Terraform

Terraform Queries List

This page contains all queries from Terraform.

GCP

Bellow are listed queries related with Terraform GCP:

Query	Severity	Category	Description	Help
SQL DB Instance Is Publicly Accessible b187edca-b81e-4fdc-aff4-aab57db45edb	High	Access Control	Check if any Cloud SQL instances are publicly accessible.	Documentation
Cloud Storage Bucket Is Publicly Accessible c010082c-76e0-4b91-91d9-6e8439e455dd	High	Access Control	Cloud Storage Bucket is anonymously or publicly accessible	Documentation
VM With Full Cloud Access bc280331-27b9-4acb-a010-018e8098aa5d	High	Access Control	A VM instance is configured to use the default service account with full access to all Cloud APIs	Documentation
OSLogin Disabled 32ecd6eb-0711-421f-9627-1a28d9eff217	High	Access Control	Verifies that the OSLogin is enabled	Documentation
BigQuery Dataset Is Public e576ce44-dd03-4022-a8c0-3906acca2ab4	High	Access Control	BigQuery dataset is anonymously or publicly accessible	Documentation
SQL DB Instance Backup Disabled cf3c7631-cd1e-42f3-8801-a561214a6e79	High	Backup	Checks if backup configuration is enabled for all Cloud SQL Database instances	Documentation
DNSSEC Using RSASHA1 ccc3100c-0fdd-4a5e-9908-c10107291860	High	Encryption	Checks if, within the 'dnssec_config' block, the 'default_key_specs' block exists with the 'algorithm' field is 'rsasha1' which is bad.	Documentation
High KMS Rotation Period 352271ca-842f-408a-8b24-f6f2b76eb027	High	Encryption	Check that keys aren't the same for a period greater than 365 days.	Documentation
SQL DB Instance With SSL Disabled 02474449-71aa-40a1-87ae-e14497747b00	High	Encryption	Cloud SQL Database Instance with SSL disabled for incoming connections	Documentation
IP Aliasing Disabled c606ba1d-d736-43eb-ac24-e16108f3a9e0	High	Insecure Configurations	Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribut 'ip_allocation_policy' must be defined and, if defined, the attribute 'networking_mode' must be VPC_NATIVE	Documentation
GKE Legacy Authorization Enabled 5baa92d2-d8ee-4c75-88a4-52d9d8bb8067	High	Insecure Configurations	Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'enable_legacy_abac' must not be true	Documentation
COS Node Image Not Used 8a893e46-e267-485a-8690-51f39951de58	High	Insecure Configurations	A node image, that is not Container-Optimized OS (COS), is used for Kubernetes Engine Clusters Node image	Documentation
Client Certificate Disabled 73fb21a1-b19a-45b1-b648-b47b1678681e	High	Insecure Configurations	Kubernetes Clusters must be created with Client Certificate enabled, which means 'master_auth' must have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to true	Documentation
Network Policy Disabled 11e7550e-c4b6-472e-adff-c698f157cdd7	High	Insecure Configurations	Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false	Documentation
Cluster Labels Disabled 65c1bc7a-4835-4ac4-a2b6-13d310b0648d	High	Insecure Configurations	Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined	Documentation
Private Cluster Disabled 6ccb85d7-0420-4907-9380-50313f80946b	High	Insecure Configurations	Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_nodes' and 'enable_private_endpoint' must be true	Documentation
Cluster Master Authentication Disabled 1baba08e-3c8a-4be7-95eb-dced5833de21	High	Insecure Configurations	Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'master_auth' must have the subattributes 'username' and 'password' defined and not empty	Documentation
Not Proper Email Account In Use 9356962e-4a4f-4d06-ac59-dc8008775eaa	High	Insecure Configurations	Gmail accounts are being used instead of corporate credentials	Documentation
Pod Security Policy Disabled 9192e0f9-eca5-4056-9282-ae2a736a4088	High	Insecure Configurations	Kubernetes Clusters must have Pod Security Policy controller enabled, which means there must be a 'pod_security_policy_config' with the 'enabled' attribute equal to true	Documentation
GKE Basic Authentication Enabled 70cdf849-b7d9-4569-b87d-5d82ffd44719	High	Insecure Configurations	GCP - Google Kubernetes Engine (GKE) Basic Authentication must be disabled, which means the username and password provided in the master_auth block must be empty	Documentation
Stackdriver Logging Disabled 4c7ebcb2-eae2-461e-bc83-456ee2d4f694	High	Observability	Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must be defined and different from 'none'	Documentation
Object Versioning Not Enabled e7e961ac-d17e-4413-84bc-8a1fbe242944	High	Observability	Object Versioning Not Enabled on Cloud Storage Bucket	Documentation
Cloud Storage Bucket Logging Not Enabled d6cabc3a-d57e-48c2-b341-bf3dd4f4a120	High	Observability	Cloud storage bucket with logging not enabled	Documentation
Stackdriver Monitoring Disabled 30e8dfd2-3591-4d19-8d11-79e93106c93d	High	Observability	Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must be defined and different than 'none'	Documentation
IAM Audit Not Properly Configured 89fe890f-b480-460c-8b6b-7d8b1468adb4	High	Observability	Audit Logging Configuration is defective	Documentation
Node Auto Upgrade Disabled b139213e-7d24-49c2-8025-c18faa21ecaa	High	Resource Management	Node 'auto_upgrade' should be enabled for Kubernetes Clusters	Documentation
Google Project IAM Member Service Account Has Admin Role 84d36481-fd63-48cb-838e-635c44806ec2	Medium	Access Control	Verifies that Google Project IAM Member Service Account doesn't have an Admin Role associated	Documentation
Cloud Storage Anonymous or Publicly Accessible a6cd52a1-3056-4910-96a5-894de9f3f3b3	Medium	Access Control	Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'members' must not possess 'allUsers' or 'allAuthenticatedUsers'	Documentation
Google Project IAM Member Service Account has Token Creator or Account User Role c68b4e6d-4e01-4ca1-b256-1e18e875785c	Medium	Access Control	Verifies if Google Poject IAM Member Service Account doesn't have a Account User or Token Creator associated	Documentation
Google Project IAM Binding Service Account has Token Creator or Account User Role 617ef6ff-711e-4bd7-94ae-e965911b1b40	Medium	Access Control	Verifies if Google Project IAM Binding Service Account doesn't have an Account User or Token Creator Role associated	Documentation
Google Compute SSL Policy Weak Cipher In Use 14a457f0-473d-4d1d-9e37-6d99b355b336	Medium	Encryption	This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers	Documentation
High Google KMS Crypto Key Rotation Period d8c57c4e-bf6f-4e32-a2bf-8643532de77b	Medium	Encryption	Make sure Encryption keys change after 90 days	Documentation
Disk Encryption Disabled b1d51728-7270-4991-ac2f-fc26e2695b38	Medium	Encryption	VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined	Documentation
OSLogin Is Disabled For VM Instance d0b4d550-c001-46c3-bbdb-d5d75d33f05f	Medium	Insecure Configurations	Check if any VM instance disables OSLogin	Documentation
Google Container Node Pool Auto Repair Disabled acfdbec6-4a17-471f-b412-169d77553332	Medium	Insecure Configurations	Verifies if Google Container Node Pool Auto Repair is Enabled	Documentation
Google Storage Bucket Level Access Enabled bb0db090-5509-4853-a827-75ced0b3caa0	Medium	Insecure Configurations	Validates if the Google Storage Bucket Level Access is Enabled	Documentation
Using Default Service Account 3cb4af0b-056d-4fb1-8b95-fdc4593625ff	Medium	Insecure Configurations	Instances must not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account' and its sub attribute 'email' must be defined. Additionally, 'email' must not be empty and must also not be a default Google Compute Engine service account.	Documentation
Cloud DNS without DNSSEC 5ef61c88-bbb4-4725-b1df-55d23c9676bb	Medium	Insecure Configurations	Cloud DNS without DNSSEC	Documentation
Serial Ports Are Enabled For VM Instances 97fa667a-d05b-4f16-9071-58b939f34751	Medium	Insecure Configurations	Check if VM instance enables serial ports	Documentation
Project-wide SSH Keys Are Enabled In VM Instances 3e4d5ce6-3280-4027-8010-c26eeea1ec01	Medium	Insecure Configurations	Check if SSH keys are enabled project-wide in VM instances	Documentation
Google Project Auto Create Network Disabled 59571246-3f62-4965-a96f-c7d97e269351	Medium	Insecure Configurations	Verifies if the Google Project Auto Create Network is Disabled	Documentation
Shielded VM Disabled 1b44e234-3d73-41a8-9954-0b154135280e	Medium	Insecure Configurations	Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true	Documentation
IP Forwarding Enabled f34c0c25-47b4-41eb-9c79-249b4dd47b89	Medium	Networking and Firewall	Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true	Documentation
RDP Access Is Not Restricted 678fd659-96f2-454a-a2a0-c2571f83a4a3	Medium	Networking and Firewall	Check if Google Firewall ingress allows RDP access (port 3389)	Documentation
SSH Access Is Not Restricted c4dcdcdf-10dd-4bf4-b4a0-8f6239e6aaa0	Medium	Networking and Firewall	Check if Google Firewall allows SSH access (port 22) from the Internet (public CIDR block)	Documentation
Google Compute Subnetwork Logging Disabled 40430747-442d-450a-a34f-dc57149f4609	Medium	Observability	This query checks if logs are enabled for a Google Compute Subnetwork resource.	Documentation
### GITHUB
Bellow are listed queries related with Terraform GITHUB:

Query	Severity	Category	Description	Help
Github Organization Webhook With SSL Disabled ce7c874e-1b88-450b-a5e4-cb76ada3c8a9	Medium	Encryption	Check if insecure SSL is being used in the GitHub organization webhooks	Documentation
GitHub Repository Set To Public 15d8a7fd-465a-4d15-a868-add86552f17b	Medium	Insecure Configurations	Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private')	Documentation
### KUBERNETES
Bellow are listed queries related with Terraform KUBERNETES:

Query	Severity	Category	Description	Help
Not Limited Capabilities For Pod Security Policy 2acb555f-f4ad-4b1b-b984-84e6588f4b05	High	Insecure Configurations	Limit capabilities for a Pod Security Policy	Documentation
NET_RAW Capabilities Not Being Dropped e5587d53-a673-4a6b-b3f2-ba07ec274def	High	Insecure Configurations	Containers should drop 'NET_RAW' or 'ALL' capabilities	Documentation
Cluster Allows Unsafe Sysctls a9174d31-d526-4ad9-ace4-ce7ddbf52e03	High	Insecure Configurations	A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means the 'spec.security_context.sysctl' must not have an unsafe sysctls and that the attribute 'allowed_unsafe_sysctls' must be undefined.	Documentation
Privilege Escalation Allowed c878abb4-cca5-4724-92b9-289be68bd47c	High	Insecure Configurations	Admission of privileged containers should be minimized	Documentation
