a-878303e253bb|Encryption|Elastic Search Domain should have encrypt data at rest.|Documentation
| -|Volume Encryption Is Disabled
80b7ac3f-d2b7-4577-9b10-df7913497162|Encryption|EBS volumes should be encrypted|Documentation
| -|KMS EnableKeyRotation Disabled
235ca980-eb71-48f4-9030-df0c371029eb|Encryption|EnableKeyRotation should not be false or undefined|Documentation
| -|CodeBuild Without EncryptionKey
d7467bb6-3ed1-4c82-8095-5e7a818d0aad|Encryption & Key Management|CodeBuild Should have EncryptionKey defined|Documentation
| -|Lambda Function Without Tags
8df8e857-bd59-44fa-9f4c-d77594b95b46|Insecure Configurations|AWS Lambda Functions must have associated tags.|Documentation
| -|EMR Cluster Without Security Configuration
48af92a5-c89b-4936-bc62-1086fe2bab23|Insecure Configurations|EMR Cluster should have security configuration defined.|Documentation
| -|IAM User LoginProfile Password Is In Plaintext
06adef8c-c284-4de7-aad2-af43b07a8ca1|Insecure Configurations|IAM User LoginProfile Password must not be a plaintext string|Documentation
| -|IAM User Has Too Many Access Keys
48677914-6fdf-40ec-80c4-2b0e94079f54|Insecure Configurations|Check if any user has more than one access key, which increases the risk of unauthorized access and compromise of credentials.|Documentation
| -|Inline Policies Are Attached To ECS Service
9e8c89b3-7997-4d15-93e4-7911b9db99fd|Insecure Configurations|Check if any ECS service has inline policies attached, which are embedded directly into an entity (user, group,...), instead of the equivalent recommended managed policies.|Documentation
| -|EC2 Subnet Mapping Public IP On Launch
b3de4e4c-14be-4159-b99d-9ad194365e4c|Insecure Configurations|EC2 Subnet should not have MapPublicIpOnLaunch set to true|Documentation
| +|Alexa Skill Plaintext Client Secret Exposed
3c3b7a58-b018-4d07-9444-d9ee7156e111|Encryption|Alexa skills' client secrets should not be defined as a plaintext string. It should either use 'AWS Systems Manager Parameter Store' or 'AWS Secrets Manager' to retrieve sensitive information|Documentation
| +|CodeBuild Without EncryptionKey
d7467bb6-3ed1-4c82-8095-5e7a818d0aad|Encryption|CodeBuild Should have EncryptionKey defined|Documentation
| +|Neptune Database Cluster Encryption Disabled
bf4473f1-c8a2-4b1b-8134-bd32efabab93|Encryption|Neptune database cluster storage should have encryption enabled|Documentation
| +|EC2 Instance Under VPC
8a6d36cd-0bc6-42b7-92c4-67acc8576861|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations.|Documentation
| |Lambda Functions Without Unique IAM Roles
ae03f542-1423-402f-9cef-c834e7ee9583|Insecure Configurations|AWS Lambda Functions should not share IAM roles to ensure they will have the minimum privileges needed to perform the required tasks|Documentation
| -|API Gateway With Open Access
1056dfbb-5802-4762-bf2b-8b9b9684b1b0|Insecure Configurations|API Gateway Method should restrict an authorization type, except for the HTTP OPTIONS method.|Documentation
| |Redshift Cluster Publicly Accessible
bdf8dcb4-75df-4370-92c4-606e4ae6c4d3|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible, which means the attribute 'PubliclyAccessible' must be set to false|Documentation
| +|API Gateway With Open Access
1056dfbb-5802-4762-bf2b-8b9b9684b1b0|Insecure Configurations|API Gateway Method should restrict an authorization type, except for the HTTP OPTIONS method.|Documentation
| +|Inline Policies Are Attached To ECS Service
9e8c89b3-7997-4d15-93e4-7911b9db99fd|Insecure Configurations|Check if any ECS service has inline policies attached, which are embedded directly into an entity (user, group,...), instead of the equivalent recommended managed policies.|Documentation
| +|EC2 Subnet Mapping Public IP On Launch
b3de4e4c-14be-4159-b99d-9ad194365e4c|Insecure Configurations|EC2 Subnet should not have MapPublicIpOnLaunch set to true|Documentation
| +|IAM User LoginProfile Password Is In Plaintext
06adef8c-c284-4de7-aad2-af43b07a8ca1|Insecure Configurations|IAM User LoginProfile Password must not be a plaintext string|Documentation
| +|EMR Cluster Without Security Configuration
48af92a5-c89b-4936-bc62-1086fe2bab23|Insecure Configurations|EMR Cluster should have security configuration defined.|Documentation
| +|IAM User Has Too Many Access Keys
48677914-6fdf-40ec-80c4-2b0e94079f54|Insecure Configurations|Check if any user has more than one access key, which increases the risk of unauthorized access and compromise of credentials.|Documentation
| +|Lambda Function Without Tags
8df8e857-bd59-44fa-9f4c-d77594b95b46|Insecure Configurations|AWS Lambda Functions must have associated tags.|Documentation
| |SageMaker Enabling Internet Access
88d55d94-315d-4564-beee-d2d725feab11|Insecure Configurations|SageMaker must have disabled internet access and root access for Creating Notebook Instances.|Documentation
| -|EC2 Instance Under VPC
8a6d36cd-0bc6-42b7-92c4-67acc8576861|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations.|Documentation
| |Lambda Functions Tracing Disabled
9488c451-074e-4cd3-aee3-7db6104f542c|Insecure Configurations|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracingConfig.mode' should have the value 'Active'|Documentation
| -|S3 Bucket Should Have Bucket Policy
37fa8188-738b-42c8-bf82-6334ea567738|Insecure Defaults|Checks if S3 Bucket has the same name as a Bucket Policy, if it has, S3 Bucket has a Bucket Policy associated|Documentation
| |RouterTable with Default Routing
4f0908b9-eb66-433f-9145-134274e1e944|Insecure Defaults|NAT gateways are recommended, and not the default route which permits all traffic, in Route Tables.|Documentation
| -|Security Group Egress With Port Range
dae9c373-8287-462f-8746-6f93dad93610|Networking and Firewall|AWS Security Group Egress should have a single port|Documentation
| -|ALB Is Not Integrated With WAF
105ba098-1e34-48cd-b0f2-a8a43a51bf9b|Networking and Firewall|All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service|Documentation
| -|Security Group Ingress With Port Range
87482183-a8e7-4e42-a566-7a23ec231c16|Networking and Firewall|AWS Security Group Ingress should have a single port|Documentation
| -|Security Group Egress CIDR Open To World
1cc2fbd7-816c-4fbf-ad6d-38a4afa4312a|Networking and Firewall|AWS Security Group Egress CIDR should not be open to the world|Documentation
| -|Security Group Ingress With All Protocols
1a427b25-2e9e-4298-9530-0499a55e736b|Networking and Firewall|AWS Security Group Ingress should not specify all protocols to prevent allow traffic on all ports|Documentation
| -|Security Group Egress With All Protocols
ee464fc2-54a6-4e22-b10a-c6dcd2474d0c|Networking and Firewall|AWS Security Group Egress should not specify all protocols to prevent allow traffic on all ports|Documentation
| -|ALB Listeners Accept HTTP
275a3217-ca37-40c1-a6cf-bb57d245ab32|Networking and Firewall|All Application Load Balancers (ALB) should block connection requests over HTTP|Documentation
| -|ELB With Security Group Without Inbound Rules
e200a6f3-c589-49ec-9143-7421d4a2c845|Networking and Firewall|An AWS Elastic Load Balancer (ELB) shouldn´t have security groups without outbound rules|Documentation
| +|S3 Bucket Should Have Bucket Policy
37fa8188-738b-42c8-bf82-6334ea567738|Insecure Defaults|Checks if S3 Bucket has the same name as a Bucket Policy, if it has, S3 Bucket has a Bucket Policy associated|Documentation
| +|Security Groups Without VPC
493d9591-6249-47bf-8dc0-5c10161cc558|Networking and Firewall|Security Groups must have a VPC.|Documentation
| |Security Group Ingress CIDR Open To World
4a1e6b34-1008-4e61-a5f2-1f7c276f8d14|Networking and Firewall|AWS Security Group Ingress CIDR should not be open to the world|Documentation
| -|TCP/UDP Protocol Network ACL Entry Allows All Ports
f57f849c-883b-4cb7-85e7-f7b199dff163|Networking and Firewall|TCP/UDP protocol AWS Network ACL Entry should not allow all ports|Documentation
| |GameLift Fleet EC2InboundPermissions With Port Range
43356255-495d-4148-ad8d-f6af5eac09dd|Networking and Firewall|AWS GameLift Fleet EC2InboundPermissions should have a single port|Documentation
| |EC2 Permissive Network ACL Protocols
03879981-efa2-47a0-a818-c843e1441b88|Networking and Firewall|To avoid opening all ports for Allow rules, EC2 NetworkACL Entry Protocol should be either 6 (for TCP), 17 (for UDP), 1 (for ICMP), or 58 (for ICMPv6, which must include an IPv6 CIDR block, ICMP type, and code).|Documentation
| -|ELB With Security Group Without Outbound Rules
01d5a458-a6c4-452a-ac50-054d59275b7c|Networking and Firewall|An AWS Elastic Load Balancer (ELB) shouldn´t have security groups without outbound rules|Documentation
| +|Security Group Egress With Port Range
dae9c373-8287-462f-8746-6f93dad93610|Networking and Firewall|AWS Security Group Egress should have a single port|Documentation
| +|Security Group Ingress With All Protocols
1a427b25-2e9e-4298-9530-0499a55e736b|Networking and Firewall|AWS Security Group Ingress should not specify all protocols to prevent allow traffic on all ports|Documentation
| +|ALB Is Not Integrated With WAF
105ba098-1e34-48cd-b0f2-a8a43a51bf9b|Networking and Firewall|All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service|Documentation
| +|TCP/UDP Protocol Network ACL Entry Allows All Ports
f57f849c-883b-4cb7-85e7-f7b199dff163|Networking and Firewall|TCP/UDP protocol AWS Network ACL Entry should not allow all ports|Documentation
| +|ELB With Security Group Without Inbound Rules
e200a6f3-c589-49ec-9143-7421d4a2c845|Networking and Firewall|An AWS Elastic Load Balancer (ELB) shouldn´t have security groups without outbound rules|Documentation
| +|ALB Listeners Accept HTTP
275a3217-ca37-40c1-a6cf-bb57d245ab32|Networking and Firewall|All Application Load Balancers (ALB) should block connection requests over HTTP|Documentation
| |CloudFront Distribution Without WAF
0f139403-303f-467c-96bd-e717e6cfd62d|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service|Documentation
| -|Security Groups Without VPC
493d9591-6249-47bf-8dc0-5c10161cc558|Networking and Firewall|Security Groups must have a VPC.|Documentation
| +|Security Group Egress With All Protocols
ee464fc2-54a6-4e22-b10a-c6dcd2474d0c|Networking and Firewall|AWS Security Group Egress should not specify all protocols to prevent allow traffic on all ports|Documentation
| +|ELB With Security Group Without Outbound Rules
01d5a458-a6c4-452a-ac50-054d59275b7c|Networking and Firewall|An AWS Elastic Load Balancer (ELB) shouldn´t have security groups without outbound rules|Documentation
| +|Security Group Egress CIDR Open To World
1cc2fbd7-816c-4fbf-ad6d-38a4afa4312a|Networking and Firewall|AWS Security Group Egress CIDR should not be open to the world|Documentation
| +|Security Group Ingress With Port Range
87482183-a8e7-4e42-a566-7a23ec231c16|Networking and Firewall|AWS Security Group Ingress should have a single port|Documentation
| +|API Gateway V2 Stage Access Logging Settings Not Defined
80d45af4-4920-4236-a56e-b7ef419d1941|Observability|API Gateway V2 Stage should have Access Logging Settings defined.|Documentation
| |CloudFront Distribution Access Log Disabled
de77cd9f-0e8b-46cc-b4a4-b6b436838642|Observability|Make sure AWS CloudFront distribution has access log enabled|Documentation
| -|ELBv2 ALB Access Log Disabled
c62e8b7d-1fdf-4050-ac4c-76ba9e1d9621|Observability|ELBv2 ALBs should have access log enabled to capture detailed information about requests sent to your load balancer.|Documentation
| |CloudTrail Not Integrated With Cloud Watch
65d07da5-9af5-44df-8983-52d2e6f24c44|Observability|CloudTrail should be integrated with CloudWatch|Documentation
| +|ELB Access Log Disabled
ee12ad32-2863-4c0f-b13f-28272d115028|Observability|ELB should have have access log enabled|Documentation
| |CloudTrail Multi Region Disabled
058ac855-989f-4378-ba4d-52d004020da7|Observability|AWS CloudTrail should have IsMultiRegionTrail set to true|Documentation
| |API Gateway Deployment Without Access Log Setting
06ec63e3-9f72-4fe2-a218-2eb9200b8db5|Observability|API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage.|Documentation
| |S3 Bucket Logging Disabled
4552b71f-0a2a-4bc4-92dd-ed7ec1b4674c|Observability|Server Access Logging must be enabled on S3 Buckets so that all changes are logged and trackable|Documentation
| -|API Gateway V2 Stage Access Logging Settings Not Defined
80d45af4-4920-4236-a56e-b7ef419d1941|Observability|API Gateway V2 Stage should have Access Logging Settings defined.|Documentation
| -|ELB Access Log Disabled
ee12ad32-2863-4c0f-b13f-28272d115028|Observability|ELB should have have access log enabled|Documentation
| +|ELBv2 ALB Access Log Disabled
c62e8b7d-1fdf-4050-ac4c-76ba9e1d9621|Observability|ELBv2 ALBs should have access log enabled to capture detailed information about requests sent to your load balancer.|Documentation
| |DocDB cluster master password in plaintext
39423ce4-9011-46cd-b6b1-009edcd9385d|Secret Management|DocDB DB Cluster master user password must not be in a plain text string or referenced in a parameter as a default value.|Documentation
| -|SQS Queue Without KMS Master Key Id
12726829-93ed-4d51-9cbe-13423f4299e1|Secret Management|AWS SQS Queue should have a KMS Master Key defined|Documentation
| -|Amplify Branch Basic Auth Config Password Exposed
dfb56e5d-ee68-446e-b32a-657b62befe69|Secret Management|Amplify Branch BasicAuthConfig Password must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| -|EBS Volume Without KmsKeyId
b7063015-6c31-4658-a8e7-14f98f37fd42|Secret Management|EBS Volume should specify a KmsKeyId value|Documentation
| |Amplify App Basic Auth Config Password Exposed
71493c8b-3014-404c-9802-078b74496fb7|Secret Management|Amplify App BasicAuthConfig Password must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| |Amplify App OAuth Token Exposed
03b38885-8f4e-480c-a0e4-12c1affd15db|Secret Management|Amplify App OAuth Token must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| +|SQS Queue Without KMS Master Key Id
12726829-93ed-4d51-9cbe-13423f4299e1|Secret Management|AWS SQS Queue should have a KMS Master Key defined|Documentation
| |Directory Service Simple AD Password Exposed
6685d912-d81f-4cfa-95ad-e316ea31c989|Secret Management|DirectoryService SimpleAD password must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| -|Directory Service Microsoft AD Password Set to Plaintext or Default Ref
06b9f52a-8cd5-459b-bdc6-21a22521e1be|Secret Management|Directory Service Microsoft AD password must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| +|EBS Volume Without KmsKeyId
b7063015-6c31-4658-a8e7-14f98f37fd42|Secret Management|EBS Volume should specify a KmsKeyId value|Documentation
| +|Secrets Manager Should Specify KmsKeyId
c8ae9ba9-c2f7-4e5c-b32e-a4b7712d4d22|Secret Management|Secrets Manager Secret should explicitly specify KmsKeyId, this will allow the secret to be shared cross-account|Documentation
| +|DMS Endpoint MongoDB Settings Password Exposed
f988a17f-1139-46a3-8928-f27eafd8b024|Secret Management|DMS Endpoint MongoDbSettings Password must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| +|Amplify App Access Token Exposed
73980e43-f399-4fcc-a373-658228f7adf7|Secret Management|Amplify App Access Token must not be in a plain text string or referenced in a parameter as a default value.|Documentation
| +|Amplify Branch Basic Auth Config Password Exposed
dfb56e5d-ee68-446e-b32a-657b62befe69|Secret Management|Amplify Branch BasicAuthConfig Password must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| |SNS Topic Without KmsMasterKeyId
9d13b150-a2ab-42a1-b6f4-142e41f81e52|Secret Management|KmsMasterKeyId attribute should not be undefined|Documentation
| -|DMS Endpoint Password Exposed
5f700072-b7ce-4e84-b3f3-497bf1c24a4d|Secret Management|DMS Endpoint password must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| +|Directory Service Microsoft AD Password Set to Plaintext or Default Ref
06b9f52a-8cd5-459b-bdc6-21a22521e1be|Secret Management|Directory Service Microsoft AD password must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| |RefreshToken Is Exposed
