Ansible

Ansible Queries List

This page contains all queries from Ansible.

### GCP

Below are the queries related to Ansible GCP:

| Query | ID | Severity | Category | Description | Help |
|---|---|---|---|---|---|
| SQL DB Instance Is Publicly Accessible | 7d7054c0-3a52-4e9b-b9ff-cbfe16a2378b | High | Access Control | Check if any Cloud SQL instances are publicly accessible. | Documentation |
| VM With Full Cloud Access | bc20bbc6-0697-4568-9a73-85af1dd97bdd | High | Access Control | A VM instance is configured to use the default service account with full access to all Cloud APIs | Documentation |
| SQL DB Instance Backup Disabled | 0c82eae2-aca0-401f-93e4-fb37a0f9e5e8 | High | Backup | Checks if backup configuration is enabled for all Cloud SQL Database instances | Documentation |
| DNSSEC Using RSASHA1 | 6cf4c3a7-ceb0-4475-8892-3745b84be24a | High | Encryption | DNSSEC should not use the RSASHA1 algorithm | Documentation |
| High KMS Rotation Period | 79f45008-60b3-4a0a-a302-8311fd3701b4 | High | Encryption | Check if any KMS rotation period surpasses 365 days. | Documentation |
| SQL DB Instance With SSL Disabled | d0f7da39-a2d5-4c78-bb85-4b7f338b3cbb | High | Encryption | Cloud SQL Database Instance with SSL disabled for incoming connections | Documentation |
| IP Aliasing Disabled | ed672a9f-fbf0-44d8-a47d-779501b0db05 | High | Insecure Configurations | Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ip_allocation_policy' must be defined and the subattribute 'use_ip_aliases' must be set to 'yes'. | Documentation |
| GKE Legacy Authorization Enabled | 300a9964-b086-41f7-9378-b6de3ba1c32b | High | Insecure Configurations | Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacy_abac.enabled' must be false. | Documentation |
| Client Certificate Disabled | 20180133-a0d0-4745-bfe0-94049fbb12a9 | High | Insecure Configurations | Kubernetes Clusters must be created with Client Certificate enabled, which means 'master_auth' must have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to true | Documentation |
| MySQL Instance With Local Infile On | a7b520bb-2509-4fb0-be05-bc38f54c7a4c | High | Insecure Configurations | MySQL Instance should not have Local Infile On | Documentation |
| Network Policy Disabled | 98e04ca0-34f5-4c74-8fec-d2e611ce2790 | High | Insecure Configurations | Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false | Documentation |
| Cloud SQL Instance With Contained Database Authentication On | 6d34aff3-fdd2-460c-8190-756a3b4969e8 | High | Insecure Configurations | SQL Instance should not have Contained Database Authentication On | Documentation |
| Cloud SQL Instance With Cross DB Ownership Chaining On | 9e0c33ed-97f3-4ed6-8be9-bcbf3f65439f | High | Insecure Configurations | GCP SQL Instance should not have Cross DB Ownership Chaining On | Documentation |
| Cluster Labels Disabled | fbe9b2d0-a2b7-47a1-a534-03775f3013f7 | High | Insecure Configurations | Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined | Documentation |
| Private Cluster Disabled | 3b30e3d6-c99b-4318-b38f-b99db74578b5 | High | Insecure Configurations | Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_endpoint' and 'enable_private_nodes' must be true. | Documentation |
| Cluster Master Authentication Disabled | 9df7f78f-ebe3-432e-ac3b-b67189c15518 | High | Insecure Configurations | Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'master_auth' must have the subattributes 'username' and 'password' defined and not empty | Documentation |
| PostgreSQL Misconfigured Logging Duration Flag | aed98a2a-e680-497a-8886-277cea0f4514 | High | Insecure Configurations | PostgreSQL database 'log_min_duration_statement' flag isn't set to '-1' | Documentation |
| GKE Basic Authentication Enabled | 344bf8ab-9308-462b-a6b2-697432e40ba1 | High | Insecure Configurations | GCP - Google Kubernetes Engine (GKE) Basic Authentication must be disabled, which means the username and password provided in the master_auth block must be empty | Documentation |
| BigQuery Dataset Is Public | 2263b286-2fe9-4747-a0ae-8b4768a2bbd2 | High | Insecure Configurations | BigQuery dataset is anonymously or publicly accessible | Documentation |
| Compute Instance Is Publicly Accessible | 829f1c60-2bab-44c6-8a21-5cd9d39a2c82 | High | Networking and Firewall | Compute instances shouldn't be accessible from the Internet. | Documentation |
| GKE Master Authorized Networks Disabled | d43366c5-80b0-45de-bbe8-2338f4ab0a83 | High | Networking and Firewall | Master authorized networks must be enabled in GKE clusters | Documentation |
| Stackdriver Logging Disabled | 19c9e2a0-fc33-4264-bba1-e3682661e8f7 | High | Observability | Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must be defined and different from 'none' | Documentation |