PSP Allows Containers To Share The Host Network Namespace 4950837c-0ce5-4e42-9bee-a25eae73740b	High	Insecure Configurations	Check if Pod Security Policies allow containers to share the host network namespace.	Documentation
Container Is Privileged 87065ef8-de9b-40d8-9753-f4a4303e27a4	High	Insecure Configurations	Do not allow container to be privileged.	Documentation
Shared Host IPC Namespace e94d3121-c2d1-4e34-a295-139bfeb73ea3	High	Insecure Configurations	Container should not share the host IPC namespace	Documentation
Shared Host Network Namespace ac1564a3-c324-4747-9fa1-9dfc234dace0	High	Insecure Configurations	Container should not share the host network namespace	Documentation
Host Aliases Undefined Or Empty 5d05ea11-ae3e-470e-9864-97e55fb2b2e0	High	Insecure Configurations	A Kubernetes Pod should have Host Aliases defined as to prevent the container from modifying the file after a pod's containers have already been started. This means the attribute 'spec.host_aliases' must be defined and not empty or null.	Documentation
Tiller (Helm v2) Is Deployed ca2fba76-c1a7-4afd-be67-5249f861cb0e	High	Insecure Configurations	Check if Tiller is deployed.	Documentation
Role Binding To Default Service Account 3360c01e-c8c0-4812-96a2-a6329b9b7f9f	High	Insecure Defaults	No role nor cluster role should bind to a default service account	Documentation
RBAC Roles with Read Secrets Permissions 826abb30-3cd5-4e0b-a93b-67729b4f7e63	Medium	Access Control	Minimize access to secrets (RBAC)	Documentation
Non Kube System Pod With Host Mount 86a947ea-f577-4efb-a8b0-5fc00257d521	Medium	Access Control	A non kube-system workload should not have hostPath mounted	Documentation
Readiness Probe Is Not Configured 8657197e-3f87-4694-892b-8144701d83c1	Medium	Availability	Check if Readiness Probe is not configured.	Documentation
Liveness Probe Is Not Defined 5b6d53dd-3ba3-4269-b4d7-f82e880e43c3	Medium	Availability	Liveness Probe must be defined	Documentation
Root Containers Admitted 4c415497-7410-4559-90e8-f2c8ac64ee38	Medium	Best Practices	Containers must not be allowed to run with root privileges, which means the attributes 'privileged' and 'allow_privilege_escalation' must be set to false, 'run_as_user.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden	Documentation
Incorrect Volume Claim Access Mode ReadWriteOnce 26b047a9-0329-48fd-8fb7-05bbe5ba80ee	Medium	Build Process	Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce'	Documentation
Containers With Added Capabilities fe771ff7-ba15-4f8f-ad7a-8aa232b49a28	Medium	Insecure Configurations	Kubernetes Pod should not have extra capabilities allowed	Documentation
PSP Allows Sharing Host IPC 51bed0ac-a8ae-407a-895e-90c6cb0610ce	Medium	Insecure Configurations	Pod Security Policy allows containers to share the host IPC namespace	Documentation
Containers With Sys Admin Capabilities 3f55386d-75cd-4e9a-ac47-167b26c04724	Medium	Insecure Configurations	Containers should not have CAP_SYS_ADMIN Linux capability	Documentation
Seccomp Profile Is Not Configured 455f2e0c-686d-4fcb-8b5f-3f953f12c43c	Medium	Insecure Configurations	Check if any resource does not configure Seccomp default profile properly	Documentation
Container Resources Limits Undefined 60af03ff-a421-45c8-b214-6741035476fa	Medium	Insecure Configurations	Kubernetes container should have resource limitations defined such as CPU and memory	Documentation
Workload Mounting With Sensitive OS Directory a737be28-37d8-4bff-aa6d-1be8aa0a0015	Medium	Insecure Configurations	Workload is mounting a volume with sensitive OS Directory	Documentation
PSP With Added Capabilities 48388bd2-7201-4dcc-b56d-e8a9efa58fad	Medium	Insecure Configurations	PodSecurityPolicy should not have added capabilities	Documentation
NET_RAW Capabilities Disabled for PSP 9aa32890-ac1a-45ee-81ca-5164e2098556	Medium	Insecure Configurations	Containers need to have NET_RAW or All as drop capabilities	Documentation
Default Service Account In Use 737a0dd9-0aaa-4145-8118-f01778262b8a	Medium	Insecure Configurations	Default service accounts should not be actively used	Documentation
PSP Allows Privilege Escalation 2bff9906-4e9b-4f71-9346-8ebedfdf43ef	Medium	Insecure Configurations	PodSecurityPolicy should not allow privilege escalation	Documentation
Using Default Namespace abcb818b-5af7-4d72-aba9-6dd84956b451	Medium	Insecure Configurations	The default namespace should not be used	Documentation
Container Runs Unmasked 0ad60203-c050-4115-83b6-b94bde92541d	Medium	Insecure Configurations	Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime.	Documentation
PSP Set To Privileged a6a4d4fc-4e8f-47d1-969f-e9d4a084f3b9	Medium	Insecure Configurations	Do not allow pod to request execution as privileged	Documentation
Container Host Pid Is True 587d5d82-70cf-449b-9817-f60f9bccb88c	Medium	Insecure Configurations	Minimize the admission of containers wishing to share the host process ID namespace	Documentation
Ingress Controller Exposes Workload e2c83c1f-84d7-4467-966c-ed41fd015bb9	Medium	Insecure Configurations	Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks	Documentation
Service Account Name Undefined Or Empty 24b132df-5cc7-4823-8029-f898e1c50b72	Medium	Insecure Defaults	A Kubernetes Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'service_account_name' should be defined and not empty.	Documentation
Service Account Token Automount Not Disabled a9a13d4f-f17a-491b-b074-f54bffffcb4a	Medium	Insecure Defaults	Service Account Tokens are automatically mounted even if not necessary	Documentation
Network Policy Is Not Targeting Any Pod b80b14c6-aaa2-4876-b651-8a48b6c32fbf	Medium	Networking and Firewall	Check if any network policy is not targeting any pod.	Documentation
Service With External Load Balance 2a52567c-abb8-4651-a038-52fa27c77aed	Medium	Networking and Firewall	Service has an external load balancer, which may cause accessibility from other networks and the Internet	Documentation
Memory Limits Not Defined fd097ed0-7fe6-4f58-8b71-fef9f0820a21	Medium	Resource Management	Memory limits should be specified	Documentation
CPU Limits Not Set 5f4735ce-b9ba-4d95-a089-a37a767b716f	Medium	Resource Management	CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests	Documentation
Volume Mount With OS Directory Write Permissions a62a99d1-8196-432f-8f80-3c100b05d62a	Medium	Resource Management	Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries.	Documentation
CPU Requests Not Set 577ac19c-6a77-46d7-9f14-e049cdd15ec2	Medium	Resource Management	CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node	Documentation
Memory Requests Not Defined 21719347-d02b-497d-bda4-04a03c8e5b61	Medium	Resource Management	Memory requests should be specified	Documentation
Shared Service Account f74b9c43-161a-4799-bc95-0b0ec81801b9	Medium	Secret Management	A Service Account token is shared between workloads	Documentation
Service Account Allows Access Secrets 07fc3413-e572-42f7-9877-5c8fc6fccfb5	Medium	Secret Management	Kubernetes_role and Kubernetes_cluster_role when binded, should not use get, list or watch as verbs	Documentation
Missing App Armor Config bd6bd46c-57db-4887-956d-d372f21291b6	Low	Access Control	Containers should be configured with AppArmor for any application to reduce its potential attack	Documentation
Cluster Admin Rolebinding With Superuser Permissions 17172bc2-56fb-4f17-916f-a014147706cd	Low	Access Control	Ensure that the cluster-admin role is only used where required (RBAC)	Documentation
Permissive Access to Create Pods 522d4a64-4dc9-44bd-9240-7d8a0d5cb5ba	Low	Access Control	The permission to create pods in a cluster should be restricted because it allows privilege escalation.	Documentation
Docker Daemon Socket is Exposed to Containers 4e203a65-c8d8-49a2-b749-b124d43c9dc1	Low	Access Control	Sees if Docker Daemon Socket is not exposed to Containers	Documentation
StatefulSet Without PodDisruptionBudget 7249e3b0-9231-4af3-bc5f-5daf4988ecbf	Low	Availability	StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability	Documentation
StatefulSet Without Service Name 420e6360-47bb-46f6-9072-b20ed22c842d	Low	Availability	Check if the StatefulSet have a headless 'serviceName'	Documentation
Deployment Without PodDisruptionBudget a05331ee-1653-45cb-91e6-13637a76e4f0	Low	Availability	Deployments should be assigned with a PodDisruptionBudget to ensure high availability	Documentation
HPA Targets Invalid Object 17e52ca3-ddd0-4610-9d56-ce107442e110	Low	Availability	The Horizontal Pod Autoscale must target a valid object	Documentation
No Drop Capabilities for Containers 21cef75f-289f-470e-8038-c7cee0664164	Low	Best Practices	Sees if Kubernetes Drop Capabilities exists to ensure containers security context	Documentation
Metadata Label Is Invalid bc3dabb6-fd50-40f8-b9ba-7429c9f1fb0e	Low	Best Practices	Check if any label in the metadata is invalid.	Documentation
Root Container Not Mounted As Read-only d532566b-8d9d-4f3b-80bd-361fe802f9c2	Low	Build Process	Check if the root container filesystem is not being mounted as read-only.	Documentation
StatefulSet Requests Storage fcc2612a-1dfe-46e4-8ce6-0320959f0040	Low	Build Process	A StatefulSet requests volume storage.	Documentation
Image Pull Policy Of The Container Is Not Set To Always aa737abf-6b1d-4aba-95aa-5c160bd7f96e	Low	Insecure Configurations	Image Pull Policy of the container must be defined and set to Always	Documentation
Image Without Digest 228c4c19-feeb-4c18-848c-800ac70fdfb7	Low	Insecure Configurations	Sees if Kubernetes image has digest on	Documentation
Pod or Container Without Security Context ad69e38a-d92e-4357-a8da-f2f29d545883	Low	Insecure Configurations	A security context defines privilege and access control settings for a Pod or Container	Documentation
Workload Host Port Not Specified 4e74cf4f-ff65-4c1a-885c-67ab608206ce	Low	Networking and Firewall	Verifies if Kubernetes workload's host port is specified	Documentation
Service Type is NodePort 5c281bf8-d9bb-47f2-b909-3f6bb11874ad	Low	Networking and Firewall	Service type should not be NodePort	Documentation
CronJob Deadline Not Configured 58876b44-a690-4e9f-9214-7735fa0dd15d	Low	Resource Management	Cronjobs must have a configured deadline, which means the attribute 'starting_deadline_seconds' must be defined	Documentation
Deployment Has No PodAntiAffinity 461ed7e4-f8d5-4bc1-b3c6-64ddb4fd00a3	Low	Resource Management	Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node.	Documentation
Secrets As Environment Variables 6d8f1a10-b6cd-48f0-b960-f7c535d5cdb8	Low	Secret Management	Container should not use secrets as environment variables	Documentation