5b48c507-0d1f-41b0-a630-76817c6b4189|Secret Management|Alexa ASK Skill AuthenticationConfiguration RefreshToken should not be a plaintext string|Documentation
| -|Amplify App Access Token Exposed
73980e43-f399-4fcc-a373-658228f7adf7|Secret Management|Amplify App Access Token must not be in a plain text string or referenced in a parameter as a default value.|Documentation
| -|DMS Endpoint MongoDB Settings Password Exposed
f988a17f-1139-46a3-8928-f27eafd8b024|Secret Management|DMS Endpoint MongoDbSettings Password must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| -|Secrets Manager Should Specify KmsKeyId
c8ae9ba9-c2f7-4e5c-b32e-a4b7712d4d22|Secret Management|Secrets Manager Secret should explicitly specify KmsKeyId, this will allow the secret to be shared cross-account|Documentation
| -|IAM Password Without Symbol
d72a7869-e8b9-4e12-bcd2-e8be10b39fa7|Security, Identity, & Compliance|IAM user resource Login Profile Password should have at least one symbol|Documentation
| -|IAM Password Without Lowercase Letter
f4cf35d6-da92-48de-ab70-57be2b2e6497|Security, Identity, & Compliance|IAM user resource Login Profile Password should have lowercase letter|Documentation
| +|DMS Endpoint Password Exposed
5f700072-b7ce-4e84-b3f3-497bf1c24a4d|Secret Management|DMS Endpoint password must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| ### **Low** | Query |Category|Description|Help| |-----------------------------|---|---|---| -|IAM User With No Group
06933df4-0ea7-461c-b9b5-104d27390e0e|Access Control|A IAM user should belong to a group|Documentation
| -|IAM Policy Grants Full Permissions
f62aa827-4ade-4dc4-89e4-1433d384a368|Access Control|Check if an IAM policy is granting full permissions to resources from the get-go, instead of granting permissions gradually as necessary.|Documentation
| |Support Has No Role Associated
d71b5fd7-9020-4b2d-9ec8-b3839faa2744|Access Control|Check if any AWS Support policy does not have any role and users and group associated, which means that is not being managed.|Documentation
| +|IAM Policy Grants Full Permissions
f62aa827-4ade-4dc4-89e4-1433d384a368|Access Control|Check if an IAM policy is granting full permissions to resources from the get-go, instead of granting permissions gradually as necessary.|Documentation
| +|IAM User With No Group
06933df4-0ea7-461c-b9b5-104d27390e0e|Access Control|A IAM user should belong to a group|Documentation
| |VPC Attached With Too Many Gateways
97e94d17-e2c7-4109-a53b-6536ac1bb64e|Availability|The number of gateways approaches or goes beyond the limit in a particular VPC|Documentation
| -|RDS DBInstance With Deletion Protection Disabled
2c161e58-cb52-454f-abea-6470c37b5e6e|Backup|RDS DBInstance should have deletion protection set to true|Documentation
| |AWS RDS Configuration Automatic Backup Disabled
8c415f6f-7b90-4a27-a44a-51047e1506f9|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup|Documentation
| -|Security Group Rule Without Description
5e6c9c68-8a82-408e-8749-ddad78cbb9c5|Best Practice|AWS Security Group Rule should have description defined|Documentation
| -|Geo Restriction Disabled
7f8843f0-9ea5-42b4-a02b-753055113195|Best Practices|Geo Restriction feature should be enabled, to restrict or allow users in specific locations accessing web application content|Documentation
| +|RDS DBInstance With Deletion Protection Disabled
2c161e58-cb52-454f-abea-6470c37b5e6e|Backup|RDS DBInstance should have deletion protection set to true|Documentation
| +|Lambda Permission Badly Configured
9b83114b-b2a1-4534-990d-06da015e47aa|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda: InvokeFunction'|Documentation
| |CDN Configuration Is Missing
e4f54ff4-d352-40e8-a096-5141073c37a2|Best Practices|Content Delivery Network (CDN) service is used within AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination.|Documentation
| -|IAM Policies Without Groups
5e7acff5-095b-40ac-9073-ac2e4ad8a512|Best Practices|IAM policy should not apply directly to users, should be with a group|Documentation
| +|Geo Restriction Disabled
7f8843f0-9ea5-42b4-a02b-753055113195|Best Practices|Geo Restriction feature should be enabled, to restrict or allow users in specific locations accessing web application content|Documentation
| |Security Group Ingress Has CIDR Not Recommended
a3e4e39a-e5fc-4ee9-8cf5-700febfa86dd|Best Practices|AWS Security Group Ingress CIDR should not be /32 in case of IPV4 or /128 in case of IPV6|Documentation
| -|Lambda Permission Badly Configured
9b83114b-b2a1-4534-990d-06da015e47aa|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda: InvokeFunction'|Documentation
| +|IAM Policies Without Groups
5e7acff5-095b-40ac-9073-ac2e4ad8a512|Best Practices|IAM policy should not apply directly to users, should be with a group|Documentation
| +|Security Group Rule Without Description
5e6c9c68-8a82-408e-8749-ddad78cbb9c5|Best Practices|AWS Security Group Rule should have description defined|Documentation
| |EFS Without Tags
08e39832-5e42-4304-98a0-aa5b43393162|Build Process|Amazon Elastic Filesystem should have filesystem tags associated|Documentation
| |DynamoDB With Table Billing Mode Not Recommended
c333e906-8d8b-4275-b999-78b6318f8dc6|Build Process|Checks if DynamoDB Table Billing Mode is set to either PAY_PER_REQUEST or PROVISIONED|Documentation
| |Wildcard In ACM Certificate Domain Name
cc8b294f-006f-4f8f-b5bb-0a9140c33131|Insecure Configurations|ACM Certificate should not use wildcards (*) in the domain name|Documentation
| |EC2 Network ACL Duplicate Rule
045ddb54-cfc5-4abb-9e05-e427b2bc96fe|Networking and Firewall|A Network ACL's rule numbers cannot be repeated unless one is egress and the other is ingress|Documentation
| -|VPC Has FlowLog Disabled
f6d299d2-21eb-41cc-b1e1-fe12d857500b|Observability|VPC hasn't any FlowLog associated|Documentation
| +|ECS Task Definition HealthCheck Missing
d24389b4-b209-4ff0-8345-dc7a4569dcdd|Observability|Amazon ECS must have the HealthCheck property defined to give more control over monitoring the health of tasks|Documentation
| |SNS Topic Without Subscriber
ae53ce91-42b5-46bf-a84f-9a13366a4f13|Observability|Ensure appropriate subscribers to each SNS topic|Documentation
| -|API Gateway Deployment Without API Gateway UsagePlan Associated
783860a3-6dca-4c8b-81d0-7b62769ccbca|Observability|API Gateway Deployment should have API Gateway UsagePlan defined and associated.|Documentation
| |CloudTrail Log File Validation Disabled
2a3560fe-52ca-4443-b34f-bf0ed5eb74c8|Observability|CloudTrail log file validation should be enabled|Documentation
| -|ECS Task Definition HealthCheck Missing
d24389b4-b209-4ff0-8345-dc7a4569dcdd|Observability|Amazon ECS must have the HealthCheck property defined to give more control over monitoring the health of tasks|Documentation
| +|API Gateway Deployment Without API Gateway UsagePlan Associated
783860a3-6dca-4c8b-81d0-7b62769ccbca|Observability|API Gateway Deployment should have API Gateway UsagePlan defined and associated.|Documentation
| +|VPC Has FlowLog Disabled
f6d299d2-21eb-41cc-b1e1-fe12d857500b|Observability|VPC hasn't any FlowLog associated|Documentation
| |VPC Without Attached Subnet
3b3b4411-ad1f-40e7-b257-a78a6bb9673a|Resource Management|VPCs without attached subnets may indicate that they are not being used|Documentation
| |SDB Domain Declared As A Resource
6ea57c8b-f9c0-4ec7-bae3-bd75a9dee27d|Resource Management|SimpleDB Domain resource should not be declared|Documentation
| |API Gateway Stage Without API Gateway UsagePlan Associated
7f8f1b60-43df-4c28-aa21-fb836dbd8071|Resource Management|API Gateway Stage should have API Gateway UsagePlan defined and associated.|Documentation
| diff --git a/docs/queries/dockerfile-queries.md b/docs/queries/dockerfile-queries.md index 386b3fd09b5..11a3cdea36a 100644 --- a/docs/queries/dockerfile-queries.md +++ b/docs/queries/dockerfile-queries.md @@ -6,17 +6,17 @@ This page contains all queries from Dockerfile, classified by severity level. | Query |Category|Description|Help| |-----------------------------|---|---|---| |UNIX Ports Out Of Range
71bf8cf8-f0a1-42fa-b9d2-d10525e0a38e|Availability|Exposing UNIX ports out of range from 0 to 65535|Documentation
| -|Copy With More Than Two Arguments Not Ending With Slash
6db6e0c2-32a3-4a2e-93b5-72c35f4119db|Build Process|When a COPY command has more than two arguments, the last one should end with a slash|Documentation
| |COPY '--from' References Current FROM Alias
cdddb86f-95f6-4fc4-b5a1-483d9afceb2b|Build Process|COPY '--from' should not mention the current FROM alias, since it is impossible to copy from itself|Documentation
| -|Missing User Instruction
fd54f200-402c-4333-a5a4-36ef6709af2f|Build Process|A user should be specified in the dockerfile, otherwise the image will run as root|Documentation
| |WORKDIR Path Not Absolute
6b376af8-cfe8-49ab-a08d-f32de23661a4|Build Process|For clarity and reliability, you should always use absolute paths for your WORKDIR|Documentation
| |Same Alias In Different Froms
f2daed12-c802-49cd-afed-fe41d0b82fed|Build Process|Different FROMS cant have the same alias defined|Documentation
| |Multiple ENTRYPOINT Instructions Listed
6938958b-3f1a-451c-909b-baeee14bdc97|Build Process|There can only be one ENTRYPOINT instruction in a Dockerfile. Only the last ENTRYPOINT instruction in the Dockerfile will have an effect|Documentation
| +|Copy With More Than Two Arguments Not Ending With Slash
6db6e0c2-32a3-4a2e-93b5-72c35f4119db|Build Process|When a COPY command has more than two arguments, the last one should end with a slash|Documentation
| +|Missing User Instruction
fd54f200-402c-4333-a5a4-36ef6709af2f|Build Process|A user should be specified in the dockerfile, otherwise the image will run as root|Documentation
| |Run Using Sudo
8ada6e80-0ade-439e-b176-0b28f6bce35a|Insecure Configurations|Avoid RUN with sudo command as it leads to unpredictable behavior|Documentation
| -|Run Using Upgrade Commands
682fe378-c180-4bd5-8a14-95fc285fb269|Supply-Chain|Commands 'apt-get upgrade' and 'apt-get dist-upgrade' should not be used|Documentation
| |Run Using dnf Update
09fda05e-da85-4ee7-ab8d-2800a5e6e756|Supply-Chain|Command 'dnf update' should not be used, as it can cause inconsistencies between builds and fails in updated packages|Documentation
| -|Use of Apk Upgrade
989ab888-7d1e-410f-9dde-c64a1d367bf2|Supply-Chain|Avoid usage of apk upgrade because some packages from the parent image cannot be upgraded inside an unprivileged container|Documentation
| |Yum Update Enabled
8f6456be-0018-46db-9ce6-b3b6dc8d34d2|Supply-Chain|Yum update is being used|Documentation
| +|Use of Apk Upgrade
989ab888-7d1e-410f-9dde-c64a1d367bf2|Supply-Chain|Avoid usage of apk upgrade because some packages from the parent image cannot be upgraded inside an unprivileged container|Documentation
| +|Run Using Upgrade Commands
682fe378-c180-4bd5-8a14-95fc285fb269|Supply-Chain|Commands 'apt-get upgrade' and 'apt-get dist-upgrade' should not be used|Documentation
| ### **Medium** @@ -24,36 +24,36 @@ This page contains all queries from Dockerfile, classified by severity level. | Query |Category|Description|Help| |-----------------------------|---|---|---| |Last User Is 'root'
67fd0c4a-68cf-46d7-8c41-bc9fba7e40ae|Best Practices|Leaving the last user as root can cause security risks. Change to another user after running the commands the need privileges|Documentation
| -|RUN Instruction Using 'cd' Instead of WORKDIR
f4a6bcd3-e231-4acf-993c-aa027be50d2e|Build Process|Use WORKDIR instead of proliferating instructions like RUN cd … && do-something, which are hard to read, troubleshoot, and maintain.|Documentation
| |COPY '--from' Without FROM Alias Defined Previously
68a51e22-ae5a-4d48-8e87-b01a323605c9|Build Process|COPY command with the flag '--from' should mention a previously defined FROM alias|Documentation
| -|Multiple CMD Instructions Listed
41c195f4-fc31-4a5c-8a1b-90605538d49f|Build Process|There can only be one CMD instruction in a Dockerfile. If you list more than one CMD then only the last CMD will take effect|Documentation
| -|Update Instruction Alone
9bae49be-0aa3-4de5-bab2-4c3a069e40cd|Build Process|Instruction 'RUN update' should always be followed by ' install' in the same RUN statement|Documentation
| |Not Using JSON In CMD And ENTRYPOINT Arguments
b86987e1-6397-4619-81d5-8807f2387c79|Build Process|Ensure that we are using JSON in the CMD and ENTRYPOINT Arguments|Documentation
| -|Changing Default Shell Using SHELL Command
8a301064-c291-4b20-adcb-403fe7fd95fd|Insecure Defaults|Using the command SHELL to override the default shell instead of the RUN command|Documentation
| +|RUN Instruction Using 'cd' Instead of WORKDIR
f4a6bcd3-e231-4acf-993c-aa027be50d2e|Build Process|Use WORKDIR instead of proliferating instructions like RUN cd … && do-something, which are hard to read, troubleshoot, and maintain.|Documentation
| +|Update Instruction Alone
9bae49be-0aa3-4de5-bab2-4c3a069e40cd|Build Process|Instruction 'RUN update' should always be followed by ' install' in the same RUN statement|Documentation
| +|Multiple CMD Instructions Listed
41c195f4-fc31-4a5c-8a1b-90605538d49f|Build Process|There can only be one CMD instruction in a Dockerfile. If you list more than one CMD then only the last CMD will take effect|Documentation
| |Shell Running A Pipe Without Pipefail Flag
efbf148a-67e9-42d2-ac47-02fa1c0d0b22|Insecure Defaults|Check if shell commands with pipes (except Powershell) have the pipefail flag set (-o).|Documentation
| +|Changing Default Shell Using SHELL Command
8a301064-c291-4b20-adcb-403fe7fd95fd|Insecure Defaults|Using the command SHELL to override the default shell instead of the RUN command|Documentation
| |Secrets Stored In Dockerfile
c3e1b6ae-d92c-44b3-8ed5-1f5442bab6a4|Secret Management|Scan Dockerfile to ensure that there are no secrets stored|Documentation
| -|Apt Get Install Pin Version Not Defined
965a08d7-ef86-4f14-8792-4a3b2098937e|Supply-Chain|When installing a package, its pin version should be defined|Documentation
| -|APT-GET Missing '-y' To Avoid Manual Input
77783205-c4ca-4f80-bb80-c777f267c547|Supply-Chain|Check if apt-get calls use the flag -y to avoid user manual input.|Documentation
| +|Unpinned Package Version in Pip Install
02d9c71f-3ee8-4986-9c27-1a20d0d19bfc|Supply-Chain|Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes|Documentation
| +|Yum Install Allows Manual Input
6e19193a-8753-436d-8a09-76dcff91bb03|Supply-Chain|Need to use -y to avoid manual input 'yum install -y '|Documentation
| |Yum Clean All Missing
00481784-25aa-4a55-8633-3136dfcf4f37|Supply-Chain|Need to use 'yum clean all' after using a 'yum install' command to clean package cached data and reduce image size|Documentation
| -|Gem Install Without Version
22cd11f7-9c6c-4f6e-84c0-02058120b341|Supply-Chain|Instead of 'gem install ' we should use 'gem install :'|Documentation
| -|Missing Version Specification In dnf install
93d88cf7-f078-46a8-8ddc-178e03aeacf1|Supply-Chain|Specifying a package version allows to reduce failures due to unanticipated changes in required packages.|Documentation
| -|NPM Install Command Without Pinned Version
e36d8880-3f78-4546-b9a1-12f0745ca0d5|Supply-Chain|Check if packages installed by npm are pinning a specific version.|Documentation
| -|Run Using 'wget' and 'curl'
fc775e75-fcfb-4c98-b2f2-910c5858b359|Supply-Chain|Shouldn't use both 'wget' and 'curl' since they are two tools that have the same effect|Documentation
| |Yum install Without Version
6452c424-1d92-4deb-bb18-a03e95d579c4|Supply-Chain|Not specifying the package version can cause failures due to unanticipated changes in required packages|Documentation
| |Missing Flag From Dnf Install
7ebd323c-31b7-4e5b-b26f-de5e9e477af8|Supply-Chain|The '-y' or '--assumeyes' flag should be added when invoking dnf install. If omitted, it can cause the command to fail during the build process, because dnf would expect manual input.|Documentation
| +|Unpinned Package Version in Apk Add
d3499f6d-1651-41bb-a9a7-de925fea487b|Supply-Chain|Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes|Documentation
| |Missing Dnf Clean All
295acb63-9246-4b21-b441-7c1f1fb62dc0|Supply-Chain|Cached package data should be cleaned after installation to reduce image size|Documentation
