Terraform
Terraform Queries List¶
This page contains all queries from Terraform.
| Query | Severity | Category | Description | Help |
|---|---|---|---|---|
| VM With Full Cloud Access bc280331-27b9-4acb-a010-018e8098aa5d |
High | Access Control | A VM instance is configured to use the default service account with full access to all Cloud APIs | Documentation |
| BigQuery Dataset Is Public e576ce44-dd03-4022-a8c0-3906acca2ab4 |
High | Access Control | BigQuery dataset is anonymously or publicly accessible | Documentation |
| OSLogin Disabled 32ecd6eb-0711-421f-9627-1a28d9eff217 |
High | Access Control | Verifies that the OSLogin is enabled | Documentation |
| Cloud Storage Bucket Is Publicly Accessible c010082c-76e0-4b91-91d9-6e8439e455dd |
High | Access Control | Cloud Storage Bucket is anonymously or publicly accessible | Documentation |
| SQL DB Instance Is Publicly Accessible b187edca-b81e-4fdc-aff4-aab57db45edb |
High | Access Control | Check if any Cloud SQL instances are publicly accessible. | Documentation |
| S3 Bucket Allows Put Action From All Principals d24c0755-c028-44b1-b503-8e719c898832 |
High | Access Control | S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals. | Documentation |
| EFS With Vulnerable Policy fae52418-bb8b-4ac2-b287-0b9082d6a3fd |
High | Access Control | EFS (Elastic File System) policy should avoid wildcard in 'Action' and 'Principal'. | Documentation |
| S3 Bucket ACL Allows Read Or Write to All Users 38c5ee0d-7f22-4260-ab72-5073048df100 |
High | Access Control | S3 bucket with public READ/WRITE access | Documentation |
| S3 Bucket Access to Any Principal 7af43613-6bb9-4a0e-8c4d-1314b799425e |
High | Access Control | S3 Buckets must not allow Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when there are All Principals | Documentation |
| S3 Bucket Allows WriteACP Action From All Principals 64a222aa-7793-4e40-915f-4b302c76e4d4 |
High | Access Control | S3 Buckets must not allow Write_ACP Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Write_ACP, for all Principals. | Documentation |
| S3 Bucket Allows Delete Action From All Principals ffdf4b37-7703-4dfe-a682-9d2e99bc6c09 |
High | Access Control | S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals. | Documentation |
| S3 Bucket Allows Get Action From All Principals 1df37f4b-7197-45ce-83f8-9994d2fcf885 |
High | Access Control | S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals. | Documentation |
| S3 Bucket Allows List Action From All Principals 66c6f96f-2d9e-417e-a998-9058aeeecd44 |
High | Access Control | S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals. | Documentation |
| IAM Role With Full Privileges b1ffa705-19a3-4b73-b9d0-0c97d0663842 |
High | Access Control | IAM role policy that allow full administrative privileges (for all resources) | Documentation |
| S3 Bucket With All Permissions a4966c4f-9141-48b8-a564-ffe9959945bc |
High | Access Control | S3 Buckets must not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion | Documentation |
| S3 Bucket ACL Allows Read to Any Authenticated User 57b9893d-33b1-4419-bcea-a717ea87e139 |
High | Access Control | Misconfigured S3 buckets can leak private information to the entire internet or allow unauthorized data tampering / deletion | Documentation |
| S3 Bucket Allows Public Policy 1a4bc881-9f69-4d44-8c9a-d37d08f54c50 |
High | Access Control | S3 bucket allows public policy | Documentation |
| ECS Service Admin Role is Present 3206240f-2e87-4e58-8d24-3e19e7c83d7c |
High | Access Control | ECS Services must not have Admin roles, which means the attribute 'iam_role' must not be an admin role | Documentation |
| SQS Queue Exposed abb06e5f-ef9a-4a99-98c6-376d396bfcdf |
High | Access Control | Checks if the SQS Queue is exposed | Documentation |
| IAM Policies With Full Privileges 2f37c4a3-58b9-4afe-8a87-d7f1d2286f84 |
High | Access Control | IAM policies that allow full administrative privileges (for all resources) | Documentation |
| Public Storage Account 17f75827-0684-48f4-8747-61129c7e4198 |
High | Access Control | Check if 'network_rules' is open to public. | Documentation |
| Admin User Enabled For Container Registry b897dfbf-322c-45a8-b67c-1e698beeaa51 |
High | Access Control | Admin user is enabled for Container Registry | Documentation |
| Role Assignment Of Guest Users 2bc626a8-0751-446f-975d-8139214fc790 |
High | Access Control | There is a role assignment for guest user | Documentation |
| Storage Container Is Publicly Accessible dd5230f8-a577-4bbb-b7ac-f2c2fe7d5299 |
High | Access Control | Anonymous, public read access to a container and its blobs are enabled in Azure Blob Storage | Documentation |
| SQL DB Instance Backup Disabled cf3c7631-cd1e-42f3-8801-a561214a6e79 |
High | Backup | Checks if backup configuration is enabled for all Cloud SQL Database instances | Documentation |
| Geo Redundancy Is Disabled 8b042c30-e441-453f-b162-7696982ebc58 |
High | Backup | Make sure that on PostgreSQL Geo Redundant Backups is enabled | Documentation |
| DNSSEC Using RSASHA1 ccc3100c-0fdd-4a5e-9908-c10107291860 |
High | Encryption | Checks if, within the 'dnssec_config' block, the 'default_key_specs' block exists with the 'algorithm' field is 'rsasha1' which is bad. | Documentation |
| SQL DB Instance With SSL Disabled 02474449-71aa-40a1-87ae-e14497747b00 |
High | Encryption | Cloud SQL Database Instance with SSL disabled for incoming connections | Documentation |
| High KMS Rotation Period 352271ca-842f-408a-8b24-f6f2b76eb027 |
High | Encryption | Check that keys aren't the same for a period greater than 365 days. | Documentation |
| EBS Default Encryption Disabled 3d3f6270-546b-443c-adb4-bb6fb2187ca6 |
High | Encryption | EBS Encryption should be enabled | Documentation |
| CA certificate Identifier is outdated 9f40c07e-699e-4410-8856-3ba0f2e3a2dd |
High | Encryption | The CA certificate Identifier must be 'rds-ca-2019'. | Documentation |
| User Data Shell Script Is Encoded 9cf718ce-46f9-430e-89ec-c456f8b469ee |
High | Encryption | Base64 Shell Script must be encoded | Documentation |
| Viewer Protocol Policy Allows HTTP 55af1353-2f62-4fa0-a8e1-a210ca2708f5 |
High | Encryption | Checks if the connection between the CloudFront and the origin server is encrypted | Documentation |
| MSK Cluster Encryption Disabled 6db52fa6-d4da-4608-908a-89f0c59e743e |
High | Encryption | Ensure MSK Cluster encryption in rest and transit is enabled | Documentation |
| Redis Not Compliant 254c932d-e3bf-44b2-bc9d-eb5fdb09f8d4 |
High | Encryption | Check if the redis version is compliant with the necessary AWS PCI DSS requirements | Documentation |
| ELB Using Insecure Protocols 126c1788-23c2-4a10-906c-ef179f4f96ec |
High | Encryption | ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of insecure protocols. | Documentation |
| S3 Bucket Object Not Encrypted 5fb49a69-8d46-4495-a2f8-9c8c622b2b6e |
High | Encryption | S3 Bucket Object should have server-side encryption enabled | Documentation |
| S3 Bucket Without Server-side-encryption 6726dcc0-5ff5-459d-b473-a780bef7665c |
High | Encryption | S3 bucket should have encryption defined | Documentation |
| S3 Bucket SSE Disabled ad03cb46-f174-4674-bf8e-2880a7000edd |
High | Encryption | If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required | Documentation |
| DOCDB Cluster Not Encrypted bc1f9009-84a0-490f-ae09-3e0ea6d74ad6 |
High | Encryption | AWS DOCDB Cluster storage should be encrypted | Documentation |
| Automatic Minor Upgrades Disabled 3b6d777b-76e3-4133-80a3-0d6f667ade7f |
High | Encryption | RDS Instance Auto Minor Version Upgrade feature in Aws Db Instance must be true | Documentation |
| ECS Task Definition Volume Not Encrypted 4d46ff3b-7160-41d1-a310-71d6d370b08f |
High | Encryption | AWS ECS Task Definition EFS data in transit between AWS ECS host and AWS EFS server should be encrypted | Documentation |
| User Data Contains Encoded Private Key 443488f5-c734-460b-a36d-5b3f330174dc |
High | Encryption | User Data Base64 contains an encoded RSA Private Key | Documentation |
| Memcached Disabled 4bd15dd9-8d5e-4008-8532-27eb0c3706d3 |
High | Encryption | Check if the Memcached is disabled on the ElastiCache | Documentation |
| DOCDB Cluster Without KMS 4766d3ea-241c-4ee6-93ff-c380c996bd1a |
High | Encryption | AWS DOCDB Cluster should be encrypted with a KMS encryption key | Documentation |
| Secure Ciphers Disabled 5c0003fb-9aa0-42c1-9da3-eb0e332bef21 |
High | Encryption | Check if secure ciphers aren't used in CloudFront | Documentation |
| Athena Workgroup Not Encrypted d364984a-a222-4b5f-a8b0-e23ab19ebff3 |
High | Encryption | Athena Workgroup query results should be encrypted, for all queries that run in the workgroup | Documentation |
| Redshift Not Encrypted cfdcabb0-fc06-427c-865b-c59f13e898ce |
High | Encryption | Check if 'encrypted' field is false or undefined (default is false) | Documentation |
| Athena Database Not Encrypted b2315cae-b110-4426-81e0-80bb8640cdd3 |
High | Encryption | AWS Athena Database data in S3 should be encrypted | Documentation |
| CloudWatch Log Group Not Encrypted 0afbcfe9-d341-4b92-a64c-7e6de0543879 |
High | Encryption | AWS CloudWatch Log groups should be encrypted using KMS | Documentation |
