# Ansible Queries List

This page contains all queries from Ansible.
### GCP

Below are the queries related to Ansible GCP:

| Query | Severity | Category | Description | Help |
|---|---|---|---|---|
| SQL DB Instance Is Publicly Accessible (7d7054c0-3a52-4e9b-b9ff-cbfe16a2378b) | High | Access Control | Check if any Cloud SQL instances are publicly accessible. | Documentation |
| VM With Full Cloud Access (bc20bbc6-0697-4568-9a73-85af1dd97bdd) | High | Access Control | A VM instance is configured to use the default service account with full access to all Cloud APIs | Documentation |
| SQL DB Instance Backup Disabled (0c82eae2-aca0-401f-93e4-fb37a0f9e5e8) | High | Backup | Checks if backup configuration is enabled for all Cloud SQL Database instances | Documentation |
| DNSSEC Using RSASHA1 (6cf4c3a7-ceb0-4475-8892-3745b84be24a) | High | Encryption | DNSSEC should not use the RSASHA1 algorithm | Documentation |
| SQL DB Instance With SSL Disabled (d0f7da39-a2d5-4c78-bb85-4b7f338b3cbb) | High | Encryption | Cloud SQL Database Instance should have SSL enabled | Documentation |
| High KMS Rotation Period (79f45008-60b3-4a0a-a302-8311fd3701b4) | High | Encryption | Check if any KMS rotation period surpasses 365 days. | Documentation |
| PostgreSQL Misconfigured Logging Duration Flag (aed98a2a-e680-497a-8886-277cea0f4514) | High | Insecure Configurations | PostgreSQL database 'log_min_duration_statement' flag isn't set to '-1' | Documentation |
| Cloud SQL Instance With Cross DB Ownership Chaining On (9e0c33ed-97f3-4ed6-8be9-bcbf3f65439f) | High | Insecure Configurations | GCP SQL Instance should not have Cross DB Ownership Chaining On | Documentation |
| Network Policy Disabled (98e04ca0-34f5-4c74-8fec-d2e611ce2790) | High | Insecure Configurations | Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false | Documentation |
| MySQL Instance With Local Infile On (a7b520bb-2509-4fb0-be05-bc38f54c7a4c) | High | Insecure Configurations | MySQL Instance should not have Local Infile On | Documentation |
| IP Aliasing Disabled (ed672a9f-fbf0-44d8-a47d-779501b0db05) | High | Insecure Configurations | Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ip_allocation_policy' must be defined and the subattribute 'use_ip_aliases' must be set to 'yes'. | Documentation |
| GKE Basic Authentication Enabled (344bf8ab-9308-462b-a6b2-697432e40ba1) | High | Insecure Configurations | GCP - Google Kubernetes Engine (GKE) Basic Authentication must be disabled, which means the username and password provided in the master_auth block must be empty | Documentation |
| Cluster Labels Disabled (fbe9b2d0-a2b7-47a1-a534-03775f3013f7) | High | Insecure Configurations | Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined | Documentation |
| BigQuery Dataset Is Public (2263b286-2fe9-4747-a0ae-8b4768a2bbd2) | High | Insecure Configurations | BigQuery dataset is anonymously or publicly accessible | Documentation |
| Cloud SQL Instance With Contained Database Authentication On (6d34aff3-fdd2-460c-8190-756a3b4969e8) | High | Insecure Configurations | SQL Instance should not have Contained Database Authentication On | Documentation |
| Client Certificate Disabled (20180133-a0d0-4745-bfe0-94049fbb12a9) | High | Insecure Configurations | Kubernetes Clusters must be created with Client Certificate enabled, which means 'master_auth' must have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to true | Documentation |
| GKE Legacy Authorization Enabled (300a9964-b086-41f7-9378-b6de3ba1c32b) | High | Insecure Configurations | Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacy_abac.enabled' must be false. | Documentation |
| Cluster Master Authentication Disabled (9df7f78f-ebe3-432e-ac3b-b67189c15518) | High | Insecure Configurations | Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'master_auth' must have the subattributes 'username' and 'password' defined and not empty | Documentation |
| Private Cluster Disabled (3b30e3d6-c99b-4318-b38f-b99db74578b5) | High | Insecure Configurations | Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_endpoint' and 'enable_private_nodes' must be true. | Documentation |
| GKE Master Authorized Networks Disabled (d43366c5-80b0-45de-bbe8-2338f4ab0a83) | High | Networking and Firewall | Master authorized networks must be enabled in GKE clusters | Documentation |
| Compute Instance Is Publicly Accessible (829f1c60-2bab-44c6-8a21-5cd9d39a2c82) | High | Networking and Firewall | Compute instances shouldn't be accessible from the Internet. | Documentation |
| PostgreSQL Log Connections Disabled (d7a5616f-0a3f-4d43-bc2b-29d1a183e317) | High | Observability | PostgreSQL database instance should have a 'log_connections' flag with its value set to 'on' | Documentation |
| Cloud Storage Bucket Versioning Disabled (7814ddda-e758-4a56-8be3-289a81ded929) | High | Observability | Object Versioning not fully enabled on Cloud Storage Bucket | Documentation |
| PostgreSQL Logging Of Temporary Files Disabled (d6fae5b6-ada9-46c0-8b36-3108a2a2f77b) | High | Observability | PostgreSQL database 'log_temp_files' flag isn't set to '0' | Documentation |
| Stackdriver Monitoring Disabled (20dcd953-a8b8-4892-9026-9afa6d05a525) | High | Observability | Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must be defined and different from 'none' | Documentation |
| Stackdriver Logging Disabled (19c9e2a0-fc33-4264-bba1-e3682661e8f7) | High | Observability | Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must be defined and different from 'none' | Documentation |
| Cloud Storage Bucket Logging Not Enabled (507df964-ad97-4035-ab14-94a82eabdfdd) | High | Observability | Cloud storage bucket with logging not enabled | Documentation |
| COS Node Image Not Used (be41f891-96b1-4b9d-b74f-b922a918c778) | High | Resource Management | A node image that is not Container-Optimized OS (COS) is used as the Kubernetes Engine Cluster node image | Documentation |
| Node Auto Upgrade Disabled (d6e10477-2e19-4bcd-b8a8-19c65b89ccdf) | High | Resource Management | Node 'auto_upgrade' should be enabled for Kubernetes Clusters | Documentation |
| High Google KMS Crypto Key Rotation Period (f9b7086b-deb8-4034-9330-d7fd38f1b8de) | Medium | Encryption | Make sure encryption keys change after 90 days | Documentation |
| Google Compute SSL Policy Weak Cipher In Use (b28bcd2f-c309-490e-ab7c-35fc4023eb26) | Medium | Encryption | This query confirms whether a Google Compute SSL Policy has weak cipher suites enabled; to do so, it checks that the TLS version is TLS_1_2, because other versions have weak ciphers | Documentation |
| Disk Encryption Disabled (092bae86-6105-4802-99d2-99cd7e7431f3) | Medium | Encryption | VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined | Documentation |
| GKE Using Default Service Account (dc126833-125a-40fb-905a-ce5f2afde240) | Medium | Insecure Configurations | Kubernetes Engine Clusters should not be configured to use the default service account | Documentation |
| Google Container Node Pool Auto Repair Disabled (d58c6f24-3763-4269-9f5b-86b2569a003b) | Medium | Insecure Configurations | Verifies if Google Container Node Pool Auto Repair is enabled | Documentation |
| Shielded VM Disabled (18d3a83d-4414-49dc-90ea-f0387b2856cc) | Medium | Insecure Configurations | Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true | Documentation |
| Cloud Storage Anonymous or Publicly Accessible (086031e1-9d4a-4249-acb3-5bfe4c363db2) | Medium | Insecure Configurations | Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'entity' must not be 'allUsers' or 'allAuthenticatedUsers' | Documentation |
| OSLogin Is Disabled In VM Instance (66dae697-507b-4aef-be18-eec5bd707f33) | Medium | Insecure Configurations | Check if any instance disables OSLogin. | Documentation |
| Cloud DNS Without DNSSEC (80b15fb1-6207-40f4-a803-6915ae619a03) | Medium | Insecure Configurations | DNSSEC must be enabled for Cloud DNS | Documentation |
| Using Default Service Account (2775e169-e708-42a9-9305-b58aadd2c4dd) | Medium | Insecure Defaults | Instances must not be configured to use the Default Service Account, which has full access to all Cloud APIs; this means the attribute 'service_account_email' must be defined, must not be empty and must not be a default Google Compute Engine service account. | Documentation |
| Google Compute Network Using Firewall Rule that Allows All Ports (3602d273-3290-47b2-80fa-720162b1a8af) | Medium | Networking and Firewall | Google Compute Network should not use a firewall rule that allows all ports | Documentation |
| SSH Access Is Not Restricted (b2fbf1df-76dd-4d78-a6c0-e538f4a9b016) | Medium | Networking and Firewall | Check if Google Firewall allows SSH access (port 22) from the Internet (public CIDR block). | Documentation |
| Google Compute Network Using Default Firewall Rule (29b8224a-60e9-4011-8ac2-7916a659841f) | Medium | Networking and Firewall | Google Compute Network should not use the default firewall rule | Documentation |
| IP Forwarding Enabled (11bd3554-cd56-4257-8e25-7aaf30cf8f5f) | Medium | Networking and Firewall | Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true | Documentation |
| RDP Access Is Not Restricted (75418eb9-39ec-465f-913c-6f2b6a80dc77) | Medium | Networking and Firewall | Check if the Google compute firewall allows unrestricted RDP access. | Documentation |
| Serial Ports Are Enabled For VM Instances (c6fc6f29-dc04-46b6-99ba-683c01aff350) | Medium | Networking and Firewall | Check if serial ports are enabled in Google Compute Engine VM instances | Documentation |
| PostgreSQL log_checkpoints Flag Not Set To ON (89afe3f0-4681-4ce3-89ed-896cebd4277c) | Medium | Observability | PostgreSQL database instance should have a 'log_checkpoints' flag with its value set to 'on' | Documentation |
| PostgreSQL Misconfigured Log Messages Flag (28a757fc-3d8f-424a-90c0-4233363b2711) | Medium | Observability | PostgreSQL database 'log_min_messages' flag isn't set to a valid value | Documentation |
| Project-wide SSH Keys Are Enabled In VM Instances (099b4411-d11e-4537-a0fc-146b19762a79) | Medium | Secret Management | Check if the VM Instance doesn't block project-wide SSH keys. | Documentation |
| Google Compute Subnetwork with Private Google Access Disabled (6a4080ae-79bd-42f6-a924-8f534c1c018b) | Low | Networking and Firewall | Google Compute Subnetwork should have 'private_ip_google_access' set to yes | Documentation |
| Google Compute Network Using Firewall Rule that Allows Port Range (7289eebd-a477-4064-8ad4-3c044bd70b00) | Low | Networking and Firewall | Google Compute Network should not use a firewall rule that allows a port range | Documentation |
### AZURE

Below are the queries related to Ansible AZURE:

| Query | Severity | Category | Description | Help |
|---|---|---|---|---|
| Admin User Enabled For Container Registry (29f35127-98e6-43af-8ec1-201b79f99604) | High | Access Control | Admin user is enabled for Container Registry | Documentation |
| Storage Container Is Publicly Accessible (4d3817db-dd35-4de4-a80d-3867157e7f7f) | High | Access Control | Anonymous, public read access to a container and its blobs is enabled in Azure Blob Storage | Documentation |
| Public Storage Account (35e2f133-a395-40de-a79d-b260d973d1bd) | High | Access Control | Check if 'network_acls' is open to the public. | Documentation |
| Trusted Microsoft Services Not Enabled (1bc398a8-d274-47de-a4c8-6ac867b353de) | High | Access Control | Ensure Trusted Microsoft Services have Storage Account access. | Documentation |
| SSL Enforce Disabled (961ce567-a16d-4d7d-9027-f0ec2628a555) | High | Encryption | Make sure that for PostgreSQL, the 'Enforce SSL connection' is set to 'ENABLED' | Documentation |
| MySQL SSL Connection Disabled (2a901825-0f3b-4655-a0fe-e0470e50f8e6) | High | Encryption | Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled | Documentation |
| Storage Account Not Forcing HTTPS (2c99a474-2a3c-4c17-8294-53ffa5ed0522) | High | Encryption | See that Storage Accounts force the use of HTTPS | Documentation |
| Azure Container Registry With No Locks (581dae78-307d-45d5-aae4-fe2b0db267a5) | High | Insecure Configurations | Azurerm Container Registry should contain associated locks through 'azure_rm_lock.managed_resource_id' or 'azure_rm_lock.resource_group' association | Documentation |
| AD Admin Not Configured For SQL Server (b176e927-bbe2-44a6-a9c3-041417137e5f) | High | Insecure Configurations | The Active Directory Administrator is not configured for a SQL server | Documentation |
| Web App Accepting Traffic Other Than HTTPS (eb8c2560-8bee-4248-9d0d-e80c8641dd91) | High | Insecure Configurations | Web app should only accept HTTPS traffic in Azure Web App Service. | Documentation |
| VM Not Attached To Network (1e5f5307-3e01-438d-8da6-985307ed25ce) | High | Insecure Configurations | No Network Security Group is attached to the Virtual Machine | Documentation |
| CosmosDB Account IP Range Filter Not Set (e8c80448-31d8-4755-85fc-6dbab69c2717) | High | Networking and Firewall | The IP range filter should be defined | Documentation |
| Redis Publicly Accessible (0632d0db-9190-450a-8bb3-c283bffea445) | High | Networking and Firewall | Firewall rule allowing unrestricted access to Redis from other Azure sources | Documentation |
| SQLServer Ingress From Any IP (f4e9ff70-0f3b-4c50-a713-26cbe7ec4039) | High | Networking and Firewall | Check if all IPs are allowed, i.e. a range from start 0.0.0.0 to end 255.255.255.255. | Documentation |
| Redis Entirely Accessible (0d0c12b9-edce-4510-9065-13f6a758750c) | High | Networking and Firewall | Firewall rule allowing unrestricted access to Redis from the Internet | Documentation |
| Sensitive Port Is Exposed To Entire Network (0ac9abbc-6d7a-41cf-af23-2e57ddb3dbfc) | High | Networking and Firewall | A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol | Documentation |
| AKS RBAC Disabled (149fa56c-4404-4f90-9e25-d34b676d5b39) | Medium | Access Control | Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled | Documentation |
| Key Vault Soft Delete Is Disabled (881696a8-68c5-4073-85bc-7c38a3deb854) | Medium | Backup | Make sure Soft Delete is enabled for Key Vault | Documentation |
| SQL Server Predictable Admin Account Name (663062e9-473d-4e87-99bc-6f3684b3df40) | Medium | Best Practices | Azure SQL Server's Admin account login must avoid using names like 'Admin' that are too predictable, which means the attribute 'admin_username' must be set to a name that is not easy to predict | Documentation |
| Unrestricted SQL Server Access (3f23c96c-f9f5-488d-9b17-605b8da5842f) | Medium | Best Practices | Azure SQL Server Accessibility should be set to a minimal address range, which means the difference between the values of 'end_ip_address' and 'start_ip_address' must be less than 256. Additionally, both IPs must be different from '0.0.0.0' | Documentation |
| SQL Server Predictable Active Directory Account Name (530e8291-2f22-4bab-b7ea-306f1bc2a308) | Medium | Best Practices | Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'ad_user' must be set to a name that is not easy to predict | Documentation |
| Cosmos DB Account Without Tags (23a4dc83-4959-4d99-8056-8e051a82bc1e) | Medium | Build Process | Cosmos DB Account must have a mapping of tags. | Documentation |
| Storage Account Not Using Latest TLS Encryption Version (c62746cf-92d5-4649-9acf-7d48d086f2ee) | Medium | Encryption | Ensure Storage Account is using the latest version of TLS encryption | Documentation |
| AKS Network Policy Misconfigured (8c3bedf1-c570-4c3b-b414-d068cd39a00c) | Medium | Insecure Configurations | Azure Kubernetes Service should have the proper network policy configuration | Documentation |
| Security Group is Not Configured (da4f2739-174f-4cdd-b9ef-dc3f14b5931f) | Medium | Insecure Configurations | Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty | Documentation |
| Redis Cache Allows Non SSL Connections (869e7fb4-30f0-4bdb-b360-ad548f337f2f) | Medium | Insecure Configurations | Check if any Redis Cache resource allows non-SSL connections. | Documentation |
| Default Network Access is Allowed (974e6fe7-63fd-4fa4-aa72-77b21a4a959d) | Medium | Insecure Defaults | Default Network Access rule for Storage Accounts must be set to deny, which means the attribute 'default_action' must be 'Deny' | Documentation |
| WAF Is Disabled For Azure Application Gateway (2fc5ab5a-c5eb-4ae4-b687-0f16fe77c255) | Medium | Networking and Firewall | Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway. | Documentation |
| Firewall Rule Allows Too Many Hosts To Access Redis Cache (69f72007-502e-457b-bd2d-5012e31ac049) | Medium | Networking and Firewall | Check if any firewall rule allows too many hosts to access Redis Cache. | Documentation |
| PostgreSQL Server Without Connection Throttling (a9becca7-892a-4af7-b9e1-44bf20a4cd9a) | Medium | Observability | Ensure that Connection Throttling is set for the PostgreSQL server | Documentation |
| AKS Monitoring Logging Disabled (d5e83b32-56dd-4247-8c2e-074f43b38a5e) | Medium | Observability | Azure Container Service (AKS) instance should have logging enabled to Azure Monitoring | Documentation |
| PostgreSQL Log Checkpoints Disabled (7ab33ac0-e4a3-418f-a673-50da4e34df21) | Medium | Observability | Make sure that for PostgreSQL Database Server, parameter 'log_checkpoints' is set to 'ON' | Documentation |
| Monitoring Log Profile Without All Activities (89f84a1e-75f8-47c5-83b5-bee8e2de4168) | Medium | Observability | Monitoring log profile should capture all activities (Action, Write, Delete) | Documentation |
| Small Activity Log Retention Period (37fafbea-dedb-4e0d-852e-d16ee0589326) | Medium | Observability | Ensure that Activity Log Retention is set to 365 days or greater | Documentation |
| PostgreSQL Log Connections Not Set (7b47138f-ec0e-47dc-8516-e7728fe3cc17) | Medium | Observability | Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON' | Documentation |
| PostgreSQL Log Disconnections Not Set (054d07b5-941b-4c28-8eef-18989dc62323) | Medium | Observability | Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON' | Documentation |
| Log Retention Is Not Set (0461b4fd-21ef-4687-929e-484ee4796785) | Medium | Observability | Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON' | Documentation |
| PostgreSQL Log Duration Not Set (729ebb15-8060-40f7-9017-cb72676a5487) | Medium | Observability | Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON' | Documentation |
### AWS | ||||
Bellow are listed queries related with Ansible AWS: |
Query | Severity | Category | Description | Help |
---|---|---|---|---|
S3 Bucket ACL Allows Read to Any Authenticated User 75480b31-f349-4b9a-861f-bce19588e674 |
High | Access Control | Misconfigured S3 buckets can leak private information to the entire internet or allow unauthorized data tampering / deletion | Documentation |
SQS Queue Exposed 86b0efa7-4901-4edd-a37a-c034bec6645a |
High | Access Control | Checks if the SQS Queue is exposed | Documentation |
S3 Bucket Allows Delete Action From All Principals 6fa44721-ef21-41c6-8665-330d59461163 |
High | Access Control | S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. | Documentation |
S3 Bucket Allows List Action From All Principals d395a950-12ce-4314-a742-ac5a785ab44e |
High | Access Control | S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. | Documentation |
ECS Service Admin Role is Present 7db727c1-1720-468e-b80e-06697f71e09e |
High | Access Control | ECS Services must not have Admin roles, which means the attribute 'role' must not be an admin role | Documentation |
DB Instance Publicly Accessible c09e3ca5-f08a-4717-9c87-3919c5e6d209 |
High | Access Control | The field 'publicly_accessible' should not be set to 'true' (default is 'false'). | Documentation |
S3 Bucket Access to Any Principal 3ab1f27d-52cc-4943-af1d-43c1939e739a |
High | Access Control | Checks if the S3 bucket is accessible for all users | Documentation |
S3 Bucket Allows Put Action From All Principals a0f1bfe0-741e-473f-b3b2-13e66f856fab |
High | Access Control | S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. | Documentation |
S3 Bucket ACL Allows Read to All Users a1ef9d2e-4163-40cb-bd92-04f0d602a15d |
High | Access Control | It's not recommended to allow read access for all user groups. | Documentation |
IAM Policies With Full Privileges e401d614-8026-4f4b-9af9-75d1197461ba |
High | Access Control | IAM policies that allow full administrative privileges (for all resources) | Documentation |
S3 Bucket Allows Get Action From All Principals 53bce6a8-5492-4b1b-81cf-664385f0c4bf |
High | Access Control | S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. | Documentation |
S3 Bucket With All Permissions 6a6d7e56-c913-4549-b5c5-5221e624d2ec |
High | Access Control | S3 Buckets must not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion | Documentation |
S3 Bucket Allows WriteACP Action From All Principals 7529b8d2-55d7-44d2-b1cd-d7d2984a2a81 |
High | Access Control | S3 Buckets must not allow Write_ACP Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Write_ACP, for all Principals. | Documentation |
Kinesis Not Encrypted With KMS f2ea6481-1d31-4d40-946a-520dc6321dd7 |
High | Encryption | AWS Kinesis Streams and metadata should be protected with KMS | Documentation |
User Data Shell Script Is Encoded 1e2341ba-a5cf-4f0a-a5f6-47e90c68ea89 |
High | Encryption | User Data Shell Script must be encoded | Documentation |
CA Certificate Identifier Is Outdated 5eccd62d-8b4d-46d3-83ea-1879f3cbd3ce |
High | Encryption | The CA certificate Identifier must be 'rds-ca-2019'. | Documentation |
User Data Contains Encoded Private Key c09f4d3e-27d2-4d46-9453-abbe9687a64e |
High | Encryption | User Data contains an encoded RSA Private Key | Documentation |
ECS Task Definition Container With Plaintext Password 7fdc2bf3-6bc0-4cb3-84c5-cfd041c0f892 |
High | Encryption | It's not recommended to use plaintext environment variables for sensitive information, such as credential data. | Documentation |
EFS Without KMS bd77554e-f138-40c5-91b2-2a09f878608e |
High | Encryption | Elastic File System (EFS) must have KMS Key ID | Documentation |
Secure Ciphers Disabled 218413a0-c716-4b94-9e08-0bb70d854709 |
High | Encryption | Check if secure ciphers aren't used in CloudFront | Documentation |
ELB Using Weak Ciphers 2034fb37-bc23-4ca0-8d95-2b9f15829ab5 |
High | Encryption | ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of weak ciphers. | Documentation |
Automatic Minor Upgrades Disabled 857f8808-e96a-4ba8-a9b7-f2d4ec6cad94 |
High | Encryption | RDS instance auto minor version upgrade feature must be true | Documentation |
DB Instance Storage Not Encrypted 7dfb316c-a6c2-454d-b8a2-97f147b0c0ff |
High | Encryption | The parameter storage_encrypted in aws_db_instance must be set to 'true' (the default is 'false'). | Documentation |
Launch Configuration Is Not Encrypted 66477506-6abb-49ed-803d-3fa174cd5f6a |
High | Encryption | AWS Autoscaling Launch Configurations should have encryption enabled | Documentation |
Redis Not Compliant 9f34885e-c08f-4d13-a7d1-cf190c5bd268 |
High | Encryption | Check if the redis version is compliant with the necessary AWS PCI DSS requirements | Documentation |
AMI Not Encrypted 97707503-a22c-4cd7-b7c0-f088fa7cf830 |
High | Encryption | AWS AMI Encryption is not enabled | Documentation |
Redshift Not Encrypted 6a647814-def5-4b85-88f5-897c19f509cd |
High | Encryption | Check if 'encrypted' field is false or undefined (default is false) | Documentation |
IAM Database Auth Not Enabled 0ed012a4-9199-43d2-b9e4-9bd049a48aa4 |
High | Encryption | IAM Database Auth Enabled must be configured to true | Documentation |
S3 Bucket SSE Disabled 309edc5b-5a59-42b4-a357-d4d098311fd4 |
High | Encryption | If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required | Documentation |
EFS Not Encrypted 727c4fd4-d604-4df6-a179-7713d3c85e20 |
High | Encryption | Elastic File System (EFS) must be encrypted | Documentation |
CloudTrail Log Files Not Encrypted f5587077-3f57-4370-9b4e-4eb5b1bac85b |
High | Encryption | CloudTrail Log Files should be encrypted with Key Management Service (KMS) | Documentation |
Viewer Protocol Policy Allows HTTP a6d27cf7-61dc-4bde-ae08-3b353b609f76 |
High | Encryption | Checks if the connection between the CloudFront and the origin server is encrypted | Documentation |
S3 Bucket Without Server-side-encryption 594f54e7-f744-45ab-93e4-c6dbaf6cd571 |
High | Encryption | AWS S3 Storage should be protected with SSE (Server-Side Encryption) | Documentation |
Memcached Disabled 2d55ef88-b616-4890-b822-47f280763e89 |
High | Encryption | Check if the Memcached is disabled on the ElastiCache | Documentation |
ELB Using Insecure Protocols 730a5951-2760-407a-b032-dd629b55c23a |
High | Encryption | ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of insecure protocols. | Documentation |
Root Account Has Active Access Keys e71d0bc7-d9e8-4e6e-ae90-0a4206db6f40 |
High | Insecure Configurations | The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive. | Documentation |
ECS Task Definition Network Mode Not Recommended 01aec7c2-3e4d-4274-ae47-2b8fea22fd1f |
High | Insecure Configurations | Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations | Documentation |
CloudFront Without Minimum Protocol TLS 1.2 d0c13053-d2c8-44a6-95da-d592996e9e67 |
High | Insecure Configurations | CloudFront Minimum Protocol version should be at least TLS 1.2 | Documentation |
Batch Job Definition With Privileged Container Properties defe5b18-978d-4722-9325-4d1975d3699f |
High | Insecure Configurations | Batch Job Definition should not have Privileged Container Properties | Documentation |
EC2 Group Has Public Interface 5330b503-3319-44ff-9b1c-00ee873f728a |
High | Insecure Configurations | The CIDR IP should not be a public interface | Documentation |
S3 Bucket with Unsecured CORS Rule 3505094c-f77c-4ba0-95da-f83db712f86c |
High | Insecure Configurations | If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure | Documentation |
KMS Key With Vulnerable Policy 5b9d237a-57d5-4177-be0e-71434b0fef47 |
High | Insecure Configurations | Checks if the policy is vulnerable and needs updating. | Documentation |
Redshift Publicly Accessible 5c6b727b-1382-4629-8ba9-abd1365e5610 |
High | Insecure Configurations | Check if 'publicly_accessible' field is true (default is false) | Documentation |
Vulnerable Default SSL Certificate fb8f8929-afeb-4c46-99f0-a6cf410f7df4 |
High | Insecure Defaults | CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one. | Documentation |
Public Port Wide 71ea648a-d31a-4b5a-a589-5674243f1c33 |
High | Networking and Firewall | AWS Security Group should not have public port wide | Documentation |
Route53 Record Undefined 445dce51-7e53-4e50-80ef-7f94f14169e4 |
High | Networking and Firewall | Route53 Record should have a list of records | Documentation |
EC2 Instance Has Public IP a8b0c58b-cd25-4b53-9ad0-55bca0be0bc1 |
High | Networking and Firewall | EC2 Instance should not have a public IP address. | Documentation |
Security Group With Unrestricted Access To SSH 57ced4b9-6ba4-487b-8843-b65562b90c77 |
High | Networking and Firewall | SSH' (TCP:22) should not be public in AWS Security Group | Documentation |
Unrestricted Security Group Ingress 83c5fa4c-e098-48fc-84ee-0a537287ddd2 |
High | Networking and Firewall | Security groups allow ingress from 0.0.0.0/0 | Documentation |
Unknown Port Exposed To Internet 722b0f24-5a64-4cca-aa96-cfc26b7e3a5b |
High | Networking and Firewall | AWS Security Group should not have an unknown port exposed to the entire Internet | Documentation |
Default Security Groups With Unrestricted Traffic 8010e17a-00e9-4635-a692-90d6bcec68bd |
High | Networking and Firewall | Check if default security group does not restrict all inbound and outbound traffic. | Documentation |
Remote Desktop Port Open eda7301d-1f3e-47cf-8d4e-976debc64341 |
High | Networking and Firewall | The Remote Desktop port is open in a Security Group | Documentation |
DB Security Group Open To Large Scope ea0ed1c7-9aef-4464-b7c7-94c762da3640 |
High | Networking and Firewall | The IP address in a DB Security Group must not have more than 256 hosts. | Documentation |
DB Security Group With Public Scope 0956aedf-6a7a-478b-ab56-63e2b19923ad |
High | Networking and Firewall | The IP address in a DB Security Group must not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). | Documentation |
ALB Listening on HTTP f81d63d2-c5d7-43a4-a5b5-66717a41c895 |
High | Networking and Firewall | AWS Application Load Balancer (alb) should not listen on HTTP | Documentation |
Security Group Ingress Not Restricted ea6bc7a6-d696-4dcf-a788-17fa03c17c81 |
High | Networking and Firewall | AWS Security Group should restrict ingress access | Documentation |
HTTP Port Open a14ad534-acbe-4a8e-9404-2f7e1045646e |
High | Networking and Firewall | The HTTP port is open in a Security Group | Documentation |
CMK Rotation Disabled af96d737-0818-4162-8c41-40d969bd65d1 |
High | Observability | Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled. | Documentation |
Configuration Aggregator to All Regions Disabled a2fdf451-89dd-451e-af92-bf6c0f4bab96 |
High | Observability | AWS Config Configuration Aggregator must be configured to aggregate all regions | Documentation |
CloudTrail Logging Disabled d4a73c49-cbaa-4c6f-80ee-d6ef5a3a26f5 |
High | Observability | Checks if logging is enabled for CloudTrail. | Documentation |
ECR Repository Is Publicly Accessible fb5a5df7-6d74-4243-ab82-ff779a958bfd |
Medium | Access Control | Amazon ECR image repositories shouldn't have public access | Documentation |
Lambda Permission Principal Is Wildcard 1d972c56-8ec2-48c1-a578-887adb09c57a |
Medium | Access Control | Lambda Permission Principal should not contain a wildcard. | Documentation |
SES Policy With Allowed IAM Actions 8ed0bfce-f780-46d4-b086-21c3628f09ad |
Medium | Access Control | SES policy should not allow IAM actions to all principals | Documentation |
API Gateway Without Configured Authorizer b16cdb37-ce15-4ab2-8401-d42b05d123fc |
Medium | Access Control | API Gateway REST API should have an API Gateway Authorizer | Documentation |
Public Lambda via API Gateway 5e92d816-2177-4083-85b4-f61b4f7176d9 |
Medium | Access Control | A Lambda function is exposed for invocation through a public API Gateway | Documentation |
SQS Policy With Public Access d994585f-defb-4b51-b6d2-c70f020ceb10 |
Medium | Access Control | SQS queue policy allows public access (wildcard principal) | Documentation |
S3 Bucket With Public Access c3e073c1-f65e-4d18-bd67-4a8f20ad1ab9 |
Medium | Access Control | S3 Bucket allows public access | Documentation |
SNS Topic is Publicly Accessible For Subscription 905f4741-f965-45c1-98db-f7a00a0e5c73 |
Medium | Access Control | SNS Topic policy should not allow any principal to subscribe | Documentation |
Cross-Account IAM Assume Role Policy Without ExternalId or MFA af167837-9636-4086-b815-c239186b9dda |
Medium | Access Control | Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access | Documentation |
Certificate Has Expired 5a443297-19d4-4381-9e5b-24faf947ec22 |
Medium | Access Control | Expired SSL/TLS certificates should be removed | Documentation |
IAM Access Key Is Exposed 7f79f858-fbe8-4186-8a2c-dfd0d958a40f |
Medium | Access Control | Check if IAM Access Key is active for some user besides 'root' | Documentation |
SQS Policy Allows All Actions ed9b3beb-92cf-44d9-a9d2-171eeba569d4 |
Medium | Access Control | SQS policy allows ALL (*) actions | Documentation |
AMI Shared With Multiple Accounts a19b2942-142e-4e2b-93b7-6cf6a6c8d90f |
Medium | Access Control | An AMI should not be shared with more than one AWS account | Documentation |
IAM Policy Grants Full Permissions b5ed026d-a772-4f07-97f9-664ba0b116f8 |
Medium | Access Control | IAM policies allow all ('*') in a statement action | Documentation |
Auto Scaling Group With No Associated ELB 050f085f-a8db-4072-9010-2cca235cc02f |
Medium | Availability | AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty. | Documentation |
CMK Is Unusable 133fee21-37ef-45df-a563-4d07edc169f4 |
Medium | Availability | AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'enabled' set to true and the attribute 'pending_window' must be undefined. | Documentation |
ECS Service Without Running Tasks f5c45127-1d28-4b49-a692-0b97da1c3a84 |
Medium | Availability | ECS Service should have at least 1 task running | Documentation |
RDS With Backup Disabled e69890e6-fce5-461d-98ad-cb98318dfc96 |
Medium | Backup | RDS configured without backup | Documentation |
Stack Retention Disabled 17d5ba1d-7667-4729-b1a6-b11fde3db7f7 |
Medium | Backup | Make sure that retain_stack is enabled to keep the Stack and its associated resources during resource destruction | Documentation |
Password Without Reuse Prevention 6f5f5444-1422-495f-81ef-24cefd61ed2c |
Medium | Best Practices | Password policy password_reuse_prevention doesn't exist or is equal to 0 | Documentation |
IAM Password Without Lowercase Letter 8e3063f4-b511-45c3-b030-f3b0c9131951 |
Medium | Best Practices | IAM account password policy should require at least one lowercase letter | Documentation |
Misconfigured Password Policy Expiration 3f2cf811-88fa-4eda-be45-7a191a18aba9 |
Medium | Best Practices | No password expiration policy | Documentation |
Authentication Without MFA eee107f9-b3d8-45d3-b9c6-43b5a7263ce1 |
Medium | Best Practices | Users should authenticate with MFA (Multi-factor Authentication) | Documentation |
IAM Password Without Minimum Length 8bc2168c-1723-4eeb-a6f3-a1ba614b9a6d |
Medium | Best Practices | IAM account password policy should enforce the required minimum password length | Documentation |
IAM Password Without Number 9cf25d62-0b96-42c8-b66d-998cd6ee5bb8 |
Medium | Best Practices | IAM account password policy should require at least one number | Documentation |
Stack Without Template 32d31f1f-0f83-4721-b7ec-1e6948c60145 |
Medium | Build Process | An AWS CloudFormation stack should have a template defined through the attribute 'template', 'template_url' or 'template_body' | Documentation |
Config Rule For Encrypted Volumes Disabled 7674a686-e4b1-4a95-83d4-1fd53c623d84 |
Medium | Encryption | AWS Config should have a rule whose source identifies encrypted volumes (the ENCRYPTED_VOLUMES managed rule) | Documentation |
EBS Volume Encryption Disabled 4b6012e7-7176-46e4-8108-e441785eae57 |
Medium | Encryption | EBS Encryption should be enabled | Documentation |
CodeBuild Not Encrypted a1423864-2fbc-4f46-bfe1-fbbf125c71c9 |
Medium | Encryption | CodeBuild Project should be encrypted | Documentation |
ECR Image Tag Not Immutable 60bfbb8a-c72f-467f-a6dd-a46b7d612789 |
Medium | Insecure Configurations | ECR should have an image tag immutable | Documentation |
Certificate RSA Key Bytes Lower Than 256 d5ec2080-340a-4259-b885-f833c4ea6a31 |
Medium | Insecure Configurations | The certificate should use an RSA key of at least 256 bytes (2048 bits) | Documentation |
API Gateway Without SSL Certificate b47b98ab-e481-4a82-8bb1-1ab39fd36e33 |
Medium | Insecure Configurations | An SSL client certificate should be enabled for the API Gateway stage | Documentation |
Instance With No VPC 61d1a2d0-4db8-405a-913d-5d2ce49dff6f |
Medium | Insecure Configurations | Instance should be configured in VPC (Virtual Private Cloud) | Documentation |
Lambda Function Without Tags 265d9725-2fb8-42a2-bc57-3279c5db82d5 |
Medium | Insecure Configurations | AWS Lambda Functions must have associated tags. | Documentation |
IAM Password Without Uppercase Letter 83957b81-39c1-4191-8e12-671d2ce14354 |
Medium | Insecure Configurations | IAM account password policy should require at least one uppercase letter | Documentation |
AWS Password Policy With Unchangeable Passwords e28ceb92-d588-4166-aac5-766c8f5b7472 |
Medium | Insecure Configurations | The AWS password policy should allow users to change their own passwords | Documentation |
API Gateway without WAF f5f38943-664b-4acc-ab11-f292fa10ed0b |
Medium | Networking and Firewall | API Gateway should have WAF (Web Application Firewall) enabled | Documentation |
SQL Analysis Services Port 2383 (TCP) is Publicly Accessible 7af1c447-c014-4f05-bd8b-ebe3a15734ac |
Medium | Networking and Firewall | Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it. | Documentation |
API Gateway Endpoint Config is Not Private 559439b2-3e9c-4739-ac46-17e3b24ec215 |
Medium | Networking and Firewall | The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet | Documentation |
CloudTrail SNS Topic Name Undefined 5ba316a9-c466-4ec1-8d5b-bc6107dc9a92 |
Medium | Observability | Check if SNS topic name is set for CloudTrail | Documentation |
API Gateway With CloudWatch Logging Disabled 72a931c2-12f5-40d1-93cc-47bff2f7aa2a |
Medium | Observability | API Gateway stages should have CloudWatch Logs enabled | Documentation |
Cloudfront Logging Disabled d31cb911-bf5b-4eb6-9fc3-16780c77c7bd |
Medium | Observability | AWS Cloudfront distributions must have logging enabled, which means the attribute 'logging' must be defined with 'enabled' set to true | Documentation |
S3 Bucket Without Versioning 9232306a-f839-40aa-b3ef-b352001da9a5 |
Medium | Observability | S3 bucket without versioning | Documentation |
CloudTrail Not Integrated With CloudWatch ebb2118a-03bc-4d53-ab43-d8750f5cb8d3 |
Medium | Observability | CloudTrail should be integrated with CloudWatch | Documentation |
CloudWatch Without Retention Period Specified e24e18d9-4c2b-4649-b3d0-18c088145e24 |
Medium | Observability | CloudWatch log groups should have a retention period specified so that log events are kept for a defined time | Documentation |
CloudTrail Multi Region Disabled 6ad087d7-a509-4b20-b853-9ef6f5ebaa98 |
Medium | Observability | CloudTrail should have multi-region logging enabled | Documentation |
API Gateway X-Ray Disabled 2059155b-27fd-441e-b616-6966c468561f |
Medium | Observability | API Gateway should have X-Ray Tracing enabled | Documentation |
Stack Notifications Disabled d39761d7-94ab-45b0-ab5e-27c44e381d58 |
Medium | Observability | AWS CloudFormation should have stack notifications enabled | Documentation |
No Stack Policy ffe0fd52-7a8b-4a5c-8fc7-49844418e6c9 |
Medium | Resource Management | AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions | Documentation |
Hardcoded AWS Access Key In Lambda f34508b9-f574-4330-b42d-88c44cced645 |
Medium | Secret Management | An AWS access key should not appear in plaintext in a Lambda function's configuration | Documentation |
IAM Policy Grants 'AssumeRole' Permission Across All Services 12a7a7ce-39d6-49dd-923d-aeb4564eb66c |
Low | Access Control | IAM policy grants 'sts:AssumeRole' on all resources ('*') | Documentation |
IAM Role Allows All Principals To Assume babdedcf-d859-43da-9a7b-6d72e661a8fd |
Low | Access Control | IAM role allows all services or principals to assume it | Documentation |
IAM Group Without Users f509931b-bbb0-443c-bd9b-10e92ecf2193 |
Low | Access Control | IAM Group should have at least one user associated | Documentation |
EC2 Instance Using Default Security Group 8d03993b-8384-419b-a681-d1f55149397c |
Low | Access Control | EC2 instances should not use default security group(s) | Documentation |
Lambda Permission Misconfigured 3ddf3417-424d-420d-8275-0724dc426520 |
Low | Best Practices | Lambda permission may be misconfigured if the 'action' field is not set to 'lambda:InvokeFunction' | Documentation |
IAM Policies Attached To User eafe4bc3-1042-4f88-b988-1939e64bf060 |
Low | Best Practices | IAM policies should be attached only to groups or roles | Documentation |
CDN Configuration Is Missing b25398a2-0625-4e61-8e4d-a1bb23905bf6 |
Low | Best Practices | A Content Delivery Network (CDN) should be used to secure and accelerate delivery of websites from the AWS account; it adds a layer of protection between the origin content and its destination. | Documentation |
EFS Without Tags b8a9852c-9943-4973-b8d5-77dae9352851 |
Low | Build Process | Amazon Elastic Filesystem should have filesystem tags associated | Documentation |
SQS with SSE disabled e1e7b278-2a8b-49bd-a26e-66a7f70b17eb |
Low | Encryption | SQS queue should have server-side encryption enabled with a KMS customer master key (CMK) | Documentation |
Cloudfront Without WAF 22c80725-e390-4055-8d14-a872230f6607 |
Low | Networking and Firewall | All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service | Documentation |
RDS Using Default Port 2cb674f6-32f9-40be-97f2-62c0dc38f0d5 |
Low | Networking and Firewall | RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433 | Documentation |
Redshift Using Default Port e01de151-a7bd-4db4-b49b-3c4775a5e881 |
Low | Networking and Firewall | Redshift should not use the default port (5439) because an attacker can easily guess the port | Documentation |
ElastiCache Without VPC 5527dcfc-94f9-4bf6-b7d4-1b78850cf41f |
Low | Networking and Firewall | ElastiCache should be launched in a Virtual Private Cloud (VPC) | Documentation |
ElastiCache Using Default Port 7cc6c791-5f68-4816-a564-b9b699f9d26e |
Low | Networking and Firewall | ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211 | Documentation |
Lambda Functions Without X-Ray Tracing 71397b34-1d50-4ee1-97cb-c96c34676f74 |
Low | Observability | AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_mode' should have the value 'Active' | Documentation |
S3 Bucket Logging Disabled c3b9f7b0-f5a0-49ec-9cbc-f1e346b7274d |
Low | Observability | S3 bucket without debug_botocore_endpoint_logs | Documentation |
CloudTrail Log File Validation Disabled 4d8681a2-3d30-4c89-8070-08acd142748e |
Low | Observability | CloudTrail Log Files should have validation enabled | Documentation |
Hardcoded AWS Access Key c2f15af3-66a0-4176-a56e-e4711e502e5c |
Low | Secret Management | Check if the user data in the EC2 instance has the access key hardcoded | Documentation |
EC2 Not EBS Optimized 338b6cab-961d-4998-bb49-e5b6a11c9a5c |
Info | Best Practices | It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance | Documentation |
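The Networking and Firewall rows above (SSH, HTTP, Remote Desktop and SQL Analysis Services ports open to the world, Unknown Port Exposed To Internet, Unrestricted Security Group Ingress, and the two DB Security Group scope checks) all reduce to the same two questions: is the source CIDR 0.0.0.0/0 or ::/0, and which ports does the rule cover? The following is an added example, not KICS's own Rego or Ansible code, that implements those checks over an already-parsed Ansible task using the amazon.aws.ec2_security_group module (whose rules carry 'proto', either 'ports' or 'from_port'/'to_port', and 'cidr_ip'/'cidr_ipv6'). The sample task is constructed for the example; the 256-host limit is the one stated in the table.

```python
"""Security Group checks from the query table, as standalone Python (added
example; not KICS's Rego). Input: a parsed Ansible task dict for the
amazon.aws.ec2_security_group module."""
import ipaddress

PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}
# Ports the catalogue names individually; any other public port is "unknown".
NAMED_PORTS = {
    22: "SSH Port Open",
    80: "HTTP Port Open",
    2383: "SQL Analysis Services Port 2383 (TCP) is Publicly Accessible",
    3389: "Remote Desktop Port Open",
}
MAX_DB_HOSTS = 256  # "DB Security Group Open To Large Scope" limit from the table
MODULE_KEYS = ("amazon.aws.ec2_security_group", "ec2_security_group")


def _port_ranges(rule):
    """Expand one rule into inclusive (low, high) port ranges."""
    proto = str(rule.get("proto", "tcp")).lower()
    if proto in ("all", "-1"):            # every protocol and port
        return [(0, 65535)]
    if "ports" in rule:                    # e.g. [22, "8000-8080"]
        ranges = []
        for item in rule["ports"]:
            low, _, high = str(item).partition("-")
            ranges.append((int(low), int(high or low)))
        return ranges
    return [(int(rule.get("from_port", 0)), int(rule.get("to_port", 65535)))]


def _cidrs(rule):
    """Collect IPv4 and IPv6 sources; each field may be a string or a list."""
    out = []
    for key in ("cidr_ip", "cidr_ipv6"):
        value = rule.get(key)
        if value is not None:
            out.extend(value if isinstance(value, list) else [value])
    return out


def check_security_group(task):
    """Return [(query_title, detail)] for one ec2_security_group task."""
    args = next((task[k] for k in MODULE_KEYS if k in task), {})
    name = args.get("name", "<unnamed>")
    findings = []
    for rule in args.get("rules", []):
        for cidr in _cidrs(rule):
            if cidr not in PUBLIC_CIDRS:
                continue
            findings.append(("Unrestricted Security Group Ingress", f"{name}: {cidr}"))
            for low, high in _port_ranges(rule):
                named = [p for p in NAMED_PORTS if low <= p <= high]
                for port in named:
                    findings.append((NAMED_PORTS[port], f"{name}: {cidr} -> {port}"))
                if high - low + 1 > len(named):   # range also covers un-named ports
                    findings.append(("Unknown Port Exposed To Internet",
                                     f"{name}: {cidr} -> {low}-{high}"))
    return findings


def check_db_cidr(cidr):
    """Classify one CIDR authorised on a DB Security Group (None = acceptable)."""
    if cidr in PUBLIC_CIDRS:
        return "DB Security Group With Public Scope"
    if ipaddress.ip_network(cidr, strict=False).num_addresses > MAX_DB_HOSTS:
        return "DB Security Group Open To Large Scope"
    return None


# Constructed sample task for the example; not from any real playbook.
SAMPLE_TASK = {"name": "web tier sg", "amazon.aws.ec2_security_group": {
    "name": "web", "description": "sample", "rules": [
        {"proto": "tcp", "ports": [22, 80], "cidr_ip": "0.0.0.0/0"},
        {"proto": "tcp", "from_port": 8080, "to_port": 8080, "cidr_ipv6": "::/0"},
        {"proto": "tcp", "ports": [5432], "cidr_ip": "10.0.0.0/8"}]}}

if __name__ == "__main__":
    for title, detail in check_security_group(SAMPLE_TASK):
        print(f"{title}: {detail}")
    for cidr in ("0.0.0.0/0", "10.0.0.0/16", "10.0.1.0/24"):
        print(cidr, "->", check_db_cidr(cidr))
```

The third rule (PostgreSQL from 10.0.0.0/8) produces nothing, which is the point of the port/CIDR split: a wide CIDR is only a finding when it is the whole Internet, and a named-port finding is only raised when the public range actually contains that port. A /24 passes the DB scope check exactly at the 256-host boundary; a /16 does not.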
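Several Access Control rows (IAM Policy Grants Full Permissions, SQS Policy Allows All Actions, the SQS/S3/SNS public-access and Lambda wildcard-principal checks, IAM Role Allows All Principals To Assume, IAM Policy Grants 'AssumeRole' Permission Across All Services, and Cross-Account IAM Assume Role Policy Without ExternalId or MFA) are conditions on the statements of an IAM policy document. The example below is added here and is not KICS's Rego; it evaluates a policy given as a dict or JSON string (the 'policy' value an Ansible task would carry), normalising the string-or-list fields IAM allows, and separately evaluates a role trust policy, where a foreign-account principal is only acceptable with an sts:ExternalId or aws:MultiFactorAuthPresent condition. The account IDs, ARNs and resource names in the samples are made up, and the finding strings are this example's own labels for the table's conditions.

```python
"""IAM policy-document checks behind the Access Control rows (added example,
not KICS code). Handles Action/Resource/Principal given as string or list, and
the Principal map form {"AWS": [...], "Service": [...]}."""
import json
import re

ACCOUNT_PRINCIPAL = re.compile(r"^arn:aws:iam::(\d{12}):(root|role/.+|user/.+)$")
# Lowercased condition keys that make a cross-account trust acceptable.
TRUST_CONDITIONS = ("sts:externalid", "aws:multifactorauthpresent")


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _statements(policy):
    """Allow statements of a policy supplied as dict or JSON text."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    return [s for s in _as_list(policy.get("Statement")) if s.get("Effect") == "Allow"]


def _principals(stmt):
    """Flatten Principal: "*" or {"AWS": ..., "Service": ..., ...}."""
    principal = stmt.get("Principal")
    if principal == "*":
        return ["*"]
    out = []
    if isinstance(principal, dict):
        for values in principal.values():
            out.extend(_as_list(values))
    return out


def check_policy(policy):
    """Findings for an identity or resource policy, as a set of labels."""
    findings = set()
    for stmt in _statements(policy):
        actions = {str(a).lower() for a in _as_list(stmt.get("Action"))}
        resources = set(_as_list(stmt.get("Resource")))
        if "*" in actions:
            findings.add("IAM Policy Grants Full Permissions")
        if any(a.endswith(":*") for a in actions):
            findings.add("Policy Allows All Actions On Service")
        if "sts:assumerole" in actions and "*" in resources:
            findings.add("IAM Policy Grants 'AssumeRole' Permission Across All Services")
        # Conditions are deliberately not evaluated here: Principal "*" is treated
        # as public regardless, which is the conservative reading.
        if "*" in _principals(stmt):
            findings.add("Policy Principal Is Wildcard (public access)")
    return findings


def check_trust_policy(policy, own_account):
    """Findings for a role's assume-role (trust) policy."""
    findings = set()
    for stmt in _statements(policy):
        actions = {str(a).lower() for a in _as_list(stmt.get("Action"))}
        if "sts:assumerole" not in actions:
            continue
        conditions = json.dumps(stmt.get("Condition", {})).lower()
        for principal in _principals(stmt):
            if principal == "*":
                findings.add("IAM Role Allows All Principals To Assume")
                continue
            match = ACCOUNT_PRINCIPAL.match(principal)
            if match and match.group(1) != own_account \
                    and not any(key in conditions for key in TRUST_CONDITIONS):
                findings.add("Cross-Account IAM Assume Role Policy Without ExternalId or MFA")
    return findings


# Constructed sample documents; account IDs and names are made up.
OWN_ACCOUNT = "111122223333"
FULL_ADMIN = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
PUBLIC_QUEUE = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "sqs:*",
     "Resource": "arn:aws:sqs:us-east-1:111122223333:orders"}]})
TRUST_WEAK = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::444455556666:root"},
     "Action": "sts:AssumeRole"}]}
TRUST_OK = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ["arn:aws:iam::444455556666:root"]},
     "Action": ["sts:AssumeRole"],
     "Condition": {"StringEquals": {"sts:ExternalId": "vendor-7f3a"}}}]}

if __name__ == "__main__":
    print(sorted(check_policy(FULL_ADMIN)))
    print(sorted(check_policy(PUBLIC_QUEUE)))
    print(sorted(check_trust_policy(TRUST_WEAK, OWN_ACCOUNT)))
    print(sorted(check_trust_policy(TRUST_OK, OWN_ACCOUNT)))
```

Same-account role principals are not reported by the cross-account check, and a Deny statement never produces a finding; both are the edge cases a naive substring scan of the policy text gets wrong.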