| -|Pip install Keeping Cached Packages
f2f903fb-b977-461e-98d7-b3e2185c6118|Supply-Chain|When installing packages with pip, the '--no-cache-dir' flag should be set to make Docker images smaller|Documentation
| -|Yum Install Allows Manual Input
6e19193a-8753-436d-8a09-76dcff91bb03|Supply-Chain|Need to use -y to avoid manual input 'yum install -y '|Documentation
| -|Missing Zypper Clean
38300d1a-feb2-4a48-936a-d1ef1cd24313|Supply-Chain|Reduce layer and image size by deleting unneeded caches after running zypper|Documentation
| -|Zypper Install Without Version
562952e4-0348-4dea-9826-44f3a2c6117b|Supply-Chain|Not specifying the package version can cause failures due to unanticipated changes in required packages|Documentation
| -|Image Version Not Explicit
9efb0b2d-89c9-41a3-91ca-dcc0aec911fd|Supply-Chain|Always tag the version of an image explicitly|Documentation
| -|Using Platform Flag with FROM Command
b16e8501-ef3c-44e1-a543-a093238099c9|Supply-Chain|Don't use '--platform' flag with FROM|Documentation
| -|Unpinned Package Version in Pip Install
02d9c71f-3ee8-4986-9c27-1a20d0d19bfc|Supply-Chain|Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes|Documentation
| |Run Using apt
b84a0b47-2e99-4c9f-8933-98bcabe2b94d|Supply-Chain|apt is discouraged by the linux distributions as an unattended tool as its interface may suffer changes between versions. Better use the more stable apt-get and apt-cache|Documentation
| -|Unpinned Package Version in Apk Add
d3499f6d-1651-41bb-a9a7-de925fea487b|Supply-Chain|Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes|Documentation
| +|Image Version Not Explicit
9efb0b2d-89c9-41a3-91ca-dcc0aec911fd|Supply-Chain|Always tag the version of an image explicitly|Documentation
| +|APT-GET Missing '-y' To Avoid Manual Input
77783205-c4ca-4f80-bb80-c777f267c547|Supply-Chain|Check if apt-get calls use the flag -y to avoid user manual input.|Documentation
| +|Run Using 'wget' and 'curl'
fc775e75-fcfb-4c98-b2f2-910c5858b359|Supply-Chain|Shouldn't use both 'wget' and 'curl' since they are two tools that have the same effect|Documentation
| +|Zypper Install Without Version
562952e4-0348-4dea-9826-44f3a2c6117b|Supply-Chain|Not specifying the package version can cause failures due to unanticipated changes in required packages|Documentation
| |Run Using Zypper Update
d4895357-dd49-4ba5-b726-1bb81cb50989|Supply-Chain|'zypper update' should not be used. Can cause inconsistencies between builds, producing problems for application developers|Documentation
| -|Missing Zypper Non-interactive Switch
45e1fca5-f90e-465d-825f-c2cb63fa3944|Supply-Chain|Omitting the non-interactive switch causes the command to fail during the build process, because zypper would expect manual input|Documentation
| +|Pip install Keeping Cached Packages
f2f903fb-b977-461e-98d7-b3e2185c6118|Supply-Chain|When installing packages with pip, the '--no-cache-dir' flag should be set to make Docker images smaller|Documentation
| |Image Version Using 'latest'
f45ea400-6bbe-4501-9fc7-1c3d75c32067|Supply-Chain|When building images, always tag them with useful tags which codify version information, intended destination (prod or test, for instance), stability, or other information that is useful when deploying the application in different environments. Do not rely on the automatically-created latest tag|Documentation
| +|NPM Install Command Without Pinned Version
e36d8880-3f78-4546-b9a1-12f0745ca0d5|Supply-Chain|Check if packages installed by npm are pinning a specific version.|Documentation
| +|Missing Zypper Non-interactive Switch
45e1fca5-f90e-465d-825f-c2cb63fa3944|Supply-Chain|Omitting the non-interactive switch causes the command to fail during the build process, because zypper would expect manual input|Documentation
| +|Missing Version Specification In dnf install
93d88cf7-f078-46a8-8ddc-178e03aeacf1|Supply-Chain|Specifying a package version allows to reduce failures due to unanticipated changes in required packages.|Documentation
| +|Apt Get Install Pin Version Not Defined
965a08d7-ef86-4f14-8792-4a3b2098937e|Supply-Chain|When installing a package, its pin version should be defined|Documentation
| +|Missing Zypper Clean
38300d1a-feb2-4a48-936a-d1ef1cd24313|Supply-Chain|Reduce layer and image size by deleting unneeded caches after running zypper|Documentation
| +|Gem Install Without Version
22cd11f7-9c6c-4f6e-84c0-02058120b341|Supply-Chain|Instead of 'gem install ' we should use 'gem install :'|Documentation
| +|Using Platform Flag with FROM Command
b16e8501-ef3c-44e1-a543-a093238099c9|Supply-Chain|Don't use '--platform' flag with FROM|Documentation
| ### **Low** @@ -70,8 +70,8 @@ This page contains all queries from Dockerfile, classified by severity level. | Query |Category|Description|Help| |-----------------------------|---|---|---| |Apt Get Install Lists Were Not Deleted
df746b39-6564-4fed-bf85-e9c44382303c|Supply-Chain|After using apt-get install, it is needed to delete apt-get lists|Documentation
| -|APT-GET Not Avoiding Additional Packages
7384dfb2-fcd1-4fbf-91cd-6c44c318c33c|Supply-Chain|Check if any apt-get installs don't use '--no-install-recommends' flag to avoid installing additional packages.|Documentation
| |Apk Add Using Local Cache Path
ae9c56a6-3ed1-4ac0-9b54-31267f51151d|Supply-Chain|When installing packages, use the '--no-cache' switch to avoid the need to use '--update' and remove '/var/cache/apk/*'|Documentation
| +|APT-GET Not Avoiding Additional Packages
7384dfb2-fcd1-4fbf-91cd-6c44c318c33c|Supply-Chain|Check if any apt-get installs don't use '--no-install-recommends' flag to avoid installing additional packages.|Documentation
| |Run Utilities And POSIX Commands
9b6b0f38-92a2-41f9-b881-3a1083d99f1b|Supply-Chain|Some POSIX commands and interactive utilities shouldn't run inside a Docker Container|Documentation
| diff --git a/docs/queries/kubernetes-queries.md b/docs/queries/kubernetes-queries.md index 35108904b9a..01a3741fe89 100644 --- a/docs/queries/kubernetes-queries.md +++ b/docs/queries/kubernetes-queries.md @@ -5,20 +5,20 @@ This page contains all queries from Kubernetes, classified by severity level. | Query |Category|Description|Help| |-----------------------------|---|---|---| -|Host Aliases Undefined Or Empty
72b03514-20ae-4409-8842-2dd70c2e25aa|Insecure Configuration|A Pod should have Host Aliases defined as to prevent the container from modifying the file after a pod's containers have already been started. This means the attribute 'spec.hostAliases' must be defined and not empty or null.|Documentation
| -|Tiller Service Is Not Deleted
8b862ca9-0fbd-4959-ad72-b6609bdaa22d|Insecure Configurations|Check if there is any Tiller Service present|Documentation
| -|Privilege Escalation Allowed
5572cc5e-1e4c-4113-92a6-7a8a3bd25e6d|Insecure Configurations|Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process|Documentation
| -|Container Is Privileged
dd29336b-fe57-445b-a26e-e6aa867ae609|Insecure Configurations|Do not allow container to be privileged.|Documentation
| -|Containers With Added Capabilities
19ebaa28-fc86-4a58-bcfa-015c9e22fe40|Insecure Configurations|Containers should not have added capability|Documentation
| -|Shared Host IPC Namespace
cd290efd-6c82-4e9d-a698-be12ae31d536|Insecure Configurations|Container should not share the host IPC namespace|Documentation
| -|Not Limited Capabilities For Pod Security Policy
caa93370-791f-4fc6-814b-ba6ce0cb4032|Insecure Configurations|Limit capabilities for a Pod Security Policy|Documentation
| -|Cluster Allows Unsafe Sysctls
9127f0d9-2310-42e7-866f-5fd9d20dcbad|Insecure Configurations|A Kubernetes Cluster must not allow Unsafe Sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means the 'spec.securityContext.sysctls' must not have an Unsafe Sysctls and that the atrribute 'allowedUnsafeSysctls' must be undefined.|Documentation
| |NET_RAW Capabilities Disabled Minimized
dbbc6705-d541-43b0-b166-dd4be8208b54|Insecure Configurations|Containers need to have NET_RAW or All as Security Context|Documentation
| |Tiller (Helm v2) Is Deployed
6d173be7-545a-46c6-a81d-2ae52ed1605d|Insecure Configurations|Check if Tiller is deployed.|Documentation
| |Shared Host PID Namespace
302736f4-b16c-41b8-befe-c0baffa0bd9d|Insecure Configurations|Container should not share the host process ID namespace|Documentation
| +|Not Limited Capabilities For Pod Security Policy
caa93370-791f-4fc6-814b-ba6ce0cb4032|Insecure Configurations|Limit capabilities for a Pod Security Policy|Documentation
| +|PSP Allows Containers To Share The Host Network Namespace
a33e9173-b674-4dfb-9d82-cf3754816e4b|Insecure Configurations|Check if Pod Security Policies allow containers to share the host network namespace.|Documentation
| |Shared Host Network Namespace
6b6bdfb3-c3ae-44cb-88e4-7405c1ba2c8a|Insecure Configurations|Container should not share the host network namespace|Documentation
| +|Shared Host IPC Namespace
cd290efd-6c82-4e9d-a698-be12ae31d536|Insecure Configurations|Container should not share the host IPC namespace|Documentation
| +|Privilege Escalation Allowed
5572cc5e-1e4c-4113-92a6-7a8a3bd25e6d|Insecure Configurations|Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process|Documentation
| +|Cluster Allows Unsafe Sysctls
9127f0d9-2310-42e7-866f-5fd9d20dcbad|Insecure Configurations|A Kubernetes Cluster must not allow Unsafe Sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means the 'spec.securityContext.sysctls' must not have an Unsafe Sysctls and that the atrribute 'allowedUnsafeSysctls' must be undefined.|Documentation
| +|Tiller Service Is Not Deleted
8b862ca9-0fbd-4959-ad72-b6609bdaa22d|Insecure Configurations|Check if there is any Tiller Service present|Documentation
| +|Container Is Privileged
dd29336b-fe57-445b-a26e-e6aa867ae609|Insecure Configurations|Do not allow container to be privileged.|Documentation
| +|Host Aliases Undefined Or Empty
72b03514-20ae-4409-8842-2dd70c2e25aa|Insecure Configurations|A Pod should have Host Aliases defined as to prevent the container from modifying the file after a pod's containers have already been started. This means the attribute 'spec.hostAliases' must be defined and not empty or null.|Documentation
| |Object Is Using A Deprecated API Version
94b76ea5-e074-4ca2-8a03-c5a606e30645|Insecure Configurations|Check if any objects are using a deprecated version of API.|Documentation
| -|PSP Allows Containers To Share The Host Network Namespace
a33e9173-b674-4dfb-9d82-cf3754816e4b|Insecure Configurations|Check if Pod Security Policies allow containers to share the host network namespace.|Documentation
| +|Containers With Added Capabilities
19ebaa28-fc86-4a58-bcfa-015c9e22fe40|Insecure Configurations|Containers should not have added capability|Documentation
| |Role Binding To Default Service Account
1e749bc9-fde8-471c-af0c-8254efd2dee5|Insecure Defaults|No role nor cluster role should bind to a default service account|Documentation
| |Tiller Deployment Is Accessible From Within The Cluster
e17fa86a-6222-4584-a914-56e8f6c87e06|Networking and Firewall|Check if any Tiller Deployment container allows access from within the cluster.|Documentation
| @@ -29,72 +29,72 @@ This page contains all queries from Kubernetes, classified by severity level. |-----------------------------|---|---|---| |Non Kube System Pod With Host Mount
aa8f7a35-9923-4cad-bd61-a19b7f6aac91|Access Control|A non kube-system workload should not have hostPath mounted|Documentation
| |RBAC Roles with Read Secrets Permissions
b7bca5c4-1dab-4c2c-8cbe-3050b9d59b14|Access Control|Minimize access to secrets (RBAC)|Documentation
| -|Liveness Probe Is Not Defined
ade74944-a674-4e00-859e-c6eab5bde441|Availability|Liveness Probe must be defined.|Documentation
| |Readiness Probe Is Not Configured
a659f3b5-9bf0-438a-bd9a-7d3a6427f1e3|Availability|Check if Readiness Probe is not configured.|Documentation
| -|Container Running With Low UID
02323c00-cdc3-4fdc-a310-4f2b3e7a1660|Best Practices|Check if containers are running with low UID, which might cause conflicts with the host's user table.|Documentation
| +|Liveness Probe Is Not Defined
ade74944-a674-4e00-859e-c6eab5bde441|Availability|Liveness Probe must be defined.|Documentation
| |Containers Running As Root
cf34805e-3872-4c08-bf92-6ff7bb0cfadb|Best Practices|Check if containers are running as root unduly.|Documentation
| -|Resource With Allow Privilege Escalation
0a7c420c-4568-4cec-ba36-4d42a6f9613b|Best Practices|Minimize the admission of privileged resources|Documentation
| +|Container Running With Low UID
02323c00-cdc3-4fdc-a310-4f2b3e7a1660|Best Practices|Check if containers are running with low UID, which might cause conflicts with the host's user table.|Documentation
| |Root Containers Admitted
e3aa0612-4351-4a0d-983f-aefea25cf203|Best Practices|Containers must not be allowed to run with root privileges, which means the attributes 'privileged','allowPrivilegeEscalation' and 'readOnlyRootFilesystem' must be set to false, 'runAsUser.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden|Documentation
| +|Resource With Allow Privilege Escalation
0a7c420c-4568-4cec-ba36-4d42a6f9613b|Best Practices|Minimize the admission of privileged resources|Documentation
| |Incorrect Volume Claim Access Mode ReadWriteOnce
3878dc92-8e5d-47cf-9cdd-7590f71d21b9|Build Process|Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce'|Documentation
| -|Ingress Controller Exposes Workload
69bbc5e3-0818-4150-89cc-1e989b48f23b|Insecure Configuration|Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks|Documentation
| +|Ingress Controller Exposes Workload
69bbc5e3-0818-4150-89cc-1e989b48f23b|Insecure Configurations|Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks|Documentation
| +|Container Runs Unmasked
f922827f-aab6-447c-832a-e1ff63312bd3|Insecure Configurations|Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime.|Documentation
| +|Pod Security Policy Set to Privileged
c48e57d3-d642-4e0b-90db-37f807b41b91|Insecure Configurations|Do not allow pod to request execution as privileged.|Documentation
| |PSP Allows Sharing Host IPC
80f93444-b240-4ebb-a4c6-5c40b76c04ea|Insecure Configurations|Pod Security Policy allows containers to share the host IPC namespace|Documentation
| -|Default Service Account In Use
b93e973e-9066-4455-a63b-c1c0e1ec3a48|Insecure Configurations|Default service accounts should not be actively used|Documentation
| +|Containers With Capabilities Sys Admin
235236ee-ad78-4065-bd29-61b061f28ce0|Insecure Configurations|Containers should not have CAP_SYS_ADMIN Linux capability|Documentation
| |Workload Mounting With Sensitive OS Directory
5308a7a8-06f8-45ac-bf10-791fe21de46e|Insecure Configurations|Workload is mounting a volume with sensitive OS Directory|Documentation
| |PSP Allows Privilege Escalation
87554eef-154d-411d-bdce-9dbd91e56851|Insecure Configurations|PodSecurityPolicy should not allow privilege escalation|Documentation
| -|Using Default Namespace
611ab018-c4aa-4ba2-b0f6-a448337509a6|Insecure Configurations|The default namespace should not be used|Documentation
| |NET_RAW Capabilities Disabled for PodSecurityPolicy
2270987f-bb51-479f-b8be-3ca73e5ad648|Insecure Configurations|Containers need to have NET_RAW or All as drop capabilities|Documentation
| -|Not Limited Capabilities For Container
2f1a0619-b12b-48a0-825f-993bb6f01d58|Insecure Configurations|Limit the capabilities for a Container.|Documentation
| +|Default Service Account In Use
b93e973e-9066-4455-a63b-c1c0e1ec3a48|Insecure Configurations|Default service accounts should not be actively used|Documentation
| |PSP With Added Capabilities
7307579a-3abb-46ad-9ce5-2a915634d5c8|Insecure Configurations|PodSecurityPolicy should not have added capabilities|Documentation
| -|Seccomp Profile Is Not Configured
f377b83e-bd07-4f48-a591-60c82b14a78b|Insecure Configurations|Check if any resource does not configure Seccomp default profile properly|Documentation
| +|Using Default Namespace
611ab018-c4aa-4ba2-b0f6-a448337509a6|Insecure Configurations|The default namespace should not be used|Documentation
| |PSP Allows Sharing Host PID