| DB Instance Storage Not Encrypted 08bd0760-8752-44e1-9779-7bb369b2b4e4 |
High | Encryption | The parameter storage_encrypted in aws_db_instance must be set to 'true' (the default is 'false'). | Documentation |
| AMI Not Encrypted 8bbb242f-6e38-4127-86d4-d8f0b2687ae2 |
High | Encryption | AWS AMI Encryption is not enabled | Documentation |
| EFS Not Encrypted 48207659-729f-4b5c-9402-f884257d794f |
High | Encryption | Elastic File System (EFS) must be encrypted | Documentation |
| DAX Cluster Not Encrypted f11aec39-858f-4b6f-b946-0a1bf46c0c87 |
High | Encryption | AWS DAX Cluster should have server-side encryption at rest | Documentation |
| CodeBuild Project Encrypted With AWS Managed Key 3deec14b-03d2-4d27-9670-7d79322e3340 |
High | Encryption | CodeBuild Project should be encrypted with customer-managed KMS keys instead of AWS managed keys | Documentation |
| Sagemaker Notebook Instance Without KMS f3674e0c-f6be-43fa-b71c-bf346d1aed99 |
High | Encryption | AWS SageMaker should encrypt model artifacts at rest using Amazon S3 server-side encryption with an AWS KMS | Documentation |
| RDS Storage Not Encrypted 3199c26c-7871-4cb3-99c2-10a59244ce7f |
High | Encryption | Check if RDS Cluster Storage isn't encrypted. Happens when 'storage_encrypted' is not set to 'true' | Documentation |
| Launch Configuration Is Not Encrypted 4de9de27-254e-424f-bd70-4c1e95790838 |
High | Encryption | Data stored in the Launch configuration EBS is not securely encrypted | Documentation |
| IAM Database Auth Not Enabled 88fd05e0-ac0e-43d2-ba6d-fc0ba60ae1a6 |
High | Encryption | IAM Database Auth Enabled must be configured to true | Documentation |
| Workspaces Workspace Volume Not Encrypted b9033580-6886-401a-8631-5f19f5bb24c7 |
High | Encryption | AWS Workspaces Workspace data stored in volumes should be encrypted | Documentation |
| ELB Using Weak Ciphers 4a800e14-c94a-442d-9067-5a2e9f6c0a4c |
High | Encryption | ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of weak ciphers. | Documentation |
| Kinesis Not Encrypted With KMS 862fe4bf-3eec-4767-a517-40f378886b88 |
High | Encryption | AWS Kinesis Streams and metadata should be protected with KMS | Documentation |
| EFS Without KMS 25d251f3-f348-4f95-845c-1090e41a615c |
High | Encryption | Elastic File System (EFS) must have KMS Key ID | Documentation |
| API Gateway Method Settings Cache Not Encrypted b7c9a40c-23e4-4a2d-8d39-a3352f10f288 |
High | Encryption | API Gateway Method Settings Cache should be encrypted | Documentation |
| ECS Task Definition Container With Plaintext Password d40210ea-64b9-4cce-a4fb-e8604f3c062c |
High | Encryption | It's not recommended to use plaintext environment variables for sensitive information, such as credential data. | Documentation |
| EBS Volume Snapshot Not Encrypted e6b4b943-6883-47a9-9739-7ada9568f8ca |
High | Encryption | The value on AWS EBS Volume Snapshot Encryptation must be true | Documentation |
| Kinesis SSE Not Configured 5c6dd5e7-1fe0-4cae-8f81-4c122717cef3 |
High | Encryption | AWS Kinesis Server data at rest should have Server Side Encryption (SSE) enabled | Documentation |
| SSL Enforce Disabled 0437633b-daa6-4bbc-8526-c0d2443b946e |
High | Encryption | Make sure that for PosgreSQL, the 'Enforce SSL connection' is set to 'ENABLED' | Documentation |
| Storage Account Not Forcing HTTPS 12944ec4-1fa0-47be-8b17-42a034f937c2 |
High | Encryption | See that Storage Accounts forces the use of HTTPS | Documentation |
| MySQL SSL Connection Disabled 73e42469-3a86-4f39-ad78-098f325b4e9f |
High | Encryption | Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled | Documentation |
| Not Proper Email Account In Use 9356962e-4a4f-4d06-ac59-dc8008775eaa |
High | Insecure Configurations | Gmail accounts are being used instead of corporate credentials | Documentation |
| COS Node Image Not Used 8a893e46-e267-485a-8690-51f39951de58 |
High | Insecure Configurations | A node image, that is not Container-Optimized OS (COS), is used for Kubernetes Engine Clusters Node image | Documentation |
| IP Aliasing Disabled c606ba1d-d736-43eb-ac24-e16108f3a9e0 |
High | Insecure Configurations | Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribut 'ip_allocation_policy' must be defined and, if defined, the attribute 'networking_mode' must be VPC_NATIVE | Documentation |
| Cluster Labels Disabled 65c1bc7a-4835-4ac4-a2b6-13d310b0648d |
High | Insecure Configurations | Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined | Documentation |
| GKE Legacy Authorization Enabled 5baa92d2-d8ee-4c75-88a4-52d9d8bb8067 |
High | Insecure Configurations | Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'enable_legacy_abac' must not be true | Documentation |
| Network Policy Disabled 11e7550e-c4b6-472e-adff-c698f157cdd7 |
High | Insecure Configurations | Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false | Documentation |
| Client Certificate Disabled 73fb21a1-b19a-45b1-b648-b47b1678681e |
High | Insecure Configurations | Kubernetes Clusters must be created with Client Certificate enabled, which means 'master_auth' must have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to true | Documentation |
| Private Cluster Disabled 6ccb85d7-0420-4907-9380-50313f80946b |
High | Insecure Configurations | Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_nodes' and 'enable_private_endpoint' must be true | Documentation |
| Cluster Master Authentication Disabled 1baba08e-3c8a-4be7-95eb-dced5833de21 |
High | Insecure Configurations | Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'master_auth' must have the subattributes 'username' and 'password' defined and not empty | Documentation |
| Pod Security Policy Disabled 9192e0f9-eca5-4056-9282-ae2a736a4088 |
High | Insecure Configurations | Kubernetes Clusters must have Pod Security Policy controller enabled, which means there must be a 'pod_security_policy_config' with the 'enabled' attribute equal to true | Documentation |
| GKE Basic Authentication Enabled 70cdf849-b7d9-4569-b87d-5d82ffd44719 |
High | Insecure Configurations | GCP - Google Kubernetes Engine (GKE) Basic Authentication must be disabled, which means the username and password provided in the master_auth block must be empty | Documentation |
| No Password Policy Enabled b592ffd4-0577-44b6-bd35-8c5ee81b5918 |
High | Insecure Configurations | IAM password policies should be set through the password minimum length and reset password attributes | Documentation |
| Root Account Has Active Access Keys 970d224d-b42a-416b-81f9-8f4dfe70c4bc |
High | Insecure Configurations | The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive. | Documentation |
| S3 Static Website Host Enabled 42bb6b7f-6d54-4428-b707-666f669d94fb |
High | Insecure Configurations | Checks if any static websties are hosted on buckets | Documentation |
| CloudFront Without Minimum Protocol TLS 1.2 00e5e55e-c2ff-46b3-a757-a7a1cd802456 |
High | Insecure Configurations | CloudFront Minimum Protocol version should be at least TLS 1.2 | Documentation |
| Batch Job Definition With Privileged Container Properties 66cd88ac-9ddf-424a-b77e-e55e17630bee |
High | Insecure Configurations | Batch Job Definition should not have Privileged Container Properties | Documentation |
| DB Instance Publicly Accessible 35113e6f-2c6b-414d-beec-7a9482d3b2d1 |
High | Insecure Configurations | The field 'publicly_accessible' should not be set to 'true' (default is 'false'). | Documentation |
| API Gateway Without Security Policy 4e1cc5d3-2811-4fb2-861c-ee9b3cb7f90b |
High | Insecure Configurations | API Gateway should have a Security Policy defined and use TLS 1.2. | Documentation |
| S3 Bucket Without Enabled MFA Delete c5b31ab9-0f26-4a49-b8aa-4cc064392f4d |
High | Insecure Configurations | S3 bucket without enabled MFA Delete | Documentation |
| S3 Bucket Without Restriction Of Public Bucket 1ec253ab-c220-4d63-b2de-5b40e0af9293 |
High | Insecure Configurations | S3 bucket without restriction of public bucket | Documentation |
| IAM User Policy Without MFA b5681959-6c09-4f55-b42b-c40fa12d03ec |
High | Insecure Configurations | Check if the root user is authenticated with MFA | Documentation |
| SQS With SSE Disabled 6e8849c1-3aa7-40e3-9063-b85ee300f29f |
High | Insecure Configurations | Amazon Simple Queue Service (SQS) queue is not protecting the contents of their messages using Server-Side Encryption (SSE) | Documentation |
| Authentication Without MFA 3ddfa124-6407-4845-a501-179f90c65097 |
High | Insecure Configurations | Users should authenticate with MFA (Multi-factor Authentication) | Documentation |
| KMS Key With Vulnerable Policy 7ebc9038-0bde-479a-acc4-6ed7b6758899 |
High | Insecure Configurations | Checks if the policy is vulnerable and needs updating. | Documentation |
| Redshift Publicly Accessible af173fde-95ea-4584-b904-bb3923ac4bda |
High | Insecure Configurations | Check if 'publicly_accessible' field is true or undefined (default is true) | Documentation |
| ECS Task Definition Network Mode Not Recommended 9f4a9409-9c60-4671-be96-9716dbf63db1 |
High | Insecure Configurations | Network_Mode should be 'awsvpc' in ecs_task_defenition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations | Documentation |