Invalid Image e76cca7c-c3f9-4fc9-884c-b2831168ebd8	Low	Supply-Chain	Image must be defined and not be empty or equal to latest.	Documentation
### AZURE
Bellow are listed queries related with Terraform AZURE:

Query	Severity	Category	Description	Help
Role Assignment Not Limit Guest User Permissions 8e75e431-449f-49e9-b56a-c8f1378025cf	High	Access Control	Role Assignment should limit guest user permissions	Documentation
Admin User Enabled For Container Registry b897dfbf-322c-45a8-b67c-1e698beeaa51	High	Access Control	Admin user is enabled for Container Registry	Documentation
Function App Authentication Disabled e65a0733-94a0-4826-82f4-df529f4c593f	High	Access Control	Azure Function App authentication settings should be enabled	Documentation
Role Assignment Of Guest Users 2bc626a8-0751-446f-975d-8139214fc790	High	Access Control	There is a role assignment for guest user	Documentation
Storage Container Is Publicly Accessible dd5230f8-a577-4bbb-b7ac-f2c2fe7d5299	High	Access Control	Anonymous, public read access to a container and its blobs are enabled in Azure Blob Storage	Documentation
Public Storage Account 17f75827-0684-48f4-8747-61129c7e4198	High	Access Control	Storage Account should not be public	Documentation
Geo Redundancy Is Disabled 8b042c30-e441-453f-b162-7696982ebc58	High	Backup	Make sure that on PostgreSQL Geo Redundant Backups is enabled	Documentation
App Service Not Using Latest TLS Encryption Version b7b9d1c7-2d3b-49b4-b867-ebbe68d0b643	High	Encryption	Ensure App Service is using the latest version of TLS encryption	Documentation
Storage Account Not Forcing HTTPS 12944ec4-1fa0-47be-8b17-42a034f937c2	High	Encryption	See that Storage Accounts forces the use of HTTPS	Documentation
MySQL SSL Connection Disabled 73e42469-3a86-4f39-ad78-098f325b4e9f	High	Encryption	Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled	Documentation
SSL Enforce Disabled 0437633b-daa6-4bbc-8526-c0d2443b946e	High	Encryption	Make sure that for PosgreSQL, the 'Enforce SSL connection' is set to 'ENABLED'	Documentation
Function App Not Using Latest TLS Encryption Version 45fc717a-bd86-415c-bdd8-677901be1aa6	High	Encryption	Ensure Function App is using the latest version of TLS encryption	Documentation
Trusted Microsoft Services Not Enabled 5400f379-a347-4bdd-a032-446465fdcc6f	High	Insecure Configurations	Trusted MIcrosoft Services are not enabled for Storage Account access	Documentation
Web App Accepting Traffic Other Than HTTPS 11e9a948-c6c3-4a0f-8dcf-b5cf1763cdbe	High	Insecure Configurations	Web app should only accept HTTPS traffic in Azure Web App Service.	Documentation
Function App FTPS Enforce Disabled 9dab0179-433d-4dff-af8f-0091025691df	High	Insecure Configurations	Azure Function App should only enforce FTPS when 'ftps_state' is enabled	Documentation
App Service FTPS Enforce Disabled 85da374f-b00f-4832-9d44-84a1ca1e89f8	High	Insecure Configurations	Azure App Service should only enforce FTPS when 'ftps_state' is enabled	Documentation
VM Not Attached To Network bbf6b3df-4b65-4f87-82cc-da9f30f8c033	High	Insecure Configurations	No Network Security Group is attached to the Virtual Machine	Documentation
AD Admin Not Configured For SQL Server a3a055d2-9a2e-4cc9-b9fb-12850a1a3a4b	High	Insecure Configurations	The Active Directory Administrator is not configured for a SQL server	Documentation
Redis Not Updated Regularly b947809d-dd2f-4de9-b724-04d101c515aa	High	Insecure Configurations	Redis Cache is not configured to be updated regularly with security and operational updates	Documentation
Network Watcher Flow Disabled b90842e5-6779-44d4-9760-972f4c03ba1c	High	Insecure Configurations	Check if enable field in the resource azurerm_network_watcher_flow_log is false.	Documentation
Azure Container Registry With No Locks a187ac47-8163-42ce-8a63-c115236be6fb	High	Insecure Configurations	Azurerm Container Registry Must Contain Associated Locks	Documentation
MySQL Server Public Access Enabled f118890b-2468-42b1-9ce9-af35146b425b	High	Networking and Firewall	MySQL Server public access should be disabled	Documentation
SSH Is Exposed To The Internet 3e3c175e-aadf-4e2b-a464-3fdac5748d24	High	Networking and Firewall	Port 22 (SSH) is exposed to the internet	Documentation
SQLServer Ingress From Any IP 25c0ea09-f1c5-4380-b055-3b83863f2bb8	High	Networking and Firewall	Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255.	Documentation
Sensitive Port Is Exposed To Entire Network 594c198b-4d79-41b8-9b36-fde13348b619	High	Networking and Firewall	A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol	Documentation
Redis Entirely Accessible fd8da341-6760-4450-b26c-9f6d8850575e	High	Networking and Firewall	Firewall rule allowing unrestricted access to Redis from the Internet	Documentation
Azure App Service Client Certificate Disabled a81573f9-3691-4d83-88a0-7d4af63e17a3	High	Networking and Firewall	Azure App Service client certificate should be enabled	Documentation
CosmosDB Account IP Range Filter Not Set c2a3efb6-8a58-481c-82f2-bfddf34bb4b7	High	Networking and Firewall	The Ip Range Must Contain Ips	Documentation
MSSQL Server Public Network Access Enabled ade36cf4-329f-4830-a83d-9db72c800507	High	Networking and Firewall	MSSQL Server public network access should be disabled	Documentation
Redis Publicly Accessible 5089d055-53ff-421b-9482-a5267bdce629	High	Networking and Firewall	Firewall rule allowing unrestricted access to Redis from other Azure sources	Documentation
RDP Is Exposed To The Internet efbf6449-5ec5-4cfe-8f15-acc51e0d787c	High	Networking and Firewall	Port 3389 (Remote Desktop) is exposed to the internet	Documentation
Vault Auditing Disabled 38c71c00-c177-4cd7-8d36-cd1007cdb190	High	Observability	Ensure that logging for Azure KeyVault is 'Enabled'	Documentation
SQL Database Audit Disabled 83a229ba-483e-47c6-8db7-dc96969bce5a	High	Resource Management	Ensure that 'Threat Detection' is enabled for Azure SQL Database	Documentation
App Service Managed Identity Disabled b61cce4b-0cc4-472b-8096-15617a6d769b	High	Resource Management	Azure App Service should have managed identity enabled	Documentation
PostgreSQL Server Threat Detection Policy Disabled c407c3cf-c409-4b29-b590-db5f4138d332	High	Resource Management	PostgreSQL Server Threat Detection Policy should be enabled	Documentation
Key Expiration Not Set 4d080822-5ee2-49a4-8984-68f3d4c890fc	High	Secret Management	Make sure that for all keys the expiration date is set	Documentation
Secret Expiration Not Set dfa20ffa-f476-428f-a490-424b41e91c7f	High	Secret Management	Make sure that for all secrets the expiration date is set	Documentation
Role Definition Allows Custom Role Creation 3fa5900f-9aac-4982-96b2-a6143d9c99fb	Medium	Access Control	Role Definition should not allow custom role creation	Documentation
Storage Share File Allows All ACL Permissions 48bbe0fd-57e4-4678-a4a1-119e79c90fc3	Medium	Access Control	Azure Storage Share File should not allow all ACL (Access Control List) permissions - r (read), w (write), d (delete), and l (list).	Documentation
AKS RBAC Disabled 86f92117-eed8-4614-9c6c-b26da20ff37f	Medium	Access Control	Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled	Documentation
Storage Table Allows All ACL Permissions 3ac3e75c-6374-4a32-8ba0-6ed69bda404e	Medium	Access Control	Azure Storage Table should not allow all ACL (Access Control List) permissions - r (read), w (write), d (delete), and l (list).	Documentation
SQL Server Predictable Active Directory Account Name bcd3fc01-5902-4f2a-b05a-227f9bbf5450	Medium	Best Practices	Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'login' must be set to a name that is not easy to predict	Documentation
Unrestricted SQL Server Access d7ba74da-2da0-4d4b-83c8-2fd72a3f6c28	Medium	Best Practices	Azure SQL Server Accessibility must be set to a minimal address range, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' must be lesser than 256. Additionally, both ips must be different from '0.0.0.0'	Documentation
Security Contact Email 34664094-59e0-4524-b69f-deaa1a68cce3	Medium	Best Practices	Security Contact Email should be defined	Documentation
SQL Server Predictable Admin Account Name 2ab6de9a-0136-415c-be92-79d2e4fd750f	Medium	Best Practices	Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'administrator_login' must be set to a name that is not easy to predict	Documentation
Cosmos DB Account Without Tags 56dad03e-e94f-4dd6-93a4-c253a03ff7a0	Medium	Build Process	Cosmos DB Account must have a mapping of tags.	Documentation
AKS Disk Encryption Set ID Undefined b17d8bb8-4c08-4785-867e-cb9e62a622aa	Medium	Encryption	Azure Container Service (AKS) should use Disk Encryption Set ID	Documentation
Storage Account Not Using Latest TLS Encryption Version 8263f146-5e03-43e0-9cfe-db960d56d1e7	Medium	Encryption	Ensure Storage Account is using the latest version of TLS encryption	Documentation
Redis Cache Allows Non SSL Connections e29a75e6-aba3-4896-b42d-b87818c16b58	Medium	Encryption	Check if any Redis Cache resource allows non-SSL connections.	Documentation
Encryption On Managed Disk Disabled a99130ab-4c0e-43aa-97f8-78d4fcb30024	Medium	Encryption	Ensure that the encryption is active on the disk	Documentation
Small Flow Logs Retention Period 7750fcca-dd03-4d38-b663-4b70289bcfd4	Medium	Insecure Configurations	Flow logs enable capturing information about IP traffic flowing in and out of the network security groups. Network Security Group Flow Logs must be enabled with retention period greater than or equal to 90 days. This is important, because these logs are used to check for anomalies and give information of suspected breaches	Documentation
Security Group is Not Configured 5c822443-e1ea-46b8-84eb-758ec602e844	Medium	Insecure Configurations	Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty	Documentation
Function App Managed Identity Disabled c87749b3-ff10-41f5-9df2-c421e8151759	Medium	Insecure Configurations	Azure Function App should have managed identity enabled	Documentation
Security Center Pricing Tier Is Not Standard 819d50fd-1cdf-45c3-9936-be408aaad93e	Medium	Insecure Configurations	Make sure that the 'Standard' pricing tiers were selected.	Documentation
Function App Client Certificates Unrequired 9bb3c639-5edf-458c-8ee5-30c17c7d671d	Medium	Insecure Configurations	Azure Function App should have 'client_cert_mode' set to required	Documentation
AKS Network Policy Misconfigured f5342045-b935-402d-adf1-8dbbd09c0eef	Medium	Insecure Configurations	Check if the Azure Kubernetes Service doesn't have the proper network policy configuration.	Documentation
