Terraform

Terraform Queries List¶

This page contains all queries from Terraform.

GCP¶

Bellow are listed queries related with Terraform GCP:

Query	Severity	Category	Description	Help
OSLogin Disabled ^{_{32ecd6eb-0711-421f-9627-1a28d9eff217}}	High	Access Control	Verifies that the OSLogin is enabled	Documentation
BigQuery Dataset Is Public ^{_{e576ce44-dd03-4022-a8c0-3906acca2ab4}}	High	Access Control	BigQuery dataset is anonymously or publicly accessible	Documentation
Cloud Storage Bucket Is Publicly Accessible ^{_{c010082c-76e0-4b91-91d9-6e8439e455dd}}	High	Access Control	Cloud Storage Bucket is anonymously or publicly accessible	Documentation
SQL DB Instance Is Publicly Accessible ^{_{b187edca-b81e-4fdc-aff4-aab57db45edb}}	High	Access Control	Check if any Cloud SQL instances are publicly accessible.	Documentation
VM With Full Cloud Access ^{_{bc280331-27b9-4acb-a010-018e8098aa5d}}	High	Access Control	A VM instance is configured to use the default service account with full access to all Cloud APIs	Documentation
SQL DB Instance Backup Disabled ^{_{cf3c7631-cd1e-42f3-8801-a561214a6e79}}	High	Backup	Checks if backup configuration is enabled for all Cloud SQL Database instances	Documentation
DNSSEC Using RSASHA1 ^{_{ccc3100c-0fdd-4a5e-9908-c10107291860}}	High	Encryption	Checks if, within the 'dnssec_config' block, the 'default_key_specs' block exists with the 'algorithm' field is 'rsasha1' which is bad.	Documentation
SQL DB Instance With SSL Disabled ^{_{02474449-71aa-40a1-87ae-e14497747b00}}	High	Encryption	Cloud SQL Database Instance should have SLL enabled	Documentation
KMS Crypto Key is Publicly Accessible ^{_{16cc87d1-dd47-4f46-b3ce-4dfcac8fd2f5}}	High	Encryption	KMS Crypto Key should not be publicly accessible. In other words, the KMS Crypto Key policy should not set 'allUsers' or 'allAuthenticatedUsers' in the attribute 'member'/'members'	Documentation
High KMS Rotation Period ^{_{352271ca-842f-408a-8b24-f6f2b76eb027}}	High	Encryption	Check that keys aren't the same for a period greater than 365 days.	Documentation
Network Policy Disabled ^{_{11e7550e-c4b6-472e-adff-c698f157cdd7}}	High	Insecure Configurations	Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false	Documentation
IP Aliasing Disabled ^{_{c606ba1d-d736-43eb-ac24-e16108f3a9e0}}	High	Insecure Configurations	Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribut 'ip_allocation_policy' must be defined and, if defined, the attribute 'networking_mode' must be VPC_NATIVE	Documentation
GKE Basic Authentication Enabled ^{_{70cdf849-b7d9-4569-b87d-5d82ffd44719}}	High	Insecure Configurations	GCP - Google Kubernetes Engine (GKE) Basic Authentication must be disabled, which means the username and password provided in the master_auth block must be empty	Documentation
Cluster Labels Disabled ^{_{65c1bc7a-4835-4ac4-a2b6-13d310b0648d}}	High	Insecure Configurations	Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined	Documentation
Not Proper Email Account In Use ^{_{9356962e-4a4f-4d06-ac59-dc8008775eaa}}	High	Insecure Configurations	Gmail accounts are being used instead of corporate credentials	Documentation
COS Node Image Not Used ^{_{8a893e46-e267-485a-8690-51f39951de58}}	High	Insecure Configurations	A node image, that is not Container-Optimized OS (COS), is used for Kubernetes Engine Clusters Node image	Documentation
Client Certificate Disabled ^{_{73fb21a1-b19a-45b1-b648-b47b1678681e}}	High	Insecure Configurations	Kubernetes Clusters must be created with Client Certificate enabled, which means 'master_auth' must have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to true	Documentation
GKE Legacy Authorization Enabled ^{_{5baa92d2-d8ee-4c75-88a4-52d9d8bb8067}}	High	Insecure Configurations	Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'enable_legacy_abac' must not be true	Documentation
Cluster Master Authentication Disabled ^{_{1baba08e-3c8a-4be7-95eb-dced5833de21}}	High	Insecure Configurations	Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'master_auth' must have the subattributes 'username' and 'password' defined and not empty	Documentation
Private Cluster Disabled ^{_{6ccb85d7-0420-4907-9380-50313f80946b}}	High	Insecure Configurations	Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_nodes' and 'enable_private_endpoint' must be true	Documentation
Pod Security Policy Disabled ^{_{9192e0f9-eca5-4056-9282-ae2a736a4088}}	High	Insecure Configurations	Kubernetes Clusters must have Pod Security Policy controller enabled, which means there must be a 'pod_security_policy_config' with the 'enabled' attribute equal to true	Documentation
Cloud Storage Bucket Versioning Disabled ^{_{e7e961ac-d17e-4413-84bc-8a1fbe242944}}	High	Observability	Object Versioning Not Enabled on Cloud Storage Bucket	Documentation
Stackdriver Monitoring Disabled ^{_{30e8dfd2-3591-4d19-8d11-79e93106c93d}}	High	Observability	Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must be defined and different than 'none'	Documentation
Stackdriver Logging Disabled ^{_{4c7ebcb2-eae2-461e-bc83-456ee2d4f694}}	High	Observability	Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must be defined and different from 'none'	Documentation
IAM Audit Not Properly Configured ^{_{89fe890f-b480-460c-8b6b-7d8b1468adb4}}	High	Observability	Audit Logging Configuration is defective	Documentation
Cloud Storage Bucket Logging Not Enabled ^{_{d6cabc3a-d57e-48c2-b341-bf3dd4f4a120}}	High	Observability	Cloud storage bucket with logging not enabled	Documentation
Node Auto Upgrade Disabled ^{_{b139213e-7d24-49c2-8025-c18faa21ecaa}}	High	Resource Management	Node 'auto_upgrade' should be enabled for Kubernetes Clusters	Documentation
KMS Admin and CryptoKey Roles In Use ^{_{92e4464a-4139-4d57-8742-b5acc0347680}}	Medium	Access Control	Google Project IAM Policy should not assign a KMS admin role and CryptoKey role to the same member	Documentation
Google Project IAM Binding Service Account has Token Creator or Account User Role ^{_{617ef6ff-711e-4bd7-94ae-e965911b1b40}}	Medium	Access Control	Verifies if Google Project IAM Binding Service Account doesn't have an Account User or Token Creator Role associated	Documentation
Cloud Storage Anonymous or Publicly Accessible ^{_{a6cd52a1-3056-4910-96a5-894de9f3f3b3}}	Medium	Access Control	Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'members' must not possess 'allUsers' or 'allAuthenticatedUsers'	Documentation
Google Project IAM Member Service Account Has Admin Role ^{_{84d36481-fd63-48cb-838e-635c44806ec2}}	Medium	Access Control	Verifies that Google Project IAM Member Service Account doesn't have an Admin Role associated	Documentation
Google Project IAM Member Service Account has Token Creator or Account User Role ^{_{c68b4e6d-4e01-4ca1-b256-1e18e875785c}}	Medium	Access Control	Verifies if Google Poject IAM Member Service Account doesn't have a Account User or Token Creator associated	Documentation
High Google KMS Crypto Key Rotation Period ^{_{d8c57c4e-bf6f-4e32-a2bf-8643532de77b}}	Medium	Encryption	Make sure Encryption keys change after 90 days	Documentation
Google Compute SSL Policy Weak Cipher In Use ^{_{14a457f0-473d-4d1d-9e37-6d99b355b336}}	Medium	Encryption	This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers	Documentation
Disk Encryption Disabled ^{_{b1d51728-7270-4991-ac2f-fc26e2695b38}}	Medium	Encryption	VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined	Documentation
GKE Using Default Service Account ^{_{1c8eef02-17b1-4a3e-b01d-dcc3292d2c38}}	Medium	Insecure Configurations	Kubernetes Engine Clusters should not be configured to use the default service account	Documentation
Google Container Node Pool Auto Repair Disabled ^{_{acfdbec6-4a17-471f-b412-169d77553332}}	Medium	Insecure Configurations	Verifies if Google Container Node Pool Auto Repair is Enabled	Documentation
Cloud DNS without DNSSEC ^{_{5ef61c88-bbb4-4725-b1df-55d23c9676bb}}	Medium	Insecure Configurations	Cloud DNS without DNSSEC	Documentation
Shielded VM Disabled ^{_{1b44e234-3d73-41a8-9954-0b154135280e}}	Medium	Insecure Configurations	Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true	Documentation
Serial Ports Are Enabled For VM Instances ^{_{97fa667a-d05b-4f16-9071-58b939f34751}}	Medium	Insecure Configurations	Check if VM instance enables serial ports	Documentation
OSLogin Is Disabled For VM Instance ^{_{d0b4d550-c001-46c3-bbdb-d5d75d33f05f}}	Medium	Insecure Configurations	Check if any VM instance disables OSLogin	Documentation
Using Default Service Account ^{_{3cb4af0b-056d-4fb1-8b95-fdc4593625ff}}	Medium	Insecure Configurations	Instances must not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account' and its sub attribute 'email' must be defined. Additionally, 'email' must not be empty and must also not be a default Google Compute Engine service account.	Documentation
Google Storage Bucket Level Access Disabled ^{_{bb0db090-5509-4853-a827-75ced0b3caa0}}	Medium	Insecure Configurations	Google Storage Bucket Level Access should be enabled	Documentation
Google Project Auto Create Network Disabled ^{_{59571246-3f62-4965-a96f-c7d97e269351}}	Medium	Insecure Configurations	Verifies if the Google Project Auto Create Network is Disabled	Documentation
Project-wide SSH Keys Are Enabled In VM Instances ^{_{3e4d5ce6-3280-4027-8010-c26eeea1ec01}}	Medium	Insecure Configurations	Check if SSH keys are enabled project-wide in VM instances	Documentation
Google Compute Network Using Firewall Rule that Allows All Ports ^{_{22ef1d26-80f8-4a6c-8c15-f35aab3cac78}}	Medium	Networking and Firewall	Google Compute Network should not use a firewall rule that allows all ports	Documentation
SSH Access Is Not Restricted ^{_{c4dcdcdf-10dd-4bf4-b4a0-8f6239e6aaa0}}	Medium	Networking and Firewall	Check if Google Firewall allows SSH access (port 22) from the Internet (public CIDR block)	Documentation
Google Compute Network Using Default Firewall Rule ^{_{40abce54-95b1-478c-8e5f-ea0bf0bb0e33}}	Medium	Networking and Firewall	Google Compute Network should not use default firewall rule	Documentation
IP Forwarding Enabled ^{_{f34c0c25-47b4-41eb-9c79-249b4dd47b89}}	Medium	Networking and Firewall	Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true	Documentation
RDP Access Is Not Restricted ^{_{678fd659-96f2-454a-a2a0-c2571f83a4a3}}	Medium	Networking and Firewall	Check if Google Firewall ingress allows RDP access (port 3389)	Documentation
Google Compute Subnetwork Logging Disabled ^{_{40430747-442d-450a-a34f-dc57149f4609}}	Medium	Observability	This query checks if logs are enabled for a Google Compute Subnetwork resource.	Documentation
Service Account with Improper Privileges ^{_{cefdad16-0dd5-4ac5-8ed2-a37502c78672}}	Medium	Resource Management	Service account should not have improper privileges like admin, editor, owner, or write roles	Documentation
User with IAM Role ^{_{704fcc44-a58f-4af5-82e2-93f2a58ef918}}	Low	Best Practices	As a best practice, it is better to assign an IAM Role to a group than to a user	Documentation
Google Compute Subnetwork with Private Google Access Disabled ^{_{ee7b93c1-b3f8-4a3b-9588-146d481814f5}}	Low	Networking and Firewall	Google Compute Subnetwork should have 'private_ip_google_access' set to true	Documentation