| DB Security Group Has Public IP f0d8781f-99bf-4958-9917-d39283b168a0 |
High | Insecure Configurations | The CIDR IP must not be Public | Documentation |
| Azure Container Registry With No Locks a187ac47-8163-42ce-8a63-c115236be6fb |
High | Insecure Configurations | Azurerm Container Registry Must Contain Associated Locks | Documentation |
| Trusted Microsoft Services Not Enabled 5400f379-a347-4bdd-a032-446465fdcc6f |
High | Insecure Configurations | Trusted MIcrosoft Services are not enabled for Storage Account access | Documentation |
| AD Admin Not Configured For SQL Server a3a055d2-9a2e-4cc9-b9fb-12850a1a3a4b |
High | Insecure Configurations | The Active Directory Administrator is not configured for a SQL server | Documentation |
| VM Not Attached To Network bbf6b3df-4b65-4f87-82cc-da9f30f8c033 |
High | Insecure Configurations | No Network Security Group is attached to the Virtual Machine | Documentation |
| Redis Not Updated Regularly b947809d-dd2f-4de9-b724-04d101c515aa |
High | Insecure Configurations | Redis Cache is not configured to be updated regularly with security and operational updates | Documentation |
| Web App Accepting Traffic Other Than HTTPS 11e9a948-c6c3-4a0f-8dcf-b5cf1763cdbe |
High | Insecure Configurations | Web app should only accept HTTPS traffic in Azure Web App Service. | Documentation |
| Network Watcher Flow Disabled b90842e5-6779-44d4-9760-972f4c03ba1c |
High | Insecure Configurations | Check if enable field in the resource azurerm_network_watcher_flow_log is false. | Documentation |
| Shared Host Network Namespace ac1564a3-c324-4747-9fa1-9dfc234dace0 |
High | Insecure Configurations | Container should not share the host network namespace | Documentation |
| Not Limited Capabilities For Pod Security Policy 2acb555f-f4ad-4b1b-b984-84e6588f4b05 |
High | Insecure Configurations | Limit capabilities for a Pod Security Policy | Documentation |
| Container Is Privileged 87065ef8-de9b-40d8-9753-f4a4303e27a4 |
High | Insecure Configurations | Do not allow container to be privileged. | Documentation |
| PSP Allows Containers To Share The Host Network Namespace 4950837c-0ce5-4e42-9bee-a25eae73740b |
High | Insecure Configurations | Check if Pod Security Policies allow containers to share the host network namespace. | Documentation |
| Cluster Allows Unsafe Sysctls a9174d31-d526-4ad9-ace4-ce7ddbf52e03 |
High | Insecure Configurations | A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means the 'spec.security_context.sysctl' must not have an unsafe sysctls and that the attribute 'allowed_unsafe_sysctls' must be undefined. | Documentation |
| Host Aliases Undefined Or Empty 5d05ea11-ae3e-470e-9864-97e55fb2b2e0 |
High | Insecure Configurations | A Kubernetes Pod should have Host Aliases defined as to prevent the container from modifying the file after a pod's containers have already been started. This means the attribute 'spec.host_aliases' must be defined and not empty or null. | Documentation |
| Tiller (Helm v2) Is Deployed ca2fba76-c1a7-4afd-be67-5249f861cb0e |
High | Insecure Configurations | Check if Tiller is deployed. | Documentation |
| Shared Host IPC Namespace e94d3121-c2d1-4e34-a295-139bfeb73ea3 |
High | Insecure Configurations | Container should not share the host IPC namespace | Documentation |
| NET_RAW Capabilities Not Being Dropped e5587d53-a673-4a6b-b3f2-ba07ec274def |
High | Insecure Configurations | Containers should drop 'NET_RAW' or 'ALL' capabilities | Documentation |
| Privilege Escalation Allowed c878abb4-cca5-4724-92b9-289be68bd47c |
High | Insecure Configurations | Admission of privileged containers should be minimized | Documentation |
| Vulnerable Default SSL Certificate 3a1e94df-6847-4c0e-a3b6-6c6af4e128ef |
High | Insecure Defaults | CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one. | Documentation |
| Role Binding To Default Service Account 3360c01e-c8c0-4812-96a2-a6329b9b7f9f |
High | Insecure Defaults | No role nor cluster role should bind to a default service account | Documentation |
| Sensitive Port Is Exposed To Entire Network 381c3f2a-ef6f-4eff-99f7-b169cda3422c |
High | Networking and Firewall | A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol | Documentation |
| EKS Cluster Has Public Access CIDRs 61cf9883-1752-4768-b18c-0d57f2737709 |
High | Networking and Firewall | Amazon EKS public endpoint is enables and accessible to all: 0.0.0.0/0" | Documentation |
| HTTP Port Open ffac8a12-322e-42c1-b9b9-81ff85c39ef7 |
High | Networking and Firewall | The HTTP port is open in a Security Group | Documentation |
| EC2 Instance Has Public IP 5a2486aa-facf-477d-a5c1-b010789459ce |
High | Networking and Firewall | EC2 Instance should not have a public IP address. | Documentation |
| Security Group With Unrestricted Access To SSH 65905cec-d691-4320-b320-2000436cb696 |
High | Networking and Firewall | SSH' (TCP:22) should not be public in AWS Security Group | Documentation |
| Unrestricted Security Group Ingress 4728cd65-a20c-49da-8b31-9c08b423e4db |
High | Networking and Firewall | Security groups allow ingress from 0.0.0.0:0 | Documentation |
| DB Security Group With Public Scope 1e0ef61b-ad85-4518-a3d3-85eaad164885 |
High | Networking and Firewall | The IP address in a DB Security Group must not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). | Documentation |
| Remote Desktop Port Open 151187cb-0efc-481c-babd-ad24e3c9bc22 |
High | Networking and Firewall | The Remote Desktop port is open in a Security Group | Documentation |
| ALB Listening on HTTP de7f5e83-da88-4046-871f-ea18504b1d43 |
High | Networking and Firewall | AWS Application Load Balancer (alb) should not listen on HTTP | Documentation |
| Unknown Port Exposed To Internet 590d878b-abdc-428f-895a-e2b68a0e1998 |
High | Networking and Firewall | AWS Security Group should not have an unknown port exposed to the entire Internet | Documentation |
| Default Security Groups With Unrestricted Traffic 46883ce1-dc3e-4b17-9195-c6a601624c73 |
High | Networking and Firewall | Check if default security group does not restrict all inbound and outbound traffic. | Documentation |
| Route53 Record Undefined 25db74bf-fa3b-44da-934e-8c3e005c0453 |
High | Networking and Firewall | Check if Record is set | Documentation |
| DB Security Group Open To Large Scope 4f615f3e-fb9c-4fad-8b70-2e9f781806ce |
High | Networking and Firewall | The IP address in a DB Security Group must not have more than 256 hosts. | Documentation |
| Sensitive Port Is Exposed To Entire Network 594c198b-4d79-41b8-9b36-fde13348b619 |
High | Networking and Firewall | A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol | Documentation |
| CosmosDB Account IP Range Filter Not Set c2a3efb6-8a58-481c-82f2-bfddf34bb4b7 |
High | Networking and Firewall | The Ip Range Must Contain Ips | Documentation |
| RDP Is Exposed To The Internet efbf6449-5ec5-4cfe-8f15-acc51e0d787c |
High | Networking and Firewall | Port 3389 (Remote Desktop) is exposed to the internet | Documentation |
| SSH Is Exposed To The Internet 3e3c175e-aadf-4e2b-a464-3fdac5748d24 |
High | Networking and Firewall | Port 22 (SSH) is exposed to the internet | Documentation |
| SQLServer Ingress From Any IP 25c0ea09-f1c5-4380-b055-3b83863f2bb8 |
High | Networking and Firewall | Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255. | Documentation |
| Redis Entirely Accessible fd8da341-6760-4450-b26c-9f6d8850575e |
High | Networking and Firewall | Firewall rule allowing unrestricted access to Redis from the Internet | Documentation |
| Redis Publicly Accessible 5089d055-53ff-421b-9482-a5267bdce629 |
High | Networking and Firewall | Firewall rule allowing unrestricted access to Redis from other Azure sources | Documentation |
| IAM Audit Not Properly Configured 89fe890f-b480-460c-8b6b-7d8b1468adb4 |
High | Observability | Audit Logging Configuration is defective | Documentation |
| Cloud Storage Bucket Logging Not Enabled d6cabc3a-d57e-48c2-b341-bf3dd4f4a120 |
High | Observability | Cloud storage bucket with logging not enabled | Documentation |
| Stackdriver Monitoring Disabled 30e8dfd2-3591-4d19-8d11-79e93106c93d |
High | Observability | Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must be defined and different than 'none' | Documentation |
| Object Versioning Not Enabled e7e961ac-d17e-4413-84bc-8a1fbe242944 |
High | Observability | Object Versioning Not Enabled on Cloud Storage Bucket | Documentation |
| Stackdriver Logging Disabled 4c7ebcb2-eae2-461e-bc83-456ee2d4f694 |
High | Observability | Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must be defined and different from 'none' | Documentation |
| CMK Rotation Disabled 22fbfeac-7b5a-421a-8a27-7a2178bb910b |
High | Observability | Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled. | Documentation |
| CloudTrail Logging Disabled 4bb76f17-3d63-4529-bdca-2b454529d774 |
High | Observability | Checks if logging is enabled for CloudTrail. | Documentation |
| CloudTrail Log Files Not Encrypted 5d9e3164-9265-470c-9a10-57ae454ac0c7 |
High | Observability | Logs delivered by CloudTrail should be encrypted using KMS | Documentation |