Default Network Access is Allowed 9be09caf-2ba4-4fa9-9787-a670dc32c639	Medium	Insecure Defaults	Default Network Access rule for Storage Accounts must be set to deny, which means the attribute 'default_action' must be 'Deny'	Documentation
Default Azure Storage Account Network Access Is Too Permissive a5613650-32ec-4975-a305-31af783153ea	Medium	Insecure Defaults	Default Azure Storage Account network access should be set to Deny	Documentation
Sensitive Port Is Exposed To Small Public Network e9dee01f-2505-4df2-b9bf-7804d1fd9082	Medium	Networking and Firewall	A sensitive port, such as port 23 or port 110, is open for small public network in either TCP or UDP protocol	Documentation
Azure Cognitive Search Public Network Access Enabled 4a9e0f00-0765-4f72-a0d4-d31110b78279	Medium	Networking and Firewall	Public Network Access should be disabled for Azure Cognitive Search	Documentation
Sensitive Port Is Exposed To Wide Private Network c6c7b33d-d7f6-4ab8-8c82-ca0431ecdb7e	Medium	Networking and Firewall	A sensitive port, such as port 23 or port 110, is open for wide private network in either TCP or UDP protocol	Documentation
MariaDB Server Public Network Access Enabled 7f0a8696-7159-4337-ad0d-8a3ab4a78195	Medium	Networking and Firewall	MariaDB Server Public Network Access should be disabled	Documentation
WAF Is Disabled For Azure Application Gateway 2e48d91c-50e4-45c8-9312-27b625868a72	Medium	Networking and Firewall	Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway.	Documentation
Firewall Rule Allows Too Many Hosts To Access Redis Cache a829b715-cf75-4e92-b645-54c9b739edfb	Medium	Networking and Firewall	Check if any firewall rule allows too many hosts to access Redis Cache	Documentation
Network Interfaces With Public IP c1573577-e494-4417-8854-7e119368dc8b	Medium	Networking and Firewall	Network Interfaces must not be exposed with a public IP address	Documentation
PostgreSQL Log Checkpoints Disabled 3790d386-be81-4dcf-9850-eaa7df6c10d9	Medium	Observability	Make sure that for Postgre SQL Database Server, parameter 'log_checkpoints' is set to 'ON'	Documentation
PostgreSQL Log Disconnections Not Set 07f7134f-9f37-476e-8664-670c218e4702	Medium	Observability	Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON'	Documentation
PostgreSQL Log Connections Not Set c640d783-10c5-4071-b6c1-23507300d333	Medium	Observability	Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON'	Documentation
MSSQL Server Auditing Disabled 609839ae-bd81-4375-9910-5bce72ae7b92	Medium	Observability	Make sure that for MSSQL Servers, that 'Auditing' is set to 'On'	Documentation
Small Activity Log Retention Period 2b856bf9-8e8c-4005-875f-303a8cba3918	Medium	Observability	Ensure that Activity Log Retention is set 365 days or greater	Documentation
PostgreSQL Log Duration Not Set 16e0879a-c4ae-4ff8-a67d-a2eed5d67b8f	Medium	Observability	Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON'	Documentation
Small MSSQL Audit Retention Period 9c301481-e6ec-44f7-8a49-8ec63e2969ea	Medium	Observability	Make sure that for MSSQL Server, the Auditing Retention is greater than 90 days	Documentation
Small MSSQL Server Audit Retention 59acb56b-2b10-4c2c-ba38-f2223c3f5cfc	Medium	Observability	Make sure for SQL Servers that Auditing Retention is greater than 90 days	Documentation
Small PostgreSQL DB Server Log Retention Period 261a83f8-dd72-4e8c-b5e1-ebf06e8fe606	Medium	Observability	Check if PostgreSQL Database Server retains logs for less than 3 Days	Documentation
SQL Server Auditing Disabled f7e296b0-6660-4bc5-8f87-22ac4a815edf	Medium	Observability	Make sure that for SQL Servers, 'Auditing' is set to 'On'	Documentation
PostgreSQL Server Without Connection Throttling 2b3c671f-1b76-4741-8789-ed1fe0785dc4	Medium	Observability	Ensure that Connection Throttling is set for the PostgreSQL server	Documentation
Log Retention Is Not Set ffb02aca-0d12-475e-b77c-a726f7aeff4b	Medium	Observability	Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON'	Documentation
Email Alerts Disabled 9db38e87-f6aa-4b5e-a1ec-7266df259409	Medium	Observability	Make sure that alerts notifications are set to 'On' in the Azure Security Center Contact	Documentation
Azure Active Directory Authentication a21c8da9-41bf-40cf-941d-330cf0d11fc7	Low	Access Control	Azure Active Directory must be used for authentication for Service Fabric	Documentation
MariaDB Server Geo-redundant Backup Disabled 0a70d5f3-1ecd-4c8e-9292-928fc9a8c4f1	Low	Backup	MariaDB Server Geo-redundant Backup should be enabled	Documentation
Key Vault Secrets Content Type Undefined f8e08a38-fc6e-4915-abbe-a7aadf1d59ef	Low	Best Practices	Key Vault Secrets should have set Content Type	Documentation
AKS Uses Azure Policies Add-On Disabled 43789711-161b-4708-b5bb-9d1c626f7492	Low	Best Practices	Azure Container Service (AKS) should use Azure Policies Add-On	Documentation
PostgreSQL Server Infrastructure Encryption Disabled 6425c98b-ca4e-41fe-896a-c78772c131f8	Low	Encryption	PostgreSQL Server Infrastructure Encryption should be enabled	Documentation
Function App HTTP2 Disabled ace823d1-4432-4dee-945b-cdf11a5a6bd0	Low	Insecure Configurations	Function App should have 'http2_enabled' enabled	Documentation
Dashboard Is Enabled 61c3cb8b-0715-47e4-b788-86dde40dd2db	Low	Insecure Configurations	Check if the Kubernetes Dashboard is enabled.	Documentation
App Service HTTP2 Disabled 525b53be-62ed-4244-b4df-41aecfcb4071	Low	Insecure Configurations	App Service should have 'http2_enabled' enabled	Documentation
Network Interfaces IP Forwarding Enabled 4216ebac-d74c-4423-b437-35025cb88af5	Low	Networking and Firewall	Network Interfaces IP Forwarding should be disabled	Documentation
Azure Front Door WAF Disabled 835a4f2f-df43-437d-9943-545ccfc55961	Low	Networking and Firewall	Azure Front Door WAF should be enabled	Documentation
AKS Private Cluster Disabled 599318f2-6653-4569-9e21-041d06c63a89	Low	Networking and Firewall	Azure Kubernetes Service (AKS) API should not be exposed to the internet	Documentation
App Service Authentication Disabled c7fc1481-2899-4490-bbd8-544a3a61a2f3	Info	Access Control	Azure App Service authentication settings should be enabled	Documentation
SQL Server Alert Email Disabled 55975007-f6e7-4134-83c3-298f1fe4b519	Info	Best Practices	SQL Server alert email should be enabled	Documentation
### AWS
Bellow are listed queries related with Terraform AWS:

Query	Severity	Category	Description	Help
Neptune Cluster Instance is Publicly Accessible 9ba198e0-fef4-464a-8a4d-75ea55300de7	High	Access Control	Neptune Cluster Instance should not be publicly accessible	Documentation
S3 Bucket ACL Allows Read Or Write to All Users 38c5ee0d-7f22-4260-ab72-5073048df100	High	Access Control	S3 bucket with public READ/WRITE access	Documentation
SQS Queue Exposed abb06e5f-ef9a-4a99-98c6-376d396bfcdf	High	Access Control	Checks if the SQS Queue is exposed	Documentation
S3 Bucket Allows List Action From All Principals 66c6f96f-2d9e-417e-a998-9058aeeecd44	High	Access Control	S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals.	Documentation
S3 Bucket With All Permissions a4966c4f-9141-48b8-a564-ffe9959945bc	High	Access Control	S3 Buckets must not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion	Documentation
IAM Policies With Full Privileges 2f37c4a3-58b9-4afe-8a87-d7f1d2286f84	High	Access Control	IAM policies that allow full administrative privileges (for all resources)	Documentation
EFS With Vulnerable Policy fae52418-bb8b-4ac2-b287-0b9082d6a3fd	High	Access Control	EFS (Elastic File System) policy should avoid wildcard in 'Action' and 'Principal'.	Documentation
S3 Bucket Allows Put Action From All Principals d24c0755-c028-44b1-b503-8e719c898832	High	Access Control	S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals.	Documentation
S3 Bucket Allows Public Policy 1a4bc881-9f69-4d44-8c9a-d37d08f54c50	High	Access Control	S3 bucket allows public policy	Documentation
S3 Bucket Allows Get Action From All Principals 1df37f4b-7197-45ce-83f8-9994d2fcf885	High	Access Control	S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals.	Documentation
S3 Bucket ACL Allows Read to Any Authenticated User 57b9893d-33b1-4419-bcea-a717ea87e139	High	Access Control	Misconfigured S3 buckets can leak private information to the entire internet or allow unauthorized data tampering / deletion	Documentation
S3 Bucket Access to Any Principal 7af43613-6bb9-4a0e-8c4d-1314b799425e	High	Access Control	S3 Buckets must not allow Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when there are All Principals	Documentation
IAM Role With Full Privileges b1ffa705-19a3-4b73-b9d0-0c97d0663842	High	Access Control	IAM role policy that allow full administrative privileges (for all resources)	Documentation
S3 Bucket Allows WriteACP Action From All Principals 64a222aa-7793-4e40-915f-4b302c76e4d4	High	Access Control	S3 Buckets must not allow Write_ACP Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Write_ACP, for all Principals.	Documentation
S3 Bucket Allows Delete Action From All Principals ffdf4b37-7703-4dfe-a682-9d2e99bc6c09	High	Access Control	S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals.	Documentation
ECS Service Admin Role is Present 3206240f-2e87-4e58-8d24-3e19e7c83d7c	High	Access Control	ECS Services must not have Admin roles, which means the attribute 'iam_role' must not be an admin role	Documentation
S3 Bucket Allows All Actions From All Principals 51cf6f14-6a52-4642-97fb-10db078382d3	High	Access Control	S3 Buckets must not allow All Actions (wildcard) From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is *, for all Principals.	Documentation
EFS Not Encrypted 48207659-729f-4b5c-9402-f884257d794f	High	Encryption	Elastic File System (EFS) must be encrypted	Documentation
DOCDB Cluster Not Encrypted bc1f9009-84a0-490f-ae09-3e0ea6d74ad6	High	Encryption	AWS DOCDB Cluster storage should be encrypted	Documentation
IAM Database Auth Not Enabled 88fd05e0-ac0e-43d2-ba6d-fc0ba60ae1a6	High	Encryption	IAM Database Auth Enabled must be configured to true	Documentation
Athena Workgroup Not Encrypted d364984a-a222-4b5f-a8b0-e23ab19ebff3	High	Encryption	Athena Workgroup query results should be encrypted, for all queries that run in the workgroup	Documentation
AMI Not Encrypted 8bbb242f-6e38-4127-86d4-d8f0b2687ae2	High	Encryption	AWS AMI Encryption is not enabled	Documentation
User Data Shell Script Is Encoded 9cf718ce-46f9-430e-89ec-c456f8b469ee	High	Encryption	Base64 Shell Script must be encoded	Documentation