91dacd0e-d189-4a9c-8272-5999a3cc32d9|Insecure Configurations|Pod Security Policy allows containers to share the host process ID namespace|Documentation
| -|Container Runs Unmasked
f922827f-aab6-447c-832a-e1ff63312bd3|Insecure Configurations|Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime.|Documentation
| -|Containers With Capabilities Sys Admin
235236ee-ad78-4065-bd29-61b061f28ce0|Insecure Configurations|Containers should not have CAP_SYS_ADMIN Linux capability|Documentation
| -|Pod Security Policy Set to Privileged
c48e57d3-d642-4e0b-90db-37f807b41b91|Insecure Configurations|Do not allow pod to request execution as privileged.|Documentation
| -|Service Account Name Undefined Or Empty
591ade62-d6b0-4580-b1ae-209f80ba1cd9|Insecure Defaults|A Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'serviceAccountName' should be defined and not empty.|Documentation
| +|Not Limited Capabilities For Container
2f1a0619-b12b-48a0-825f-993bb6f01d58|Insecure Configurations|Limit the capabilities for a Container.|Documentation
| +|Seccomp Profile Is Not Configured
f377b83e-bd07-4f48-a591-60c82b14a78b|Insecure Configurations|Check if any resource does not configure Seccomp default profile properly|Documentation
| |Service Account Token Automount Not Disabled
48471392-d4d0-47c0-b135-cdec95eb3eef|Insecure Defaults|Service Account Tokens are automatically mounted even if not necessary|Documentation
| -|Pod Misconfigured NetworkPolicy
0401f71b-9c1e-4821-ab15-a955caa621be|Networking and Firewall|Check if any pod is not being targeted by a proper network policy.|Documentation
| +|Service Account Name Undefined Or Empty
591ade62-d6b0-4580-b1ae-209f80ba1cd9|Insecure Defaults|A Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'serviceAccountName' should be defined and not empty.|Documentation
| |Network Policy Is Not Targeting Any Pod
85ab1c5b-014e-4352-b5f8-d7dea3bb4fd3|Networking and Firewall|Check if any network policy is not targeting any pod.|Documentation
| |Service With External Load Balance
26763a1c-5dda-4772-b507-5fca7fb5f165|Networking and Firewall|Service has an external load balancer, which may cause accessibility from other networks and the Internet|Documentation
| +|Pod Misconfigured NetworkPolicy
0401f71b-9c1e-4821-ab15-a955caa621be|Networking and Firewall|Check if any pod is not being targeted by a proper network policy.|Documentation
| +|Memory Requests Not Defined
229588ef-8fde-40c8-8756-f4f2b5825ded|Resource Management|Memory requests should be specified|Documentation
| |Volume Mount with OS Directory Write Permissions
b7652612-de4e-4466-a0bf-1cd81f0c6063|Resource Management|Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries.|Documentation
| |CPU Requests Not Set
ca469dd4-c736-448f-8ac1-30a642705e0a|Resource Management|CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node|Documentation
| -|Memory Requests Not Defined
229588ef-8fde-40c8-8756-f4f2b5825ded|Resource Management|Memory requests should be specified|Documentation
| -|Memory Limits Not Defined
b14d1bc4-a208-45db-92f0-e21f8e2588e9|Resource Management|Memory limits should be specified|Documentation
| |CPU Limits Not Set
4ac0e2b7-d2d2-4af7-8799-e8de6721ccda|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests|Documentation
| -|ServiceAccount Allows Access Secrets
056ac60e-fe07-4acc-9b34-8e1d51716ab9|Secret Management|Roles and ClusterRoles when binded, should not use get, list or watch as verbs|Documentation
| +|Memory Limits Not Defined
b14d1bc4-a208-45db-92f0-e21f8e2588e9|Resource Management|Memory limits should be specified|Documentation
| |Shared Service Account
c1032cf7-3628-44e2-bd53-38c17cf31b6b|Secret Management|A Service Account token is shared between workloads|Documentation
| +|ServiceAccount Allows Access Secrets
056ac60e-fe07-4acc-9b34-8e1d51716ab9|Secret Management|Roles and ClusterRoles when binded, should not use get, list or watch as verbs|Documentation
| ### **Low** | Query |Category|Description|Help| |-----------------------------|---|---|---| -|RBAC Wildcard In Rule
6b896afb-ca07-467a-b256-1a0077a1c08e|Access Control|Kubernetes Roles and ClusterRoles should not use wildcards in rules (objects or actions)|Documentation
| -|Docker Daemon Socket is Exposed to Containers
a6f34658-fdfb-4154-9536-56d516f65828|Access Control|Sees if Docker Daemon Socket is not exposed to Containers|Documentation
| -|Permissive Access to Create Pods
592ad21d-ad9b-46c6-8d2d-fad09d62a942|Access Control|The permission to create pods in a cluster should be restricted because it allows privilege escalation.|Documentation
| |Missing App Armor Config
8b36775e-183d-4d46-b0f7-96a6f34a723f|Access Control|Containers should be configured with AppArmor for any application to reduce its potential attack|Documentation
| +|Docker Daemon Socket is Exposed to Containers
a6f34658-fdfb-4154-9536-56d516f65828|Access Control|Sees if Docker Daemon Socket is not exposed to Containers|Documentation
| |Cluster Admin Rolebinding With Superuser Permissions
249328b8-5f0f-409f-b1dd-029f07882e11|Access Control|Ensure that the cluster-admin role is only used where required (RBAC)|Documentation
| -|HPA Targets Invalid Object
2f652c42-619d-4361-b361-9f599688f8ca|Availability|The Horizontal Pod Autoscale must target a valid object|Documentation
| -|Deployment Without PodDisruptionBudget
b23e9b98-0cb6-4fc9-b257-1f3270442678|Availability|Deployments should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
| +|Permissive Access to Create Pods
592ad21d-ad9b-46c6-8d2d-fad09d62a942|Access Control|The permission to create pods in a cluster should be restricted because it allows privilege escalation.|Documentation
| +|RBAC Wildcard In Rule
6b896afb-ca07-467a-b256-1a0077a1c08e|Access Control|Kubernetes Roles and ClusterRoles should not use wildcards in rules (objects or actions)|Documentation
| |StatefulSet Without PodDisruptionBudget
1db3a5a5-bf75-44e5-9e44-c56cfc8b1ac5|Availability|StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
| +|Deployment Without PodDisruptionBudget
b23e9b98-0cb6-4fc9-b257-1f3270442678|Availability|Deployments should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
| |StatefulSets Without Service Name
bb241e61-77c3-4b97-9575-c0f8a1e008d0|Availability|Check if the StatefulSets have a headless 'serviceName'|Documentation
| +|HPA Targets Invalid Object
2f652c42-619d-4361-b361-9f599688f8ca|Availability|The Horizontal Pod Autoscale must target a valid object|Documentation
| |HPA Targeted Deployments With Configured Replica Count
5744cbb8-5946-4b75-a196-ade44449525b|Availability|Deployments targeted by HorizontalPodAutoscaler should not have a statically configured replica count set|Documentation
| |Metadata Label Is Invalid
1123031a-f921-4c5b-bd86-ef354ecfd37a|Best Practices|Check if any label in the metadata is invalid.|Documentation
| |No Drop Capabilities for Containers
268ca686-7fb7-4ae9-b129-955a2a89064e|Best Practices|Sees if Kubernetes Drop Capabilities exists to ensure containers security context|Documentation
| |Root Container Not Mounted As Read-only
a9c2f49d-0671-4fc9-9ece-f4e261e128d0|Build Process|Check if the root container filesystem is not being mounted as read-only.|Documentation
| |StatefulSet Requests Storage
8cf4671a-cf3d-46fc-8389-21e7405063a2|Build Process|A StatefulSet requests volume storage.|Documentation
| -|Image Pull Policy Of The Container Is Not Set To Always
caa3479d-885d-4882-9aac-95e5e78ef5c2|Insecure Configurations|Image Pull Policy of the container must be defined and set to Always|Documentation
| -|Image Without Digest
7c81d34c-8e5a-402b-9798-9f442630e678|Insecure Configurations|Sees if Kubernetes image has digest on|Documentation
| -|Pod or Container Without Security Context
a97a340a-0063-418e-b3a1-3028941d0995|Insecure Configurations|A security context defines privilege and access control settings for a Pod or Container|Documentation
| |Dashboard Is Enabled
d2ad057f-0928-41ef-a83c-f59203bb855b|Insecure Configurations|If not needed, disabling the dashboard can prevent from being used as an attack vector|Documentation
| +|Image Without Digest
7c81d34c-8e5a-402b-9798-9f442630e678|Insecure Configurations|Sees if Kubernetes image has digest on|Documentation
| |Service Does Not Target Pod
3ca03a61-3249-4c16-8427-6f8e47dda729|Insecure Configurations|Service should Target a Pod|Documentation
| +|Image Pull Policy Of The Container Is Not Set To Always
caa3479d-885d-4882-9aac-95e5e78ef5c2|Insecure Configurations|Image Pull Policy of the container must be defined and set to Always|Documentation
| +|Pod or Container Without Security Context
a97a340a-0063-418e-b3a1-3028941d0995|Insecure Configurations|A security context defines privilege and access control settings for a Pod or Container|Documentation
| |Service Type is NodePort
845acfbe-3e10-4b8e-b656-3b404d36dfb2|Networking and Firewall|Service type should not be NodePort|Documentation
| |Image Host Port Not Specified
2b1836f1-dcce-416e-8e16-da8c71920633|Networking and Firewall|Sees if Kubernetes Image Host Port is Specified|Documentation
| -|CronJob Deadline Not Configured
192fe40b-b1c3-448a-aba2-6cc19a300fe3|Resource Management|Cronjobs must have a configured deadline, which means the attribute 'startingDeadlineSeconds' must be defined|Documentation
| -|StatefulSet Has No PodAntiAffinity
d740d048-8ed3-49d3-b77b-6f072f3b669e|Resource Management|Check if StatefulSet resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node.|Documentation
| -|Container CPU Requests Not Equal Limits
9d43040e-e703-4e16-8bfe-8d4da10fa7e6|Resource Management|A Pod's Containers must have the same CPU requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.cpu' must equal 'limits.cpu', and both be defined.|Documentation
| -|Container Requests Not Equal Limits
aee3c7d2-a811-4201-90c7-11c028be9a46|Resource Management|A Pod's Containers must have the same requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.memory' and 'requests.cpu' must equal 'limits.memory' and 'limits.cpu', respectively, and all four must be defined.|Documentation
| |Container Memory Requests Not Equal Limits
aafa7d94-62de-4fbf-8838-b69ee217b0e6|Resource Management|A Pod's Containers must have the same Memory requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.memory' must equal 'limits.memory', and both be defined.|Documentation
| +|Container CPU Requests Not Equal Limits
9d43040e-e703-4e16-8bfe-8d4da10fa7e6|Resource Management|A Pod's Containers must have the same CPU requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.cpu' must equal 'limits.cpu', and both be defined.|Documentation
| |Deployment Has No PodAntiAffinity
a31b7b82-d994-48c4-bd21-3bab6c31827a|Resource Management|Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node.|Documentation
| +|CronJob Deadline Not Configured
192fe40b-b1c3-448a-aba2-6cc19a300fe3|Resource Management|Cronjobs must have a configured deadline, which means the attribute 'startingDeadlineSeconds' must be defined|Documentation
| +|Container Requests Not Equal Limits
aee3c7d2-a811-4201-90c7-11c028be9a46|Resource Management|A Pod's Containers must have the same requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.memory' and 'requests.cpu' must equal 'limits.memory' and 'limits.cpu', respectively, and all four must be defined.|Documentation
| +|StatefulSet Has No PodAntiAffinity
d740d048-8ed3-49d3-b77b-6f072f3b669e|Resource Management|Check if StatefulSet resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node.|Documentation
| |Secrets As Environment Variables
3d658f8b-d988-41a0-a841-40043121de1e|Secret Management|Container should not use secrets as environment variables|Documentation
| |Invalid Image
583053b7-e632-46f0-b989-f81ff8045385|Supply-Chain|Image must be defined and not be empty or equal to latest.|Documentation
| diff --git a/docs/queries/terraform-queries.md b/docs/queries/terraform-queries.md index ac8ca7d3c49..ccfcd9eb60d 100644 --- a/docs/queries/terraform-queries.md +++ b/docs/queries/terraform-queries.md @@ -5,237 +5,237 @@ This page contains all queries from Terraform, classified by severity level. | Query |Category|Description|Help| |-----------------------------|---|---|---| -|Role Assignment Of Guest Users
2bc626a8-0751-446f-975d-8139214fc790|Access Control|There is a role assignment for guest user|Documentation
| -|Admin user is enabled for Container Registry
b897dfbf-322c-45a8-b67c-1e698beeaa51|Access Control|Admin user is enabled for Container Registry|Documentation
| -|Storage Container with Public Access
dd5230f8-a577-4bbb-b7ac-f2c2fe7d5299|Access Control|Anonymous, public read access to a container and its blobs are enabled in Azure Blob Storage|Documentation
| -|All Auth Users Get Read Access
57b9893d-33b1-4419-bcea-a717ea87e139|Access Control|Misconfigured S3 buckets can leak private information to the entire internet or allow unauthorized data tampering / deletion|Documentation
| -|S3 Bucket Allows List Action From All Principals
66c6f96f-2d9e-417e-a998-9058aeeecd44|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals.|Documentation
| -|IAM Role With Full Privileges
b1ffa705-19a3-4b73-b9d0-0c97d0663842|Access Control|IAM role policy that allow full administrative privileges (for all resources)|Documentation
| -|SQS Queue Exposed
abb06e5f-ef9a-4a99-98c6-376d396bfcdf|Access Control|Checks if the SQS Queue is exposed|Documentation
| -|S3 Bucket With Any Principal
7af43613-6bb9-4a0e-8c4d-1314b799425e|Access Control|S3 Buckets must not allow Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when there are All Principals|Documentation
| +|S3 Bucket Allows Get Action From All Principals
1df37f4b-7197-45ce-83f8-9994d2fcf885|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals.|Documentation
| |S3 Bucket Allows Public Policy
1a4bc881-9f69-4d44-8c9a-d37d08f54c50|Access Control|S3 bucket allows public policy|Documentation
| +|S3 Bucket With Any Principal
7af43613-6bb9-4a0e-8c4d-1314b799425e|Access Control|S3 Buckets must not allow Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when there are All Principals|Documentation
| +|S3 Bucket Allows Delete Action From All Principals
ffdf4b37-7703-4dfe-a682-9d2e99bc6c09|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals.|Documentation
| +|IAM Role With Full Privileges
b1ffa705-19a3-4b73-b9d0-0c97d0663842|Access Control|IAM role policy that allow full administrative privileges (for all resources)|Documentation
| |ECS Service Admin Role is Present
3206240f-2e87-4e58-8d24-3e19e7c83d7c|Access Control|ECS Services must not have Admin roles, which means the attribute 'iam_role' must not be an admin role|Documentation
| +|SQS Queue Exposed
abb06e5f-ef9a-4a99-98c6-376d396bfcdf|Access Control|Checks if the SQS Queue is exposed|Documentation
| |S3 Bucket Allows Put Action From All Principals
d24c0755-c028-44b1-b503-8e719c898832|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals.|Documentation
| -|S3 Bucket Allows Get Action From All Principals
1df37f4b-7197-45ce-83f8-9994d2fcf885|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals.|Documentation
| -|S3 Bucket Allows Delete Action From All Principals
ffdf4b37-7703-4dfe-a682-9d2e99bc6c09|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals.|Documentation
| +|S3 Bucket Allows List Action From All Principals
66c6f96f-2d9e-417e-a998-9058aeeecd44|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals.|Documentation
| |S3 Bucket Allows Write_ACP Action From All Principals
64a222aa-7793-4e40-915f-4b302c76e4d4|Access Control|S3 Buckets must not allow Write_ACP Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Write_ACP, for all Principals.|Documentation
| -|OSLogin Is Disabled
32ecd6eb-0711-421f-9627-1a28d9eff217|Access Control|Verifies that the OSLogin is enabled|Documentation
| +|All Auth Users Get Read Access
57b9893d-33b1-4419-bcea-a717ea87e139|Access Control|Misconfigured S3 buckets can leak private information to the entire internet or allow unauthorized data tampering / deletion|Documentation
| |BigQuery Dataset Is Public
e576ce44-dd03-4022-a8c0-3906acca2ab4|Access Control|BigQuery dataset is anonymously or publicly accessible|Documentation