| Configuration Aggregator to All Regions Disabled ac5a0bc0-a54c-45aa-90c3-15f7703b9132 |
High | Observability | AWS Config Configuration Aggregator All Regions must be set to True | Documentation |
| KMS Key With No Deletion Window 0b530315-0ea4-497f-b34c-4ff86268f59d |
High | Observability | AWS KMS Key should have a valid deletion window | Documentation |
| Vault Auditing Disabled 38c71c00-c177-4cd7-8d36-cd1007cdb190 |
High | Observability | Ensure that logging for Azure KeyVault is 'Enabled' | Documentation |
| Node Auto Upgrade Disabled b139213e-7d24-49c2-8025-c18faa21ecaa |
High | Resource Management | Node 'auto_upgrade' should be enabled for Kubernetes Clusters | Documentation |
| SQL Database Audit Disabled 83a229ba-483e-47c6-8db7-dc96969bce5a |
High | Resource Management | Ensure that 'Threat Detection' is enabled for Azure SQL Database | Documentation |
| Secret Expiration Not Set dfa20ffa-f476-428f-a490-424b41e91c7f |
High | Secret Management | Make sure that for all secrets the expiration date is set | Documentation |
| Key Expiration Not Set 4d080822-5ee2-49a4-8984-68f3d4c890fc |
High | Secret Management | Make sure that for all keys the expiration date is set | Documentation |
| Cloud Storage Anonymous or Publicly Accessible a6cd52a1-3056-4910-96a5-894de9f3f3b3 |
Medium | Access Control | Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'members' must not possess 'allUsers' or 'allAuthenticatedUsers' | Documentation |
| Google Project IAM Member Service Account has Token Creator or Account User Role c68b4e6d-4e01-4ca1-b256-1e18e875785c |
Medium | Access Control | Verifies if Google Poject IAM Member Service Account doesn't have a Account User or Token Creator associated | Documentation |
| Google Project IAM Binding Service Account has Token Creator or Account User Role 617ef6ff-711e-4bd7-94ae-e965911b1b40 |
Medium | Access Control | Verifies if Google Project IAM Binding Service Account doesn't have an Account User or Token Creator Role associated | Documentation |
| Google Project IAM Member Service Account Has Admin Role 84d36481-fd63-48cb-838e-635c44806ec2 |
Medium | Access Control | Verifies that Google Project IAM Member Service Account doesn't have an Admin Role associated | Documentation |
| SNS Topic Publicity Has Allow and NotAction Simultaneously 5ea624e4-c8b1-4bb3-87a4-4235a776adcc |
Medium | Access Control | SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'. | Documentation |
| CloudWatch Logs Destination With Vulnerable Policy db0ec4c4-852c-46a2-b4f3-7ec13cdb12a8 |
Medium | Access Control | CloudWatch Logs destination policy should avoid wildcard in 'principals' and 'actions' | Documentation |
| Elasticsearch Domain With Vulnerable Policy 16c4216a-50d3-4785-bfb2-4adb5144a8ba |
Medium | Access Control | Elasticsearch Domain policy should avoid wildcard in 'Action' and 'Principal'. | Documentation |
| REST API With Vulnerable Policy b161c11b-a59b-4431-9a29-4e19f63e6b27 |
Medium | Access Control | REST API policy should avoid wildcard in 'Action' and 'Principal' | Documentation |
| ECR Repository Is Publicly Accessible e86e26fc-489e-44f0-9bcd-97305e4ba69a |
Medium | Access Control | Amazon ECR image repositories shouldn't have public access | Documentation |
| SQS Policy With Public Access 730675f9-52ed-49b6-8ead-0acb5dd7df7f |
Medium | Access Control | SQS policy with public access | Documentation |
| Glue With Vulnerable Policy d25edb51-07fb-4a73-97d4-41cecdc53a22 |
Medium | Access Control | Glue policy should avoid wildcard in 'principals' and 'actions' | Documentation |
| SNS Topic is Publicly Accessible For Subscription b26d2b7e-60f6-413d-a3a1-a57db24aa2b3 |
Medium | Access Control | This query checks if SNS Topic is Accessible For Subscription | Documentation |
| IAM Access Key Is Exposed 7081f85c-b94d-40fd-8b45-a4f1cac75e46 |
Medium | Access Control | Check if IAM Access Key is active for some user besides 'root' | Documentation |
| SQS Policy Allows All Actions 816ea8cf-d589-442d-a917-2dd0ce0e45e3 |
Medium | Access Control | SQS policy allows ALL (*) actions | Documentation |
| S3 Bucket Allows Public ACL d0cc8694-fcad-43ff-ac86-32331d7e867f |
Medium | Access Control | S3 bucket allows public ACL | Documentation |
| API Gateway Method Does Not Contains An API Key 671211c5-5d2a-4e97-8867-30fc28b02216 |
Medium | Access Control | An API Key should be required on a method request. | Documentation |
| IAM User With Access To Console 9ec311bf-dfd9-421f-8498-0b063c8bc552 |
Medium | Access Control | AWS IAM Users should not have access to console | Documentation |
| IAM Role Policy passRole Allows All e39bee8c-fe54-4a3f-824d-e5e2d1cca40a |
Medium | Access Control | Using the iam:passrole action with wildcards (*) in the resource can be overly permissive because it allows iam:passrole permissions on multiple resources | Documentation |
| Lambda With Vulnerable Policy ad9dabc7-7839-4bae-a957-aa9120013f39 |
Medium | Access Control | The attribute 'action' should not have wildcard | Documentation |
| IAM Policy Grants Full Permissions 575a2155-6af1-4026-b1af-d5bc8fe2a904 |
Medium | Access Control | IAM policies allow all ('*') in a statement action | Documentation |
| AMI Shared With Multiple Accounts ba4e0031-3e9d-4d7d-b0d6-bd8f003f8698 |
Medium | Access Control | Limits access to AWS AMIs by checking if more than one account is using the same image | Documentation |
| Lambda Permission Principal Is Wildcard e08ed7eb-f3ef-494d-9d22-2e3db756a347 |
Medium | Access Control | Lambda Permission Principal should not contain a wildcard. | Documentation |
| Secrets Manager With Vulnerable Policy fa00ce45-386d-4718-8392-fb485e1f3c5b |
Medium | Access Control | Secrets Manager policy should avoid wildcard in 'Principal' and 'Action' | Documentation |
| Policy Without Principal bbe3dd3d-fea9-4b68-a785-cfabe2bbbc54 |
Medium | Access Control | All policies, except IAM identity-based policies, should have the 'Principal' element defined | Documentation |
| Public and Private EC2 Share Role c53c7a89-f9d7-4c7b-8b66-8a555be99593 |
Medium | Access Control | Public and private EC2 istances should not share the same role. | Documentation |
| AKS RBAC Disabled 86f92117-eed8-4614-9c6c-b26da20ff37f |
Medium | Access Control | Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled | Documentation |
| RBAC Roles with Read Secrets Permissions 826abb30-3cd5-4e0b-a93b-67729b4f7e63 |
Medium | Access Control | Minimize access to secrets (RBAC) | Documentation |
| Non Kube System Pod With Host Mount 86a947ea-f577-4efb-a8b0-5fc00257d521 |
Medium | Access Control | A non kube-system workload should not have hostPath mounted | Documentation |
| ElastiCache Nodes Not Created Across Multi AZ 6db03a91-f933-4f13-ab38-a8b87a7de54d |
Medium | Availability | Check if ElastiCache nodes are not being created across multi AZ | Documentation |
| ECS Service Without Running Tasks 91f16d09-689e-4926-aca7-155157f634ed |
Medium | Availability | ECS Service should have at least 1 task running | Documentation |
| Auto Scaling Group With No Associated ELB 8e94dced-9bcc-4203-8eb7-7e41202b2505 |
Medium | Availability | AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty. | Documentation |
| CMK Is Unusable 7350fa23-dcf7-4938-916d-6a60b0c73b50 |
Medium | Availability | AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true | Documentation |
| Liveness Probe Is Not Defined 5b6d53dd-3ba3-4269-b4d7-f82e880e43c3 |
Medium | Availability | Liveness Probe must be defined | Documentation |
| Readiness Probe Is Not Configured 8657197e-3f87-4694-892b-8144701d83c1 |
Medium | Availability | Check if Readiness Probe is not configured. | Documentation |
| RDS With Backup Disabled 1dc73fb4-5b51-430c-8c5f-25dcf9090b02 |
Medium | Backup | RDS configured without backup | Documentation |
| Stack Retention Disabled 6e0e2f68-3fd9-4cd8-a5e4-e2213ef0df97 |
Medium | Backup | Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction | Documentation |
| ElastiCache Redis Cluster Without Backup 8fdb08a0-a868-4fdf-9c27-ccab0237f1ab |
Medium | Backup | ElastiCache Redis cluster should have 'snapshot_retention_limit' higher than 0 | Documentation |
| ALB Not Dropping Invalid Headers 6e3fd2ed-5c83-4c68-9679-7700d224d379 |
Medium | Best Practices | It's considered a best practice when using Application Load Balancers to drop invalid header fields | Documentation |
| IAM Password Without Symbol 7a70eed6-de3a-4da2-94da-a2bbc8fe2a48 |
Medium | Best Practices | Check if IAM account password has the required symbols | Documentation |
| IAM Password Without Minimum Length 1bc1c685-e593-450e-88fb-19db4c82aa1d |
Medium | Best Practices | Check if IAM account password has the required minimum length | Documentation |
| RDS Cluster With Backup Disabled e542bd46-58c4-4e0f-a52a-1fb4f9548e02 |
Medium | Best Practices | RDS Cluster backup retention period should be specifically defined | Documentation |
| Password Without Reuse Prevention 89806cdc-9c2e-4bd1-a0dc-53f339bcfb2a |
Medium | Best Practices | Check if IAM account password has the reuse password configured with 24 | Documentation |
| Misconfigured Password Policy Expiration ce60d060-efb8-4bfd-9cf7-ff8945d00d90 |