ELB Using Insecure Protocols 126c1788-23c2-4a10-906c-ef179f4f96ec	High	Encryption	ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of insecure protocols.	Documentation
Launch Configuration Is Not Encrypted 4de9de27-254e-424f-bd70-4c1e95790838	High	Encryption	Data stored in the Launch configuration EBS is not securely encrypted	Documentation
Memcached Disabled 4bd15dd9-8d5e-4008-8532-27eb0c3706d3	High	Encryption	Check if the Memcached is disabled on the ElastiCache	Documentation
Kinesis Not Encrypted With KMS 862fe4bf-3eec-4767-a517-40f378886b88	High	Encryption	AWS Kinesis Streams and metadata should be protected with KMS	Documentation
ELB Using Weak Ciphers 4a800e14-c94a-442d-9067-5a2e9f6c0a4c	High	Encryption	ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of weak ciphers.	Documentation
EFS Without KMS 25d251f3-f348-4f95-845c-1090e41a615c	High	Encryption	Elastic File System (EFS) must have KMS Key ID	Documentation
DOCDB Cluster Without KMS 4766d3ea-241c-4ee6-93ff-c380c996bd1a	High	Encryption	AWS DOCDB Cluster should be encrypted with a KMS encryption key	Documentation
ECS Task Definition Volume Not Encrypted 4d46ff3b-7160-41d1-a310-71d6d370b08f	High	Encryption	AWS ECS Task Definition EFS data in transit between AWS ECS host and AWS EFS server should be encrypted	Documentation
Automatic Minor Upgrades Disabled 3b6d777b-76e3-4133-80a3-0d6f667ade7f	High	Encryption	RDS Instance Auto Minor Version Upgrade feature in Aws Db Instance must be true	Documentation
EKS Cluster Encryption Disabled 63ebcb19-2739-4d3f-aa5c-e8bbb9b85281	High	Encryption	EKS Cluster should be encrypted	Documentation
S3 Bucket SSE Disabled 6726dcc0-5ff5-459d-b473-a780bef7665c	High	Encryption	If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required	Documentation
ECS Task Definition Container With Plaintext Password d40210ea-64b9-4cce-a4fb-e8604f3c062c	High	Encryption	It's not recommended to use plaintext environment variables for sensitive information, such as credential data.	Documentation
Sagemaker Endpoint Configuration Encryption Disabled 58b35504-0287-4154-bf69-02c0573deab8	High	Encryption	Sagemaker endpoint configuration should encrypt data	Documentation
S3 Bucket Object Not Encrypted 5fb49a69-8d46-4495-a2f8-9c8c622b2b6e	High	Encryption	S3 Bucket Object should have server-side encryption enabled	Documentation
CodeBuild Project Encrypted With AWS Managed Key 3deec14b-03d2-4d27-9670-7d79322e3340	High	Encryption	CodeBuild Project should be encrypted with customer-managed KMS keys instead of AWS managed keys	Documentation
Kinesis SSE Not Configured 5c6dd5e7-1fe0-4cae-8f81-4c122717cef3	High	Encryption	AWS Kinesis Server data at rest should have Server Side Encryption (SSE) enabled	Documentation
Workspaces Workspace Volume Not Encrypted b9033580-6886-401a-8631-5f19f5bb24c7	High	Encryption	AWS Workspaces Workspace data stored in volumes should be encrypted	Documentation
Secure Ciphers Disabled 5c0003fb-9aa0-42c1-9da3-eb0e332bef21	High	Encryption	Check if secure ciphers aren't used in CloudFront	Documentation
MSK Cluster Encryption Disabled 6db52fa6-d4da-4608-908a-89f0c59e743e	High	Encryption	Ensure MSK Cluster encryption in rest and transit is enabled	Documentation
Viewer Protocol Policy Allows HTTP 55af1353-2f62-4fa0-a8e1-a210ca2708f5	High	Encryption	Checks if the connection between the CloudFront and the origin server is encrypted	Documentation
EBS Volume Snapshot Not Encrypted e6b4b943-6883-47a9-9739-7ada9568f8ca	High	Encryption	The value on AWS EBS Volume Snapshot Encryptation must be true	Documentation
Redis Not Compliant 254c932d-e3bf-44b2-bc9d-eb5fdb09f8d4	High	Encryption	Check if the redis version is compliant with the necessary AWS PCI DSS requirements	Documentation
API Gateway Method Settings Cache Not Encrypted b7c9a40c-23e4-4a2d-8d39-a3352f10f288	High	Encryption	API Gateway Method Settings Cache should be encrypted	Documentation
Redshift Not Encrypted cfdcabb0-fc06-427c-865b-c59f13e898ce	High	Encryption	Check if 'encrypted' field is false or undefined (default is false)	Documentation
RDS Database Cluster not Encrypted 656880aa-1388-488f-a6d4-8f73c23149b2	High	Encryption	RDS Database Cluster Encryption should be enabled	Documentation
Glue Security Configuration Encryption Disabled ad5b4e97-2850-4adf-be17-1d293e0b85ee	High	Encryption	Glue Security Configuration Encryption should have 'cloudwatch_encryption', 'job_bookmarks_encryption' and 's3_encryption' enabled	Documentation
Athena Database Not Encrypted b2315cae-b110-4426-81e0-80bb8640cdd3	High	Encryption	AWS Athena Database data in S3 should be encrypted	Documentation
User Data Contains Encoded Private Key 443488f5-c734-460b-a36d-5b3f330174dc	High	Encryption	User Data Base64 contains an encoded RSA Private Key	Documentation
Glue Data Catalog Encryption Disabled 01d50b14-e933-4c99-b314-6d08cd37ad35	High	Encryption	Glue Data Catalog Encryption Settings should have 'connection_password_encryption' and 'encryption_at_rest' enabled	Documentation
RDS Storage Not Encrypted 3199c26c-7871-4cb3-99c2-10a59244ce7f	High	Encryption	Check if RDS Cluster Storage isn't encrypted. Happens when 'storage_encrypted' is not set to 'true'	Documentation
Sagemaker Notebook Instance Without KMS f3674e0c-f6be-43fa-b71c-bf346d1aed99	High	Encryption	AWS SageMaker should encrypt model artifacts at rest using Amazon S3 server-side encryption with an AWS KMS	Documentation
DB Instance Storage Not Encrypted 08bd0760-8752-44e1-9779-7bb369b2b4e4	High	Encryption	The parameter storage_encrypted in aws_db_instance must be set to 'true' (the default is 'false').	Documentation
CA certificate Identifier is outdated 9f40c07e-699e-4410-8856-3ba0f2e3a2dd	High	Encryption	The CA certificate Identifier must be 'rds-ca-2019'.	Documentation
CloudWatch Log Group Not Encrypted 0afbcfe9-d341-4b92-a64c-7e6de0543879	High	Encryption	AWS CloudWatch Log groups should be encrypted using KMS	Documentation
DAX Cluster Not Encrypted f11aec39-858f-4b6f-b946-0a1bf46c0c87	High	Encryption	AWS DAX Cluster should have server-side encryption at rest	Documentation
EBS Default Encryption Disabled 3d3f6270-546b-443c-adb4-bb6fb2187ca6	High	Encryption	EBS Encryption should be enabled	Documentation
DB Instance Publicly Accessible 35113e6f-2c6b-414d-beec-7a9482d3b2d1	High	Insecure Configurations	The field 'publicly_accessible' should not be set to 'true' (default is 'false').	Documentation
Authentication Without MFA 3ddfa124-6407-4845-a501-179f90c65097	High	Insecure Configurations	Users should authenticate with MFA (Multi-factor Authentication)	Documentation
S3 Static Website Host Enabled 42bb6b7f-6d54-4428-b707-666f669d94fb	High	Insecure Configurations	Checks if any static websties are hosted on buckets	Documentation
SQS With SSE Disabled 6e8849c1-3aa7-40e3-9063-b85ee300f29f	High	Insecure Configurations	Amazon Simple Queue Service (SQS) queue is not protecting the contents of their messages using Server-Side Encryption (SSE)	Documentation
ECS Task Definition Network Mode Not Recommended 9f4a9409-9c60-4671-be96-9716dbf63db1	High	Insecure Configurations	Network_Mode should be 'awsvpc' in ecs_task_defenition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations	Documentation
S3 Bucket Without Restriction Of Public Bucket 1ec253ab-c220-4d63-b2de-5b40e0af9293	High	Insecure Configurations	S3 bucket without restriction of public bucket	Documentation
IAM User Policy Without MFA b5681959-6c09-4f55-b42b-c40fa12d03ec	High	Insecure Configurations	Check if the root user is authenticated with MFA	Documentation
DB Security Group Has Public IP f0d8781f-99bf-4958-9917-d39283b168a0	High	Insecure Configurations	The CIDR IP must not be Public	Documentation
KMS Key With Vulnerable Policy 7ebc9038-0bde-479a-acc4-6ed7b6758899	High	Insecure Configurations	Checks if the policy is vulnerable and needs updating.	Documentation
Redshift Publicly Accessible af173fde-95ea-4584-b904-bb3923ac4bda	High	Insecure Configurations	Check if 'publicly_accessible' field is true or undefined (default is true)	Documentation
API Gateway Without Security Policy 4e1cc5d3-2811-4fb2-861c-ee9b3cb7f90b	High	Insecure Configurations	API Gateway should have a Security Policy defined and use TLS 1.2.	Documentation
Root Account Has Active Access Keys 970d224d-b42a-416b-81f9-8f4dfe70c4bc	High	Insecure Configurations	The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive.	Documentation
CloudFront Without Minimum Protocol TLS 1.2 00e5e55e-c2ff-46b3-a757-a7a1cd802456	High	Insecure Configurations	CloudFront Minimum Protocol version should be at least TLS 1.2	Documentation
S3 Bucket Without Enabled MFA Delete c5b31ab9-0f26-4a49-b8aa-4cc064392f4d	High	Insecure Configurations	S3 bucket without MFA Delete Enabled. MFA delete cannot be enabled through Terraform, it can be done by adding a MFA device (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable.html) and enabling versioning and MFA delete by using AWS CLI: 'aws s3api put-bucket-versioning --versioning-configuration=Status=Enabled,MFADelete=Enabled --bucket= --mfa='	Documentation
Batch Job Definition With Privileged Container Properties 66cd88ac-9ddf-424a-b77e-e55e17630bee	High	Insecure Configurations	Batch Job Definition should not have Privileged Container Properties	Documentation
S3 Bucket with Unsecured CORS Rule 98a8f708-121b-455b-ae2f-da3fb59d17e1	High	Insecure Configurations	If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure	Documentation
No Password Policy Enabled b592ffd4-0577-44b6-bd35-8c5ee81b5918	High	Insecure Configurations	IAM password policies should be set through the password minimum length and reset password attributes	Documentation
Vulnerable Default SSL Certificate 3a1e94df-6847-4c0e-a3b6-6c6af4e128ef	High	Insecure Defaults	CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one.	Documentation
Default Security Groups With Unrestricted Traffic 46883ce1-dc3e-4b17-9195-c6a601624c73	High	Networking and Firewall	Check if default security group does not restrict all inbound and outbound traffic.	Documentation
Network ACL With Unrestricted Access To SSH 3af7f2fd-06e6-4dab-b996-2912bea19ba4	High	Networking and Firewall	'SSH' (TCP:22) should not be public in AWS Network ACL	Documentation
ALB Listening on HTTP de7f5e83-da88-4046-871f-ea18504b1d43	High	Networking and Firewall	AWS Application Load Balancer (alb) should not listen on HTTP	Documentation
VPC Default Security Group Accepts All Traffic 9a4ef195-74b9-4c58-b8ed-2b2fe4353a75	High	Networking and Firewall	Default Security Group attached to every VPC should restrict all traffic	Documentation
Remote Desktop Port Open 151187cb-0efc-481c-babd-ad24e3c9bc22	High	Networking and Firewall	The Remote Desktop port is open in a Security Group	Documentation