Google Compute Network Using Firewall Rule that Allows Port Range ^{_{e6f61c37-106b-449f-a5bb-81bfcaceb8b4}}	Low	Networking and Firewall	Google Compute Network should not use a firewall rule that allows port range	Documentation
### GITHUB
Bellow are listed queries related with Terraform GITHUB:

Query	Severity	Category	Description	Help
Github Organization Webhook With SSL Disabled ^{_{ce7c874e-1b88-450b-a5e4-cb76ada3c8a9}}	Medium	Encryption	Check if insecure SSL is being used in the GitHub organization webhooks	Documentation
GitHub Repository Set To Public ^{_{15d8a7fd-465a-4d15-a868-add86552f17b}}	Medium	Insecure Configurations	Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private')	Documentation
### SHARED (V2/V3)
Bellow are listed queries related with Terraform SHARED (V2/V3):

Query	Severity	Category	Description	Help
Variable Without Type ^{_{fc5109bf-01fd-49fb-8bde-4492b543c34a}}	Info	Best Practices	All variables should contain a valid type.	Documentation
Generic Git Module Without Revision ^{_{3a81fc06-566f-492a-91dd-7448e409e2cd}}	Info	Best Practices	All generic git repositories should reference a revision.	Documentation
Variable Without Description ^{_{2a153952-2544-4687-bcc9-cc8fea814a9b}}	Info	Best Practices	All variables should contain a valid description.	Documentation
Output Without Description ^{_{59312e8a-a64e-41e7-a252-618533dd1ea8}}	Info	Best Practices	All outputs should contain a valid description.	Documentation
Name Is Not Snake Case ^{_{1e434b25-8763-4b00-a5ca-ca03b7abbb66}}	Info	Best Practices	All names should follow snake case pattern.	Documentation
### AWS_BOM
Bellow are listed queries related with Terraform AWS_BOM:

Query	Severity	Category	Description	Help
### AZURE
Bellow are listed queries related with Terraform AZURE:

Query	Severity	Category	Description	Help
Admin User Enabled For Container Registry ^{_{b897dfbf-322c-45a8-b67c-1e698beeaa51}}	High	Access Control	Admin user is enabled for Container Registry	Documentation
Storage Container Is Publicly Accessible ^{_{dd5230f8-a577-4bbb-b7ac-f2c2fe7d5299}}	High	Access Control	Anonymous, public read access to a container and its blobs are enabled in Azure Blob Storage	Documentation
Role Assignment Not Limit Guest User Permissions ^{_{8e75e431-449f-49e9-b56a-c8f1378025cf}}	High	Access Control	Role Assignment should limit guest user permissions	Documentation
Public Storage Account ^{_{17f75827-0684-48f4-8747-61129c7e4198}}	High	Access Control	Storage Account should not be public	Documentation
Role Assignment Of Guest Users ^{_{2bc626a8-0751-446f-975d-8139214fc790}}	High	Access Control	There is a role assignment for guest user	Documentation
Function App Authentication Disabled ^{_{e65a0733-94a0-4826-82f4-df529f4c593f}}	High	Access Control	Azure Function App authentication settings should be enabled	Documentation
Geo Redundancy Is Disabled ^{_{8b042c30-e441-453f-b162-7696982ebc58}}	High	Backup	Make sure that on PostgreSQL Geo Redundant Backups is enabled	Documentation
App Service Not Using Latest TLS Encryption Version ^{_{b7b9d1c7-2d3b-49b4-b867-ebbe68d0b643}}	High	Encryption	Ensure App Service is using the latest version of TLS encryption	Documentation
SSL Enforce Disabled ^{_{0437633b-daa6-4bbc-8526-c0d2443b946e}}	High	Encryption	Make sure that for PosgreSQL, the 'Enforce SSL connection' is set to 'ENABLED'	Documentation
Function App Not Using Latest TLS Encryption Version ^{_{45fc717a-bd86-415c-bdd8-677901be1aa6}}	High	Encryption	Ensure Function App is using the latest version of TLS encryption	Documentation
MySQL SSL Connection Disabled ^{_{73e42469-3a86-4f39-ad78-098f325b4e9f}}	High	Encryption	Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled	Documentation
Storage Account Not Forcing HTTPS ^{_{12944ec4-1fa0-47be-8b17-42a034f937c2}}	High	Encryption	See that Storage Accounts forces the use of HTTPS	Documentation
Trusted Microsoft Services Not Enabled ^{_{5400f379-a347-4bdd-a032-446465fdcc6f}}	High	Insecure Configurations	Trusted MIcrosoft Services are not enabled for Storage Account access	Documentation
Function App FTPS Enforce Disabled ^{_{9dab0179-433d-4dff-af8f-0091025691df}}	High	Insecure Configurations	Azure Function App should only enforce FTPS when 'ftps_state' is enabled	Documentation
Azure Container Registry With No Locks ^{_{a187ac47-8163-42ce-8a63-c115236be6fb}}	High	Insecure Configurations	Azurerm Container Registry Must Contain Associated Locks	Documentation
AD Admin Not Configured For SQL Server ^{_{a3a055d2-9a2e-4cc9-b9fb-12850a1a3a4b}}	High	Insecure Configurations	The Active Directory Administrator is not configured for a SQL server	Documentation
Redis Not Updated Regularly ^{_{b947809d-dd2f-4de9-b724-04d101c515aa}}	High	Insecure Configurations	Redis Cache is not configured to be updated regularly with security and operational updates	Documentation
Web App Accepting Traffic Other Than HTTPS ^{_{11e9a948-c6c3-4a0f-8dcf-b5cf1763cdbe}}	High	Insecure Configurations	Web app should only accept HTTPS traffic in Azure Web App Service.	Documentation
VM Not Attached To Network ^{_{bbf6b3df-4b65-4f87-82cc-da9f30f8c033}}	High	Insecure Configurations	No Network Security Group is attached to the Virtual Machine	Documentation
App Service FTPS Enforce Disabled ^{_{85da374f-b00f-4832-9d44-84a1ca1e89f8}}	High	Insecure Configurations	Azure App Service should only enforce FTPS when 'ftps_state' is enabled	Documentation
Network Watcher Flow Disabled ^{_{b90842e5-6779-44d4-9760-972f4c03ba1c}}	High	Insecure Configurations	Check if enable field in the resource azurerm_network_watcher_flow_log is false.	Documentation
CosmosDB Account IP Range Filter Not Set ^{_{c2a3efb6-8a58-481c-82f2-bfddf34bb4b7}}	High	Networking and Firewall	The Ip Range Must Contain Ips	Documentation
SSH Is Exposed To The Internet ^{_{3e3c175e-aadf-4e2b-a464-3fdac5748d24}}	High	Networking and Firewall	Port 22 (SSH) is exposed to the internet	Documentation
Redis Publicly Accessible ^{_{5089d055-53ff-421b-9482-a5267bdce629}}	High	Networking and Firewall	Firewall rule allowing unrestricted access to Redis from other Azure sources	Documentation
RDP Is Exposed To The Internet ^{_{efbf6449-5ec5-4cfe-8f15-acc51e0d787c}}	High	Networking and Firewall	Port 3389 (Remote Desktop) is exposed to the internet	Documentation
SQLServer Ingress From Any IP ^{_{25c0ea09-f1c5-4380-b055-3b83863f2bb8}}	High	Networking and Firewall	Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255.	Documentation
Redis Entirely Accessible ^{_{fd8da341-6760-4450-b26c-9f6d8850575e}}	High	Networking and Firewall	Firewall rule allowing unrestricted access to Redis from the Internet	Documentation
MySQL Server Public Access Enabled ^{_{f118890b-2468-42b1-9ce9-af35146b425b}}	High	Networking and Firewall	MySQL Server public access should be disabled	Documentation
Azure App Service Client Certificate Disabled ^{_{a81573f9-3691-4d83-88a0-7d4af63e17a3}}	High	Networking and Firewall	Azure App Service client certificate should be enabled	Documentation
MSSQL Server Public Network Access Enabled ^{_{ade36cf4-329f-4830-a83d-9db72c800507}}	High	Networking and Firewall	MSSQL Server public network access should be disabled	Documentation
Sensitive Port Is Exposed To Entire Network ^{_{594c198b-4d79-41b8-9b36-fde13348b619}}	High	Networking and Firewall	A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol	Documentation
Vault Auditing Disabled ^{_{38c71c00-c177-4cd7-8d36-cd1007cdb190}}	High	Observability	Ensure that logging for Azure KeyVault is 'Enabled'	Documentation
PostgreSQL Server Threat Detection Policy Disabled ^{_{c407c3cf-c409-4b29-b590-db5f4138d332}}	High	Resource Management	PostgreSQL Server Threat Detection Policy should be enabled	Documentation
SQL Database Audit Disabled ^{_{83a229ba-483e-47c6-8db7-dc96969bce5a}}	High	Resource Management	Ensure that 'Threat Detection' is enabled for Azure SQL Database	Documentation
App Service Managed Identity Disabled ^{_{b61cce4b-0cc4-472b-8096-15617a6d769b}}	High	Resource Management	Azure App Service should have managed identity enabled	Documentation
Secret Expiration Not Set ^{_{dfa20ffa-f476-428f-a490-424b41e91c7f}}	High	Secret Management	Make sure that for all secrets the expiration date is set	Documentation
Key Expiration Not Set ^{_{4d080822-5ee2-49a4-8984-68f3d4c890fc}}	High	Secret Management	Make sure that for all keys the expiration date is set	Documentation
Storage Share File Allows All ACL Permissions ^{_{48bbe0fd-57e4-4678-a4a1-119e79c90fc3}}	Medium	Access Control	Azure Storage Share File should not allow all ACL (Access Control List) permissions - r (read), w (write), d (delete), and l (list).	Documentation
Storage Table Allows All ACL Permissions ^{_{3ac3e75c-6374-4a32-8ba0-6ed69bda404e}}	Medium	Access Control	Azure Storage Table should not allow all ACL (Access Control List) permissions - r (read), w (write), d (delete), and l (list).	Documentation
Role Definition Allows Custom Role Creation ^{_{3fa5900f-9aac-4982-96b2-a6143d9c99fb}}	Medium	Access Control	Role Definition should not allow custom role creation	Documentation
AKS RBAC Disabled ^{_{86f92117-eed8-4614-9c6c-b26da20ff37f}}	Medium	Access Control	Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled	Documentation
Virtual Network with DDoS Protection Plan disabled ^{_{b4cc2c52-34a6-4b43-b57c-4bdeb4514a5a}}	Medium	Availability	Virtual Network should have DDoS Protection Plan enabled	Documentation
SQL Server Predictable Admin Account Name ^{_{2ab6de9a-0136-415c-be92-79d2e4fd750f}}	Medium	Best Practices	Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'administrator_login' must be set to a name that is not easy to predict	Documentation
Security Contact Email ^{_{34664094-59e0-4524-b69f-deaa1a68cce3}}	Medium	Best Practices	Security Contact Email should be defined	Documentation
SQL Server Predictable Active Directory Account Name ^{_{bcd3fc01-5902-4f2a-b05a-227f9bbf5450}}	Medium	Best Practices	Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'login' must be set to a name that is not easy to predict	Documentation
Unrestricted SQL Server Access ^{_{d7ba74da-2da0-4d4b-83c8-2fd72a3f6c28}}	Medium	Best Practices	Azure SQL Server Accessibility must be set to a minimal address range, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' must be lesser than 256. Additionally, both ips must be different from '0.0.0.0'	Documentation
Cosmos DB Account Without Tags ^{_{56dad03e-e94f-4dd6-93a4-c253a03ff7a0}}	Medium	Build Process	Cosmos DB Account must have a mapping of tags.	Documentation
Storage Account Not Using Latest TLS Encryption Version ^{_{8263f146-5e03-43e0-9cfe-db960d56d1e7}}	Medium	Encryption	Ensure Storage Account is using the latest version of TLS encryption	Documentation
AKS Disk Encryption Set ID Undefined ^{_{b17d8bb8-4c08-4785-867e-cb9e62a622aa}}	Medium	Encryption	Azure Container Service (AKS) should use Disk Encryption Set ID	Documentation
Redis Cache Allows Non SSL Connections ^{_{e29a75e6-aba3-4896-b42d-b87818c16b58}}	Medium	Encryption	Check if any Redis Cache resource allows non-SSL connections.	Documentation
Encryption On Managed Disk Disabled ^{_{a99130ab-4c0e-43aa-97f8-78d4fcb30024}}	Medium	Encryption	Ensure that the encryption is active on the disk	Documentation