| Object Versioning Not Enabled | 7814ddda-e758-4a56-8be3-289a81ded929 | High | Observability | Object Versioning not fully enabled on Cloud Storage Bucket | Documentation |
| PostgreSQL Log Connections Disabled | d7a5616f-0a3f-4d43-bc2b-29d1a183e317 | High | Observability | PostgreSQL database instance should have a 'log_connections' flag with its value set to 'on' | Documentation |
| PostgreSQL Logging Of Temporary Files Disabled | d6fae5b6-ada9-46c0-8b36-3108a2a2f77b | High | Observability | PostgreSQL database 'log_temp_files' flag isn't set to '0' | Documentation |
| Cloud Storage Bucket Logging Not Enabled | 507df964-ad97-4035-ab14-94a82eabdfdd | High | Observability | Cloud storage bucket with logging not enabled | Documentation |
| Stackdriver Monitoring Disabled | 20dcd953-a8b8-4892-9026-9afa6d05a525 | High | Observability | Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must be defined and different from 'none' | Documentation |
| COS Node Image Not Used | be41f891-96b1-4b9d-b74f-b922a918c778 | High | Resource Management | A node image that is not Container-Optimized OS (COS) is used for the Kubernetes Engine Cluster node image | Documentation |
| Node Auto Upgrade Disabled | d6e10477-2e19-4bcd-b8a8-19c65b89ccdf | High | Resource Management | Node 'auto_upgrade' should be enabled for Kubernetes Clusters | Documentation |
| Google Compute SSL Policy Weak Cipher In Use | b28bcd2f-c309-490e-ab7c-35fc4023eb26 | Medium | Encryption | This query checks whether a Google Compute SSL Policy has weak cipher suites enabled; to do so it checks that the TLS version is TLS_1_2, because other versions have weak ciphers | Documentation |
| High Google KMS Crypto Key Rotation Period | f9b7086b-deb8-4034-9330-d7fd38f1b8de | Medium | Encryption | Make sure encryption keys change after 90 days | Documentation |
| Disk Encryption Disabled | 092bae86-6105-4802-99d2-99cd7e7431f3 | Medium | Encryption | VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined | Documentation |
| Cloud DNS Without DNSSEC | 80b15fb1-6207-40f4-a803-6915ae619a03 | Medium | Insecure Configurations | DNSSEC must be enabled for Cloud DNS | Documentation |
| OSLogin Is Disabled In VM Instance | 66dae697-507b-4aef-be18-eec5bd707f33 | Medium | Insecure Configurations | Check if any instance disables OSLogin. | Documentation |
| Google Container Node Pool Auto Repair Disabled | d58c6f24-3763-4269-9f5b-86b2569a003b | Medium | Insecure Configurations | Verifies if Google Container Node Pool Auto Repair is Enabled | Documentation |
| Cloud Storage Anonymous or Publicly Accessible | 086031e1-9d4a-4249-acb3-5bfe4c363db2 | Medium | Insecure Configurations | Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'entity' must not be 'allUsers' or 'allAuthenticatedUsers' | Documentation |
| Shielded VM Disabled | 18d3a83d-4414-49dc-90ea-f0387b2856cc | Medium | Insecure Configurations | Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true | Documentation |
| Using Default Service Account | 2775e169-e708-42a9-9305-b58aadd2c4dd | Medium | Insecure Defaults | Instances must not be configured to use the Default Service Account, which has full access to all Cloud APIs, which means the attribute 'service_account_email' must be defined. Additionally, it must not be empty and must also not be a default Google Compute Engine service account. | Documentation |
| Serial Ports Are Enabled For VM Instances | c6fc6f29-dc04-46b6-99ba-683c01aff350 | Medium | Networking and Firewall | Check if serial ports are enabled in Google Compute Engine VM instances | Documentation |
| IP Forwarding Enabled | 11bd3554-cd56-4257-8e25-7aaf30cf8f5f | Medium | Networking and Firewall | Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true | Documentation |
| RDP Access Is Not Restricted | 75418eb9-39ec-465f-913c-6f2b6a80dc77 | Medium | Networking and Firewall | Check if the Google compute firewall allows unrestricted RDP access. | Documentation |
| SSH Access Is Not Restricted | b2fbf1df-76dd-4d78-a6c0-e538f4a9b016 | Medium | Networking and Firewall | Check if Google Firewall allows SSH access (port 22) from the Internet (public CIDR block). | Documentation |
| PostgreSQL log_checkpoints Flag Not Set To ON | 89afe3f0-4681-4ce3-89ed-896cebd4277c | Medium | Observability | PostgreSQL database instance should have a 'log_checkpoints' flag with its value set to 'on' | Documentation |
| PostgreSQL Misconfigured Log Messages Flag | 28a757fc-3d8f-424a-90c0-4233363b2711 | Medium | Observability | PostgreSQL database 'log_min_messages' flag isn't set to a valid value | Documentation |