Security Group With Unrestricted Access To SSH 65905cec-d691-4320-b320-2000436cb696	High	Networking and Firewall	'SSH' (TCP:22) should not be public in AWS Security Group	Documentation
Route53 Record Undefined 25db74bf-fa3b-44da-934e-8c3e005c0453	High	Networking and Firewall	Check if Record is set	Documentation
Unknown Port Exposed To Internet 590d878b-abdc-428f-895a-e2b68a0e1998	High	Networking and Firewall	AWS Security Group should not have an unknown port exposed to the entire Internet	Documentation
Sensitive Port Is Exposed To Entire Network 381c3f2a-ef6f-4eff-99f7-b169cda3422c	High	Networking and Firewall	A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol	Documentation
EKS Cluster Has Public Access CIDRs 61cf9883-1752-4768-b18c-0d57f2737709	High	Networking and Firewall	Amazon EKS public endpoint is enables and accessible to all: 0.0.0.0/0"	Documentation
HTTP Port Open ffac8a12-322e-42c1-b9b9-81ff85c39ef7	High	Networking and Firewall	The HTTP port is open in a Security Group	Documentation
DB Security Group With Public Scope 1e0ef61b-ad85-4518-a3d3-85eaad164885	High	Networking and Firewall	The IP address in a DB Security Group must not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6).	Documentation
EKS node group remote access disabled ba40ace1-a047-483c-8a8d-bc2d3a67a82d	High	Networking and Firewall	EKS node group remote access is disabled when 'SourceSecurityGroups' is missing	Documentation
Network ACL With Unrestricted Access To RDP a20be318-cac7-457b-911d-04cc6e812c25	High	Networking and Firewall	'RDP' (TCP:3389) should not be public in AWS Network ACL	Documentation
VPC Peering Route Table with Unrestricted CIDR b3a41501-f712-4c4f-81e5-db9a7dc0e34e	High	Networking and Firewall	VPC Peering Route Table should restrict CIDR	Documentation
DB Security Group Open To Large Scope 4f615f3e-fb9c-4fad-8b70-2e9f781806ce	High	Networking and Firewall	The IP address in a DB Security Group must not have more than 256 hosts.	Documentation
Unrestricted Security Group Ingress 4728cd65-a20c-49da-8b31-9c08b423e4db	High	Networking and Firewall	Security groups allow ingress from 0.0.0.0:0	Documentation
EC2 Instance Has Public IP 5a2486aa-facf-477d-a5c1-b010789459ce	High	Networking and Firewall	EC2 Instance should not have a public IP address.	Documentation
CloudWatch IAM Policy Changes Alarm Missing eaaba502-2f94-411a-a3c2-83d63cc1776d	High	Observability	Ensure a log metric filter and alarm exist for IAM policy changes	Documentation
Configuration Aggregator to All Regions Disabled ac5a0bc0-a54c-45aa-90c3-15f7703b9132	High	Observability	AWS Config Configuration Aggregator All Regions must be set to True	Documentation
KMS Key With No Deletion Window 0b530315-0ea4-497f-b34c-4ff86268f59d	High	Observability	AWS KMS Key should have a valid deletion window	Documentation
CloudTrail Log Files Not Encrypted 5d9e3164-9265-470c-9a10-57ae454ac0c7	High	Observability	Logs delivered by CloudTrail should be encrypted using KMS	Documentation
CloudWatch Console Sign-in Without MFA Alarm Missing 44ceb4fa-0897-4fd2-b676-30e7a58f2933	High	Observability	Ensure a log metric filter and alarm exist for management console sign-in without MFA	Documentation
CloudWatch Root Account Use Missing 8b1b1e67-6248-4dca-bbad-93486bb181c0	High	Observability	Ensure a log metric filter and alarm exist for root acount usage	Documentation
CMK Rotation Disabled 22fbfeac-7b5a-421a-8a27-7a2178bb910b	High	Observability	Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled.	Documentation
CloudTrail Logging Disabled 4bb76f17-3d63-4529-bdca-2b454529d774	High	Observability	Checks if logging is enabled for CloudTrail.	Documentation
CloudWatch Unauthorized Access Alarm Missing 4c18a45b-4ab1-4790-9f83-399ac695f1e5	High	Observability	Ensure a log metric filter and alarm exist for unauthorized API calls	Documentation
CloudTrail Log Files S3 Bucket with Logging Disabled ee9e50e8-b2ed-4176-ad42-8fc0cf7593f4	High	Observability	CloudTrail Log Files S3 Bucket should have 'logging' enabled	Documentation
CloudTrail Log Files S3 Bucket is Publicly Accessible bd0088a5-c133-4b20-b129-ec9968b16ef3	High	Observability	CloudTrail Log Files S3 Bucket should not be publicly accessible	Documentation
Certificate Has Expired c3831315-5ae6-4fa8-b458-3d4d5ab7a3f6	Medium	Access Control	Expired SSL/TLS certificates should be removed	Documentation
Elasticsearch Domain With Vulnerable Policy 16c4216a-50d3-4785-bfb2-4adb5144a8ba	Medium	Access Control	Elasticsearch Domain policy should avoid wildcard in 'Action' and 'Principal'.	Documentation
ECR Repository Is Publicly Accessible e86e26fc-489e-44f0-9bcd-97305e4ba69a	Medium	Access Control	Amazon ECR image repositories shouldn't have public access	Documentation
Public and Private EC2 Share Role c53c7a89-f9d7-4c7b-8b66-8a555be99593	Medium	Access Control	Public and private EC2 istances should not share the same role.	Documentation
Lambda Permission Principal Is Wildcard e08ed7eb-f3ef-494d-9d22-2e3db756a347	Medium	Access Control	Lambda Permission Principal should not contain a wildcard.	Documentation
IAM Role Policy passRole Allows All e39bee8c-fe54-4a3f-824d-e5e2d1cca40a	Medium	Access Control	Using the iam:passrole action with wildcards (*) in the resource can be overly permissive because it allows iam:passrole permissions on multiple resources	Documentation
SNS Topic Publicity Has Allow and NotAction Simultaneously 5ea624e4-c8b1-4bb3-87a4-4235a776adcc	Medium	Access Control	SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'.	Documentation
AMI Shared With Multiple Accounts ba4e0031-3e9d-4d7d-b0d6-bd8f003f8698	Medium	Access Control	Limits access to AWS AMIs by checking if more than one account is using the same image	Documentation
Glue With Vulnerable Policy d25edb51-07fb-4a73-97d4-41cecdc53a22	Medium	Access Control	Glue policy should avoid wildcard in 'principals' and 'actions'	Documentation
CloudWatch Logs Destination With Vulnerable Policy db0ec4c4-852c-46a2-b4f3-7ec13cdb12a8	Medium	Access Control	CloudWatch Logs destination policy should avoid wildcard in 'principals' and 'actions'	Documentation
S3 Bucket Allows Public ACL d0cc8694-fcad-43ff-ac86-32331d7e867f	Medium	Access Control	S3 bucket allows public ACL	Documentation
API Gateway Method Does Not Contains An API Key 671211c5-5d2a-4e97-8867-30fc28b02216	Medium	Access Control	An API Key should be required on a method request.	Documentation
Policy Without Principal bbe3dd3d-fea9-4b68-a785-cfabe2bbbc54	Medium	Access Control	All policies, except IAM identity-based policies, should have the 'Principal' element defined	Documentation
Neptune Cluster With IAM Database Authentication Disabled c91d7ea0-d4d1-403b-8fe1-c9961ac082c5	Medium	Access Control	Neptune Cluster should have IAM Database Authentication enabled	Documentation
REST API With Vulnerable Policy b161c11b-a59b-4431-9a29-4e19f63e6b27	Medium	Access Control	REST API policy should avoid wildcard in 'Action' and 'Principal'	Documentation
SQS Policy Allows All Actions 816ea8cf-d589-442d-a917-2dd0ce0e45e3	Medium	Access Control	SQS policy allows ALL (*) actions	Documentation
IAM Access Key Is Exposed 7081f85c-b94d-40fd-8b45-a4f1cac75e46	Medium	Access Control	Check if IAM Access Key is active for some user besides 'root'	Documentation
IAM Policy Grants Full Permissions 575a2155-6af1-4026-b1af-d5bc8fe2a904	Medium	Access Control	IAM policies allow all ('*') in a statement action	Documentation
Secrets Manager With Vulnerable Policy fa00ce45-386d-4718-8392-fb485e1f3c5b	Medium	Access Control	Secrets Manager policy should avoid wildcard in 'Principal' and 'Action'	Documentation
IAM User With Access To Console 9ec311bf-dfd9-421f-8498-0b063c8bc552	Medium	Access Control	AWS IAM Users should not have access to console	Documentation
SQS Policy With Public Access 730675f9-52ed-49b6-8ead-0acb5dd7df7f	Medium	Access Control	SQS policy with public access	Documentation
Lambda With Vulnerable Policy ad9dabc7-7839-4bae-a957-aa9120013f39	Medium	Access Control	The attribute 'action' should not have wildcard	Documentation
SNS Topic is Publicly Accessible For Subscription b26d2b7e-60f6-413d-a3a1-a57db24aa2b3	Medium	Access Control	This query checks if SNS Topic is Accessible For Subscription	Documentation
CMK Is Unusable 7350fa23-dcf7-4938-916d-6a60b0c73b50	Medium	Availability	AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true	Documentation
ECS Service Without Running Tasks 91f16d09-689e-4926-aca7-155157f634ed	Medium	Availability	ECS Service should have at least 1 task running	Documentation
Auto Scaling Group With No Associated ELB 8e94dced-9bcc-4203-8eb7-7e41202b2505	Medium	Availability	AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty.	Documentation
ElastiCache Nodes Not Created Across Multi AZ 6db03a91-f933-4f13-ab38-a8b87a7de54d	Medium	Availability	Check if ElastiCache nodes are not being created across multi AZ	Documentation
Stack Retention Disabled 6e0e2f68-3fd9-4cd8-a5e4-e2213ef0df97	Medium	Backup	Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction	Documentation
RDS With Backup Disabled 1dc73fb4-5b51-430c-8c5f-25dcf9090b02	Medium	Backup	RDS configured without backup	Documentation
ElastiCache Redis Cluster Without Backup 8fdb08a0-a868-4fdf-9c27-ccab0237f1ab	Medium	Backup	ElastiCache Redis cluster should have 'snapshot_retention_limit' higher than 0	Documentation
RDS Cluster With Backup Disabled e542bd46-58c4-4e0f-a52a-1fb4f9548e02	Medium	Best Practices	RDS Cluster backup retention period should be specifically defined	Documentation
Misconfigured Password Policy Expiration ce60d060-efb8-4bfd-9cf7-ff8945d00d90	Medium	Best Practices	No password expiration policy	Documentation
IAM Password Without Symbol 7a70eed6-de3a-4da2-94da-a2bbc8fe2a48	Medium	Best Practices	Check if IAM account password has the required symbols	Documentation
IAM Password Without Minimum Length 1bc1c685-e593-450e-88fb-19db4c82aa1d	Medium	Best Practices	Check if IAM account password has the required minimum length	Documentation
ALB Not Dropping Invalid Headers 6e3fd2ed-5c83-4c68-9679-7700d224d379	Medium	Best Practices	It's considered a best practice when using Application Load Balancers to drop invalid header fields	Documentation
Cognito UserPool Without MFA ec28bf61-a474-4dbe-b414-6dd3a067d6f0	Medium	Best Practices	AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users	Documentation
Password Without Reuse Prevention 89806cdc-9c2e-4bd1-a0dc-53f339bcfb2a	Medium	Best Practices	Check if IAM account password has the reuse password configured with 24	Documentation