Security Center Pricing Tier Is Not Standard ^{_{819d50fd-1cdf-45c3-9936-be408aaad93e}}	Medium	Insecure Configurations	Make sure that the 'Standard' pricing tiers were selected.	Documentation
Function App Managed Identity Disabled ^{_{c87749b3-ff10-41f5-9df2-c421e8151759}}	Medium	Insecure Configurations	Azure Function App should have managed identity enabled	Documentation
Function App Client Certificates Unrequired ^{_{9bb3c639-5edf-458c-8ee5-30c17c7d671d}}	Medium	Insecure Configurations	Azure Function App should have 'client_cert_mode' set to required	Documentation
AKS Network Policy Misconfigured ^{_{f5342045-b935-402d-adf1-8dbbd09c0eef}}	Medium	Insecure Configurations	Check if the Azure Kubernetes Service doesn't have the proper network policy configuration.	Documentation
Security Group is Not Configured ^{_{5c822443-e1ea-46b8-84eb-758ec602e844}}	Medium	Insecure Configurations	Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty	Documentation
Small Flow Logs Retention Period ^{_{7750fcca-dd03-4d38-b663-4b70289bcfd4}}	Medium	Insecure Configurations	Flow logs enable capturing information about IP traffic flowing in and out of the network security groups. Network Security Group Flow Logs must be enabled with retention period greater than or equal to 90 days. This is important, because these logs are used to check for anomalies and give information of suspected breaches	Documentation
Default Network Access is Allowed ^{_{9be09caf-2ba4-4fa9-9787-a670dc32c639}}	Medium	Insecure Defaults	Default Network Access rule for Storage Accounts must be set to deny, which means the attribute 'default_action' must be 'Deny'	Documentation
Default Azure Storage Account Network Access Is Too Permissive ^{_{a5613650-32ec-4975-a305-31af783153ea}}	Medium	Insecure Defaults	Default Azure Storage Account network access should be set to Deny	Documentation
Sensitive Port Is Exposed To Small Public Network ^{_{e9dee01f-2505-4df2-b9bf-7804d1fd9082}}	Medium	Networking and Firewall	A sensitive port, such as port 23 or port 110, is open for small public network in either TCP or UDP protocol	Documentation
WAF Is Disabled For Azure Application Gateway ^{_{2e48d91c-50e4-45c8-9312-27b625868a72}}	Medium	Networking and Firewall	Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway.	Documentation
Azure Cognitive Search Public Network Access Enabled ^{_{4a9e0f00-0765-4f72-a0d4-d31110b78279}}	Medium	Networking and Firewall	Public Network Access should be disabled for Azure Cognitive Search	Documentation
MariaDB Server Public Network Access Enabled ^{_{7f0a8696-7159-4337-ad0d-8a3ab4a78195}}	Medium	Networking and Firewall	MariaDB Server Public Network Access should be disabled	Documentation
Network Interfaces With Public IP ^{_{c1573577-e494-4417-8854-7e119368dc8b}}	Medium	Networking and Firewall	Network Interfaces must not be exposed with a public IP address	Documentation
Sensitive Port Is Exposed To Wide Private Network ^{_{c6c7b33d-d7f6-4ab8-8c82-ca0431ecdb7e}}	Medium	Networking and Firewall	A sensitive port, such as port 23 or port 110, is open for wide private network in either TCP or UDP protocol	Documentation
Firewall Rule Allows Too Many Hosts To Access Redis Cache ^{_{a829b715-cf75-4e92-b645-54c9b739edfb}}	Medium	Networking and Firewall	Check if any firewall rule allows too many hosts to access Redis Cache	Documentation
PostgreSQL Server Without Connection Throttling ^{_{2b3c671f-1b76-4741-8789-ed1fe0785dc4}}	Medium	Observability	Ensure that Connection Throttling is set for the PostgreSQL server	Documentation
PostgreSQL Log Checkpoints Disabled ^{_{3790d386-be81-4dcf-9850-eaa7df6c10d9}}	Medium	Observability	Make sure that for Postgre SQL Database Server, parameter 'log_checkpoints' is set to 'ON'	Documentation
Email Alerts Disabled ^{_{9db38e87-f6aa-4b5e-a1ec-7266df259409}}	Medium	Observability	Make sure that alerts notifications are set to 'On' in the Azure Security Center Contact	Documentation
Small MSSQL Audit Retention Period ^{_{9c301481-e6ec-44f7-8a49-8ec63e2969ea}}	Medium	Observability	Make sure that for MSSQL Server, the Auditing Retention is greater than 90 days	Documentation
Small PostgreSQL DB Server Log Retention Period ^{_{261a83f8-dd72-4e8c-b5e1-ebf06e8fe606}}	Medium	Observability	Check if PostgreSQL Database Server retains logs for less than 3 Days	Documentation
Small Activity Log Retention Period ^{_{2b856bf9-8e8c-4005-875f-303a8cba3918}}	Medium	Observability	Ensure that Activity Log Retention is set 365 days or greater	Documentation
Small MSSQL Server Audit Retention ^{_{59acb56b-2b10-4c2c-ba38-f2223c3f5cfc}}	Medium	Observability	Make sure for SQL Servers that Auditing Retention is greater than 90 days	Documentation
PostgreSQL Log Connections Not Set ^{_{c640d783-10c5-4071-b6c1-23507300d333}}	Medium	Observability	Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON'	Documentation
PostgreSQL Log Disconnections Not Set ^{_{07f7134f-9f37-476e-8664-670c218e4702}}	Medium	Observability	Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON'	Documentation
Log Retention Is Not Set ^{_{ffb02aca-0d12-475e-b77c-a726f7aeff4b}}	Medium	Observability	Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON'	Documentation
SQL Server Auditing Disabled ^{_{f7e296b0-6660-4bc5-8f87-22ac4a815edf}}	Medium	Observability	Make sure that for SQL Servers, 'Auditing' is set to 'On'	Documentation
PostgreSQL Log Duration Not Set ^{_{16e0879a-c4ae-4ff8-a67d-a2eed5d67b8f}}	Medium	Observability	Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON'	Documentation
MSSQL Server Auditing Disabled ^{_{609839ae-bd81-4375-9910-5bce72ae7b92}}	Medium	Observability	Make sure that for MSSQL Servers, that 'Auditing' is set to 'On'	Documentation
Azure Active Directory Authentication ^{_{a21c8da9-41bf-40cf-941d-330cf0d11fc7}}	Low	Access Control	Azure Active Directory must be used for authentication for Service Fabric	Documentation
MariaDB Server Geo-redundant Backup Disabled ^{_{0a70d5f3-1ecd-4c8e-9292-928fc9a8c4f1}}	Low	Backup	MariaDB Server Geo-redundant Backup should be enabled	Documentation
AKS Uses Azure Policies Add-On Disabled ^{_{43789711-161b-4708-b5bb-9d1c626f7492}}	Low	Best Practices	Azure Container Service (AKS) should use Azure Policies Add-On	Documentation
Key Vault Secrets Content Type Undefined ^{_{f8e08a38-fc6e-4915-abbe-a7aadf1d59ef}}	Low	Best Practices	Key Vault Secrets should have set Content Type	Documentation
PostgreSQL Server Infrastructure Encryption Disabled ^{_{6425c98b-ca4e-41fe-896a-c78772c131f8}}	Low	Encryption	PostgreSQL Server Infrastructure Encryption should be enabled	Documentation
Function App HTTP2 Disabled ^{_{ace823d1-4432-4dee-945b-cdf11a5a6bd0}}	Low	Insecure Configurations	Function App should have 'http2_enabled' enabled	Documentation
Dashboard Is Enabled ^{_{61c3cb8b-0715-47e4-b788-86dde40dd2db}}	Low	Insecure Configurations	Check if the Kubernetes Dashboard is enabled.	Documentation
App Service HTTP2 Disabled ^{_{525b53be-62ed-4244-b4df-41aecfcb4071}}	Low	Insecure Configurations	App Service should have 'http2_enabled' enabled	Documentation
Azure Front Door WAF Disabled ^{_{835a4f2f-df43-437d-9943-545ccfc55961}}	Low	Networking and Firewall	Azure Front Door WAF should be enabled	Documentation
AKS Private Cluster Disabled ^{_{599318f2-6653-4569-9e21-041d06c63a89}}	Low	Networking and Firewall	Azure Kubernetes Service (AKS) API should not be exposed to the internet	Documentation
Network Interfaces IP Forwarding Enabled ^{_{4216ebac-d74c-4423-b437-35025cb88af5}}	Low	Networking and Firewall	Network Interfaces IP Forwarding should be disabled	Documentation
App Service Authentication Disabled ^{_{c7fc1481-2899-4490-bbd8-544a3a61a2f3}}	Info	Access Control	Azure App Service authentication settings should be enabled	Documentation
SQL Server Alert Email Disabled ^{_{55975007-f6e7-4134-83c3-298f1fe4b519}}	Info	Best Practices	SQL Server alert email should be enabled	Documentation
### AWS
Bellow are listed queries related with Terraform AWS:

Query	Severity	Category	Description	Help
S3 Bucket ACL Allows Read to Any Authenticated User ^{_{57b9893d-33b1-4419-bcea-a717ea87e139}}	High	Access Control	Misconfigured S3 buckets can leak private information to the entire internet or allow unauthorized data tampering / deletion	Documentation
SQS Queue Exposed ^{_{abb06e5f-ef9a-4a99-98c6-376d396bfcdf}}	High	Access Control	Checks if the SQS Queue is exposed	Documentation
S3 Bucket Allows All Actions From All Principals ^{_{51cf6f14-6a52-4642-97fb-10db078382d3}}	High	Access Control	S3 Buckets must not allow All Actions (wildcard) From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is *, for all Principals.	Documentation
S3 Bucket Allows Delete Action From All Principals ^{_{ffdf4b37-7703-4dfe-a682-9d2e99bc6c09}}	High	Access Control	S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals.	Documentation
S3 Bucket Allows List Action From All Principals ^{_{66c6f96f-2d9e-417e-a998-9058aeeecd44}}	High	Access Control	S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals.	Documentation
S3 Bucket ACL Allows Read Or Write to All Users ^{_{38c5ee0d-7f22-4260-ab72-5073048df100}}	High	Access Control	S3 bucket with public READ/WRITE access	Documentation
ECS Service Admin Role is Present ^{_{3206240f-2e87-4e58-8d24-3e19e7c83d7c}}	High	Access Control	ECS Services must not have Admin roles, which means the attribute 'iam_role' must not be an admin role	Documentation
S3 Bucket Allows Public Policy ^{_{1a4bc881-9f69-4d44-8c9a-d37d08f54c50}}	High	Access Control	S3 bucket allows public policy	Documentation
S3 Bucket Access to Any Principal ^{_{7af43613-6bb9-4a0e-8c4d-1314b799425e}}	High	Access Control	S3 Buckets must not allow Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when there are All Principals	Documentation
S3 Bucket Allows Put Action From All Principals ^{_{d24c0755-c028-44b1-b503-8e719c898832}}	High	Access Control	S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals.	Documentation
IAM Policies With Full Privileges ^{_{2f37c4a3-58b9-4afe-8a87-d7f1d2286f84}}	High	Access Control	IAM policies that allow full administrative privileges (for all resources)	Documentation
S3 Bucket Allows Get Action From All Principals ^{_{1df37f4b-7197-45ce-83f8-9994d2fcf885}}	High	Access Control	S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals.	Documentation
EFS With Vulnerable Policy ^{_{fae52418-bb8b-4ac2-b287-0b9082d6a3fd}}	High	Access Control	EFS (Elastic File System) policy should avoid wildcard in 'Action' and 'Principal'.	Documentation
IAM Role With Full Privileges ^{_{b1ffa705-19a3-4b73-b9d0-0c97d0663842}}	High	Access Control	IAM role policy that allow full administrative privileges (for all resources)	Documentation
S3 Bucket With All Permissions ^{_{a4966c4f-9141-48b8-a564-ffe9959945bc}}	High	Access Control	S3 Buckets must not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion	Documentation
Neptune Cluster Instance is Publicly Accessible ^{_{9ba198e0-fef4-464a-8a4d-75ea55300de7}}	High	Access Control	Neptune Cluster Instance should not be publicly accessible	Documentation
S3 Bucket Allows WriteACP Action From All Principals ^{_{64a222aa-7793-4e40-915f-4b302c76e4d4}}	High	Access Control	S3 Buckets must not allow Write_ACP Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Write_ACP, for all Principals.	Documentation