| Project-wide SSH Keys Are Enabled In VM Instances | 099b4411-d11e-4537-a0fc-146b19762a79 | Medium | Secret Management | Check if the VM Instance doesn't block project-wide SSH keys. | Documentation |
### AZURE
Below are the queries related to Ansible AZURE:
| Query | ID | Severity | Category | Description | Help |
|---|---|---|---|---|---|
| Trusted Microsoft Services Not Enabled | 1bc398a8-d274-47de-a4c8-6ac867b353de | High | Access Control | Ensure Trusted Microsoft Services have Storage Account access. | Documentation |
| Admin User Enabled For Container Registry | 29f35127-98e6-43af-8ec1-201b79f99604 | High | Access Control | Admin user is enabled for Container Registry | Documentation |
| Storage Container Is Publicly Accessible | 4d3817db-dd35-4de4-a80d-3867157e7f7f | High | Access Control | Anonymous, public read access to a container and its blobs is enabled in Azure Blob Storage | Documentation |
| Public Storage Account | 35e2f133-a395-40de-a79d-b260d973d1bd | High | Access Control | Check if 'network_acls' is open to the public. | Documentation |
| Storage Account Not Forcing HTTPS | 2c99a474-2a3c-4c17-8294-53ffa5ed0522 | High | Encryption | Check that Storage Accounts force the use of HTTPS | Documentation |
| MySQL SSL Connection Disabled | 2a901825-0f3b-4655-a0fe-e0470e50f8e6 | High | Encryption | Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled | Documentation |
| SSL Enforce Disabled | 961ce567-a16d-4d7d-9027-f0ec2628a555 | High | Encryption | Make sure that for PostgreSQL, 'Enforce SSL connection' is set to 'ENABLED' | Documentation |
| Web App Accepting Traffic Other Than HTTPS | eb8c2560-8bee-4248-9d0d-e80c8641dd91 | High | Insecure Configurations | Web app should only accept HTTPS traffic in Azure Web App Service. | Documentation |
| VM Not Attached To Network | 1e5f5307-3e01-438d-8da6-985307ed25ce | High | Insecure Configurations | No Network Security Group is attached to the Virtual Machine | Documentation |
| AD Admin Not Configured For SQL Server | b176e927-bbe2-44a6-a9c3-041417137e5f | High | Insecure Configurations | The Active Directory Administrator is not configured for a SQL server | Documentation |
| Azure Container Registry With No Locks | 581dae78-307d-45d5-aae4-fe2b0db267a5 | High | Insecure Configurations | Azurerm Container Registry must contain associated locks | Documentation |
| SQLServer Ingress From Any IP | f4e9ff70-0f3b-4c50-a713-26cbe7ec4039 | High | Networking and Firewall | Check if all IPs are allowed, i.e. a range from start 0.0.0.0 to end 255.255.255.255. | Documentation |
| Sensitive Port Is Exposed To Entire Network | 0ac9abbc-6d7a-41cf-af23-2e57ddb3dbfc | High | Networking and Firewall | A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol | Documentation |
| Redis Entirely Accessible | 0d0c12b9-edce-4510-9065-13f6a758750c | High | Networking and Firewall | Firewall rule allowing unrestricted access to Redis from the Internet | Documentation |
| CosmosDB Account IP Range Filter Not Set | e8c80448-31d8-4755-85fc-6dbab69c2717 | High | Networking and Firewall | The IP range filter should be defined | Documentation |
| Redis Publicly Accessible | 0632d0db-9190-450a-8bb3-c283bffea445 | High | Networking and Firewall | Firewall rule allowing unrestricted access to Redis from other Azure sources | Documentation |
| AKS RBAC Disabled | 149fa56c-4404-4f90-9e25-d34b676d5b39 | Medium | Access Control | Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled | Documentation |
| Key Vault Soft Delete Is Disabled | 881696a8-68c5-4073-85bc-7c38a3deb854 | Medium | Backup | Make sure Soft Delete is enabled for Key Vault | Documentation |
| SQL Server Predictable Active Directory Account Name | 530e8291-2f22-4bab-b7ea-306f1bc2a308 | Medium | Best Practices | Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'ad_user' must be set to a name that is not easy to predict | Documentation |
| Unrestricted SQL Server Access | 3f23c96c-f9f5-488d-9b17-605b8da5842f | Medium | Best Practices | Azure SQL Server Accessibility should be set to a minimal address range, which means the difference between the values of 'end_ip_address' and 'start_ip_address' must be less than 256. Additionally, both IPs must be different from '0.0.0.0' | Documentation |
| SQL Server Predictable Admin Account Name | 663062e9-473d-4e87-99bc-6f3684b3df40 | Medium | Best Practices | Azure SQL Server's Admin account login must avoid using predictable names like 'Admin', which means the attribute 'admin_username' must be set to a name that is not easy to predict | Documentation |
| Cosmos DB Account Without Tags | 23a4dc83-4959-4d99-8056-8e051a82bc1e | Medium | Build Process | Cosmos DB Account must have a mapping of tags. | Documentation |
