Queries List

This page contains all queries.

Query Platform Severity Category Description Help
S3 Bucket Allows Delete Action From All Principals
acc78859-765e-4011-a229-a65ea57db252
CloudFormation High Access Control S3 Buckets must not allow Delete Actions From All Principals, so as to prevent leaking private information to the entire internet or allowing unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals. Documentation
S3 Bucket ACL Allows Read to All Users
219f4c95-aa50-44e0-97de-cf71f4641170
CloudFormation High Access Control S3 Buckets should not be readable and writable to all users Documentation
S3 Bucket ACL Allows Read Or Write to All Users
07dda8de-d90d-469e-9b37-1aca53526ced
CloudFormation High Access Control S3 Buckets should not be readable and writable to all users Documentation
S3 Bucket Access to Any Principal
7772bb8c-c0f3-42d4-8e4e-f1b8939ad085
CloudFormation High Access Control The S3 Bucket should not have (accessPublicBlock empty or accessPublicBlock.ignorePublicAcls = false or accessPublicBlock.restrictPublicBuckets = false) and (policy.Statement contains [Effect='Allow' and (Principal='' or Principal.AWS='')]) Documentation
S3 Bucket Allows List Action From All Principals
faa8fddf-c0aa-4b2d-84ff-e993e233ebe9
CloudFormation High Access Control S3 Buckets must not allow List Actions From All Principals, so as to prevent leaking private information to the entire internet or allowing unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals. Documentation
S3 Bucket Allows Put Action From All Principals
f6397a20-4cf1-4540-a997-1d363c25ef58
CloudFormation High Access Control S3 Buckets must not allow Put Actions From All Principals, so as to prevent leaking private information to the entire internet or allowing unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals. Documentation
S3 Bucket With All Permissions
4ae8af91-5108-42cb-9471-3bdbe596eac9
CloudFormation High Access Control S3 Buckets must not grant all permissions, so as to prevent leaking private information to the entire internet or allowing unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals. Documentation
S3 Bucket ACL Allows Read to Any Authenticated User
835d5497-a526-4aea-a23f-98a9afd1635f
CloudFormation High Access Control S3 Buckets should not be readable and writable to all users Documentation
S3 Bucket Allows Get Action From All Principals
f97b7d23-568f-4bcc-9ac9-02df0d57fbba
CloudFormation High Access Control S3 Buckets must not allow Get Actions From All Principals, so as to prevent leaking private information to the entire internet or allowing unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals. Documentation
ECS Service Admin Role Is Present
01986452-bdd8-4aaa-b5df-d6bf61d616ff
CloudFormation High Access Control ECS Services must not have Admin roles, which means the attribute 'role' must not be an admin role Documentation
Lambda Functions With Full Privileges
a0ae0a4e-712b-4115-8112-51b9eeed9d69
CloudFormation High Access Control AWS Lambda Functions should not have roles with policies granting full administrative privileges. Documentation
S3 Bucket Allows Restore Actions From All Principals
456b00a3-1072-4149-9740-6b8bb60251b0
CloudFormation High Access Control S3 Buckets must not allow Restore Actions From All Principals, so as to prevent leaking private information to the entire internet or allowing unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Restore, for all Principals. Documentation
IAM Policies With Full Privileges
953b3cdb-ce13-428a-aa12-318726506661
CloudFormation High Access Control IAM policies shouldn't allow full administrative privileges Documentation
User Data Shell Script Is Encoded
48c3bc58-6959-4f27-b647-4fedeace23be
CloudFormation High Encryption User Data Shell Script must be encoded Documentation
Viewer Protocol Policy Allows HTTP
31733ee2-fef0-4e87-9778-65da22a8ecf1
CloudFormation High Encryption Ensure that the Viewer Protocol is only HTTPS Compliant Documentation
ElastiCache With Disabled Transit Encryption
3b02569b-fc6f-4153-b3a3-ba91022fed68
CloudFormation High Encryption Ensure AWS ElastiCache Redis clusters have encryption for data in transit enabled Documentation
MSK Cluster Encryption Disabled
a976d63f-af0e-46e8-b714-8c1a9c4bf768
CloudFormation High Encryption Ensure MSK Cluster encryption at rest and in transit is enabled. Documentation
ELB Using Insecure Protocols
61a94903-3cd3-4780-88ec-fc918819b9c8
CloudFormation High Encryption ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the ELB Listeners must not have Policies that possess Protocols that coincide with any of a predefined list of insecure protocols. Documentation
S3 Bucket Without SSL In Write Actions
38c64e76-c71e-4d92-a337-60174d1de1c9
CloudFormation High Encryption S3 Buckets should enforce encryption of data transfers using Secure Sockets Layer (SSL) Documentation
DynamoDB With Aws Owned CMK
c8dee387-a2e6-4a73-a942-183c975549ac
CloudFormation High Encryption AWS DynamoDB should be encrypted using an AWS-managed CMK instead of an AWS-owned CMK. To verify this, check SSEEnabled: false means an AWS-owned CMK, true means an AWS-managed CMK. The default value is false. Documentation
S3 Bucket Without Server-side-encryption
b2e8752c-3497-4255-98d2-e4ae5b46bbf5
CloudFormation High Encryption S3 Buckets should have server-side encryption at rest enabled to protect sensitive data Documentation
S3 Bucket SSE Disabled
64ab651b-f5b2-4af0-8c89-ddd03c4d0e61
CloudFormation High Encryption If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required Documentation
SageMaker Data Encryption Disabled
709e6da6-fa1f-44cc-8f17-7f25f96dadbe
CloudFormation High Encryption Amazon SageMaker's Notebook Instance must have its Data Encryption enabled, which means the attribute 'KmsKeyId' must be defined and not empty or null. Documentation
User Data Contains Encoded Private Key
568cc372-ca64-420d-9015-ee347d00d288
CloudFormation High Encryption User Data Base64 contains an encoded RSA Private Key Documentation
Memcached Disabled
dd0971a6-09c3-4168-8474-a7ef8fbfd99d
CloudFormation High Encryption Check if Memcached is disabled on ElastiCache Documentation
CloudTrail Log Files Not Encrypted
050a9ba8-d1cb-4c61-a5e8-8805a70d3b85
CloudFormation High Encryption Logs delivered by CloudTrail should be encrypted using KMS Documentation
Secure Ciphers Disabled
be96849c-3df6-49c2-bc16-778a7be2519c
CloudFormation High Encryption Check if secure ciphers aren't used in CloudFront Documentation
ElastiCache With Disabled at Rest Encryption
e4ee3903-9225-4b6a-bdfb-e62dbadef821
CloudFormation High Encryption Ensure AWS ElastiCache Redis clusters have encryption for data at rest enabled Documentation
Connection Between CloudFront Origin Not Encrypted
a5366a50-932f-4085-896b-41402714a388
CloudFormation High Encryption Checks if the connection between the CloudFront and the origin server is encrypted Documentation
Redshift Not Encrypted
3b316b05-564c-44a7-9c3f-405bb95e211e
CloudFormation High Encryption AWS Redshift Cluster should be encrypted Documentation
EFS Not Encrypted
2ff8e83c-90e1-4d68-a300-6d652112e622
CloudFormation High Encryption Amazon Elastic Filesystem should have filesystem encryption enabled Documentation
IAM Database Auth Not Enabled
9fcd0a0a-9b6f-4670-a215-d94e6bf3f184
CloudFormation High Encryption IAM Database Auth Enabled must be configured to true Documentation
ECS Cluster Not Encrypted At Rest
6c131358-c54d-419b-9dd6-1f7dd41d180c
CloudFormation High Encryption Ensure that AWS ECS clusters are encrypted. Data encryption at rest prevents unauthorized users from accessing sensitive data on your AWS ECS clusters and associated cache storage systems. Documentation
CloudFormation Specifying Credentials Not Safe
9ecb6b21-18bc-4aa7-bd07-db20f1c746db
CloudFormation High Encryption Specifying credentials in the template itself is probably not safe to do. Documentation
RDS Storage Not Encrypted
5beacce3-4020-4a3d-9e1d-a36f953df630
CloudFormation High Encryption AWS RDS DB Instance should be encrypted Documentation
CMK Unencrypted Storage
ffee2785-c347-451e-89f3-11aeb08e5c84
CloudFormation High Encryption Ensure that storage is encrypted by KMS on instances that, based on their name, might host a database. Documentation
ELB Using Weak Ciphers
809f77f8-d10e-4842-a84f-3be7b6ff1190
CloudFormation High Encryption ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the ELB Listeners must not have Policies that possess Ciphers that coincide with any of a predefined list of weak ciphers. Documentation
EFS Without KMS
6d087495-2a42-4735-abf7-02ef5660a7e6
CloudFormation High Encryption Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys Documentation
ECS Task Definition Container With Plaintext Password
f9b10cdb-eaab-4e39-9793-e12b94a582ad
CloudFormation High Encryption It's not recommended to use plaintext environment variables for sensitive information, such as credential data. Documentation
Redshift Cluster Without KMS CMK
de76a0d6-66d5-45c9-9022-f05545b85c78
CloudFormation High Encryption AWS Redshift Cluster should have KMS CMK defined Documentation
ELB Without SSL
80908a75-586b-4c61-ab04-490f4f4525b8
CloudFormation High Encryption Check if the ELB is set up with SSL for secure communication Documentation
Kinesis SSE Not Configured
7f65be75-90ab-4036-8c2a-410aef7bb650
CloudFormation High Encryption AWS Kinesis Stream should have SSE (Server Side Encryption) defined Documentation
Root Account Has Active Access Keys
4c137350-7307-4803-8c04-17c09a7a9fcf
CloudFormation High Insecure Configurations Check if the root user has any access keys associated with it. Documentation
S3 Static Website Host Enabled
90501b1b-cded-4cc1-9e8b-206b85cda317
CloudFormation High Insecure Configurations It is dangerous to disable block public access settings on a bucket or to write a bucket policy that grants public read access Documentation
CloudFront Without Minimum Protocol TLS 1.2
dc17ee4b-ddf2-4e23-96e8-7a36abad1303
CloudFormation High Insecure Configurations CloudFront Minimum Protocol version should be at least TLS 1.2 Documentation
Batch Job Definition With Privileged Container Properties
76ddf32c-85b1-4808-8935-7eef8030ab36
CloudFormation High Insecure Configurations Batch Job Definition should not have Privileged Container Properties Documentation
API Gateway Without Security Policy
8275fab0-68ec-4705-bbf4-86975edb170e
CloudFormation High Insecure Configurations API Gateway should have a Security Policy defined and use TLS 1.2. Documentation
KMS Key With Vulnerable Policy
da905474-7454-43c0-b8d2-5756ab951aba
CloudFormation High Insecure Configurations Checks if the policy is vulnerable and needs updating Documentation
Redshift Publicly Accessible
bdf8dcb4-75df-4370-92c4-606e4ae6c4d3
CloudFormation High Insecure Configurations AWS Redshift Clusters must not be publicly accessible, which means the attribute 'PubliclyAccessible' must be set to false Documentation
ECS Task Definition Network Mode Not Recommended
027a4b7a-8a59-4938-a04f-ed532512cf45
CloudFormation High Insecure Configurations Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations Documentation
DB Security Group Has Public IP
de38e1d5-54cb-4111-a868-6f7722695007
CloudFormation High Insecure Configurations RDS must not be defined with a public interface, which means the attribute 'PubliclyAccessible' must be set to false. Documentation
Vulnerable Default SSL Certificate
b4d9c12b-bfba-4aeb-9cb8-2358546d8041
CloudFormation High Insecure Defaults CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one. Documentation
Permissive Web ACL Default Action
6d64f311-3da6-45f3-80f1-14db9771ea40
CloudFormation High Insecure Defaults WebAcl DefaultAction should not be ALLOW Documentation
EC2 Public Instance Exposed Through Subnet
c44c95fc-ae92-4bb8-bdf8-bb9bc412004a
CloudFormation High Networking and Firewall EC2 instances with public IP addresses shouldn't allow for unrestricted traffic to their subnets Documentation
EC2 Sensitive Port Is Publicly Exposed
494b03d3-bf40-4464-8524-7c56ad0700ed
CloudFormation High Networking and Firewall The EC2 instance has a sensitive port connection exposed to the entire network Documentation
Security Group With Unrestricted Access To SSH
6e856af2-62d7-4ba2-adc1-73b62cef9cc1
CloudFormation High Networking and Firewall Security Groups allows all traffic for SSH (port:22) Documentation
HTTP Port Open
ddfc4eaa-af23-409f-b96c-bf5c45dc4daa
CloudFormation High Networking and Firewall The HTTP port is open in a Security Group Documentation
Security Groups Allows Unrestricted Outbound Traffic
66f2d8f9-a911-4ced-ae27-34f09690bb2c
CloudFormation High Networking and Firewall No security group should allow unrestricted egress access Documentation
SageMaker Notebook Not Placed In VPC
9c7028d9-04c2-45be-b8b2-1188ccaefb36
CloudFormation High Networking and Firewall SageMaker Notebook must be placed in a VPC Documentation
EC2 Network ACL Overlapping Ports
77b6f1e2-bde4-4a6a-ae7e-a40659ff1576
CloudFormation High Networking and Firewall NetworkACL Entries are reusing or overlapping ports which may create ineffective rules Documentation
DB Security Group with Public Scope
9564406d-e761-4e61-b8d7-5926e3ab8e79
CloudFormation High Networking and Firewall The IP address in a DB Security Group must not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). Documentation
Remote Desktop Port Open
c9846969-d066-431f-9b34-8c4abafe422a
CloudFormation High Networking and Firewall The Remote Desktop port is open in a Security Group Documentation
ALB Listening on HTTP
275a3217-ca37-40c1-a6cf-bb57d245ab32
CloudFormation High Networking and Firewall All Application Load Balancers (ALB) should block connection requests over HTTP Documentation
Security Group Unrestricted Access To RDP
3ae83918-7ec7-4cb8-80db-b91ef0f94002
CloudFormation High Networking and Firewall Security Groups should not allow 0.0.0.0/0 for RDP (port:3389) Documentation
ELB Sensitive Port Is Exposed To Entire Network
78055456-f670-4d2e-94d5-392d1cf4f5e4
CloudFormation High Networking and Firewall The load balancer of the application with a sensitive port connection is exposed to the entire internet. Documentation
Security Groups With Exposed Admin Ports
cdbb0467-2957-4a77-9992-7b55b29df7b7
CloudFormation High Networking and Firewall Security Groups should not have ports open in (20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389) Documentation
Unknown Port Exposed To Internet
829ce3b8-065c-41a3-ad57-e0accfea82d2
CloudFormation High Networking and Firewall AWS Security Group should not have an unknown port exposed to the entire Internet Documentation
Default Security Groups With Unrestricted Traffic
ea33fcf7-394b-4d11-a228-985c5d08f205
CloudFormation High Networking and Firewall Default Security Groups must deny all traffic. Documentation
Route53 Record Undefined
24d932e1-91f0-46ea-836f-fdbd81694151
CloudFormation High Networking and Firewall Route53 HostedZone must have the Record Set defined. Documentation
Fully Open Ingress
e415f8d3-fc2b-4f52-88ab-1129e8c8d3f5
CloudFormation High Networking and Firewall ECS Service's security group should not allow unrestricted access to all ports from all IPv4 addresses Documentation
Security Groups With Meta IP
adcd0082-e90b-4b63-862b-21899f6e6a48
CloudFormation High Networking and Firewall Security Groups allows 0.0.0.0/0 for all ports and protocols. Documentation
DB Security Group Open To Large Scope
0104165b-02d5-426f-abc9-91fb48189899
CloudFormation High Networking and Firewall The IP address in a DB Security Group must not have more than 256 hosts. Documentation
CMK Rotation Disabled
1c07bfaf-663c-4f6f-b22b-8e2d481e4df5
CloudFormation High Observability Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'EnableKeyRotation' must be set to 'true' when the key is enabled. Documentation
CloudTrail Logging Disabled
5c0b06d5-b7a4-484c-aeb0-75a836269ff0
CloudFormation High Observability Checks if logging is enabled for CloudTrail. Documentation
S3 Bucket CloudTrail Logging Disabled
c3ce69fd-e3df-49c6-be78-1db3f802261c
CloudFormation High Observability Server Access Logging must be enabled on S3 Buckets so that all changes are logged and trackable when the Service used is CloudTrail Documentation
Configuration Aggregator to All Regions Disabled
9f3cf08e-72a2-4eb1-8007-e3b1b0e10d4d
CloudFormation High Observability AWS Config Configuration Aggregator All Regions must be set to True Documentation
SNS Topic Publicity Has Allow and NotAction Simultaneously
818f38ed-8446-4132-9c03-474d49e10195
CloudFormation Medium Access Control SNS topic Publicity should not have Allow and NotAction at the same time; if it has Allow, it should have Action Documentation
IAM Policy On User
e4239438-e639-44aa-adb8-866e400e3ade
CloudFormation Medium Access Control IAM policies should be applied to groups and not to users Documentation
SQS Queue Policy Allows NotPrincipal
4a8fc9a2-2b2f-4b3f-aa8d-401425872034
CloudFormation Medium Access Control Checks if an SQS Queue policy has an Allow and a NotPrincipal. AWS strongly recommends against using NotPrincipal in the same policy statement as "Effect": "Allow". Documentation
ECR Repository Is Publicly Accessible
75be209d-1948-41f6-a8c8-e22dd0121134
CloudFormation Medium Access Control Amazon ECR image repositories shouldn't have public access Documentation
SQS Policy With Public Access
9b6a3f5b-5fd6-40ee-9bc0-ed604911212d
CloudFormation Medium Access Control Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue Documentation
Empty Roles For ECS Cluster Task Definitions
7f384a5f-b5a2-4d84-8ca3-ee0a5247becb
CloudFormation Medium Access Control Check if any ECS cluster has not defined proper roles for services' task definitions. Documentation
KMS Allows Wildcard Principal
f6049677-ec4a-43af-8779-5190b6d03cba
CloudFormation Medium Access Control KMS should not allow the Principal parameter to be set as * Documentation
EC2 Network ACL Ineffective Denied Traffic
2623d682-dccb-44cd-99d0-54d9fd62f8f2
CloudFormation Medium Access Control Ineffective deny rules. A deny rule should be applied to all IP addresses. Documentation
EC2 Instance Has No IAM Role
f914357d-8386-4d56-9ba6-456e5723f9a6
CloudFormation Medium Access Control Check if an EC2 instance refers to an IAM profile, which represents an IAM Role. Documentation
API Gateway Method Does Not Contain An API Key
3641d5b4-d339-4bc2-bfb9-208fe8d3477f
CloudFormation Medium Access Control An API Key should be required on a method request. Documentation
IoT Policy Allows Wildcard Resource
be5b230d-4371-4a28-a441-85dc760e2aa3
CloudFormation Medium Access Control IoT Policy should not allow Resource to be set as * Documentation
Public Lambda via API Gateway
57b12981-3816-4c31-b190-a1e614361dd2
CloudFormation Medium Access Control Allows running a Lambda function through a public API Gateway Documentation
SQS Queue Policy Allows NotAction
4fbfee74-8186-40d5-a24e-4baa76a855de
CloudFormation Medium Access Control AWS SQS Queue Policy should not allow NotAction, since the actions specified in this element are the only actions that are limited Documentation
Lambda Permission Principal Is Wildcard
1d6e16f1-5d8a-4379-bfb3-2dadd38ed5a7
CloudFormation Medium Access Control Lambda Permission Principal should not be wildcard. Documentation
IoT Policy Allows Action as Wildcard
4d32780f-43a4-424a-a06d-943c543576a5
CloudFormation Medium Access Control IoT Policy should not allow Action to be set as * Documentation
ElastiCache Nodes Not Created Across Multi AZ
cfdef2e5-1fe4-4ef4-bea8-c56e08963150
CloudFormation Medium Availability Check if ElastiCache nodes are not being created across multi AZ Documentation
ECS Service Without Running Tasks
79d745f0-d5f3-46db-9504-bef73e9fd528
CloudFormation Medium Availability ECS Service should have at least 1 task running Documentation
EBS Volume Not Attached To Instances
1819ac03-542b-4026-976b-f37addd59f3b
CloudFormation Medium Availability EBS Volumes that are unattached to instances may contain sensitive data Documentation
Auto Scaling Group With No Associated ELB
ad21e616-5026-4b9d-990d-5b007bfe679c
CloudFormation Medium Availability AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'LoadBalancerNames' must be defined and not empty. Documentation
CMK Is Unusable
2844c749-bd78-4cd1-90e8-b179df827602
CloudFormation Medium Availability AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'Enabled' set to true and the attribute 'PendingWindowInDays' must be undefined. Documentation
RDS Multi-AZ Deployment Disabled
2b1d4935-9acf-48a7-8466-10d18bf51a69
CloudFormation Medium Backup AWS RDS Instance should have a multi-az deployment Documentation
RDS With Backup Disabled
8c415f6f-7b90-4a27-a44a-51047e1506f9
CloudFormation Medium Backup Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0, there is no backup Documentation
Stack Retention Disabled
fe974ae9-858e-4991-bbd5-e040a834679f
CloudFormation Medium Backup Make sure that retain_stack is enabled to keep the Stack and its associated resources during resource destruction Documentation
Low RDS Backup Retention Period
e649a218-d099-4550-86a4-1231e1fcb60d
CloudFormation Medium Backup AWS RDS backup retention policy should be at least 7 days Documentation
ECS No Load Balancer Attached
fb2b0ecf-1492-491a-a70d-ba1df579175d
CloudFormation Medium Best Practices Amazon ECS service should be configured to use Load Balancing to distribute traffic evenly across the tasks, which means there must exist at least one LoadBalancer. Documentation
IAM Password Without Symbol
d72a7869-e8b9-4e12-bcd2-e8be10b39fa7
CloudFormation Medium Best Practices IAM user resource Login Profile Password should have at least one symbol Documentation
IAM Managed Policy Applied to a User
0e5872b4-19a0-4165-8b2f-56d9e14b909f
CloudFormation Medium Best Practices Make sure that any managed IAM policies are implemented in a group and not in a user. Documentation
Automatic Minor Upgrades Disabled
f0104061-8bfc-4b45-8a7d-630eb502f281
CloudFormation Medium Best Practices AWS RDS should have automatic minor upgrades enabled, which means the attribute 'AutoMinorVersionUpgrade' must be set to true. Documentation
IAM Password Without Minimum Length
b1b20ae3-8fa7-4af5-a74d-a2145920fcb1
CloudFormation Medium Best Practices IAM user resource Login Profile Password should have at least 14 characters Documentation
IAM Password Without Number
839f238f-2e3a-4a72-b945-8abdf91af955
CloudFormation Medium Best Practices IAM user resource Login Profile Password should have at least one number Documentation
High Access Key Rotation Period
800fa019-49dd-421b-9042-7331fdd83fa2
CloudFormation Medium Best Practices Check if there is a rule that enforces access keys to be rotated within 90 days. Documentation
IAM Password Without Uppercase Letter
445020f6-b69e-4484-847f-02d4b7768902
CloudFormation Medium Best Practices IAM user resource Login Profile Password should have at least one uppercase letter Documentation
IAM Password Without Lowercase Letter
f4cf35d6-da92-48de-ab70-57be2b2e6497
CloudFormation Medium Best Practices IAM user resource Login Profile Password should have at least one lowercase letter Documentation
IAM User Without Password Reset
a964d6e3-8e1e-4d93-8120-61fa640dd55a
CloudFormation Medium Best Practices IAM User Login Profile should exist and have PasswordResetRequired property set to true Documentation
Cognito UserPool Without MFA
74a18d1a-cf02-4a31-8791-ed0967ad7fdc
CloudFormation Medium Best Practices AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined for users Documentation
RDS Storage Encryption Disabled
65844ba3-03a1-40a8-b3dd-919f122e8c95
CloudFormation Medium Encryption RDS DBCluster should have storage encrypted set to true Documentation
Config Rule For Encrypted Volumes Disabled
1b6322d9-c755-4f8c-b804-32c19250f2d9
CloudFormation Medium Encryption Check if AWS config rules do not identify Encrypted Volumes as a source. Documentation
AmazonMQ Broker Encryption Disabled
316278b3-87ac-444c-8f8f-a733a28da60f
CloudFormation Medium Encryption AmazonMQ Broker should have Encryption Options defined Documentation
IAM Group Inline Policies
a58d1a2d-4078-4b80-855b-84cc3f7f4540
CloudFormation Medium Encryption IAM Groups should not use inline policies and instead use managed policies. If a group is deleted, the inline policy is also deleted Documentation
API Gateway Without Content Encoding
d6653eee-2d4d-4e6a-976f-6794a497999a
CloudFormation Medium Encryption Enable Content Encoding through the attribute 'MinimumCompressionSize'. This value should be greater than -1 and smaller than 10485760. Documentation
KMS Key Rotation Disabled
235ca980-eb71-48f4-9030-df0c371029eb
CloudFormation Medium Encryption EnableKeyRotation should not be false or undefined Documentation
ElasticSearch Not Encrypted At Rest
86a248ab-0e01-4564-a82a-878303e253bb
CloudFormation Medium Encryption Check if ElasticSearch encryption is disabled at Rest Documentation
Alexa Skill Plaintext Client Secret Exposed
3c3b7a58-b018-4d07-9444-d9ee7156e111
CloudFormation Medium Encryption Alexa skills' client secrets should not be defined as a plaintext string. They should instead use 'AWS Systems Manager Parameter Store' or 'AWS Secrets Manager' to retrieve sensitive information Documentation
ElasticSearch Encryption With KMS Disabled
d926aa95-0a04-4abc-b20c-acf54afe38a1
CloudFormation Medium Encryption Check if any ElasticSearch domain isn't encrypted with KMS. Documentation
Neptune Database Cluster Encryption Disabled
bf4473f1-c8a2-4b1b-8134-bd32efabab93
CloudFormation Medium Encryption Neptune database cluster storage should have encryption enabled Documentation
EMR Security Configuration Encryption Disabled
5b033ec8-f079-4323-b5c8-99d4620433a9
CloudFormation Medium Encryption EMR SecurityConfiguration should enable and properly configure encryption at rest and in transit. Documentation
Workspace Without Encryption
89827c57-5a8a-49eb-9731-976a606d70db
CloudFormation Medium Encryption Workspaces should have encryption enabled Documentation
Unscanned ECR Image
9025b2b3-e554-4842-ba87-db7aeec36d35
CloudFormation Medium Encryption Checks if the ECR Image has been scanned Documentation
SageMaker EndPoint Config Should Specify KmsKeyId Attribute
44034eda-1c3f-486a-831d-e09a7dd94354
CloudFormation Medium Encryption KmsKeyId attribute should be defined Documentation
EBS Volume Encryption Disabled
80b7ac3f-d2b7-4577-9b10-df7913497162
CloudFormation Medium Encryption EBS volumes should be encrypted Documentation
CodeBuild Not Encrypted
d7467bb6-3ed1-4c82-8095-5e7a818d0aad
CloudFormation Medium Encryption CodeBuild Should have EncryptionKey defined Documentation
Instance With No VPC
8a6d36cd-0bc6-42b7-92c4-67acc8576861
CloudFormation Medium Insecure Configurations EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations. Documentation
Lambda Function Without Tags
8df8e857-bd59-44fa-9f4c-d77594b95b46
CloudFormation Medium Insecure Configurations AWS Lambda Functions must have associated tags. Documentation
Inline Policies Are Attached To ECS Service
9e8c89b3-7997-4d15-93e4-7911b9db99fd
CloudFormation Medium Insecure Configurations Check if any ECS service has inline policies attached, which are embedded directly into an entity (user, group,...), instead of the equivalent recommended managed policies. Documentation
EMR Cluster Without Security Configuration
48af92a5-c89b-4936-bc62-1086fe2bab23
CloudFormation Medium Insecure Configurations EMR Cluster should have security configuration defined. Documentation
ECR Image Tag Not Immutable
33f41d31-86b1-46a4-81f7-9c9a671f59ac
CloudFormation Medium Insecure Configurations ECR image tags should be immutable Documentation
GitHub Repository Set To Public
5906092d-5f74-490d-9a03-78febe0f65e1
CloudFormation Medium Insecure Configurations Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private') Documentation
API Gateway Without SSL Certificate
ed4c48b8-eccc-4881-95c1-09fdae23db25
CloudFormation Medium Insecure Configurations SSL Client Certificate should be enabled Documentation
SageMaker Enabling Internet Access
88d55d94-315d-4564-beee-d2d725feab11
CloudFormation Medium Insecure Configurations SageMaker must have disabled internet access and root access for Creating Notebook Instances. Documentation
IAM User LoginProfile Password Is In Plaintext
06adef8c-c284-4de7-aad2-af43b07a8ca1
CloudFormation Medium Insecure Configurations IAM User LoginProfile Password must not be a plaintext string Documentation
IAM User Has Too Many Access Keys
48677914-6fdf-40ec-80c4-2b0e94079f54
CloudFormation Medium Insecure Configurations Check if any user has more than one access key, which increases the risk of unauthorized access and compromise of credentials. Documentation
MQ Broker Is Publicly Accessible
68b6a789-82f8-4cfd-85de-e95332fe6a61
CloudFormation Medium Insecure Configurations Check if any MQ Broker is not publicly accessible Documentation
Lambda Functions Without Unique IAM Roles
ae03f542-1423-402f-9cef-c834e7ee9583
CloudFormation Medium Insecure Configurations AWS Lambda Functions should not share IAM roles to ensure they will have the minimum privileges needed to perform the required tasks Documentation
EC2 Instance Has Public IP
b3de4e4c-14be-4159-b99d-9ad194365e4c
CloudFormation Medium Insecure Configurations EC2 Subnet should not have MapPublicIpOnLaunch set to true Documentation
API Gateway With Open Access
1056dfbb-5802-4762-bf2b-8b9b9684b1b0
CloudFormation Medium Insecure Configurations API Gateway Method should restrict an authorization type, except for the HTTP OPTIONS method. Documentation
S3 Bucket Should Have Bucket Policy
37fa8188-738b-42c8-bf82-6334ea567738
CloudFormation Medium Insecure Defaults Checks if an S3 Bucket has the same name as a Bucket Policy; if it has, the S3 Bucket has a Bucket Policy associated Documentation
RouterTable with Default Routing
4f0908b9-eb66-433f-9145-134274e1e944
CloudFormation Medium Insecure Defaults In Route Tables, NAT gateways are recommended instead of a default route that permits all traffic. Documentation
TCP/UDP Protocol Network ACL Entry Allows All Ports
f57f849c-883b-4cb7-85e7-f7b199dff163
CloudFormation Medium Networking and Firewall TCP/UDP protocol AWS Network ACL Entry should not allow all ports Documentation
ALB Is Not Integrated With WAF
105ba098-1e34-48cd-b0f2-a8a43a51bf9b
CloudFormation Medium Networking and Firewall All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service Documentation
API Gateway Endpoint Config is Not Private
4a8daf95-709d-4a36-9132-d3e19878fa34
CloudFormation Medium Networking and Firewall The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet Documentation
GameLift Fleet EC2 InboundPermissions With Port Range
43356255-495d-4148-ad8d-f6af5eac09dd
CloudFormation Medium Networking and Firewall AWS GameLift Fleet EC2InboundPermissions should have a single port Documentation
ELB With Security Group Without Inbound Rules
e200a6f3-c589-49ec-9143-7421d4a2c845
CloudFormation Medium Networking and Firewall An AWS Elastic Load Balancer (ELB) shouldn't have security groups without outbound rules Documentation
Security Group Ingress With Port Range
87482183-a8e7-4e42-a566-7a23ec231c16
CloudFormation Medium Networking and Firewall AWS Security Group Ingress should have a single port Documentation
Security Group Egress With Port Range
dae9c373-8287-462f-8746-6f93dad93610
CloudFormation Medium Networking and Firewall AWS Security Group Egress should have a single port Documentation
Unrestricted Security Group Ingress
4a1e6b34-1008-4e61-a5f2-1f7c276f8d14
CloudFormation Medium Networking and Firewall AWS Security Group Ingress CIDR should not be open to the world Documentation
EC2 Permissive Network ACL Protocols
03879981-efa2-47a0-a818-c843e1441b88
CloudFormation Medium Networking and Firewall To avoid opening all ports for Allow rules, EC2 NetworkACL Entry Protocol should be either 6 (for TCP), 17 (for UDP), 1 (for ICMP), or 58 (for ICMPv6, which must include an IPv6 CIDR block, ICMP type, and code). Documentation
Security Group Egress With All Protocols
ee464fc2-54a6-4e22-b10a-c6dcd2474d0c
CloudFormation Medium Networking and Firewall AWS Security Group Egress should not specify all protocols, to prevent allowing traffic on all ports Documentation
Security Group Ingress With All Protocols
1a427b25-2e9e-4298-9530-0499a55e736b
CloudFormation Medium Networking and Firewall AWS Security Group Ingress should not specify all protocols, to prevent allowing traffic on all ports Documentation
Security Groups Without VPC Attached
493d9591-6249-47bf-8dc0-5c10161cc558
CloudFormation Medium Networking and Firewall Security Groups must have a VPC. Documentation
ELB With Security Group Without Outbound Rules
01d5a458-a6c4-452a-ac50-054d59275b7c
CloudFormation Medium Networking and Firewall An AWS Elastic Load Balancer (ELB) shouldn't have security groups without outbound rules Documentation
Security Group Egress CIDR Open To World
1cc2fbd7-816c-4fbf-ad6d-38a4afa4312a
CloudFormation Medium Networking and Firewall AWS Security Group Egress CIDR should not be open to the world Documentation
CloudTrail SNS Topic Name Undefined
3e09413f-471e-40f3-8626-990c79ae63f3
CloudFormation Medium Observability Check if SNS topic name is set for CloudTrail Documentation
CloudTrail Not Integrated With CloudWatch
65d07da5-9af5-44df-8983-52d2e6f24c44
CloudFormation Medium Observability CloudTrail should be integrated with CloudWatch Documentation
API Gateway V2 Stage Access Logging Settings Not Defined
80d45af4-4920-4236-a56e-b7ef419d1941
CloudFormation Medium Observability API Gateway V2 Stage should have Access Logging Settings defined. Documentation
MSK Cluster Logging Disabled
fc7c2c15-f5d0-4b80-adb2-c89019f8f62b
CloudFormation Medium Observability Ensure MSK Cluster Logging is enabled Documentation
API Gateway X-Ray Disabled
4ab10c48-bedb-4deb-8f3b-ff12783b61de
CloudFormation Medium Observability X-Ray Tracing is not enabled Documentation
Redshift Cluster Logging Disabled
3de2d4ff-fe53-4fc9-95d3-2f8a69bf90d6
CloudFormation Medium Observability Make sure Logging is enabled for Redshift Cluster Documentation
Stack Notifications Disabled
837e033c-4717-40bd-807e-6abaa30161b7
CloudFormation Medium Observability Enable AWS CloudFormation Stack Notifications Documentation
ELB Access Log Disabled
ee12ad32-2863-4c0f-b13f-28272d115028
CloudFormation Medium Observability ELB should have access log enabled Documentation
ELBv2 ALB Access Log Disabled
c62e8b7d-1fdf-4050-ac4c-76ba9e1d9621
CloudFormation Medium Observability ELBv2 ALBs should have access log enabled to capture detailed information about requests sent to your load balancer. Documentation
S3 Bucket Without Versioning
a227ec01-f97a-4084-91a4-47b350c1db54
CloudFormation Medium Observability S3 bucket versioning should be enabled Documentation
CloudFront Logging Disabled
de77cd9f-0e8b-46cc-b4a4-b6b436838642
CloudFormation Medium Observability Make sure AWS CloudFront distribution has access log enabled Documentation
CloudWatch Logging Disabled
0f0fb06b-0f2f-4374-8588-f2c7c348c7a0
CloudFormation Medium Observability Check if CloudWatch logging is disabled for Route53 hosted zones Documentation
ElasticSearch Without Slow Logs
086ea2eb-14a6-4fd4-914b-38e0bc8703e8
CloudFormation Medium Observability Ensure that AWS Elasticsearch enables support for slow logs Documentation
GuardDuty Detector Disabled
a25cd877-375c-4121-a640-730929936fac
CloudFormation Medium Observability Make sure that Amazon GuardDuty is Enabled. Documentation
CloudTrail Multi Region Disabled
058ac855-989f-4378-ba4d-52d004020da7
CloudFormation Medium Observability AWS CloudTrail should have IsMultiRegionTrail set to true Documentation
MQ Broker Logging Disabled
e519ed6a-8328-4b69-8eb7-8fa549ac3050
CloudFormation Medium Observability Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general). Documentation
CloudWatch Metrics Disabled
5d3c1807-acb3-4bb0-be4e-0440230feeaf
CloudFormation Medium Observability Checks if CloudWatch Metrics is Enabled Documentation
API Gateway Deployment Without Access Log Setting
06ec63e3-9f72-4fe2-a218-2eb9200b8db5
CloudFormation Medium Observability API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage. Documentation
Amplify App Access Token Exposed
73980e43-f399-4fcc-a373-658228f7adf7
CloudFormation Medium Secret Management Amplify App Access Token must not be in a plain text string or referenced in a parameter as a default value. Documentation
EBS Volume Without KmsKeyId
b7063015-6c31-4658-a8e7-14f98f37fd42
CloudFormation Medium Secret Management EBS Volume should specify a KmsKeyId value Documentation
Amplify App Basic Auth Config Password Exposed
71493c8b-3014-404c-9802-078b74496fb7
CloudFormation Medium Secret Management Amplify App BasicAuthConfig Password must not be a plaintext string or a Ref to a Parameter with a Default value. Documentation
DMS Endpoint MongoDB Settings Password Exposed
f988a17f-1139-46a3-8928-f27eafd8b024
CloudFormation Medium Secret Management DMS Endpoint MongoDbSettings Password must not be a plaintext string or a Ref to a Parameter with a Default value. Documentation
Amplify App OAuth Token Exposed
03b38885-8f4e-480c-a0e4-12c1affd15db
CloudFormation Medium Secret Management Amplify App OAuth Token must not be a plaintext string or a Ref to a Parameter with a Default value. Documentation
Directory Service Simple AD Password Exposed
6685d912-d81f-4cfa-95ad-e316ea31c989
CloudFormation Medium Secret Management DirectoryService SimpleAD password must not be a plaintext string or a Ref to a Parameter with a Default value. Documentation
Amplify Branch Basic Auth Config Password Exposed
dfb56e5d-ee68-446e-b32a-657b62befe69
CloudFormation Medium Secret Management Amplify Branch BasicAuthConfig Password must not be a plaintext string or a Ref to a Parameter with a Default value. Documentation
DocDB Cluster Master Password In Plaintext
39423ce4-9011-46cd-b6b1-009edcd9385d
CloudFormation Medium Secret Management DocDB DB Cluster master user password must not be in a plain text string or referenced in a parameter as a default value. Documentation
Secrets Manager Should Specify KmsKeyId
c8ae9ba9-c2f7-4e5c-b32e-a4b7712d4d22
CloudFormation Medium Secret Management Secrets Manager Secret should explicitly specify KmsKeyId; this allows the secret to be shared cross-account Documentation
SNS Topic Without KmsMasterKeyId
9d13b150-a2ab-42a1-b6f4-142e41f81e52
CloudFormation Medium Secret Management KmsMasterKeyId attribute should not be undefined Documentation
Hardcoded AWS Access Key In Lambda
2564172f-c92b-4261-9acd-464aed511696
CloudFormation Medium Secret Management Lambda hardcoded AWS access/secret keys Documentation
SQS with SSE disabled
12726829-93ed-4d51-9cbe-13423f4299e1
CloudFormation Medium Secret Management AWS SQS Queue should have a KMS Master Key defined Documentation
DMS Endpoint Password Exposed
5f700072-b7ce-4e84-b3f3-497bf1c24a4d
CloudFormation Medium Secret Management DMS Endpoint password must not be a plaintext string or a Ref to a Parameter with a Default value. Documentation
RefreshToken Is Exposed
5b48c507-0d1f-41b0-a630-76817c6b4189
CloudFormation Medium Secret Management Alexa ASK Skill AuthenticationConfiguration RefreshToken should not be a plaintext string Documentation
Directory Service Microsoft AD Password Set to Plaintext or Default Ref
06b9f52a-8cd5-459b-bdc6-21a22521e1be
CloudFormation Medium Secret Management Directory Service Microsoft AD password must not be a plaintext string or a Ref to a Parameter with a Default value. Documentation
IAM User With No Group
06933df4-0ea7-461c-b9b5-104d27390e0e
CloudFormation Low Access Control An IAM user should belong to a group Documentation
Support Has No Role Associated
d71b5fd7-9020-4b2d-9ec8-b3839faa2744
CloudFormation Low Access Control Check if any AWS Support policy does not have any role, user or group associated, which means that it is not being managed. Documentation
IAM Policy Grants 'AssumeRole' Permission Across All Services
e835bd0d-65da-49f7-b6d1-b646da8727e6
CloudFormation Low Access Control Check if any IAM Policy grants 'AssumeRole' permission across all services. Documentation
IAM Role Allows All Principals To Assume
f80e3aa7-7b34-4185-954e-440a6894dde6
CloudFormation Low Access Control IAM role allows all services or principals to assume it Documentation
IAM Policy Grants Full Permissions
f62aa827-4ade-4dc4-89e4-1433d384a368
CloudFormation Low Access Control Check if an IAM policy is granting full permissions to resources from the get-go, instead of granting permissions gradually as necessary. Documentation
VPC Attached With Too Many Gateways
97e94d17-e2c7-4109-a53b-6536ac1bb64e
CloudFormation Low Availability The number of gateways approaches or goes beyond the limit in a particular VPC Documentation
RDS With Deletion Protection Disabled
2c161e58-cb52-454f-abea-6470c37b5e6e
CloudFormation Low Backup RDS DBInstance should have deletion protection set to true Documentation
IAM Policies Without Groups
5e7acff5-095b-40ac-9073-ac2e4ad8a512
CloudFormation Low Best Practices IAM policies should not be attached directly to users; they should be attached to a group Documentation
Security Group Ingress Has CIDR Not Recommended
a3e4e39a-e5fc-4ee9-8cf5-700febfa86dd
CloudFormation Low Best Practices AWS Security Group Ingress CIDR should not be /32 in case of IPV4 or /128 in case of IPV6 Documentation
Lambda Permission Misconfigured
9b83114b-b2a1-4534-990d-06da015e47aa
CloudFormation Low Best Practices Lambda permission may be misconfigured if the action field is not filled in with 'lambda:InvokeFunction' Documentation
Geo Restriction Disabled
7f8843f0-9ea5-42b4-a02b-753055113195
CloudFormation Low Best Practices Geo Restriction feature should be enabled, to restrict or allow access to web application content for users in specific locations Documentation
CDN Configuration Is Missing
e4f54ff4-d352-40e8-a096-5141073c37a2
CloudFormation Low Best Practices A Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination. Documentation
Security Group Rule Without Description
5e6c9c68-8a82-408e-8749-ddad78cbb9c5
CloudFormation Low Best Practices AWS Security Group Rule should have description defined Documentation
IAM Policies Attached To User
edc95c10-7366-4f30-9b4b-f995c84eceb5
CloudFormation Low Best Practices IAM User should embed managed policies instead of inline policies Documentation
DynamoDB With Not Recommended Table Billing Mode
c333e906-8d8b-4275-b999-78b6318f8dc6
CloudFormation Low Build Process Checks if DynamoDB Table Billing Mode is set to either PAY_PER_REQUEST or PROVISIONED Documentation
EFS Without Tags
08e39832-5e42-4304-98a0-aa5b43393162
CloudFormation Low Build Process Amazon Elastic Filesystem should have filesystem tags associated Documentation
Wildcard In ACM Certificate Domain Name
cc8b294f-006f-4f8f-b5bb-0a9140c33131
CloudFormation Low Insecure Configurations ACM Certificate should not use wildcards (*) in the domain name Documentation
Open Access To Resources Through API
60112997-8bd0-4c4c-9140-e5111706ea6f
CloudFormation Low Insecure Configurations Open access to back-end resources through API Documentation
EC2 Network ACL Duplicate Rule
045ddb54-cfc5-4abb-9e05-e427b2bc96fe
CloudFormation Low Networking and Firewall A Network ACL's rule numbers cannot be repeated unless one is egress and the other is ingress Documentation
CloudFront Without WAF
0f139403-303f-467c-96bd-e717e6cfd62d
CloudFormation Low Networking and Firewall All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service Documentation
ECS Task Definition HealthCheck Missing
d24389b4-b209-4ff0-8345-dc7a4569dcdd
CloudFormation Low Observability Amazon ECS must have the HealthCheck property defined to give more control over monitoring the health of tasks Documentation
API Gateway Deployment Without API Gateway UsagePlan Associated
783860a3-6dca-4c8b-81d0-7b62769ccbca
CloudFormation Low Observability API Gateway Deployment should have API Gateway UsagePlan defined and associated. Documentation
SNS Topic is Publicly Accessible For Subscription
ae53ce91-42b5-46bf-a84f-9a13366a4f13
CloudFormation Low Observability Ensure appropriate subscribers to each SNS topic Documentation
S3 Bucket Logging Disabled
4552b71f-0a2a-4bc4-92dd-ed7ec1b4674c
CloudFormation Low Observability Server Access Logging must be enabled on S3 Buckets so that all changes are logged and trackable Documentation
Lambda Functions Without X-Ray Tracing
9488c451-074e-4cd3-aee3-7db6104f542c
CloudFormation Low Observability AWS Lambda functions should have TracingConfig enabled. For this, property 'tracingConfig.mode' should have the value 'Active' Documentation
VPC FlowLogs Disabled
f6d299d2-21eb-41cc-b1e1-fe12d857500b
CloudFormation Low Observability VPC does not have any FlowLog associated Documentation
CloudTrail Log File Validation Disabled
2a3560fe-52ca-4443-b34f-bf0ed5eb74c8
CloudFormation Low Observability CloudTrail log file validation should be enabled Documentation
VPC Without Attached Subnet
3b3b4411-ad1f-40e7-b257-a78a6bb9673a
CloudFormation Low Resource Management VPCs without attached subnets may indicate that they are not being used Documentation
SDB Domain Declared As A Resource
6ea57c8b-f9c0-4ec7-bae3-bd75a9dee27d
CloudFormation Low Resource Management SimpleDB Domain resource should not be declared Documentation
API Gateway Stage Without API Gateway UsagePlan Associated
7f8f1b60-43df-4c28-aa21-fb836dbd8071
CloudFormation Low Resource Management API Gateway Stage should have API Gateway UsagePlan defined and associated. Documentation
ECS Task Definition Invalid CPU or Memory
f4c9b5f5-68b8-491f-9e48-4f96644a1d51
CloudFormation Low Resource Management In ECS Task Definition of FARGATE launch type if you specify an invalid CPU or Memory value, you will receive an error Documentation
VM With Full Cloud Access
bc280331-27b9-4acb-a010-018e8098aa5d
Terraform High Access Control A VM instance is configured to use the default service account with full access to all Cloud APIs Documentation
BigQuery Dataset Is Public
e576ce44-dd03-4022-a8c0-3906acca2ab4
Terraform High Access Control BigQuery dataset is anonymously or publicly accessible Documentation
OSLogin Disabled
32ecd6eb-0711-421f-9627-1a28d9eff217
Terraform High Access Control Verifies that OSLogin is enabled Documentation
Cloud Storage Bucket Is Publicly Accessible
c010082c-76e0-4b91-91d9-6e8439e455dd
Terraform High Access Control Cloud Storage Bucket is anonymously or publicly accessible Documentation
SQL DB Instance Is Publicly Accessible
b187edca-b81e-4fdc-aff4-aab57db45edb
Terraform High Access Control Check if any Cloud SQL instances are publicly accessible. Documentation
S3 Bucket Allows Put Action From All Principals
d24c0755-c028-44b1-b503-8e719c898832
Terraform High Access Control S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals. Documentation
EFS With Vulnerable Policy
fae52418-bb8b-4ac2-b287-0b9082d6a3fd
Terraform High Access Control EFS (Elastic File System) policy should avoid wildcard in 'Action' and 'Principal'. Documentation
S3 Bucket ACL Allows Read Or Write to All Users
38c5ee0d-7f22-4260-ab72-5073048df100
Terraform High Access Control S3 bucket with public READ/WRITE access Documentation
S3 Bucket Access to Any Principal
7af43613-6bb9-4a0e-8c4d-1314b799425e
Terraform High Access Control S3 Buckets must not allow Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when there are All Principals Documentation
S3 Bucket Allows WriteACP Action From All Principals
64a222aa-7793-4e40-915f-4b302c76e4d4
Terraform High Access Control S3 Buckets must not allow Write_ACP Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Write_ACP, for all Principals. Documentation
S3 Bucket Allows Delete Action From All Principals
ffdf4b37-7703-4dfe-a682-9d2e99bc6c09
Terraform High Access Control S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals. Documentation
S3 Bucket Allows Get Action From All Principals
1df37f4b-7197-45ce-83f8-9994d2fcf885
Terraform High Access Control S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals. Documentation
S3 Bucket Allows List Action From All Principals
66c6f96f-2d9e-417e-a998-9058aeeecd44
Terraform High Access Control S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals. Documentation
IAM Role With Full Privileges
b1ffa705-19a3-4b73-b9d0-0c97d0663842
Terraform High Access Control IAM role policy that allows full administrative privileges (for all resources) Documentation
S3 Bucket With All Permissions
a4966c4f-9141-48b8-a564-ffe9959945bc
Terraform High Access Control S3 Buckets must not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion Documentation
S3 Bucket ACL Allows Read to Any Authenticated User
57b9893d-33b1-4419-bcea-a717ea87e139
Terraform High Access Control Misconfigured S3 buckets can leak private information to the entire internet or allow unauthorized data tampering / deletion Documentation
S3 Bucket Allows Public Policy
1a4bc881-9f69-4d44-8c9a-d37d08f54c50
Terraform High Access Control S3 bucket allows public policy Documentation
ECS Service Admin Role is Present
3206240f-2e87-4e58-8d24-3e19e7c83d7c
Terraform High Access Control ECS Services must not have Admin roles, which means the attribute 'iam_role' must not be an admin role Documentation
SQS Queue Exposed
abb06e5f-ef9a-4a99-98c6-376d396bfcdf
Terraform High Access Control Checks if the SQS Queue is exposed Documentation
IAM Policies With Full Privileges
2f37c4a3-58b9-4afe-8a87-d7f1d2286f84
Terraform High Access Control IAM policies that allow full administrative privileges (for all resources) Documentation
Public Storage Account
17f75827-0684-48f4-8747-61129c7e4198
Terraform High Access Control Check if 'network_rules' is open to public. Documentation
Admin User Enabled For Container Registry
b897dfbf-322c-45a8-b67c-1e698beeaa51
Terraform High Access Control Admin user is enabled for Container Registry Documentation
Role Assignment Of Guest Users
2bc626a8-0751-446f-975d-8139214fc790
Terraform High Access Control There is a role assignment for guest user Documentation
Storage Container Is Publicly Accessible
dd5230f8-a577-4bbb-b7ac-f2c2fe7d5299
Terraform High Access Control Anonymous, public read access to a container and its blobs is enabled in Azure Blob Storage Documentation
SQL DB Instance Backup Disabled
cf3c7631-cd1e-42f3-8801-a561214a6e79
Terraform High Backup Checks if backup configuration is enabled for all Cloud SQL Database instances Documentation
Geo Redundancy Is Disabled
8b042c30-e441-453f-b162-7696982ebc58
Terraform High Backup Make sure that Geo Redundant Backups are enabled for PostgreSQL Documentation
DNSSEC Using RSASHA1
ccc3100c-0fdd-4a5e-9908-c10107291860
Terraform High Encryption Checks if, within the 'dnssec_config' block, a 'default_key_specs' block exists whose 'algorithm' field is 'rsasha1', which is insecure. Documentation
SQL DB Instance With SSL Disabled
02474449-71aa-40a1-87ae-e14497747b00
Terraform High Encryption Cloud SQL Database Instance with SSL disabled for incoming connections Documentation
High KMS Rotation Period
352271ca-842f-408a-8b24-f6f2b76eb027
Terraform High Encryption Check that keys aren't the same for a period greater than 365 days. Documentation
EBS Default Encryption Disabled
3d3f6270-546b-443c-adb4-bb6fb2187ca6
Terraform High Encryption EBS Encryption should be enabled Documentation
CA certificate Identifier is outdated
9f40c07e-699e-4410-8856-3ba0f2e3a2dd
Terraform High Encryption The CA certificate Identifier must be 'rds-ca-2019'. Documentation
User Data Shell Script Is Encoded
9cf718ce-46f9-430e-89ec-c456f8b469ee
Terraform High Encryption Base64 Shell Script must be encoded Documentation
Viewer Protocol Policy Allows HTTP
55af1353-2f62-4fa0-a8e1-a210ca2708f5
Terraform High Encryption Checks if the connection between the CloudFront and the origin server is encrypted Documentation
MSK Cluster Encryption Disabled
6db52fa6-d4da-4608-908a-89f0c59e743e
Terraform High Encryption Ensure MSK Cluster encryption at rest and in transit is enabled Documentation
Redis Not Compliant
254c932d-e3bf-44b2-bc9d-eb5fdb09f8d4
Terraform High Encryption Check if the redis version is compliant with the necessary AWS PCI DSS requirements Documentation
ELB Using Insecure Protocols
126c1788-23c2-4a10-906c-ef179f4f96ec
Terraform High Encryption ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of insecure protocols. Documentation
S3 Bucket Object Not Encrypted
5fb49a69-8d46-4495-a2f8-9c8c622b2b6e
Terraform High Encryption S3 Bucket Object should have server-side encryption enabled Documentation
S3 Bucket Without Server-side-encryption
6726dcc0-5ff5-459d-b473-a780bef7665c
Terraform High Encryption S3 bucket should have encryption defined Documentation
S3 Bucket SSE Disabled
ad03cb46-f174-4674-bf8e-2880a7000edd
Terraform High Encryption If the algorithm is AES256 then the master key is null, empty or undefined; otherwise the master key is required Documentation
DOCDB Cluster Not Encrypted
bc1f9009-84a0-490f-ae09-3e0ea6d74ad6
Terraform High Encryption AWS DOCDB Cluster storage should be encrypted Documentation
Automatic Minor Upgrades Disabled
3b6d777b-76e3-4133-80a3-0d6f667ade7f
Terraform High Encryption RDS Instance Auto Minor Version Upgrade feature in AWS DB Instance must be true Documentation
ECS Task Definition Volume Not Encrypted
4d46ff3b-7160-41d1-a310-71d6d370b08f
Terraform High Encryption AWS ECS Task Definition EFS data in transit between AWS ECS host and AWS EFS server should be encrypted Documentation
User Data Contains Encoded Private Key
443488f5-c734-460b-a36d-5b3f330174dc
Terraform High Encryption User Data Base64 contains an encoded RSA Private Key Documentation
Memcached Disabled
4bd15dd9-8d5e-4008-8532-27eb0c3706d3
Terraform High Encryption Check if the Memcached is disabled on the ElastiCache Documentation
DOCDB Cluster Without KMS
4766d3ea-241c-4ee6-93ff-c380c996bd1a
Terraform High Encryption AWS DOCDB Cluster should be encrypted with a KMS encryption key Documentation
Secure Ciphers Disabled
5c0003fb-9aa0-42c1-9da3-eb0e332bef21
Terraform High Encryption Check if secure ciphers aren't used in CloudFront Documentation
Athena Workgroup Not Encrypted
d364984a-a222-4b5f-a8b0-e23ab19ebff3
Terraform High Encryption Athena Workgroup query results should be encrypted, for all queries that run in the workgroup Documentation
Redshift Not Encrypted
cfdcabb0-fc06-427c-865b-c59f13e898ce
Terraform High Encryption Check if 'encrypted' field is false or undefined (default is false) Documentation
Athena Database Not Encrypted
b2315cae-b110-4426-81e0-80bb8640cdd3
Terraform High Encryption AWS Athena Database data in S3 should be encrypted Documentation
CloudWatch Log Group Not Encrypted
0afbcfe9-d341-4b92-a64c-7e6de0543879
Terraform High Encryption AWS CloudWatch Log groups should be encrypted using KMS Documentation
DB Instance Storage Not Encrypted
08bd0760-8752-44e1-9779-7bb369b2b4e4
Terraform High Encryption The parameter storage_encrypted in aws_db_instance must be set to 'true' (the default is 'false'). Documentation
AMI Not Encrypted
8bbb242f-6e38-4127-86d4-d8f0b2687ae2
Terraform High Encryption AWS AMI Encryption is not enabled Documentation
EFS Not Encrypted
48207659-729f-4b5c-9402-f884257d794f
Terraform High Encryption Elastic File System (EFS) must be encrypted Documentation
DAX Cluster Not Encrypted
f11aec39-858f-4b6f-b946-0a1bf46c0c87
Terraform High Encryption AWS DAX Cluster should have server-side encryption at rest Documentation
CodeBuild Project Encrypted With AWS Managed Key
3deec14b-03d2-4d27-9670-7d79322e3340
Terraform High Encryption CodeBuild Project should be encrypted with customer-managed KMS keys instead of AWS managed keys Documentation
Sagemaker Notebook Instance Without KMS
f3674e0c-f6be-43fa-b71c-bf346d1aed99
Terraform High Encryption AWS SageMaker should encrypt model artifacts at rest using Amazon S3 server-side encryption with an AWS KMS key Documentation
RDS Storage Not Encrypted
3199c26c-7871-4cb3-99c2-10a59244ce7f
Terraform High Encryption Check if RDS Cluster Storage isn't encrypted. Happens when 'storage_encrypted' is not set to 'true' Documentation
Launch Configuration Is Not Encrypted
4de9de27-254e-424f-bd70-4c1e95790838
Terraform High Encryption Data stored in the Launch configuration EBS is not securely encrypted Documentation
IAM Database Auth Not Enabled
88fd05e0-ac0e-43d2-ba6d-fc0ba60ae1a6
Terraform High Encryption IAM Database Auth Enabled must be configured to true Documentation
Workspaces Workspace Volume Not Encrypted
b9033580-6886-401a-8631-5f19f5bb24c7
Terraform High Encryption AWS Workspaces Workspace data stored in volumes should be encrypted Documentation
ELB Using Weak Ciphers
4a800e14-c94a-442d-9067-5a2e9f6c0a4c
Terraform High Encryption ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of weak ciphers. Documentation
Kinesis Not Encrypted With KMS
862fe4bf-3eec-4767-a517-40f378886b88
Terraform High Encryption AWS Kinesis Streams and metadata should be protected with KMS Documentation
EFS Without KMS
25d251f3-f348-4f95-845c-1090e41a615c
Terraform High Encryption Elastic File System (EFS) must have KMS Key ID Documentation
API Gateway Method Settings Cache Not Encrypted
b7c9a40c-23e4-4a2d-8d39-a3352f10f288
Terraform High Encryption API Gateway Method Settings Cache should be encrypted Documentation
ECS Task Definition Container With Plaintext Password
d40210ea-64b9-4cce-a4fb-e8604f3c062c
Terraform High Encryption It's not recommended to use plaintext environment variables for sensitive information, such as credential data. Documentation
EBS Volume Snapshot Not Encrypted
e6b4b943-6883-47a9-9739-7ada9568f8ca
Terraform High Encryption The value of AWS EBS Volume Snapshot Encryption must be true Documentation
Kinesis SSE Not Configured
5c6dd5e7-1fe0-4cae-8f81-4c122717cef3
Terraform High Encryption AWS Kinesis Server data at rest should have Server Side Encryption (SSE) enabled Documentation
SSL Enforce Disabled
0437633b-daa6-4bbc-8526-c0d2443b946e
Terraform High Encryption Make sure that for PostgreSQL, the 'Enforce SSL connection' is set to 'ENABLED' Documentation
Storage Account Not Forcing HTTPS
12944ec4-1fa0-47be-8b17-42a034f937c2
Terraform High Encryption Ensure that Storage Accounts force the use of HTTPS Documentation
MySQL SSL Connection Disabled
73e42469-3a86-4f39-ad78-098f325b4e9f
Terraform High Encryption Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled Documentation
Not Proper Email Account In Use
9356962e-4a4f-4d06-ac59-dc8008775eaa
Terraform High Insecure Configurations Gmail accounts are being used instead of corporate credentials Documentation
COS Node Image Not Used
8a893e46-e267-485a-8690-51f39951de58
Terraform High Insecure Configurations A node image that is not Container-Optimized OS (COS) is used for Kubernetes Engine Cluster nodes Documentation
IP Aliasing Disabled
c606ba1d-d736-43eb-ac24-e16108f3a9e0
Terraform High Insecure Configurations Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ip_allocation_policy' must be defined and, if defined, the attribute 'networking_mode' must be VPC_NATIVE Documentation
Cluster Labels Disabled
65c1bc7a-4835-4ac4-a2b6-13d310b0648d
Terraform High Insecure Configurations Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined Documentation
GKE Legacy Authorization Enabled
5baa92d2-d8ee-4c75-88a4-52d9d8bb8067
Terraform High Insecure Configurations Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'enable_legacy_abac' must not be true Documentation
Network Policy Disabled
11e7550e-c4b6-472e-adff-c698f157cdd7
Terraform High Insecure Configurations Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false Documentation
Client Certificate Disabled
73fb21a1-b19a-45b1-b648-b47b1678681e
Terraform High Insecure Configurations Kubernetes Clusters must be created with Client Certificate enabled, which means 'master_auth' must have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to true Documentation
Private Cluster Disabled
6ccb85d7-0420-4907-9380-50313f80946b
Terraform High Insecure Configurations Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_nodes' and 'enable_private_endpoint' must be true Documentation
Cluster Master Authentication Disabled
1baba08e-3c8a-4be7-95eb-dced5833de21
Terraform High Insecure Configurations Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'master_auth' must have the subattributes 'username' and 'password' defined and not empty Documentation
Pod Security Policy Disabled
9192e0f9-eca5-4056-9282-ae2a736a4088
Terraform High Insecure Configurations Kubernetes Clusters must have Pod Security Policy controller enabled, which means there must be a 'pod_security_policy_config' with the 'enabled' attribute equal to true Documentation
GKE Basic Authentication Enabled
70cdf849-b7d9-4569-b87d-5d82ffd44719
Terraform High Insecure Configurations GCP - Google Kubernetes Engine (GKE) Basic Authentication must be disabled, which means the username and password provided in the master_auth block must be empty Documentation
No Password Policy Enabled
b592ffd4-0577-44b6-bd35-8c5ee81b5918
Terraform High Insecure Configurations IAM password policies should be set through the password minimum length and reset password attributes Documentation
Root Account Has Active Access Keys
970d224d-b42a-416b-81f9-8f4dfe70c4bc
Terraform High Insecure Configurations The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive. Documentation
S3 Static Website Host Enabled
42bb6b7f-6d54-4428-b707-666f669d94fb
Terraform High Insecure Configurations Checks if any static websites are hosted on buckets Documentation
CloudFront Without Minimum Protocol TLS 1.2
00e5e55e-c2ff-46b3-a757-a7a1cd802456
Terraform High Insecure Configurations CloudFront Minimum Protocol version should be at least TLS 1.2 Documentation
Batch Job Definition With Privileged Container Properties
66cd88ac-9ddf-424a-b77e-e55e17630bee
Terraform High Insecure Configurations Batch Job Definition should not have Privileged Container Properties Documentation
DB Instance Publicly Accessible
35113e6f-2c6b-414d-beec-7a9482d3b2d1
Terraform High Insecure Configurations The field 'publicly_accessible' should not be set to 'true' (default is 'false'). Documentation
API Gateway Without Security Policy
4e1cc5d3-2811-4fb2-861c-ee9b3cb7f90b
Terraform High Insecure Configurations API Gateway should have a Security Policy defined and use TLS 1.2. Documentation
S3 Bucket Without Enabled MFA Delete
c5b31ab9-0f26-4a49-b8aa-4cc064392f4d
Terraform High Insecure Configurations S3 bucket without enabled MFA Delete Documentation
S3 Bucket Without Restriction Of Public Bucket
1ec253ab-c220-4d63-b2de-5b40e0af9293
Terraform High Insecure Configurations S3 bucket without restriction of public bucket Documentation
IAM User Policy Without MFA
b5681959-6c09-4f55-b42b-c40fa12d03ec
Terraform High Insecure Configurations Check if the root user is authenticated with MFA Documentation
SQS With SSE Disabled
6e8849c1-3aa7-40e3-9063-b85ee300f29f
Terraform High Insecure Configurations Amazon Simple Queue Service (SQS) queue is not protecting the contents of their messages using Server-Side Encryption (SSE) Documentation
Authentication Without MFA
3ddfa124-6407-4845-a501-179f90c65097
Terraform High Insecure Configurations Users should authenticate with MFA (Multi-factor Authentication) Documentation
KMS Key With Vulnerable Policy
7ebc9038-0bde-479a-acc4-6ed7b6758899
Terraform High Insecure Configurations Checks if the policy is vulnerable and needs updating. Documentation
Redshift Publicly Accessible
af173fde-95ea-4584-b904-bb3923ac4bda
Terraform High Insecure Configurations Check if 'publicly_accessible' field is true or undefined (default is true) Documentation
ECS Task Definition Network Mode Not Recommended
9f4a9409-9c60-4671-be96-9716dbf63db1
Terraform High Insecure Configurations Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations Documentation
DB Security Group Has Public IP
f0d8781f-99bf-4958-9917-d39283b168a0
Terraform High Insecure Configurations The CIDR IP must not be Public Documentation
Azure Container Registry With No Locks
a187ac47-8163-42ce-8a63-c115236be6fb
Terraform High Insecure Configurations Azurerm Container Registry Must Contain Associated Locks Documentation
Trusted Microsoft Services Not Enabled
5400f379-a347-4bdd-a032-446465fdcc6f
Terraform High Insecure Configurations Trusted Microsoft Services are not enabled for Storage Account access Documentation
AD Admin Not Configured For SQL Server
a3a055d2-9a2e-4cc9-b9fb-12850a1a3a4b
Terraform High Insecure Configurations The Active Directory Administrator is not configured for a SQL server Documentation
VM Not Attached To Network
bbf6b3df-4b65-4f87-82cc-da9f30f8c033
Terraform High Insecure Configurations No Network Security Group is attached to the Virtual Machine Documentation
Redis Not Updated Regularly
b947809d-dd2f-4de9-b724-04d101c515aa
Terraform High Insecure Configurations Redis Cache is not configured to be updated regularly with security and operational updates Documentation
Web App Accepting Traffic Other Than HTTPS
11e9a948-c6c3-4a0f-8dcf-b5cf1763cdbe
Terraform High Insecure Configurations Web app should only accept HTTPS traffic in Azure Web App Service. Documentation
Network Watcher Flow Disabled
b90842e5-6779-44d4-9760-972f4c03ba1c
Terraform High Insecure Configurations Check if enable field in the resource azurerm_network_watcher_flow_log is false. Documentation
Shared Host Network Namespace
ac1564a3-c324-4747-9fa1-9dfc234dace0
Terraform High Insecure Configurations Container should not share the host network namespace Documentation
Not Limited Capabilities For Pod Security Policy
2acb555f-f4ad-4b1b-b984-84e6588f4b05
Terraform High Insecure Configurations Limit capabilities for a Pod Security Policy Documentation
Container Is Privileged
87065ef8-de9b-40d8-9753-f4a4303e27a4
Terraform High Insecure Configurations Do not allow container to be privileged. Documentation
PSP Allows Containers To Share The Host Network Namespace
4950837c-0ce5-4e42-9bee-a25eae73740b
Terraform High Insecure Configurations Check if Pod Security Policies allow containers to share the host network namespace. Documentation
Cluster Allows Unsafe Sysctls
a9174d31-d526-4ad9-ace4-ce7ddbf52e03
Terraform High Insecure Configurations A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means 'spec.security_context.sysctl' must not contain unsafe sysctls and the attribute 'allowed_unsafe_sysctls' must be undefined. Documentation
Host Aliases Undefined Or Empty
5d05ea11-ae3e-470e-9864-97e55fb2b2e0
Terraform High Insecure Configurations A Kubernetes Pod should have Host Aliases defined as to prevent the container from modifying the file after a pod's containers have already been started. This means the attribute 'spec.host_aliases' must be defined and not empty or null. Documentation
Tiller (Helm v2) Is Deployed
ca2fba76-c1a7-4afd-be67-5249f861cb0e
Terraform High Insecure Configurations Check if Tiller is deployed. Documentation
Shared Host IPC Namespace
e94d3121-c2d1-4e34-a295-139bfeb73ea3
Terraform High Insecure Configurations Container should not share the host IPC namespace Documentation
NET_RAW Capabilities Not Being Dropped
e5587d53-a673-4a6b-b3f2-ba07ec274def
Terraform High Insecure Configurations Containers should drop 'NET_RAW' or 'ALL' capabilities Documentation
Privilege Escalation Allowed
c878abb4-cca5-4724-92b9-289be68bd47c
Terraform High Insecure Configurations Admission of privileged containers should be minimized Documentation
Vulnerable Default SSL Certificate
3a1e94df-6847-4c0e-a3b6-6c6af4e128ef
Terraform High Insecure Defaults CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one. Documentation
Role Binding To Default Service Account
3360c01e-c8c0-4812-96a2-a6329b9b7f9f
Terraform High Insecure Defaults No role nor cluster role should bind to a default service account Documentation
Sensitive Port Is Exposed To Entire Network
381c3f2a-ef6f-4eff-99f7-b169cda3422c
Terraform High Networking and Firewall A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol Documentation
EKS Cluster Has Public Access CIDRs
61cf9883-1752-4768-b18c-0d57f2737709
Terraform High Networking and Firewall Amazon EKS public endpoint is enabled and accessible to all: 0.0.0.0/0 Documentation
HTTP Port Open
ffac8a12-322e-42c1-b9b9-81ff85c39ef7
Terraform High Networking and Firewall The HTTP port is open in a Security Group Documentation
EC2 Instance Has Public IP
5a2486aa-facf-477d-a5c1-b010789459ce
Terraform High Networking and Firewall EC2 Instance should not have a public IP address. Documentation
Security Group With Unrestricted Access To SSH
65905cec-d691-4320-b320-2000436cb696
Terraform High Networking and Firewall 'SSH' (TCP:22) should not be public in AWS Security Group Documentation
Unrestricted Security Group Ingress
4728cd65-a20c-49da-8b31-9c08b423e4db
Terraform High Networking and Firewall Security groups allow ingress from 0.0.0.0:0 Documentation
DB Security Group With Public Scope
1e0ef61b-ad85-4518-a3d3-85eaad164885
Terraform High Networking and Firewall The IP address in a DB Security Group must not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). Documentation
Remote Desktop Port Open
151187cb-0efc-481c-babd-ad24e3c9bc22
Terraform High Networking and Firewall The Remote Desktop port is open in a Security Group Documentation
ALB Listening on HTTP
de7f5e83-da88-4046-871f-ea18504b1d43
Terraform High Networking and Firewall AWS Application Load Balancer (alb) should not listen on HTTP Documentation
Unknown Port Exposed To Internet
590d878b-abdc-428f-895a-e2b68a0e1998
Terraform High Networking and Firewall AWS Security Group should not have an unknown port exposed to the entire Internet Documentation
Default Security Groups With Unrestricted Traffic
46883ce1-dc3e-4b17-9195-c6a601624c73
Terraform High Networking and Firewall Check if default security group does not restrict all inbound and outbound traffic. Documentation
Route53 Record Undefined
25db74bf-fa3b-44da-934e-8c3e005c0453
Terraform High Networking and Firewall Check if Record is set Documentation
DB Security Group Open To Large Scope
4f615f3e-fb9c-4fad-8b70-2e9f781806ce
Terraform High Networking and Firewall The IP address in a DB Security Group must not have more than 256 hosts. Documentation
Sensitive Port Is Exposed To Entire Network
594c198b-4d79-41b8-9b36-fde13348b619
Terraform High Networking and Firewall A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol Documentation
CosmosDB Account IP Range Filter Not Set
c2a3efb6-8a58-481c-82f2-bfddf34bb4b7
Terraform High Networking and Firewall The IP range filter must contain IPs Documentation
RDP Is Exposed To The Internet
efbf6449-5ec5-4cfe-8f15-acc51e0d787c
Terraform High Networking and Firewall Port 3389 (Remote Desktop) is exposed to the internet Documentation
SSH Is Exposed To The Internet
3e3c175e-aadf-4e2b-a464-3fdac5748d24
Terraform High Networking and Firewall Port 22 (SSH) is exposed to the internet Documentation
SQLServer Ingress From Any IP
25c0ea09-f1c5-4380-b055-3b83863f2bb8
Terraform High Networking and Firewall Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255. Documentation
Redis Entirely Accessible
fd8da341-6760-4450-b26c-9f6d8850575e
Terraform High Networking and Firewall Firewall rule allowing unrestricted access to Redis from the Internet Documentation
Redis Publicly Accessible
5089d055-53ff-421b-9482-a5267bdce629
Terraform High Networking and Firewall Firewall rule allowing unrestricted access to Redis from other Azure sources Documentation
IAM Audit Not Properly Configured
89fe890f-b480-460c-8b6b-7d8b1468adb4
Terraform High Observability Audit Logging Configuration is defective Documentation
Cloud Storage Bucket Logging Not Enabled
d6cabc3a-d57e-48c2-b341-bf3dd4f4a120
Terraform High Observability Cloud storage bucket with logging not enabled Documentation
Stackdriver Monitoring Disabled
30e8dfd2-3591-4d19-8d11-79e93106c93d
Terraform High Observability Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must be defined and different from 'none' Documentation
Object Versioning Not Enabled
e7e961ac-d17e-4413-84bc-8a1fbe242944
Terraform High Observability Object Versioning Not Enabled on Cloud Storage Bucket Documentation
Stackdriver Logging Disabled
4c7ebcb2-eae2-461e-bc83-456ee2d4f694
Terraform High Observability Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must be defined and different from 'none' Documentation
CMK Rotation Disabled
22fbfeac-7b5a-421a-8a27-7a2178bb910b
Terraform High Observability Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled. Documentation
CloudTrail Logging Disabled
4bb76f17-3d63-4529-bdca-2b454529d774
Terraform High Observability Checks if logging is enabled for CloudTrail. Documentation
CloudTrail Log Files Not Encrypted
5d9e3164-9265-470c-9a10-57ae454ac0c7
Terraform High Observability Logs delivered by CloudTrail should be encrypted using KMS Documentation
Configuration Aggregator to All Regions Disabled
ac5a0bc0-a54c-45aa-90c3-15f7703b9132
Terraform High Observability AWS Config Configuration Aggregator All Regions must be set to True Documentation
KMS Key With No Deletion Window
0b530315-0ea4-497f-b34c-4ff86268f59d
Terraform High Observability AWS KMS Key should have a valid deletion window Documentation
Vault Auditing Disabled
38c71c00-c177-4cd7-8d36-cd1007cdb190
Terraform High Observability Ensure that logging for Azure KeyVault is 'Enabled' Documentation
Node Auto Upgrade Disabled
b139213e-7d24-49c2-8025-c18faa21ecaa
Terraform High Resource Management Node 'auto_upgrade' should be enabled for Kubernetes Clusters Documentation
SQL Database Audit Disabled
83a229ba-483e-47c6-8db7-dc96969bce5a
Terraform High Resource Management Ensure that 'Threat Detection' is enabled for Azure SQL Database Documentation
Secret Expiration Not Set
dfa20ffa-f476-428f-a490-424b41e91c7f
Terraform High Secret Management Make sure that for all secrets the expiration date is set Documentation
Key Expiration Not Set
4d080822-5ee2-49a4-8984-68f3d4c890fc
Terraform High Secret Management Make sure that for all keys the expiration date is set Documentation
Cloud Storage Anonymous or Publicly Accessible
a6cd52a1-3056-4910-96a5-894de9f3f3b3
Terraform Medium Access Control Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'members' must not possess 'allUsers' or 'allAuthenticatedUsers' Documentation
Google Project IAM Member Service Account has Token Creator or Account User Role
c68b4e6d-4e01-4ca1-b256-1e18e875785c
Terraform Medium Access Control Verifies that Google Project IAM Member Service Account doesn't have an Account User or Token Creator Role associated Documentation
Google Project IAM Binding Service Account has Token Creator or Account User Role
617ef6ff-711e-4bd7-94ae-e965911b1b40
Terraform Medium Access Control Verifies if Google Project IAM Binding Service Account doesn't have an Account User or Token Creator Role associated Documentation
Google Project IAM Member Service Account Has Admin Role
84d36481-fd63-48cb-838e-635c44806ec2
Terraform Medium Access Control Verifies that Google Project IAM Member Service Account doesn't have an Admin Role associated Documentation
SNS Topic Publicity Has Allow and NotAction Simultaneously
5ea624e4-c8b1-4bb3-87a4-4235a776adcc
Terraform Medium Access Control SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'. Documentation
CloudWatch Logs Destination With Vulnerable Policy
db0ec4c4-852c-46a2-b4f3-7ec13cdb12a8
Terraform Medium Access Control CloudWatch Logs destination policy should avoid wildcard in 'principals' and 'actions' Documentation
Elasticsearch Domain With Vulnerable Policy
16c4216a-50d3-4785-bfb2-4adb5144a8ba
Terraform Medium Access Control Elasticsearch Domain policy should avoid wildcard in 'Action' and 'Principal'. Documentation
REST API With Vulnerable Policy
b161c11b-a59b-4431-9a29-4e19f63e6b27
Terraform Medium Access Control REST API policy should avoid wildcard in 'Action' and 'Principal' Documentation
ECR Repository Is Publicly Accessible
e86e26fc-489e-44f0-9bcd-97305e4ba69a
Terraform Medium Access Control Amazon ECR image repositories shouldn't have public access Documentation
SQS Policy With Public Access
730675f9-52ed-49b6-8ead-0acb5dd7df7f
Terraform Medium Access Control SQS policy with public access Documentation
Glue With Vulnerable Policy
d25edb51-07fb-4a73-97d4-41cecdc53a22
Terraform Medium Access Control Glue policy should avoid wildcard in 'principals' and 'actions' Documentation
SNS Topic is Publicly Accessible For Subscription
b26d2b7e-60f6-413d-a3a1-a57db24aa2b3
Terraform Medium Access Control This query checks if SNS Topic is Accessible For Subscription Documentation
IAM Access Key Is Exposed
7081f85c-b94d-40fd-8b45-a4f1cac75e46
Terraform Medium Access Control Check if IAM Access Key is active for some user besides 'root' Documentation
SQS Policy Allows All Actions
816ea8cf-d589-442d-a917-2dd0ce0e45e3
Terraform Medium Access Control SQS policy allows ALL (*) actions Documentation
S3 Bucket Allows Public ACL
d0cc8694-fcad-43ff-ac86-32331d7e867f
Terraform Medium Access Control S3 bucket allows public ACL Documentation
API Gateway Method Does Not Contain An API Key
671211c5-5d2a-4e97-8867-30fc28b02216
Terraform Medium Access Control An API Key should be required on a method request. Documentation
IAM User With Access To Console
9ec311bf-dfd9-421f-8498-0b063c8bc552
Terraform Medium Access Control AWS IAM Users should not have access to console Documentation
IAM Role Policy passRole Allows All
e39bee8c-fe54-4a3f-824d-e5e2d1cca40a
Terraform Medium Access Control Using the iam:passrole action with wildcards (*) in the resource can be overly permissive because it allows iam:passrole permissions on multiple resources Documentation
Lambda With Vulnerable Policy
ad9dabc7-7839-4bae-a957-aa9120013f39
Terraform Medium Access Control The attribute 'action' should not have wildcard Documentation
IAM Policy Grants Full Permissions
575a2155-6af1-4026-b1af-d5bc8fe2a904
Terraform Medium Access Control IAM policies allow all ('*') in a statement action Documentation
AMI Shared With Multiple Accounts
ba4e0031-3e9d-4d7d-b0d6-bd8f003f8698
Terraform Medium Access Control Limits access to AWS AMIs by checking if more than one account is using the same image Documentation
Lambda Permission Principal Is Wildcard
e08ed7eb-f3ef-494d-9d22-2e3db756a347
Terraform Medium Access Control Lambda Permission Principal should not contain a wildcard. Documentation
Secrets Manager With Vulnerable Policy
fa00ce45-386d-4718-8392-fb485e1f3c5b
Terraform Medium Access Control Secrets Manager policy should avoid wildcard in 'Principal' and 'Action' Documentation
Policy Without Principal
bbe3dd3d-fea9-4b68-a785-cfabe2bbbc54
Terraform Medium Access Control All policies, except IAM identity-based policies, should have the 'Principal' element defined Documentation
Public and Private EC2 Share Role
c53c7a89-f9d7-4c7b-8b66-8a555be99593
Terraform Medium Access Control Public and private EC2 instances should not share the same role. Documentation
AKS RBAC Disabled
86f92117-eed8-4614-9c6c-b26da20ff37f
Terraform Medium Access Control Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled Documentation
RBAC Roles with Read Secrets Permissions
826abb30-3cd5-4e0b-a93b-67729b4f7e63
Terraform Medium Access Control Minimize access to secrets (RBAC) Documentation
Non Kube System Pod With Host Mount
86a947ea-f577-4efb-a8b0-5fc00257d521
Terraform Medium Access Control A non kube-system workload should not have hostPath mounted Documentation
ElastiCache Nodes Not Created Across Multi AZ
6db03a91-f933-4f13-ab38-a8b87a7de54d
Terraform Medium Availability Check if ElastiCache nodes are not being created across multi AZ Documentation
ECS Service Without Running Tasks
91f16d09-689e-4926-aca7-155157f634ed
Terraform Medium Availability ECS Service should have at least 1 task running Documentation
Auto Scaling Group With No Associated ELB
8e94dced-9bcc-4203-8eb7-7e41202b2505
Terraform Medium Availability AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty. Documentation
CMK Is Unusable
7350fa23-dcf7-4938-916d-6a60b0c73b50
Terraform Medium Availability AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true Documentation
Liveness Probe Is Not Defined
5b6d53dd-3ba3-4269-b4d7-f82e880e43c3
Terraform Medium Availability Liveness Probe must be defined Documentation
Readiness Probe Is Not Configured
8657197e-3f87-4694-892b-8144701d83c1
Terraform Medium Availability Check if Readiness Probe is not configured. Documentation
RDS With Backup Disabled
1dc73fb4-5b51-430c-8c5f-25dcf9090b02
Terraform Medium Backup RDS configured without backup Documentation
Stack Retention Disabled
6e0e2f68-3fd9-4cd8-a5e4-e2213ef0df97
Terraform Medium Backup Make sure that retain_stack is enabled to keep the Stack and its associated resources during resource destruction Documentation
ElastiCache Redis Cluster Without Backup
8fdb08a0-a868-4fdf-9c27-ccab0237f1ab
Terraform Medium Backup ElastiCache Redis cluster should have 'snapshot_retention_limit' higher than 0 Documentation
ALB Not Dropping Invalid Headers
6e3fd2ed-5c83-4c68-9679-7700d224d379
Terraform Medium Best Practices It's considered a best practice when using Application Load Balancers to drop invalid header fields Documentation
IAM Password Without Symbol
7a70eed6-de3a-4da2-94da-a2bbc8fe2a48
Terraform Medium Best Practices Check if IAM account password has the required symbols Documentation
IAM Password Without Minimum Length
1bc1c685-e593-450e-88fb-19db4c82aa1d
Terraform Medium Best Practices Check if IAM account password has the required minimum length Documentation
RDS Cluster With Backup Disabled
e542bd46-58c4-4e0f-a52a-1fb4f9548e02
Terraform Medium Best Practices RDS Cluster backup retention period should be specifically defined Documentation
Password Without Reuse Prevention
89806cdc-9c2e-4bd1-a0dc-53f339bcfb2a
Terraform Medium Best Practices Check if the IAM account password policy has password reuse prevention configured with 24 Documentation
Misconfigured Password Policy Expiration
ce60d060-efb8-4bfd-9cf7-ff8945d00d90
Terraform Medium Best Practices No password expiration policy Documentation
Cognito UserPool Without MFA
ec28bf61-a474-4dbe-b414-6dd3a067d6f0
Terraform Medium Best Practices AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users Documentation
SQL Server Predictable Admin Account Name
2ab6de9a-0136-415c-be92-79d2e4fd750f
Terraform Medium Best Practices Azure SQL Server's Admin account login must avoid using names like 'Admin', which are too predictable; this means the attribute 'administrator_login' must be set to a name that is not easy to predict Documentation
SQL Server Predictable Active Directory Account Name
bcd3fc01-5902-4f2a-b05a-227f9bbf5450
Terraform Medium Best Practices Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'login' must be set to a name that is not easy to predict Documentation
Unrestricted SQL Server Access
d7ba74da-2da0-4d4b-83c8-2fd72a3f6c28
Terraform Medium Best Practices Azure SQL Server Accessibility must be set to a minimal address range, which means the difference between the values of 'end_ip_address' and 'start_ip_address' must be less than 256. Additionally, both IPs must be different from '0.0.0.0' Documentation
Root Containers Admitted
4c415497-7410-4559-90e8-f2c8ac64ee38
Terraform Medium Best Practices Containers must not be allowed to run with root privileges, which means the attributes 'privileged' and 'allow_privilege_escalation' must be set to false, 'run_as_user.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden Documentation
Stack Without Template
91bea7b8-0c31-4863-adc9-93f6177266c4
Terraform Medium Build Process AWS CloudFormation should have a template defined through the attribute template_url or attribute template_body Documentation
Cosmos DB Account Without Tags
56dad03e-e94f-4dd6-93a4-c253a03ff7a0
Terraform Medium Build Process Cosmos DB Account must have a mapping of tags. Documentation
Incorrect Volume Claim Access Mode ReadWriteOnce
26b047a9-0329-48fd-8fb7-05bbe5ba80ee
Terraform Medium Build Process Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce' Documentation
VM CSEK Encryption Disabled
b1d51728-7270-4991-ac2f-fc26e2695b38
Terraform Medium Encryption VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK), which means the attribute 'disk_encryption_key' must be defined and its sub attribute 'sha256' must also be defined and not empty Documentation
High Google KMS Crypto Key Rotation Period
d8c57c4e-bf6f-4e32-a2bf-8643532de77b
Terraform Medium Encryption Make sure Encryption keys change after 90 days Documentation
Google Compute SSL Policy Weak Cipher In Use
14a457f0-473d-4d1d-9e37-6d99b355b336
Terraform Medium Encryption This query checks whether a Google Compute SSL Policy allows weak cipher suites; to do so, it verifies that the minimum TLS version is TLS_1_2, because other versions allow weak ciphers Documentation
AmazonMQ Broker Encryption Disabled
3db3f534-e3a3-487f-88c7-0a9fbf64b702
Terraform Medium Encryption AmazonMQ Broker should have Encryption Options defined Documentation
Secretsmanager Secret Without KMS
a2f548f2-188c-4fff-b172-e9a6acb216bd
Terraform Medium Encryption AWS Secrets Manager should use an AWS KMS customer master key (CMK) to encrypt the secret values in the versions stored in the secret Documentation
Elasticsearch Domain Not Encrypted Node To Node
967eb3e6-26fc-497d-8895-6428beb6e8e2
Terraform Medium Encryption Elasticsearch Domain encryption should be enabled node to node Documentation
API Gateway Without Content Encoding
ed35928e-195c-4405-a252-98ccb664ab7b
Terraform Medium Encryption Enable Content Encoding through the attribute 'minimum_compression_size'. This value should be greater than -1 and smaller than 10485760 Documentation
DOCDB Cluster Encrypted With AWS Managed Key
2134641d-30a4-4b16-8ffc-2cd4c4ffd15d
Terraform Medium Encryption DOCDB Cluster should be encrypted with customer-managed KMS keys instead of AWS managed keys Documentation
ElasticSearch Not Encrypted At Rest
24e16922-4330-4e9d-be8a-caa90299466a
Terraform Medium Encryption Check if ElasticSearch encryption is disabled at Rest Documentation
SNS Topic Encrypted With AWS Managed Key
b1a72f66-2236-4f3b-87ba-0da1b366956f
Terraform Medium Encryption SNS (Simple Notification Service) Topic should be encrypted with customer-managed KMS keys instead of AWS managed keys Documentation
ECR Repository Not Encrypted
0e32d561-4b5a-4664-a6e3-a3fa85649157
Terraform Medium Encryption ECR (Elastic Container Registry) Repository encryption should be set Documentation
Neptune Database Cluster Encryption Disabled
98d59056-f745-4ef5-8613-32bca8d40b7e
Terraform Medium Encryption Check if Neptune Cluster Storage is securely encrypted Documentation
DynamoDB Table Not Encrypted
ce089fd4-1406-47bd-8aad-c259772bb294
Terraform Medium Encryption AWS DynamoDB Tables should have server-side encryption Documentation
Config Rule For Encrypted Volumes Disabled
abdb29d4-5ca1-4e91-800b-b3569bbd788c
Terraform Medium Encryption Check if AWS config rules do not identify Encrypted Volumes as a source. Documentation
Secretsmanager Secret Encrypted With AWS Managed Key
b0d3ef3f-845d-4b1b-83d6-63a5a380375f
Terraform Medium Encryption Secrets Manager secret should be encrypted with customer-managed KMS keys instead of AWS managed keys Documentation
ElastiCache Replication Group Not Encrypted At Transit
1afbb3fa-cf6c-4a3d-b730-95e9f4df343e
Terraform Medium Encryption ElastiCache Replication Group encryption should be enabled at Transit Documentation
Unscanned ECR Image
9630336b-3fed-4096-8173-b9afdfe346a7
Terraform Medium Encryption Checks if the ECR Image has been scanned Documentation
ElastiCache Replication Group Not Encrypted At Rest
76976de7-c7b1-4f64-a94f-90c1345914c2
Terraform Medium Encryption ElastiCache Replication Group encryption should be enabled at Rest Documentation
ElasticSearch Encryption With KMS Disabled
7af2f4a3-00d9-47f3-8d15-ca0888f4e5b2
Terraform Medium Encryption Check if any ElasticSearch domain isn't encrypted with KMS Documentation
EBS Volume Encryption Disabled
cc997676-481b-4e93-aa81-d19f8c5e9b12
Terraform Medium Encryption The value on AWS EBS Volume Cluster Encryption must be true Documentation
Storage Account Not Using Latest TLS Encryption Version
8263f146-5e03-43e0-9cfe-db960d56d1e7
Terraform Medium Encryption Ensure Storage Account is using the latest version of TLS encryption Documentation
Redis Cache Allows Non SSL Connections
e29a75e6-aba3-4896-b42d-b87818c16b58
Terraform Medium Encryption Check if any Redis Cache resource allows non-SSL connections. Documentation
Encryption On Managed Disk Disabled
a99130ab-4c0e-43aa-97f8-78d4fcb30024
Terraform Medium Encryption Ensure that the encryption is active on the disk Documentation
Github Organization Webhook With SSL Disabled
ce7c874e-1b88-450b-a5e4-cb76ada3c8a9
Terraform Medium Encryption Check if insecure SSL is being used in the GitHub organization webhooks Documentation
Project-wide SSH Keys Are Enabled In VM Instances
3e4d5ce6-3280-4027-8010-c26eeea1ec01
Terraform Medium Insecure Configurations Check if SSH keys are enabled project-wide in VM instances Documentation
Using Default Service Account
3cb4af0b-056d-4fb1-8b95-fdc4593625ff
Terraform Medium Insecure Configurations Instances must not be configured to use the Default Service Account, which has full access to all Cloud APIs; this means the attribute 'service_account' and its sub attribute 'email' must be defined. Additionally, 'email' must not be empty and must also not be a default Google Compute Engine service account. Documentation
Google Storage Bucket Level Access Enabled
bb0db090-5509-4853-a827-75ced0b3caa0
Terraform Medium Insecure Configurations Validates if the Google Storage Bucket Level Access is Enabled Documentation
Serial Ports Are Enabled For VM Instances
97fa667a-d05b-4f16-9071-58b939f34751
Terraform Medium Insecure Configurations Check if VM instance enables serial ports Documentation
Google Project Auto Create Network Disabled
59571246-3f62-4965-a96f-c7d97e269351
Terraform Medium Insecure Configurations Verifies if the Google Project Auto Create Network is Disabled Documentation
Shielded VM Disabled
1b44e234-3d73-41a8-9954-0b154135280e
Terraform Medium Insecure Configurations Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true Documentation
Cloud DNS without DNSSEC
5ef61c88-bbb4-4725-b1df-55d23c9676bb
Terraform Medium Insecure Configurations Cloud DNS without DNSSEC Documentation
OSLogin Is Disabled For VM Instance
d0b4d550-c001-46c3-bbdb-d5d75d33f05f
Terraform Medium Insecure Configurations Check if any VM instance disables OSLogin Documentation
Google Container Node Pool Auto Repair Disabled
acfdbec6-4a17-471f-b412-169d77553332
Terraform Medium Insecure Configurations Verifies if Google Container Node Pool Auto Repair is Enabled Documentation
Instance With No VPC
a31a5a29-718a-4ff4-8001-a69e5e4d029e
Terraform Medium Insecure Configurations Instance should be configured in VPC (Virtual Private Cloud) Documentation
Lambda Function Without Tags
875b86b1-7fd4-4728-9a18-de63d87ad82f
Terraform Medium Insecure Configurations AWS Lambda Functions must have associated tags. Documentation
ECR Image Tag Not Immutable
d1846b12-20c5-4d45-8798-fc35b79268eb
Terraform Medium Insecure Configurations ECR should have image tag immutability enabled Documentation
API Gateway Without SSL Certificate
0b4869fc-a842-4597-aa00-1294df425440
Terraform Medium Insecure Configurations SSL Client Certificate should be enabled in aws_api_gateway_stage resource Documentation
Redshift Cluster Without VPC
0a494a6a-ebe2-48a0-9d77-cf9d5125e1b3
Terraform Medium Insecure Configurations Redshift Cluster should be configured in VPC (Virtual Private Cloud) Documentation
Service Control Policies Disabled
5ba6229c-8057-433e-91d0-21cf13569ca9
Terraform Medium Insecure Configurations Check if the Amazon Organizations' policies ensure that all features are enabled to achieve full control over the use of AWS services and actions across multiple AWS accounts using Service Control Policies (SCPs). Documentation
EKS Cluster Has Public Access
42f4b905-3736-4213-bfe9-c0660518cda8
Terraform Medium Insecure Configurations Amazon EKS public endpoint should be set to false Documentation
AWS Password Policy With Unchangeable Passwords
9ef7d25d-9764-4224-9968-fa321c56ef76
Terraform Medium Insecure Configurations Unchangeable passwords in AWS password policy Documentation
Public Lambda via API Gateway
3ef8696c-e4ae-4872-92c7-520bb44dfe77
Terraform Medium Insecure Configurations Allowing to run lambda function using public API Gateway Documentation
IAM Password Without Uppercase Letter
c5ff7bc9-d8ea-46dd-81cb-8286f3222249
Terraform Medium Insecure Configurations Check if IAM account password has at least one uppercase letter Documentation
IAM Password Without Lowercase Letter
bbc7c137-6c7b-4fc4-984a-0c88e91fcaf9
Terraform Medium Insecure Configurations Check if IAM account password has at least one lowercase letter Documentation
MQ Broker Is Publicly Accessible
4eb5f791-c861-4afd-9f94-f2a6a3fe49cb
Terraform Medium Insecure Configurations Check if any MQ Broker is not publicly accessible Documentation
Certificate RSA Key Bytes Lower Than 256
874d68a3-bfbe-4a4b-aaa0-9e74d7da634b
Terraform Medium Insecure Configurations The certificate should use an RSA key with a length equal to or higher than 256 bytes Documentation
API Gateway With Open Access
15ccec05-5476-4890-ad19-53991eba1db8
Terraform Medium Insecure Configurations API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method. Documentation
Security Group is Not Configured
5c822443-e1ea-46b8-84eb-758ec602e844
Terraform Medium Insecure Configurations Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty Documentation
AKS Network Policy Misconfigured
f5342045-b935-402d-adf1-8dbbd09c0eef
Terraform Medium Insecure Configurations Check if the Azure Kubernetes Service doesn't have the proper network policy configuration. Documentation
Security Center Pricing Tier Is Not Standard
819d50fd-1cdf-45c3-9936-be408aaad93e
Terraform Medium Insecure Configurations Make sure that the 'Standard' pricing tiers were selected. Documentation
Small Flow Logs Retention Period
7750fcca-dd03-4d38-b663-4b70289bcfd4
Terraform Medium Insecure Configurations Flow logs enable capturing information about IP traffic flowing in and out of the network security groups. Network Security Group Flow Logs must be enabled with retention period greater than or equal to 90 days. This is important, because these logs are used to check for anomalies and give information of suspected breaches Documentation
PSP Allows Sharing Host IPC
51bed0ac-a8ae-407a-895e-90c6cb0610ce
Terraform Medium Insecure Configurations Pod Security Policy allows containers to share the host IPC namespace Documentation
PSP Set To Privileged
a6a4d4fc-4e8f-47d1-969f-e9d4a084f3b9
Terraform Medium Insecure Configurations Do not allow pod to request execution as privileged Documentation
Workload Mounting With Sensitive OS Directory
a737be28-37d8-4bff-aa6d-1be8aa0a0015
Terraform Medium Insecure Configurations Workload is mounting a volume with sensitive OS Directory Documentation
Default Service Account In Use
737a0dd9-0aaa-4145-8118-f01778262b8a
Terraform Medium Insecure Configurations Default service accounts should not be actively used Documentation
Container Resources Limits Undefined
60af03ff-a421-45c8-b214-6741035476fa
Terraform Medium Insecure Configurations Kubernetes container should have resource limitations defined such as CPU and memory Documentation
Seccomp Profile Is Not Configured
455f2e0c-686d-4fcb-8b5f-3f953f12c43c
Terraform Medium Insecure Configurations Check if any resource does not configure Seccomp default profile properly Documentation
Container Host Pid Is True
587d5d82-70cf-449b-9817-f60f9bccb88c
Terraform Medium Insecure Configurations Minimize the admission of containers wishing to share the host process ID namespace Documentation
Containers With Sys Admin Capabilities
3f55386d-75cd-4e9a-ac47-167b26c04724
Terraform Medium Insecure Configurations Containers should not have CAP_SYS_ADMIN Linux capability Documentation
Containers With Added Capabilities
fe771ff7-ba15-4f8f-ad7a-8aa232b49a28
Terraform Medium Insecure Configurations Kubernetes Pod should not have extra capabilities allowed Documentation
PSP Allows Privilege Escalation
2bff9906-4e9b-4f71-9346-8ebedfdf43ef
Terraform Medium Insecure Configurations PodSecurityPolicy should not allow privilege escalation Documentation
NET_RAW Capabilities Disabled for PSP
9aa32890-ac1a-45ee-81ca-5164e2098556
Terraform Medium Insecure Configurations Containers need to have NET_RAW or All as drop capabilities Documentation
PSP With Added Capabilities
48388bd2-7201-4dcc-b56d-e8a9efa58fad
Terraform Medium Insecure Configurations PodSecurityPolicy should not have added capabilities Documentation
Ingress Controller Exposes Workload
e2c83c1f-84d7-4467-966c-ed41fd015bb9
Terraform Medium Insecure Configurations Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks Documentation
Using Default Namespace
abcb818b-5af7-4d72-aba9-6dd84956b451
Terraform Medium Insecure Configurations The default namespace should not be used Documentation
Container Runs Unmasked
0ad60203-c050-4115-83b6-b94bde92541d
Terraform Medium Insecure Configurations Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime. Documentation
GitHub Repository Set To Public
15d8a7fd-465a-4d15-a868-add86552f17b
Terraform Medium Insecure Configurations Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private') Documentation
Default Network Access is Allowed
9be09caf-2ba4-4fa9-9787-a670dc32c639
Terraform Medium Insecure Defaults Default Network Access rule for Storage Accounts must be set to deny, which means the attribute 'default_action' must be 'Deny' Documentation
Service Account Name Undefined Or Empty
24b132df-5cc7-4823-8029-f898e1c50b72
Terraform Medium Insecure Defaults A Kubernetes Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'service_account_name' should be defined and not empty. Documentation
Service Account Token Automount Not Disabled
a9a13d4f-f17a-491b-b074-f54bffffcb4a
Terraform Medium Insecure Defaults Service Account Tokens are automatically mounted even if not necessary Documentation
IP Forwarding Enabled
f34c0c25-47b4-41eb-9c79-249b4dd47b89
Terraform Medium Networking and Firewall Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true Documentation
SSH Access Is Not Restricted
c4dcdcdf-10dd-4bf4-b4a0-8f6239e6aaa0
Terraform Medium Networking and Firewall Check if Google Firewall allows SSH access (port 22) from the Internet (public CIDR block) Documentation
RDP Access Is Not Restricted
678fd659-96f2-454a-a2a0-c2571f83a4a3
Terraform Medium Networking and Firewall Check if Google Firewall ingress allows RDP access (port 3389) Documentation
ALB Is Not Integrated With WAF
0afa6ab8-a047-48cf-be07-93a2f8c34cf7
Terraform Medium Networking and Firewall All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service Documentation
API Gateway Endpoint Config is Not Private
6b2739db-9c49-4db7-b980-7816e0c248c1
Terraform Medium Networking and Firewall The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet Documentation
SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
54c417bf-c762-48b9-9d31-b3d87047e3f0
Terraform Medium Networking and Firewall Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it. Documentation
Dynamodb VPC Endpoint Without Route Table Association
0bc534c5-13d1-4353-a7fe-b8665d5c1d7d
Terraform Medium Networking and Firewall Dynamodb VPC Endpoint should be associated with Route Table Association Documentation
Sensitive Port Is Exposed To Small Public Network
e35c16a2-d54e-419d-8546-a804d8e024d0
Terraform Medium Networking and Firewall A sensitive port, such as port 23 or port 110, is open for a small public network in either TCP or UDP protocol Documentation
SQS VPC Endpoint Without DNS Resolution
e9b7acf9-9ba0-4837-a744-31e7df1e434d
Terraform Medium Networking and Firewall SQS VPC Endpoint should have DNS resolution enabled Documentation
Sensitive Port Is Exposed To Wide Private Network
92fe237e-074c-4262-81a4-2077acb928c1
Terraform Medium Networking and Firewall A sensitive port, such as port 23 or port 110, is open for a wide private network in either TCP or UDP protocol Documentation
Sensitive Port Is Exposed To Small Public Network
e9dee01f-2505-4df2-b9bf-7804d1fd9082
Terraform Medium Networking and Firewall A sensitive port, such as port 23 or port 110, is open for small public network in either TCP or UDP protocol Documentation
Firewall Rule Allows Too Many Hosts To Access Redis Cache
a829b715-cf75-4e92-b645-54c9b739edfb
Terraform Medium Networking and Firewall Check if any firewall rule allows too many hosts to access Redis Cache Documentation
WAF Is Disabled For Azure Application Gateway
2e48d91c-50e4-45c8-9312-27b625868a72
Terraform Medium Networking and Firewall Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway. Documentation
Sensitive Port Is Exposed To Wide Private Network
c6c7b33d-d7f6-4ab8-8c82-ca0431ecdb7e
Terraform Medium Networking and Firewall A sensitive port, such as port 23 or port 110, is open for wide private network in either TCP or UDP protocol Documentation
Service With External Load Balance
2a52567c-abb8-4651-a038-52fa27c77aed
Terraform Medium Networking and Firewall Service has an external load balancer, which may cause accessibility from other networks and the Internet Documentation
Network Policy Is Not Targeting Any Pod
b80b14c6-aaa2-4876-b651-8a48b6c32fbf
Terraform Medium Networking and Firewall Check if any network policy is not targeting any pod. Documentation
Google Compute Subnetwork Logging Disabled
40430747-442d-450a-a34f-dc57149f4609
Terraform Medium Observability This query checks if logs are enabled for a Google Compute Subnetwork resource. Documentation
CloudTrail SNS Topic Name Undefined
482b7d26-0bdb-4b5f-bf6f-545826c0a3dd
Terraform Medium Observability Check if SNS topic name is set for CloudTrail Documentation
CloudWatch Without Retention Period Specified
ef0b316a-211e-42f1-888e-64efe172b755
Terraform Medium Observability AWS CloudWatch Log groups should have retention days specified Documentation
CloudTrail Not Integrated With CloudWatch
17b30f8f-8dfb-4597-adf6-57600b6cf25e
Terraform Medium Observability CloudTrail should be integrated with CloudWatch Documentation
MSK Cluster Logging Disabled
2f56b7ab-7fba-4e93-82f0-247e5ddeb239
Terraform Medium Observability Ensure MSK Cluster Logging is enabled Documentation
API Gateway X-Ray Disabled
5813ef56-fa94-406a-b35d-977d4a56ff2b
Terraform Medium Observability X-ray Tracing is not enabled Documentation
Redshift Cluster Logging Disabled
15ffbacc-fa42-4f6f-a57d-2feac7365caa
Terraform Medium Observability Make sure Logging is enabled for Redshift Cluster Documentation
Stack Notifications Disabled
b72d0026-f649-4c91-a9ea-15d8f681ac09
Terraform Medium Observability Enable AWS CloudFormation Stack Notifications Documentation
S3 Bucket Without Versioning
568a4d22-3517-44a6-a7ad-6a7eed88722c
Terraform Medium Observability S3 bucket without versioning Documentation
Cloudfront Logging Disabled
94690d79-b3b0-43de-b656-84ebef5753e5
Terraform Medium Observability AWS Cloudfront distributions must have logging enabled, which means the attribute 'logging_config' must be defined Documentation
Default VPC Exists
96ed3526-0179-4c73-b1b2-372fde2e0d13
Terraform Medium Observability It isn't recommended to use resources in default VPC Documentation
CloudWatch Logging Disabled
7dbba512-e244-42dc-98bb-422339827967
Terraform Medium Observability Check if CloudWatch logging is disabled for Route53 hosted zones Documentation
API Gateway With CloudWatch Logging Disabled
982aa526-6970-4c59-8b9b-2ce7e019fe36
Terraform Medium Observability AWS CloudWatch Logs for APIs is not enabled Documentation
GuardDuty Detector Disabled
704dadd3-54fc-48ac-b6a0-02f170011473
Terraform Medium Observability Make sure that Amazon GuardDuty is Enabled Documentation
CloudTrail Multi Region Disabled
8173d5eb-96b5-4aa6-a71b-ecfa153c123d
Terraform Medium Observability Check if MultiRegion is Enabled Documentation
MQ Broker Logging Disabled
31245f98-a6a9-4182-9fc1-45482b9d030a
Terraform Medium Observability Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general). Documentation
Api Gateway Access Logging Disabled
1b6799eb-4a7a-4b04-9001-8cceb9999326
Terraform Medium Observability RDS does not have any kind of logger Documentation
CloudWatch Metrics Disabled
081069cb-588b-4ce1-884c-2a1ce3029fe5
Terraform Medium Observability Checks if CloudWatch Metrics is Enabled Documentation
API Gateway Deployment Without Access Log Setting
625abc0e-f980-4ac9-a775-f7519ee34296
Terraform Medium Observability API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage. Documentation
Elasticsearch Log is disabled
acb6b4e2-a086-4f35-aefd-4db6ea51ada2
Terraform Medium Observability AWS Elasticsearch should have logs enabled Documentation
Elasticsearch Without Slow Logs
e979fcbc-df6c-422d-9458-c33d65e71c45
Terraform Medium Observability Ensure that AWS Elasticsearch enables support for slow logs Documentation
VPC FlowLogs Disabled
f83121ea-03da-434f-9277-9cd247ab3047
Terraform Medium Observability VPC hasn't got any FlowLog associated Documentation
Small MSSQL Audit Retention Period
9c301481-e6ec-44f7-8a49-8ec63e2969ea
Terraform Medium Observability Make sure that for MSSQL Server, the Auditing Retention is greater than 90 days Documentation
PostgreSQL Log Connections Not Set
c640d783-10c5-4071-b6c1-23507300d333
Terraform Medium Observability Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON' Documentation
PostgreSQL Server Without Connection Throttling
2b3c671f-1b76-4741-8789-ed1fe0785dc4
Terraform Medium Observability Ensure that Connection Throttling is set for the PostgreSQL server Documentation
Email Alerts Disabled
9db38e87-f6aa-4b5e-a1ec-7266df259409
Terraform Medium Observability Make sure that alerts notifications are set to 'On' in the Azure Security Center Contact Documentation
Small Activity Log Retention Period
2b856bf9-8e8c-4005-875f-303a8cba3918
Terraform Medium Observability Ensure that Activity Log Retention is set 365 days or greater Documentation
Small MSSQL Server Audit Retention
59acb56b-2b10-4c2c-ba38-f2223c3f5cfc
Terraform Medium Observability Make sure for SQL Servers that Auditing Retention is greater than 90 days Documentation
PostgreSQL Log Disconnections Not Set
07f7134f-9f37-476e-8664-670c218e4702
Terraform Medium Observability Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON' Documentation
SQL Server Auditing Disabled
f7e296b0-6660-4bc5-8f87-22ac4a815edf
Terraform Medium Observability Make sure that for SQL Servers, 'Auditing' is set to 'On' Documentation
Log Retention Is Not Set
ffb02aca-0d12-475e-b77c-a726f7aeff4b
Terraform Medium Observability Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON' Documentation
MSSQL Server Auditing Disabled
609839ae-bd81-4375-9910-5bce72ae7b92
Terraform Medium Observability Make sure that for MSSQL Servers, that 'Auditing' is set to 'On' Documentation
PostgreSQL Log Checkpoints Disabled
3790d386-be81-4dcf-9850-eaa7df6c10d9
Terraform Medium Observability Make sure that for PostgreSQL Database Server, parameter 'log_checkpoints' is set to 'ON' Documentation
Small PostgreSQL DB Server Log Retention Period
261a83f8-dd72-4e8c-b5e1-ebf06e8fe606
Terraform Medium Observability Check if PostgreSQL Database Server retains logs for less than 3 Days Documentation
PostgreSQL Log Duration Not Set
16e0879a-c4ae-4ff8-a67d-a2eed5d67b8f
Terraform Medium Observability Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON' Documentation
No Stack Policy
2f01fb2d-828a-499d-b98e-b83747305052
Terraform Medium Resource Management AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions Documentation
CPU Limits Not Set
5f4735ce-b9ba-4d95-a089-a37a767b716f
Terraform Medium Resource Management CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests Documentation
CPU Requests Not Set
577ac19c-6a77-46d7-9f14-e049cdd15ec2
Terraform Medium Resource Management CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node Documentation
Memory Limits Not Defined
fd097ed0-7fe6-4f58-8b71-fef9f0820a21
Terraform Medium Resource Management Memory limits should be specified Documentation
Volume Mount With OS Directory Write Permissions
a62a99d1-8196-432f-8f80-3c100b05d62a
Terraform Medium Resource Management Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries. Documentation
Memory Requests Not Defined
21719347-d02b-497d-bda4-04a03c8e5b61
Terraform Medium Resource Management Memory requests should be specified Documentation
Hardcoded AWS Access Key In Lambda
1402afd8-a95c-4e84-8b0b-6fb43758e6ce
Terraform Medium Secret Management Lambda hardcoded AWS access/secret keys Documentation
Shared Service Account
f74b9c43-161a-4799-bc95-0b0ec81801b9
Terraform Medium Secret Management A Service Account token is shared between workloads Documentation
Service Account Allows Access Secrets
07fc3413-e572-42f7-9877-5c8fc6fccfb5
Terraform Medium Secret Management Kubernetes_role and Kubernetes_cluster_role, when bound, should not use get, list or watch as verbs Documentation
IAM Policy Grants 'AssumeRole' Permission Across All Services
bcdcbdc6-a350-4855-ae7c-d1e6436f7c97
Terraform Low Access Control IAM role allows All services or principals to assume it Documentation
IAM Role Allows All Principals To Assume
12b7e704-37f0-4d1e-911a-44bf60c48c21
Terraform Low Access Control IAM role allows all services or principals to assume it Documentation
S3 Bucket Public ACL Overridden By Public Access Block
bf878b1a-7418-4de3-b13c-3a86cf894920
Terraform Low Access Control S3 bucket public access is overridden by S3 bucket Public Access Block when the following attributes are set to true - 'block_public_acls', 'block_public_policy', 'ignore_public_acls', and 'restrict_public_buckets' Documentation
Missing App Armor Config
bd6bd46c-57db-4887-956d-d372f21291b6
Terraform Low Access Control Containers should be configured with AppArmor for any application to reduce its potential attack Documentation
Cluster Admin Rolebinding With Superuser Permissions
17172bc2-56fb-4f17-916f-a014147706cd
Terraform Low Access Control Ensure that the cluster-admin role is only used where required (RBAC) Documentation
Permissive Access to Create Pods
522d4a64-4dc9-44bd-9240-7d8a0d5cb5ba
Terraform Low Access Control The permission to create pods in a cluster should be restricted because it allows privilege escalation. Documentation
Docker Daemon Socket is Exposed to Containers
4e203a65-c8d8-49a2-b749-b124d43c9dc1
Terraform Low Access Control Sees if Docker Daemon Socket is not exposed to Containers Documentation
HPA Targets Invalid Object
17e52ca3-ddd0-4610-9d56-ce107442e110
Terraform Low Availability The Horizontal Pod Autoscale must target a valid object Documentation
StatefulSet Without Service Name
420e6360-47bb-46f6-9072-b20ed22c842d
Terraform Low Availability Check if the StatefulSet has a headless 'serviceName' Documentation
Deployment Without PodDisruptionBudget
a05331ee-1653-45cb-91e6-13637a76e4f0
Terraform Low Availability Deployments should be assigned with a PodDisruptionBudget to ensure high availability Documentation
StatefulSet Without PodDisruptionBudget
7249e3b0-9231-4af3-bc5f-5daf4988ecbf
Terraform Low Availability StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability Documentation
ECR Repository Without Policy
69e7c320-b65d-41bb-be02-d63ecc0bcc9d
Terraform Low Best Practices ECR Repository should have Policies attached to it Documentation
Lambda Permission Misconfigured
75ec6890-83af-4bf1-9f16-e83726df0bd0
Terraform Low Best Practices Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction' Documentation
CDN Configuration Is Missing
1bc367f6-901d-4870-ad0c-71d79762ef52
Terraform Low Best Practices Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination. Documentation
IAM Policies Attached To User
b4378389-a9aa-44ee-91e7-ef183f11079e
Terraform Low Best Practices IAM policies should be attached only to groups or roles Documentation
Metadata Label Is Invalid
bc3dabb6-fd50-40f8-b9ba-7429c9f1fb0e
Terraform Low Best Practices Check if any label in the metadata is invalid. Documentation
No Drop Capabilities for Containers
21cef75f-289f-470e-8038-c7cee0664164
Terraform Low Best Practices Checks if Kubernetes Drop Capabilities exist to ensure the container's security context Documentation
Root Container Not Mounted As Read-only
d532566b-8d9d-4f3b-80bd-361fe802f9c2
Terraform Low Build Process Check if the root container filesystem is not being mounted as read-only. Documentation
StatefulSet Requests Storage
fcc2612a-1dfe-46e4-8ce6-0320959f0040
Terraform Low Build Process A StatefulSet requests volume storage. Documentation
S3 Bucket With Ignore Public ACL
4fa66806-0dd9-4f8d-9480-3174d39c7c91
Terraform Low Insecure Configurations S3 bucket with ignore public ACL Documentation
Open Access To Resources Through API
108aa260-6dab-4a75-ae3f-de917d634840
Terraform Low Insecure Configurations Open access to back-end resources through API Documentation
Dashboard Is Enabled
61c3cb8b-0715-47e4-b788-86dde40dd2db
Terraform Low Insecure Configurations Check if the Kubernetes Dashboard is enabled. Documentation
Image Without Digest
228c4c19-feeb-4c18-848c-800ac70fdfb7
Terraform Low Insecure Configurations Checks if the Kubernetes image has a digest Documentation
Pod or Container Without Security Context
ad69e38a-d92e-4357-a8da-f2f29d545883
Terraform Low Insecure Configurations A security context defines privilege and access control settings for a Pod or Container Documentation
Image Pull Policy Of The Container Is Not Set To Always
aa737abf-6b1d-4aba-95aa-5c160bd7f96e
Terraform Low Insecure Configurations Image Pull Policy of the container must be defined and set to Always Documentation
Cloudfront Without WAF
1419b4c6-6d5c-4534-9cf6-6a5266085333
Terraform Low Networking and Firewall All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service Documentation
Service Type is NodePort
5c281bf8-d9bb-47f2-b909-3f6bb11874ad
Terraform Low Networking and Firewall Service type should not be NodePort Documentation
Workload Host Port Not Specified
4e74cf4f-ff65-4c1a-885c-67ab608206ce
Terraform Low Networking and Firewall Verifies if Kubernetes workload's host port is specified Documentation
Missing Cluster Log Types
66f130d9-b81d-4e8e-9b08-da74b9c891df
Terraform Low Observability Amazon EKS control plane logging is not enabled for all log types Documentation
DocDB Logging Is Disabled
56f6a008-1b14-4af4-b9b2-ab7cf7e27641
Terraform Low Observability DocDB logging should be enabled Documentation
API Gateway Deployment Without API Gateway UsagePlan Associated
b3a59b8e-94a3-403e-b6e2-527abaf12034
Terraform Low Observability API Gateway Deployment should have API Gateway UsagePlan defined and associated. Documentation
S3 Bucket Logging Disabled
f861041c-8c9f-4156-acfc-5e6e524f5884
Terraform Low Observability S3 bucket without logging Documentation
ECS Cluster with Container Insights Disabled
97cb0688-369a-4d26-b1f7-86c4c91231bc
Terraform Low Observability ECS Cluster should enable container insights Documentation
EKS cluster logging is not enabled
37304d3f-f852-40b8-ae3f-725e87a7cedf
Terraform Low Observability Amazon EKS control plane logging is not enabled Documentation
Lambda Functions Without X-Ray Tracing
8152e0cf-d2f0-47ad-96d5-d003a76eabd1
Terraform Low Observability AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_Config.mode' should have the value 'Active' Documentation
Global Accelerator Flow Logs Disabled
96e8183b-e985-457b-90cd-61c0503a3369
Terraform Low Observability Global Accelerator should have flow logs enabled Documentation
CloudTrail Log File Validation Disabled
52ffcfa6-6c70-4ea6-8376-d828d3961669
Terraform Low Observability CloudTrail log file validation should be enabled Documentation
API Gateway Stage Without API Gateway UsagePlan Associated
c999cf62-0920-40f8-8dda-0caccd66ed7e
Terraform Low Resource Management API Gateway Stage should have API Gateway UsagePlan defined and associated. Documentation
Deployment Has No PodAntiAffinity
461ed7e4-f8d5-4bc1-b3c6-64ddb4fd00a3
Terraform Low Resource Management Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node. Documentation
CronJob Deadline Not Configured
58876b44-a690-4e9f-9214-7735fa0dd15d
Terraform Low Resource Management Cronjobs must have a configured deadline, which means the attribute 'starting_deadline_seconds' must be defined Documentation
Hardcoded AWS Access Key
d7b9d850-3e06-4a75-852f-c46c2e92240b
Terraform Low Secret Management Hard-coded AWS access key / secret key exists in EC2 user data Documentation
Secrets As Environment Variables
6d8f1a10-b6cd-48f0-b960-f7c535d5cdb8
Terraform Low Secret Management Container should not use secrets as environment variables Documentation
Invalid Image
e76cca7c-c3f9-4fc9-884c-b2831168ebd8
Terraform Low Supply-Chain Image must be defined and not be empty or equal to latest. Documentation
Security Group Without Description
cb3f5ed6-0d18-40de-a93d-b3538db31e8c
Terraform Info Best Practices It's considered a best practice for AWS Security Group to have a description Documentation
Security Group Rules Without Description
68eb4bf3-f9bf-463d-b5cf-e029bb446d2e
Terraform Info Best Practices It's considered a best practice for all rules in AWS Security Group to have a description Documentation
Resource Not Using Tags
e38a8e0a-b88b-4902-b3fe-b0fcb17d5c10
Terraform Info Best Practices AWS services resource tags are an essential part of managing components Documentation
EC2 Not EBS Optimized
60224630-175a-472a-9e23-133827040766
Terraform Info Best Practices It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance Documentation
DynamoDB Table Point In Time Recovery Disabled
741f1291-47ac-4a85-a07b-3d32a9d6bd3e
Terraform Info Best Practices It's considered a best practice to have point in time recovery enabled for DynamoDB Table Documentation
ELB Access Logging Disabled
20018359-6fd7-4d05-ab26-d4dffccbdf79
Terraform Info Observability ELB should have logging enabled to help on error investigation Documentation
RDS Without Logging
8d7f7b8c-6c7c-40f8-baa6-62006c6c7b56
Terraform Info Observability RDS does not have any kind of logger Documentation
Neptune Logging Is Disabled
45cff7b6-3b80-40c1-ba7b-2cf480678bb8
Terraform Info Observability Neptune logging should be enabled Documentation
EC2 Instance Monitoring Disabled
23b70e32-032e-4fa6-ba5c-82f56b9980e6
Terraform Info Observability EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods Documentation
VM With Full Cloud Access
bc20bbc6-0697-4568-9a73-85af1dd97bdd
Ansible High Access Control A VM instance is configured to use the default service account with full access to all Cloud APIs Documentation
SQL DB Instance Is Publicly Accessible
7d7054c0-3a52-4e9b-b9ff-cbfe16a2378b
Ansible High Access Control Check if any Cloud SQL instances are publicly accessible. Documentation
S3 Bucket Allows Put Action From All Principals
a0f1bfe0-741e-473f-b3b2-13e66f856fab
Ansible High Access Control S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. Documentation
S3 Bucket ACL Allows Read to All Users
a1ef9d2e-4163-40cb-bd92-04f0d602a15d
Ansible High Access Control It's not recommended to allow read access for all user groups. Documentation
DB Instance Publicly Accessible
c09e3ca5-f08a-4717-9c87-3919c5e6d209
Ansible High Access Control The field 'publicly_accessible' should not be set to 'true' (default is 'false'). Documentation
S3 Bucket Access to Any Principal
3ab1f27d-52cc-4943-af1d-43c1939e739a
Ansible High Access Control Checks if the S3 bucket is accessible for all users Documentation
S3 Bucket Allows WriteACP Action From All Principals
7529b8d2-55d7-44d2-b1cd-d7d2984a2a81
Ansible High Access Control S3 Buckets must not allow Write_ACP Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Write_ACP, for all Principals. Documentation
S3 Bucket Allows Delete Action From All Principals
6fa44721-ef21-41c6-8665-330d59461163
Ansible High Access Control S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. Documentation
S3 Bucket Allows Get Action From All Principals
53bce6a8-5492-4b1b-81cf-664385f0c4bf
Ansible High Access Control S3 Buckets must not allow Get Action From All Principals, so as to prevent leaking private information to the entire internet or allowing unauthorized data tampering / deletion. Documentation
S3 Bucket Allows List Action From All Principals
d395a950-12ce-4314-a742-ac5a785ab44e
Ansible High Access Control S3 Buckets must not allow List Action From All Principals, so as to prevent leaking private information to the entire internet or allowing unauthorized data tampering / deletion. Documentation
S3 Bucket With All Permissions
6a6d7e56-c913-4549-b5c5-5221e624d2ec
Ansible High Access Control S3 Buckets must not grant all permissions, so as to prevent leaking private information to the entire internet or allowing unauthorized data tampering / deletion. Documentation
S3 Bucket ACL Allows Read to Any Authenticated User
75480b31-f349-4b9a-861f-bce19588e674
Ansible High Access Control Misconfigured S3 buckets can leak private information to the entire internet or allow unauthorized data tampering / deletion Documentation
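The S3 entries above (Put/Delete/Get/List/WriteACP from all principals, all permissions, and the public and authenticated-read ACLs) all reduce to two inspections of an S3 bucket task: an `Allow` statement whose principal is the wildcard, and a canned ACL that opens the bucket. The following Python is an added example of those inspections, written for this page and not KICS's own Rego query code. It assumes the task is an `amazon.aws.s3_bucket` module call whose `policy` is a dict or JSON string and whose canned ACL sits under an `acl` (or `permission`) key; the key name and the sample tasks are assumptions constructed for the example.

```python
import json

# Action prefixes (lower-cased) that map onto the per-action queries in this list.
ACTION_FAMILIES = {
    "Put": ("s3:put",),
    "Delete": ("s3:delete",),
    "Get": ("s3:get",),
    "List": ("s3:list",),
    "WriteACP": ("s3:putbucketacl", "s3:putobjectacl"),
}
# Canned ACLs that grant read to everyone / to any authenticated AWS user.
PUBLIC_ACLS = {"public-read", "public-read-write"}
AUTHENTICATED_ACL = "authenticated-read"


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_is_wildcard(principal) -> bool:
    """True for Principal: '*' and for Principal: {'AWS': '*'} (also inside lists)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def classify_action(action: str) -> set:
    """Query families an IAM action string belongs to; 's3:Put*' style wildcards are matched by prefix."""
    act = action.lower()
    if act in ("*", "s3:*"):
        return {"AllPermissions"} | set(ACTION_FAMILIES)  # everything at once
    families = set()
    for family, prefixes in ACTION_FAMILIES.items():
        for prefix in prefixes:
            if act.startswith(prefix) or (act.endswith("*") and prefix.startswith(act[:-1])):
                families.add(family)
    return families


def check_policy(policy) -> set:
    """Findings for a bucket policy given as a dict or JSON string. Conditions are not evaluated."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not principal_is_wildcard(stmt.get("Principal")):
            continue
        for action in _as_list(stmt.get("Action")):
            for family in classify_action(action):
                if family == "AllPermissions":
                    findings.add("S3 Bucket With All Permissions")
                else:
                    findings.add(f"S3 Bucket Allows {family} Action From All Principals")
    return findings


def check_acl(acl) -> set:
    findings = set()
    for canned in _as_list(acl):
        if canned in PUBLIC_ACLS:
            findings.add("S3 Bucket ACL Allows Read to All Users")
        if canned == AUTHENTICATED_ACL:
            findings.add("S3 Bucket ACL Allows Read to Any Authenticated User")
    return findings


def check_s3_bucket_task(task: dict) -> set:
    """Run both checks over one Ansible task. The 'acl'/'permission' key name is an assumption."""
    args = task.get("amazon.aws.s3_bucket") or task.get("s3_bucket") or {}
    acl = args.get("acl", args.get("permission"))
    return check_policy(args.get("policy") or {}) | check_acl(acl)


# Constructed sample tasks, not taken from any real playbook.
SAMPLE_TASKS = [
    {"name": "public bucket with wildcard principal",
     "amazon.aws.s3_bucket": {
         "name": "example-public-bucket", "acl": "public-read",
         "policy": {"Version": "2012-10-17", "Statement": [{
             "Effect": "Allow", "Principal": {"AWS": "*"},
             "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
             "Resource": "arn:aws:s3:::example-public-bucket/*"}]}}},
    {"name": "locked-down bucket",
     "amazon.aws.s3_bucket": {
         "name": "example-private-bucket", "acl": "private",
         "policy": json.dumps({"Version": "2012-10-17", "Statement": [{
             "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
             "Action": "s3:GetObject",
             "Resource": "arn:aws:s3:::example-private-bucket/*"}]})}},
]

if __name__ == "__main__":
    for task in SAMPLE_TASKS:
        print(task["name"], "->", sorted(check_s3_bucket_task(task)) or "clean")
```

The first sample trips the Get, Put and Delete queries and the public-read ACL query; the second trips nothing because its principal is a specific role. A `Principal: "*"` statement that is narrowed by a `Condition` block still counts here, so treat a hit as a prompt to read the statement rather than as a verdict.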
ECS Service Admin Role is Present
7db727c1-1720-468e-b80e-06697f71e09e
Ansible High Access Control ECS Services must not have Admin roles, which means the attribute 'role' must not be an admin role Documentation
SQS Queue Exposed
86b0efa7-4901-4edd-a37a-c034bec6645a
Ansible High Access Control Checks if the SQS Queue is exposed Documentation
IAM Policies With Full Privileges
e401d614-8026-4f4b-9af9-75d1197461ba
Ansible High Access Control IAM policies must not grant full administrative privileges (for all resources) Documentation
Public Storage Account
35e2f133-a395-40de-a79d-b260d973d1bd
Ansible High Access Control Check if 'network_acls' is open to the public. Documentation
Trusted Microsoft Services Not Enabled
1bc398a8-d274-47de-a4c8-6ac867b353de
Ansible High Access Control Ensure Trusted Microsoft Services have Storage Account access. Documentation
Admin User Enabled For Container Registry
29f35127-98e6-43af-8ec1-201b79f99604
Ansible High Access Control Admin user is enabled for Container Registry Documentation
Storage Container Is Publicly Accessible
4d3817db-dd35-4de4-a80d-3867157e7f7f
Ansible High Access Control Anonymous, public read access to a container and its blobs is enabled in Azure Blob Storage Documentation
SQL DB Instance Backup Disabled
0c82eae2-aca0-401f-93e4-fb37a0f9e5e8
Ansible High Backup Checks if backup configuration is enabled for all Cloud SQL Database instances Documentation
DNSSEC Using RSASHA1
6cf4c3a7-ceb0-4475-8892-3745b84be24a
Ansible High Encryption DNSSEC should not use the RSASHA1 algorithm Documentation
SQL DB Instance With SSL Disabled
d0f7da39-a2d5-4c78-bb85-4b7f338b3cbb
Ansible High Encryption Cloud SQL Database Instance with SSL disabled for incoming connections Documentation
High KMS Rotation Period
79f45008-60b3-4a0a-a302-8311fd3701b4
Ansible High Encryption Check if any KMS rotation period surpasses 365 days. Documentation
CA Certificate Identifier Is Outdated
5eccd62d-8b4d-46d3-83ea-1879f3cbd3ce
Ansible High Encryption The CA certificate Identifier must be 'rds-ca-2019'. Documentation
User Data Shell Script Is Encoded
1e2341ba-a5cf-4f0a-a5f6-47e90c68ea89
Ansible High Encryption User Data Shell Script must be encoded Documentation
Viewer Protocol Policy Allows HTTP
a6d27cf7-61dc-4bde-ae08-3b353b609f76
Ansible High Encryption Checks if the connection between the viewer and CloudFront is encrypted, i.e. the viewer protocol policy must not allow plain HTTP Documentation
Redis Not Compliant
9f34885e-c08f-4d13-a7d1-cf190c5bd268
Ansible High Encryption Check if the redis version is compliant with the necessary AWS PCI DSS requirements Documentation
ELB Using Insecure Protocols
730a5951-2760-407a-b032-dd629b55c23a
Ansible High Encryption ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not match any entry in a predefined list of insecure protocols. Documentation
S3 Bucket Without Server-side-encryption
594f54e7-f744-45ab-93e4-c6dbaf6cd571
Ansible High Encryption AWS S3 Storage should be protected with SSE (Server-Side Encryption) Documentation
S3 Bucket SSE Disabled
309edc5b-5a59-42b4-a357-d4d098311fd4
Ansible High Encryption If the SSE algorithm is AES256, the master key must be null, empty or undefined; for any other algorithm a master key is required Documentation
Automatic Minor Upgrades Disabled
857f8808-e96a-4ba8-a9b7-f2d4ec6cad94
Ansible High Encryption The RDS instance auto minor version upgrade feature must be enabled (set to true) Documentation
User Data Contains Encoded Private Key
c09f4d3e-27d2-4d46-9453-abbe9687a64e
Ansible High Encryption User Data contains an encoded RSA Private Key Documentation
Memcached Disabled
2d55ef88-b616-4890-b822-47f280763e89
Ansible High Encryption Check that the ElastiCache cluster is not using the Memcached engine Documentation
CloudTrail Log Files Not Encrypted
f5587077-3f57-4370-9b4e-4eb5b1bac85b
Ansible High Encryption CloudTrail Log Files should be encrypted with Key Management Service (KMS) Documentation
Secure Ciphers Disabled
218413a0-c716-4b94-9e08-0bb70d854709
Ansible High Encryption Check if secure ciphers aren't used in CloudFront Documentation
Redshift Not Encrypted
6a647814-def5-4b85-88f5-897c19f509cd
Ansible High Encryption Check if 'encrypted' field is false or undefined (default is false) Documentation
DB Instance Storage Not Encrypted
7dfb316c-a6c2-454d-b8a2-97f147b0c0ff
Ansible High Encryption The parameter 'storage_encrypted' of the RDS DB instance must be set to 'true' (the default is 'false'). Documentation
AMI Not Encrypted
97707503-a22c-4cd7-b7c0-f088fa7cf830
Ansible High Encryption AWS AMI Encryption is not enabled Documentation
EFS Not Encrypted
727c4fd4-d604-4df6-a179-7713d3c85e20
Ansible High Encryption Elastic File System (EFS) must be encrypted Documentation
Launch Configuration Is Not Encrypted
66477506-6abb-49ed-803d-3fa174cd5f6a
Ansible High Encryption AWS Autoscaling Launch Configurations should have encryption enabled Documentation
IAM Database Auth Not Enabled
0ed012a4-9199-43d2-b9e4-9bd049a48aa4
Ansible High Encryption IAM database authentication must be enabled, i.e. the corresponding attribute must be set to true Documentation
ELB Using Weak Ciphers
2034fb37-bc23-4ca0-8d95-2b9f15829ab5
Ansible High Encryption ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not match any entry in a predefined list of weak ciphers. Documentation
Kinesis Not Encrypted With KMS
f2ea6481-1d31-4d40-946a-520dc6321dd7
Ansible High Encryption AWS Kinesis Streams and metadata should be protected with KMS Documentation
EFS Without KMS
bd77554e-f138-40c5-91b2-2a09f878608e
Ansible High Encryption Elastic File System (EFS) must have KMS Key ID Documentation
ECS Task Definition Container With Plaintext Password
7fdc2bf3-6bc0-4cb3-84c5-cfd041c0f892
Ansible High Encryption It's not recommended to use plaintext environment variables for sensitive information, such as credential data. Documentation
SSL Enforce Disabled
961ce567-a16d-4d7d-9027-f0ec2628a555
Ansible High Encryption Make sure that for PostgreSQL, the 'Enforce SSL connection' is set to 'ENABLED' Documentation
Storage Account Not Forcing HTTPS
2c99a474-2a3c-4c17-8294-53ffa5ed0522
Ansible High Encryption Ensure that Storage Accounts force the use of HTTPS Documentation
MySQL SSL Connection Disabled
2a901825-0f3b-4655-a0fe-e0470e50f8e6
Ansible High Encryption Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled Documentation
PostgreSQL Misconfigured Logging Duration Flag
aed98a2a-e680-497a-8886-277cea0f4514
Ansible High Insecure Configurations PostgreSQL database 'log_min_duration_statement' flag isn't set to '-1' Documentation
Cloud SQL Instance With Contained Database Authentication On
6d34aff3-fdd2-460c-8190-756a3b4969e8
Ansible High Insecure Configurations SQL Instance should not have Contained Database Authentication On Documentation
MySQL Instance With Local Infile On
a7b520bb-2509-4fb0-be05-bc38f54c7a4c
Ansible High Insecure Configurations MySQL Instance should not have Local Infile On Documentation
IP Aliasing Disabled
ed672a9f-fbf0-44d8-a47d-779501b0db05
Ansible High Insecure Configurations Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ip_allocation_policy' must be defined and the subattribute 'use_ip_aliases' must be set to 'yes'. Documentation
Cluster Labels Disabled
fbe9b2d0-a2b7-47a1-a534-03775f3013f7
Ansible High Insecure Configurations Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined Documentation
GKE Legacy Authorization Enabled
300a9964-b086-41f7-9378-b6de3ba1c32b
Ansible High Insecure Configurations Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacy_abac.enabled' must be false. Documentation
BigQuery Dataset Is Public
2263b286-2fe9-4747-a0ae-8b4768a2bbd2
Ansible High Insecure Configurations BigQuery dataset is anonymously or publicly accessible Documentation
Network Policy Disabled
98e04ca0-34f5-4c74-8fec-d2e611ce2790
Ansible High Insecure Configurations Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false Documentation
Client Certificate Disabled
20180133-a0d0-4745-bfe0-94049fbb12a9
Ansible High Insecure Configurations Kubernetes Clusters must be created with Client Certificate enabled, which means 'master_auth' must have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to true Documentation
Private Cluster Disabled
3b30e3d6-c99b-4318-b38f-b99db74578b5
Ansible High Insecure Configurations Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_endpoint' and 'enable_private_nodes' must be true. Documentation
Cluster Master Authentication Disabled
9df7f78f-ebe3-432e-ac3b-b67189c15518
Ansible High Insecure Configurations Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'master_auth' must have the subattributes 'username' and 'password' defined and not empty Documentation
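The Kubernetes Engine cluster entries above (IP aliasing, labels, legacy authorization, network policy, client certificate, private cluster) are all checks on nested attributes of a single cluster definition, with the dotted paths spelled out in their descriptions. The Python below is an added example that walks those paths over the module arguments of a `google.cloud.gcp_container_cluster` task; it is written for this page, not KICS's own query code. The two sample clusters are constructed for the example, and the `missing_ok` handling for `legacy_abac` (GKE defaults it to disabled) is an assumption about how an absent key should be read.

```python
MISSING = object()


def get_path(obj, dotted: str):
    """Walk a dotted attribute path through nested dicts; return MISSING if any key is absent."""
    current = obj
    for key in dotted.split("."):
        if not isinstance(current, dict) or key not in current:
            return MISSING
        current = current[key]
    return current


# (query name, dotted attribute, predicate that the value must satisfy, missing_ok)
# The predicates mirror the descriptions in this list; YAML 'yes' arrives as True after loading.
GKE_CHECKS = [
    ("IP Aliasing Disabled", "ip_allocation_policy.use_ip_aliases", lambda v: v in (True, "yes"), False),
    ("Cluster Labels Disabled", "resource_labels", lambda v: isinstance(v, dict) and bool(v), False),
    ("GKE Legacy Authorization Enabled", "legacy_abac.enabled", lambda v: v is False, True),
    ("Network Policy Disabled", "network_policy.enabled", lambda v: v is True, False),
    ("Network Policy Disabled", "addons_config.network_policy_config.disabled", lambda v: v is False, False),
    ("Client Certificate Disabled", "master_auth.client_certificate_config.issue_client_certificate",
     lambda v: v is True, False),
    ("Private Cluster Disabled", "private_cluster_config.enable_private_endpoint", lambda v: v is True, False),
    ("Private Cluster Disabled", "private_cluster_config.enable_private_nodes", lambda v: v is True, False),
]


def check_gke_cluster(args: dict) -> list:
    """Return one finding per attribute that is missing (unless missing_ok) or fails its predicate."""
    findings = []
    for query, path, ok, missing_ok in GKE_CHECKS:
        value = get_path(args, path)
        if value is MISSING:
            if not missing_ok:
                findings.append(f"{query}: '{path}' is not defined")
        elif not ok(value):
            findings.append(f"{query}: '{path}' is {value!r}")
    return findings


# Constructed sample module arguments, not from a real playbook.
INSECURE_CLUSTER = {
    "name": "dev-cluster",
    "initial_node_count": 1,
    "legacy_abac": {"enabled": True},
    "network_policy": {"enabled": False},
    "master_auth": {"client_certificate_config": {"issue_client_certificate": False}},
}

HARDENED_CLUSTER = {
    "name": "prod-cluster",
    "initial_node_count": 3,
    "resource_labels": {"env": "prod", "owner": "platform"},
    "ip_allocation_policy": {"use_ip_aliases": True},
    "legacy_abac": {"enabled": False},
    "network_policy": {"enabled": True, "provider": "CALICO"},
    "addons_config": {"network_policy_config": {"disabled": False}},
    "master_auth": {"client_certificate_config": {"issue_client_certificate": True}},
    "private_cluster_config": {
        "enable_private_endpoint": True,
        "enable_private_nodes": True,
        "master_ipv4_cidr_block": "172.16.0.0/28",
    },
}

if __name__ == "__main__":
    for label, cluster in (("insecure", INSECURE_CLUSTER), ("hardened", HARDENED_CLUSTER)):
        print(label, check_gke_cluster(cluster) or "clean")
```

The master_auth username/password checks are left out on purpose: the entry directly above wants them defined and non-empty, while the "GKE Basic Authentication Enabled" entry further down wants them empty, so a single predicate cannot satisfy both. Note also that the predicates follow this page's descriptions verbatim, including the requirement that client certificates be issued; the CIS GKE benchmark recommends the opposite, so review that particular finding against your own baseline before acting on it.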
Cloud SQL Instance With Cross DB Ownership Chaining On
9e0c33ed-97f3-4ed6-8be9-bcbf3f65439f
Ansible High Insecure Configurations GCP SQL Instance should not have Cross DB Ownership Chaining On Documentation
GKE Basic Authentication Enabled
344bf8ab-9308-462b-a6b2-697432e40ba1
Ansible High Insecure Configurations GCP - Google Kubernetes Engine (GKE) Basic Authentication must be disabled, which means the username and password provided in the master_auth block must be empty Documentation
Root Account Has Active Access Keys
e71d0bc7-d9e8-4e6e-ae90-0a4206db6f40
Ansible High Insecure Configurations The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive. Documentation
CloudFront Without Minimum Protocol TLS 1.2
d0c13053-d2c8-44a6-95da-d592996e9e67
Ansible High Insecure Configurations CloudFront Minimum Protocol version should be at least TLS 1.2 Documentation
Batch Job Definition With Privileged Container Properties
defe5b18-978d-4722-9325-4d1975d3699f
Ansible High Insecure Configurations Batch Job Definition should not have Privileged Container Properties Documentation
KMS Key With Vulnerable Policy
5b9d237a-57d5-4177-be0e-71434b0fef47
Ansible High Insecure Configurations Checks if the policy is vulnerable and needs updating. Documentation
Redshift Publicly Accessible
5c6b727b-1382-4629-8ba9-abd1365e5610
Ansible High Insecure Configurations Check if 'publicly_accessible' field is true (default is false) Documentation
ECS Task Definition Network Mode Not Recommended
01aec7c2-3e4d-4274-ae47-2b8fea22fd1f
Ansible High Insecure Configurations Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations Documentation
DB Security Group Has Public IP
5330b503-3319-44ff-9b1c-00ee873f728a
Ansible High Insecure Configurations The CIDR IP must not be Public Documentation
Azure Container Registry With No Locks
581dae78-307d-45d5-aae4-fe2b0db267a5
Ansible High Insecure Configurations Azure Container Registry must have an associated lock Documentation
AD Admin Not Configured For SQL Server
b176e927-bbe2-44a6-a9c3-041417137e5f
Ansible High Insecure Configurations The Active Directory Administrator is not configured for a SQL server Documentation
VM Not Attached To Network
1e5f5307-3e01-438d-8da6-985307ed25ce
Ansible High Insecure Configurations No Network Security Group is attached to the Virtual Machine Documentation
Web App Accepting Traffic Other Than HTTPS
eb8c2560-8bee-4248-9d0d-e80c8641dd91
Ansible High Insecure Configurations Web app should only accept HTTPS traffic in Azure Web App Service. Documentation
Vulnerable Default SSL Certificate
fb8f8929-afeb-4c46-99f0-a6cf410f7df4
Ansible High Insecure Defaults CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one. Documentation
Compute Instance Is Publicly Accessible
829f1c60-2bab-44c6-8a21-5cd9d39a2c82
Ansible High Networking and Firewall Compute instances shouldn't be accessible from the Internet. Documentation
GKE Master Authorized Networks Disabled
d43366c5-80b0-45de-bbe8-2338f4ab0a83
Ansible High Networking and Firewall Master authorized networks must be enabled in GKE clusters Documentation
Public Port Wide
71ea648a-d31a-4b5a-a589-5674243f1c33
Ansible High Networking and Firewall AWS Security Group should not have a wide range of ports open to the public Documentation
HTTP Port Open
a14ad534-acbe-4a8e-9404-2f7e1045646e
Ansible High Networking and Firewall The HTTP port is open in a Security Group Documentation
EC2 Instance Has Public IP
a8b0c58b-cd25-4b53-9ad0-55bca0be0bc1
Ansible High Networking and Firewall EC2 Instance should not have a public IP address. Documentation
Security Group With Unrestricted Access To SSH
57ced4b9-6ba4-487b-8843-b65562b90c77
Ansible High Networking and Firewall 'SSH' (TCP:22) should not be public in AWS Security Group Documentation
Security Group Ingress Not Restricted
ea6bc7a6-d696-4dcf-a788-17fa03c17c81
Ansible High Networking and Firewall AWS Security Group should restrict ingress access Documentation
Unrestricted Security Group Ingress
83c5fa4c-e098-48fc-84ee-0a537287ddd2
Ansible High Networking and Firewall Security groups allow ingress from 0.0.0.0/0 Documentation
DB Security Group With Public Scope
0956aedf-6a7a-478b-ab56-63e2b19923ad
Ansible High Networking and Firewall The IP address in a DB Security Group must not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). Documentation
Remote Desktop Port Open
eda7301d-1f3e-47cf-8d4e-976debc64341
Ansible High Networking and Firewall The Remote Desktop port is open in a Security Group Documentation
ALB Listening on HTTP
f81d63d2-c5d7-43a4-a5b5-66717a41c895
Ansible High Networking and Firewall AWS Application Load Balancer (alb) should not listen on HTTP Documentation
Unknown Port Exposed To Internet
722b0f24-5a64-4cca-aa96-cfc26b7e3a5b
Ansible High Networking and Firewall AWS Security Group should not have an unknown port exposed to the entire Internet Documentation
Default Security Groups With Unrestricted Traffic
8010e17a-00e9-4635-a692-90d6bcec68bd
Ansible High Networking and Firewall Check if default security group does not restrict all inbound and outbound traffic. Documentation
Route53 Record Undefined
445dce51-7e53-4e50-80ef-7f94f14169e4
Ansible High Networking and Firewall Route53 Record should have a list of records Documentation
DB Security Group Open To Large Scope
ea0ed1c7-9aef-4464-b7c7-94c762da3640
Ansible High Networking and Firewall The IP address in a DB Security Group must not have more than 256 hosts. Documentation
Sensitive Port Is Exposed To Entire Network
0ac9abbc-6d7a-41cf-af23-2e57ddb3dbfc
Ansible High Networking and Firewall A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol Documentation
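The security-group entries above come down to three arithmetic questions about an ingress rule: is the CIDR the whole address family (0.0.0.0/0 or ::/0), does it cover more hosts than the 256 threshold the DB security group query uses, and does its port range include one of the sensitive ports named on this page (22, 23, 110, 3389). The Python below is an added example of those three checks over the `rules` list of an `amazon.aws.ec2_security_group` task, written for this page and not KICS's own query code; the rule keys `proto`, `ports`, `from_port`, `to_port`, `cidr_ip` and `cidr_ipv6`, and the sample task, are assumptions constructed for the example.

```python
import ipaddress

# Ports this page's queries treat as sensitive when exposed to the whole network.
SENSITIVE_PORTS = {22: "SSH", 23: "Telnet", 110: "POP3", 3389: "Remote Desktop"}
MAX_SCOPE_HOSTS = 256   # threshold used by the 'open to large scope' query


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_any_address(cidr: str) -> bool:
    """True for 0.0.0.0/0 and ::/0, i.e. a prefix length of zero."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def host_count(cidr: str) -> int:
    return ipaddress.ip_network(cidr, strict=False).num_addresses


def port_ranges(rule: dict) -> list:
    """Normalise a rule's 'ports' / 'from_port'-'to_port' keys into (low, high) pairs."""
    if str(rule.get("proto", "tcp")).lower() in ("-1", "all"):
        return [(0, 65535)]          # protocol -1 means every port of every protocol
    ranges = []
    for entry in _as_list(rule.get("ports")):
        low, _, high = str(entry).partition("-")   # '22' or '8000-8080'
        ranges.append((int(low), int(high or low)))
    if "from_port" in rule or "to_port" in rule:
        low = int(rule.get("from_port", rule.get("to_port")))
        high = int(rule.get("to_port", low))
        ranges.append((low, high))
    return ranges


def check_rule(rule: dict) -> set:
    findings = set()
    for cidr in _as_list(rule.get("cidr_ip")) + _as_list(rule.get("cidr_ipv6")):
        whole_internet = is_any_address(cidr)
        if whole_internet:
            findings.add(f"ingress from {cidr} (unrestricted)")
        elif host_count(cidr) > MAX_SCOPE_HOSTS:
            findings.add(f"{cidr} covers {host_count(cidr)} hosts (> {MAX_SCOPE_HOSTS})")
        if whole_internet:
            for low, high in port_ranges(rule):
                for port, name in SENSITIVE_PORTS.items():
                    if low <= port <= high:
                        findings.add(f"{name} port {port} open to the whole network")
    return findings


def check_security_group_task(task: dict) -> set:
    args = task.get("amazon.aws.ec2_security_group") or task.get("ec2_group") or {}
    findings = set()
    for rule in _as_list(args.get("rules")):
        findings |= check_rule(rule)
    return findings


# Constructed sample task, not from a real playbook.
SAMPLE_TASK = {
    "name": "web tier security group",
    "amazon.aws.ec2_security_group": {
        "name": "web-sg",
        "rules": [
            {"proto": "tcp", "ports": [80, 443], "cidr_ip": "0.0.0.0/0"},          # public web, expected
            {"proto": "tcp", "from_port": 22, "to_port": 22, "cidr_ip": "0.0.0.0/0"},  # SSH to the world
            {"proto": "tcp", "ports": "3389", "cidr_ipv6": "::/0"},                 # RDP to the world (v6)
            {"proto": "tcp", "ports": "5432", "cidr_ip": "10.0.0.0/8"},             # 16M hosts: too wide
            {"proto": "tcp", "ports": "5432", "cidr_ip": "10.1.2.0/24"},            # 256 hosts: within limit
        ],
    },
}

if __name__ == "__main__":
    for finding in sorted(check_security_group_task(SAMPLE_TASK)):
        print(finding)
```

The first rule is reported only as unrestricted ingress, which is what a public web listener looks like; whether that is a finding or the intended design is a judgement the rule description alone cannot make, which is why the HTTP-port query in this list is separate from the sensitive-port ones.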
CosmosDB Account IP Range Filter Not Set
e8c80448-31d8-4755-85fc-6dbab69c2717
Ansible High Networking and Firewall The IP range filter should be defined Documentation
SQLServer Ingress From Any IP
f4e9ff70-0f3b-4c50-a713-26cbe7ec4039
Ansible High Networking and Firewall Check if all IPs are allowed, i.e. whether the rule spans from start 0.0.0.0 to end 255.255.255.255. Documentation
Redis Entirely Accessible
0d0c12b9-edce-4510-9065-13f6a758750c
Ansible High Networking and Firewall Firewall rule allowing unrestricted access to Redis from the Internet Documentation
Redis Publicly Accessible
0632d0db-9190-450a-8bb3-c283bffea445
Ansible High Networking and Firewall Firewall rule allowing unrestricted access to Redis from other Azure sources Documentation
PostgreSQL Log Connections Disabled
d7a5616f-0a3f-4d43-bc2b-29d1a183e317
Ansible High Observability PostgreSQL database instance should have a 'log_connections' flag with its value set to 'on' Documentation
PostgreSQL Logging Of Temporary Files Disabled
d6fae5b6-ada9-46c0-8b36-3108a2a2f77b
Ansible High Observability PostgreSQL database 'log_temp_files' flag isn't set to '0' Documentation
Cloud Storage Bucket Logging Not Enabled
507df964-ad97-4035-ab14-94a82eabdfdd
Ansible High Observability Cloud storage bucket with logging not enabled Documentation
Stackdriver Monitoring Disabled
20dcd953-a8b8-4892-9026-9afa6d05a525
Ansible High Observability Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must be defined and different than 'none' Documentation
Object Versioning Not Enabled
7814ddda-e758-4a56-8be3-289a81ded929
Ansible High Observability Object Versioning not fully enabled on Cloud Storage Bucket Documentation
Stackdriver Logging Disabled
19c9e2a0-fc33-4264-bba1-e3682661e8f7
Ansible High Observability Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must be defined and different from 'none' Documentation
CMK Rotation Disabled
af96d737-0818-4162-8c41-40d969bd65d1
Ansible High Observability Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled. Documentation
CloudTrail Logging Disabled
d4a73c49-cbaa-4c6f-80ee-d6ef5a3a26f5
Ansible High Observability Checks if logging is enabled for CloudTrail. Documentation
Configuration Aggregator to All Regions Disabled
a2fdf451-89dd-451e-af92-bf6c0f4bab96
Ansible High Observability AWS Config Configuration Aggregator All Regions must be set to True Documentation
COS Node Image Not Used
be41f891-96b1-4b9d-b74f-b922a918c778
Ansible High Resource Management A node image other than Container-Optimized OS (COS) is used for the Kubernetes Engine cluster nodes Documentation
Node Auto Upgrade Disabled
d6e10477-2e19-4bcd-b8a8-19c65b89ccdf
Ansible High Resource Management Node 'auto_upgrade' should be enabled for Kubernetes Clusters Documentation
ECR Repository Is Publicly Accessible
fb5a5df7-6d74-4243-ab82-ff779a958bfd
Ansible Medium Access Control Amazon ECR image repositories shouldn't have public access Documentation
SQS Policy With Public Access
d994585f-defb-4b51-b6d2-c70f020ceb10
Ansible Medium Access Control SQS policy with public access Documentation
SNS Topic is Publicly Accessible For Subscription
905f4741-f965-45c1-98db-f7a00a0e5c73
Ansible Medium Access Control This query checks if the SNS Topic is publicly accessible for subscription Documentation
IAM Access Key Is Exposed
7f79f858-fbe8-4186-8a2c-dfd0d958a40f
Ansible Medium Access Control Check if IAM Access Key is active for some user besides 'root' Documentation
SQS Policy Allows All Actions
ed9b3beb-92cf-44d9-a9d2-171eeba569d4
Ansible Medium Access Control SQS policy allows ALL (*) actions Documentation
S3 Bucket With Public Access
c3e073c1-f65e-4d18-bd67-4a8f20ad1ab9
Ansible Medium Access Control S3 Bucket allows public access Documentation
Public Lambda via API Gateway
5e92d816-2177-4083-85b4-f61b4f7176d9
Ansible Medium Access Control A Lambda function can be invoked through a public API Gateway Documentation
IAM Policy Grants Full Permissions
b5ed026d-a772-4f07-97f9-664ba0b116f8
Ansible Medium Access Control IAM policies allow all ('*') in a statement action Documentation
AMI Shared With Multiple Accounts
a19b2942-142e-4e2b-93b7-6cf6a6c8d90f
Ansible Medium Access Control Limits access to AWS AMIs by checking if more than one account is using the same image Documentation
Lambda Permission Principal Is Wildcard
1d972c56-8ec2-48c1-a578-887adb09c57a
Ansible Medium Access Control Lambda Permission Principal should not contain a wildcard. Documentation
API Gateway Without Configured Authorizer
b16cdb37-ce15-4ab2-8401-d42b05d123fc
Ansible Medium Access Control API Gateway REST API should have an API Gateway Authorizer Documentation
AKS RBAC Disabled
149fa56c-4404-4f90-9e25-d34b676d5b39
Ansible Medium Access Control Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled Documentation
ECS Service Without Running Tasks
f5c45127-1d28-4b49-a692-0b97da1c3a84
Ansible Medium Availability ECS Service should have at least 1 task running Documentation
Auto Scaling Group With No Associated ELB
050f085f-a8db-4072-9010-2cca235cc02f
Ansible Medium Availability AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty. Documentation
CMK Is Unusable
133fee21-37ef-45df-a563-4d07edc169f4
Ansible Medium Availability AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'enabled' set to true and the attribute 'pending_window' must be undefined. Documentation
RDS With Backup Disabled
e69890e6-fce5-461d-98ad-cb98318dfc96
Ansible Medium Backup RDS configured without backup Documentation
Stack Retention Disabled
17d5ba1d-7667-4729-b1a6-b11fde3db7f7
Ansible Medium Backup Make sure that retain_stack is enabled to keep the Stack and its associated resources during resource destruction Documentation
Key Vault Soft Delete Is Disabled
881696a8-68c5-4073-85bc-7c38a3deb854
Ansible Medium Backup Make sure Soft Delete is enabled for Key Vault Documentation
IAM Password Without Minimum Length
8bc2168c-1723-4eeb-a6f3-a1ba614b9a6d
Ansible Medium Best Practices Check if IAM account password has the required minimum length Documentation
IAM Password Without Number
9cf25d62-0b96-42c8-b66d-998cd6ee5bb8
Ansible Medium Best Practices Check if IAM account password has at least one number Documentation
Password Without Reuse Prevention
6f5f5444-1422-495f-81ef-24cefd61ed2c
Ansible Medium Best Practices Password policy password_reuse_prevention doesn't exist or is equal to 0 Documentation
Authentication Without MFA
eee107f9-b3d8-45d3-b9c6-43b5a7263ce1
Ansible Medium Best Practices Users should authenticate with MFA (Multi-factor Authentication) Documentation
Misconfigured Password Policy Expiration
3f2cf811-88fa-4eda-be45-7a191a18aba9
Ansible Medium Best Practices No password expiration policy Documentation
IAM Password Without Lowercase Letter
8e3063f4-b511-45c3-b030-f3b0c9131951
Ansible Medium Best Practices Check if IAM account password has at least one lowercase letter Documentation
SQL Server Predictable Admin Account Name
663062e9-473d-4e87-99bc-6f3684b3df40
Ansible Medium Best Practices Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'admin_username' must be set to a name that is not easy to predict Documentation
SQL Server Predictable Active Directory Account Name
530e8291-2f22-4bab-b7ea-306f1bc2a308
Ansible Medium Best Practices Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'ad_user' must be set to a name that is not easy to predict Documentation
Unrestricted SQL Server Access
3f23c96c-f9f5-488d-9b17-605b8da5842f
Ansible Medium Best Practices Azure SQL Server Accessibility should be set to a minimal address range, which means the difference between the values of 'end_ip_address' and 'start_ip_address' must be less than 256. Additionally, both IPs must be different from '0.0.0.0' Documentation
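The "SQLServer Ingress From Any IP" entry earlier in this list and the "Unrestricted SQL Server Access" entry above both inspect the same pair of attributes of an Azure SQL firewall rule, `start_ip_address` and `end_ip_address`: one asks whether the rule spans the entire IPv4 space, the other whether the span is under 256 addresses and neither end is 0.0.0.0. The Python below is an added example of both checks written for this page, not KICS's own query code; it works on the rule's module arguments as a dict (an `azure_rm_sqlfirewallrule` task is assumed) and the sample rules are constructed for the example.

```python
import ipaddress

MAX_RANGE = 256   # end - start must be less than this many addresses
ANY_ADDRESS = ipaddress.ip_address("0.0.0.0")
LAST_ADDRESS = ipaddress.ip_address("255.255.255.255")


def range_size(start: str, end: str) -> int:
    """Number of addresses between start and end, as the page defines it (end minus start)."""
    first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if last < first:
        raise ValueError(f"end_ip_address {end} precedes start_ip_address {start}")
    return int(last) - int(first)


def check_sql_firewall_rule(rule: dict) -> list:
    """Return the names of the two queries a firewall rule would trip, in list order."""
    start, end = rule["start_ip_address"], rule["end_ip_address"]
    first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
    findings = []
    if first == ANY_ADDRESS and last == LAST_ADDRESS:
        findings.append("SQLServer Ingress From Any IP")
    if range_size(start, end) >= MAX_RANGE or first == ANY_ADDRESS or last == ANY_ADDRESS:
        findings.append("Unrestricted SQL Server Access")
    return findings


# Constructed sample rules, not from a real playbook.
SAMPLE_RULES = [
    {"name": "AllowAll", "start_ip_address": "0.0.0.0", "end_ip_address": "255.255.255.255"},
    {"name": "AllowAzureServices", "start_ip_address": "0.0.0.0", "end_ip_address": "0.0.0.0"},
    {"name": "OfficeRange", "start_ip_address": "203.0.113.0", "end_ip_address": "203.0.113.255"},  # 255 apart
    {"name": "TooWide", "start_ip_address": "203.0.112.0", "end_ip_address": "203.0.113.0"},       # 256 apart
]

if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        print(rule["name"], "->", check_sql_firewall_rule(rule) or "clean")
```

The 0.0.0.0 to 0.0.0.0 rule is the form Azure uses for "allow Azure services and resources to access this server"; it is flagged here because the description above excludes 0.0.0.0 at either end, and whether that exception is acceptable is a decision to record rather than suppress. Note the threshold is on the difference of the two addresses, so a rule covering exactly 256 addresses (difference 255) passes while one covering 257 addresses fails.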
Stack Without Template
32d31f1f-0f83-4721-b7ec-1e6948c60145
Ansible Medium Build Process AWS CloudFormation should have a template defined through the attribute 'template', 'template_url' or 'template_body' Documentation
Cosmos DB Account Without Tags
23a4dc83-4959-4d99-8056-8e051a82bc1e
Ansible Medium Build Process Cosmos DB Account must have a mapping of tags. Documentation
VM CSEK Encryption Disabled
092bae86-6105-4802-99d2-99cd7e7431f3
Ansible Medium Encryption VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK), which means the attribute 'disk_encryption_key' must be defined and its sub attribute 'raw_key' must also be defined and not empty Documentation
High Google KMS Crypto Key Rotation Period
f9b7086b-deb8-4034-9330-d7fd38f1b8de
Ansible Medium Encryption Make sure encryption keys are rotated at least every 90 days Documentation
Google Compute SSL Policy Weak Cipher In Use
b28bcd2f-c309-490e-ab7c-35fc4023eb26
Ansible Medium Encryption This query checks whether a Google Compute SSL Policy enables weak cipher suites; the minimum TLS version must be TLS_1_2, because older versions permit weak ciphers Documentation
Config Rule For Encrypted Volumes Disabled
7674a686-e4b1-4a95-83d4-1fd53c623d84
Ansible Medium Encryption Check if AWS config rules do not identify Encrypted Volumes as a source. Documentation
EBS Volume Encryption Disabled
4b6012e7-7176-46e4-8108-e441785eae57
Ansible Medium Encryption EBS Encryption should be enabled Documentation
CodeBuild Not Encrypted
a1423864-2fbc-4f46-bfe1-fbbf125c71c9
Ansible Medium Encryption CodeBuild Project should be encrypted Documentation
Storage Account Not Using Latest TLS Encryption Version
c62746cf-92d5-4649-9acf-7d48d086f2ee
Ansible Medium Encryption Ensure Storage Account is using the latest version of TLS encryption Documentation
Cloud Storage Anonymous or Publicly Accessible
086031e1-9d4a-4249-acb3-5bfe4c363db2
Ansible Medium Insecure Configurations Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'entity' must not be 'allUsers' or 'allAuthenticatedUsers' Documentation
Cloud DNS Without DNSSEC
80b15fb1-6207-40f4-a803-6915ae619a03
Ansible Medium Insecure Configurations DNSSEC must be enabled for Cloud DNS Documentation
Shielded VM Disabled
18d3a83d-4414-49dc-90ea-f0387b2856cc
Ansible Medium Insecure Configurations Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true Documentation
OSLogin Is Disabled In VM Instance
66dae697-507b-4aef-be18-eec5bd707f33
Ansible Medium Insecure Configurations Check if any instance disables OSLogin. Documentation
Google Container Node Pool Auto Repair Disabled
d58c6f24-3763-4269-9f5b-86b2569a003b
Ansible Medium Insecure Configurations Verifies if Google Container Node Pool Auto Repair is Enabled Documentation
Instance With No VPC
61d1a2d0-4db8-405a-913d-5d2ce49dff6f
Ansible Medium Insecure Configurations Instance should be configured in VPC (Virtual Private Cloud) Documentation
Lambda Function Without Tags
265d9725-2fb8-42a2-bc57-3279c5db82d5
Ansible Medium Insecure Configurations AWS Lambda Functions must have associated tags. Documentation
ECR Image Tag Not Immutable
60bfbb8a-c72f-467f-a6dd-a46b7d612789
Ansible Medium Insecure Configurations ECR repositories should have image tag immutability enabled Documentation
API Gateway Without SSL Certificate
b47b98ab-e481-4a82-8bb1-1ab39fd36e33
Ansible Medium Insecure Configurations SSL Client Certificate should be enabled in API Gateway Documentation
AWS Password Policy With Unchangeable Passwords
e28ceb92-d588-4166-aac5-766c8f5b7472
Ansible Medium Insecure Configurations Unchangeable passwords in AWS password policy Documentation
IAM Password Without Uppercase Letter
83957b81-39c1-4191-8e12-671d2ce14354
Ansible Medium Insecure Configurations Check if IAM account password has at least one uppercase letter Documentation
Certificate RSA Key Bytes Lower Than 256
d5ec2080-340a-4259-b885-f833c4ea6a31
Ansible Medium Insecure Configurations The certificate should use an RSA key with a length equal to or higher than 256 bytes Documentation
Security Group is Not Configured
da4f2739-174f-4cdd-b9ef-dc3f14b5931f
Ansible Medium Insecure Configurations Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty Documentation
Redis Cache Allows Non SSL Connections
869e7fb4-30f0-4bdb-b360-ad548f337f2f
Ansible Medium Insecure Configurations Check if any Redis Cache resource allows non-SSL connections. Documentation
AKS Network Policy Misconfigured
8c3bedf1-c570-4c3b-b414-d068cd39a00c
Ansible Medium Insecure Configurations Azure Kubernetes Service should have the proper network policy configuration Documentation
Using Default Service Account
2775e169-e708-42a9-9305-b58aadd2c4dd
Ansible Medium Insecure Defaults Instances must not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account_email' must be defined. Additionally, it must not be empty and must also not be a default Google Compute Engine service account. Documentation
Default Network Access is Allowed
974e6fe7-63fd-4fa4-aa72-77b21a4a959d
Ansible Medium Insecure Defaults Default Network Access rule for Storage Accounts must be set to deny, which means the attribute 'default_action' must be 'Deny' Documentation
IP Forwarding Enabled
11bd3554-cd56-4257-8e25-7aaf30cf8f5f
Ansible Medium Networking and Firewall Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true Documentation
SSH Access Is Not Restricted
b2fbf1df-76dd-4d78-a6c0-e538f4a9b016
Ansible Medium Networking and Firewall Check if Google Firewall allows SSH access (port 22) from the Internet (public CIDR block). Documentation
Serial Ports Are Enabled For VM Instances
c6fc6f29-dc04-46b6-99ba-683c01aff350
Ansible Medium Networking and Firewall Check if serial ports are enabled in Google Compute Engine VM instances Documentation
RDP Access Is Not Restricted
75418eb9-39ec-465f-913c-6f2b6a80dc77
Ansible Medium Networking and Firewall Check if the Google compute firewall allows unrestricted RDP access. Documentation
API Gateway Endpoint Config is Not Private
559439b2-3e9c-4739-ac46-17e3b24ec215
Ansible Medium Networking and Firewall The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet Documentation
SQL Analysis Services Port 2383 (TCP) is Publicly Accessible
7af1c447-c014-4f05-bd8b-ebe3a15734ac
Ansible Medium Networking and Firewall Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it. Documentation
Firewall Rule Allows Too Many Hosts To Access Redis Cache
69f72007-502e-457b-bd2d-5012e31ac049
Ansible Medium Networking and Firewall Check if any firewall rule allows too many hosts to access Redis Cache. Documentation
WAF Is Disabled For Azure Application Gateway
2fc5ab5a-c5eb-4ae4-b687-0f16fe77c255
Ansible Medium Networking and Firewall Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway. Documentation
PostgreSQL log_checkpoints Flag Not Set To ON
89afe3f0-4681-4ce3-89ed-896cebd4277c
Ansible Medium Observability PostgreSQL database instance should have a 'log_checkpoints' flag with its value set to 'on' Documentation
PostgreSQL Misconfigured Log Messages Flag
28a757fc-3d8f-424a-90c0-4233363b2711
Ansible Medium Observability PostgreSQL database 'log_min_messages' flag isn't set to a valid value Documentation
CloudTrail SNS Topic Name Undefined
5ba316a9-c466-4ec1-8d5b-bc6107dc9a92
Ansible Medium Observability Check if SNS topic name is set for CloudTrail Documentation
CloudWatch Without Retention Period Specified
e24e18d9-4c2b-4649-b3d0-18c088145e24
Ansible Medium Observability AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, and access log events Documentation
CloudTrail Not Integrated With CloudWatch
ebb2118a-03bc-4d53-ab43-d8750f5cb8d3
Ansible Medium Observability CloudTrail should be integrated with CloudWatch Documentation
API Gateway X-Ray Disabled
2059155b-27fd-441e-b616-6966c468561f
Ansible Medium Observability API Gateway should have X-Ray Tracing enabled Documentation
Stack Notifications Disabled
d39761d7-94ab-45b0-ab5e-27c44e381d58
Ansible Medium Observability AWS CloudFormation should have stack notifications enabled Documentation
S3 Bucket Without Versioning
9232306a-f839-40aa-b3ef-b352001da9a5
Ansible Medium Observability S3 bucket without versioning Documentation
Cloudfront Logging Disabled
d31cb911-bf5b-4eb6-9fc3-16780c77c7bd
Ansible Medium Observability AWS Cloudfront distributions must have logging enabled, which means the attribute 'logging' must be defined with 'enabled' set to true Documentation
API Gateway With CloudWatch Logging Disabled
72a931c2-12f5-40d1-93cc-47bff2f7aa2a
Ansible Medium Observability AWS CloudWatch Logs for APIs is not enabled Documentation
CloudTrail Multi Region Disabled
6ad087d7-a509-4b20-b853-9ef6f5ebaa98
Ansible Medium Observability Check if MultiRegion is Enabled Documentation
Monitoring Log Profile Without All Activities
89f84a1e-75f8-47c5-83b5-bee8e2de4168
Ansible Medium Observability Monitoring log profile captures all the activities (Action, Write, Delete) Documentation
PostgreSQL Log Connections Not Set
7b47138f-ec0e-47dc-8516-e7728fe3cc17
Ansible Medium Observability Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON' Documentation
PostgreSQL Server Without Connection Throttling
a9becca7-892a-4af7-b9e1-44bf20a4cd9a
Ansible Medium Observability Ensure that Connection Throttling is set for the PostgreSQL server Documentation
Small Activity Log Retention Period
37fafbea-dedb-4e0d-852e-d16ee0589326
Ansible Medium Observability Ensure that Activity Log Retention is set 365 days or greater Documentation
PostgreSQL Log Disconnections Not Set
054d07b5-941b-4c28-8eef-18989dc62323
Ansible Medium Observability Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON' Documentation
Log Retention Is Not Set
0461b4fd-21ef-4687-929e-484ee4796785
Ansible Medium Observability Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON' Documentation
PostgreSQL Log Checkpoints Disabled
7ab33ac0-e4a3-418f-a673-50da4e34df21
Ansible Medium Observability Make sure that for PostgreSQL Database Server, parameter 'log_checkpoints' is set to 'ON' Documentation
PostgreSQL Log Duration Not Set
729ebb15-8060-40f7-9017-cb72676a5487
Ansible Medium Observability Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON' Documentation
AKS Monitoring Logging Disabled
d5e83b32-56dd-4247-8c2e-074f43b38a5e
Ansible Medium Observability Azure Container Service (AKS) instance should have logging enabled to Azure Monitoring Documentation
No Stack Policy
ffe0fd52-7a8b-4a5c-8fc7-49844418e6c9
Ansible Medium Resource Management AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions Documentation
Project-wide SSH Keys Are Enabled In VM Instances
099b4411-d11e-4537-a0fc-146b19762a79
Ansible Medium Secret Management Check if the VM Instance doesn't block project-wide SSH keys. Documentation
Hardcoded AWS Access Key In Lambda
f34508b9-f574-4330-b42d-88c44cced645
Ansible Medium Secret Management Lambda access key should not be in plaintext. Documentation
IAM Policy Grants 'AssumeRole' Permission Across All Services
12a7a7ce-39d6-49dd-923d-aeb4564eb66c
Ansible Low Access Control IAM role allows all services or principals to assume it Documentation
IAM Role Allows All Principals To Assume
babdedcf-d859-43da-9a7b-6d72e661a8fd
Ansible Low Access Control IAM role allows all services or principals to assume it Documentation
Lambda Permission Misconfigured
3ddf3417-424d-420d-8275-0724dc426520
Ansible Low Best Practices Lambda permission may be misconfigured if the action field is not set to 'lambda:InvokeFunction' Documentation
CDN Configuration Is Missing
b25398a2-0625-4e61-8e4d-a1bb23905bf6
Ansible Low Best Practices Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination. Documentation
IAM Policies Attached To User
eafe4bc3-1042-4f88-b988-1939e64bf060
Ansible Low Best Practices IAM policies should be attached only to groups or roles Documentation
EFS Without Tags
b8a9852c-9943-4973-b8d5-77dae9352851
Ansible Low Build Process Amazon Elastic Filesystem should have filesystem tags associated Documentation
SQS with SSE disabled
e1e7b278-2a8b-49bd-a26e-66a7f70b17eb
Ansible Low Encryption SQS Queue should be protected with CMK encryption Documentation
Cloudfront Without WAF
22c80725-e390-4055-8d14-a872230f6607
Ansible Low Networking and Firewall All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service Documentation
S3 Bucket Logging Disabled
c3b9f7b0-f5a0-49ec-9cbc-f1e346b7274d
Ansible Low Observability S3 bucket without debug_botocore_endpoint_logs Documentation
Lambda Functions Without X-Ray Tracing
71397b34-1d50-4ee1-97cb-c96c34676f74
Ansible Low Observability AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_mode' should have the value 'Active' Documentation
CloudTrail Log File Validation Disabled
4d8681a2-3d30-4c89-8070-08acd142748e
Ansible Low Observability CloudTrail Log Files should have validation enabled Documentation
Hardcoded AWS Access Key
c2f15af3-66a0-4176-a56e-e4711e502e5c
Ansible Low Secret Management Check if the user data in the EC2 instance has the access key hardcoded Documentation
UNIX Ports Out Of Range
71bf8cf8-f0a1-42fa-b9d2-d10525e0a38e
Dockerfile High Availability Exposing UNIX ports outside the range 0 to 65535 Documentation
COPY '--from' References Current FROM Alias
cdddb86f-95f6-4fc4-b5a1-483d9afceb2b
Dockerfile High Build Process COPY '--from' should not mention the current FROM alias, since it is impossible to copy from itself Documentation
Same Alias In Different Froms
f2daed12-c802-49cd-afed-fe41d0b82fed
Dockerfile High Build Process Different FROM instructions can't have the same alias defined Documentation
Copy With More Than Two Arguments Not Ending With Slash
6db6e0c2-32a3-4a2e-93b5-72c35f4119db
Dockerfile High Build Process When a COPY command has more than two arguments, the last one should end with a slash Documentation
Multiple ENTRYPOINT Instructions Listed
6938958b-3f1a-451c-909b-baeee14bdc97
Dockerfile High Build Process There can only be one ENTRYPOINT instruction in a Dockerfile. Only the last ENTRYPOINT instruction in the Dockerfile will have an effect Documentation
WORKDIR Path Not Absolute
6b376af8-cfe8-49ab-a08d-f32de23661a4
Dockerfile High Build Process For clarity and reliability, you should always use absolute paths for your WORKDIR Documentation
Missing User Instruction
fd54f200-402c-4333-a5a4-36ef6709af2f
Dockerfile High Build Process A user should be specified in the Dockerfile, otherwise the image will run as root Documentation
Run Using Sudo
8ada6e80-0ade-439e-b176-0b28f6bce35a
Dockerfile High Insecure Configurations Avoid RUN with sudo command as it leads to unpredictable behavior Documentation
Run Using Upgrade Commands
682fe378-c180-4bd5-8a14-95fc285fb269
Dockerfile High Supply-Chain Commands 'apt-get upgrade' and 'apt-get dist-upgrade' should not be used Documentation
Use of Apk Upgrade
989ab888-7d1e-410f-9dde-c64a1d367bf2
Dockerfile High Supply-Chain Avoid usage of apk upgrade because some packages from the parent image cannot be upgraded inside an unprivileged container Documentation
Run Using dnf Update
09fda05e-da85-4ee7-ab8d-2800a5e6e756
Dockerfile High Supply-Chain Command 'dnf update' should not be used, as it can cause inconsistencies between builds and failures in updated packages Documentation
Yum Update Enabled
8f6456be-0018-46db-9ce6-b3b6dc8d34d2
Dockerfile High Supply-Chain Yum update is being used Documentation
Last User Is 'root'
67fd0c4a-68cf-46d7-8c41-bc9fba7e40ae
Dockerfile Medium Best Practices Leaving the last user as root can cause security risks. Change to another user after running the commands that need privileges Documentation
COPY '--from' Without FROM Alias Defined Previously
68a51e22-ae5a-4d48-8e87-b01a323605c9
Dockerfile Medium Build Process COPY command with the flag '--from' should mention a previously defined FROM alias Documentation
Update Instruction Alone
9bae49be-0aa3-4de5-bab2-4c3a069e40cd
Dockerfile Medium Build Process Instruction 'RUN update' should always be followed by ' install' in the same RUN statement Documentation
RUN Instruction Using 'cd' Instead of WORKDIR
f4a6bcd3-e231-4acf-993c-aa027be50d2e
Dockerfile Medium Build Process Use WORKDIR instead of proliferating instructions like RUN cd … && do-something, which are hard to read, troubleshoot, and maintain. Documentation
Multiple CMD Instructions Listed
41c195f4-fc31-4a5c-8a1b-90605538d49f
Dockerfile Medium Build Process There can only be one CMD instruction in a Dockerfile. If you list more than one CMD then only the last CMD will take effect Documentation
Not Using JSON In CMD And ENTRYPOINT Arguments
b86987e1-6397-4619-81d5-8807f2387c79
Dockerfile Medium Build Process Ensure that we are using JSON in the CMD and ENTRYPOINT Arguments Documentation
Changing Default Shell Using SHELL Command
8a301064-c291-4b20-adcb-403fe7fd95fd
Dockerfile Medium Insecure Defaults Using the command SHELL to override the default shell instead of the RUN command Documentation
Shell Running A Pipe Without Pipefail Flag
efbf148a-67e9-42d2-ac47-02fa1c0d0b22
Dockerfile Medium Insecure Defaults Check if shell commands with pipes (except PowerShell) have the pipefail flag set (-o pipefail). Documentation
Missing Zypper Clean
38300d1a-feb2-4a48-936a-d1ef1cd24313
Dockerfile Medium Supply-Chain Reduce layer and image size by deleting unneeded caches after running zypper Documentation
Apt Get Install Pin Version Not Defined
965a08d7-ef86-4f14-8792-4a3b2098937e
Dockerfile Medium Supply-Chain When installing a package, its pin version should be defined Documentation
Yum Install Allows Manual Input
6e19193a-8753-436d-8a09-76dcff91bb03
Dockerfile Medium Supply-Chain Use the -y flag to avoid manual input: 'yum install -y ' Documentation
Gem Install Without Version
22cd11f7-9c6c-4f6e-84c0-02058120b341
Dockerfile Medium Supply-Chain Instead of 'gem install ' we should use 'gem install :' Documentation
APT-GET Missing '-y' To Avoid Manual Input
77783205-c4ca-4f80-bb80-c777f267c547
Dockerfile Medium Supply-Chain Check if apt-get calls use the flag -y to avoid user manual input. Documentation
Using Platform Flag with FROM Command
b16e8501-ef3c-44e1-a543-a093238099c9
Dockerfile Medium Supply-Chain Don't use '--platform' flag with FROM Documentation
Missing Flag From Dnf Install
7ebd323c-31b7-4e5b-b26f-de5e9e477af8
Dockerfile Medium Supply-Chain The '-y' or '--assumeyes' flag should be added when invoking dnf install. If omitted, it can cause the command to fail during the build process, because dnf would expect manual input. Documentation
Pip install Keeping Cached Packages
f2f903fb-b977-461e-98d7-b3e2185c6118
Dockerfile Medium Supply-Chain When installing packages with pip, the '--no-cache-dir' flag should be set to make Docker images smaller Documentation
Yum install Without Version
6452c424-1d92-4deb-bb18-a03e95d579c4
Dockerfile Medium Supply-Chain Not specifying the package version can cause failures due to unanticipated changes in required packages Documentation
Run Using apt
b84a0b47-2e99-4c9f-8933-98bcabe2b94d
Dockerfile Medium Supply-Chain apt is discouraged by Linux distributions as an unattended tool, as its interface may change between versions. Use the more stable apt-get and apt-cache instead Documentation
Run Using 'wget' and 'curl'
fc775e75-fcfb-4c98-b2f2-910c5858b359
Dockerfile Medium Supply-Chain Don't use both 'wget' and 'curl', since the two tools have the same effect Documentation
Unpinned Package Version in Pip Install
02d9c71f-3ee8-4986-9c27-1a20d0d19bfc
Dockerfile Medium Supply-Chain Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes Documentation
Image Version Using 'latest'
f45ea400-6bbe-4501-9fc7-1c3d75c32067
Dockerfile Medium Supply-Chain When building images, always tag them with useful tags which codify version information, intended destination (prod or test, for instance), stability, or other information that is useful when deploying the application in different environments. Do not rely on the automatically-created latest tag Documentation
Image Version Not Explicit
9efb0b2d-89c9-41a3-91ca-dcc0aec911fd
Dockerfile Medium Supply-Chain Always tag the version of an image explicitly Documentation
Yum Clean All Missing
00481784-25aa-4a55-8633-3136dfcf4f37
Dockerfile Medium Supply-Chain Need to use 'yum clean all' after using a 'yum install' command to clean package cached data and reduce image size Documentation
Missing Zypper Non-interactive Switch
45e1fca5-f90e-465d-825f-c2cb63fa3944
Dockerfile Medium Supply-Chain Omitting the non-interactive switch causes the command to fail during the build process, because zypper would expect manual input Documentation
Run Using Zypper Update
d4895357-dd49-4ba5-b726-1bb81cb50989
Dockerfile Medium Supply-Chain 'zypper update' should not be used. It can cause inconsistencies between builds, producing problems for application developers Documentation
Missing Dnf Clean All
295acb63-9246-4b21-b441-7c1f1fb62dc0
Dockerfile Medium Supply-Chain Cached package data should be cleaned after installation to reduce image size Documentation
NPM Install Command Without Pinned Version
e36d8880-3f78-4546-b9a1-12f0745ca0d5
Dockerfile Medium Supply-Chain Check if packages installed by npm are pinning a specific version. Documentation
Missing Version Specification In dnf install
93d88cf7-f078-46a8-8ddc-178e03aeacf1
Dockerfile Medium Supply-Chain Specifying a package version helps reduce failures due to unanticipated changes in required packages. Documentation
Unpinned Package Version in Apk Add
d3499f6d-1651-41bb-a9a7-de925fea487b
Dockerfile Medium Supply-Chain Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes Documentation
Zypper Install Without Version
562952e4-0348-4dea-9826-44f3a2c6117b
Dockerfile Medium Supply-Chain Not specifying the package version can cause failures due to unanticipated changes in required packages Documentation
Exposing Port 22 (SSH)
5907595b-5b6d-4142-b173-dbb0e73fbff8
Dockerfile Low Best Practices Expose only the ports that your application needs and avoid exposing ports like SSH (22) Documentation
MAINTAINER Instruction Being Used
99614418-f82b-4852-a9ae-5051402b741c
Dockerfile Low Best Practices The MAINTAINER instruction sets the Author field of the generated images. The LABEL instruction is a much more flexible version of this and you should use it instead, as it enables setting any metadata you require, and can be viewed easily Documentation
Curl or Wget Instead of Add
4b410d24-1cbe-4430-a632-62c9a931cf1c
Dockerfile Low Best Practices Use Curl or Wget instead of Add to fetch packages from remote URLs, because using Add is strongly discouraged Documentation
Chown Flag Exists
aa93e17f-b6db-4162-9334-c70334e7ac28
Dockerfile Low Best Practices If the user only needs execution permissions on the file and not ownership, don't use --chown option Documentation
Multiple RUN, ADD, COPY, Instructions Listed
0008c003-79aa-42d8-95b8-1c2fe37dbfe6
Dockerfile Low Best Practices Multiple commands (RUN, COPY, ADD) should be grouped in order to reduce the number of layers. Documentation
Add Instead of Copy
9513a694-aa0d-41d8-be61-3271e056f36b
Dockerfile Low Build Process COPY should be used instead of ADD, unless extracting a tar file Documentation
Healthcheck Instruction Missing
b03a748a-542d-44f4-bb86-9199ab4fd2d5
Dockerfile Low Insecure Configurations Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working Documentation
Run Utilities And POSIX Commands
9b6b0f38-92a2-41f9-b881-3a1083d99f1b
Dockerfile Info Supply-Chain Some POSIX commands and interactive utilities shouldn't run inside a Docker Container Documentation
Apk Add Using Local Cache Path
ae9c56a6-3ed1-4ac0-9b54-31267f51151d
Dockerfile Info Supply-Chain When installing packages, use the '--no-cache' switch to avoid the need to use '--update' and remove '/var/cache/apk/*' Documentation
Apt Get Install Lists Were Not Deleted
df746b39-6564-4fed-bf85-e9c44382303c
Dockerfile Info Supply-Chain After using apt-get install, the apt-get lists should be deleted Documentation
APT-GET Not Avoiding Additional Packages
7384dfb2-fcd1-4fbf-91cd-6c44c318c33c
Dockerfile Info Supply-Chain Check if any apt-get installs don't use the '--no-install-recommends' flag to avoid installing additional packages. Documentation
Passwords And Secrets In URL
c09239d5-29d3-4dca-b829-f5553e6c0578
Common High Secret Management Query to find passwords and secrets in URL Documentation
Passwords And Secrets In Infrastructure Code
f996f3cb-00fc-480c-8973-8ab04d44a8cc
Common High Secret Management Query to find passwords and secrets in infrastructure code. Documentation
Cleartext API Key In Operation Security
d90d4e40-44c1-4125-87a0-e072c3e195b5
OpenAPI High Access Control API Keys should not be sent as cleartext over an unencrypted channel Documentation
Field 'securityScheme' On Components Is Undefined
8db5544e-4874-4baa-9322-e9f75a2d219e
OpenAPI High Access Control Components' securityScheme field must have a valid scheme Documentation
Global Security Field Is Undefined
8af270ce-298b-4405-9922-82a10aee7a4f
OpenAPI High Access Control The global security field should be defined to prevent the API from having insecure paths, and these rules should be defined on securitySchemes Documentation
Global Security Field Has An Empty Array
d674aea4-ba8b-454b-bb97-88a772ea33f0
OpenAPI High Access Control The security object needs to have rules defined in its array, and those rules should be defined on securityScheme Documentation
Security Field On Operations Has An Empty Object Definition
baade968-7467-41e4-bf22-83ca222f5800
OpenAPI High Access Control The security object for operations should not be an empty object or have any empty object definition Documentation
No Global And Operation Security Defined
96729c6b-7400-4d9e-9807-17f00cdde4d2
OpenAPI High Access Control All paths should have a security scheme; if it is omitted, the global security field should be defined Documentation
Global security field has an empty object
543e38f4-1eee-479e-8eb0-15257013aa0a
OpenAPI High Access Control Global security definition must not have empty objects Documentation
Cleartext Credentials With Basic Authentication For Operation
86b1fa30-9790-4980-994d-a27e0f6f27c1
OpenAPI High Access Control Cleartext credentials over unencrypted channel should not be accepted for the operation Documentation
Security Field On Operations Has An Empty Array
663c442d-f918-4f62-b096-0bf5dcbeb655
OpenAPI High Access Control Security object for operations, if defined, must define a security scheme, otherwise it should be considered an error Documentation
Schema Array Items Has No Type
be0e0df7-f3d9-42a1-9b6f-d425f94872c4
OpenAPI High Insecure Configurations Schema array items type should be defined Documentation
Array Schema Without Maximum Number of Items
6998389e-66b2-473d-8d05-c8d71ac4d04d
OpenAPI High Insecure Configurations Array schema should have the field 'maxItems' set Documentation
Cleartext API Key In Global Security
9c238c97-1991-4c0b-9c7d-6c7912e1dc7c
OpenAPI Medium Access Control API Keys should not be sent as cleartext over an unencrypted channel Documentation
Security Scheme Using HTTP Negotiate
f525cc92-9050-4c41-a75c-890dc6f64449
OpenAPI Medium Access Control Security Scheme HTTP should not be using negotiate authentication Documentation
Implicit Flow in OAuth2
4a1f3d75-ab73-41b2-83e7-06a93dc3a75a
OpenAPI Medium Access Control There is a 'securityScheme' using implicit flow on OAuth2, which is deprecated Documentation
Security Scheme HTTP Unknown Scheme
06764426-3c56-407e-981f-caa25db1c149
OpenAPI Medium Access Control Security Scheme HTTP scheme should be registered in the IANA Authentication Scheme registry Documentation
Security Scheme Using HTTP Digest
a4247b11-890b-45df-bf42-350a7a3af9be
OpenAPI Medium Access Control Security Scheme HTTP should not be using digest authentication Documentation
Security Scheme Using HTTP Basic
68e5fcac-390c-4939-a373-6074b7be7c71
OpenAPI Medium Access Control Security Scheme HTTP should not be using basic authentication Documentation
API Key Exposed In Global Security
aecee30b-8ea1-4776-a99c-d6d600f0862f
OpenAPI Medium Access Control API Keys should not be transported over network Documentation
Invalid OAuth2 Authorization URL
52c0d841-60d6-4a81-88dd-c35fef36d315
OpenAPI Medium Access Control The field authorizationUrl on implicit or authorizationCode fields from OAuth must be a valid URL Documentation
OAuth2 With Password Flow
3979b0a4-532c-4ea7-86e4-34c090eaa4f2
OpenAPI Medium Access Control OAuth2 password flow insecurely exposes the credentials of the resource owner to the client Documentation
Invalid OAuth2 Token URL
3ba0cca1-b815-47bf-ac62-1e584eb64a05
OpenAPI Medium Access Control OAuth2 security scheme flow requires a valid URL in the tokenUrl field Documentation
OAuth2 With Implicit Flow
39cb32f2-3a42-4af0-8037-82a7a9654b6c
OpenAPI Medium Access Control OAuth2 implicit flow is vulnerable to access token leakage and access token replay Documentation
Global Server Object Uses HTTP
2d8c175a-6d90-412b-8b0e-e034ea49a1fe
OpenAPI Medium Encryption Global server object URL should use 'https' protocol instead of 'http' Documentation
Path Server Object Uses HTTP
9670f240-7b4d-4955-bd93-edaa9fa38b58
OpenAPI Medium Encryption The property 'url' in the Path Server Object should only allow 'HTTPS' protocols to ensure an encrypted connection Documentation
JSON Object Schema Without Properties
9d967a2b-9d64-41a6-abea-dfc4960299bd
OpenAPI Medium Insecure Configurations Schema of the JSON object should have properties defined and 'additionalProperties' set to false. Documentation
Schema Object is Empty
500ce696-d501-41dd-86eb-eceb011a386f
OpenAPI Medium Insecure Configurations The Schema Object should not be empty to avoid accepting any JSON values Documentation
Numeric Schema Without Maximum
2ea04bef-c769-409e-9179-ee3a50b5c0ac
OpenAPI Medium Insecure Configurations Numeric schema (type set to 'integer' or 'number') should have 'maximum' defined. Documentation
Parameter Object Without Schema
8fe1846f-52cc-4413-ace9-1933d7d23672
OpenAPI Medium Insecure Configurations The Parameter Object should have the attribute 'schema' defined Documentation
Numeric Schema Without Format
fbf699b5-ef74-4542-9cf1-f6eeac379373
OpenAPI Medium Insecure Configurations Numeric schema (type set to 'integer' or 'number') should have 'format' defined. Documentation
String Schema Without Pattern
00b78adf-b83f-419c-8ed8-c6018441dd3a
OpenAPI Medium Insecure Configurations String schema should have 'pattern' defined. Documentation
String Schema Without Maximum Length
8c8261c2-19a9-4ef7-ad37-b8bc7bdd4d85
OpenAPI Medium Insecure Configurations String schema should have 'maxLength' defined. Documentation
JSON Object Schema Without Type
e2ffa504-d22a-4c94-b6c5-f661849d2db7
OpenAPI Medium Insecure Configurations Schema of the JSON object should have 'type' defined. Documentation
Media Type Object Without Schema
f79b9d26-e945-44e7-98a1-b93f0f7a68a0
OpenAPI Medium Insecure Configurations The Media Type Object should have the attribute 'schema' defined Documentation
String Schema with Broad Pattern
8c81d6c0-716b-49ec-afa5-2d62da4e3f3c
OpenAPI Medium Insecure Configurations String schema should restrict the pattern Documentation
Numeric Schema Without Minimum
181bd815-767e-4e95-a24d-bb3c87328e19
OpenAPI Medium Insecure Configurations Numeric schema (type set to 'integer' or 'number') should have 'minimum' defined. Documentation
Success Response Code Undefined for Trace Operation
105e20dd-8449-4d71-95c6-d5dac96639af
OpenAPI Medium Networking and Firewall Trace should define the '200' success code Documentation
Response on operations that should have a body has undefined schema
a92be1d5-d762-484a-86d6-8cd0907ba100
OpenAPI Medium Networking and Firewall If a response is not head or its code is not 204 or 304, it should have a schema defined Documentation
Success Response Code Undefined for Post Operation
f368dd2d-9344-4146-a05b-7c6faa1269ad
OpenAPI Medium Networking and Firewall Post should define at least one success response (200, 201, 202 or 204) Documentation
Default Response Undefined On Operations
86e3702f-c868-44b2-b61d-ea5316c18110
OpenAPI Medium Networking and Firewall Operations responses should have a default response defined Documentation
Header Object Without Schema
50de3b5b-6465-4e06-a9b0-b4c2ba34326b
OpenAPI Medium Networking and Firewall The header object should have schema defined Documentation
Response on operations that should not have a body has declared content
12a7210b-f4b4-47d0-acac-0a819e2a0ca3
OpenAPI Medium Networking and Firewall If a response is head or its code is 204 or 304, it shouldn't have content defined Documentation
Response Code Missing
6c35d2c6-09f2-4e5c-a094-e0e91327071d
OpenAPI Medium Networking and Firewall 500, 429 and 400 responses should be defined for all operations, except head operation. 415 response should be defined for the post, put, and patch operations. 404 response should be defined for the get, put, head, delete operations. 200 response should be defined for options operation. 401 and 403 response should be defined for all operations when the security field is defined. Documentation
Success Response Code Undefined for Delete Operation
3b497874-ae59-46dd-8d72-1868a3b8f150
OpenAPI Medium Networking and Firewall Delete should define at least one success response (200, 201, 202 or 204) Documentation
Success Response Code Undefined for Put Operation
60b5f56b-66ff-4e1c-9b62-5753e16825bc
OpenAPI Medium Networking and Firewall Put should define at least one success response (200, 201, 202 or 204) Documentation
Success Response Code Undefined for Head Operation
3b066059-f411-4554-ac8d-96f32bff90da
OpenAPI Medium Networking and Firewall Head should define at least one success response (200 or 202) Documentation
Success Response Code Undefined for Patch Operation
1908a8ee-927d-4166-8f18-241152170cc1
OpenAPI Medium Networking and Firewall Patch should define at least one success response (200, 201, 202 or 204) Documentation
Success Response Code Undefined for Get Operation
b2f275be-7d64-4064-b418-be6b431363a7
OpenAPI Medium Networking and Firewall Get should define at least one success response (200 or 202) Documentation
API Key Exposed In Operation Security
281b8071-6226-4a43-911d-fec246d422c2
OpenAPI Low Access Control API Keys should not be transported over network Documentation
Undefined Scope 'securityScheme' On Global 'security' Field
23a9e2d9-8738-4556-a71c-2802b6ffa022
OpenAPI Low Access Control Using a scope on the global security field that is undefined on 'securityScheme' means it can be defined by an attacker Documentation
Security Scheme Using Oauth 1.0
1bc3205c-0d60-44e6-84f3-44fbf4dac5b3
OpenAPI Low Access Control OAuth 1.0 is deprecated; OAuth2 should be used instead Documentation
API Key Exposed In Global Security Scheme
40e1d1bf-11a9-4f63-a3a2-a8b84c602839
OpenAPI Low Access Control API Keys should not be transported over network Documentation
Global Security Scheme Using Basic Authentication
77276d82-4f45-4cf1-8e2b-4d345b936228
OpenAPI Low Access Control A security scheme is allowing basic authentication credentials to be transported over network Documentation
Undefined Scope 'securityScheme' On 'security' Field On Operations
462d6a1d-fed9-4d75-bb9e-3de902f35e6e
OpenAPI Low Access Control Using a scope on the security field of operations that is undefined on 'securityScheme' means it can be defined by an attacker Documentation
Schema Invalid Number Format
d929c031-078f-4241-b802-e224656ad890
OpenAPI Low Insecure Configurations Schema numeric formats should be valid: for integer the format must be int32 or int64, and for number it must be float or double Documentation
Unknown Schema String Format
a767f960-0489-4532-a6a0-3f0b43da7dab
OpenAPI Low Insecure Configurations String schema should have the format field set as 'date', 'date-time', 'password', 'byte', 'binary', 'email', 'uuid', 'uri', 'hostname', 'ipv4' or 'ipv6' Documentation
Unknown Prefix
a5375be3-521c-43bb-9eab-e2432e368ee4
OpenAPI Info Best Practices The media type prefix should be set as 'application', 'audio', 'font', 'example', 'image', 'message', 'model', 'multipart', 'text' or 'video' Documentation
Invalid Operation External Documentation URL
5ea61624-3733-4a3a-8ca4-b96fec9c5aeb
OpenAPI Info Best Practices Operation External Documentation URL should be a valid URL Documentation
Header Parameter Named as 'Authorization'
8c84f75e-5048-4926-a4cb-33e7b3431300
OpenAPI Info Best Practices The header Parameter should not be named as 'Authorization'. If so, it will be ignored. Documentation
Components Parameter Definition Is Unused
698a464e-bb3e-4ba8-ab5e-e6599b7644a0
OpenAPI Info Best Practices Components parameters definitions should be referenced or removed from Open API definition Documentation
Header Parameter Named as 'Content-Type'
72d259ca-9741-48dd-9f62-eb11f2936b37
OpenAPI Info Best Practices The header Parameter should not be named as 'Content-Type'. If so, it will be ignored. Documentation
Invalid Media Type Value
cf4a5f45-a27b-49df-843a-9911dbfe71d4
OpenAPI Info Best Practices The Media Type value should match the following format: /[+suffix][;parameters] Documentation
Components Example Definition Is Unused
b05bb927-2df5-43cc-8d7b-6825c0e71625
OpenAPI Info Best Practices Components examples definitions should be referenced or removed from Open API definition Documentation
Property 'explode' of Encoding Object Ignored
a4dd69b8-49fa-45d2-a060-c76655405b05
OpenAPI Info Best Practices Property 'explode' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored. Documentation
Header Response Named as 'Content-Type'
d4e43db5-54d8-4dda-b3c2-0dc6f31a46bd
OpenAPI Info Best Practices The Header Response should not be named as 'Content-Type'. If so, it will be ignored. Documentation
Components Link Definition Is Unused
c19779a9-5774-4d2f-a3a1-a99831730375
OpenAPI Info Best Practices Components links definitions should be referenced or removed from Open API definition Documentation
Encoding Header 'Content-Type' Improperly Defined
4cd8de87-b595-48b6-ab3c-1904567135ab
OpenAPI Info Best Practices Encoding Map Key should not define a 'Content-Type' in the 'headers' field. If so, it will be ignored. Documentation
JSON '$ref' alongside other properties
96beb800-566f-49a9-a0ea-dbdf4bc80429
OpenAPI Info Best Practices Each field of the Open API specification that accepts '$ref' implies that the field is a Reference Object, which has only the '$ref' key Documentation
Invalid License URL
9239c289-9e4c-4d92-8be1-9d506057c971
OpenAPI Info Best Practices License Object URL should be a valid URL Documentation
Property 'allowReserved' of Encoding Object Ignored
4190dda7-af03-4cf0-a128-70ac1661ca09
OpenAPI Info Best Practices Property 'allowReserved' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored. Documentation
Property 'allowEmptyValue' Ignored
59c2f769-7cc2-49c8-a3de-4e211135cfab
OpenAPI Info Best Practices Property 'allowEmptyValue' is ignored in the following cases: {"style": "simple", "explode": false}, {"style": "simple", "explode": true}, {"style": "spaceDelimited", "explode": false}, {"style": "pipeDelimited", "explode": false}, and {"style": "deepObject", "explode": true} Documentation
Example Not Compliant With Schema Type
881a6e71-c2a7-4fe2-b9c3-dfcf08895331
OpenAPI Info Best Practices Examples values and fields should be compliant with the schema type Documentation
Invalid Contact Email
b1a7fcb0-2afe-4d5c-a6a1-4e6311fc29e7
OpenAPI Info Best Practices Contact Object Email should be a valid email Documentation
Components Schema Definition Is Unused
962fa01e-b791-4dcc-b04a-4a3e7389be5e
OpenAPI Info Best Practices Components schemas definitions should be referenced or removed from Open API definition Documentation
Property 'style' of Encoding Object Ignored
d3ea644a-9a5c-4fee-941f-f8a6786c0470
OpenAPI Info Best Practices Property 'style' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored. Documentation
Components Response Definition Is Unused
9c3ea128-7e9a-4b4c-8a32-75ad17a2d3ae
OpenAPI Info Best Practices Components responses definitions should be referenced or removed from Open API definition Documentation
Invalid Contact URL
332cf2ad-380d-4b90-b436-46f8e635cf38
OpenAPI Info Best Practices Contact Object URL should be a valid URL Documentation
Components Callback Definition Is Unused
d15db953-a553-4b8a-9a14-a3d62ea3d79d
OpenAPI Info Best Practices Components callbacks definitions should be referenced or removed from Open API definition Documentation
Invalid Tag External Documentation URL
5aea1d7e-b834-4749-b143-2c7ec3bd5922
OpenAPI Info Best Practices Tag External Documentation URL should be a valid URL Documentation
Path Without Operation
84c826c9-1893-4b34-8cdd-db97645b4bf3
OpenAPI Info Best Practices Path object should have at least one operation object defined Documentation
Required Property With Default Value
013bdb4b-9246-4248-b0c3-7fb0fee42a29
OpenAPI Info Best Practices Required properties receive their value from requests, so declaring a default value is unnecessary Documentation
Components Request Body Definition Is Unused
6b76f589-9713-44ab-97f5-59a3dba1a285
OpenAPI Info Best Practices Components request bodies definitions should be referenced or removed from Open API definition Documentation
Schema Object Using Enum With Keyword
2e9b6612-8f69-42e0-a5b8-ed17739c2f3a
OpenAPI Info Best Practices Schema Object properties should not contain 'enum' and schema keywords Documentation
Components Header Definition Is Unused
a68da022-e95a-4bc2-97d3-481e0bd6d446
OpenAPI Info Best Practices Components headers definitions should be referenced or removed from Open API definition Documentation
Invalid Schema External Documentation URL
6952a7e0-6e48-4285-bbc1-27c64e60f888
OpenAPI Info Best Practices Schema External Documentation URL should be a valid URL Documentation
Header Parameter Named as 'Accept'
f2702af5-6016-46cb-bbc8-84c766032095
OpenAPI Info Best Practices The header Parameter should not be named as 'Accept'. If so, it will be ignored. Documentation
Invalid Global External Documentation URL
b2d9dbf6-539c-4374-a1fd-210ddf5563a8
OpenAPI Info Best Practices Global External Documentation URL should be a valid URL Documentation
Operation Without Successful HTTP Status Code
48e9e1fe-cf79-45b5-93e6-8b55ae5dadfd
OpenAPI Info Best Practices Operation Object should have at least one successful HTTP status code defined Documentation
Security Operation Field Undefined
20a482d5-c5d9-4a7a-b7a4-60d0805047b4
OpenAPI Info Structure and Semantics Security operation field should be defined in '#/components/securitySchemes' Documentation
Parameter Object With Undefined Type
46facedc-f243-4108-ab33-583b807d50b0
OpenAPI Info Structure and Semantics A Parameter Object must contain either a 'schema' property, or a 'content' property Documentation
Path Template is Empty
ae13a37d-943b-47a7-a970-83c8598bcca3
OpenAPI Info Structure and Semantics All path templates should not be empty Documentation
Schema JSON Reference Does Not Exist
015eac96-6313-43c0-84e5-81b1374fa637
OpenAPI Info Structure and Semantics Schema reference should exist in the components field Documentation
Empty Array
5915c20f-dffa-4cee-b5d4-f457ddc0151a
OpenAPI Info Structure and Semantics All array fields should not be empty Documentation
Property Defining Minimum Greater Than Maximum
ab2af219-cd08-4233-b5a1-a788aac88b51
OpenAPI Info Structure and Semantics Property defining minimum has greater value than maximum defined Documentation
Request Body Object With Incorrect Media Type
58f06434-a88c-4f74-826c-db7e10cc7def
OpenAPI Info Structure and Semantics The field 'content' of the request body object should be set to 'multipart' or 'application/x-www-form-urlencoded' when field 'encoding' is set. Documentation
Link Object Incorrect Ref
b9db8a10-020c-49ca-88c6-780e5fdb4328
OpenAPI Info Structure and Semantics Link object reference must always point to '#/components/links' Documentation
Path Is Ambiguous
237402e2-c2f0-46c9-9cf5-286160cf7bfc
OpenAPI Info Structure and Semantics All paths should be unique; if a path has more than one operation, all operations should be part of the same Path Object Documentation
Schema Has A Required Property Undefined
2bd608ae-8a1f-457f-b710-c237883cb313
OpenAPI Info Structure and Semantics Schema Object should not have a required property that is not defined in 'properties' Documentation
Schema Discriminator Not Required
b481d46c-9c61-480f-86d9-af07146dc4a4
OpenAPI Info Structure and Semantics The discriminator property in the Schema Object should be a required property Documentation
Example JSON Reference Does Not Exist
6a2c219f-da5e-4745-941e-5ea8cde23356
OpenAPI Info Structure and Semantics Example reference should exist in the components field Documentation
Response JSON Reference Does Not Exist
7a01dfbd-da62-4165-aed7-71349ad42ab4
OpenAPI Info Structure and Semantics Response reference should exist in the components field Documentation
Schema Discriminator Mismatch Defined Properties
40d3df21-c170-4dbe-9c02-4289b51f994f
OpenAPI Info Structure and Semantics Schema discriminator values should match defined properties. Documentation
Response Object With Incorrect Ref
b3871dd8-9333-4d6c-bd52-67eb898b71ab
OpenAPI Info Structure and Semantics Response Object reference must always point to '#/components/responses' Documentation
Link Object With Both 'operationId' And 'operationRef'
60fb6621-9f02-473b-9424-ba9a825747d3
OpenAPI Info Structure and Semantics Link Object should not have both 'operationId' and 'operationRef' defined, since they are mutually exclusive. Documentation
Server Object Variable Not Used
8aee4754-970d-4c5f-8142-a49dfe388b1a
OpenAPI Info Structure and Semantics Every defined Server Variable Object should be used in a Server URL. Documentation
Encoding Map Key Mismatch Schema Defined Properties
cd7a52cf-8d7f-4cfe-bbeb-6306d23f576b
OpenAPI Info Structure and Semantics Encoding Map Key should be set in schema defined properties Documentation
Request Body With Incorrect Ref
0f6cd0ab-c366-4595-84fc-fbd8b9901e4d
OpenAPI Info Structure and Semantics Request Body reference must always point to '#/components/requestBodies' Documentation
Schema Discriminator Property Not String
dadc2f36-1f5a-46c0-8289-75e626583123
OpenAPI Info Structure and Semantics Schema discriminator property should be a string Documentation
Parameter Object With Incorrect Ref
d40f27e6-15fb-4b56-90f8-fc0ff0291c51
OpenAPI Info Structure and Semantics Parameter Object reference must always point to '#/components/parameters' Documentation
Invalid Content Type For Multiple Files Upload
26f06397-36d8-4ce7-b993-17711261d777
OpenAPI Info Structure and Semantics Content Type should be set to 'multipart/form-data' in case of uploading an arbitrary number of files (array) Documentation
Parameters Name In Combination Should Be Unique
f5b2e6af-76f5-496d-8482-8f898c5fdb4a
OpenAPI Info Structure and Semantics Parameters properties 'name' and 'in' should have unique combinations Documentation
Schema With Both ReadOnly And WriteOnly
d2361d58-361c-49f0-9e50-b957fd608b29
OpenAPI Info Structure and Semantics Schema should not have both 'writeOnly' and 'readOnly' set to true Documentation
Header JSON Reference Does Not Exist
376c9390-7e9e-4cb8-a067-fd31c05451fd
OpenAPI Info Structure and Semantics Header reference should exist in the components field Documentation
Paths Object is Empty
815021c8-a50c-46d9-b192-24f71072c400
OpenAPI Info Structure and Semantics Paths object may be empty due to ACL constraints, meaning they are not exposed Documentation
Components Object Fixed Field Key Improperly Named
151331e2-11f4-4bb6-bd35-9a005e695087
OpenAPI Info Structure and Semantics Components object fixed fields (schemas, responses, parameters, examples, requestBodies, headers, securitySchemes, links, and callbacks) should use keys that match the following REGEX: ^[a-zA-Z0-9\.\-_]+$ Documentation
Path Parameter With No Corresponding Template Path
69d7aefd-149d-47b8-8d89-1c2181a8067b
OpenAPI Info Structure and Semantics The path parameter must have a corresponding template path for a given operation Documentation
Callback JSON Reference Does Not Exist
f29904c8-6041-4bca-b043-dfa0546b8079
OpenAPI Info Structure and Semantics Callback reference should exist in the components field Documentation
Schema Object Properties With Duplicated Keys
10c61e4b-eed5-49cf-9c7d-d4bf02e9edfa
OpenAPI Info Structure and Semantics Schema Object Property key should be unique throughout the fields 'properties', 'allOf' and 'additionalProperties' Documentation
Schema Enum Invalid
03856cb2-e46c-4daf-bfbf-214ec93c882b
OpenAPI Info Structure and Semantics The field 'enum' of Schema Object should be consistent with the schema's type Documentation
Link Object OperationId Does Not Target Operation Object
c5bb7461-aa57-470b-a714-3bc3d74f4669
OpenAPI Info Structure and Semantics Link object 'OperationId' should target an existing operation object in the OpenAPI definition Documentation
Unknown Property
fb7d81e7-4150-48c4-b914-92fc05da6a2f
OpenAPI Info Structure and Semantics All properties defined in OpenAPI objects should be known Documentation
Link JSON Reference Does Not Exist
801f0c6a-a834-4467-89c6-ddecffb46b5a
OpenAPI Info Structure and Semantics Link reference should exist in the components field Documentation
Object Without Required Property
d172a060-8569-4412-8045-3560ebd477e8
OpenAPI Info Structure and Semantics OpenAPI Object should contain all of its required fields Documentation
Parameter Object With Schema And Content
31dd6fc0-f274-493b-9614-e063086c19fc
OpenAPI Info Structure and Semantics A Parameter Object must contain either a 'schema' property, or a 'content' property, but not both since they are mutually exclusive Documentation
Schema Items Undefined
a8e859da-4a43-4e7f-94b8-25d6e3bf8e90
OpenAPI Info Structure and Semantics Schema items should be defined when the schema is set to an array. Documentation
Property 'allowReserved' Improperly Defined
7f203940-39c4-4ea7-91ee-7aba16bca9e2
OpenAPI Info Structure and Semantics Property 'allowReserved' should be only defined for query parameters Documentation
Servers Array Undefined
c66ebeaa-676c-40dc-a3ff-3e49395dcd5e
OpenAPI Info Structure and Semantics The Servers array should have at least one server defined. If not, the default value would be a Server Object with a URL value of '/'. Documentation
Template Path With No Corresponding Path Parameter
561710b1-b845-4562-95ce-2397a05ccef4
OpenAPI Info Structure and Semantics The template path must have a corresponding path parameter for a given operation Documentation
Parameter Object Content With Multiple Entries
8bfed1c6-2d59-4924-bc7f-9b9d793ed0df
OpenAPI Info Structure and Semantics The map content property of the parameter object should only contain one entry Documentation
Security Field Undefined
ab1263c2-81df-46f0-9f2c-0b62fdb68419
OpenAPI Info Structure and Semantics Security field should be defined in '#/components/securitySchemes' Documentation
Example JSON Reference Outside Components Examples
bac56e3c-1f71-4a74-8ae6-2fba07efcddb
OpenAPI Info Structure and Semantics Reference to examples should point to #/components/examples Documentation
OperationId Not Unique
c254adc4-ef25-46e1-8270-b7944adb4198
OpenAPI Info Structure and Semantics OperationId should be unique when defined Documentation
Security Requirement Object With Wrong Scopes
37140f7f-724a-4c87-a536-e9cee1d61533
OpenAPI Info Structure and Semantics Security Requirement Object should only have scopes defined for security schemes of type 'oauth2' and 'openIdConnect' Documentation
Callback Object With Incorrect Ref
ba066cda-e808-450d-92b6-f29109754d45
OpenAPI Info Structure and Semantics Callback Object reference must always point to '#/components/callbacks' Documentation
Responses With Wrong HTTP Status Code
d86655c0-92f6-4ffc-b4d5-5b5775804c27
OpenAPI Info Structure and Semantics HTTP Responses status code should be in range of [200-599] Documentation
Request Body JSON Reference Does Not Exist
ca02f4e8-d3ae-4832-b7db-bb037516d9e7
OpenAPI Info Structure and Semantics Request Body reference should exist in the components field Documentation
Non-Array Schema With Items
20cb3159-b219-496b-8dac-54ae3ab2021a
OpenAPI Info Structure and Semantics Non-Array Schema should not have 'items' defined Documentation
Server URL Not Absolute
a0bf7382-5d5a-4224-924c-3db8466026c9
OpenAPI Info Structure and Semantics The Server URL should be an absolute URL Documentation
Schema Type Has Invalid Keyword
a9228976-10cf-4b5f-b902-9e962aad037a
OpenAPI Info Structure and Semantics Schema defined type is using a keyword of another type Documentation
Property 'allowEmptyValue' Improperly Defined
4bcbcd52-3028-469f-bc14-02c7dbba2df2
OpenAPI Info Structure and Semantics Property 'allowEmptyValue' should be only defined for query parameters Documentation
Responses Object Is Empty
990eaf09-d6f1-4c3c-b174-a517b1de8917
OpenAPI Info Structure and Semantics Responses Object should not be empty Documentation
Parameter JSON Reference Does Not Exist
2e275f16-b627-4d3f-ae73-a6153a23ae8f
OpenAPI Info Structure and Semantics Parameter reference should exist in the components field Documentation
Schema Default Invalid
a96bbc06-8cde-4295-ad3c-ee343a7f658e
OpenAPI Info Structure and Semantics The field 'default' of Schema Object should be consistent with the schema's type Documentation
Schema Object Incorrect Ref
4cac7ace-b0fb-477d-830d-65395d9109d9
OpenAPI Info Structure and Semantics Schema Object reference must always point to '#/components/schemas' Documentation
Header Object With Incorrect Ref
2d6646f4-2946-420f-8c14-3232d49ae0cb
OpenAPI Info Structure and Semantics Header Object reference must always point to '#/components/headers' Documentation
Properties Missing Required Property
3fb03214-25d4-4bd4-867c-c2d8d708a483
OpenAPI Info Structure and Semantics Schema Object should have all required properties defined Documentation
Parameter Objects Headers With Duplicated Name
05505192-ba2c-4a81-9b25-dcdbcc973746
OpenAPI Info Structure and Semantics Parameter Objects should not have duplicate names for 'header' location, since HTTP headers are not case sensitive. Documentation
Schema Object With Circular Ref
1a1aea94-745b-40a7-b860-0702ea6ee636
OpenAPI Info Structure and Semantics Schema Object should not reference itself in the 'allOf', 'oneOf', 'anyOf' and 'not' properties Documentation
Server URL Uses Undefined Variables
8d0921d6-4131-461f-a253-99e873f8f77e
OpenAPI Info Structure and Semantics Any variable used in the Server URL should be defined in the Server Object through 'variables'. Documentation
Path Parameter Not Required
0de50145-e845-47f4-9a15-23bcf2125710
OpenAPI Info Structure and Semantics The property 'required' determines whether the parameter is mandatory. If the parameter location is 'path', this property is required and its value must be true. Documentation
Shared Host Network Namespace
6b6bdfb3-c3ae-44cb-88e4-7405c1ba2c8a
Kubernetes High Insecure Configurations Container should not share the host network namespace Documentation
Not Limited Capabilities For Pod Security Policy
caa93370-791f-4fc6-814b-ba6ce0cb4032
Kubernetes High Insecure Configurations Limit capabilities for a Pod Security Policy Documentation
Container Is Privileged
dd29336b-fe57-445b-a26e-e6aa867ae609
Kubernetes High Insecure Configurations Do not allow container to be privileged. Documentation
Cluster Allows Unsafe Sysctls
9127f0d9-2310-42e7-866f-5fd9d20dcbad
Kubernetes High Insecure Configurations A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from influencing any other pod on the node, harming the node's health, or gaining CPU or memory resources outside of the pod's resource limits. This means 'spec.securityContext.sysctls' must not contain unsafe sysctls and the attribute 'allowedUnsafeSysctls' must be undefined. Documentation
Host Aliases Undefined Or Empty
72b03514-20ae-4409-8842-2dd70c2e25aa
Kubernetes High Insecure Configurations A Pod should have Host Aliases defined as to prevent the container from modifying the file after a pod's containers have already been started. This means the attribute 'spec.hostAliases' must be defined and not empty or null. Documentation
Shared Host PID Namespace
302736f4-b16c-41b8-befe-c0baffa0bd9d
Kubernetes High Insecure Configurations Container should not share the host process ID namespace Documentation
Tiller Service Is Not Deleted
8b862ca9-0fbd-4959-ad72-b6609bdaa22d
Kubernetes High Insecure Configurations Check if there is any Tiller Service present Documentation
Tiller (Helm v2) Is Deployed
6d173be7-545a-46c6-a81d-2ae52ed1605d
Kubernetes High Insecure Configurations Check if Tiller is deployed. Documentation
Object Is Using A Deprecated API Version
94b76ea5-e074-4ca2-8a03-c5a606e30645
Kubernetes High Insecure Configurations Check if any objects are using a deprecated version of API. Documentation
NET_RAW Capabilities Not Being Dropped
dbbc6705-d541-43b0-b166-dd4be8208b54
Kubernetes High Insecure Configurations Containers should drop 'NET_RAW' or 'ALL' capabilities Documentation
PSP Allows Containers To Share The Host Network Namespace
a33e9173-b674-4dfb-9d82-cf3754816e4b
Kubernetes High Insecure Configurations Check if Pod Security Policies allow containers to share the host network namespace. Documentation
Privilege Escalation Allowed
5572cc5e-1e4c-4113-92a6-7a8a3bd25e6d
Kubernetes High Insecure Configurations Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process Documentation
Shared Host IPC Namespace
cd290efd-6c82-4e9d-a698-be12ae31d536
Kubernetes High Insecure Configurations Container should not share the host IPC namespace Documentation
Role Binding To Default Service Account
1e749bc9-fde8-471c-af0c-8254efd2dee5
Kubernetes High Insecure Defaults No role nor cluster role should bind to a default service account Documentation
Tiller Deployment Is Accessible From Within The Cluster
e17fa86a-6222-4584-a914-56e8f6c87e06
Kubernetes High Networking and Firewall Check if any Tiller Deployment container allows access from within the cluster. Documentation
RBAC Roles with Read Secrets Permissions
b7bca5c4-1dab-4c2c-8cbe-3050b9d59b14
Kubernetes Medium Access Control Minimize access to secrets (RBAC) Documentation
Non Kube System Pod With Host Mount
aa8f7a35-9923-4cad-bd61-a19b7f6aac91
Kubernetes Medium Access Control A non kube-system workload should not have hostPath mounted Documentation
Liveness Probe Is Not Defined
ade74944-a674-4e00-859e-c6eab5bde441
Kubernetes Medium Availability Liveness Probe must be defined. Documentation
Readiness Probe Is Not Configured
a659f3b5-9bf0-438a-bd9a-7d3a6427f1e3
Kubernetes Medium Availability Check if Readiness Probe is not configured. Documentation
Resource With Allow Privilege Escalation
0a7c420c-4568-4cec-ba36-4d42a6f9613b
Kubernetes Medium Best Practices Minimize the admission of privileged resources Documentation
Root Containers Admitted
e3aa0612-4351-4a0d-983f-aefea25cf203
Kubernetes Medium Best Practices Containers must not be allowed to run with root privileges, which means the attributes 'privileged','allowPrivilegeEscalation' and 'readOnlyRootFilesystem' must be set to false, 'runAsUser.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden Documentation
Container Running As Root
cf34805e-3872-4c08-bf92-6ff7bb0cfadb
Kubernetes Medium Best Practices Check if containers are running as root unduly. Documentation
Container Running With Low UID
02323c00-cdc3-4fdc-a310-4f2b3e7a1660
Kubernetes Medium Best Practices Check if containers are running with low UID, which might cause conflicts with the host's user table. Documentation
Incorrect Volume Claim Access Mode ReadWriteOnce
3878dc92-8e5d-47cf-9cdd-7590f71d21b9
Kubernetes Medium Build Process Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce' Documentation
PSP Allows Sharing Host IPC
80f93444-b240-4ebb-a4c6-5c40b76c04ea
Kubernetes Medium Insecure Configurations Pod Security Policy allows containers to share the host IPC namespace Documentation
PSP Set To Privileged
c48e57d3-d642-4e0b-90db-37f807b41b91
Kubernetes Medium Insecure Configurations Do not allow pod to request execution as privileged. Documentation
Workload Mounting With Sensitive OS Directory
5308a7a8-06f8-45ac-bf10-791fe21de46e
Kubernetes Medium Insecure Configurations Workload is mounting a volume with sensitive OS Directory Documentation
Containers With Added Capabilities
19ebaa28-fc86-4a58-bcfa-015c9e22fe40
Kubernetes Medium Insecure Configurations Containers should not have added capability Documentation
Default Service Account In Use
b93e973e-9066-4455-a63b-c1c0e1ec3a48
Kubernetes Medium Insecure Configurations Default service accounts should not be actively used Documentation
Containers With Sys Admin Capabilities
235236ee-ad78-4065-bd29-61b061f28ce0
Kubernetes Medium Insecure Configurations Containers should not have CAP_SYS_ADMIN Linux capability Documentation
Not Limited Capabilities For Container
2f1a0619-b12b-48a0-825f-993bb6f01d58
Kubernetes Medium Insecure Configurations Limit the capabilities for a Container. Documentation
Seccomp Profile Is Not Configured
f377b83e-bd07-4f48-a591-60c82b14a78b
Kubernetes Medium Insecure Configurations Check if any resource does not configure Seccomp default profile properly Documentation
PSP Allows Privilege Escalation
87554eef-154d-411d-bdce-9dbd91e56851
Kubernetes Medium Insecure Configurations PodSecurityPolicy should not allow privilege escalation Documentation
NET_RAW Capabilities Disabled for PSP
2270987f-bb51-479f-b8be-3ca73e5ad648
Kubernetes Medium Insecure Configurations Containers need to have NET_RAW or All as drop capabilities Documentation
PSP With Added Capabilities
7307579a-3abb-46ad-9ce5-2a915634d5c8
Kubernetes Medium Insecure Configurations PodSecurityPolicy should not have added capabilities Documentation
Ingress Controller Exposes Workload
69bbc5e3-0818-4150-89cc-1e989b48f23b
Kubernetes Medium Insecure Configurations Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks Documentation
Using Default Namespace
611ab018-c4aa-4ba2-b0f6-a448337509a6
Kubernetes Medium Insecure Configurations The default namespace should not be used Documentation
Container Runs Unmasked
f922827f-aab6-447c-832a-e1ff63312bd3
Kubernetes Medium Insecure Configurations Check if a container has full (unmasked) access to the host's /proc, which would allow it to retrieve sensitive information and possibly change kernel parameters at runtime. Documentation
PSP Allows Sharing Host PID
91dacd0e-d189-4a9c-8272-5999a3cc32d9
Kubernetes Medium Insecure Configurations Pod Security Policy allows containers to share the host process ID namespace Documentation
Service Account Name Undefined Or Empty
591ade62-d6b0-4580-b1ae-209f80ba1cd9
Kubernetes Medium Insecure Defaults A Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'serviceAccountName' should be defined and not empty. Documentation
Service Account Token Automount Not Disabled
48471392-d4d0-47c0-b135-cdec95eb3eef
Kubernetes Medium Insecure Defaults Service Account Tokens are automatically mounted even if not necessary Documentation
Pod Misconfigured Network Policy
0401f71b-9c1e-4821-ab15-a955caa621be
Kubernetes Medium Networking and Firewall Check if any pod is not being targeted by a proper network policy. Documentation
Service With External Load Balance
26763a1c-5dda-4772-b507-5fca7fb5f165
Kubernetes Medium Networking and Firewall Service has an external load balancer, which may cause accessibility from other networks and the Internet Documentation
Network Policy Is Not Targeting Any Pod
85ab1c5b-014e-4352-b5f8-d7dea3bb4fd3
Kubernetes Medium Networking and Firewall Check if any network policy is not targeting any pod. Documentation
CPU Limits Not Set
4ac0e2b7-d2d2-4af7-8799-e8de6721ccda
Kubernetes Medium Resource Management CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests Documentation
CPU Requests Not Set
ca469dd4-c736-448f-8ac1-30a642705e0a
Kubernetes Medium Resource Management CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node Documentation
Memory Limits Not Defined
b14d1bc4-a208-45db-92f0-e21f8e2588e9
Kubernetes Medium Resource Management Memory limits should be specified Documentation
Volume Mount With OS Directory Write Permissions
b7652612-de4e-4466-a0bf-1cd81f0c6063
Kubernetes Medium Resource Management Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries. Documentation
Memory Requests Not Defined
229588ef-8fde-40c8-8756-f4f2b5825ded
Kubernetes Medium Resource Management Memory requests should be specified Documentation
Shared Service Account
c1032cf7-3628-44e2-bd53-38c17cf31b6b
Kubernetes Medium Secret Management A Service Account token is shared between workloads Documentation
ServiceAccount Allows Access Secrets
056ac60e-fe07-4acc-9b34-8e1d51716ab9
Kubernetes Medium Secret Management Roles and ClusterRoles, when bound, should not use 'get', 'list' or 'watch' as verbs Documentation
Missing App Armor Config
8b36775e-183d-4d46-b0f7-96a6f34a723f
Kubernetes Low Access Control Containers should be configured with AppArmor for any application to reduce its potential attack surface Documentation
Cluster Admin Rolebinding With Superuser Permissions
249328b8-5f0f-409f-b1dd-029f07882e11
Kubernetes Low Access Control Ensure that the cluster-admin role is only used where required (RBAC) Documentation
Permissive Access to Create Pods
592ad21d-ad9b-46c6-8d2d-fad09d62a942
Kubernetes Low Access Control The permission to create pods in a cluster should be restricted because it allows privilege escalation. Documentation
Docker Daemon Socket is Exposed to Containers
a6f34658-fdfb-4154-9536-56d516f65828
Kubernetes Low Access Control Checks that the Docker daemon socket is not exposed to containers Documentation
RBAC Wildcard In Rule
6b896afb-ca07-467a-b256-1a0077a1c08e
Kubernetes Low Access Control Kubernetes Roles and ClusterRoles should not use wildcards in rules (objects or actions) Documentation
HPA Targets Invalid Object
2f652c42-619d-4361-b361-9f599688f8ca
Kubernetes Low Availability The Horizontal Pod Autoscale must target a valid object Documentation
HPA Targeted Deployments With Configured Replica Count
5744cbb8-5946-4b75-a196-ade44449525b
Kubernetes Low Availability Deployments targeted by HorizontalPodAutoscaler should not have a statically configured replica count set Documentation
StatefulSet Without Service Name
bb241e61-77c3-4b97-9575-c0f8a1e008d0
Kubernetes Low Availability Check if the StatefulSets have a headless 'serviceName' Documentation
Deployment Without PodDisruptionBudget
b23e9b98-0cb6-4fc9-b257-1f3270442678
Kubernetes Low Availability Deployments should be assigned with a PodDisruptionBudget to ensure high availability Documentation
StatefulSet Without PodDisruptionBudget
1db3a5a5-bf75-44e5-9e44-c56cfc8b1ac5
Kubernetes Low Availability StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability Documentation
Metadata Label Is Invalid
1123031a-f921-4c5b-bd86-ef354ecfd37a
Kubernetes Low Best Practices Check if any label in the metadata is invalid. Documentation
No Drop Capabilities for Containers
268ca686-7fb7-4ae9-b129-955a2a89064e
Kubernetes Low Best Practices Checks that drop capabilities are defined in the container's security context Documentation
Root Container Not Mounted As Read-only
a9c2f49d-0671-4fc9-9ece-f4e261e128d0
Kubernetes Low Build Process Check if the root container filesystem is not being mounted as read-only. Documentation
StatefulSet Requests Storage
8cf4671a-cf3d-46fc-8389-21e7405063a2
Kubernetes Low Build Process A StatefulSet requests volume storage. Documentation
Service Does Not Target Pod
3ca03a61-3249-4c16-8427-6f8e47dda729
Kubernetes Low Insecure Configurations Service should Target a Pod Documentation
Dashboard Is Enabled
d2ad057f-0928-41ef-a83c-f59203bb855b
Kubernetes Low Insecure Configurations If not needed, disabling the dashboard can prevent it from being used as an attack vector Documentation
Image Without Digest
7c81d34c-8e5a-402b-9798-9f442630e678
Kubernetes Low Insecure Configurations Checks that the Kubernetes image is referenced by digest Documentation
Pod or Container Without Security Context
a97a340a-0063-418e-b3a1-3028941d0995
Kubernetes Low Insecure Configurations A security context defines privilege and access control settings for a Pod or Container Documentation
Image Pull Policy Of The Container Is Not Set To Always
caa3479d-885d-4882-9aac-95e5e78ef5c2
Kubernetes Low Insecure Configurations Image Pull Policy of the container must be defined and set to Always Documentation
Service Type is NodePort
845acfbe-3e10-4b8e-b656-3b404d36dfb2
Kubernetes Low Networking and Firewall Service type should not be NodePort Documentation
Workload Host Port Not Specified
2b1836f1-dcce-416e-8e16-da8c71920633
Kubernetes Low Networking and Firewall Verifies if Kubernetes workload's host port is specified Documentation
Container Requests Not Equal To Its Limits
aee3c7d2-a811-4201-90c7-11c028be9a46
Kubernetes Low Resource Management A Pod's Containers must have the same requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.memory' and 'requests.cpu' must equal 'limits.memory' and 'limits.cpu', respectively, and all four must be defined. Documentation
Container Memory Requests Not Equal To Its Limits
aafa7d94-62de-4fbf-8838-b69ee217b0e6
Kubernetes Low Resource Management A Pod's Containers must have the same Memory requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.memory' must equal 'limits.memory', and both be defined. Documentation
StatefulSet Has No PodAntiAffinity
d740d048-8ed3-49d3-b77b-6f072f3b669e
Kubernetes Low Resource Management Check if StatefulSet resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node. Documentation
Container CPU Requests Not Equal To Its Limits
9d43040e-e703-4e16-8bfe-8d4da10fa7e6
Kubernetes Low Resource Management A Pod's Containers must have the same CPU requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.cpu' must equal 'limits.cpu', and both be defined. Documentation
Deployment Has No PodAntiAffinity
a31b7b82-d994-48c4-bd21-3bab6c31827a
Kubernetes Low Resource Management Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node. Documentation
CronJob Deadline Not Configured
192fe40b-b1c3-448a-aba2-6cc19a300fe3
Kubernetes Low Resource Management Cronjobs must have a configured deadline, which means the attribute 'startingDeadlineSeconds' must be defined Documentation
Secrets As Environment Variables
3d658f8b-d988-41a0-a841-40043121de1e
Kubernetes Low Secret Management Container should not use secrets as environment variables Documentation
Invalid Image
583053b7-e632-46f0-b989-f81ff8045385
Kubernetes Low Supply-Chain Image must be defined and not be empty or equal to latest. Documentation