Kinesis Not Encrypted With KMS ^{_{862fe4bf-3eec-4767-a517-40f378886b88}}	High	Encryption	AWS Kinesis Streams and metadata should be protected with KMS	Documentation
User Data Shell Script Is Encoded ^{_{9cf718ce-46f9-430e-89ec-c456f8b469ee}}	High	Encryption	Base64 Shell Script must be encoded	Documentation
Sagemaker Endpoint Configuration Encryption Disabled ^{_{58b35504-0287-4154-bf69-02c0573deab8}}	High	Encryption	Sagemaker endpoint configuration should encrypt data	Documentation
EBS Volume Snapshot Not Encrypted ^{_{e6b4b943-6883-47a9-9739-7ada9568f8ca}}	High	Encryption	The value on AWS EBS Volume Snapshot Encryptation must be true	Documentation
EKS Cluster Encryption Disabled ^{_{63ebcb19-2739-4d3f-aa5c-e8bbb9b85281}}	High	Encryption	EKS Cluster should be encrypted	Documentation
Glue Security Configuration Encryption Disabled ^{_{ad5b4e97-2850-4adf-be17-1d293e0b85ee}}	High	Encryption	Glue Security Configuration Encryption should have 'cloudwatch_encryption', 'job_bookmarks_encryption' and 's3_encryption' enabled	Documentation
CA certificate Identifier is outdated ^{_{9f40c07e-699e-4410-8856-3ba0f2e3a2dd}}	High	Encryption	The CA certificate Identifier must be 'rds-ca-2019'.	Documentation
User Data Contains Encoded Private Key ^{_{443488f5-c734-460b-a36d-5b3f330174dc}}	High	Encryption	User Data Base64 contains an encoded RSA Private Key	Documentation
ECS Task Definition Container With Plaintext Password ^{_{d40210ea-64b9-4cce-a4fb-e8604f3c062c}}	High	Encryption	It's not recommended to use plaintext environment variables for sensitive information, such as credential data.	Documentation
EFS Without KMS ^{_{25d251f3-f348-4f95-845c-1090e41a615c}}	High	Encryption	Elastic File System (EFS) must have KMS Key ID	Documentation
Secure Ciphers Disabled ^{_{5c0003fb-9aa0-42c1-9da3-eb0e332bef21}}	High	Encryption	Check if secure ciphers aren't used in CloudFront	Documentation
ELB Using Weak Ciphers ^{_{4a800e14-c94a-442d-9067-5a2e9f6c0a4c}}	High	Encryption	ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of weak ciphers.	Documentation
RDS Database Cluster not Encrypted ^{_{656880aa-1388-488f-a6d4-8f73c23149b2}}	High	Encryption	RDS Database Cluster Encryption should be enabled	Documentation
ECS Task Definition Volume Not Encrypted ^{_{4d46ff3b-7160-41d1-a310-71d6d370b08f}}	High	Encryption	AWS ECS Task Definition EFS data in transit between AWS ECS host and AWS EFS server should be encrypted	Documentation
Automatic Minor Upgrades Disabled ^{_{3b6d777b-76e3-4133-80a3-0d6f667ade7f}}	High	Encryption	RDS Instance Auto Minor Version Upgrade feature in Aws Db Instance must be true	Documentation
Kinesis SSE Not Configured ^{_{5c6dd5e7-1fe0-4cae-8f81-4c122717cef3}}	High	Encryption	AWS Kinesis Server data at rest should have Server Side Encryption (SSE) enabled	Documentation
DB Instance Storage Not Encrypted ^{_{08bd0760-8752-44e1-9779-7bb369b2b4e4}}	High	Encryption	The parameter storage_encrypted in aws_db_instance must be set to 'true' (the default is 'false').	Documentation
Sagemaker Notebook Instance Without KMS ^{_{f3674e0c-f6be-43fa-b71c-bf346d1aed99}}	High	Encryption	AWS SageMaker should encrypt model artifacts at rest using Amazon S3 server-side encryption with an AWS KMS	Documentation
DOCDB Cluster Not Encrypted ^{_{bc1f9009-84a0-490f-ae09-3e0ea6d74ad6}}	High	Encryption	AWS DOCDB Cluster storage should be encrypted	Documentation
Workspaces Workspace Volume Not Encrypted ^{_{b9033580-6886-401a-8631-5f19f5bb24c7}}	High	Encryption	AWS Workspaces Workspace data stored in volumes should be encrypted	Documentation
EBS Default Encryption Disabled ^{_{3d3f6270-546b-443c-adb4-bb6fb2187ca6}}	High	Encryption	EBS Encryption should be enabled	Documentation
Glue Data Catalog Encryption Disabled ^{_{01d50b14-e933-4c99-b314-6d08cd37ad35}}	High	Encryption	Glue Data Catalog Encryption Settings should have 'connection_password_encryption' and 'encryption_at_rest' enabled	Documentation
S3 Bucket Object Not Encrypted ^{_{5fb49a69-8d46-4495-a2f8-9c8c622b2b6e}}	High	Encryption	S3 Bucket Object should have server-side encryption enabled	Documentation
Launch Configuration Is Not Encrypted ^{_{4de9de27-254e-424f-bd70-4c1e95790838}}	High	Encryption	Data stored in the Launch configuration EBS is not securely encrypted	Documentation
DAX Cluster Not Encrypted ^{_{f11aec39-858f-4b6f-b946-0a1bf46c0c87}}	High	Encryption	AWS DAX Cluster should have server-side encryption at rest	Documentation
Redis Not Compliant ^{_{254c932d-e3bf-44b2-bc9d-eb5fdb09f8d4}}	High	Encryption	Check if the redis version is compliant with the necessary AWS PCI DSS requirements	Documentation
AMI Not Encrypted ^{_{8bbb242f-6e38-4127-86d4-d8f0b2687ae2}}	High	Encryption	AWS AMI Encryption is not enabled	Documentation
DOCDB Cluster Without KMS ^{_{4766d3ea-241c-4ee6-93ff-c380c996bd1a}}	High	Encryption	AWS DOCDB Cluster should be encrypted with a KMS encryption key	Documentation
Redshift Not Encrypted ^{_{cfdcabb0-fc06-427c-865b-c59f13e898ce}}	High	Encryption	Check if 'encrypted' field is false or undefined (default is false)	Documentation
IAM Database Auth Not Enabled ^{_{88fd05e0-ac0e-43d2-ba6d-fc0ba60ae1a6}}	High	Encryption	IAM Database Auth Enabled must be configured to true	Documentation
S3 Bucket SSE Disabled ^{_{6726dcc0-5ff5-459d-b473-a780bef7665c}}	High	Encryption	If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required	Documentation
Athena Database Not Encrypted ^{_{b2315cae-b110-4426-81e0-80bb8640cdd3}}	High	Encryption	AWS Athena Database data in S3 should be encrypted	Documentation
API Gateway Method Settings Cache Not Encrypted ^{_{b7c9a40c-23e4-4a2d-8d39-a3352f10f288}}	High	Encryption	API Gateway Method Settings Cache should be encrypted	Documentation
EFS Not Encrypted ^{_{48207659-729f-4b5c-9402-f884257d794f}}	High	Encryption	Elastic File System (EFS) must be encrypted	Documentation
Athena Workgroup Not Encrypted ^{_{d364984a-a222-4b5f-a8b0-e23ab19ebff3}}	High	Encryption	Athena Workgroup query results should be encrypted, for all queries that run in the workgroup	Documentation
Viewer Protocol Policy Allows HTTP ^{_{55af1353-2f62-4fa0-a8e1-a210ca2708f5}}	High	Encryption	Checks if the connection between the CloudFront and the origin server is encrypted	Documentation
MSK Cluster Encryption Disabled ^{_{6db52fa6-d4da-4608-908a-89f0c59e743e}}	High	Encryption	Ensure MSK Cluster encryption in rest and transit is enabled	Documentation
Memcached Disabled ^{_{4bd15dd9-8d5e-4008-8532-27eb0c3706d3}}	High	Encryption	Check if the Memcached is disabled on the ElastiCache	Documentation
CloudWatch Log Group Not Encrypted ^{_{0afbcfe9-d341-4b92-a64c-7e6de0543879}}	High	Encryption	AWS CloudWatch Log groups should be encrypted using KMS	Documentation
CodeBuild Project Encrypted With AWS Managed Key ^{_{3deec14b-03d2-4d27-9670-7d79322e3340}}	High	Encryption	CodeBuild Project should be encrypted with customer-managed KMS keys instead of AWS managed keys	Documentation
RDS Storage Not Encrypted ^{_{3199c26c-7871-4cb3-99c2-10a59244ce7f}}	High	Encryption	Check if RDS Cluster Storage isn't encrypted. Happens when 'storage_encrypted' is not set to 'true'	Documentation
ELB Using Insecure Protocols ^{_{126c1788-23c2-4a10-906c-ef179f4f96ec}}	High	Encryption	ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of insecure protocols.	Documentation
S3 Bucket Without Restriction Of Public Bucket ^{_{1ec253ab-c220-4d63-b2de-5b40e0af9293}}	High	Insecure Configurations	S3 bucket without restriction of public bucket	Documentation
Root Account Has Active Access Keys ^{_{970d224d-b42a-416b-81f9-8f4dfe70c4bc}}	High	Insecure Configurations	The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive.	Documentation
IAM User Policy Without MFA ^{_{b5681959-6c09-4f55-b42b-c40fa12d03ec}}	High	Insecure Configurations	Check if the root user is authenticated with MFA	Documentation
ECS Task Definition Network Mode Not Recommended ^{_{9f4a9409-9c60-4671-be96-9716dbf63db1}}	High	Insecure Configurations	Network_Mode should be 'awsvpc' in ecs_task_defenition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations	Documentation
CloudFront Without Minimum Protocol TLS 1.2 ^{_{00e5e55e-c2ff-46b3-a757-a7a1cd802456}}	High	Insecure Configurations	CloudFront Minimum Protocol version should be at least TLS 1.2	Documentation
Batch Job Definition With Privileged Container Properties ^{_{66cd88ac-9ddf-424a-b77e-e55e17630bee}}	High	Insecure Configurations	Batch Job Definition should not have Privileged Container Properties	Documentation
S3 Bucket Without Enabled MFA Delete ^{_{c5b31ab9-0f26-4a49-b8aa-4cc064392f4d}}	High	Insecure Configurations	S3 bucket without MFA Delete Enabled. MFA delete cannot be enabled through Terraform, it can be done by adding a MFA device (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable.html) and enabling versioning and MFA delete by using AWS CLI: 'aws s3api put-bucket-versioning --versioning-configuration=Status=Enabled,MFADelete=Enabled --bucket= --mfa='. Please, also notice that MFA delete can not be used with lifecycle configurations	Documentation
API Gateway Without Security Policy ^{_{4e1cc5d3-2811-4fb2-861c-ee9b3cb7f90b}}	High	Insecure Configurations	API Gateway should have a Security Policy defined and use TLS 1.2.	Documentation
S3 Static Website Host Enabled ^{_{42bb6b7f-6d54-4428-b707-666f669d94fb}}	High	Insecure Configurations	Checks if any static websties are hosted on buckets	Documentation
DB Instance Publicly Accessible ^{_{35113e6f-2c6b-414d-beec-7a9482d3b2d1}}	High	Insecure Configurations	The field 'publicly_accessible' should not be set to 'true' (default is 'false').	Documentation
Authentication Without MFA ^{_{3ddfa124-6407-4845-a501-179f90c65097}}	High	Insecure Configurations	Users should authenticate with MFA (Multi-factor Authentication)	Documentation
DB Security Group Has Public Interface ^{_{f0d8781f-99bf-4958-9917-d39283b168a0}}	High	Insecure Configurations	The CIDR IP should not be a public interface	Documentation
SQS With SSE Disabled ^{_{6e8849c1-3aa7-40e3-9063-b85ee300f29f}}	High	Insecure Configurations	Amazon Simple Queue Service (SQS) queue is not protecting the contents of their messages using Server-Side Encryption (SSE)	Documentation
S3 Bucket with Unsecured CORS Rule ^{_{98a8f708-121b-455b-ae2f-da3fb59d17e1}}	High	Insecure Configurations	If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure	Documentation
KMS Key With Vulnerable Policy ^{_{7ebc9038-0bde-479a-acc4-6ed7b6758899}}	High	Insecure Configurations	Checks if the policy is vulnerable and needs updating.	Documentation
Redshift Publicly Accessible ^{_{af173fde-95ea-4584-b904-bb3923ac4bda}}	High	Insecure Configurations	Check if 'publicly_accessible' field is true or undefined (default is true)	Documentation
No Password Policy Enabled ^{_{b592ffd4-0577-44b6-bd35-8c5ee81b5918}}	High	Insecure Configurations	IAM password policies should be set through the password minimum length and reset password attributes	Documentation
Vulnerable Default SSL Certificate ^{_{3a1e94df-6847-4c0e-a3b6-6c6af4e128ef}}	High	Insecure Defaults	CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one.	Documentation
Route53 Record Undefined ^{_{25db74bf-fa3b-44da-934e-8c3e005c0453}}	High	Networking and Firewall	Check if Record is set	Documentation