| Storage Account Not Using Latest TLS Encryption Version | c62746cf-92d5-4649-9acf-7d48d086f2ee | Medium | Encryption | Ensure Storage Account is using the latest version of TLS encryption | Documentation |
| Security Group is Not Configured | da4f2739-174f-4cdd-b9ef-dc3f14b5931f | Medium | Insecure Configurations | Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty | Documentation |
| AKS Network Policy Misconfigured | 8c3bedf1-c570-4c3b-b414-d068cd39a00c | Medium | Insecure Configurations | Azure Kubernetes Service should have the proper network policy configuration | Documentation |
| Redis Cache Allows Non SSL Connections | 869e7fb4-30f0-4bdb-b360-ad548f337f2f | Medium | Insecure Configurations | Check if any Redis Cache resource allows non-SSL connections. | Documentation |
| Default Network Access is Allowed | 974e6fe7-63fd-4fa4-aa72-77b21a4a959d | Medium | Insecure Defaults | Default Network Access rule for Storage Accounts must be set to deny, which means the attribute 'default_action' must be 'Deny' | Documentation |
| WAF Is Disabled For Azure Application Gateway | 2fc5ab5a-c5eb-4ae4-b687-0f16fe77c255 | Medium | Networking and Firewall | Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway. | Documentation |
| Firewall Rule Allows Too Many Hosts To Access Redis Cache | 69f72007-502e-457b-bd2d-5012e31ac049 | Medium | Networking and Firewall | Check if any firewall rule allows too many hosts to access Redis Cache. | Documentation |
| PostgreSQL Log Checkpoints Disabled | 7ab33ac0-e4a3-418f-a673-50da4e34df21 | Medium | Observability | Make sure that for PostgreSQL Database Server, parameter 'log_checkpoints' is set to 'ON' | Documentation |
| PostgreSQL Log Disconnections Not Set | 054d07b5-941b-4c28-8eef-18989dc62323 | Medium | Observability | Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON' | Documentation |
| PostgreSQL Log Connections Not Set | 7b47138f-ec0e-47dc-8516-e7728fe3cc17 | Medium | Observability | Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON' | Documentation |
| Small Activity Log Retention Period | 37fafbea-dedb-4e0d-852e-d16ee0589326 | Medium | Observability | Ensure that Activity Log Retention is set to 365 days or greater | Documentation |
| PostgreSQL Log Duration Not Set | 729ebb15-8060-40f7-9017-cb72676a5487 | Medium | Observability | Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON' | Documentation |
| PostgreSQL Server Without Connection Throttling | a9becca7-892a-4af7-b9e1-44bf20a4cd9a | Medium | Observability | Ensure that Connection Throttling is set for the PostgreSQL server | Documentation |
| AKS Monitoring Logging Disabled | d5e83b32-56dd-4247-8c2e-074f43b38a5e | Medium | Observability | Azure Container Service (AKS) instance should have logging enabled to Azure Monitoring | Documentation |
| Monitoring Log Profile Without All Activities | 89f84a1e-75f8-47c5-83b5-bee8e2de4168 | Medium | Observability | Monitoring log profile captures all the activities (Action, Write, Delete) | Documentation |
| Log Retention Is Not Set | 0461b4fd-21ef-4687-929e-484ee4796785 | Medium | Observability | Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON' | Documentation |
### AWS
Below are the queries related to Ansible AWS:
Query Severity Category Description Help
DB Instance Publicly Accessible
c09e3ca5-f08a-4717-9c87-3919c5e6d209
High Access Control The field 'publicly_accessible' should not be set to 'true' (default is 'false'). Documentation
SQS Queue Exposed
86b0efa7-4901-4edd-a37a-c034bec6645a
High Access Control Checks if the SQS Queue is exposed Documentation
S3 Bucket Allows List Action From All Principals
d395a950-12ce-4314-a742-ac5a785ab44e
High Access Control S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. Documentation
S3 Bucket With All Permissions
6a6d7e56-c913-4549-b5c5-5221e624d2ec
High Access Control S3 Buckets must not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion Documentation
IAM Policies With Full Privileges
e401d614-8026-4f4b-9af9-75d1197461ba
High Access Control IAM policies that allow full administrative privileges (for all resources) Documentation
S3 Bucket Allows Put Action From All Principals
a0f1bfe0-741e-473f-b3b2-13e66f856fab
High Access Control S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. Documentation
S3 Bucket Allows Get Action From All Principals
53bce6a8-5492-4b1b-81cf-664385f0c4bf
High Access Control S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. Documentation
S3 Bucket ACL Allows Read to Any Authenticated User
75480b31-f349-4b9a-861f-bce19588e674
High Access Control Misconfigured S3 buckets can leak private information to the entire internet or allow unauthorized data tampering / deletion Documentation