Stack Without Template 91bea7b8-0c31-4863-adc9-93f6177266c4	Medium	Build Process	AWS CloudFormation should have a template defined through the attribute template_url or attribute template_body	Documentation
SSM Session Transit Encryption Disabled ce60cc6b-6831-4bd7-84a2-cc7f8ee71433	Medium	Encryption	SSM Session should be encrypted in transit	Documentation
Secretsmanager Secret Encrypted With AWS Managed Key b0d3ef3f-845d-4b1b-83d6-63a5a380375f	Medium	Encryption	Secrets Manager secret should be encrypted with customer-managed KMS keys instead of AWS managed keys	Documentation
SNS Topic Not Encrypted 28545147-2fc6-42d5-a1f9-cf226658e591	Medium	Encryption	SNS (Simple Notification Service) Topic should be encrypted	Documentation
SNS Topic Encrypted With AWS Managed Key b1a72f66-2236-4f3b-87ba-0da1b366956f	Medium	Encryption	SNS (Simple Notification Service) Topic should be encrypted with customer-managed KMS keys instead of AWS managed keys	Documentation
AmazonMQ Broker Encryption Disabled 3db3f534-e3a3-487f-88c7-0a9fbf64b702	Medium	Encryption	AmazonMQ Broker should have Encryption Options defined	Documentation
EBS Volume Encryption Disabled cc997676-481b-4e93-aa81-d19f8c5e9b12	Medium	Encryption	The value on AWS EBS Volume Cluster Encryption must be true	Documentation
Elasticsearch Domain Not Encrypted Node To Node 967eb3e6-26fc-497d-8895-6428beb6e8e2	Medium	Encryption	Elasticsearch Domain encryption should be enabled node to node	Documentation
DOCDB Cluster Encrypted With AWS Managed Key 2134641d-30a4-4b16-8ffc-2cd4c4ffd15d	Medium	Encryption	DOCDB Cluster should be encrypted with customer-managed KMS keys instead of AWS managed keys	Documentation
ElastiCache Replication Group Not Encrypted At Rest 76976de7-c7b1-4f64-a94f-90c1345914c2	Medium	Encryption	ElastiCache Replication Group encryption should be enabled at Rest	Documentation
Unscanned ECR Image 9630336b-3fed-4096-8173-b9afdfe346a7	Medium	Encryption	Checks if the ECR Image has been scanned	Documentation
S3 Bucket Policy Accepts HTTP Requests 4bc4dd4c-7d8d-405e-a0fb-57fa4c31b4d9	Medium	Encryption	S3 Bucket policy should not accept HTTP Requests	Documentation
ElasticSearch Encryption With KMS Disabled 7af2f4a3-00d9-47f3-8d15-ca0888f4e5b2	Medium	Encryption	Check if any ElasticSearch domain isn't encrypted with KMS	Documentation
ECR Repository Not Encrypted 0e32d561-4b5a-4664-a6e3-a3fa85649157	Medium	Encryption	ECR (Elastic Container Registry) Repository encryption should be set	Documentation
ElastiCache Replication Group Not Encrypted At Transit 1afbb3fa-cf6c-4a3d-b730-95e9f4df343e	Medium	Encryption	ElastiCache Replication Group encryption should be enabled at Transit	Documentation
API Gateway Without Content Encoding ed35928e-195c-4405-a252-98ccb664ab7b	Medium	Encryption	Enable Content Encoding through the attribute 'minimum_compression_size'. This value should be greater than -1 and smaller than 10485760	Documentation
DynamoDB Table Not Encrypted ce089fd4-1406-47bd-8aad-c259772bb294	Medium	Encryption	AWS DynamoDB Tables should have server-side encryption	Documentation
Config Rule For Encrypted Volumes Disabled abdb29d4-5ca1-4e91-800b-b3569bbd788c	Medium	Encryption	Check if AWS config rules do not identify Encrypted Volumes as a source.	Documentation
Secretsmanager Secret Without KMS a2f548f2-188c-4fff-b172-e9a6acb216bd	Medium	Encryption	AWS Secretmanager should use AWS KMS customer master key (CMK) to encrypt the secret values in the versions stored in the secret	Documentation
Neptune Database Cluster Encryption Disabled 98d59056-f745-4ef5-8613-32bca8d40b7e	Medium	Encryption	Check if Neptune Cluster Storage is securely encrypted	Documentation
ElasticSearch Not Encrypted At Rest 24e16922-4330-4e9d-be8a-caa90299466a	Medium	Encryption	Check if ElasticSearch encryption is disabled at Rest	Documentation
Instance With No VPC a31a5a29-718a-4ff4-8001-a69e5e4d029e	Medium	Insecure Configurations	Instance should be configured in VPC (Virtual Private Cloud)	Documentation
IAM Password Without Lowercase Letter bbc7c137-6c7b-4fc4-984a-0c88e91fcaf9	Medium	Insecure Configurations	Check if IAM account password has at least one lowercase letter	Documentation
AWS Password Policy With Unchangeable Passwords 9ef7d25d-9764-4224-9968-fa321c56ef76	Medium	Insecure Configurations	Unchangeable passwords in AWS password policy	Documentation
Certificate RSA Key Bytes Lower Than 256 874d68a3-bfbe-4a4b-aaa0-9e74d7da634b	Medium	Insecure Configurations	The certificate should use a RSA key with a length equal to or higher than 256 bytes	Documentation
EKS Cluster Has Public Access 42f4b905-3736-4213-bfe9-c0660518cda8	Medium	Insecure Configurations	Amazon EKS public endpoint shoud be set to false	Documentation
API Gateway With Open Access 15ccec05-5476-4890-ad19-53991eba1db8	Medium	Insecure Configurations	API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method.	Documentation
API Gateway Without SSL Certificate 0b4869fc-a842-4597-aa00-1294df425440	Medium	Insecure Configurations	SSL Client Certificate should be enabled in aws_api_gateway_stage resource	Documentation
MQ Broker Is Publicly Accessible 4eb5f791-c861-4afd-9f94-f2a6a3fe49cb	Medium	Insecure Configurations	Check if any MQ Broker is not publicly accessible	Documentation
ECR Image Tag Not Immutable d1846b12-20c5-4d45-8798-fc35b79268eb	Medium	Insecure Configurations	ECR should have an image tag be immutable	Documentation
IAM Password Without Uppercase Letter c5ff7bc9-d8ea-46dd-81cb-8286f3222249	Medium	Insecure Configurations	Check if IAM account password has at least one uppercase letter	Documentation
Service Control Policies Disabled 5ba6229c-8057-433e-91d0-21cf13569ca9	Medium	Insecure Configurations	Check if the Amazon Organizations' policies ensure that all features are enabled to achieve full control over the use of AWS services and actions across multiple AWS accounts using Service Control Policies (SCPs).	Documentation
Public Lambda via API Gateway 3ef8696c-e4ae-4872-92c7-520bb44dfe77	Medium	Insecure Configurations	Allowing to run lambda function using public API Gateway	Documentation
IAM User Has Too Many Access Keys 3561130e-9c5f-485b-9e16-2764c82763e5	Medium	Insecure Configurations	Any IAM User should not have more than one access key since it increases the risk of unauthorized access and compromise credentials	Documentation
Lambda Function Without Tags 875b86b1-7fd4-4728-9a18-de63d87ad82f	Medium	Insecure Configurations	AWS Lambda Functions must have associated tags.	Documentation
Redshift Cluster Without VPC 0a494a6a-ebe2-48a0-9d77-cf9d5125e1b3	Medium	Insecure Configurations	Redshift Cluster should be configured in VPC (Virtual Private Cloud)	Documentation
ALB Is Not Integrated With WAF 0afa6ab8-a047-48cf-be07-93a2f8c34cf7	Medium	Networking and Firewall	All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service	Documentation
Sensitive Port Is Exposed To Small Public Network e35c16a2-d54e-419d-8546-a804d8e024d0	Medium	Networking and Firewall	A sensitive port, such as port 23 or port 110, is open for a small public network in either TCP or UDP protocol	Documentation
Sensitive Port Is Exposed To Wide Private Network 92fe237e-074c-4262-81a4-2077acb928c1	Medium	Networking and Firewall	A sensitive port, such as port 23 or port 110, is open for a wide private network in either TCP or UDP protocol	Documentation
Dynamodb VPC Endpoint Without Route Table Association 0bc534c5-13d1-4353-a7fe-b8665d5c1d7d	Medium	Networking and Firewall	Dynamodb VPC Endpoint should be associated with Route Table Association	Documentation
SQS VPC Endpoint Without DNS Resolution e9b7acf9-9ba0-4837-a744-31e7df1e434d	Medium	Networking and Firewall	SQS VPC Endpoint should have DNS resolution enabled	Documentation
VPC Subnet Assigns Public IP 52f04a44-6bfa-4c41-b1d3-4ae99a2de05c	Medium	Networking and Firewall	VPC Subnet should not assign public IP	Documentation
API Gateway Endpoint Config is Not Private 6b2739db-9c49-4db7-b980-7816e0c248c1	Medium	Networking and Firewall	The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet	Documentation
SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible 54c417bf-c762-48b9-9d31-b3d87047e3f0	Medium	Networking and Firewall	Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it.	Documentation
Elasticsearch Log is disabled acb6b4e2-a086-4f35-aefd-4db6ea51ada2	Medium	Observability	AWS Elasticsearch should have logs enabled	Documentation
Default VPC Exists 96ed3526-0179-4c73-b1b2-372fde2e0d13	Medium	Observability	It isn't recommended to use resources in default VPC	Documentation
CloudTrail Multi Region Disabled 8173d5eb-96b5-4aa6-a71b-ecfa153c123d	Medium	Observability	CloudTrail should have 'is_multi_region_trail' and 'include_global_service_events' enabled	Documentation
Cloudwatch Cloudtrail Configuration Changes Alarm Missing 0f6cbf69-41bb-47dc-93f3-3844640bf480	Medium	Observability	Ensure a log metric filter and alarm exist for CloudTrail configuration changes	Documentation
API Gateway Deployment Without Access Log Setting 625abc0e-f980-4ac9-a775-f7519ee34296	Medium	Observability	API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage.	Documentation
MSK Cluster Logging Disabled 2f56b7ab-7fba-4e93-82f0-247e5ddeb239	Medium	Observability	Ensure MSK Cluster Logging is enabled	Documentation
CloudWatch S3 policy Change Alarm Missing 27c6a499-895a-4dc7-9617-5c485218db13	Medium	Observability	Ensure a log metric filter and alarm exist for S3 bucket policy changes	Documentation
Api Gateway Access Logging Disabled 1b6799eb-4a7a-4b04-9001-8cceb9999326	Medium	Observability	RDS does not have any kind of logger	Documentation
CloudWatch AWS Organizations Changes Missing Alarm 38b85c45-e772-4de8-a247-69619ca137b3	Medium	Observability	Ensure a log metric filter and alarm exist for AWS organizations changes	Documentation
API Gateway With CloudWatch Logging Disabled 982aa526-6970-4c59-8b9b-2ce7e019fe36	Medium	Observability	AWS CloudWatch Logs for APIs is not enabled	Documentation
CloudWatch Without Retention Period Specified ef0b316a-211e-42f1-888e-64efe172b755	Medium	Observability	AWS CloudWatch Log groups should have retention days specified	Documentation
API Gateway X-Ray Disabled 5813ef56-fa94-406a-b35d-977d4a56ff2b	Medium	Observability	X-ray Tracing is not enabled	Documentation
Elasticsearch Without Slow Logs e979fcbc-df6c-422d-9458-c33d65e71c45	Medium	Observability	Ensure that AWS Elasticsearch enables support for slow logs	Documentation
CloudWatch Metrics Disabled 081069cb-588b-4ce1-884c-2a1ce3029fe5	Medium	Observability	Checks if CloudWatch Metrics is Enabled	Documentation