EKS Cluster Has Public Access CIDRs ^{_{61cf9883-1752-4768-b18c-0d57f2737709}}	High	Networking and Firewall	Amazon EKS public endpoint is enables and accessible to all: 0.0.0.0/0"	Documentation
EC2 Instance Has Public IP ^{_{5a2486aa-facf-477d-a5c1-b010789459ce}}	High	Networking and Firewall	EC2 Instance should not have a public IP address.	Documentation
VPC Peering Route Table with Unrestricted CIDR ^{_{b3a41501-f712-4c4f-81e5-db9a7dc0e34e}}	High	Networking and Firewall	VPC Peering Route Table should restrict CIDR	Documentation
Security Group With Unrestricted Access To SSH ^{_{65905cec-d691-4320-b320-2000436cb696}}	High	Networking and Firewall	'SSH' (TCP:22) should not be public in AWS Security Group	Documentation
Unrestricted Security Group Ingress ^{_{4728cd65-a20c-49da-8b31-9c08b423e4db}}	High	Networking and Firewall	Security groups allow ingress from 0.0.0.0:0	Documentation
Network ACL With Unrestricted Access To RDP ^{_{a20be318-cac7-457b-911d-04cc6e812c25}}	High	Networking and Firewall	'RDP' (TCP:3389) should not be public in AWS Network ACL	Documentation
EKS node group remote access disabled ^{_{ba40ace1-a047-483c-8a8d-bc2d3a67a82d}}	High	Networking and Firewall	EKS node group remote access is disabled when 'SourceSecurityGroups' is missing	Documentation
Unknown Port Exposed To Internet ^{_{590d878b-abdc-428f-895a-e2b68a0e1998}}	High	Networking and Firewall	AWS Security Group should not have an unknown port exposed to the entire Internet	Documentation
Default Security Groups With Unrestricted Traffic ^{_{46883ce1-dc3e-4b17-9195-c6a601624c73}}	High	Networking and Firewall	Check if default security group does not restrict all inbound and outbound traffic.	Documentation
Remote Desktop Port Open ^{_{151187cb-0efc-481c-babd-ad24e3c9bc22}}	High	Networking and Firewall	The Remote Desktop port is open in a Security Group	Documentation
DB Security Group Open To Large Scope ^{_{4f615f3e-fb9c-4fad-8b70-2e9f781806ce}}	High	Networking and Firewall	The IP address in a DB Security Group must not have more than 256 hosts.	Documentation
DB Security Group With Public Scope ^{_{1e0ef61b-ad85-4518-a3d3-85eaad164885}}	High	Networking and Firewall	The IP address in a DB Security Group must not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6).	Documentation
ALB Listening on HTTP ^{_{de7f5e83-da88-4046-871f-ea18504b1d43}}	High	Networking and Firewall	AWS Application Load Balancer (alb) should not listen on HTTP	Documentation
VPC Default Security Group Accepts All Traffic ^{_{9a4ef195-74b9-4c58-b8ed-2b2fe4353a75}}	High	Networking and Firewall	Default Security Group attached to every VPC should restrict all traffic	Documentation
HTTP Port Open ^{_{ffac8a12-322e-42c1-b9b9-81ff85c39ef7}}	High	Networking and Firewall	The HTTP port is open in a Security Group	Documentation
Sensitive Port Is Exposed To Entire Network ^{_{381c3f2a-ef6f-4eff-99f7-b169cda3422c}}	High	Networking and Firewall	A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol	Documentation
Network ACL With Unrestricted Access To SSH ^{_{3af7f2fd-06e6-4dab-b996-2912bea19ba4}}	High	Networking and Firewall	'SSH' (TCP:22) should not be public in AWS Network ACL	Documentation
CMK Rotation Disabled ^{_{22fbfeac-7b5a-421a-8a27-7a2178bb910b}}	High	Observability	Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled.	Documentation
CloudWatch Root Account Use Missing ^{_{8b1b1e67-6248-4dca-bbad-93486bb181c0}}	High	Observability	Ensure a log metric filter and alarm exist for root acount usage	Documentation
CloudWatch Console Sign-in Without MFA Alarm Missing ^{_{44ceb4fa-0897-4fd2-b676-30e7a58f2933}}	High	Observability	Ensure a log metric filter and alarm exist for management console sign-in without MFA	Documentation
CloudWatch Unauthorized Access Alarm Missing ^{_{4c18a45b-4ab1-4790-9f83-399ac695f1e5}}	High	Observability	Ensure a log metric filter and alarm exist for unauthorized API calls	Documentation
KMS Key With No Deletion Window ^{_{0b530315-0ea4-497f-b34c-4ff86268f59d}}	High	Observability	AWS KMS Key should have a valid deletion window	Documentation
CloudWatch IAM Policy Changes Alarm Missing ^{_{eaaba502-2f94-411a-a3c2-83d63cc1776d}}	High	Observability	Ensure a log metric filter and alarm exist for IAM policy changes	Documentation
CloudTrail Log Files S3 Bucket is Publicly Accessible ^{_{bd0088a5-c133-4b20-b129-ec9968b16ef3}}	High	Observability	CloudTrail Log Files S3 Bucket should not be publicly accessible	Documentation
Configuration Aggregator to All Regions Disabled ^{_{ac5a0bc0-a54c-45aa-90c3-15f7703b9132}}	High	Observability	AWS Config Configuration Aggregator All Regions must be set to True	Documentation
CloudTrail Log Files Not Encrypted ^{_{5d9e3164-9265-470c-9a10-57ae454ac0c7}}	High	Observability	Logs delivered by CloudTrail should be encrypted using KMS	Documentation
CloudTrail Logging Disabled ^{_{4bb76f17-3d63-4529-bdca-2b454529d774}}	High	Observability	Checks if logging is enabled for CloudTrail.	Documentation
CloudTrail Log Files S3 Bucket with Logging Disabled ^{_{ee9e50e8-b2ed-4176-ad42-8fc0cf7593f4}}	High	Observability	CloudTrail Log Files S3 Bucket should have 'logging' enabled	Documentation
ECR Repository Is Publicly Accessible ^{_{e86e26fc-489e-44f0-9bcd-97305e4ba69a}}	Medium	Access Control	Amazon ECR image repositories shouldn't have public access	Documentation
Glue With Vulnerable Policy ^{_{d25edb51-07fb-4a73-97d4-41cecdc53a22}}	Medium	Access Control	Glue policy should avoid wildcard in 'principals' and 'actions'	Documentation
IAM Role Policy passRole Allows All ^{_{e39bee8c-fe54-4a3f-824d-e5e2d1cca40a}}	Medium	Access Control	Using the iam:passrole action with wildcards (*) in the resource can be overly permissive because it allows iam:passrole permissions on multiple resources	Documentation
Lambda With Vulnerable Policy ^{_{ad9dabc7-7839-4bae-a957-aa9120013f39}}	Medium	Access Control	The attribute 'action' should not have wildcard	Documentation
API Gateway Method Does Not Contains An API Key ^{_{671211c5-5d2a-4e97-8867-30fc28b02216}}	Medium	Access Control	An API Key should be required on a method request.	Documentation
Lambda Permission Principal Is Wildcard ^{_{e08ed7eb-f3ef-494d-9d22-2e3db756a347}}	Medium	Access Control	Lambda Permission Principal should not contain a wildcard.	Documentation
SES Policy With Allowed IAM Actions ^{_{34b921bd-90a0-402e-a0a5-dc73371fd963}}	Medium	Access Control	SES policy should not allow IAM actions to all principals	Documentation
Elasticsearch Domain With Vulnerable Policy ^{_{16c4216a-50d3-4785-bfb2-4adb5144a8ba}}	Medium	Access Control	Elasticsearch Domain policy should avoid wildcard in 'Action' and 'Principal'.	Documentation
SQS Policy With Public Access ^{_{730675f9-52ed-49b6-8ead-0acb5dd7df7f}}	Medium	Access Control	SQS policy with public access	Documentation
IAM User With Access To Console ^{_{9ec311bf-dfd9-421f-8498-0b063c8bc552}}	Medium	Access Control	AWS IAM Users should not have access to console	Documentation
Policy Without Principal ^{_{bbe3dd3d-fea9-4b68-a785-cfabe2bbbc54}}	Medium	Access Control	All policies, except IAM identity-based policies, should have the 'Principal' element defined	Documentation
Secrets Manager With Vulnerable Policy ^{_{fa00ce45-386d-4718-8392-fb485e1f3c5b}}	Medium	Access Control	Secrets Manager policy should avoid wildcard in 'Principal' and 'Action'	Documentation
SNS Topic Publicity Has Allow and NotAction Simultaneously ^{_{5ea624e4-c8b1-4bb3-87a4-4235a776adcc}}	Medium	Access Control	SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'.	Documentation
SNS Topic is Publicly Accessible For Subscription ^{_{b26d2b7e-60f6-413d-a3a1-a57db24aa2b3}}	Medium	Access Control	This query checks if SNS Topic is Accessible For Subscription	Documentation
Cross-Account IAM Assume Role Policy Without ExternalId or MFA ^{_{09c35abf-5852-4622-ac7a-b987b331232e}}	Medium	Access Control	Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access	Documentation
Certificate Has Expired ^{_{c3831315-5ae6-4fa8-b458-3d4d5ab7a3f6}}	Medium	Access Control	Expired SSL/TLS certificates should be removed	Documentation
Elasticsearch Without IAM Authentication ^{_{e7530c3c-b7cf-4149-8db9-d037a0b5268e}}	Medium	Access Control	AWS Elasticsearch should ensure IAM Authentication	Documentation
Public and Private EC2 Share Role ^{_{c53c7a89-f9d7-4c7b-8b66-8a555be99593}}	Medium	Access Control	Public and private EC2 istances should not share the same role.	Documentation
Neptune Cluster With IAM Database Authentication Disabled ^{_{c91d7ea0-d4d1-403b-8fe1-c9961ac082c5}}	Medium	Access Control	Neptune Cluster should have IAM Database Authentication enabled	Documentation
S3 Bucket Allows Public ACL ^{_{d0cc8694-fcad-43ff-ac86-32331d7e867f}}	Medium	Access Control	S3 bucket allows public ACL	Documentation
CloudWatch Logs Destination With Vulnerable Policy ^{_{db0ec4c4-852c-46a2-b4f3-7ec13cdb12a8}}	Medium	Access Control	CloudWatch Logs destination policy should avoid wildcard in 'principals' and 'actions'	Documentation
IAM Access Key Is Exposed ^{_{7081f85c-b94d-40fd-8b45-a4f1cac75e46}}	Medium	Access Control	Check if IAM Access Key is active for some user besides 'root'	Documentation
SQS Policy Allows All Actions ^{_{816ea8cf-d589-442d-a917-2dd0ce0e45e3}}	Medium	Access Control	SQS policy allows ALL (*) actions	Documentation
IAM Access Analyzer Undefined ^{_{e592a0c5-5bdb-414c-9066-5dba7cdea370}}	Medium	Access Control	IAM Access Analyzer should be defined to identify unintentional access	Documentation
AMI Shared With Multiple Accounts ^{_{ba4e0031-3e9d-4d7d-b0d6-bd8f003f8698}}	Medium	Access Control	Limits access to AWS AMIs by checking if more than one account is using the same image	Documentation
IAM Policy Grants Full Permissions ^{_{575a2155-6af1-4026-b1af-d5bc8fe2a904}}	Medium	Access Control	IAM policies allow all ('*') in a statement action	Documentation
REST API With Vulnerable Policy ^{_{b161c11b-a59b-4431-9a29-4e19f63e6b27}}	Medium	Access Control	REST API policy should avoid wildcard in 'Action' and 'Principal'	Documentation
ElastiCache Nodes Not Created Across Multi AZ ^{_{6db03a91-f933-4f13-ab38-a8b87a7de54d}}	Medium	Availability	Check if ElastiCache nodes are not being created across multi AZ	Documentation
Auto Scaling Group With No Associated ELB ^{_{8e94dced-9bcc-4203-8eb7-7e41202b2505}}	Medium	Availability	AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty.	Documentation
CMK Is Unusable ^{_{7350fa23-dcf7-4938-916d-6a60b0c73b50}}	Medium	Availability	AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true	Documentation
ECS Service Without Running Tasks ^{_{91f16d09-689e-4926-aca7-155157f634ed}}	Medium	Availability	ECS Service should have at least 1 task running	Documentation
RDS With Backup Disabled ^{_{1dc73fb4-5b51-430c-8c5f-25dcf9090b02}}	Medium	Backup	RDS configured without backup	Documentation
Stack Retention Disabled ^{_{6e0e2f68-3fd9-4cd8-a5e4-e2213ef0df97}}	Medium	Backup	Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction	Documentation
ElastiCache Redis Cluster Without Backup ^{_{8fdb08a0-a868-4fdf-9c27-ccab0237f1ab}}	Medium	Backup	ElastiCache Redis cluster should have 'snapshot_retention_limit' higher than 0	Documentation
