# Ansible

## Ansible Queries List

This page contains all queries from Ansible.
### GCP

Below are listed the queries related to Ansible GCP:

Query | Severity | Category | Description | Help |
---|---|---|---|---|
SQL DB Instance Is Publicly Accessible 7d7054c0-3a52-4e9b-b9ff-cbfe16a2378b | High | Access Control | Check if any Cloud SQL instances are publicly accessible. | Documentation |
VM With Full Cloud Access bc20bbc6-0697-4568-9a73-85af1dd97bdd | High | Access Control | A VM instance is configured to use the default service account with full access to all Cloud APIs | Documentation |
SQL DB Instance Backup Disabled 0c82eae2-aca0-401f-93e4-fb37a0f9e5e8 | High | Backup | Checks if backup configuration is enabled for all Cloud SQL Database instances | Documentation |
DNSSEC Using RSASHA1 6cf4c3a7-ceb0-4475-8892-3745b84be24a | High | Encryption | DNSSEC should not use the RSASHA1 algorithm | Documentation |
High KMS Rotation Period 79f45008-60b3-4a0a-a302-8311fd3701b4 | High | Encryption | Check if any KMS rotation period surpasses 365 days. | Documentation |
SQL DB Instance With SSL Disabled d0f7da39-a2d5-4c78-bb85-4b7f338b3cbb | High | Encryption | Cloud SQL Database Instance with SSL disabled for incoming connections | Documentation |
IP Aliasing Disabled ed672a9f-fbf0-44d8-a47d-779501b0db05 | High | Insecure Configurations | Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ip_allocation_policy' must be defined and the subattribute 'use_ip_aliases' must be set to 'yes'. | Documentation |
GKE Legacy Authorization Enabled 300a9964-b086-41f7-9378-b6de3ba1c32b | High | Insecure Configurations | Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacy_abac.enabled' must be false. | Documentation |
Client Certificate Disabled 20180133-a0d0-4745-bfe0-94049fbb12a9 | High | Insecure Configurations | Kubernetes Clusters must be created with Client Certificate enabled, which means 'master_auth' must have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to true | Documentation |
MySQL Instance With Local Infile On a7b520bb-2509-4fb0-be05-bc38f54c7a4c | High | Insecure Configurations | MySQL Instance should not have Local Infile On | Documentation |
Network Policy Disabled 98e04ca0-34f5-4c74-8fec-d2e611ce2790 | High | Insecure Configurations | Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false | Documentation |
Cloud SQL Instance With Contained Database Authentication On 6d34aff3-fdd2-460c-8190-756a3b4969e8 | High | Insecure Configurations | SQL Instance should not have Contained Database Authentication On | Documentation |
Cloud SQL Instance With Cross DB Ownership Chaining On 9e0c33ed-97f3-4ed6-8be9-bcbf3f65439f | High | Insecure Configurations | GCP SQL Instance should not have Cross DB Ownership Chaining On | Documentation |
Cluster Labels Disabled fbe9b2d0-a2b7-47a1-a534-03775f3013f7 | High | Insecure Configurations | Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined | Documentation |
Private Cluster Disabled 3b30e3d6-c99b-4318-b38f-b99db74578b5 | High | Insecure Configurations | Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_endpoint' and 'enable_private_nodes' must be true. | Documentation |
Cluster Master Authentication Disabled 9df7f78f-ebe3-432e-ac3b-b67189c15518 | High | Insecure Configurations | Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'master_auth' must have the subattributes 'username' and 'password' defined and not empty | Documentation |
PostgreSQL Misconfigured Logging Duration Flag aed98a2a-e680-497a-8886-277cea0f4514 | High | Insecure Configurations | PostgreSQL database 'log_min_duration_statement' flag isn't set to '-1' | Documentation |
GKE Basic Authentication Enabled 344bf8ab-9308-462b-a6b2-697432e40ba1 | High | Insecure Configurations | GCP - Google Kubernetes Engine (GKE) Basic Authentication must be disabled, which means the username and password provided in the master_auth block must be empty | Documentation |
BigQuery Dataset Is Public 2263b286-2fe9-4747-a0ae-8b4768a2bbd2 | High | Insecure Configurations | BigQuery dataset is anonymously or publicly accessible | Documentation |
Compute Instance Is Publicly Accessible 829f1c60-2bab-44c6-8a21-5cd9d39a2c82 | High | Networking and Firewall | Compute instances shouldn't be accessible from the Internet. | Documentation |
GKE Master Authorized Networks Disabled d43366c5-80b0-45de-bbe8-2338f4ab0a83 | High | Networking and Firewall | Master authorized networks must be enabled in GKE clusters | Documentation |
Stackdriver Logging Disabled 19c9e2a0-fc33-4264-bba1-e3682661e8f7 | High | Observability | Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must be defined and different from 'none' | Documentation |
Object Versioning Not Enabled 7814ddda-e758-4a56-8be3-289a81ded929 | High | Observability | Object Versioning not fully enabled on Cloud Storage Bucket | Documentation |
PostgreSQL Log Connections Disabled d7a5616f-0a3f-4d43-bc2b-29d1a183e317 | High | Observability | PostgreSQL database instance should have a 'log_connections' flag with its value set to 'on' | Documentation |
PostgreSQL Logging Of Temporary Files Disabled d6fae5b6-ada9-46c0-8b36-3108a2a2f77b | High | Observability | PostgreSQL database 'log_temp_files' flag isn't set to '0' | Documentation |
Cloud Storage Bucket Logging Not Enabled 507df964-ad97-4035-ab14-94a82eabdfdd | High | Observability | Cloud storage bucket with logging not enabled | Documentation |
Stackdriver Monitoring Disabled 20dcd953-a8b8-4892-9026-9afa6d05a525 | High | Observability | Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must be defined and different from 'none' | Documentation |
COS Node Image Not Used be41f891-96b1-4b9d-b74f-b922a918c778 | High | Resource Management | A node image that is not Container-Optimized OS (COS) is used as the Kubernetes Engine Clusters node image | Documentation |
Node Auto Upgrade Disabled d6e10477-2e19-4bcd-b8a8-19c65b89ccdf | High | Resource Management | Node 'auto_upgrade' should be enabled for Kubernetes Clusters | Documentation |
Google Compute SSL Policy Weak Cipher In Use b28bcd2f-c309-490e-ab7c-35fc4023eb26 | Medium | Encryption | This query confirms whether weak cipher suites are enabled in a Google Compute SSL Policy; to do so it checks if the TLS version is TLS_1_2, because other versions have weak ciphers | Documentation |
High Google KMS Crypto Key Rotation Period f9b7086b-deb8-4034-9330-d7fd38f1b8de | Medium | Encryption | Make sure encryption keys change after 90 days | Documentation |
Disk Encryption Disabled 092bae86-6105-4802-99d2-99cd7e7431f3 | Medium | Encryption | VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined | Documentation |
Cloud DNS Without DNSSEC 80b15fb1-6207-40f4-a803-6915ae619a03 | Medium | Insecure Configurations | DNSSEC must be enabled for Cloud DNS | Documentation |
OSLogin Is Disabled In VM Instance 66dae697-507b-4aef-be18-eec5bd707f33 | Medium | Insecure Configurations | Check if any instance disables OSLogin. | Documentation |
Google Container Node Pool Auto Repair Disabled d58c6f24-3763-4269-9f5b-86b2569a003b | Medium | Insecure Configurations | Verifies if Google Container Node Pool Auto Repair is Enabled | Documentation |
Cloud Storage Anonymous or Publicly Accessible 086031e1-9d4a-4249-acb3-5bfe4c363db2 | Medium | Insecure Configurations | Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'entity' must not be 'allUsers' or 'allAuthenticatedUsers' | Documentation |
Shielded VM Disabled 18d3a83d-4414-49dc-90ea-f0387b2856cc | Medium | Insecure Configurations | Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true | Documentation |
Using Default Service Account 2775e169-e708-42a9-9305-b58aadd2c4dd | Medium | Insecure Defaults | Instances must not be configured to use the Default Service Account, which has full access to all Cloud APIs, which means the attribute 'service_account_email' must be defined. Additionally, it must not be empty and must also not be a default Google Compute Engine service account. | Documentation |
Serial Ports Are Enabled For VM Instances c6fc6f29-dc04-46b6-99ba-683c01aff350 | Medium | Networking and Firewall | Check if serial ports are enabled in Google Compute Engine VM instances | Documentation |
IP Forwarding Enabled 11bd3554-cd56-4257-8e25-7aaf30cf8f5f | Medium | Networking and Firewall | Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true | Documentation |
RDP Access Is Not Restricted 75418eb9-39ec-465f-913c-6f2b6a80dc77 | Medium | Networking and Firewall | Check if the Google compute firewall allows unrestricted RDP access. | Documentation |
SSH Access Is Not Restricted b2fbf1df-76dd-4d78-a6c0-e538f4a9b016 | Medium | Networking and Firewall | Check if Google Firewall allows SSH access (port 22) from the Internet (public CIDR block). | Documentation |
PostgreSQL log_checkpoints Flag Not Set To ON 89afe3f0-4681-4ce3-89ed-896cebd4277c | Medium | Observability | PostgreSQL database instance should have a 'log_checkpoints' flag with its value set to 'on' | Documentation |
PostgreSQL Misconfigured Log Messages Flag 28a757fc-3d8f-424a-90c0-4233363b2711 | Medium | Observability | PostgreSQL database 'log_min_messages' flag isn't set to a valid value | Documentation |
Project-wide SSH Keys Are Enabled In VM Instances 099b4411-d11e-4537-a0fc-146b19762a79 | Medium | Secret Management | Check if the VM Instance doesn't block project-wide SSH keys. | Documentation |
### AZURE

Below are listed the queries related to Ansible AZURE:

Query | Severity | Category | Description | Help |
---|---|---|---|---|
Trusted Microsoft Services Not Enabled 1bc398a8-d274-47de-a4c8-6ac867b353de | High | Access Control | Ensure Trusted Microsoft Services have Storage Account access. | Documentation |
Admin User Enabled For Container Registry 29f35127-98e6-43af-8ec1-201b79f99604 | High | Access Control | Admin user is enabled for Container Registry | Documentation |
Storage Container Is Publicly Accessible 4d3817db-dd35-4de4-a80d-3867157e7f7f | High | Access Control | Anonymous, public read access to a container and its blobs is enabled in Azure Blob Storage | Documentation |
Public Storage Account 35e2f133-a395-40de-a79d-b260d973d1bd | High | Access Control | Check if 'network_acls' is open to the public. | Documentation |
Storage Account Not Forcing HTTPS 2c99a474-2a3c-4c17-8294-53ffa5ed0522 | High | Encryption | See that Storage Accounts force the use of HTTPS | Documentation |
MySQL SSL Connection Disabled 2a901825-0f3b-4655-a0fe-e0470e50f8e6 | High | Encryption | Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled | Documentation |
SSL Enforce Disabled 961ce567-a16d-4d7d-9027-f0ec2628a555 | High | Encryption | Make sure that for PostgreSQL, the 'Enforce SSL connection' is set to 'ENABLED' | Documentation |
Web App Accepting Traffic Other Than HTTPS eb8c2560-8bee-4248-9d0d-e80c8641dd91 | High | Insecure Configurations | Web app should only accept HTTPS traffic in Azure Web App Service. | Documentation |
VM Not Attached To Network 1e5f5307-3e01-438d-8da6-985307ed25ce | High | Insecure Configurations | No Network Security Group is attached to the Virtual Machine | Documentation |
AD Admin Not Configured For SQL Server b176e927-bbe2-44a6-a9c3-041417137e5f | High | Insecure Configurations | The Active Directory Administrator is not configured for a SQL server | Documentation |
Azure Container Registry With No Locks 581dae78-307d-45d5-aae4-fe2b0db267a5 | High | Insecure Configurations | Azurerm Container Registry Must Contain Associated Locks | Documentation |
SQLServer Ingress From Any IP f4e9ff70-0f3b-4c50-a713-26cbe7ec4039 | High | Networking and Firewall | Check if all IPs are allowed, i.e. a range from start 0.0.0.0 to end 255.255.255.255. | Documentation |
Sensitive Port Is Exposed To Entire Network 0ac9abbc-6d7a-41cf-af23-2e57ddb3dbfc | High | Networking and Firewall | A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol | Documentation |
Redis Entirely Accessible 0d0c12b9-edce-4510-9065-13f6a758750c | High | Networking and Firewall | Firewall rule allowing unrestricted access to Redis from the Internet | Documentation |
CosmosDB Account IP Range Filter Not Set e8c80448-31d8-4755-85fc-6dbab69c2717 | High | Networking and Firewall | The IP range filter should be defined | Documentation |
Redis Publicly Accessible 0632d0db-9190-450a-8bb3-c283bffea445 | High | Networking and Firewall | Firewall rule allowing unrestricted access to Redis from other Azure sources | Documentation |
AKS RBAC Disabled 149fa56c-4404-4f90-9e25-d34b676d5b39 | Medium | Access Control | Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled | Documentation |
Key Vault Soft Delete Is Disabled 881696a8-68c5-4073-85bc-7c38a3deb854 | Medium | Backup | Make sure Soft Delete is enabled for Key Vault | Documentation |
SQL Server Predictable Active Directory Account Name 530e8291-2f22-4bab-b7ea-306f1bc2a308 | Medium | Best Practices | Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'ad_user' must be set to a name that is not easy to predict | Documentation |
Unrestricted SQL Server Access 3f23c96c-f9f5-488d-9b17-605b8da5842f | Medium | Best Practices | Azure SQL Server Accessibility should be set to a minimal address range, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' must be less than 256. Additionally, both IPs must be different from '0.0.0.0' | Documentation |
SQL Server Predictable Admin Account Name 663062e9-473d-4e87-99bc-6f3684b3df40 | Medium | Best Practices | Azure SQL Server's Admin account login must avoid using names like 'Admin' that are too predictable, which means the attribute 'admin_username' must be set to a name that is not easy to predict | Documentation |
Cosmos DB Account Without Tags 23a4dc83-4959-4d99-8056-8e051a82bc1e | Medium | Build Process | Cosmos DB Account must have a mapping of tags. | Documentation |
Storage Account Not Using Latest TLS Encryption Version c62746cf-92d5-4649-9acf-7d48d086f2ee | Medium | Encryption | Ensure Storage Account is using the latest version of TLS encryption | Documentation |
Security Group is Not Configured da4f2739-174f-4cdd-b9ef-dc3f14b5931f | Medium | Insecure Configurations | Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty | Documentation |
AKS Network Policy Misconfigured 8c3bedf1-c570-4c3b-b414-d068cd39a00c | Medium | Insecure Configurations | Azure Kubernetes Service should have the proper network policy configuration | Documentation |
Redis Cache Allows Non SSL Connections 869e7fb4-30f0-4bdb-b360-ad548f337f2f | Medium | Insecure Configurations | Check if any Redis Cache resource allows non-SSL connections. | Documentation |
Default Network Access is Allowed 974e6fe7-63fd-4fa4-aa72-77b21a4a959d | Medium | Insecure Defaults | Default Network Access rule for Storage Accounts must be set to deny, which means the attribute 'default_action' must be 'Deny' | Documentation |
WAF Is Disabled For Azure Application Gateway 2fc5ab5a-c5eb-4ae4-b687-0f16fe77c255 | Medium | Networking and Firewall | Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway. | Documentation |
Firewall Rule Allows Too Many Hosts To Access Redis Cache 69f72007-502e-457b-bd2d-5012e31ac049 | Medium | Networking and Firewall | Check if any firewall rule allows too many hosts to access Redis Cache. | Documentation |
PostgreSQL Log Checkpoints Disabled 7ab33ac0-e4a3-418f-a673-50da4e34df21 | Medium | Observability | Make sure that for PostgreSQL Database Server, parameter 'log_checkpoints' is set to 'ON' | Documentation |
PostgreSQL Log Disconnections Not Set 054d07b5-941b-4c28-8eef-18989dc62323 | Medium | Observability | Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON' | Documentation |
PostgreSQL Log Connections Not Set 7b47138f-ec0e-47dc-8516-e7728fe3cc17 | Medium | Observability | Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON' | Documentation |
Small Activity Log Retention Period 37fafbea-dedb-4e0d-852e-d16ee0589326 | Medium | Observability | Ensure that Activity Log Retention is set to 365 days or greater | Documentation |
PostgreSQL Log Duration Not Set 729ebb15-8060-40f7-9017-cb72676a5487 | Medium | Observability | Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON' | Documentation |
PostgreSQL Server Without Connection Throttling a9becca7-892a-4af7-b9e1-44bf20a4cd9a | Medium | Observability | Ensure that Connection Throttling is set for the PostgreSQL server | Documentation |
AKS Monitoring Logging Disabled d5e83b32-56dd-4247-8c2e-074f43b38a5e | Medium | Observability | Azure Container Service (AKS) instance should have logging enabled to Azure Monitoring | Documentation |
Monitoring Log Profile Without All Activities 89f84a1e-75f8-47c5-83b5-bee8e2de4168 | Medium | Observability | Monitoring log profile should capture all the activities (Action, Write, Delete) | Documentation |
Log Retention Is Not Set 0461b4fd-21ef-4687-929e-484ee4796785 | Medium | Observability | Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON' | Documentation |
### AWS | ||||
Bellow are listed queries related with Ansible AWS: |
Query | Severity | Category | Description | Help |
---|---|---|---|---|
DB Instance Publicly Accessible c09e3ca5-f08a-4717-9c87-3919c5e6d209 |
High | Access Control | The field 'publicly_accessible' should not be set to 'true' (default is 'false'). | Documentation |
SQS Queue Exposed 86b0efa7-4901-4edd-a37a-c034bec6645a |
High | Access Control | Checks if the SQS Queue is exposed | Documentation |
S3 Bucket Allows List Action From All Principals d395a950-12ce-4314-a742-ac5a785ab44e |
High | Access Control | S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. | Documentation |
S3 Bucket With All Permissions 6a6d7e56-c913-4549-b5c5-5221e624d2ec |
High | Access Control | S3 Buckets must not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion | Documentation |
IAM Policies With Full Privileges e401d614-8026-4f4b-9af9-75d1197461ba |
High | Access Control | IAM policies that allow full administrative privileges (for all resources) | Documentation |
S3 Bucket Allows Put Action From All Principals a0f1bfe0-741e-473f-b3b2-13e66f856fab |
High | Access Control | S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. | Documentation |
S3 Bucket Allows Get Action From All Principals 53bce6a8-5492-4b1b-81cf-664385f0c4bf |
High | Access Control | S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. | Documentation |
S3 Bucket ACL Allows Read to Any Authenticated User 75480b31-f349-4b9a-861f-bce19588e674 |
High | Access Control | Misconfigured S3 buckets can leak private information to the entire internet or allow unauthorized data tampering / deletion | Documentation |
S3 Bucket Access to Any Principal 3ab1f27d-52cc-4943-af1d-43c1939e739a |
High | Access Control | Checks if the S3 bucket is accessible for all users | Documentation |
S3 Bucket ACL Allows Read to All Users a1ef9d2e-4163-40cb-bd92-04f0d602a15d |
High | Access Control | It's not recommended to allow read access for all user groups. | Documentation |
S3 Bucket Allows WriteACP Action From All Principals 7529b8d2-55d7-44d2-b1cd-d7d2984a2a81 |
High | Access Control | S3 Buckets must not allow Write_ACP Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Write_ACP, for all Principals. | Documentation |
S3 Bucket Allows Delete Action From All Principals 6fa44721-ef21-41c6-8665-330d59461163 |
High | Access Control | S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. | Documentation |
ECS Service Admin Role is Present 7db727c1-1720-468e-b80e-06697f71e09e |
High | Access Control | ECS Services must not have Admin roles, which means the attribute 'role' must not be an admin role | Documentation |
EFS Not Encrypted 727c4fd4-d604-4df6-a179-7713d3c85e20 |
High | Encryption | Elastic File System (EFS) must be encrypted | Documentation |
IAM Database Auth Not Enabled 0ed012a4-9199-43d2-b9e4-9bd049a48aa4 |
High | Encryption | IAM Database Auth Enabled must be configured to true | Documentation |
AMI Not Encrypted 97707503-a22c-4cd7-b7c0-f088fa7cf830 |
High | Encryption | AWS AMI Encryption is not enabled | Documentation |
User Data Shell Script Is Encoded 1e2341ba-a5cf-4f0a-a5f6-47e90c68ea89 |
High | Encryption | User Data Shell Script must be encoded | Documentation |
ELB Using Insecure Protocols 730a5951-2760-407a-b032-dd629b55c23a |
High | Encryption | ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of insecure protocols. | Documentation |
Launch Configuration Is Not Encrypted 66477506-6abb-49ed-803d-3fa174cd5f6a |
High | Encryption | AWS Autoscaling Launch Configurations should have encryption enabled | Documentation |
Memcached Disabled 2d55ef88-b616-4890-b822-47f280763e89 |
High | Encryption | Check if the Memcached is disabled on the ElastiCache | Documentation |
Kinesis Not Encrypted With KMS f2ea6481-1d31-4d40-946a-520dc6321dd7 |
High | Encryption | AWS Kinesis Streams and metadata should be protected with KMS | Documentation |
ELB Using Weak Ciphers 2034fb37-bc23-4ca0-8d95-2b9f15829ab5 |
High | Encryption | ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of weak ciphers. | Documentation |
EFS Without KMS bd77554e-f138-40c5-91b2-2a09f878608e |
High | Encryption | Elastic File System (EFS) must have KMS Key ID | Documentation |
CloudTrail Log Files Not Encrypted f5587077-3f57-4370-9b4e-4eb5b1bac85b |
High | Encryption | CloudTrail Log Files should be encrypted with Key Management Service (KMS) | Documentation |
Automatic Minor Upgrades Disabled 857f8808-e96a-4ba8-a9b7-f2d4ec6cad94 |
High | Encryption | RDS instance auto minor version upgrade feature must be true | Documentation |
S3 Bucket SSE Disabled 309edc5b-5a59-42b4-a357-d4d098311fd4 |
High | Encryption | If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required | Documentation |
ECS Task Definition Container With Plaintext Password 7fdc2bf3-6bc0-4cb3-84c5-cfd041c0f892 |
High | Encryption | It's not recommended to use plaintext environment variables for sensitive information, such as credential data. | Documentation |
Secure Ciphers Disabled 218413a0-c716-4b94-9e08-0bb70d854709 |
High | Encryption | Check if secure ciphers aren't used in CloudFront | Documentation |
Viewer Protocol Policy Allows HTTP a6d27cf7-61dc-4bde-ae08-3b353b609f76 |
High | Encryption | Checks if the connection between the CloudFront and the origin server is encrypted | Documentation |
S3 Bucket Without Server-side-encryption 594f54e7-f744-45ab-93e4-c6dbaf6cd571 |
High | Encryption | AWS S3 Storage should be protected with SSE (Server-Side Encryption) | Documentation |
Redis Not Compliant 9f34885e-c08f-4d13-a7d1-cf190c5bd268 |
High | Encryption | Check if the redis version is compliant with the necessary AWS PCI DSS requirements | Documentation |
Redshift Not Encrypted 6a647814-def5-4b85-88f5-897c19f509cd |
High | Encryption | Check if 'encrypted' field is false or undefined (default is false) | Documentation |
User Data Contains Encoded Private Key c09f4d3e-27d2-4d46-9453-abbe9687a64e |
High | Encryption | User Data contains an encoded RSA Private Key | Documentation |
DB Instance Storage Not Encrypted 7dfb316c-a6c2-454d-b8a2-97f147b0c0ff |
High | Encryption | The parameter storage_encrypted in aws_db_instance must be set to 'true' (the default is 'false'). | Documentation |
CA Certificate Identifier Is Outdated 5eccd62d-8b4d-46d3-83ea-1879f3cbd3ce |
High | Encryption | The CA certificate Identifier must be 'rds-ca-2019'. | Documentation |
ECS Task Definition Network Mode Not Recommended 01aec7c2-3e4d-4274-ae47-2b8fea22fd1f |
High | Insecure Configurations | Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations | Documentation |
DB Security Group Has Public IP 5330b503-3319-44ff-9b1c-00ee873f728a |
High | Insecure Configurations | The CIDR IP must not be Public | Documentation |
KMS Key With Vulnerable Policy 5b9d237a-57d5-4177-be0e-71434b0fef47 |
High | Insecure Configurations | Checks if the policy is vulnerable and needs updating. | Documentation |
Redshift Publicly Accessible 5c6b727b-1382-4629-8ba9-abd1365e5610 |
High | Insecure Configurations | Check if 'publicly_accessible' field is true (default is false) | Documentation |
Root Account Has Active Access Keys e71d0bc7-d9e8-4e6e-ae90-0a4206db6f40 |
High | Insecure Configurations | The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive. | Documentation |
CloudFront Without Minimum Protocol TLS 1.2 d0c13053-d2c8-44a6-95da-d592996e9e67 |
High | Insecure Configurations | CloudFront Minimum Protocol version should be at least TLS 1.2 | Documentation |
Batch Job Definition With Privileged Container Properties defe5b18-978d-4722-9325-4d1975d3699f |
High | Insecure Configurations | Batch Job Definition should not have Privileged Container Properties | Documentation |
S3 Bucket with Unsecured CORS Rule 3505094c-f77c-4ba0-95da-f83db712f86c |
High | Insecure Configurations | If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure | Documentation |
Vulnerable Default SSL Certificate fb8f8929-afeb-4c46-99f0-a6cf410f7df4 |
High | Insecure Defaults | CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one. | Documentation |
Default Security Groups With Unrestricted Traffic 8010e17a-00e9-4635-a692-90d6bcec68bd |
High | Networking and Firewall | Check if default security group does not restrict all inbound and outbound traffic. | Documentation |
ALB Listening on HTTP f81d63d2-c5d7-43a4-a5b5-66717a41c895 |
High | Networking and Firewall | AWS Application Load Balancer (alb) should not listen on HTTP | Documentation |
Remote Desktop Port Open eda7301d-1f3e-47cf-8d4e-976debc64341 |
High | Networking and Firewall | The Remote Desktop port is open in a Security Group | Documentation |
Security Group With Unrestricted Access To SSH 57ced4b9-6ba4-487b-8843-b65562b90c77 |
High | Networking and Firewall | SSH' (TCP:22) should not be public in AWS Security Group | Documentation |
Route53 Record Undefined 445dce51-7e53-4e50-80ef-7f94f14169e4 |
High | Networking and Firewall | Route53 Record should have a list of records | Documentation |
Unknown Port Exposed To Internet 722b0f24-5a64-4cca-aa96-cfc26b7e3a5b |
High | Networking and Firewall | AWS Security Group should not have an unknown port exposed to the entire Internet | Documentation |
Public Port Wide 71ea648a-d31a-4b5a-a589-5674243f1c33 |
High | Networking and Firewall | AWS Security Group should not have public port wide | Documentation |
Security Group Ingress Not Restricted ea6bc7a6-d696-4dcf-a788-17fa03c17c81 |
High | Networking and Firewall | AWS Security Group should restrict ingress access | Documentation |
HTTP Port Open a14ad534-acbe-4a8e-9404-2f7e1045646e |
High | Networking and Firewall | The HTTP port is open in a Security Group | Documentation |
DB Security Group With Public Scope 0956aedf-6a7a-478b-ab56-63e2b19923ad |
High | Networking and Firewall | The IP address in a DB Security Group must not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). | Documentation |
DB Security Group Open To Large Scope ea0ed1c7-9aef-4464-b7c7-94c762da3640 |
High | Networking and Firewall | The IP address in a DB Security Group must not have more than 256 hosts. | Documentation |
Unrestricted Security Group Ingress 83c5fa4c-e098-48fc-84ee-0a537287ddd2 |
High | Networking and Firewall | Security groups allow ingress from 0.0.0.0/0 | Documentation |
EC2 Instance Has Public IP a8b0c58b-cd25-4b53-9ad0-55bca0be0bc1 |
High | Networking and Firewall | EC2 Instance should not have a public IP address. | Documentation |
Configuration Aggregator to All Regions Disabled a2fdf451-89dd-451e-af92-bf6c0f4bab96 |
High | Observability | AWS Config Configuration Aggregator All Regions must be set to True | Documentation |
CMK Rotation Disabled af96d737-0818-4162-8c41-40d969bd65d1 |
High | Observability | Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled. | Documentation |
CloudTrail Logging Disabled d4a73c49-cbaa-4c6f-80ee-d6ef5a3a26f5 |
High | Observability | Checks if logging is enabled for CloudTrail. | Documentation |
Certificate Has Expired 5a443297-19d4-4381-9e5b-24faf947ec22 |
Medium | Access Control | Expired SSL/TLS certificates should be removed | Documentation |
ECR Repository Is Publicly Accessible fb5a5df7-6d74-4243-ab82-ff779a958bfd |
Medium | Access Control | Amazon ECR image repositories shouldn't have public access | Documentation |
Lambda Permission Principal Is Wildcard 1d972c56-8ec2-48c1-a578-887adb09c57a |
Medium | Access Control | Lambda Permission Principal should not contain a wildcard. | Documentation |
API Gateway Without Configured Authorizer b16cdb37-ce15-4ab2-8401-d42b05d123fc |
Medium | Access Control | API Gateway REST API should have an API Gateway Authorizer | Documentation |
AMI Shared With Multiple Accounts a19b2942-142e-4e2b-93b7-6cf6a6c8d90f |
Medium | Access Control | Limits access to AWS AMIs by checking if more than one account is using the same image | Documentation |
S3 Bucket With Public Access c3e073c1-f65e-4d18-bd67-4a8f20ad1ab9 |
Medium | Access Control | S3 Bucket allows public access | Documentation |
SQS Policy Allows All Actions ed9b3beb-92cf-44d9-a9d2-171eeba569d4 |
Medium | Access Control | SQS policy allows ALL (*) actions | Documentation |
Public Lambda via API Gateway 5e92d816-2177-4083-85b4-f61b4f7176d9 |
Medium | Access Control | A Lambda function can be invoked through a publicly exposed API Gateway | Documentation |
IAM Access Key Is Exposed 7f79f858-fbe8-4186-8a2c-dfd0d958a40f |
Medium | Access Control | Check if IAM Access Key is active for some user besides 'root' | Documentation |
IAM Policy Grants Full Permissions b5ed026d-a772-4f07-97f9-664ba0b116f8 |
Medium | Access Control | IAM policies allow all ('*') in a statement action | Documentation |
SQS Policy With Public Access d994585f-defb-4b51-b6d2-c70f020ceb10 |
Medium | Access Control | SQS policy with public access | Documentation |
SNS Topic is Publicly Accessible For Subscription 905f4741-f965-45c1-98db-f7a00a0e5c73 |
Medium | Access Control | Checks whether the SNS topic policy lets any principal subscribe to the topic | Documentation |
CMK Is Unusable 133fee21-37ef-45df-a563-4d07edc169f4 |
Medium | Availability | AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'enabled' set to true and the attribute 'pending_window' must be undefined. | Documentation |
ECS Service Without Running Tasks f5c45127-1d28-4b49-a692-0b97da1c3a84 |
Medium | Availability | ECS Service should have at least 1 task running | Documentation |
Auto Scaling Group With No Associated ELB 050f085f-a8db-4072-9010-2cca235cc02f |
Medium | Availability | AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty. | Documentation |
Stack Retention Disabled 17d5ba1d-7667-4729-b1a6-b11fde3db7f7 |
Medium | Backup | Make sure that retain_stack is enabled to keep the Stack and its associated resources during resource destruction | Documentation |
RDS With Backup Disabled e69890e6-fce5-461d-98ad-cb98318dfc96 |
Medium | Backup | RDS configured without backup | Documentation |
IAM Password Without Lowercase Letter 8e3063f4-b511-45c3-b030-f3b0c9131951 |
Medium | Best Practices | Check if IAM account password has at least one lowercase letter | Documentation |
Misconfigured Password Policy Expiration 3f2cf811-88fa-4eda-be45-7a191a18aba9 |
Medium | Best Practices | No password expiration policy | Documentation |
Authentication Without MFA eee107f9-b3d8-45d3-b9c6-43b5a7263ce1 |
Medium | Best Practices | Users should authenticate with MFA (Multi-factor Authentication) | Documentation |
IAM Password Without Minimum Length 8bc2168c-1723-4eeb-a6f3-a1ba614b9a6d |
Medium | Best Practices | Check if IAM account password has the required minimum length | Documentation |
IAM Password Without Number 9cf25d62-0b96-42c8-b66d-998cd6ee5bb8 |
Medium | Best Practices | Check if IAM account password has at least one number | Documentation |
Password Without Reuse Prevention 6f5f5444-1422-495f-81ef-24cefd61ed2c |
Medium | Best Practices | Password policy password_reuse_prevention doesn't exist or is equal to 0 | Documentation |
Stack Without Template 32d31f1f-0f83-4721-b7ec-1e6948c60145 |
Medium | Build Process | AWS CloudFormation should have a template defined through the attribute template, template_url or attribute template_body | Documentation |
EBS Volume Encryption Disabled 4b6012e7-7176-46e4-8108-e441785eae57 |
Medium | Encryption | EBS Encryption should be enabled | Documentation |
Config Rule For Encrypted Volumes Disabled 7674a686-e4b1-4a95-83d4-1fd53c623d84 |
Medium | Encryption | Checks whether the AWS Config rule set lacks a rule sourced from the ENCRYPTED_VOLUMES managed rule | Documentation |
CodeBuild Not Encrypted a1423864-2fbc-4f46-bfe1-fbbf125c71c9 |
Medium | Encryption | CodeBuild Project should be encrypted | Documentation |
Instance With No VPC 61d1a2d0-4db8-405a-913d-5d2ce49dff6f |
Medium | Insecure Configurations | Instance should be configured in VPC (Virtual Private Cloud) | Documentation |
AWS Password Policy With Unchangeable Passwords e28ceb92-d588-4166-aac5-766c8f5b7472 |
Medium | Insecure Configurations | Unchangeable passwords in AWS password policy | Documentation |
Certificate RSA Key Bytes Lower Than 256 d5ec2080-340a-4259-b885-f833c4ea6a31 |
Medium | Insecure Configurations | The certificate should use an RSA key of at least 256 bytes (2048 bits) | Documentation |
API Gateway Without SSL Certificate b47b98ab-e481-4a82-8bb1-1ab39fd36e33 |
Medium | Insecure Configurations | SSL Client Certificate should be enabled in aws_api_gateway | Documentation |
ECR Image Tag Not Immutable 60bfbb8a-c72f-467f-a6dd-a46b7d612789 |
Medium | Insecure Configurations | ECR should have an image tag immutable | Documentation |
IAM Password Without Uppercase Letter 83957b81-39c1-4191-8e12-671d2ce14354 |
Medium | Insecure Configurations | Check if IAM account password has at least one uppercase letter | Documentation |
Lambda Function Without Tags 265d9725-2fb8-42a2-bc57-3279c5db82d5 |
Medium | Insecure Configurations | AWS Lambda Functions must have associated tags. | Documentation |
API Gateway Endpoint Config is Not Private 559439b2-3e9c-4739-ac46-17e3b24ec215 |
Medium | Networking and Firewall | The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet | Documentation |
SQL Analysis Services Port 2383 (TCP) is Publicly Accessible 7af1c447-c014-4f05-bd8b-ebe3a15734ac |
Medium | Networking and Firewall | Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it. | Documentation |
CloudTrail Multi Region Disabled 6ad087d7-a509-4b20-b853-9ef6f5ebaa98 |
Medium | Observability | Checks whether the CloudTrail trail is multi-region, so that events from every region are captured | Documentation |
API Gateway With CloudWatch Logging Disabled 72a931c2-12f5-40d1-93cc-47bff2f7aa2a |
Medium | Observability | CloudWatch logging is not enabled for the API Gateway stage | Documentation |
CloudWatch Without Retention Period Specified e24e18d9-4c2b-4649-b3d0-18c088145e24 |
Medium | Observability | CloudWatch log groups should specify a retention period for stored log events; without one, log events are kept indefinitely | Documentation |
API Gateway X-Ray Disabled 2059155b-27fd-441e-b616-6966c468561f |
Medium | Observability | API Gateway should have X-Ray Tracing enabled | Documentation |
Stack Notifications Disabled d39761d7-94ab-45b0-ab5e-27c44e381d58 |
Medium | Observability | AWS CloudFormation should have stack notifications enabled | Documentation |
S3 Bucket Without Versioning 9232306a-f839-40aa-b3ef-b352001da9a5 |
Medium | Observability | S3 bucket without versioning | Documentation |
Cloudfront Logging Disabled d31cb911-bf5b-4eb6-9fc3-16780c77c7bd |
Medium | Observability | AWS Cloudfront distributions must have logging enabled, which means the attribute 'logging' must be defined with 'enabled' set to true | Documentation |
CloudTrail Not Integrated With CloudWatch ebb2118a-03bc-4d53-ab43-d8750f5cb8d3 |
Medium | Observability | CloudTrail should be integrated with CloudWatch | Documentation |
CloudTrail SNS Topic Name Undefined 5ba316a9-c466-4ec1-8d5b-bc6107dc9a92 |
Medium | Observability | Check if SNS topic name is set for CloudTrail | Documentation |
No Stack Policy ffe0fd52-7a8b-4a5c-8fc7-49844418e6c9 |
Medium | Resource Management | AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions | Documentation |
Hardcoded AWS Access Key In Lambda f34508b9-f574-4330-b42d-88c44cced645 |
Medium | Secret Management | Lambda access key should not be in plaintext. | Documentation |
IAM Role Allows All Principals To Assume babdedcf-d859-43da-9a7b-6d72e661a8fd |
Low | Access Control | IAM role allows all services or principals to assume it | Documentation |
IAM Group Without Users f509931b-bbb0-443c-bd9b-10e92ecf2193 |
Low | Access Control | IAM Group should have at least one user associated | Documentation |
IAM Policy Grants 'AssumeRole' Permission Across All Services 12a7a7ce-39d6-49dd-923d-aeb4564eb66c |
Low | Access Control | IAM policy grants the 'sts:AssumeRole' action on all ('*') resources, letting the principal assume any role that trusts it | Documentation |
CDN Configuration Is Missing b25398a2-0625-4e61-8e4d-a1bb23905bf6 |
Low | Best Practices | A Content Delivery Network (CloudFront) should front origin content: it accelerates delivery and adds a layer between clients and the origin | Documentation |
IAM Policies Attached To User eafe4bc3-1042-4f88-b988-1939e64bf060 |
Low | Best Practices | IAM policies should be attached only to groups or roles | Documentation |
Lambda Permission Misconfigured 3ddf3417-424d-420d-8275-0724dc426520 |
Low | Best Practices | Lambda permission may be misconfigured if its 'action' field is not set to 'lambda:InvokeFunction' | Documentation |
EFS Without Tags b8a9852c-9943-4973-b8d5-77dae9352851 |
Low | Build Process | Amazon Elastic File System file systems should have tags associated | Documentation |
SQS with SSE disabled e1e7b278-2a8b-49bd-a26e-66a7f70b17eb |
Low | Encryption | SQS Queue should be protected with CMK encryption | Documentation |
Cloudfront Without WAF 22c80725-e390-4055-8d14-a872230f6607 |
Low | Networking and Firewall | All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service | Documentation |
Lambda Functions Without X-Ray Tracing 71397b34-1d50-4ee1-97cb-c96c34676f74 |
Low | Observability | AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_mode' should have the value 'Active' | Documentation |
CloudTrail Log File Validation Disabled 4d8681a2-3d30-4c89-8070-08acd142748e |
Low | Observability | CloudTrail Log Files should have validation enabled | Documentation |
S3 Bucket Logging Disabled c3b9f7b0-f5a0-49ec-9cbc-f1e346b7274d |
Low | Observability | S3 bucket without debug_botocore_endpoint_logs (note: this parameter turns on botocore endpoint logging for the Ansible module call itself, not S3 server access logging, so verify bucket access logging separately) | Documentation |
Hardcoded AWS Access Key c2f15af3-66a0-4176-a56e-e4711e502e5c |
Low | Secret Management | Check if the EC2 instance user data contains a hardcoded AWS access key | Documentation |
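The three network rows above (DB Security Group Open To Large Scope, Unrestricted Security Group Ingress, and SQL Analysis Services Port 2383 publicly accessible) all reduce to one question: how wide is the CIDR a rule admits, and which ports does it open. The following is an added example, not one of the KICS queries (those are written in Rego) and not Ansible code; it evaluates that logic in Python over the `rules` list of an `amazon.aws.ec2_security_group` task. The task layout (`proto`, `from_port`/`to_port` or `ports`, `cidr_ip`/`cidr_ipv6`) is assumed from the module documentation and the task itself is constructed sample data.

```python
"""Security-group CIDR scope check (added example; not KICS's own Rego query).

Covers: 'DB Security Group Open To Large Scope' (a CIDR covering more than 256
hosts), 'Unrestricted Security Group Ingress' (0.0.0.0/0 or ::/0) and 'SQL
Analysis Services Port 2383 (TCP) is Publicly Accessible'. The rule layout
follows amazon.aws.ec2_security_group (assumed); the task is constructed data.
"""
import ipaddress

MAX_HOSTS = 256          # threshold of the "large scope" row: /24 passes, /23 fails
WATCHED_TCP_PORT = 2383  # SQL Server Analysis Services


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def cidr_hosts(cidr):
    """Number of addresses covered by a CIDR (strict=False tolerates host bits set)."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses


def is_unrestricted(cidr):
    """True for 0.0.0.0/0 and ::/0."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def rule_port_ranges(rule):
    """Port ranges of one rule. The module accepts either from_port/to_port or a
    `ports` list such as ["22", "1024-2048"] (assumed here; check your version)."""
    if "ports" in rule:
        ranges = []
        for entry in _as_list(rule["ports"]):
            lo, _, hi = str(entry).partition("-")
            ranges.append((int(lo), int(hi or lo)))
        return ranges
    lo, hi = rule.get("from_port"), rule.get("to_port")
    if lo is None:
        return [(0, 65535)]  # no ports given: treat conservatively as all ports
    return [(int(lo), int(hi if hi is not None else lo))]


def rule_covers_port(rule, port, proto="tcp"):
    """Does the rule admit traffic to `port`/`proto`? proto -1/all covers everything."""
    p = str(rule.get("proto", "tcp")).lower()
    if p in ("-1", "all"):
        return True
    return p == proto and any(lo <= port <= hi for lo, hi in rule_port_ranges(rule))


def audit_security_group(task):
    """Return (finding, rule_index, cidr) triples for one ec2_security_group task."""
    findings = []
    for i, rule in enumerate(task.get("rules", [])):
        # group_id / group_name sources are not CIDR-scoped and are skipped here
        for cidr in _as_list(rule.get("cidr_ip")) + _as_list(rule.get("cidr_ipv6")):
            if is_unrestricted(cidr):
                findings.append(("unrestricted_ingress", i, cidr))
            if cidr_hosts(cidr) > MAX_HOSTS:
                findings.append(("large_scope", i, cidr))
            if is_unrestricted(cidr) and rule_covers_port(rule, WATCHED_TCP_PORT):
                findings.append(("port_2383_public", i, cidr))
    return findings


# Constructed sample task (module parameters only; the sg-... id is a placeholder).
SAMPLE_TASK = {
    "name": "db-sg",
    "rules": [
        {"proto": "tcp", "from_port": 5432, "to_port": 5432, "cidr_ip": "10.20.30.0/24"},  # 256 hosts: passes
        {"proto": "tcp", "from_port": 5432, "to_port": 5432, "cidr_ip": "10.0.0.0/8"},     # 16M hosts: too wide
        {"proto": "tcp", "ports": ["2383"], "cidr_ip": "0.0.0.0/0"},                      # SSAS open to the world
        {"proto": "tcp", "from_port": 22, "to_port": 22, "group_id": "sg-0123456789abcdef0"},
    ],
}

if __name__ == "__main__":
    for finding in audit_security_group(SAMPLE_TASK):
        print(finding)
```

Note the boundary: a /24 is exactly 256 addresses and passes the "more than 256 hosts" rule, a /23 fails it, and 0.0.0.0/0 trips all three checks at once, which is why the unrestricted row is rated High while the scope row is the one that catches "internal but far too wide" ranges such as 10.0.0.0/8.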
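Several Access Control rows are wildcard checks on a policy document: IAM Policy Grants Full Permissions (Action '*'), SQS Policy Allows All Actions ('sqs:*' or '*'), IAM Role Allows All Principals To Assume and SQS Policy With Public Access (Principal '*' in any of its spellings), and IAM Policy Grants 'AssumeRole' Permission Across All Services ('sts:AssumeRole' on Resource '*'). The added example below is not one of the KICS queries and not Ansible code; it shows the normalisation such a check needs, because Ansible modules accept the policy either as a dict or as a JSON string, and Statement, Action, Resource and Principal may each be a scalar or a list. All policy documents in it are constructed samples (123456789012 is the AWS documentation example account id).

```python
"""Wildcard checks on IAM / resource policy documents (added example; not
KICS's own Rego query). Policies may be a dict or a JSON string, with
Statement/Action/Resource/Principal as scalar or list. Samples are constructed.
"""
import json


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _allow_statements(doc):
    """Parse a dict or JSON string and yield (index, statement) for Allow
    statements; Deny statements never widen access and are ignored."""
    if isinstance(doc, str):
        doc = json.loads(doc)
    for i, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect", "Allow") == "Allow":
            yield i, stmt


def _principal_is_wildcard(principal):
    """'*', {"AWS": "*"} and {"AWS": ["*"]} all mean 'anyone'."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(principal.get(key)) for key in ("AWS", "Federated"))
    return False


def wildcard_action_statements(doc, service=None):
    """Indices of Allow statements whose Action contains '*' (or '<service>:*').
    A NotAction statement is reported too: it grants everything except the
    listed actions, which reviewers often miss."""
    hits = []
    wild = {"*"} | ({f"{service.lower()}:*"} if service else set())
    for i, stmt in _allow_statements(doc):
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if wild & actions or "NotAction" in stmt:
            hits.append(i)
    return hits


def public_principal_statements(doc):
    """(index, narrowed_by_condition) for Allow statements open to any principal.
    A Condition (e.g. aws:SourceArn) may narrow the grant, so it is reported
    alongside the hit rather than silently accepted."""
    return [(i, "Condition" in stmt) for i, stmt in _allow_statements(doc)
            if _principal_is_wildcard(stmt.get("Principal"))]


def assume_role_on_any_resource(doc):
    """Indices of Allow statements granting sts:AssumeRole on Resource '*'."""
    hits = []
    for i, stmt in _allow_statements(doc):
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if actions & {"sts:assumerole", "sts:*", "*"} and "*" in _as_list(stmt.get("Resource")):
            hits.append(i)
    return hits


# Constructed samples.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]}
ADMIN_POLICY = json.dumps({"Version": "2012-10-17", "Statement":  # JSON string form
    {"Effect": "Allow", "Action": ["s3:GetObject", "*"], "Resource": "*"}})
HOPPER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "*"}]}
SQS_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "sqs:*",
     "Resource": "arn:aws:sqs:eu-west-1:123456789012:orders",
     "Condition": {"ArnEquals": {"aws:SourceArn": "arn:aws:sns:eu-west-1:123456789012:order-events"}}},
    {"Effect": "Deny", "Principal": "*", "Action": "sqs:*", "Resource": "*"}]}

if __name__ == "__main__":
    print("trust policy open to all principals:", public_principal_statements(TRUST_POLICY))
    print("admin policy wildcard actions:", wildcard_action_statements(ADMIN_POLICY))
    print("role-hopping policy:", assume_role_on_any_resource(HOPPER_POLICY))
    print("sqs policy:", wildcard_action_statements(SQS_POLICY, service="sqs"),
          public_principal_statements(SQS_POLICY))
```

The trust policy has no Resource element, so it is reported only by the principal check and not by the AssumeRole check; the SQS sample shows why the Condition flag matters: its `aws:SourceArn` condition restricts the wildcard principal to one SNS topic, which a reviewer should confirm rather than a scanner assume.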
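The two Secret Management rows (Hardcoded AWS Access Key in EC2 user data, Hardcoded AWS Access Key In Lambda) look for long-term credentials pasted into task parameters. The added example below is not a KICS query and not Ansible code; it scans the parameters a playbook passes to `amazon.aws.ec2_instance` (`user_data`) and `community.aws.lambda` (`environment_variables`) for an access key id or secret key, and also decodes base64-wrapped user data, a common way keys slip past a plain grep. The module and parameter names are assumed from the collections' documentation, the sample tasks are constructed, and the credentials in them are the pair AWS publishes for documentation (AKIAIOSFODNN7EXAMPLE / wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY).

```python
"""Hardcoded AWS credential scan for playbook task parameters (added example;
not KICS's own Rego query). Module and parameter names are assumed from the
amazon.aws / community.aws documentation; sample tasks are constructed.
"""
import base64
import binascii
import re

# Access key ids are AKIA (long-term) or ASIA (temporary) plus 16 [A-Z0-9] chars.
ACCESS_KEY_ID = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Secret keys are 40 base64-alphabet chars; anchor on the variable name to limit noise.
SECRET_KEY_ASSIGNMENT = re.compile(
    r"(?i)aws_secret_access_key[\"'=:\s]+([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])")
SECRET_KEY_VALUE = re.compile(r"^[A-Za-z0-9/+]{40}$")

SCANNED_MODULES = ("amazon.aws.ec2_instance", "community.aws.lambda")


def _user_data_texts(user_data):
    """Yield the raw user_data and, when it is valid base64, its decoded form."""
    yield "user_data", user_data
    try:
        decoded = base64.b64decode(user_data, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return
    yield "user_data(base64)", decoded


def scan_text(text):
    """Credential kinds found in free text."""
    kinds = []
    if ACCESS_KEY_ID.search(text):
        kinds.append("access_key_id")
    if SECRET_KEY_ASSIGNMENT.search(text):
        kinds.append("secret_access_key")
    return kinds


def scan_task(task):
    """Return (task name, location, kind) triples for one playbook task."""
    findings = []
    name = task.get("name", "<unnamed>")
    for module in SCANNED_MODULES:
        params = task.get(module)
        if not isinstance(params, dict):
            continue
        user_data = params.get("user_data")
        if isinstance(user_data, str):
            for location, text in _user_data_texts(user_data):
                findings += [(name, location, kind) for kind in scan_text(text)]
        for var, value in (params.get("environment_variables") or {}).items():
            if not isinstance(value, str):
                continue
            location = f"environment_variables.{var}"
            if ACCESS_KEY_ID.search(value):
                findings.append((name, location, "access_key_id"))
            if var.upper() == "AWS_SECRET_ACCESS_KEY" and SECRET_KEY_VALUE.match(value):
                findings.append((name, location, "secret_access_key"))
    return findings


SAMPLE_TASKS = [  # constructed tasks; credentials are the AWS documentation examples
    {"name": "web", "amazon.aws.ec2_instance": {"user_data":
        "#!/bin/bash\nexport AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"}},
    {"name": "fn", "community.aws.lambda": {"environment_variables":
        {"AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE", "TABLE": "orders"}}},
    {"name": "b64", "amazon.aws.ec2_instance": {"user_data":
        base64.b64encode(b"export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n").decode()}},
    # The right pattern: pull the script from a file or vault lookup, nothing inline.
    {"name": "ok", "amazon.aws.ec2_instance": {"user_data": "{{ lookup('file', 'bootstrap.sh') }}"}},
]

if __name__ == "__main__":
    for task in SAMPLE_TASKS:
        print(task["name"], scan_task(task))
```

The fix on the Ansible side is the same in both cases: give the instance or function an IAM role and let the SDK pick up temporary credentials, so that no key needs to exist in the playbook at all.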