Medium | Best Practices | No password expiration policy | Documentation |
| Cognito UserPool Without MFA ec28bf61-a474-4dbe-b414-6dd3a067d6f0 |
Medium | Best Practices | AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users | Documentation |
| SQL Server Predictable Admin Account Name 2ab6de9a-0136-415c-be92-79d2e4fd750f |
Medium | Best Practices | Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'administrator_login' must be set to a name that is not easy to predict | Documentation |
| SQL Server Predictable Active Directory Account Name bcd3fc01-5902-4f2a-b05a-227f9bbf5450 |
Medium | Best Practices | Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'login' must be set to a name that is not easy to predict | Documentation |
| Unrestricted SQL Server Access d7ba74da-2da0-4d4b-83c8-2fd72a3f6c28 |
Medium | Best Practices | Azure SQL Server Accessibility must be set to a minimal address range, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' must be lesser than 256. Additionally, both ips must be different from '0.0.0.0' | Documentation |
| Root Containers Admitted 4c415497-7410-4559-90e8-f2c8ac64ee38 |
Medium | Best Practices | Containers must not be allowed to run with root privileges, which means the attributes 'privileged' and 'allow_privilege_escalation' must be set to false, 'run_as_user.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden | Documentation |
| Stack Without Template 91bea7b8-0c31-4863-adc9-93f6177266c4 |
Medium | Build Process | AWS CloudFormation should have a template defined through the attribute template_url or attribute template_body | Documentation |
| Cosmos DB Account Without Tags 56dad03e-e94f-4dd6-93a4-c253a03ff7a0 |
Medium | Build Process | Cosmos DB Account must have a mapping of tags. | Documentation |
| Incorrect Volume Claim Access Mode ReadWriteOnce 26b047a9-0329-48fd-8fb7-05bbe5ba80ee |
Medium | Build Process | Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce' | Documentation |
| VM CSEK Encryption Disabled b1d51728-7270-4991-ac2f-fc26e2695b38 |
Medium | Encryption | VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK), which means the attribute 'disk_encryption_key' must be defined and its sub attribute 'sha256' must also be defined and not empty | Documentation |
| High Google KMS Crypto Key Rotation Period d8c57c4e-bf6f-4e32-a2bf-8643532de77b |
Medium | Encryption | Make sure Encryption keys change after 90 days | Documentation |
| Google Compute SSL Policy Weak Cipher In Use 14a457f0-473d-4d1d-9e37-6d99b355b336 |
Medium | Encryption | This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers | Documentation |
| AmazonMQ Broker Encryption Disabled 3db3f534-e3a3-487f-88c7-0a9fbf64b702 |
Medium | Encryption | AmazonMQ Broker should have Encryption Options defined | Documentation |
| Secretsmanager Secret Without KMS a2f548f2-188c-4fff-b172-e9a6acb216bd |
Medium | Encryption | AWS Secretmanager should use AWS KMS customer master key (CMK) to encrypt the secret values in the versions stored in the secret | Documentation |
| Elasticsearch Domain Not Encrypted Node To Node 967eb3e6-26fc-497d-8895-6428beb6e8e2 |
Medium | Encryption | Elasticsearch Domain encryption should be enabled node to node | Documentation |
| API Gateway Without Content Encoding ed35928e-195c-4405-a252-98ccb664ab7b |
Medium | Encryption | Enable Content Encoding through the attribute 'minimum_compression_size'. This value should be greater than -1 and smaller than 10485760 | Documentation |
| DOCDB Cluster Encrypted With AWS Managed Key 2134641d-30a4-4b16-8ffc-2cd4c4ffd15d |
Medium | Encryption | DOCDB Cluster should be encrypted with customer-managed KMS keys instead of AWS managed keys | Documentation |
| ElasticSearch Not Encrypted At Rest 24e16922-4330-4e9d-be8a-caa90299466a |
Medium | Encryption | Check if ElasticSearch encryption is disabled at Rest | Documentation |
| SNS Topic Encrypted With AWS Managed Key b1a72f66-2236-4f3b-87ba-0da1b366956f |
Medium | Encryption | SNS (Simple Notification Service) Topic should be encrypted with customer-managed KMS keys instead of AWS managed keys | Documentation |
| ECR Repository Not Encrypted 0e32d561-4b5a-4664-a6e3-a3fa85649157 |
Medium | Encryption | ECR (Elastic Container Registry) Repository encryption should be set | Documentation |
| Neptune Database Cluster Encryption Disabled 98d59056-f745-4ef5-8613-32bca8d40b7e |
Medium | Encryption | Check if Neptune Cluster Storage is securely encrypted | Documentation |
| DynamoDB Table Not Encrypted ce089fd4-1406-47bd-8aad-c259772bb294 |
Medium | Encryption | AWS DynamoDB Tables should have server-side encryption | Documentation |
| Config Rule For Encrypted Volumes Disabled abdb29d4-5ca1-4e91-800b-b3569bbd788c |
Medium | Encryption | Check if AWS config rules do not identify Encrypted Volumes as a source. | Documentation |
| Secretsmanager Secret Encrypted With AWS Managed Key b0d3ef3f-845d-4b1b-83d6-63a5a380375f |
Medium | Encryption | Secrets Manager secret should be encrypted with customer-managed KMS keys instead of AWS managed keys | Documentation |
| ElastiCache Replication Group Not Encrypted At Transit 1afbb3fa-cf6c-4a3d-b730-95e9f4df343e |
Medium | Encryption | ElastiCache Replication Group encryption should be enabled at Transit | Documentation |
| Unscanned ECR Image 9630336b-3fed-4096-8173-b9afdfe346a7 |
Medium | Encryption | Checks if the ECR Image has been scanned | Documentation |
| ElastiCache Replication Group Not Encrypted At Rest 76976de7-c7b1-4f64-a94f-90c1345914c2 |
Medium | Encryption | ElastiCache Replication Group encryption should be enabled at Rest | Documentation |
| ElasticSearch Encryption With KMS Disabled 7af2f4a3-00d9-47f3-8d15-ca0888f4e5b2 |
Medium | Encryption | Check if any ElasticSearch domain isn't encrypted with KMS | Documentation |
| EBS Volume Encryption Disabled cc997676-481b-4e93-aa81-d19f8c5e9b12 |
Medium | Encryption | The value on AWS EBS Volume Cluster Encryption must be true | Documentation |
| Storage Account Not Using Latest TLS Encryption Version 8263f146-5e03-43e0-9cfe-db960d56d1e7 |
Medium | Encryption | Ensure Storage Account is using the latest version of TLS encryption | Documentation |
| Redis Cache Allows Non SSL Connections e29a75e6-aba3-4896-b42d-b87818c16b58 |
Medium | Encryption | Check if any Redis Cache resource allows non-SSL connections. | Documentation |
| Encryption On Managed Disk Disabled a99130ab-4c0e-43aa-97f8-78d4fcb30024 |
Medium | Encryption | Ensure that the encryption is active on the disk | Documentation |
| Github Organization Webhook With SSL Disabled ce7c874e-1b88-450b-a5e4-cb76ada3c8a9 |
Medium | Encryption | Check if insecure SSL is being used in the GitHub organization webhooks | Documentation |
| Project-wide SSH Keys Are Enabled In VM Instances 3e4d5ce6-3280-4027-8010-c26eeea1ec01 |
Medium | Insecure Configurations | Check if SSH keys are enabled project-wide in VM instances | Documentation |
| Using Default Service Account 3cb4af0b-056d-4fb1-8b95-fdc4593625ff |
Medium | Insecure Configurations | Instances must not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account' and its sub attribute 'email' must be defined. Additionally, 'email' must not be empty and must also not be a default Google Compute Engine service account. | Documentation |
| Google Storage Bucket Level Access Enabled bb0db090-5509-4853-a827-75ced0b3caa0 |
Medium | Insecure Configurations | Validates if the Google Storage Bucket Level Access is Enabled | Documentation |
| Serial Ports Are Enabled For VM Instances 97fa667a-d05b-4f16-9071-58b939f34751 |
Medium | Insecure Configurations | Check if VM instance enables serial ports | Documentation |
| Google Project Auto Create Network Disabled 59571246-3f62-4965-a96f-c7d97e269351 |
Medium | Insecure Configurations | Verifies if the Google Project Auto Create Network is Disabled | Documentation |
| Shielded VM Disabled 1b44e234-3d73-41a8-9954-0b154135280e |
Medium | Insecure Configurations | Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true | Documentation |
| Cloud DNS without DNSSEC 5ef61c88-bbb4-4725-b1df-55d23c9676bb |
Medium | Insecure Configurations | Cloud DNS without DNSSEC | Documentation |
| OSLogin Is Disabled For VM Instance d0b4d550-c001-46c3-bbdb-d5d75d33f05f |
Medium | Insecure Configurations | Check if any VM instance disables OSLogin | Documentation |
| Google Container Node Pool Auto Repair Disabled acfdbec6-4a17-471f-b412-169d77553332 |
Medium | Insecure Configurations | Verifies if Google Container Node Pool Auto Repair is Enabled | Documentation |
| Instance With No VPC a31a5a29-718a-4ff4-8001-a69e5e4d029e |
Medium | Insecure Configurations | Instance should be configured in VPC (Virtual Private Cloud) | Documentation |
| Lambda Function Without Tags 875b86b1-7fd4-4728-9a18-de63d87ad82f |
Medium | Insecure Configurations | AWS Lambda Functions must have associated tags. | Documentation |
| ECR Image Tag Not Immutable d1846b12-20c5-4d45-8798-fc35b79268eb |
Medium | Insecure Configurations | ECR should have an image tag be immutable | Documentation |
| API Gateway Without SSL Certificate 0b4869fc-a842-4597-aa00-1294df425440 |