Password Without Reuse Prevention ^{_{89806cdc-9c2e-4bd1-a0dc-53f339bcfb2a}}	Medium	Best Practices	Check if IAM account password has the reuse password configured with 24	Documentation
Cognito UserPool Without MFA ^{_{ec28bf61-a474-4dbe-b414-6dd3a067d6f0}}	Medium	Best Practices	AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users	Documentation
RDS Cluster With Backup Disabled ^{_{e542bd46-58c4-4e0f-a52a-1fb4f9548e02}}	Medium	Best Practices	RDS Cluster backup retention period should be specifically defined	Documentation
ALB Not Dropping Invalid Headers ^{_{6e3fd2ed-5c83-4c68-9679-7700d224d379}}	Medium	Best Practices	It's considered a best practice when using Application Load Balancers to drop invalid header fields	Documentation
IAM Password Without Symbol ^{_{7a70eed6-de3a-4da2-94da-a2bbc8fe2a48}}	Medium	Best Practices	Check if IAM account password has the required symbols	Documentation
Misconfigured Password Policy Expiration ^{_{ce60d060-efb8-4bfd-9cf7-ff8945d00d90}}	Medium	Best Practices	No password expiration policy	Documentation
IAM Password Without Minimum Length ^{_{1bc1c685-e593-450e-88fb-19db4c82aa1d}}	Medium	Best Practices	Check if IAM account password has the required minimum length	Documentation
Stack Without Template ^{_{91bea7b8-0c31-4863-adc9-93f6177266c4}}	Medium	Build Process	AWS CloudFormation should have a template defined through the attribute template_url or attribute template_body	Documentation
SNS Topic Encrypted With AWS Managed Key ^{_{b1a72f66-2236-4f3b-87ba-0da1b366956f}}	Medium	Encryption	SNS (Simple Notification Service) Topic should be encrypted with customer-managed KMS keys instead of AWS managed keys	Documentation
AmazonMQ Broker Encryption Disabled ^{_{3db3f534-e3a3-487f-88c7-0a9fbf64b702}}	Medium	Encryption	AmazonMQ Broker should have Encryption Options defined	Documentation
ElastiCache Replication Group Not Encrypted At Rest ^{_{76976de7-c7b1-4f64-a94f-90c1345914c2}}	Medium	Encryption	ElastiCache Replication Group encryption should be enabled at Rest	Documentation
ElasticSearch Not Encrypted At Rest ^{_{24e16922-4330-4e9d-be8a-caa90299466a}}	Medium	Encryption	Check if ElasticSearch encryption is disabled at Rest	Documentation
Neptune Database Cluster Encryption Disabled ^{_{98d59056-f745-4ef5-8613-32bca8d40b7e}}	Medium	Encryption	Check if Neptune Cluster Storage is securely encrypted	Documentation
Unscanned ECR Image ^{_{9630336b-3fed-4096-8173-b9afdfe346a7}}	Medium	Encryption	Checks if the ECR Image has been scanned	Documentation
SNS Topic Not Encrypted ^{_{28545147-2fc6-42d5-a1f9-cf226658e591}}	Medium	Encryption	SNS (Simple Notification Service) Topic should be encrypted	Documentation
Elasticsearch Domain Not Encrypted Node To Node ^{_{967eb3e6-26fc-497d-8895-6428beb6e8e2}}	Medium	Encryption	Elasticsearch Domain encryption should be enabled node to node	Documentation
SSM Session Transit Encryption Disabled ^{_{ce60cc6b-6831-4bd7-84a2-cc7f8ee71433}}	Medium	Encryption	SSM Session should be encrypted in transit	Documentation
Config Rule For Encrypted Volumes Disabled ^{_{abdb29d4-5ca1-4e91-800b-b3569bbd788c}}	Medium	Encryption	Check if AWS config rules do not identify Encrypted Volumes as a source.	Documentation
DOCDB Cluster Encrypted With AWS Managed Key ^{_{2134641d-30a4-4b16-8ffc-2cd4c4ffd15d}}	Medium	Encryption	DOCDB Cluster should be encrypted with customer-managed KMS keys instead of AWS managed keys	Documentation
Secretsmanager Secret Without KMS ^{_{a2f548f2-188c-4fff-b172-e9a6acb216bd}}	Medium	Encryption	AWS Secretmanager should use AWS KMS customer master key (CMK) to encrypt the secret values in the versions stored in the secret	Documentation
Secretsmanager Secret Encrypted With AWS Managed Key ^{_{b0d3ef3f-845d-4b1b-83d6-63a5a380375f}}	Medium	Encryption	Secrets Manager secret should be encrypted with customer-managed KMS keys instead of AWS managed keys	Documentation
DynamoDB Table Not Encrypted ^{_{ce089fd4-1406-47bd-8aad-c259772bb294}}	Medium	Encryption	AWS DynamoDB Tables should have server-side encryption	Documentation
ElasticSearch Encryption With KMS Disabled ^{_{7af2f4a3-00d9-47f3-8d15-ca0888f4e5b2}}	Medium	Encryption	Check if any ElasticSearch domain isn't encrypted with KMS	Documentation
S3 Bucket Policy Accepts HTTP Requests ^{_{4bc4dd4c-7d8d-405e-a0fb-57fa4c31b4d9}}	Medium	Encryption	S3 Bucket policy should not accept HTTP Requests	Documentation
API Gateway Without Content Encoding ^{_{ed35928e-195c-4405-a252-98ccb664ab7b}}	Medium	Encryption	Enable Content Encoding through the attribute 'minimum_compression_size'. This value should be greater than -1 and smaller than 10485760	Documentation
ElastiCache Replication Group Not Encrypted At Transit ^{_{1afbb3fa-cf6c-4a3d-b730-95e9f4df343e}}	Medium	Encryption	ElastiCache Replication Group encryption should be enabled at Transit	Documentation
EBS Volume Encryption Disabled ^{_{cc997676-481b-4e93-aa81-d19f8c5e9b12}}	Medium	Encryption	The value on AWS EBS Volume Cluster Encryption must be true	Documentation
ECR Repository Not Encrypted ^{_{0e32d561-4b5a-4664-a6e3-a3fa85649157}}	Medium	Encryption	ECR (Elastic Container Registry) Repository encryption should be set	Documentation
ECR Image Tag Not Immutable ^{_{d1846b12-20c5-4d45-8798-fc35b79268eb}}	Medium	Insecure Configurations	ECR should have an image tag be immutable	Documentation
Certificate RSA Key Bytes Lower Than 256 ^{_{874d68a3-bfbe-4a4b-aaa0-9e74d7da634b}}	Medium	Insecure Configurations	The certificate should use a RSA key with a length equal to or higher than 256 bytes	Documentation
IAM Password Without Lowercase Letter ^{_{bbc7c137-6c7b-4fc4-984a-0c88e91fcaf9}}	Medium	Insecure Configurations	Check if IAM account password has at least one lowercase letter	Documentation
Public Lambda via API Gateway ^{_{3ef8696c-e4ae-4872-92c7-520bb44dfe77}}	Medium	Insecure Configurations	Allowing to run lambda function using public API Gateway	Documentation
MQ Broker Is Publicly Accessible ^{_{4eb5f791-c861-4afd-9f94-f2a6a3fe49cb}}	Medium	Insecure Configurations	Check if any MQ Broker is not publicly accessible	Documentation
API Gateway Without SSL Certificate ^{_{0b4869fc-a842-4597-aa00-1294df425440}}	Medium	Insecure Configurations	SSL Client Certificate should be enabled in aws_api_gateway_stage resource	Documentation
Instance With No VPC ^{_{a31a5a29-718a-4ff4-8001-a69e5e4d029e}}	Medium	Insecure Configurations	Instance should be configured in VPC (Virtual Private Cloud)	Documentation
Lambda Function Without Tags ^{_{875b86b1-7fd4-4728-9a18-de63d87ad82f}}	Medium	Insecure Configurations	AWS Lambda Functions must have associated tags.	Documentation
IAM Password Without Uppercase Letter ^{_{c5ff7bc9-d8ea-46dd-81cb-8286f3222249}}	Medium	Insecure Configurations	Check if IAM account password has at least one uppercase letter	Documentation
Service Control Policies Disabled ^{_{5ba6229c-8057-433e-91d0-21cf13569ca9}}	Medium	Insecure Configurations	Check if the Amazon Organizations' policies ensure that all features are enabled to achieve full control over the use of AWS services and actions across multiple AWS accounts using Service Control Policies (SCPs).	Documentation
AWS Password Policy With Unchangeable Passwords ^{_{9ef7d25d-9764-4224-9968-fa321c56ef76}}	Medium	Insecure Configurations	Unchangeable passwords in AWS password policy	Documentation
IAM User Has Too Many Access Keys ^{_{3561130e-9c5f-485b-9e16-2764c82763e5}}	Medium	Insecure Configurations	Any IAM User should not have more than one access key since it increases the risk of unauthorized access and compromise credentials	Documentation
Redshift Cluster Without VPC ^{_{0a494a6a-ebe2-48a0-9d77-cf9d5125e1b3}}	Medium	Insecure Configurations	Redshift Cluster should be configured in VPC (Virtual Private Cloud)	Documentation
EKS Cluster Has Public Access ^{_{42f4b905-3736-4213-bfe9-c0660518cda8}}	Medium	Insecure Configurations	Amazon EKS public endpoint shoud be set to false	Documentation
API Gateway With Open Access ^{_{15ccec05-5476-4890-ad19-53991eba1db8}}	Medium	Insecure Configurations	API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method.	Documentation
Sensitive Port Is Exposed To Small Public Network ^{_{e35c16a2-d54e-419d-8546-a804d8e024d0}}	Medium	Networking and Firewall	A sensitive port, such as port 23 or port 110, is open for a small public network in either TCP or UDP protocol	Documentation
VPC Without Network Firewall ^{_{fd632aaf-b8a1-424d-a4d1-0de22fd3247a}}	Medium	Networking and Firewall	VPC should have a Network Firewall associated	Documentation
Dynamodb VPC Endpoint Without Route Table Association ^{_{0bc534c5-13d1-4353-a7fe-b8665d5c1d7d}}	Medium	Networking and Firewall	Dynamodb VPC Endpoint should be associated with Route Table Association	Documentation
VPC Subnet Assigns Public IP ^{_{52f04a44-6bfa-4c41-b1d3-4ae99a2de05c}}	Medium	Networking and Firewall	VPC Subnet should not assign public IP	Documentation
Sensitive Port Is Exposed To Wide Private Network ^{_{92fe237e-074c-4262-81a4-2077acb928c1}}	Medium	Networking and Firewall	A sensitive port, such as port 23 or port 110, is open for a wide private network in either TCP or UDP protocol	Documentation
ALB Is Not Integrated With WAF ^{_{0afa6ab8-a047-48cf-be07-93a2f8c34cf7}}	Medium	Networking and Firewall	All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service	Documentation
API Gateway without WAF ^{_{a186e82c-1078-4a7b-85d8-579561fde884}}	Medium	Networking and Firewall	API Gateway should have WAF (Web Application Firewall) enabled	Documentation
SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible ^{_{54c417bf-c762-48b9-9d31-b3d87047e3f0}}	Medium	Networking and Firewall	Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it.	Documentation
SQS VPC Endpoint Without DNS Resolution ^{_{e9b7acf9-9ba0-4837-a744-31e7df1e434d}}	Medium	Networking and Firewall	SQS VPC Endpoint should have DNS resolution enabled	Documentation
API Gateway Endpoint Config is Not Private ^{_{6b2739db-9c49-4db7-b980-7816e0c248c1}}	Medium	Networking and Firewall	The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet	Documentation
CloudWatch Metrics Disabled ^{_{081069cb-588b-4ce1-884c-2a1ce3029fe5}}	Medium	Observability	Checks if CloudWatch Metrics is Enabled	Documentation
VPC FlowLogs Disabled ^{_{f83121ea-03da-434f-9277-9cd247ab3047}}	Medium	Observability	VPC hasn't got any FlowLog associated	Documentation
CloudWatch S3 policy Change Alarm Missing ^{_{27c6a499-895a-4dc7-9617-5c485218db13}}	Medium	Observability	Ensure a log metric filter and alarm exist for S3 bucket policy changes	Documentation
CloudWatch AWS Organizations Changes Missing Alarm ^{_{38b85c45-e772-4de8-a247-69619ca137b3}}	Medium	Observability	Ensure a log metric filter and alarm exist for AWS organizations changes	Documentation
Cloudwatch Cloudtrail Configuration Changes Alarm Missing ^{_{0f6cbf69-41bb-47dc-93f3-3844640bf480}}	Medium	Observability	Ensure a log metric filter and alarm exist for CloudTrail configuration changes	Documentation
Elasticsearch Without Slow Logs ^{_{e979fcbc-df6c-422d-9458-c33d65e71c45}}	Medium	Observability	Ensure that AWS Elasticsearch enables support for slow logs	Documentation