S3 Bucket Access to Any Principal
3ab1f27d-52cc-4943-af1d-43c1939e739a
High Access Control Checks if the S3 bucket is accessible for all users Documentation
S3 Bucket ACL Allows Read to All Users
a1ef9d2e-4163-40cb-bd92-04f0d602a15d
High Access Control It's not recommended to allow read access for all user groups. Documentation
S3 Bucket Allows WriteACP Action From All Principals
7529b8d2-55d7-44d2-b1cd-d7d2984a2a81
High Access Control S3 Buckets must not allow Write_ACP Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Write_ACP, for all Principals. Documentation
S3 Bucket Allows Delete Action From All Principals
6fa44721-ef21-41c6-8665-330d59461163
High Access Control S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. Documentation
ECS Service Admin Role is Present
7db727c1-1720-468e-b80e-06697f71e09e
High Access Control ECS Services must not have Admin roles, which means the attribute 'role' must not be an admin role Documentation
EFS Not Encrypted
727c4fd4-d604-4df6-a179-7713d3c85e20
High Encryption Elastic File System (EFS) must be encrypted Documentation
IAM Database Auth Not Enabled
0ed012a4-9199-43d2-b9e4-9bd049a48aa4
High Encryption IAM Database Auth Enabled must be configured to true Documentation
AMI Not Encrypted
97707503-a22c-4cd7-b7c0-f088fa7cf830
High Encryption AWS AMI Encryption is not enabled Documentation
User Data Shell Script Is Encoded
1e2341ba-a5cf-4f0a-a5f6-47e90c68ea89
High Encryption User Data Shell Script must be encoded Documentation
ELB Using Insecure Protocols
730a5951-2760-407a-b032-dd629b55c23a
High Encryption ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of insecure protocols. Documentation
Launch Configuration Is Not Encrypted
66477506-6abb-49ed-803d-3fa174cd5f6a
High Encryption AWS Autoscaling Launch Configurations should have encryption enabled Documentation
Memcached Disabled
2d55ef88-b616-4890-b822-47f280763e89
High Encryption Check if the Memcached is disabled on the ElastiCache Documentation
Kinesis Not Encrypted With KMS
f2ea6481-1d31-4d40-946a-520dc6321dd7
High Encryption AWS Kinesis Streams and metadata should be protected with KMS Documentation
ELB Using Weak Ciphers
2034fb37-bc23-4ca0-8d95-2b9f15829ab5
High Encryption ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of weak ciphers. Documentation
EFS Without KMS
bd77554e-f138-40c5-91b2-2a09f878608e
High Encryption Elastic File System (EFS) must have KMS Key ID Documentation
CloudTrail Log Files Not Encrypted
f5587077-3f57-4370-9b4e-4eb5b1bac85b
High Encryption CloudTrail Log Files should be encrypted with Key Management Service (KMS) Documentation
Automatic Minor Upgrades Disabled
857f8808-e96a-4ba8-a9b7-f2d4ec6cad94
High Encryption RDS instance auto minor version upgrade feature must be true Documentation
S3 Bucket SSE Disabled
309edc5b-5a59-42b4-a357-d4d098311fd4
High Encryption If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required Documentation
ECS Task Definition Container With Plaintext Password
7fdc2bf3-6bc0-4cb3-84c5-cfd041c0f892
High Encryption It's not recommended to use plaintext environment variables for sensitive information, such as credential data. Documentation
Secure Ciphers Disabled
218413a0-c716-4b94-9e08-0bb70d854709
High Encryption Check if secure ciphers aren't used in CloudFront Documentation
Viewer Protocol Policy Allows HTTP
a6d27cf7-61dc-4bde-ae08-3b353b609f76
High Encryption Checks if the connection between the CloudFront and the origin server is encrypted Documentation
S3 Bucket Without Server-side-encryption
594f54e7-f744-45ab-93e4-c6dbaf6cd571
High Encryption AWS S3 Storage should be protected with SSE (Server-Side Encryption) Documentation
Redis Not Compliant
9f34885e-c08f-4d13-a7d1-cf190c5bd268
High Encryption Check if the redis version is compliant with the necessary AWS PCI DSS requirements Documentation
Redshift Not Encrypted
6a647814-def5-4b85-88f5-897c19f509cd
High Encryption Check if 'encrypted' field is false or undefined (default is false) Documentation
User Data Contains Encoded Private Key
c09f4d3e-27d2-4d46-9453-abbe9687a64e
High Encryption User Data contains an encoded RSA Private Key Documentation
DB Instance Storage Not Encrypted
7dfb316c-a6c2-454d-b8a2-97f147b0c0ff
High Encryption The parameter storage_encrypted in aws_db_instance must be set to 'true' (the default is 'false'). Documentation
CA Certificate Identifier Is Outdated
5eccd62d-8b4d-46d3-83ea-1879f3cbd3ce
High Encryption The CA certificate Identifier must be 'rds-ca-2019'. Documentation
ECS Task Definition Network Mode Not Recommended
01aec7c2-3e4d-4274-ae47-2b8fea22fd1f
High Insecure Configurations Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations Documentation