Medium | Insecure Configurations | SSL Client Certificate should be enabled in aws_api_gateway_stage resource | Documentation |
| Redshift Cluster Without VPC 0a494a6a-ebe2-48a0-9d77-cf9d5125e1b3 |
Medium | Insecure Configurations | Redshift Cluster should be configured in VPC (Virtual Private Cloud) | Documentation |
| Service Control Policies Disabled 5ba6229c-8057-433e-91d0-21cf13569ca9 |
Medium | Insecure Configurations | Check if the Amazon Organizations' policies ensure that all features are enabled to achieve full control over the use of AWS services and actions across multiple AWS accounts using Service Control Policies (SCPs). | Documentation |
| EKS Cluster Has Public Access 42f4b905-3736-4213-bfe9-c0660518cda8 |
Medium | Insecure Configurations | Amazon EKS public endpoint shoud be set to false | Documentation |
| AWS Password Policy With Unchangeable Passwords 9ef7d25d-9764-4224-9968-fa321c56ef76 |
Medium | Insecure Configurations | Unchangeable passwords in AWS password policy | Documentation |
| Public Lambda via API Gateway 3ef8696c-e4ae-4872-92c7-520bb44dfe77 |
Medium | Insecure Configurations | Allowing to run lambda function using public API Gateway | Documentation |
| IAM Password Without Uppercase Letter c5ff7bc9-d8ea-46dd-81cb-8286f3222249 |
Medium | Insecure Configurations | Check if IAM account password has at least one uppercase letter | Documentation |
| IAM Password Without Lowercase Letter bbc7c137-6c7b-4fc4-984a-0c88e91fcaf9 |
Medium | Insecure Configurations | Check if IAM account password has at least one lowercase letter | Documentation |
| MQ Broker Is Publicly Accessible 4eb5f791-c861-4afd-9f94-f2a6a3fe49cb |
Medium | Insecure Configurations | Check if any MQ Broker is not publicly accessible | Documentation |
| Certificate RSA Key Bytes Lower Than 256 874d68a3-bfbe-4a4b-aaa0-9e74d7da634b |
Medium | Insecure Configurations | The certificate should use a RSA key with a length equal to or higher than 256 bytes | Documentation |
| API Gateway With Open Access 15ccec05-5476-4890-ad19-53991eba1db8 |
Medium | Insecure Configurations | API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method. | Documentation |
| Security Group is Not Configured 5c822443-e1ea-46b8-84eb-758ec602e844 |
Medium | Insecure Configurations | Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty | Documentation |
| AKS Network Policy Misconfigured f5342045-b935-402d-adf1-8dbbd09c0eef |
Medium | Insecure Configurations | Check if the Azure Kubernetes Service doesn't have the proper network policy configuration. | Documentation |
| Security Center Pricing Tier Is Not Standard 819d50fd-1cdf-45c3-9936-be408aaad93e |
Medium | Insecure Configurations | Make sure that the 'Standard' pricing tiers were selected. | Documentation |
| Small Flow Logs Retention Period 7750fcca-dd03-4d38-b663-4b70289bcfd4 |
Medium | Insecure Configurations | Flow logs enable capturing information about IP traffic flowing in and out of the network security groups. Network Security Group Flow Logs must be enabled with retention period greater than or equal to 90 days. This is important, because these logs are used to check for anomalies and give information of suspected breaches | Documentation |
| PSP Allows Sharing Host IPC 51bed0ac-a8ae-407a-895e-90c6cb0610ce |
Medium | Insecure Configurations | Pod Security Policy allows containers to share the host IPC namespace | Documentation |
| PSP Set To Privileged a6a4d4fc-4e8f-47d1-969f-e9d4a084f3b9 |
Medium | Insecure Configurations | Do not allow pod to request execution as privileged | Documentation |
| Workload Mounting With Sensitive OS Directory a737be28-37d8-4bff-aa6d-1be8aa0a0015 |
Medium | Insecure Configurations | Workload is mounting a volume with sensitive OS Directory | Documentation |
| Default Service Account In Use 737a0dd9-0aaa-4145-8118-f01778262b8a |
Medium | Insecure Configurations | Default service accounts should not be actively used | Documentation |
| Container Resources Limits Undefined 60af03ff-a421-45c8-b214-6741035476fa |
Medium | Insecure Configurations | Kubernetes container should have resource limitations defined such as CPU and memory | Documentation |
| Seccomp Profile Is Not Configured 455f2e0c-686d-4fcb-8b5f-3f953f12c43c |
Medium | Insecure Configurations | Check if any resource does not configure Seccomp default profile properly | Documentation |
| Container Host Pid Is True 587d5d82-70cf-449b-9817-f60f9bccb88c |
Medium | Insecure Configurations | Minimize the admission of containers wishing to share the host process ID namespace | Documentation |
| Containers With Sys Admin Capabilities 3f55386d-75cd-4e9a-ac47-167b26c04724 |
Medium | Insecure Configurations | Containers should not have CAP_SYS_ADMIN Linux capability | Documentation |
| Containers With Added Capabilities fe771ff7-ba15-4f8f-ad7a-8aa232b49a28 |
Medium | Insecure Configurations | Kubernetes Pod should not have extra capabilities allowed | Documentation |
| PSP Allows Privilege Escalation 2bff9906-4e9b-4f71-9346-8ebedfdf43ef |
Medium | Insecure Configurations | PodSecurityPolicy should not allow privilege escalation | Documentation |
| NET_RAW Capabilities Disabled for PSP 9aa32890-ac1a-45ee-81ca-5164e2098556 |
Medium | Insecure Configurations | Containers need to have NET_RAW or All as drop capabilities | Documentation |
| PSP With Added Capabilities 48388bd2-7201-4dcc-b56d-e8a9efa58fad |
Medium | Insecure Configurations | PodSecurityPolicy should not have added capabilities | Documentation |
| Ingress Controller Exposes Workload e2c83c1f-84d7-4467-966c-ed41fd015bb9 |
Medium | Insecure Configurations | Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks | Documentation |
| Using Default Namespace abcb818b-5af7-4d72-aba9-6dd84956b451 |
Medium | Insecure Configurations | The default namespace should not be used | Documentation |
| Container Runs Unmasked 0ad60203-c050-4115-83b6-b94bde92541d |
Medium | Insecure Configurations | Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime. | Documentation |
| GitHub Repository Set To Public 15d8a7fd-465a-4d15-a868-add86552f17b |
Medium | Insecure Configurations | Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private') | Documentation |
| Default Network Access is Allowed 9be09caf-2ba4-4fa9-9787-a670dc32c639 |
Medium | Insecure Defaults | Default Network Access rule for Storage Accounts must be set to deny, which means the attribute 'default_action' must be 'Deny' | Documentation |
| Service Account Name Undefined Or Empty 24b132df-5cc7-4823-8029-f898e1c50b72 |
Medium | Insecure Defaults | A Kubernetes Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'service_account_name' should be defined and not empty. | Documentation |
| Service Account Token Automount Not Disabled a9a13d4f-f17a-491b-b074-f54bffffcb4a |
Medium | Insecure Defaults | Service Account Tokens are automatically mounted even if not necessary | Documentation |
| IP Forwarding Enabled f34c0c25-47b4-41eb-9c79-249b4dd47b89 |
Medium | Networking and Firewall | Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true | Documentation |
| SSH Access Is Not Restricted c4dcdcdf-10dd-4bf4-b4a0-8f6239e6aaa0 |
Medium | Networking and Firewall | Check if Google Firewall allows SSH access (port 22) from the Internet (public CIDR block) | Documentation |
| RDP Access Is Not Restricted 678fd659-96f2-454a-a2a0-c2571f83a4a3 |
Medium | Networking and Firewall | Check if Google Firewall ingress allows RDP access (port 3389) | Documentation |
| ALB Is Not Integrated With WAF 0afa6ab8-a047-48cf-be07-93a2f8c34cf7 |
Medium | Networking and Firewall | All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service | Documentation |
| API Gateway Endpoint Config is Not Private 6b2739db-9c49-4db7-b980-7816e0c248c1 |
Medium | Networking and Firewall | The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet | Documentation |
| SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible 54c417bf-c762-48b9-9d31-b3d87047e3f0 |
Medium | Networking and Firewall | Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it. | Documentation |
| Dynamodb VPC Endpoint Without Route Table Association 0bc534c5-13d1-4353-a7fe-b8665d5c1d7d |
Medium | Networking and Firewall | Dynamodb VPC Endpoint should be associated with Route Table Association | Documentation |
| Sensitive Port Is Exposed To Small Public Network e35c16a2-d54e-419d-8546-a804d8e024d0 |
Medium | Networking and Firewall | A sensitive port, such as port 23 or port 110, is open for a small public network in either TCP or UDP protocol | Documentation |
| SQS VPC Endpoint Without DNS Resolution e9b7acf9-9ba0-4837-a744-31e7df1e434d |
Medium | Networking and Firewall | SQS VPC Endpoint should have DNS resolution enabled | Documentation |
| Sensitive Port Is Exposed To Wide Private Network 92fe237e-074c-4262-81a4-2077acb928c1 |
Medium | Networking and Firewall | A sensitive port, such as port 23 or port 110, is open for a wide private network in either TCP or UDP protocol | Documentation |
| Sensitive Port Is Exposed To Small Public Network e9dee01f-2505-4df2-b9bf-7804d1fd9082 |
Medium | Networking and Firewall | A sensitive port, such as port 23 or port 110, is open for small public network in either TCP or UDP protocol | Documentation |