CloudWatch Disabling Or Scheduled Deletion Of Customer Created CMK Alarm Missing ^{_{56a585f5-555c-48b2-8395-e64e4740a9cf}}	Medium	Observability	Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMK	Documentation
Redshift Cluster Logging Disabled ^{_{15ffbacc-fa42-4f6f-a57d-2feac7365caa}}	Medium	Observability	Make sure Logging is enabled for Redshift Cluster	Documentation
Api Gateway Access Logging Disabled ^{_{1b6799eb-4a7a-4b04-9001-8cceb9999326}}	Medium	Observability	RDS does not have any kind of logger	Documentation
CloudTrail SNS Topic Name Undefined ^{_{482b7d26-0bdb-4b5f-bf6f-545826c0a3dd}}	Medium	Observability	Check if SNS topic name is set for CloudTrail	Documentation
API Gateway With CloudWatch Logging Disabled ^{_{982aa526-6970-4c59-8b9b-2ce7e019fe36}}	Medium	Observability	AWS CloudWatch Logs for APIs is not enabled	Documentation
Cloudfront Logging Disabled ^{_{94690d79-b3b0-43de-b656-84ebef5753e5}}	Medium	Observability	AWS Cloudfront distributions must be have logging enabled, which means the attribute 'logging_config' must be defined	Documentation
S3 Bucket Without Versioning ^{_{568a4d22-3517-44a6-a7ad-6a7eed88722c}}	Medium	Observability	S3 bucket without versioning	Documentation
CloudTrail Not Integrated With CloudWatch ^{_{17b30f8f-8dfb-4597-adf6-57600b6cf25e}}	Medium	Observability	CloudTrail should be integrated with CloudWatch	Documentation
Cloudwatch Security Group Changes Alarm Missing ^{_{4beaf898-9f8b-4237-89e2-5ffdc7ee6006}}	Medium	Observability	Ensure a log metric filter and alarm exist for security group changes	Documentation
MSK Cluster Logging Disabled ^{_{2f56b7ab-7fba-4e93-82f0-247e5ddeb239}}	Medium	Observability	Ensure MSK Cluster Logging is enabled	Documentation
Elasticsearch Log is disabled ^{_{acb6b4e2-a086-4f35-aefd-4db6ea51ada2}}	Medium	Observability	AWS Elasticsearch should have logs enabled	Documentation
CloudWatch Without Retention Period Specified ^{_{ef0b316a-211e-42f1-888e-64efe172b755}}	Medium	Observability	AWS CloudWatch Log groups should have retention days specified	Documentation
MQ Broker Logging Disabled ^{_{31245f98-a6a9-4182-9fc1-45482b9d030a}}	Medium	Observability	Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general).	Documentation
CloudTrail Multi Region Disabled ^{_{8173d5eb-96b5-4aa6-a71b-ecfa153c123d}}	Medium	Observability	CloudTrail should have 'is_multi_region_trail' and 'include_global_service_events' enabled	Documentation
S3 Bucket Object Level CloudTrail Logging Disabled ^{_{a8fc2180-b3ac-4c93-bd0d-a55b974e4b07}}	Medium	Observability	S3 Bucket object-level CloudTrail logging should be enabled for read and write events	Documentation
API Gateway Deployment Without Access Log Setting ^{_{625abc0e-f980-4ac9-a775-f7519ee34296}}	Medium	Observability	API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage.	Documentation
CloudWatch Management Console Auth Failed Alarm Missing ^{_{5864d189-ee9a-4009-ac0c-8a582e6b7919}}	Medium	Observability	Ensure a log metric filter and alarm exist for AWS Management Console authentication failures	Documentation
API Gateway X-Ray Disabled ^{_{5813ef56-fa94-406a-b35d-977d4a56ff2b}}	Medium	Observability	X-ray Tracing is not enabled	Documentation
Stack Notifications Disabled ^{_{b72d0026-f649-4c91-a9ea-15d8f681ac09}}	Medium	Observability	Enable AWS CloudFormation Stack Notifications	Documentation
GuardDuty Detector Disabled ^{_{704dadd3-54fc-48ac-b6a0-02f170011473}}	Medium	Observability	Make sure that Amazon GuardDuty is Enabled	Documentation
Default VPC Exists ^{_{96ed3526-0179-4c73-b1b2-372fde2e0d13}}	Medium	Observability	It isn't recommended to use resources in default VPC	Documentation
CloudWatch Logging Disabled ^{_{7dbba512-e244-42dc-98bb-422339827967}}	Medium	Observability	Check if CloudWatch logging is disabled for Route53 hosted zones	Documentation
No Stack Policy ^{_{2f01fb2d-828a-499d-b98e-b83747305052}}	Medium	Resource Management	AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions	Documentation
Hardcoded AWS Access Key In Lambda ^{_{1402afd8-a95c-4e84-8b0b-6fb43758e6ce}}	Medium	Secret Management	Lambda hardcoded AWS access/secret keys	Documentation
S3 Bucket Public ACL Overridden By Public Access Block ^{_{bf878b1a-7418-4de3-b13c-3a86cf894920}}	Low	Access Control	S3 bucket public access is overridden by S3 bucket Public Access Block when the following attributes are set to true - 'block_public_acls', 'block_public_policy', 'ignore_public_acls', and 'restrict_public_buckets'	Documentation
EC2 Instance Using API Keys ^{_{0b93729a-d882-4803-bdc3-ac429a21f158}}	Low	Access Control	EC2 instances should use roles to be granted access to other AWS services	Documentation
IAM Policy Grants 'AssumeRole' Permission Across All Services ^{_{bcdcbdc6-a350-4855-ae7c-d1e6436f7c97}}	Low	Access Control	IAM role allows All services or principals to assume it	Documentation
IAM Role Allows All Principals To Assume ^{_{12b7e704-37f0-4d1e-911a-44bf60c48c21}}	Low	Access Control	IAM role allows all services or principals to assume it	Documentation
IAM Group Without Users ^{_{fc101ca7-c9dd-4198-a1eb-0fbe92e80044}}	Low	Access Control	IAM Group should have at least one user associated	Documentation
EC2 Instance Using Default Security Group ^{_{f1adc521-f79a-4d71-b55b-a68294687432}}	Low	Access Control	EC2 instances should not use default security group(s)	Documentation
Autoscaling Groups Supply Tags ^{_{ba48df05-eaa1-4d64-905e-4a4b051e7587}}	Low	Availability	Autoscaling groups should supply tags to configurate	Documentation
ECR Repository Without Policy ^{_{69e7c320-b65d-41bb-be02-d63ecc0bcc9d}}	Low	Best Practices	ECR Repository should have Policies attached to it	Documentation
Lambda Permission Misconfigured ^{_{75ec6890-83af-4bf1-9f16-e83726df0bd0}}	Low	Best Practices	Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction'	Documentation
IAM Policies Attached To User ^{_{b4378389-a9aa-44ee-91e7-ef183f11079e}}	Low	Best Practices	IAM policies should be attached only to groups or roles	Documentation
CDN Configuration Is Missing ^{_{1bc367f6-901d-4870-ad0c-71d79762ef52}}	Low	Best Practices	Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination.	Documentation
Open Access To Resources Through API ^{_{108aa260-6dab-4a75-ae3f-de917d634840}}	Low	Insecure Configurations	Open access to back-end resources through API	Documentation
ALB Deletion Protection Disabled ^{_{afecd1f1-6378-4f7e-bb3b-60c35801fdd4}}	Low	Insecure Configurations	Application Load Balancer should have deletion protection enabled	Documentation
S3 Bucket Without Ignore Public ACL ^{_{4fa66806-0dd9-4f8d-9480-3174d39c7c91}}	Low	Insecure Configurations	S3 bucket without ignore public ACL	Documentation
Shield Advanced Not In Use ^{_{084c6686-2a70-4710-91b1-000393e54c12}}	Low	Networking and Firewall	AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, and Amazon CloudFront Distribution to protect these resources against robust DDoS attacks	Documentation
EMR Without VPC ^{_{2b3c8a6d-9856-43e6-ab1d-d651094f03b4}}	Low	Networking and Firewall	Elastic MapReduce Cluster (EMR) should be launched in a Virtual Private Cloud (VPC)	Documentation
Cloudfront Without WAF ^{_{1419b4c6-6d5c-4534-9cf6-6a5266085333}}	Low	Networking and Firewall	All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service	Documentation
RDS Using Default Port ^{_{bca7cc4d-b3a4-4345-9461-eb69c68fcd26}}	Low	Networking and Firewall	RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433	Documentation
Redshift Using Default Port ^{_{41abc6cc-dde1-4217-83d3-fb5f0cc09d8f}}	Low	Networking and Firewall	Redshift should not use the default port (5439) because an attacker can easily guess the port	Documentation
ElastiCache Without VPC ^{_{8c849af7-a399-46f7-a34c-32d3dc96f1fc}}	Low	Networking and Firewall	ElastiCache should be launched in a Virtual Private Cloud (VPC)	Documentation
ElastiCache Using Default Port ^{_{5d89db57-8b51-4b38-bb76-b9bd42bd40f0}}	Low	Networking and Firewall	ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211	Documentation
CloudWatch VPC Changes Alarm Missing ^{_{9d0d4512-1959-43a2-a17f-72360ff06d1b}}	Low	Observability	Ensure a log metric filter and alarm exist for VPC changes	Documentation
EKS cluster logging is not enabled ^{_{37304d3f-f852-40b8-ae3f-725e87a7cedf}}	Low	Observability	Amazon EKS control plane logging is not enabled	Documentation
Lambda Functions Without X-Ray Tracing ^{_{8152e0cf-d2f0-47ad-96d5-d003a76eabd1}}	Low	Observability	AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_Config.mode' should have the value 'Active'	Documentation
DocDB Logging Is Disabled ^{_{56f6a008-1b14-4af4-b9b2-ab7cf7e27641}}	Low	Observability	DocDB logging should be enabled	Documentation
CloudWatch Network Gateways Changes Alarm Missing ^{_{6b6874fe-4c2f-4eea-8b90-7cceaa4a125e}}	Low	Observability	Ensure a log metric filter and alarm exist for network gateways changes	Documentation
ECS Cluster with Container Insights Disabled ^{_{97cb0688-369a-4d26-b1f7-86c4c91231bc}}	Low	Observability	ECS Cluster should enable container insights	Documentation
CloudWatch AWS Config Configuration Changes Alarm Missing ^{_{5b8d7527-de8e-4114-b9dd-9d988f1f418f}}	Low	Observability	Ensure a log metric filter and alarm exist for AWS Config configuration changes	Documentation
CloudWatch Route Table Changes Alarm Missing ^{_{2285e608-ddbc-47f3-ba54-ce7121e31216}}	Low	Observability	Ensure a log metric filter and alarm exist for route table changes	Documentation
Global Accelerator Flow Logs Disabled ^{_{96e8183b-e985-457b-90cd-61c0503a3369}}	Low	Observability	Global Accelerator should have flow logs enabled	Documentation
Missing Cluster Log Types ^{_{66f130d9-b81d-4e8e-9b08-da74b9c891df}}	Low	Observability	Amazon EKS control plane logging don't enabled for all log types	Documentation
S3 Bucket Logging Disabled ^{_{f861041c-8c9f-4156-acfc-5e6e524f5884}}	Low	Observability	S3 bucket without logging	Documentation
CloudTrail Log File Validation Disabled ^{_{52ffcfa6-6c70-4ea6-8376-d828d3961669}}	Low	Observability	CloudTrail log file validation should be enabled	Documentation
API Gateway Deployment Without API Gateway UsagePlan Associated ^{_{b3a59b8e-94a3-403e-b6e2-527abaf12034}}	Low	Observability	API Gateway Deployment should have API Gateway UsagePlan defined and associated.	Documentation
CloudWatch Changes To NACL Alarm Missing ^{_{0a8e8dc5-b6fc-44fc-b5a1-969ec950f9b0}}	Low	Observability	Ensure a log metric filter and alarm exist for changes to NACL	Documentation
API Gateway Stage Without API Gateway UsagePlan Associated ^{_{c999cf62-0920-40f8-8dda-0caccd66ed7e}}	Low	Resource Management	API Gateway Stage should have API Gateway UsagePlan defined and associated.	Documentation
Hardcoded AWS Access Key ^{_{d7b9d850-3e06-4a75-852f-c46c2e92240b}}	Low	Secret Management	Hard-coded AWS access key / secret key exists in EC2 user data	Documentation
Security Group Not Used ^{_{4849211b-ac39-479e-ae78-5694d506cb24}}	Info	Access Control	Security group must be used or not declared	Documentation
Security Group Rules Without Description ^{_{68eb4bf3-f9bf-463d-b5cf-e029bb446d2e}}	Info	Best Practices	It's considered a best practice for all rules in AWS Security Group to have a description	Documentation
EC2 Not EBS Optimized ^{_{60224630-175a-472a-9e23-133827040766}}	Info	Best Practices	It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance	Documentation