DB Security Group Has Public IP
5330b503-3319-44ff-9b1c-00ee873f728a
High Insecure Configurations The CIDR IP must not be Public Documentation
KMS Key With Vulnerable Policy
5b9d237a-57d5-4177-be0e-71434b0fef47
High Insecure Configurations Checks if the policy is vulnerable and needs updating. Documentation
Redshift Publicly Accessible
5c6b727b-1382-4629-8ba9-abd1365e5610
High Insecure Configurations Check if 'publicly_accessible' field is true (default is false) Documentation
Root Account Has Active Access Keys
e71d0bc7-d9e8-4e6e-ae90-0a4206db6f40
High Insecure Configurations The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive. Documentation
CloudFront Without Minimum Protocol TLS 1.2
d0c13053-d2c8-44a6-95da-d592996e9e67
High Insecure Configurations CloudFront Minimum Protocol version should be at least TLS 1.2 Documentation
Batch Job Definition With Privileged Container Properties
defe5b18-978d-4722-9325-4d1975d3699f
High Insecure Configurations Batch Job Definition should not have Privileged Container Properties Documentation
S3 Bucket with Unsecured CORS Rule
3505094c-f77c-4ba0-95da-f83db712f86c
High Insecure Configurations If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure Documentation
Vulnerable Default SSL Certificate
fb8f8929-afeb-4c46-99f0-a6cf410f7df4
High Insecure Defaults CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one. Documentation
Default Security Groups With Unrestricted Traffic
8010e17a-00e9-4635-a692-90d6bcec68bd
High Networking and Firewall Check if default security group does not restrict all inbound and outbound traffic. Documentation
ALB Listening on HTTP
f81d63d2-c5d7-43a4-a5b5-66717a41c895
High Networking and Firewall AWS Application Load Balancer (alb) should not listen on HTTP Documentation
Remote Desktop Port Open
eda7301d-1f3e-47cf-8d4e-976debc64341
High Networking and Firewall The Remote Desktop port is open in a Security Group Documentation
Security Group With Unrestricted Access To SSH
57ced4b9-6ba4-487b-8843-b65562b90c77
High Networking and Firewall SSH' (TCP:22) should not be public in AWS Security Group Documentation
Route53 Record Undefined
445dce51-7e53-4e50-80ef-7f94f14169e4
High Networking and Firewall Route53 Record should have a list of records Documentation
Unknown Port Exposed To Internet
722b0f24-5a64-4cca-aa96-cfc26b7e3a5b
High Networking and Firewall AWS Security Group should not have an unknown port exposed to the entire Internet Documentation
Public Port Wide
71ea648a-d31a-4b5a-a589-5674243f1c33
High Networking and Firewall AWS Security Group should not have public port wide Documentation
Security Group Ingress Not Restricted
ea6bc7a6-d696-4dcf-a788-17fa03c17c81
High Networking and Firewall AWS Security Group should restrict ingress access Documentation
HTTP Port Open
a14ad534-acbe-4a8e-9404-2f7e1045646e
High Networking and Firewall The HTTP port is open in a Security Group Documentation
DB Security Group With Public Scope
0956aedf-6a7a-478b-ab56-63e2b19923ad
High Networking and Firewall The IP address in a DB Security Group must not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). Documentation
DB Security Group Open To Large Scope
ea0ed1c7-9aef-4464-b7c7-94c762da3640
High Networking and Firewall The IP address in a DB Security Group must not have more than 256 hosts. Documentation
Unrestricted Security Group Ingress
83c5fa4c-e098-48fc-84ee-0a537287ddd2
High Networking and Firewall Security groups allow ingress from 0.0.0.0/0 Documentation
EC2 Instance Has Public IP
a8b0c58b-cd25-4b53-9ad0-55bca0be0bc1
High Networking and Firewall EC2 Instance should not have a public IP address. Documentation
Configuration Aggregator to All Regions Disabled
a2fdf451-89dd-451e-af92-bf6c0f4bab96
High Observability AWS Config Configuration Aggregator All Regions must be set to True Documentation
CMK Rotation Disabled
af96d737-0818-4162-8c41-40d969bd65d1
High Observability Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled. Documentation
CloudTrail Logging Disabled
d4a73c49-cbaa-4c6f-80ee-d6ef5a3a26f5
High Observability Checks if logging is enabled for CloudTrail. Documentation
Certificate Has Expired
5a443297-19d4-4381-9e5b-24faf947ec22
Medium Access Control Expired SSL/TLS certificates should be removed Documentation
ECR Repository Is Publicly Accessible
fb5a5df7-6d74-4243-ab82-ff779a958bfd
Medium Access Control Amazon ECR image repositories shouldn't have public access Documentation
Lambda Permission Principal Is Wildcard
1d972c56-8ec2-48c1-a578-887adb09c57a
Medium Access Control Lambda Permission Principal should not contain a wildcard. Documentation
API Gateway Without Configured Authorizer
b16cdb37-ce15-4ab2-8401-d42b05d123fc