| +|OSLogin Is Disabled
32ecd6eb-0711-421f-9627-1a28d9eff217|Access Control|Verifies that the OSLogin is enabled|Documentation
| |Cloud Storage Bucket With Public Access
c010082c-76e0-4b91-91d9-6e8439e455dd|Access Control|Cloud Storage Bucket is anonymously or publicly accessible|Documentation
| |VM with Full Cloud Access
bc280331-27b9-4acb-a010-018e8098aa5d|Access Control|A VM instance is configured to use the default service account with full access to all Cloud APIs|Documentation
| |Master Authentication is Disabled
1baba08e-3c8a-4be7-95eb-dced5833de21|Access Control|Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'master_auth' must have the subattributes 'username' and 'password' defined and not empty|Documentation
| -|Geo Redundancy Is Disabled
8b042c30-e441-453f-b162-7696982ebc58|Backup|Make sure that on PostgreSQL Geo Redundant Backups is enabled|Documentation
| +|Role Assignment Of Guest Users
2bc626a8-0751-446f-975d-8139214fc790|Access Control|There is a role assignment for guest user|Documentation
| +|Storage Container with Public Access
dd5230f8-a577-4bbb-b7ac-f2c2fe7d5299|Access Control|Anonymous, public read access to a container and its blobs are enabled in Azure Blob Storage|Documentation
| +|Admin user is enabled for Container Registry
b897dfbf-322c-45a8-b67c-1e698beeaa51|Access Control|Admin user is enabled for Container Registry|Documentation
| |SQL Database Backup Configuration Disabled
cf3c7631-cd1e-42f3-8801-a561214a6e79|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances|Documentation
| -|SSL Enforce Is Disabled
0437633b-daa6-4bbc-8526-c0d2443b946e|Encryption|Make sure that for PosgreSQL, the 'Enforce SSL connection' is set to 'ENABLED'|Documentation
| -|Storage Account Not Forcing HTTPS
12944ec4-1fa0-47be-8b17-42a034f937c2|Encryption|See that Storage Accounts forces the use of HTTPS|Documentation
| -|RDS Cluster Storage Not Encrypted
3199c26c-7871-4cb3-99c2-10a59244ce7f|Encryption|Check if RDS Cluster Storage isn't encrypted. Happens when 'kms_key_id' field is false or undefined and 'engine_mode' field null or "".|Documentation
| -|HTTPS Traffic Disabled
55af1353-2f62-4fa0-a8e1-a210ca2708f5|Encryption|Checks if the connection between the CloudFront and the origin server is encrypted|Documentation
| -|EBS Encryption Disabled
3d3f6270-546b-443c-adb4-bb6fb2187ca6|Encryption|EBS Encryption should be enabled|Documentation
| -|ELB Using Insecure Protocols
126c1788-23c2-4a10-906c-ef179f4f96ec|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of insecure protocols.|Documentation
| +|Geo Redundancy Is Disabled
8b042c30-e441-453f-b162-7696982ebc58|Backup|Make sure that on PostgreSQL Geo Redundant Backups is enabled|Documentation
| +|EBS Volume Clusters Not Encrypted
cc997676-481b-4e93-aa81-d19f8c5e9b12|Encryption|The value on AWS EBS Volume Cluster Encryption must be true|Documentation
| +|Memcached Disabled
4bd15dd9-8d5e-4008-8532-27eb0c3706d3|Encryption|Check if the Memcached is disabled on the ElastiCache|Documentation
| +|DB Instance Storage Not Encrypted
08bd0760-8752-44e1-9779-7bb369b2b4e4|Encryption|The parameter storage_encrypted in aws_db_instance must be true (the default is false)|Documentation
| |Redis Not Compliant
254c932d-e3bf-44b2-bc9d-eb5fdb09f8d4|Encryption|Check if the redis version is compliant with the necessary AWS PCI DSS requirements|Documentation
| +|Secure Ciphers Not Used
5c0003fb-9aa0-42c1-9da3-eb0e332bef21|Encryption|Check if secure ciphers aren't used in CloudFront|Documentation
| +|EBS Volume Snapshot Not Encrypted
e6b4b943-6883-47a9-9739-7ada9568f8ca|Encryption|The value on AWS EBS Volume Snapshot Encryptation must be true|Documentation
| |Kinesis Not Encrypted With KMS
862fe4bf-3eec-4767-a517-40f378886b88|Encryption|AWS Kinesis Streams and metadata should be protected with KMS|Documentation
| -|Memcached Disabled
4bd15dd9-8d5e-4008-8532-27eb0c3706d3|Encryption|Check if the Memcached is disabled on the ElastiCache|Documentation
| +|Redshift Not Encrypted
cfdcabb0-fc06-427c-865b-c59f13e898ce|Encryption|Check if 'encrypted' field is false or undefined (default is false)|Documentation
| +|User Data Base64 Contains Encoded Private Key
443488f5-c734-460b-a36d-5b3f330174dc|Encryption|User Data Base64 contains an encoded RSA Private Key|Documentation
| +|Base64 Shell Script Is Encoded
9cf718ce-46f9-430e-89ec-c456f8b469ee|Encryption|Base64 Shell Script must be encoded|Documentation
| +|EBS Encryption Disabled
3d3f6270-546b-443c-adb4-bb6fb2187ca6|Encryption|EBS Encryption should be enabled|Documentation
| +|ECS Task Definition Container Has Password
d40210ea-64b9-4cce-a4fb-e8604f3c062c|Encryption|It's not recommend to use plaintext environment variables for sensitive information, such as credential data.|Documentation
| +|ELB Using Weak Ciphers
4a800e14-c94a-442d-9067-5a2e9f6c0a4c|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of weak ciphers.|Documentation
| +|Kinesis SSE Not Configured
5c6dd5e7-1fe0-4cae-8f81-4c122717cef3|Encryption|AWS Kinesis Server data at rest should have Server Side Encryption (SSE) enabled|Documentation
| |EFS Is Not Encrypted
48207659-729f-4b5c-9402-f884257d794f|Encryption|Elastic File System (EFS) must be encrypted|Documentation
| -|Ami Not Encrypted
8bbb242f-6e38-4127-86d4-d8f0b2687ae2|Encryption|AWS AMI Encryption is not enabled|Documentation
| +|Launch Configuration Is Not Encrypted
4de9de27-254e-424f-bd70-4c1e95790838|Encryption|Data stored in the Launch configuration EBS is not securely encrypted|Documentation
| +|ELB Using Insecure Protocols
126c1788-23c2-4a10-906c-ef179f4f96ec|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of insecure protocols.|Documentation
| |ECR Repository Has Public Access
e86e26fc-489e-44f0-9bcd-97305e4ba69a|Encryption|Amazon ECR image repositories shouldn't have public access|Documentation
| -|Kinesis SSE Not Configured
5c6dd5e7-1fe0-4cae-8f81-4c122717cef3|Encryption|AWS Kinesis Server data at rest should have Server Side Encryption (SSE) enabled|Documentation
| -|Secure Ciphers Not Used
5c0003fb-9aa0-42c1-9da3-eb0e332bef21|Encryption|Check if secure ciphers aren't used in CloudFront|Documentation
| |CA certificate Identifier is outdated
9f40c07e-699e-4410-8856-3ba0f2e3a2dd|Encryption|The CA certificate Identifier must be rds-ca-2019|Documentation
| -|Base64 Shell Script Is Encoded
9cf718ce-46f9-430e-89ec-c456f8b469ee|Encryption|Base64 Shell Script must be encoded|Documentation
| |Auto Minor Version Upgrade Is Set To False
3b6d777b-76e3-4133-80a3-0d6f667ade7f|Encryption|RDS Instance Auto Minor Version Upgrade feature in Aws Db Instance must be true|Documentation
| -|Launch Configuration Is Not Encrypted
4de9de27-254e-424f-bd70-4c1e95790838|Encryption|Data stored in the Launch configuration EBS is not securely encrypted|Documentation
| -|IAM Database Auth Not Enabled
88fd05e0-ac0e-43d2-ba6d-fc0ba60ae1a6|Encryption|IAM Database Auth Enabled must be configured to true|Documentation
| -|DB Instance Storage Not Encrypted
08bd0760-8752-44e1-9779-7bb369b2b4e4|Encryption|The parameter storage_encrypted in aws_db_instance must be true (the default is false)|Documentation
| -|ECS Task Definition Container Has Password
d40210ea-64b9-4cce-a4fb-e8604f3c062c|Encryption|It's not recommend to use plaintext environment variables for sensitive information, such as credential data.|Documentation
| |MSK Cluster Encryption Disabled
6db52fa6-d4da-4608-908a-89f0c59e743e|Encryption|Ensure MSK Cluster encryption in rest and transit is enabled|Documentation
| -|EBS Volume Clusters Not Encrypted
cc997676-481b-4e93-aa81-d19f8c5e9b12|Encryption|The value on AWS EBS Volume Cluster Encryption must be true|Documentation
| -|Redshift Not Encrypted
cfdcabb0-fc06-427c-865b-c59f13e898ce|Encryption|Check if 'encrypted' field is false or undefined (default is false)|Documentation
| -|EBS Volume Snapshot Not Encrypted
e6b4b943-6883-47a9-9739-7ada9568f8ca|Encryption|The value on AWS EBS Volume Snapshot Encryptation must be true|Documentation
| -|User Data Base64 Contains Encoded Private Key
443488f5-c734-460b-a36d-5b3f330174dc|Encryption|User Data Base64 contains an encoded RSA Private Key|Documentation
| -|ELB Using Weak Ciphers
4a800e14-c94a-442d-9067-5a2e9f6c0a4c|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of weak ciphers.|Documentation
| +|HTTPS Traffic Disabled
55af1353-2f62-4fa0-a8e1-a210ca2708f5|Encryption|Checks if the connection between the CloudFront and the origin server is encrypted|Documentation
| +|Ami Not Encrypted
8bbb242f-6e38-4127-86d4-d8f0b2687ae2|Encryption|AWS AMI Encryption is not enabled|Documentation
| +|RDS Cluster Storage Not Encrypted
3199c26c-7871-4cb3-99c2-10a59244ce7f|Encryption|Check if RDS Cluster Storage isn't encrypted. Happens when 'kms_key_id' field is false or undefined and 'engine_mode' field null or "".|Documentation
| +|IAM Database Auth Not Enabled
88fd05e0-ac0e-43d2-ba6d-fc0ba60ae1a6|Encryption|IAM Database Auth Enabled must be configured to true|Documentation
| +|KMS Rotation Period Is Higher Than 365 Days
352271ca-842f-408a-8b24-f6f2b76eb027|Encryption|Check that keys aren't the same for a period greater than 365 days.|Documentation
| |Cloud SQL Instance With SSL Disabled
02474449-71aa-40a1-87ae-e14497747b00|Encryption|Cloud SQL Database Instance with SSL disabled for incoming connections|Documentation
| |DNSSEC Using RSASHA1
ccc3100c-0fdd-4a5e-9908-c10107291860|Encryption|Checks if, within the 'dnssec_config' block, the 'default_key_specs' block exists with the 'algorithm' field is 'rsasha1' which is bad.|Documentation
| -|KMS Rotation Period Is Higher Than 365 Days
352271ca-842f-408a-8b24-f6f2b76eb027|Encryption|Check that keys aren't the same for a period greater than 365 days.|Documentation
| -|CosmosDB Account Ip Range Filter Not Setted
c2a3efb6-8a58-481c-82f2-bfddf34bb4b7|Insecure Configurations|The Ip Range Must Contain Ips|Documentation
| -|Trusted Microsoft Services Not Enabled
5400f379-a347-4bdd-a032-446465fdcc6f|Insecure Configurations|Trusted MIcrosoft Services are not enabled for Storage Account access|Documentation
| -|AD Admin Not Configured For SQL Server
a3a055d2-9a2e-4cc9-b9fb-12850a1a3a4b|Insecure Configurations|The Active Directory Administrator is not configured for a SQL server|Documentation
| -|Network Watcher Flow Disabled
b90842e5-6779-44d4-9760-972f4c03ba1c|Insecure Configurations|Check if enable field in the resource azurerm_network_watcher_flow_log is false.|Documentation
| -|SSL Connection Is Enabled
73e42469-3a86-4f39-ad78-098f325b4e9f|Insecure Configurations|Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled|Documentation
| -|VM Not Attached To Network
bbf6b3df-4b65-4f87-82cc-da9f30f8c033|Insecure Configurations|No Network Security Group is attached to the Virtual Machine|Documentation
| -|Redis Not Updated Regularly
b947809d-dd2f-4de9-b724-04d101c515aa|Insecure Configurations|Redis Cache is not configured to be updated regularly with security and operational updates|Documentation
| -|Azurerm Container Registry With No Locks
a187ac47-8163-42ce-8a63-c115236be6fb|Insecure Configurations|Azurerm Container Registry Must Contain Associated Locks |Documentation
| +|SSL Enforce Is Disabled
0437633b-daa6-4bbc-8526-c0d2443b946e|Encryption|Make sure that for PosgreSQL, the 'Enforce SSL connection' is set to 'ENABLED'|Documentation
| +|Storage Account Not Forcing HTTPS
12944ec4-1fa0-47be-8b17-42a034f937c2|Encryption|See that Storage Accounts forces the use of HTTPS|Documentation
| |ECS Task Definition Network Mode Not Recommended
9f4a9409-9c60-4671-be96-9716dbf63db1|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_defenition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations|Documentation
| -|DB Instance Publicly Accessible
35113e6f-2c6b-414d-beec-7a9482d3b2d1|Insecure Configurations|The feature Publicly Accessible must be false|Documentation
| -|S3 Bucket Without Restriction Of Public Bucket
1ec253ab-c220-4d63-b2de-5b40e0af9293|Insecure Configurations|S3 bucket without restriction of public bucket|Documentation
| -|No Password Policy Enabled
b592ffd4-0577-44b6-bd35-8c5ee81b5918|Insecure Configurations|IAM password policies should be set through the password minimum length and reset password attributes|Documentation
| -|Static Websites Found
42bb6b7f-6d54-4428-b707-666f669d94fb|Insecure Configurations|Checks if any static websties are hosted on buckets|Documentation
| +|S3 Bucket Without Enabled MFA Delete
c5b31ab9-0f26-4a49-b8aa-4cc064392f4d|Insecure Configurations|S3 bucket without enabled MFA Delete|Documentation
| +|S3 Bucket Without Encryption
6726dcc0-5ff5-459d-b473-a780bef7665c|Insecure Configurations|S3 bucket should have encryption defined|Documentation
| +|Root Account Has Associated Active Access Keys
970d224d-b42a-416b-81f9-8f4dfe70c4bc|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive.|Documentation
| |IAM User Policy Without MFA
b5681959-6c09-4f55-b42b-c40fa12d03ec|Insecure Configurations|Check if the root user is authenticated with MFA|Documentation
| |Redshift Publicly Accessible
af173fde-95ea-4584-b904-bb3923ac4bda|Insecure Configurations|Check if 'publicly_accessible' field is true or undefined (default is true)|Documentation
| -|SQS With SSE Disabled
6e8849c1-3aa7-40e3-9063-b85ee300f29f|Insecure Configurations|Amazon Simple Queue Service (SQS) queue is not protecting the contents of their messages using Server-Side Encryption (SSE)|Documentation
| -|S3 Bucket Without Enabled MFA Delete
c5b31ab9-0f26-4a49-b8aa-4cc064392f4d|Insecure Configurations|S3 bucket without enabled MFA Delete|Documentation
| |S3 Bucket Without Versioning
568a4d22-3517-44a6-a7ad-6a7eed88722c|Insecure Configurations|S3 bucket without versioning|Documentation
| -|S3 Bucket Without Encryption
6726dcc0-5ff5-459d-b473-a780bef7665c|Insecure Configurations|S3 bucket should have encryption defined|Documentation
| +|DB Instance Publicly Accessible
35113e6f-2c6b-414d-beec-7a9482d3b2d1|Insecure Configurations|The feature Publicly Accessible must be false|Documentation
| +|SQS With SSE Disabled
6e8849c1-3aa7-40e3-9063-b85ee300f29f|Insecure Configurations|Amazon Simple Queue Service (SQS) queue is not protecting the contents of their messages using Server-Side Encryption (SSE)|Documentation
| +|No Password Policy Enabled
b592ffd4-0577-44b6-bd35-8c5ee81b5918|Insecure Configurations|IAM password policies should be set through the password minimum length and reset password attributes|Documentation
| +|Static Websites Found
42bb6b7f-6d54-4428-b707-666f669d94fb|Insecure Configurations|Checks if any static websties are hosted on buckets|Documentation
| |KMS Key With Vulnerable Policy
7ebc9038-0bde-479a-acc4-6ed7b6758899|Insecure Configurations|Checks if the policy is vulnerable and needs updating.|Documentation
| -|Root Account Has Associated Active Access Keys
970d224d-b42a-416b-81f9-8f4dfe70c4bc|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive.|Documentation
| +|S3 Bucket Without Restriction Of Public Bucket
1ec253ab-c220-4d63-b2de-5b40e0af9293|Insecure Configurations|S3 bucket without restriction of public bucket|Documentation
| |Authentication Without MFA
3ddfa124-6407-4845-a501-179f90c65097|Insecure Configurations|Users should authenticate with MFA (Multi-factor Authentication)|Documentation
| -|COS Node Image Not Used
8a893e46-e267-485a-8690-51f39951de58|Insecure Configurations|A node image, that is not Container-Optimized OS (COS), is used for Kubernetes Engine Clusters Node image|Documentation
| -|Legacy Authorization is Enabled
5baa92d2-d8ee-4c75-88a4-52d9d8bb8067|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'enable_legacy_abac' must not be true|Documentation
| +|Pod Security Policy is Disabled
9192e0f9-eca5-4056-9282-ae2a736a4088|Insecure Configurations|Kubernetes Clusters must have Pod Security Policy controller enabled, which means there must be a 'pod_security_policy_config' with the 'enabled' attribute equal to true|Documentation
| +|IAM Binding Check No Gmail Accounts
9356962e-4a4f-4d06-ac59-dc8008775eaa|Insecure Configurations|Gmail accounts are being used instead of corporate credentials|Documentation
| +|GKE Basic Authentication is Enabled