| Firewall Rule Allows Too Many Hosts To Access Redis Cache a829b715-cf75-4e92-b645-54c9b739edfb |
Medium | Networking and Firewall | Check if any firewall rule allows too many hosts to access Redis Cache | Documentation |
| WAF Is Disabled For Azure Application Gateway 2e48d91c-50e4-45c8-9312-27b625868a72 |
Medium | Networking and Firewall | Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway. | Documentation |
| Sensitive Port Is Exposed To Wide Private Network c6c7b33d-d7f6-4ab8-8c82-ca0431ecdb7e |
Medium | Networking and Firewall | A sensitive port, such as port 23 or port 110, is open for wide private network in either TCP or UDP protocol | Documentation |
| Service With External Load Balance 2a52567c-abb8-4651-a038-52fa27c77aed |
Medium | Networking and Firewall | Service has an external load balancer, which may cause accessibility from other networks and the Internet | Documentation |
| Network Policy Is Not Targeting Any Pod b80b14c6-aaa2-4876-b651-8a48b6c32fbf |
Medium | Networking and Firewall | Check if any network policy is not targeting any pod. | Documentation |
| Google Compute Subnetwork Logging Disabled 40430747-442d-450a-a34f-dc57149f4609 |
Medium | Observability | This query checks if logs are enabled for a Google Compute Subnetwork resource. | Documentation |
| CloudTrail SNS Topic Name Undefined 482b7d26-0bdb-4b5f-bf6f-545826c0a3dd |
Medium | Observability | Check if SNS topic name is set for CloudTrail | Documentation |
| CloudWatch Without Retention Period Specified ef0b316a-211e-42f1-888e-64efe172b755 |
Medium | Observability | AWS CloudWatch Log groups should have retention days specified | Documentation |
| CloudTrail Not Integrated With CloudWatch 17b30f8f-8dfb-4597-adf6-57600b6cf25e |
Medium | Observability | CloudTrail should be integrated with CloudWatch | Documentation |
| MSK Cluster Logging Disabled 2f56b7ab-7fba-4e93-82f0-247e5ddeb239 |
Medium | Observability | Ensure MSK Cluster Logging is enabled | Documentation |
| API Gateway X-Ray Disabled 5813ef56-fa94-406a-b35d-977d4a56ff2b |
Medium | Observability | X-ray Tracing is not enabled | Documentation |
| Redshift Cluster Logging Disabled 15ffbacc-fa42-4f6f-a57d-2feac7365caa |
Medium | Observability | Make sure Logging is enabled for Redshift Cluster | Documentation |
| Stack Notifications Disabled b72d0026-f649-4c91-a9ea-15d8f681ac09 |
Medium | Observability | Enable AWS CloudFormation Stack Notifications | Documentation |
| S3 Bucket Without Versioning 568a4d22-3517-44a6-a7ad-6a7eed88722c |
Medium | Observability | S3 bucket without versioning | Documentation |
| Cloudfront Logging Disabled 94690d79-b3b0-43de-b656-84ebef5753e5 |
Medium | Observability | AWS Cloudfront distributions must be have logging enabled, which means the attribute 'logging_config' must be defined | Documentation |
| Default VPC Exists 96ed3526-0179-4c73-b1b2-372fde2e0d13 |
Medium | Observability | It isn't recommended to use resources in default VPC | Documentation |
| CloudWatch Logging Disabled 7dbba512-e244-42dc-98bb-422339827967 |
Medium | Observability | Check if CloudWatch logging is disabled for Route53 hosted zones | Documentation |
| API Gateway With CloudWatch Logging Disabled 982aa526-6970-4c59-8b9b-2ce7e019fe36 |
Medium | Observability | AWS CloudWatch Logs for APIs is not enabled | Documentation |
| GuardDuty Detector Disabled 704dadd3-54fc-48ac-b6a0-02f170011473 |
Medium | Observability | Make sure that Amazon GuardDuty is Enabled | Documentation |
| CloudTrail Multi Region Disabled 8173d5eb-96b5-4aa6-a71b-ecfa153c123d |
Medium | Observability | Check if MultiRegion is Enabled | Documentation |
| MQ Broker Logging Disabled 31245f98-a6a9-4182-9fc1-45482b9d030a |
Medium | Observability | Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general). | Documentation |
| Api Gateway Access Logging Disabled 1b6799eb-4a7a-4b04-9001-8cceb9999326 |
Medium | Observability | RDS does not have any kind of logger | Documentation |
| CloudWatch Metrics Disabled 081069cb-588b-4ce1-884c-2a1ce3029fe5 |
Medium | Observability | Checks if CloudWatch Metrics is Enabled | Documentation |
| API Gateway Deployment Without Access Log Setting 625abc0e-f980-4ac9-a775-f7519ee34296 |
Medium | Observability | API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage. | Documentation |
| Elasticsearch Log is disabled acb6b4e2-a086-4f35-aefd-4db6ea51ada2 |
Medium | Observability | AWS Elasticsearch should have logs enabled | Documentation |
| Elasticsearch Without Slow Logs e979fcbc-df6c-422d-9458-c33d65e71c45 |
Medium | Observability | Ensure that AWS Elasticsearch enables support for slow logs | Documentation |
| VPC FlowLogs Disabled f83121ea-03da-434f-9277-9cd247ab3047 |
Medium | Observability | VPC hasn't got any FlowLog associated | Documentation |
| Small MSSQL Audit Retention Period 9c301481-e6ec-44f7-8a49-8ec63e2969ea |
Medium | Observability | Make sure that for MSSQL Server, the Auditing Retention is greater than 90 days | Documentation |
| PostgreSQL Log Connections Not Set c640d783-10c5-4071-b6c1-23507300d333 |
Medium | Observability | Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON' | Documentation |
| PostgreSQL Server Without Connection Throttling 2b3c671f-1b76-4741-8789-ed1fe0785dc4 |
Medium | Observability | Ensure that Connection Throttling is set for the PostgreSQL server | Documentation |
| Email Alerts Disabled 9db38e87-f6aa-4b5e-a1ec-7266df259409 |
Medium | Observability | Make sure that alerts notifications are set to 'On' in the Azure Security Center Contact | Documentation |
| Small Activity Log Retention Period 2b856bf9-8e8c-4005-875f-303a8cba3918 |
Medium | Observability | Ensure that Activity Log Retention is set 365 days or greater | Documentation |
| Small MSSQL Server Audit Retention 59acb56b-2b10-4c2c-ba38-f2223c3f5cfc |
Medium | Observability | Make sure for SQL Servers that Auditing Retention is greater than 90 days | Documentation |
| PostgreSQL Log Disconnections Not Set 07f7134f-9f37-476e-8664-670c218e4702 |
Medium | Observability | Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON' | Documentation |
| SQL Server Auditing Disabled f7e296b0-6660-4bc5-8f87-22ac4a815edf |
Medium | Observability | Make sure that for SQL Servers, 'Auditing' is set to 'On' | Documentation |
| Log Retention Is Not Set ffb02aca-0d12-475e-b77c-a726f7aeff4b |
Medium | Observability | Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON' | Documentation |
| MSSQL Server Auditing Disabled 609839ae-bd81-4375-9910-5bce72ae7b92 |
Medium | Observability | Make sure that for MSSQL Servers, that 'Auditing' is set to 'On' | Documentation |
| PostgreSQL Log Checkpoints Disabled 3790d386-be81-4dcf-9850-eaa7df6c10d9 |
Medium | Observability | Make sure that for Postgre SQL Database Server, parameter 'log_checkpoints' is set to 'ON' | Documentation |
| Small PostgreSQL DB Server Log Retention Period 261a83f8-dd72-4e8c-b5e1-ebf06e8fe606 |
Medium | Observability | Check if PostgreSQL Database Server retains logs for less than 3 Days | Documentation |
| PostgreSQL Log Duration Not Set 16e0879a-c4ae-4ff8-a67d-a2eed5d67b8f |
Medium | Observability | Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON' | Documentation |
| No Stack Policy 2f01fb2d-828a-499d-b98e-b83747305052 |
Medium | Resource Management | AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions | Documentation |
| CPU Limits Not Set 5f4735ce-b9ba-4d95-a089-a37a767b716f |
Medium | Resource Management | CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests | Documentation |
| CPU Requests Not Set 577ac19c-6a77-46d7-9f14-e049cdd15ec2 |
Medium | Resource Management | CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node | Documentation |
| Memory Limits Not Defined fd097ed0-7fe6-4f58-8b71-fef9f0820a21 |
Medium | Resource Management | Memory limits should be specified | Documentation |
| Volume Mount With OS Directory Write Permissions a62a99d1-8196-432f-8f80-3c100b05d62a |
Medium | Resource Management | Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries. | Documentation |
| Memory Requests Not Defined 21719347-d02b-497d-bda4-04a03c8e5b61 |
Medium | Resource Management | Memory requests should be specified | Documentation |
| Hardcoded AWS Access Key In Lambda 1402afd8-a95c-4e84-8b0b-6fb43758e6ce |
Medium | Secret Management | Lambda hardcoded AWS access/secret keys | Documentation |
| Shared Service Account f74b9c43-161a-4799-bc95-0b0ec81801b9 |
Medium | Secret Management | A Service Account token is shared between workloads | Documentation |
| Service Account Allows Access Secrets 07fc3413-e572-42f7-9877-5c8fc6fccfb5 |
Medium | Secret Management | Kubernetes_role and Kubernetes_cluster_role when binded, should not use get, list or watch as verbs | Documentation |
| IAM Policy Grants 'AssumeRole' Permission Across All Services bcdcbdc6-a350-4855-ae7c-d1e6436f7c97 |
Low | Access Control | IAM role allows All services or principals to assume it | Documentation |
| IAM Role Allows All Principals To Assume 12b7e704-37f0-4d1e-911a-44bf60c48c21 |
Low | Access Control | IAM role allows all services or principals to assume it | Documentation |