Medium Access Control API Gateway REST API should have an API Gateway Authorizer Documentation
AMI Shared With Multiple Accounts
a19b2942-142e-4e2b-93b7-6cf6a6c8d90f
Medium Access Control Limits access to AWS AMIs by checking if more than one account is using the same image Documentation
S3 Bucket With Public Access
c3e073c1-f65e-4d18-bd67-4a8f20ad1ab9
Medium Access Control S3 Bucket allows public access Documentation
SQS Policy Allows All Actions
ed9b3beb-92cf-44d9-a9d2-171eeba569d4
Medium Access Control SQS policy allows ALL (*) actions Documentation
Public Lambda via API Gateway
5e92d816-2177-4083-85b4-f61b4f7176d9
Medium Access Control Allowing to run lambda function using public API Gateway Documentation
IAM Access Key Is Exposed
7f79f858-fbe8-4186-8a2c-dfd0d958a40f
Medium Access Control Check if IAM Access Key is active for some user besides 'root' Documentation
IAM Policy Grants Full Permissions
b5ed026d-a772-4f07-97f9-664ba0b116f8
Medium Access Control IAM policies allow all ('*') in a statement action Documentation
SQS Policy With Public Access
d994585f-defb-4b51-b6d2-c70f020ceb10
Medium Access Control SQS policy with public access Documentation
SNS Topic is Publicly Accessible For Subscription
905f4741-f965-45c1-98db-f7a00a0e5c73
Medium Access Control This query checks if SNS Topic is Accessible For Subscription Documentation
CMK Is Unusable
133fee21-37ef-45df-a563-4d07edc169f4
Medium Availability AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'enabled' set to true and the attribute 'pending_window' must be undefined. Documentation
ECS Service Without Running Tasks
f5c45127-1d28-4b49-a692-0b97da1c3a84
Medium Availability ECS Service should have at least 1 task running Documentation
Auto Scaling Group With No Associated ELB
050f085f-a8db-4072-9010-2cca235cc02f
Medium Availability AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty. Documentation
Stack Retention Disabled
17d5ba1d-7667-4729-b1a6-b11fde3db7f7
Medium Backup Make sure that retain_stack is enabled to keep the Stack and its associated resources during resource destruction Documentation
RDS With Backup Disabled
e69890e6-fce5-461d-98ad-cb98318dfc96
Medium Backup RDS configured without backup Documentation
IAM Password Without Lowercase Letter
8e3063f4-b511-45c3-b030-f3b0c9131951
Medium Best Practices Check if IAM account password has at least one lowercase letter Documentation
Misconfigured Password Policy Expiration
3f2cf811-88fa-4eda-be45-7a191a18aba9
Medium Best Practices No password expiration policy Documentation
Authentication Without MFA
eee107f9-b3d8-45d3-b9c6-43b5a7263ce1
Medium Best Practices Users should authenticate with MFA (Multi-factor Authentication) Documentation
IAM Password Without Minimum Length
8bc2168c-1723-4eeb-a6f3-a1ba614b9a6d
Medium Best Practices Check if IAM account password has the required minimum length Documentation
IAM Password Without Number
9cf25d62-0b96-42c8-b66d-998cd6ee5bb8
Medium Best Practices Check if IAM account password has at least one number Documentation
Password Without Reuse Prevention
6f5f5444-1422-495f-81ef-24cefd61ed2c
Medium Best Practices Password policy password_reuse_prevention doesn't exist or is equal to 0 Documentation
Stack Without Template
32d31f1f-0f83-4721-b7ec-1e6948c60145
Medium Build Process AWS CloudFormation should have a template defined through the attribute 'template', 'template_url' or 'template_body' Documentation
EBS Volume Encryption Disabled
4b6012e7-7176-46e4-8108-e441785eae57
Medium Encryption EBS Encryption should be enabled Documentation
Config Rule For Encrypted Volumes Disabled
7674a686-e4b1-4a95-83d4-1fd53c623d84
Medium Encryption Check if AWS config rules do not identify Encrypted Volumes as a source. Documentation
CodeBuild Not Encrypted
a1423864-2fbc-4f46-bfe1-fbbf125c71c9
Medium Encryption CodeBuild Project should be encrypted Documentation
Instance With No VPC
61d1a2d0-4db8-405a-913d-5d2ce49dff6f
Medium Insecure Configurations Instance should be configured in VPC (Virtual Private Cloud) Documentation
AWS Password Policy With Unchangeable Passwords
e28ceb92-d588-4166-aac5-766c8f5b7472
Medium Insecure Configurations Unchangeable passwords in AWS password policy Documentation
Certificate RSA Key Bytes Lower Than 256
d5ec2080-340a-4259-b885-f833c4ea6a31
Medium Insecure Configurations The certificate should use an RSA key with a length equal to or higher than 256 bytes Documentation
API Gateway Without SSL Certificate
b47b98ab-e481-4a82-8bb1-1ab39fd36e33
Medium Insecure Configurations SSL Client Certificate should be enabled in aws_api_gateway Documentation
ECR Image Tag Not Immutable
60bfbb8a-c72f-467f-a6dd-a46b7d612789
Medium Insecure Configurations ECR repositories should have image tag immutability enabled Documentation