70cdf849-b7d9-4569-b87d-5d82ffd44719|Insecure Configurations|GCP - Google Kubernetes Engine (GKE) Basic Authentication must be disabled, which means the username and password provided in the master_auth block must be empty|Documentation
| |Network Policy is Disabled
11e7550e-c4b6-472e-adff-c698f157cdd7|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false |Documentation
| |Cluster Labels are Disabled
65c1bc7a-4835-4ac4-a2b6-13d310b0648d|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined|Documentation
| -|Client Certificate is Disabled
73fb21a1-b19a-45b1-b648-b47b1678681e|Insecure Configurations|Kubernetes Clusters must be created with Client Certificate enabled, which means 'master_auth' must have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to true|Documentation
| |Node Auto Upgrade Not Enabled
b139213e-7d24-49c2-8025-c18faa21ecaa|Insecure Configurations|Node 'auto_upgrade' should be enabled for Kubernetes Clusters|Documentation
| -|Pod Security Policy is Disabled
9192e0f9-eca5-4056-9282-ae2a736a4088|Insecure Configurations|Kubernetes Clusters must have Pod Security Policy controller enabled, which means there must be a 'pod_security_policy_config' with the 'enabled' attribute equal to true|Documentation
| -|IP Aliasing is Disabled
c606ba1d-d736-43eb-ac24-e16108f3a9e0|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribut 'ip_allocation_policy' must be defined and, if defined, the attribute 'networking_mode' must be VPC_NATIVE |Documentation
| -|IAM Binding Check No Gmail Accounts
9356962e-4a4f-4d06-ac59-dc8008775eaa|Insecure Configurations|Gmail accounts are being used instead of corporate credentials|Documentation
| |Private Cluster Is Disabled
6ccb85d7-0420-4907-9380-50313f80946b|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_nodes' and 'enable_private_endpoint' must be true|Documentation
| -|GKE Basic Authentication is Enabled
70cdf849-b7d9-4569-b87d-5d82ffd44719|Insecure Configurations|GCP - Google Kubernetes Engine (GKE) Basic Authentication must be disabled, which means the username and password provided in the master_auth block must be empty|Documentation
| -|Sensitive Port Is Exposed To Entire Network
594c198b-4d79-41b8-9b36-fde13348b619|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol|Documentation
| -|RDP Is Exposed To The Internet
efbf6449-5ec5-4cfe-8f15-acc51e0d787c|Networking and Firewall|Port 3389 (Remote Desktop) is exposed to the internet|Documentation
| -|SSH Is Exposed To The Internet
3e3c175e-aadf-4e2b-a464-3fdac5748d24|Networking and Firewall|Port 22 (SSH) is exposed to the internet|Documentation
| -|Redis Publicly Accessible
5089d055-53ff-421b-9482-a5267bdce629|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from other Azure sources|Documentation
| -|SQLServer Ingress from Any IP
25c0ea09-f1c5-4380-b055-3b83863f2bb8|Networking and Firewall|Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255.|Documentation
| -|Redis Entirely Accessible
fd8da341-6760-4450-b26c-9f6d8850575e|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from the Internet|Documentation
| -|Public Storage Account
17f75827-0684-48f4-8747-61129c7e4198|Networking and Firewall|Check if 'network_rules' is open to public.|Documentation
| -|'SSH' (TCP:22) in Public Scope
65905cec-d691-4320-b320-2000436cb696|Networking and Firewall|SSH' (TCP:22) should not be public in AWS Security Group|Documentation
| -|Sensitive Port Is Exposed To Entire Network
381c3f2a-ef6f-4eff-99f7-b169cda3422c|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol|Documentation
| +|Legacy Authorization is Enabled
5baa92d2-d8ee-4c75-88a4-52d9d8bb8067|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'enable_legacy_abac' must not be true|Documentation
| +|Client Certificate is Disabled
73fb21a1-b19a-45b1-b648-b47b1678681e|Insecure Configurations|Kubernetes Clusters must be created with Client Certificate enabled, which means 'master_auth' must have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to true|Documentation
| +|COS Node Image Not Used
8a893e46-e267-485a-8690-51f39951de58|Insecure Configurations|A node image, that is not Container-Optimized OS (COS), is used for Kubernetes Engine Clusters Node image|Documentation
| +|IP Aliasing is Disabled
c606ba1d-d736-43eb-ac24-e16108f3a9e0|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribut 'ip_allocation_policy' must be defined and, if defined, the attribute 'networking_mode' must be VPC_NATIVE |Documentation
| +|Redis Not Updated Regularly
b947809d-dd2f-4de9-b724-04d101c515aa|Insecure Configurations|Redis Cache is not configured to be updated regularly with security and operational updates|Documentation
| +|Azurerm Container Registry With No Locks
a187ac47-8163-42ce-8a63-c115236be6fb|Insecure Configurations|Azurerm Container Registry Must Contain Associated Locks |Documentation
| +|VM Not Attached To Network
bbf6b3df-4b65-4f87-82cc-da9f30f8c033|Insecure Configurations|No Network Security Group is attached to the Virtual Machine|Documentation
| +|Network Watcher Flow Disabled
b90842e5-6779-44d4-9760-972f4c03ba1c|Insecure Configurations|Check if enable field in the resource azurerm_network_watcher_flow_log is false.|Documentation
| +|SSL Connection Is Enabled
73e42469-3a86-4f39-ad78-098f325b4e9f|Insecure Configurations|Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled|Documentation
| +|AD Admin Not Configured For SQL Server
a3a055d2-9a2e-4cc9-b9fb-12850a1a3a4b|Insecure Configurations|The Active Directory Administrator is not configured for a SQL server|Documentation
| +|CosmosDB Account Ip Range Filter Not Setted
c2a3efb6-8a58-481c-82f2-bfddf34bb4b7|Insecure Configurations|The Ip Range Must Contain Ips|Documentation
| +|Trusted Microsoft Services Not Enabled
5400f379-a347-4bdd-a032-446465fdcc6f|Insecure Configurations|Trusted MIcrosoft Services are not enabled for Storage Account access|Documentation
| +|DB Security Group Has Public IP
f0d8781f-99bf-4958-9917-d39283b168a0|Networking and Firewall|The CIDR IP must not be Public|Documentation
| |Remote Desktop Port Open
151187cb-0efc-481c-babd-ad24e3c9bc22|Networking and Firewall|The remote desktop port is open|Documentation
| +|'SSH' (TCP:22) in Public Scope
65905cec-d691-4320-b320-2000436cb696|Networking and Firewall|SSH' (TCP:22) should not be public in AWS Security Group|Documentation
| +|ALB protocol is HTTP
de7f5e83-da88-4046-871f-ea18504b1d43|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP|Documentation
| |HTTP Port Open
ffac8a12-322e-42c1-b9b9-81ff85c39ef7|Networking and Firewall|HTTP port is open to the internet|Documentation
| -|DB Security Group Higher than 256
4f615f3e-fb9c-4fad-8b70-2e9f781806ce|Networking and Firewall|DB Security CIDR must be lower than 256 (/24)|Documentation
| -|DB Security Group Has Public IP
f0d8781f-99bf-4958-9917-d39283b168a0|Networking and Firewall|The CIDR IP must not be Public|Documentation
| +|Sensitive Port Is Exposed To Entire Network
381c3f2a-ef6f-4eff-99f7-b169cda3422c|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol|Documentation
| |Fully Open Ingress
4728cd65-a20c-49da-8b31-9c08b423e4db|Networking and Firewall|Security groups allow ingress from 0.0.0.0:0|Documentation
Documentation
| -|Default Security Group Does Not Restrict All Traffic
46883ce1-dc3e-4b17-9195-c6a601624c73|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic.|Documentation
| -|Unknown Port Exposed To Internet
590d878b-abdc-428f-895a-e2b68a0e1998|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet|Documentation
| +|DB Security Group Higher than 256
4f615f3e-fb9c-4fad-8b70-2e9f781806ce|Networking and Firewall|DB Security CIDR must be lower than 256 (/24)|Documentation
| +|EKS Cluster Has Public Access CIDRs
61cf9883-1752-4768-b18c-0d57f2737709|Networking and Firewall|Amazon EKS public endpoint is enables and accessible to all: 0.0.0.0/0"|Documentation
| |DB Security Group With Public Scope
1e0ef61b-ad85-4518-a3d3-85eaad164885|Networking and Firewall|The CIDR must be diferent than 0.0.0.0/0|Documentation
| +|Unknown Port Exposed To Internet
590d878b-abdc-428f-895a-e2b68a0e1998|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet|Documentation
| |Route53 Record Undefined
25db74bf-fa3b-44da-934e-8c3e005c0453|Networking and Firewall|Check if Record is set|Documentation
| -|EKS Cluster Has Public Access CIDRs
61cf9883-1752-4768-b18c-0d57f2737709|Networking and Firewall|Amazon EKS public endpoint is enables and accessible to all: 0.0.0.0/0"|Documentation
| -|ALB protocol is HTTP
de7f5e83-da88-4046-871f-ea18504b1d43|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP|Documentation
| +|Default Security Group Does Not Restrict All Traffic
46883ce1-dc3e-4b17-9195-c6a601624c73|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic.|Documentation
| |Cloud SQL DB Is Publicly Accessible
b187edca-b81e-4fdc-aff4-aab57db45edb|Networking and Firewall|Check if any Cloud SQL instances are publicly accessible.|Documentation
| -|Vault with disabled Audit
38c71c00-c177-4cd7-8d36-cd1007cdb190|Observability|Ensure that logging for Azure KeyVault is 'Enabled'|Documentation
| +|Sensitive Port Is Exposed To Entire Network
594c198b-4d79-41b8-9b36-fde13348b619|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol|Documentation
| +|Redis Publicly Accessible
5089d055-53ff-421b-9482-a5267bdce629|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from other Azure sources|Documentation
| +|SQLServer Ingress from Any IP
25c0ea09-f1c5-4380-b055-3b83863f2bb8|Networking and Firewall|Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255.|Documentation
| +|SSH Is Exposed To The Internet
3e3c175e-aadf-4e2b-a464-3fdac5748d24|Networking and Firewall|Port 22 (SSH) is exposed to the internet|Documentation
| +|Redis Entirely Accessible
fd8da341-6760-4450-b26c-9f6d8850575e|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from the Internet|Documentation
| +|Public Storage Account
17f75827-0684-48f4-8747-61129c7e4198|Networking and Firewall|Check if 'network_rules' is open to public.|Documentation
| +|RDP Is Exposed To The Internet
efbf6449-5ec5-4cfe-8f15-acc51e0d787c|Networking and Firewall|Port 3389 (Remote Desktop) is exposed to the internet|Documentation
| |KMS Key No Deletion Window
0b530315-0ea4-497f-b34c-4ff86268f59d|Observability|AWS KMS Key should have a valid deletion window|Documentation
| |Config Configuration Aggregator All Regions Not Enabled
ac5a0bc0-a54c-45aa-90c3-15f7703b9132|Observability|AWS Config Configuration Aggregator All Regions must be set to True|Documentation
| |CloudTrail Logging Disabled
4bb76f17-3d63-4529-bdca-2b454529d774|Observability|Checks if we have enabled logging in the CloudTrail|Documentation
| |Stackdriver Monitoring is Disabled
30e8dfd2-3591-4d19-8d11-79e93106c93d|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must be defined and different than 'none'|Documentation
| -|Cloud Storage Bucket Logging Not Enabled
d6cabc3a-d57e-48c2-b341-bf3dd4f4a120|Observability|Cloud storage bucket with logging not enabled|Documentation
| |Stackdriver Logging is Disabled
4c7ebcb2-eae2-461e-bc83-456ee2d4f694|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must be defined and different from 'none'|Documentation
| -|IAM Audit Logging Has Not Proper Config
89fe890f-b480-460c-8b6b-7d8b1468adb4|Observability|Audit Logging Configuration is defective|Documentation
| +|Cloud Storage Bucket Logging Not Enabled
d6cabc3a-d57e-48c2-b341-bf3dd4f4a120|Observability|Cloud storage bucket with logging not enabled|Documentation
| |Object Versioning Not Enabled
e7e961ac-d17e-4413-84bc-8a1fbe242944|Observability|Object Versioning Not Enabled on Cloud Storage Bucket|Documentation
| +|IAM Audit Logging Has Not Proper Config
89fe890f-b480-460c-8b6b-7d8b1468adb4|Observability|Audit Logging Configuration is defective|Documentation
| +|Vault with disabled Audit
38c71c00-c177-4cd7-8d36-cd1007cdb190|Observability|Ensure that logging for Azure KeyVault is 'Enabled'|Documentation
| |SQL Database disabled Audit
83a229ba-483e-47c6-8db7-dc96969bce5a|Resource Management|Ensure that 'Threat Detection' is enabled for Azure SQL Database|Documentation
| +|S3 Bucket Rules With Master Key Id Null
ad03cb46-f174-4674-bf8e-2880a7000edd|Secret Management|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required|Documentation
| +|EFS Without KMS Key ID
25d251f3-f348-4f95-845c-1090e41a615c|Secret Management|Elastic File System (EFS) must have KMS Key ID|Documentation
| |Check Secret Expiration Is Set
dfa20ffa-f476-428f-a490-424b41e91c7f|Secret Management|Make sure that for all secrets the expiration date is set|Documentation
| |Check Key Expiration Is Set
4d080822-5ee2-49a4-8984-68f3d4c890fc|Secret Management|Make sure that for all keys the expiration date is set|Documentation
| |Logging Disabled For Key Vault
bb2d6cbc-b3af-4da7-9b1c-d91652dd9ead|Secret Management|Logging for Azure Key Vault is disabled|Documentation
| -|EFS Without KMS Key ID
25d251f3-f348-4f95-845c-1090e41a615c|Secret Management|Elastic File System (EFS) must have KMS Key ID|Documentation
| -|S3 Bucket Rules With Master Key Id Null
ad03cb46-f174-4674-bf8e-2880a7000edd|Secret Management|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required|Documentation
| ### **Medium** | Query |Category|Description|Help| |-----------------------------|---|---|---| -|Container Has Allowed Capabilities
fe771ff7-ba15-4f8f-ad7a-8aa232b49a28|Access Control|Kubernetes Pod should not have extra capabilities allowed|Documentation
| -|Container Allow Privilege Escalation Is True
c878abb4-cca5-4724-92b9-289be68bd47c|Access Control|Admission of privileged containers should be minimized|Documentation
| -|Default Network Access is Allowed
9be09caf-2ba4-4fa9-9787-a670dc32c639|Access Control|Default Network Access rule for Storage Accounts must be set to deny, which means the attribute 'default_action' must be 'Deny'|Documentation
| -|SQS Policy Allows ALL (*) Actions
816ea8cf-d589-442d-a917-2dd0ce0e45e3|Access Control|SQS policy allows ALL (*) actions|Documentation
| -|SQS Policy With Public Access
730675f9-52ed-49b6-8ead-0acb5dd7df7f|Access Control|SQS policy with public access|Documentation
| |Google Project IAM Member Service Account has Token Creator or Account User Role
c68b4e6d-4e01-4ca1-b256-1e18e875785c|Access Control|Verifies if Google Poject IAM Member Service Account doesn't have a Account User or Token Creator associated|Documentation
| -|IAM Policies With Full Privileges
2f37c4a3-58b9-4afe-8a87-d7f1d2286f84|Access Control|IAM policies that allow full administrative privileges (for all resources)|Documentation
| +|SQS Policy Allows ALL (*) Actions
816ea8cf-d589-442d-a917-2dd0ce0e45e3|Access Control|SQS policy allows ALL (*) actions|Documentation
| |Google Project IAM Member Service Account Has Admin Role
84d36481-fd63-48cb-838e-635c44806ec2|Access Control|Verifies that Google Project IAM Member Service Account doesn't have an Admin Role associated|Documentation
| +|IAM Policies With Full Privileges
2f37c4a3-58b9-4afe-8a87-d7f1d2286f84|Access Control|IAM policies that allow full administrative privileges (for all resources)|Documentation
| +|SNS Topic is Publicly Accessible For Subscription
b26d2b7e-60f6-413d-a3a1-a57db24aa2b3|Access Control|This query checks if SNS Topic is Accessible For Subscription|Documentation
| +|SQS Policy With Public Access
730675f9-52ed-49b6-8ead-0acb5dd7df7f|Access Control|SQS policy with public access|Documentation
| |Google Project IAM Binding Service Account has Token Creator or Account User Role
617ef6ff-711e-4bd7-94ae-e965911b1b40|Access Control|Verifies if Google Project IAM Binding Service Account doesn't have an Account User or Token Creator Role associated|Documentation
| -|S3 Bucket Allows Public ACL
d0cc8694-fcad-43ff-ac86-32331d7e867f|Access Control|S3 bucket allows public ACL|Documentation
| |IAM Policy Allows All ('*') In Policy Statement
575a2155-6af1-4026-b1af-d5bc8fe2a904|Access Control|IAM policies allow all ('*') in a statement action|Documentation
| -|SNS Topic is Publicly Accessible For Subscription
b26d2b7e-60f6-413d-a3a1-a57db24aa2b3|Access Control|This query checks if SNS Topic is Accessible For Subscription|Documentation