CloudWatch Disabling Or Scheduled Deletion Of Customer Created CMK Alarm Missing 56a585f5-555c-48b2-8395-e64e4740a9cf	Medium	Observability	Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMK	Documentation
Stack Notifications Disabled b72d0026-f649-4c91-a9ea-15d8f681ac09	Medium	Observability	Enable AWS CloudFormation Stack Notifications	Documentation
S3 Bucket Without Versioning 568a4d22-3517-44a6-a7ad-6a7eed88722c	Medium	Observability	S3 bucket without versioning	Documentation
MQ Broker Logging Disabled 31245f98-a6a9-4182-9fc1-45482b9d030a	Medium	Observability	Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general).	Documentation
GuardDuty Detector Disabled 704dadd3-54fc-48ac-b6a0-02f170011473	Medium	Observability	Make sure that Amazon GuardDuty is Enabled	Documentation
Cloudfront Logging Disabled 94690d79-b3b0-43de-b656-84ebef5753e5	Medium	Observability	AWS Cloudfront distributions must be have logging enabled, which means the attribute 'logging_config' must be defined	Documentation
S3 Bucket Object Level CloudTrail Logging Disabled a8fc2180-b3ac-4c93-bd0d-a55b974e4b07	Medium	Observability	S3 Bucket object-level CloudTrail logging should be enabled for read and write events	Documentation
CloudWatch Management Console Auth Failed Alarm Missing 5864d189-ee9a-4009-ac0c-8a582e6b7919	Medium	Observability	Ensure a log metric filter and alarm exist for AWS Management Console authentication failures	Documentation
CloudWatch Logging Disabled 7dbba512-e244-42dc-98bb-422339827967	Medium	Observability	Check if CloudWatch logging is disabled for Route53 hosted zones	Documentation
Redshift Cluster Logging Disabled 15ffbacc-fa42-4f6f-a57d-2feac7365caa	Medium	Observability	Make sure Logging is enabled for Redshift Cluster	Documentation
VPC FlowLogs Disabled f83121ea-03da-434f-9277-9cd247ab3047	Medium	Observability	VPC hasn't got any FlowLog associated	Documentation
CloudTrail Not Integrated With CloudWatch 17b30f8f-8dfb-4597-adf6-57600b6cf25e	Medium	Observability	CloudTrail should be integrated with CloudWatch	Documentation
CloudTrail SNS Topic Name Undefined 482b7d26-0bdb-4b5f-bf6f-545826c0a3dd	Medium	Observability	Check if SNS topic name is set for CloudTrail	Documentation
Cloudwatch Security Group Changes Alarm Missing 4beaf898-9f8b-4237-89e2-5ffdc7ee6006	Medium	Observability	Ensure a log metric filter and alarm exist for security group changes	Documentation
No Stack Policy 2f01fb2d-828a-499d-b98e-b83747305052	Medium	Resource Management	AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions	Documentation
Hardcoded AWS Access Key In Lambda 1402afd8-a95c-4e84-8b0b-6fb43758e6ce	Medium	Secret Management	Lambda hardcoded AWS access/secret keys	Documentation
IAM Role Allows All Principals To Assume 12b7e704-37f0-4d1e-911a-44bf60c48c21	Low	Access Control	IAM role allows all services or principals to assume it	Documentation
IAM Group Without Users fc101ca7-c9dd-4198-a1eb-0fbe92e80044	Low	Access Control	IAM Group should have at least one user associated	Documentation
S3 Bucket Public ACL Overridden By Public Access Block bf878b1a-7418-4de3-b13c-3a86cf894920	Low	Access Control	S3 bucket public access is overridden by S3 bucket Public Access Block when the following attributes are set to true - 'block_public_acls', 'block_public_policy', 'ignore_public_acls', and 'restrict_public_buckets'	Documentation
EC2 Instance Using API Keys 0b93729a-d882-4803-bdc3-ac429a21f158	Low	Access Control	EC2 instances should use roles to be granted access to other AWS services	Documentation
IAM Policy Grants 'AssumeRole' Permission Across All Services bcdcbdc6-a350-4855-ae7c-d1e6436f7c97	Low	Access Control	IAM role allows All services or principals to assume it	Documentation
Autoscaling Groups Supply Tags ba48df05-eaa1-4d64-905e-4a4b051e7587	Low	Availability	Autoscaling groups should supply tags to configurate	Documentation
CDN Configuration Is Missing 1bc367f6-901d-4870-ad0c-71d79762ef52	Low	Best Practices	Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination.	Documentation
ECR Repository Without Policy 69e7c320-b65d-41bb-be02-d63ecc0bcc9d	Low	Best Practices	ECR Repository should have Policies attached to it	Documentation
IAM Policies Attached To User b4378389-a9aa-44ee-91e7-ef183f11079e	Low	Best Practices	IAM policies should be attached only to groups or roles	Documentation
Lambda Permission Misconfigured 75ec6890-83af-4bf1-9f16-e83726df0bd0	Low	Best Practices	Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction'	Documentation
S3 Bucket Without Ignore Public ACL 4fa66806-0dd9-4f8d-9480-3174d39c7c91	Low	Insecure Configurations	S3 bucket without ignore public ACL	Documentation
Open Access To Resources Through API 108aa260-6dab-4a75-ae3f-de917d634840	Low	Insecure Configurations	Open access to back-end resources through API	Documentation
ALB Deletion Protection Disabled afecd1f1-6378-4f7e-bb3b-60c35801fdd4	Low	Insecure Configurations	Application Load Balancer should have deletion protection enabled	Documentation
Cloudfront Without WAF 1419b4c6-6d5c-4534-9cf6-6a5266085333	Low	Networking and Firewall	All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service	Documentation
Missing Cluster Log Types 66f130d9-b81d-4e8e-9b08-da74b9c891df	Low	Observability	Amazon EKS control plane logging don't enabled for all log types	Documentation
DocDB Logging Is Disabled 56f6a008-1b14-4af4-b9b2-ab7cf7e27641	Low	Observability	DocDB logging should be enabled	Documentation
ECS Cluster with Container Insights Disabled 97cb0688-369a-4d26-b1f7-86c4c91231bc	Low	Observability	ECS Cluster should enable container insights	Documentation
CloudWatch Route Table Changes Alarm Missing 2285e608-ddbc-47f3-ba54-ce7121e31216	Low	Observability	Ensure a log metric filter and alarm exist for route table changes	Documentation
CloudWatch Network Gateways Changes Alarm Missing 6b6874fe-4c2f-4eea-8b90-7cceaa4a125e	Low	Observability	Ensure a log metric filter and alarm exist for network gateways changes	Documentation
CloudWatch VPC Changes Alarm Missing 9d0d4512-1959-43a2-a17f-72360ff06d1b	Low	Observability	Ensure a log metric filter and alarm exist for VPC changes	Documentation
Lambda Functions Without X-Ray Tracing 8152e0cf-d2f0-47ad-96d5-d003a76eabd1	Low	Observability	AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_Config.mode' should have the value 'Active'	Documentation
CloudTrail Log File Validation Disabled 52ffcfa6-6c70-4ea6-8376-d828d3961669	Low	Observability	CloudTrail log file validation should be enabled	Documentation
S3 Bucket Logging Disabled f861041c-8c9f-4156-acfc-5e6e524f5884	Low	Observability	S3 bucket without logging	Documentation
API Gateway Deployment Without API Gateway UsagePlan Associated b3a59b8e-94a3-403e-b6e2-527abaf12034	Low	Observability	API Gateway Deployment should have API Gateway UsagePlan defined and associated.	Documentation
CloudWatch AWS Config Configuration Changes Alarm Missing 5b8d7527-de8e-4114-b9dd-9d988f1f418f	Low	Observability	Ensure a log metric filter and alarm exist for AWS Config configuration changes	Documentation
EKS cluster logging is not enabled 37304d3f-f852-40b8-ae3f-725e87a7cedf	Low	Observability	Amazon EKS control plane logging is not enabled	Documentation
CloudWatch Changes To NACL Alarm Missing 0a8e8dc5-b6fc-44fc-b5a1-969ec950f9b0	Low	Observability	Ensure a log metric filter and alarm exist for changes to NACL	Documentation
Global Accelerator Flow Logs Disabled 96e8183b-e985-457b-90cd-61c0503a3369	Low	Observability	Global Accelerator should have flow logs enabled	Documentation
API Gateway Stage Without API Gateway UsagePlan Associated c999cf62-0920-40f8-8dda-0caccd66ed7e	Low	Resource Management	API Gateway Stage should have API Gateway UsagePlan defined and associated.	Documentation
Hardcoded AWS Access Key d7b9d850-3e06-4a75-852f-c46c2e92240b	Low	Secret Management	Hard-coded AWS access key / secret key exists in EC2 user data	Documentation
Security Group Not Used 4849211b-ac39-479e-ae78-5694d506cb24	Info	Access Control	Security group must be used or not declared	Documentation
DynamoDB Table Point In Time Recovery Disabled 741f1291-47ac-4a85-a07b-3d32a9d6bd3e	Info	Best Practices	It's considered a best practice to have point in time recovery enabled for DynamoDB Table	Documentation
Security Group Rules Without Description 68eb4bf3-f9bf-463d-b5cf-e029bb446d2e	Info	Best Practices	It's considered a best practice for all rules in AWS Security Group to have a description	Documentation
EC2 Not EBS Optimized 60224630-175a-472a-9e23-133827040766	Info	Best Practices	It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance	Documentation
Resource Not Using Tags e38a8e0a-b88b-4902-b3fe-b0fcb17d5c10	Info	Best Practices	AWS services resource tags are an essential part of managing components	Documentation
Security Group Without Description cb3f5ed6-0d18-40de-a93d-b3538db31e8c	Info	Best Practices	It's considered a best practice for AWS Security Group to have a description	Documentation
RDS Without Logging 8d7f7b8c-6c7c-40f8-baa6-62006c6c7b56	Info	Observability	RDS does not have any kind of logger	Documentation
EC2 Instance Monitoring Disabled 23b70e32-032e-4fa6-ba5c-82f56b9980e6	Info	Observability	EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods	Documentation
Neptune Logging Is Disabled 45cff7b6-3b80-40c1-ba7b-2cf480678bb8	Info	Observability	Neptune logging should be enabled	Documentation
ELB Access Logging Disabled 20018359-6fd7-4d05-ab26-d4dffccbdf79	Info	Observability	ELB should have logging enabled to help on error investigation	Documentation
### SHARED (V2/V3)
Bellow are listed queries related with Terraform SHARED (V2/V3):

Query	Severity	Category	Description	Help
Variable Without Type fc5109bf-01fd-49fb-8bde-4492b543c34a	Info	Best Practices	All variables should contain a valid type.	Documentation
Generic Git Module Without Revision 3a81fc06-566f-492a-91dd-7448e409e2cd	Info	Best Practices	All generic git repositories should reference a revision.	Documentation
Output Without Description 59312e8a-a64e-41e7-a252-618533dd1ea8	Info	Best Practices	All outputs should contain a valid description.	Documentation
Variable Without Description 2a153952-2544-4687-bcc9-cc8fea814a9b	Info	Best Practices	All variables should contain a valid description.	Documentation
Name Is Not Snake Case 1e434b25-8763-4b00-a5ca-ca03b7abbb66	Info	Best Practices	All names should follow snake case pattern.	Documentation
### AWS_BOM
Bellow are listed queries related with Terraform AWS_BOM:

Query	Severity	Category	Description	Help