IAM Password Without Uppercase Letter
83957b81-39c1-4191-8e12-671d2ce14354
Medium Insecure Configurations Check if IAM account password has at least one uppercase letter Documentation
Lambda Function Without Tags
265d9725-2fb8-42a2-bc57-3279c5db82d5
Medium Insecure Configurations AWS Lambda Functions must have associated tags. Documentation
API Gateway Endpoint Config is Not Private
559439b2-3e9c-4739-ac46-17e3b24ec215
Medium Networking and Firewall The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet Documentation
SQL Analysis Services Port 2383 (TCP) is Publicly Accessible
7af1c447-c014-4f05-bd8b-ebe3a15734ac
Medium Networking and Firewall Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it. Documentation
CloudTrail Multi Region Disabled
6ad087d7-a509-4b20-b853-9ef6f5ebaa98
Medium Observability Check if MultiRegion is Enabled Documentation
API Gateway With CloudWatch Logging Disabled
72a931c2-12f5-40d1-93cc-47bff2f7aa2a
Medium Observability AWS CloudWatch Logs for APIs is not enabled Documentation
CloudWatch Without Retention Period Specified
e24e18d9-4c2b-4649-b3d0-18c088145e24
Medium Observability AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, and access log events Documentation
API Gateway X-Ray Disabled
2059155b-27fd-441e-b616-6966c468561f
Medium Observability API Gateway should have X-Ray Tracing enabled Documentation
Stack Notifications Disabled
d39761d7-94ab-45b0-ab5e-27c44e381d58
Medium Observability AWS CloudFormation should have stack notifications enabled Documentation
S3 Bucket Without Versioning
9232306a-f839-40aa-b3ef-b352001da9a5
Medium Observability S3 bucket without versioning Documentation
Cloudfront Logging Disabled
d31cb911-bf5b-4eb6-9fc3-16780c77c7bd
Medium Observability AWS CloudFront distributions must have logging enabled, which means the attribute 'logging' must be defined with 'enabled' set to true Documentation
CloudTrail Not Integrated With CloudWatch
ebb2118a-03bc-4d53-ab43-d8750f5cb8d3
Medium Observability CloudTrail should be integrated with CloudWatch Documentation
CloudTrail SNS Topic Name Undefined
5ba316a9-c466-4ec1-8d5b-bc6107dc9a92
Medium Observability Check if SNS topic name is set for CloudTrail Documentation
No Stack Policy
ffe0fd52-7a8b-4a5c-8fc7-49844418e6c9
Medium Resource Management AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions Documentation
Hardcoded AWS Access Key In Lambda
f34508b9-f574-4330-b42d-88c44cced645
Medium Secret Management Lambda access key should not be in plaintext. Documentation
IAM Role Allows All Principals To Assume
babdedcf-d859-43da-9a7b-6d72e661a8fd
Low Access Control IAM role allows all services or principals to assume it Documentation
IAM Group Without Users
f509931b-bbb0-443c-bd9b-10e92ecf2193
Low Access Control IAM Group should have at least one user associated Documentation
IAM Policy Grants 'AssumeRole' Permission Across All Services
12a7a7ce-39d6-49dd-923d-aeb4564eb66c
Low Access Control IAM role allows all services or principals to assume it Documentation
CDN Configuration Is Missing
b25398a2-0625-4e61-8e4d-a1bb23905bf6
Low Best Practices Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination. Documentation
IAM Policies Attached To User
eafe4bc3-1042-4f88-b988-1939e64bf060
Low Best Practices IAM policies should be attached only to groups or roles Documentation
Lambda Permission Misconfigured
3ddf3417-424d-420d-8275-0724dc426520
Low Best Practices Lambda permission may be misconfigured if the 'action' field is not set to 'lambda:InvokeFunction' Documentation
EFS Without Tags
b8a9852c-9943-4973-b8d5-77dae9352851
Low Build Process Amazon Elastic Filesystem should have filesystem tags associated Documentation
SQS with SSE disabled
e1e7b278-2a8b-49bd-a26e-66a7f70b17eb
Low Encryption SQS Queue should be protected with CMK encryption Documentation
Cloudfront Without WAF
22c80725-e390-4055-8d14-a872230f6607
Low Networking and Firewall All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service Documentation
Lambda Functions Without X-Ray Tracing
71397b34-1d50-4ee1-97cb-c96c34676f74
Low Observability AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_mode' should have the value 'Active' Documentation
CloudTrail Log File Validation Disabled
4d8681a2-3d30-4c89-8070-08acd142748e
Low Observability CloudTrail Log Files should have validation enabled Documentation
S3 Bucket Logging Disabled
c3b9f7b0-f5a0-49ec-9cbc-f1e346b7274d
Low Observability S3 bucket without debug_botocore_endpoint_logs Documentation
Hardcoded AWS Access Key
c2f15af3-66a0-4176-a56e-e4711e502e5c
Low Secret Management Check if the user data in the EC2 instance has the access key hardcoded Documentation