| +|S3 Bucket Allows Public ACL
d0cc8694-fcad-43ff-ac86-32331d7e867f|Access Control|S3 bucket allows public ACL|Documentation
| +|Container Allow Privilege Escalation Is True
c878abb4-cca5-4724-92b9-289be68bd47c|Access Control|Admission of privileged containers should be minimized|Documentation
| +|Container Has Allowed Capabilities
fe771ff7-ba15-4f8f-ad7a-8aa232b49a28|Access Control|Kubernetes Pod should not have extra capabilities allowed|Documentation
| |Cloud Storage Anonymous or Publicly Accessible
a6cd52a1-3056-4910-96a5-894de9f3f3b3|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'members' must not possess 'allUsers' or 'allAuthenticatedUsers'|Documentation
| +|Default Network Access is Allowed
9be09caf-2ba4-4fa9-9787-a670dc32c639|Access Control|Default Network Access rule for Storage Accounts must be set to deny, which means the attribute 'default_action' must be 'Deny'|Documentation
| |ElastiCache Nodes Are Not Created Across Multi AZ
6db03a91-f933-4f13-ab38-a8b87a7de54d|Availability|Check if ElastiCache nodes are not being created across multi AZ|Documentation
| -|RDS Without Backup
1dc73fb4-5b51-430c-8c5f-25dcf9090b02|Backup|RDS configured without backup|Documentation
| |Stack Retention Is Disabled
6e0e2f68-3fd9-4cd8-a5e4-e2213ef0df97|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction|Documentation
| +|RDS Without Backup
1dc73fb4-5b51-430c-8c5f-25dcf9090b02|Backup|RDS configured without backup|Documentation
| |Insecure SSL Is Enabled For GitHub Organization Webhook
ce7c874e-1b88-450b-a5e4-cb76ada3c8a9|Encryption|Check if insecure SSL is being used in the GitHub organization webhooks|Documentation
| -|Redis Cache Allows Non SSL Connections
e29a75e6-aba3-4896-b42d-b87818c16b58|Encryption|Check if any Redis Cache resource allows non-SSL connections.|Documentation
| -|Ensure Encryption on Disk
a99130ab-4c0e-43aa-97f8-78d4fcb30024|Encryption|Ensure that the encryption is active on the disk|Documentation
| -|Google KMS Crypto Key Rotation Period Not Recommended
d8c57c4e-bf6f-4e32-a2bf-8643532de77b|Encryption|Make sure Encryption keys change after 90 days|Documentation
| -|Image is not scanned
9630336b-3fed-4096-8173-b9afdfe346a7|Encryption|Checks if the Image has been scanned|Documentation
| +|Config Rule For Encrypted Volumes Is Disabled
abdb29d4-5ca1-4e91-800b-b3569bbd788c|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source.|Documentation
| |Google Compute SSL Policy Weak Cipher Suits is Enabled
14a457f0-473d-4d1d-9e37-6d99b355b336|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers|Documentation
| -|API Gateway Content Encoding
ed35928e-195c-4405-a252-98ccb664ab7b|Encryption|Enable Content Encoding through the attribute 'minimum_compression_size'. This value should be greater than -1 and smaller than 10485760|Documentation
| |Neptune Cluster Not Encrypted
98d59056-f745-4ef5-8613-32bca8d40b7e|Encryption|Check if Neptune Cluster Storage is securely encrypted|Documentation
| +|API Gateway Content Encoding
ed35928e-195c-4405-a252-98ccb664ab7b|Encryption|Enable Content Encoding through the attribute 'minimum_compression_size'. This value should be greater than -1 and smaller than 10485760|Documentation
| +|Google KMS Crypto Key Rotation Period Not Recommended
d8c57c4e-bf6f-4e32-a2bf-8643532de77b|Encryption|Make sure Encryption keys change after 90 days|Documentation
| |ElasticSearch Not Encrypted At Rest
24e16922-4330-4e9d-be8a-caa90299466a|Encryption|Check if ElasticSearch encryption is disabled at Rest|Documentation
| +|Image is not scanned
9630336b-3fed-4096-8173-b9afdfe346a7|Encryption|Checks if the Image has been scanned|Documentation
| |ElasticSearch Encryption With KMS Is Disabled
7af2f4a3-00d9-47f3-8d15-ca0888f4e5b2|Encryption|Check if any ElasticSearch domain isn't encrypted with KMS|Documentation
| -|Config Rule For Encrypted Volumes Is Disabled
abdb29d4-5ca1-4e91-800b-b3569bbd788c|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source.|Documentation
| |VM CSEK Encryption Is Disabled
b1d51728-7270-4991-ac2f-fc26e2695b38|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK), which means the attribute 'disk_encryption_key' must be defined and its sub attribute 'sha256' must also be defined and not empty|Documentation
| -|IAM Password Without Reuse Prevention
89806cdc-9c2e-4bd1-a0dc-53f339bcfb2a|Insecure Configuarations|Check if IAM account password has the reuse password configured with 24|Documentation
| +|Ensure Encryption on Disk
a99130ab-4c0e-43aa-97f8-78d4fcb30024|Encryption|Ensure that the encryption is active on the disk|Documentation
| +|Redis Cache Allows Non SSL Connections
e29a75e6-aba3-4896-b42d-b87818c16b58|Encryption|Check if any Redis Cache resource allows non-SSL connections.|Documentation
| |Public Repository Is Enabled
15d8a7fd-465a-4d15-a868-add86552f17b|Insecure Configurations|Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private')|Documentation
| -|Container Host Pid Is True
587d5d82-70cf-449b-9817-f60f9bccb88c|Insecure Configurations|Minimize the admission of containers wishing to share the host process ID namespace|Documentation
| -|Container Resources Not Defined
60af03ff-a421-45c8-b214-6741035476fa|Insecure Configurations|Kubernetes container should have resource limitations defined such as CPU and memory|Documentation
| -|Container Read-Only Root Filesystem Is False
d532566b-8d9d-4f3b-80bd-361fe802f9c2|Insecure Configurations|Container's root filesystem should be read-only|Documentation
| -|AKS Network Policy Misconfigured
f5342045-b935-402d-adf1-8dbbd09c0eef|Insecure Configurations|Check if the Azure Kubernetes Service doesn't have the proper network policy configuration.|Documentation
| -|Log Retention Is Greater Than 90 Days
7750fcca-dd03-4d38-b663-4b70289bcfd4|Insecure Configurations|Flow logs enable capturing information about IP traffic flowing in and out of the network security groups. Network Security Group Flow Logs must be enabled with retention period greater than or equal to 90 days. This is important, because these logs are used to check for anomalies and give information of suspected breaches|Documentation
| -|Cosmos DB Account No Tags
56dad03e-e94f-4dd6-93a4-c253a03ff7a0|Insecure Configurations|Cosmos DB Account must have a mapping of tags.|Documentation
| -|Security Center Pricing Tier Is Not Standard
819d50fd-1cdf-45c3-9936-be408aaad93e|Insecure Configurations|Make sure that the 'Standard' pricing tiers were selected.|Documentation
| -|SQL Server Predictable Admin Account Name
2ab6de9a-0136-415c-be92-79d2e4fd750f|Insecure Configurations|Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'administrator_login' must be set to a name that is not easy to predict|Documentation
| -|Kube Dashboard Is Enabled
61c3cb8b-0715-47e4-b788-86dde40dd2db|Insecure Configurations|Check if the Kubernetes Dashboard is enabled.|Documentation
| -|SQL Server Predictable Active Directory Account Name
bcd3fc01-5902-4f2a-b05a-227f9bbf5450|Insecure Configurations|Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'login' must be set to a name that is not easy to predict|Documentation
| -|Security Group is Not Configured
5c822443-e1ea-46b8-84eb-758ec602e844|Insecure Configurations|Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty|Documentation
| -|Instance With No VPC
a31a5a29-718a-4ff4-8001-a69e5e4d029e|Insecure Configurations|Instance should be configured in VPC (Virtual Private Cloud)|Documentation
| -|IAM Access Key Is Exposed
7081f85c-b94d-40fd-8b45-a4f1cac75e46|Insecure Configurations|Check if IAM Access Key is active for some user besides 'root'|Documentation
| -|IAM Password Without Uppercase Letter
c5ff7bc9-d8ea-46dd-81cb-8286f3222249|Insecure Configurations|Check if IAM account password has at least one uppercase letter|Documentation
| -|MQ Broker Is Publicly Accessible
4eb5f791-c861-4afd-9f94-f2a6a3fe49cb|Insecure Configurations|Check if any MQ Broker is not publicly accessible|Documentation
| -|Google Storage Bucket Level Access is Enabled
bb0db090-5509-4853-a827-75ced0b3caa0|Insecure Configurations|Validates if the Google Storage Bucket Level Access is Enabled|Documentation
| +|CloudFormation Without Template
91bea7b8-0c31-4863-adc9-93f6177266c4|Insecure Configurations|AWS CloudFormation should have a template defined through the attribute template_url or attribute template_body|Documentation
| |Organizations SCPs All Features Not Enabled
5ba6229c-8057-433e-91d0-21cf13569ca9|Insecure Configurations|Check if the Amazon Organizations' policies ensure that all features are enabled to achieve full control over the use of AWS services and actions across multiple AWS accounts using Service Control Policies (SCPs).|Documentation
| +|Google Storage Bucket Level Access is Enabled
bb0db090-5509-4853-a827-75ced0b3caa0|Insecure Configurations|Validates if the Google Storage Bucket Level Access is Enabled|Documentation
| +|MQ Broker Is Publicly Accessible
4eb5f791-c861-4afd-9f94-f2a6a3fe49cb|Insecure Configurations|Check if any MQ Broker is not publicly accessible|Documentation
| |AMI Shared To Multiple Accounts
ba4e0031-3e9d-4d7d-b0d6-bd8f003f8698|Insecure Configurations|Limits access to AWS AMIs by checking if more than one account is using the same image|Documentation
| -|Public Lambda via API Gateway
3ef8696c-e4ae-4872-92c7-520bb44dfe77|Insecure Configurations|Allowing to run lambda function using public API Gateway|Documentation
| -|IAM Password Without Lowercase Letter
bbc7c137-6c7b-4fc4-984a-0c88e91fcaf9|Insecure Configurations|Check if IAM account password has at least one lowercase letter|Documentation
| +|IAM Password Without Reuse Prevention
89806cdc-9c2e-4bd1-a0dc-53f339bcfb2a|Insecure Configurations|Check if IAM account password has the reuse password configured with 24|Documentation
| +|IAM Password Without Valid Minimum Length
1bc1c685-e593-450e-88fb-19db4c82aa1d|Insecure Configurations|Check if IAM account password has the required minimum length|Documentation
| +|IAM Password Without Uppercase Letter
c5ff7bc9-d8ea-46dd-81cb-8286f3222249|Insecure Configurations|Check if IAM account password has at least one uppercase letter|Documentation
| |Google Container Node Pool Auto Repair is Disabled
acfdbec6-4a17-471f-b412-169d77553332|Insecure Configurations|Verifies if Google Conatiner Node Pool Auto Repair is Enabled|Documentation
| -|CloudFormation Without Template
91bea7b8-0c31-4863-adc9-93f6177266c4|Insecure Configurations|AWS CloudFormation should have a template defined through the attribute template_url or attribute template_body|Documentation
| +|IAM Password Without Lowercase Letter
bbc7c137-6c7b-4fc4-984a-0c88e91fcaf9|Insecure Configurations|Check if IAM account password has at least one lowercase letter|Documentation
| +|Instance With No VPC
a31a5a29-718a-4ff4-8001-a69e5e4d029e|Insecure Configurations|Instance should be configured in VPC (Virtual Private Cloud)|Documentation
| +|IAM Password Without Symbols
7a70eed6-de3a-4da2-94da-a2bbc8fe2a48|Insecure Configurations|Check if IAM account password has the required symbols|Documentation
| +|IAM Access Key Is Exposed
7081f85c-b94d-40fd-8b45-a4f1cac75e46|Insecure Configurations|Check if IAM Access Key is active for some user besides 'root'|Documentation
| |Unchangeable password
9ef7d25d-9764-4224-9968-fa321c56ef76|Insecure Configurations|Unchangeable passwords in AWS password policy|Documentation
| +|Public Lambda via API Gateway
3ef8696c-e4ae-4872-92c7-520bb44dfe77|Insecure Configurations|Allowing to run lambda function using public API Gateway|Documentation
| |EKS Cluster Has Public Access
42f4b905-3736-4213-bfe9-c0660518cda8|Insecure Configurations|Amazon EKS public endpoint shoud be set to false|Documentation
| -|IAM Password Without Valid Minimum Length
1bc1c685-e593-450e-88fb-19db4c82aa1d|Insecure Configurations|Check if IAM account password has the required minimum length|Documentation
| -|IAM Password Without Symbols
7a70eed6-de3a-4da2-94da-a2bbc8fe2a48|Insecure Configurations|Check if IAM account password has the required symbols|Documentation
| -|Serial Ports Are Enabled For VM Instances
97fa667a-d05b-4f16-9071-58b939f34751|Insecure Configurations|Check if VM instance enables serial ports|Documentation
| -|Cloud DNS without DNSSEC
5ef61c88-bbb4-4725-b1df-55d23c9676bb|Insecure Configurations|Cloud DNS without DNSSEC|Documentation
| -|Project-wide SSH Keys Are Enabled In VM Instances
3e4d5ce6-3280-4027-8010-c26eeea1ec01|Insecure Configurations|Check if SSH keys are enabled project-wide in VM instances|Documentation
| -|Shielded VM is Disabled
1b44e234-3d73-41a8-9954-0b154135280e|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true|Documentation
| +|Container Read-Only Root Filesystem Is False
d532566b-8d9d-4f3b-80bd-361fe802f9c2|Insecure Configurations|Container's root filesystem should be read-only|Documentation
| +|Container Host Pid Is True
587d5d82-70cf-449b-9817-f60f9bccb88c|Insecure Configurations|Minimize the admission of containers wishing to share the host process ID namespace|Documentation
| +|Container Resources Not Defined
60af03ff-a421-45c8-b214-6741035476fa|Insecure Configurations|Kubernetes container should have resource limitations defined such as CPU and memory|Documentation
| |OSLogin Is Disabled For VM Instance
d0b4d550-c001-46c3-bbdb-d5d75d33f05f|Insecure Configurations|Check if any VM instance disables OSLogin|Documentation
| |Using Default Service Account
3cb4af0b-056d-4fb1-8b95-fdc4593625ff|Insecure Configurations|Instances must not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account' and its sub attribute 'email' must be defined. Additionally, 'email' must not be empty and must also not be a default Google Compute Engine service account.|Documentation
| |Google Project Auto Create Network Is Disabled
59571246-3f62-4965-a96f-c7d97e269351|Insecure Configurations|Verifies if the Google Project Auto Create Network is Disabled|Documentation
| -|SQL Server Accessibility Is Not Minimal
d7ba74da-2da0-4d4b-83c8-2fd72a3f6c28|Networking and Firewall|Azure SQL Server Accessibility must be set to a minimal address range, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' must be lesser than 256. Additionally, both ips must be different from '0.0.0.0'|Documentation
| -|Firewall Rule Allows Too Many Hosts To Access Redis Cache
a829b715-cf75-4e92-b645-54c9b739edfb|Networking and Firewall|Check if any firewall rule allows too many hosts to access Redis Cache|Documentation
| -|Sensitive Port Is Exposed To Small Public Network
e9dee01f-2505-4df2-b9bf-7804d1fd9082|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for small public network in either TCP or UDP protocol|Documentation
| -|WAF Is Disabled For Azure Application Gateway
2e48d91c-50e4-45c8-9312-27b625868a72|Networking and Firewall|Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway.|Documentation
| -|Sensitive Port Is Exposed To Wide Private Network
c6c7b33d-d7f6-4ab8-8c82-ca0431ecdb7e|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for wide private network in either TCP or UDP protocol|Documentation
| -|Sensitive Port Is Exposed To Small Public Network
e35c16a2-d54e-419d-8546-a804d8e024d0|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a small public network in either TCP or UDP protocol|Documentation
| +|Shielded VM is Disabled
1b44e234-3d73-41a8-9954-0b154135280e|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true|Documentation
| +|Project-wide SSH Keys Are Enabled In VM Instances
3e4d5ce6-3280-4027-8010-c26eeea1ec01|Insecure Configurations|Check if SSH keys are enabled project-wide in VM instances|Documentation
| +|Serial Ports Are Enabled For VM Instances
97fa667a-d05b-4f16-9071-58b939f34751|Insecure Configurations|Check if VM instance enables serial ports|Documentation
| +|Cloud DNS without DNSSEC
5ef61c88-bbb4-4725-b1df-55d23c9676bb|Insecure Configurations|Cloud DNS without DNSSEC|Documentation
| +|Security Center Pricing Tier Is Not Standard
819d50fd-1cdf-45c3-9936-be408aaad93e|Insecure Configurations|Make sure that the 'Standard' pricing tiers were selected.|Documentation
| +|Log Retention Is Greater Than 90 Days