| S3 Bucket Public ACL Overridden By Public Access Block bf878b1a-7418-4de3-b13c-3a86cf894920 |
Low | Access Control | S3 bucket public access is overridden by S3 bucket Public Access Block when the following attributes are set to true - 'block_public_acls', 'block_public_policy', 'ignore_public_acls', and 'restrict_public_buckets' | Documentation |
| Missing App Armor Config bd6bd46c-57db-4887-956d-d372f21291b6 |
Low | Access Control | Containers should be configured with AppArmor for any application to reduce its potential attack | Documentation |
| Cluster Admin Rolebinding With Superuser Permissions 17172bc2-56fb-4f17-916f-a014147706cd |
Low | Access Control | Ensure that the cluster-admin role is only used where required (RBAC) | Documentation |
| Permissive Access to Create Pods 522d4a64-4dc9-44bd-9240-7d8a0d5cb5ba |
Low | Access Control | The permission to create pods in a cluster should be restricted because it allows privilege escalation. | Documentation |
| Docker Daemon Socket is Exposed to Containers 4e203a65-c8d8-49a2-b749-b124d43c9dc1 |
Low | Access Control | Sees if Docker Daemon Socket is not exposed to Containers | Documentation |
| HPA Targets Invalid Object 17e52ca3-ddd0-4610-9d56-ce107442e110 |
Low | Availability | The Horizontal Pod Autoscale must target a valid object | Documentation |
| StatefulSet Without Service Name 420e6360-47bb-46f6-9072-b20ed22c842d |
Low | Availability | Check if the StatefulSet have a headless 'serviceName' | Documentation |
| Deployment Without PodDisruptionBudget a05331ee-1653-45cb-91e6-13637a76e4f0 |
Low | Availability | Deployments should be assigned with a PodDisruptionBudget to ensure high availability | Documentation |
| StatefulSet Without PodDisruptionBudget 7249e3b0-9231-4af3-bc5f-5daf4988ecbf |
Low | Availability | StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability | Documentation |
| ECR Repository Without Policy 69e7c320-b65d-41bb-be02-d63ecc0bcc9d |
Low | Best Practices | ECR Repository should have Policies attached to it | Documentation |
| Lambda Permission Misconfigured 75ec6890-83af-4bf1-9f16-e83726df0bd0 |
Low | Best Practices | Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction' | Documentation |
| CDN Configuration Is Missing 1bc367f6-901d-4870-ad0c-71d79762ef52 |
Low | Best Practices | Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination. | Documentation |
| IAM Policies Attached To User b4378389-a9aa-44ee-91e7-ef183f11079e |
Low | Best Practices | IAM policies should be attached only to groups or roles | Documentation |
| Metadata Label Is Invalid bc3dabb6-fd50-40f8-b9ba-7429c9f1fb0e |
Low | Best Practices | Check if any label in the metadata is invalid. | Documentation |
| No Drop Capabilities for Containers 21cef75f-289f-470e-8038-c7cee0664164 |
Low | Best Practices | Sees if Kubernetes Drop Capabilities exists to ensure containers security context | Documentation |
| Root Container Not Mounted As Read-only d532566b-8d9d-4f3b-80bd-361fe802f9c2 |
Low | Build Process | Check if the root container filesystem is not being mounted as read-only. | Documentation |
| StatefulSet Requests Storage fcc2612a-1dfe-46e4-8ce6-0320959f0040 |
Low | Build Process | A StatefulSet requests volume storage. | Documentation |
| S3 Bucket With Ignore Public ACL 4fa66806-0dd9-4f8d-9480-3174d39c7c91 |
Low | Insecure Configurations | S3 bucket with ignore public ACL | Documentation |
| Open Access To Resources Through API 108aa260-6dab-4a75-ae3f-de917d634840 |
Low | Insecure Configurations | Open access to back-end resources through API | Documentation |
| Dashboard Is Enabled 61c3cb8b-0715-47e4-b788-86dde40dd2db |
Low | Insecure Configurations | Check if the Kubernetes Dashboard is enabled. | Documentation |
| Image Without Digest 228c4c19-feeb-4c18-848c-800ac70fdfb7 |
Low | Insecure Configurations | Sees if Kubernetes image has digest on | Documentation |
| Pod or Container Without Security Context ad69e38a-d92e-4357-a8da-f2f29d545883 |
Low | Insecure Configurations | A security context defines privilege and access control settings for a Pod or Container | Documentation |
| Image Pull Policy Of The Container Is Not Set To Always aa737abf-6b1d-4aba-95aa-5c160bd7f96e |
Low | Insecure Configurations | Image Pull Policy of the container must be defined and set to Always | Documentation |
| Cloudfront Without WAF 1419b4c6-6d5c-4534-9cf6-6a5266085333 |
Low | Networking and Firewall | All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service | Documentation |
| Service Type is NodePort 5c281bf8-d9bb-47f2-b909-3f6bb11874ad |
Low | Networking and Firewall | Service type should not be NodePort | Documentation |
| Workload Host Port Not Specified 4e74cf4f-ff65-4c1a-885c-67ab608206ce |
Low | Networking and Firewall | Verifies if Kubernetes workload's host port is specified | Documentation |
| Missing Cluster Log Types 66f130d9-b81d-4e8e-9b08-da74b9c891df |
Low | Observability | Amazon EKS control plane logging don't enabled for all log types | Documentation |
| DocDB Logging Is Disabled 56f6a008-1b14-4af4-b9b2-ab7cf7e27641 |
Low | Observability | DocDB logging should be enabled | Documentation |
| API Gateway Deployment Without API Gateway UsagePlan Associated b3a59b8e-94a3-403e-b6e2-527abaf12034 |
Low | Observability | API Gateway Deployment should have API Gateway UsagePlan defined and associated. | Documentation |
| S3 Bucket Logging Disabled f861041c-8c9f-4156-acfc-5e6e524f5884 |
Low | Observability | S3 bucket without logging | Documentation |
| ECS Cluster with Container Insights Disabled 97cb0688-369a-4d26-b1f7-86c4c91231bc |
Low | Observability | ECS Cluster should enable container insights | Documentation |
| EKS cluster logging is not enabled 37304d3f-f852-40b8-ae3f-725e87a7cedf |
Low | Observability | Amazon EKS control plane logging is not enabled | Documentation |
| Lambda Functions Without X-Ray Tracing 8152e0cf-d2f0-47ad-96d5-d003a76eabd1 |
Low | Observability | AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_Config.mode' should have the value 'Active' | Documentation |
| Global Accelerator Flow Logs Disabled 96e8183b-e985-457b-90cd-61c0503a3369 |
Low | Observability | Global Accelerator should have flow logs enabled | Documentation |
| CloudTrail Log File Validation Disabled 52ffcfa6-6c70-4ea6-8376-d828d3961669 |
Low | Observability | CloudTrail log file validation should be enabled | Documentation |
| API Gateway Stage Without API Gateway UsagePlan Associated c999cf62-0920-40f8-8dda-0caccd66ed7e |
Low | Resource Management | API Gateway Stage should have API Gateway UsagePlan defined and associated. | Documentation |
| Deployment Has No PodAntiAffinity 461ed7e4-f8d5-4bc1-b3c6-64ddb4fd00a3 |
Low | Resource Management | Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node. | Documentation |
| CronJob Deadline Not Configured 58876b44-a690-4e9f-9214-7735fa0dd15d |
Low | Resource Management | Cronjobs must have a configured deadline, which means the attribute 'starting_deadline_seconds' must be defined | Documentation |
| Hardcoded AWS Access Key d7b9d850-3e06-4a75-852f-c46c2e92240b |
Low | Secret Management | Hard-coded AWS access key / secret key exists in EC2 user data | Documentation |
| Secrets As Environment Variables 6d8f1a10-b6cd-48f0-b960-f7c535d5cdb8 |
Low | Secret Management | Container should not use secrets as environment variables | Documentation |
| Invalid Image e76cca7c-c3f9-4fc9-884c-b2831168ebd8 |
Low | Supply-Chain | Image must be defined and not be empty or equal to latest. | Documentation |
| Security Group Without Description cb3f5ed6-0d18-40de-a93d-b3538db31e8c |
Info | Best Practices | It's considered a best practice for AWS Security Group to have a description | Documentation |
| Security Group Rules Without Description 68eb4bf3-f9bf-463d-b5cf-e029bb446d2e |
Info | Best Practices | It's considered a best practice for all rules in AWS Security Group to have a description | Documentation |
| Resource Not Using Tags e38a8e0a-b88b-4902-b3fe-b0fcb17d5c10 |
Info | Best Practices | AWS services resource tags are an essential part of managing components | Documentation |
| EC2 Not EBS Optimized 60224630-175a-472a-9e23-133827040766 |
Info | Best Practices | It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance | Documentation |
| DynamoDB Table Point In Time Recovery Disabled 741f1291-47ac-4a85-a07b-3d32a9d6bd3e |
Info | Best Practices | It's considered a best practice to have point in time recovery enabled for DynamoDB Table | Documentation |
| ELB Access Logging Disabled 20018359-6fd7-4d05-ab26-d4dffccbdf79 |
Info | Observability | ELB should have logging enabled to help on error investigation | Documentation |
| RDS Without Logging 8d7f7b8c-6c7c-40f8-baa6-62006c6c7b56 |
Info | Observability | RDS does not have any kind of logger | Documentation |
| Neptune Logging Is Disabled 45cff7b6-3b80-40c1-ba7b-2cf480678bb8 |
Info | Observability | Neptune logging should be enabled | Documentation |
| EC2 Instance Monitoring Disabled 23b70e32-032e-4fa6-ba5c-82f56b9980e6 |
Info | Observability | EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods | Documentation |