7750fcca-dd03-4d38-b663-4b70289bcfd4|Insecure Configurations|Flow logs enable capturing information about IP traffic flowing in and out of the network security groups. Network Security Group Flow Logs must be enabled with retention period greater than or equal to 90 days. This is important, because these logs are used to check for anomalies and give information of suspected breaches|Documentation
| +|AKS Network Policy Misconfigured
f5342045-b935-402d-adf1-8dbbd09c0eef|Insecure Configurations|Check if the Azure Kubernetes Service doesn't have the proper network policy configuration.|Documentation
| +|Cosmos DB Account No Tags
56dad03e-e94f-4dd6-93a4-c253a03ff7a0|Insecure Configurations|Cosmos DB Account must have a mapping of tags.|Documentation
| +|Security Group is Not Configured
5c822443-e1ea-46b8-84eb-758ec602e844|Insecure Configurations|Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty|Documentation
| +|SQL Server Predictable Active Directory Account Name
bcd3fc01-5902-4f2a-b05a-227f9bbf5450|Insecure Configurations|Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'login' must be set to a name that is not easy to predict|Documentation
| +|SQL Server Predictable Admin Account Name
2ab6de9a-0136-415c-be92-79d2e4fd750f|Insecure Configurations|Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'administrator_login' must be set to a name that is not easy to predict|Documentation
| +|Kube Dashboard Is Enabled
61c3cb8b-0715-47e4-b788-86dde40dd2db|Insecure Configurations|Check if the Kubernetes Dashboard is enabled.|Documentation
| +|API Gateway Endpoint Config is Private
6b2739db-9c49-4db7-b980-7816e0c248c1|Networking and Firewall|Type of Endpoint Configuration is Private|Documentation
| |API Gateway Without SSL Certificate
0b4869fc-a842-4597-aa00-1294df425440|Networking and Firewall|SSL Client Certificate should be enabled in aws_api_gateway_stage resource|Documentation
| +|Sensitive Port Is Exposed To Small Public Network
e35c16a2-d54e-419d-8546-a804d8e024d0|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a small public network in either TCP or UDP protocol|Documentation
| |SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
54c417bf-c762-48b9-9d31-b3d87047e3f0|Networking and Firewall|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it.|Documentation
| -|API Gateway Endpoint Config is Private
6b2739db-9c49-4db7-b980-7816e0c248c1|Networking and Firewall|Type of Endpoint Configuration is Private|Documentation
| |Sensitive Port Is Exposed To Wide Private Network
92fe237e-074c-4262-81a4-2077acb928c1|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a wide private network in either TCP or UDP protocol|Documentation
| -|IP Forwarding is Enabled
f34c0c25-47b4-41eb-9c79-249b4dd47b89|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true|Documentation
| -|RDP Access Is Not Restricted
678fd659-96f2-454a-a2a0-c2571f83a4a3|Networking and Firewall|Check if Google Firewall ingress allows RDP access (port 3389)|Documentation
| |SSH Access Is Not Restricted From The Internet
c4dcdcdf-10dd-4bf4-b4a0-8f6239e6aaa0|Networking and Firewall|Check if Google Firewall allows SSH access (port 22) from the Internet (public CIDR block)|Documentation
| -|Log Duration Is Not Set
16e0879a-c4ae-4ff8-a67d-a2eed5d67b8f|Observability|Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON'|Documentation
| -|SQL Audit Retention
59acb56b-2b10-4c2c-ba38-f2223c3f5cfc|Observability|Make sure for SQL Servers that Auditing Retention is greater than 90 days|Documentation
| -|Log Retention Is Not Set
ffb02aca-0d12-475e-b77c-a726f7aeff4b|Observability|Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON'|Documentation
| -|SQL Server Auditing Is Enabled
f7e296b0-6660-4bc5-8f87-22ac4a815edf|Observability|Make sure that for SQL Servers, 'Auditing' is set to 'On'|Documentation
| -|PostgreSQL Server Without Connection Throttling
2b3c671f-1b76-4741-8789-ed1fe0785dc4|Observability|Ensure that Connection Throttling is set for the PostgreSQL server|Documentation
| -|PostgreSQL Logs Checkpoints Is On
3790d386-be81-4dcf-9850-eaa7df6c10d9|Observability|Make sure that for Postgre SQL Database Server, parameter 'log_checkpoints' is set to 'ON'|Documentation
| -|Email Alerts Are Disabled
9db38e87-f6aa-4b5e-a1ec-7266df259409|Observability|Make sure that alerts notifications are set to 'On' in the Azure Security Center Contact|Documentation
| -|PostgreSQL DB Server Log Retention Is Low
261a83f8-dd72-4e8c-b5e1-ebf06e8fe606|Observability|Check if PostgreSQL Database Server retains logs for less than 3 Days|Documentation
| -|Log Connections Is Not Set
c640d783-10c5-4071-b6c1-23507300d333|Observability|Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON'|Documentation
| -|MSSQL Audit Retention
9c301481-e6ec-44f7-8a49-8ec63e2969ea|Observability|Make sure that for MSSQL Server, the Auditing Retention is greater than 90 days|Documentation
| -|MSSQL Server Auditing Is Enabled
609839ae-bd81-4375-9910-5bce72ae7b92|Observability|Make sure that for MSSQL Servers, that 'Auditing' is set to 'On'|Documentation
| -|Log Disconnections Is Not Set
07f7134f-9f37-476e-8664-670c218e4702|Observability|Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON'|Documentation
| -|CloudFormation Stack Notifications Disabled
b72d0026-f649-4c91-a9ea-15d8f681ac09|Observability|Enable AWS CloudFormation Stack Notifications|Documentation
| -|Elasticsearch Without Slow Logs
e979fcbc-df6c-422d-9458-c33d65e71c45|Observability|Ensure that AWS Elasticsearch enables support for slow logs|Documentation
| +|RDP Access Is Not Restricted
678fd659-96f2-454a-a2a0-c2571f83a4a3|Networking and Firewall|Check if Google Firewall ingress allows RDP access (port 3389)|Documentation
| +|IP Forwarding is Enabled
f34c0c25-47b4-41eb-9c79-249b4dd47b89|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true|Documentation
| +|Firewall Rule Allows Too Many Hosts To Access Redis Cache
a829b715-cf75-4e92-b645-54c9b739edfb|Networking and Firewall|Check if any firewall rule allows too many hosts to access Redis Cache|Documentation
| +|WAF Is Disabled For Azure Application Gateway
2e48d91c-50e4-45c8-9312-27b625868a72|Networking and Firewall|Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway.|Documentation
| +|Sensitive Port Is Exposed To Small Public Network
e9dee01f-2505-4df2-b9bf-7804d1fd9082|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for small public network in either TCP or UDP protocol|Documentation
| +|SQL Server Accessibility Is Not Minimal
d7ba74da-2da0-4d4b-83c8-2fd72a3f6c28|Networking and Firewall|Azure SQL Server Accessibility must be set to a minimal address range, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' must be lesser than 256. Additionally, both ips must be different from '0.0.0.0'|Documentation
| +|Sensitive Port Is Exposed To Wide Private Network
c6c7b33d-d7f6-4ab8-8c82-ca0431ecdb7e|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for wide private network in either TCP or UDP protocol|Documentation
| +|MQ Broker Has Disabled General Or Audit Logging
31245f98-a6a9-4182-9fc1-45482b9d030a|Observability|Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general).|Documentation
| |Redshift Cluster Logging Disabled
15ffbacc-fa42-4f6f-a57d-2feac7365caa|Observability|Make sure Logging is enabled for Redshift Cluster|Documentation
| -|API Gateway Without Cloudwatch Log
982aa526-6970-4c59-8b9b-2ce7e019fe36|Observability|AWS CloudWatch Logs for APIs is not enabled|Documentation
| -|GuardDuty Detector Disabled
704dadd3-54fc-48ac-b6a0-02f170011473|Observability|Make sure that Amazon GuardDuty is Enabled|Documentation
| |CloudWatch Logging Is Disabled
7dbba512-e244-42dc-98bb-422339827967|Observability|Check if CloudWatch logging is disabled for Route53 hosted zones|Documentation
| -|Cloud Trail Multi Region Disabled
8173d5eb-96b5-4aa6-a71b-ecfa153c123d|Observability|Check if MultiRegion is Enabled|Documentation
| -|Cloudfront Logging is Disabled
94690d79-b3b0-43de-b656-84ebef5753e5|Observability|AWS Cloudfront distributions must be have logging enabled, which means the attribute 'logging_config' must be defined|Documentation
| +|MSK Cluster Logging Disabled
2f56b7ab-7fba-4e93-82f0-247e5ddeb239|Observability|Ensure MSK Cluster Logging is enabled|Documentation
| +|Elasticsearch Without Slow Logs
e979fcbc-df6c-422d-9458-c33d65e71c45|Observability|Ensure that AWS Elasticsearch enables support for slow logs|Documentation
| +|CloudFormation Stack Notifications Disabled
b72d0026-f649-4c91-a9ea-15d8f681ac09|Observability|Enable AWS CloudFormation Stack Notifications|Documentation
| +|Default VPC Exists
96ed3526-0179-4c73-b1b2-372fde2e0d13|Observability|It isn't recommended to use resources in default VPC|Documentation
| |VPC Flow Logs Disabled
f83121ea-03da-434f-9277-9cd247ab3047|Observability|Sees if the id of the flow logs is the same as the vpc, if they are VPC flow logs are Enabled|Documentation
| +|API Gateway Without Cloudwatch Log
982aa526-6970-4c59-8b9b-2ce7e019fe36|Observability|AWS CloudWatch Logs for APIs is not enabled|Documentation
| |API Gateway X-Ray Disabled
5813ef56-fa94-406a-b35d-977d4a56ff2b|Observability|Xray Tracing is not enabled|Documentation
| -|CloudWatch Without Retention Period Specified
ef0b316a-211e-42f1-888e-64efe172b755|Observability|AWS CloudWatch Log groups should have retention days specified|Documentation
| -|MSK Cluster Logging Disabled
2f56b7ab-7fba-4e93-82f0-247e5ddeb239|Observability|Ensure MSK Cluster Logging is enabled|Documentation
| +|Cloudfront Logging is Disabled
94690d79-b3b0-43de-b656-84ebef5753e5|Observability|AWS Cloudfront distributions must be have logging enabled, which means the attribute 'logging_config' must be defined|Documentation
| |CloudWatch Metrics Not Enabled
081069cb-588b-4ce1-884c-2a1ce3029fe5|Observability|Enable the CloudWatch Metrics|Documentation
| +|CloudWatch Without Retention Period Specified
ef0b316a-211e-42f1-888e-64efe172b755|Observability|AWS CloudWatch Log groups should have retention days specified|Documentation
| +|Cloud Trail Multi Region Disabled
8173d5eb-96b5-4aa6-a71b-ecfa153c123d|Observability|Check if MultiRegion is Enabled|Documentation
| |CloudTrail SNS Topic Name Is Undefined
482b7d26-0bdb-4b5f-bf6f-545826c0a3dd|Observability|Check if SNS topic name is set for CloudTrail|Documentation
| |Google Compute Subnetwork Logs are Disabled
40430747-442d-450a-a34f-dc57149f4609|Observability|This query checks if logs are enabled for google compute subnetwork|Documentation
| -|MQ Broker Has Disabled General Or Audit Logging
31245f98-a6a9-4182-9fc1-45482b9d030a|Observability|Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general).|Documentation
| -|Default VPC Exists
96ed3526-0179-4c73-b1b2-372fde2e0d13|Observability|It isn't recommended to use resources in default VPC|Documentation
| +|GuardDuty Detector Disabled
704dadd3-54fc-48ac-b6a0-02f170011473|Observability|Make sure that Amazon GuardDuty is Enabled|Documentation
| +|SQL Server Auditing Is Enabled
f7e296b0-6660-4bc5-8f87-22ac4a815edf|Observability|Make sure that for SQL Servers, 'Auditing' is set to 'On'|Documentation
| +|PostgreSQL Logs Checkpoints Is On
3790d386-be81-4dcf-9850-eaa7df6c10d9|Observability|Make sure that for Postgre SQL Database Server, parameter 'log_checkpoints' is set to 'ON'|Documentation
| +|MSSQL Audit Retention
9c301481-e6ec-44f7-8a49-8ec63e2969ea|Observability|Make sure that for MSSQL Server, the Auditing Retention is greater than 90 days|Documentation
| +|Log Disconnections Is Not Set
07f7134f-9f37-476e-8664-670c218e4702|Observability|Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON'|Documentation
| +|MSSQL Server Auditing Is Enabled
609839ae-bd81-4375-9910-5bce72ae7b92|Observability|Make sure that for MSSQL Servers, that 'Auditing' is set to 'On'|Documentation
| +|PostgreSQL DB Server Log Retention Is Low
261a83f8-dd72-4e8c-b5e1-ebf06e8fe606|Observability|Check if PostgreSQL Database Server retains logs for less than 3 Days|Documentation
| +|SQL Audit Retention
59acb56b-2b10-4c2c-ba38-f2223c3f5cfc|Observability|Make sure for SQL Servers that Auditing Retention is greater than 90 days|Documentation
| +|Log Duration Is Not Set
16e0879a-c4ae-4ff8-a67d-a2eed5d67b8f|Observability|Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON'|Documentation
| +|Log Connections Is Not Set
c640d783-10c5-4071-b6c1-23507300d333|Observability|Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON'|Documentation
| +|Log Retention Is Not Set
ffb02aca-0d12-475e-b77c-a726f7aeff4b|Observability|Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON'|Documentation
| +|Email Alerts Are Disabled
9db38e87-f6aa-4b5e-a1ec-7266df259409|Observability|Make sure that alerts notifications are set to 'On' in the Azure Security Center Contact|Documentation
| +|PostgreSQL Server Without Connection Throttling
2b3c671f-1b76-4741-8789-ed1fe0785dc4|Observability|Ensure that Connection Throttling is set for the PostgreSQL server|Documentation
| |CloudFormation Without Stack Policy
2f01fb2d-828a-499d-b98e-b83747305052|Resource Management|AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions|Documentation
| |Incorrect Password Policy Expiration
ce60d060-efb8-4bfd-9cf7-ff8945d00d90|Secret Management|No password exeration policy|Documentation
| @@ -244,17 +244,17 @@ This page contains all queries from Terraform, classified by severity level. | Query |Category|Description|Help| |-----------------------------|---|---|---| -|IAM Role Allows Public Assume
bcdcbdc6-a350-4855-ae7c-d1e6436f7c97|Access Control|IAM role allows All services or principals to assume it|Documentation
| |IAM Role Allows All Principals To Assume
12b7e704-37f0-4d1e-911a-44bf60c48c21|Access Control|IAM role allows all services or principals to assume it|Documentation
| +|IAM Role Allows Public Assume
bcdcbdc6-a350-4855-ae7c-d1e6436f7c97|Access Control|IAM role allows All services or principals to assume it|Documentation
| |S3 Bucket With All Permissions
a4966c4f-9141-48b8-a564-ffe9959945bc|Encryption|S3 Buckets must not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion|Documentation
| +|IAM Policies Attached To User
b4378389-a9aa-44ee-91e7-ef183f11079e|Insecure Configurations|IAM policies should be attached only to groups or roles|Documentation
| |S3 Bucket With Ignore Public ACL
4fa66806-0dd9-4f8d-9480-3174d39c7c91|Insecure Configurations|S3 bucket with ignore public ACL|Documentation
| |Open Access To Resources Through API
108aa260-6dab-4a75-ae3f-de917d634840|Insecure Configurations|Open access to back-end resources through API|Documentation
| -|IAM Policies Attached To User
b4378389-a9aa-44ee-91e7-ef183f11079e|Insecure Configurations|IAM policies should be attached only to groups or roles|Documentation
| |Cloudfront Without WAF
1419b4c6-6d5c-4534-9cf6-6a5266085333|Networking and Firewall|CloudFront Distribution without WAF enabled|Documentation
| |S3 Bucket Without Logging
f861041c-8c9f-4156-acfc-5e6e524f5884|Observability|S3 bucket without logging|Documentation
| |Missing Cluster Log Types
66f130d9-b81d-4e8e-9b08-da74b9c891df|Observability|Amazon EKS control plane logging don't enabled for all log types|Documentation
| -|Hardcoded AWS access key
d7b9d850-3e06-4a75-852f-c46c2e92240b|Secret Management|Hard-coded AWS access key / secret key exists in EC2 user data|Documentation
| |Lambda Hardcoded AWS Access Key
1402afd8-a95c-4e84-8b0b-6fb43758e6ce|Secret Management|Lambda hardcoded AWS access/secret keys|Documentation
| +|Hardcoded AWS access key
d7b9d850-3e06-4a75-852f-c46c2e92240b|Secret Management|Hard-coded AWS access key / secret key exists in EC2 user data|Documentation
| ### **Info** From 25b8695b1a4dd234d88b56b09acd1c8dbf82d350 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rog=C3=A9rio=20Peixoto?= Date: Wed, 10 Mar 2021 11:33:37 +0000 Subject: [PATCH 2/2] trigger workflows --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 6bc727e888e..2469ef23f69 100644 --- a/README.md +++ b/README.md @@ -62,6 +62,7 @@ Or contact KICS core team at [kics@checkmarx.com](mailto:kics@checkmarx.com) **Keeping Infrastructure as Code Secure!** + --- © 2021 Checkmarx Ltd. All Rights Reserved.