Resource Not Using Tags ^{_{e38a8e0a-b88b-4902-b3fe-b0fcb17d5c10}}	Info	Best Practices	AWS services resource tags are an essential part of managing components	Documentation
DynamoDB Table Point In Time Recovery Disabled ^{_{741f1291-47ac-4a85-a07b-3d32a9d6bd3e}}	Info	Best Practices	It's considered a best practice to have point in time recovery enabled for DynamoDB Table	Documentation
Security Group Without Description ^{_{cb3f5ed6-0d18-40de-a93d-b3538db31e8c}}	Info	Best Practices	It's considered a best practice for AWS Security Group to have a description	Documentation
ELB Access Logging Disabled ^{_{20018359-6fd7-4d05-ab26-d4dffccbdf79}}	Info	Observability	ELB should have logging enabled to help on error investigation	Documentation
Neptune Logging Is Disabled ^{_{45cff7b6-3b80-40c1-ba7b-2cf480678bb8}}	Info	Observability	Neptune logging should be enabled	Documentation
RDS Without Logging ^{_{8d7f7b8c-6c7c-40f8-baa6-62006c6c7b56}}	Info	Observability	RDS does not have any kind of logger	Documentation
EC2 Instance Monitoring Disabled ^{_{23b70e32-032e-4fa6-ba5c-82f56b9980e6}}	Info	Observability	EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods	Documentation
### KUBERNETES
Bellow are listed queries related with Terraform KUBERNETES:

Query	Severity	Category	Description	Help
Privilege Escalation Allowed ^{_{c878abb4-cca5-4724-92b9-289be68bd47c}}	High	Insecure Configurations	Admission of privileged containers should be minimized	Documentation
Shared Host Network Namespace ^{_{ac1564a3-c324-4747-9fa1-9dfc234dace0}}	High	Insecure Configurations	Container should not share the host network namespace	Documentation
Tiller (Helm v2) Is Deployed ^{_{ca2fba76-c1a7-4afd-be67-5249f861cb0e}}	High	Insecure Configurations	Check if Tiller is deployed.	Documentation
PSP Allows Containers To Share The Host Network Namespace ^{_{4950837c-0ce5-4e42-9bee-a25eae73740b}}	High	Insecure Configurations	Check if Pod Security Policies allow containers to share the host network namespace.	Documentation
Shared Host IPC Namespace ^{_{e94d3121-c2d1-4e34-a295-139bfeb73ea3}}	High	Insecure Configurations	Container should not share the host IPC namespace	Documentation
Container Is Privileged ^{_{87065ef8-de9b-40d8-9753-f4a4303e27a4}}	High	Insecure Configurations	Do not allow container to be privileged.	Documentation
Host Aliases Undefined Or Empty ^{_{5d05ea11-ae3e-470e-9864-97e55fb2b2e0}}	High	Insecure Configurations	A Kubernetes Pod should have Host Aliases defined as to prevent the container from modifying the file after a pod's containers have already been started. This means the attribute 'spec.host_aliases' must be defined and not empty or null.	Documentation
Not Limited Capabilities For Pod Security Policy ^{_{2acb555f-f4ad-4b1b-b984-84e6588f4b05}}	High	Insecure Configurations	Limit capabilities for a Pod Security Policy	Documentation
NET_RAW Capabilities Not Being Dropped ^{_{e5587d53-a673-4a6b-b3f2-ba07ec274def}}	High	Insecure Configurations	Containers should drop 'NET_RAW' or 'ALL' capabilities	Documentation
Cluster Allows Unsafe Sysctls ^{_{a9174d31-d526-4ad9-ace4-ce7ddbf52e03}}	High	Insecure Configurations	A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means the 'spec.security_context.sysctl' must not have an unsafe sysctls and that the attribute 'allowed_unsafe_sysctls' must be undefined.	Documentation
Role Binding To Default Service Account ^{_{3360c01e-c8c0-4812-96a2-a6329b9b7f9f}}	High	Insecure Defaults	No role nor cluster role should bind to a default service account	Documentation
RBAC Roles with Read Secrets Permissions ^{_{826abb30-3cd5-4e0b-a93b-67729b4f7e63}}	Medium	Access Control	Minimize access to secrets (RBAC)	Documentation
Non Kube System Pod With Host Mount ^{_{86a947ea-f577-4efb-a8b0-5fc00257d521}}	Medium	Access Control	A non kube-system workload should not have hostPath mounted	Documentation
Readiness Probe Is Not Configured ^{_{8657197e-3f87-4694-892b-8144701d83c1}}	Medium	Availability	Check if Readiness Probe is not configured.	Documentation
Liveness Probe Is Not Defined ^{_{5b6d53dd-3ba3-4269-b4d7-f82e880e43c3}}	Medium	Availability	Liveness Probe must be defined	Documentation
Root Containers Admitted ^{_{4c415497-7410-4559-90e8-f2c8ac64ee38}}	Medium	Best Practices	Containers must not be allowed to run with root privileges, which means the attributes 'privileged' and 'allow_privilege_escalation' must be set to false, 'run_as_user.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden	Documentation
Incorrect Volume Claim Access Mode ReadWriteOnce ^{_{26b047a9-0329-48fd-8fb7-05bbe5ba80ee}}	Medium	Build Process	Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce'	Documentation
PSP Allows Sharing Host IPC ^{_{51bed0ac-a8ae-407a-895e-90c6cb0610ce}}	Medium	Insecure Configurations	Pod Security Policy allows containers to share the host IPC namespace	Documentation
Using Default Namespace ^{_{abcb818b-5af7-4d72-aba9-6dd84956b451}}	Medium	Insecure Configurations	The default namespace should not be used	Documentation
Ingress Controller Exposes Workload ^{_{e2c83c1f-84d7-4467-966c-ed41fd015bb9}}	Medium	Insecure Configurations	Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks	Documentation
Container Host Pid Is True ^{_{587d5d82-70cf-449b-9817-f60f9bccb88c}}	Medium	Insecure Configurations	Minimize the admission of containers wishing to share the host process ID namespace	Documentation
Containers With Sys Admin Capabilities ^{_{3f55386d-75cd-4e9a-ac47-167b26c04724}}	Medium	Insecure Configurations	Containers should not have CAP_SYS_ADMIN Linux capability	Documentation
Default Service Account In Use ^{_{737a0dd9-0aaa-4145-8118-f01778262b8a}}	Medium	Insecure Configurations	Default service accounts should not be actively used	Documentation
Container Resources Limits Undefined ^{_{60af03ff-a421-45c8-b214-6741035476fa}}	Medium	Insecure Configurations	Kubernetes container should have resource limitations defined such as CPU and memory	Documentation
PSP Allows Privilege Escalation ^{_{2bff9906-4e9b-4f71-9346-8ebedfdf43ef}}	Medium	Insecure Configurations	PodSecurityPolicy should not allow privilege escalation	Documentation
Workload Mounting With Sensitive OS Directory ^{_{a737be28-37d8-4bff-aa6d-1be8aa0a0015}}	Medium	Insecure Configurations	Workload is mounting a volume with sensitive OS Directory	Documentation
Seccomp Profile Is Not Configured ^{_{455f2e0c-686d-4fcb-8b5f-3f953f12c43c}}	Medium	Insecure Configurations	Check if any resource does not configure Seccomp default profile properly	Documentation
Container Runs Unmasked ^{_{0ad60203-c050-4115-83b6-b94bde92541d}}	Medium	Insecure Configurations	Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime.	Documentation
Containers With Added Capabilities ^{_{fe771ff7-ba15-4f8f-ad7a-8aa232b49a28}}	Medium	Insecure Configurations	Kubernetes Pod should not have extra capabilities allowed	Documentation
NET_RAW Capabilities Disabled for PSP ^{_{9aa32890-ac1a-45ee-81ca-5164e2098556}}	Medium	Insecure Configurations	Containers need to have NET_RAW or All as drop capabilities	Documentation
PSP With Added Capabilities ^{_{48388bd2-7201-4dcc-b56d-e8a9efa58fad}}	Medium	Insecure Configurations	PodSecurityPolicy should not have added capabilities	Documentation
PSP Set To Privileged ^{_{a6a4d4fc-4e8f-47d1-969f-e9d4a084f3b9}}	Medium	Insecure Configurations	Do not allow pod to request execution as privileged	Documentation
Service Account Token Automount Not Disabled ^{_{a9a13d4f-f17a-491b-b074-f54bffffcb4a}}	Medium	Insecure Defaults	Service Account Tokens are automatically mounted even if not necessary	Documentation
Service Account Name Undefined Or Empty ^{_{24b132df-5cc7-4823-8029-f898e1c50b72}}	Medium	Insecure Defaults	A Kubernetes Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'service_account_name' should be defined and not empty.	Documentation
Service With External Load Balance ^{_{2a52567c-abb8-4651-a038-52fa27c77aed}}	Medium	Networking and Firewall	Service has an external load balancer, which may cause accessibility from other networks and the Internet	Documentation
Network Policy Is Not Targeting Any Pod ^{_{b80b14c6-aaa2-4876-b651-8a48b6c32fbf}}	Medium	Networking and Firewall	Check if any network policy is not targeting any pod.	Documentation
CPU Limits Not Set ^{_{5f4735ce-b9ba-4d95-a089-a37a767b716f}}	Medium	Resource Management	CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests	Documentation
Volume Mount With OS Directory Write Permissions ^{_{a62a99d1-8196-432f-8f80-3c100b05d62a}}	Medium	Resource Management	Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries.	Documentation
Memory Requests Not Defined ^{_{21719347-d02b-497d-bda4-04a03c8e5b61}}	Medium	Resource Management	Memory requests should be specified	Documentation
Memory Limits Not Defined ^{_{fd097ed0-7fe6-4f58-8b71-fef9f0820a21}}	Medium	Resource Management	Memory limits should be specified	Documentation
CPU Requests Not Set ^{_{577ac19c-6a77-46d7-9f14-e049cdd15ec2}}	Medium	Resource Management	CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node	Documentation
Shared Service Account ^{_{f74b9c43-161a-4799-bc95-0b0ec81801b9}}	Medium	Secret Management	A Service Account token is shared between workloads	Documentation
Service Account Allows Access Secrets ^{_{07fc3413-e572-42f7-9877-5c8fc6fccfb5}}	Medium	Secret Management	Kubernetes_role and Kubernetes_cluster_role when binded, should not use get, list or watch as verbs	Documentation
Docker Daemon Socket is Exposed to Containers ^{_{4e203a65-c8d8-49a2-b749-b124d43c9dc1}}	Low	Access Control	Sees if Docker Daemon Socket is not exposed to Containers	Documentation
Missing App Armor Config ^{_{bd6bd46c-57db-4887-956d-d372f21291b6}}	Low	Access Control	Containers should be configured with AppArmor for any application to reduce its potential attack	Documentation
Permissive Access to Create Pods ^{_{522d4a64-4dc9-44bd-9240-7d8a0d5cb5ba}}	Low	Access Control	The permission to create pods in a cluster should be restricted because it allows privilege escalation.	Documentation
Cluster Admin Rolebinding With Superuser Permissions ^{_{17172bc2-56fb-4f17-916f-a014147706cd}}	Low	Access Control	Ensure that the cluster-admin role is only used where required (RBAC)	Documentation
StatefulSet Without PodDisruptionBudget ^{_{7249e3b0-9231-4af3-bc5f-5daf4988ecbf}}	Low	Availability	StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability	Documentation
StatefulSet Without Service Name ^{_{420e6360-47bb-46f6-9072-b20ed22c842d}}	Low	Availability	Check if the StatefulSet have a headless 'serviceName'	Documentation
HPA Targets Invalid Object ^{_{17e52ca3-ddd0-4610-9d56-ce107442e110}}	Low	Availability	The Horizontal Pod Autoscale must target a valid object	Documentation
Deployment Without PodDisruptionBudget ^{_{a05331ee-1653-45cb-91e6-13637a76e4f0}}	Low	Availability	Deployments should be assigned with a PodDisruptionBudget to ensure high availability	Documentation
Metadata Label Is Invalid ^{_{bc3dabb6-fd50-40f8-b9ba-7429c9f1fb0e}}	Low	Best Practices	Check if any label in the metadata is invalid.	Documentation
No Drop Capabilities for Containers ^{_{21cef75f-289f-470e-8038-c7cee0664164}}	Low	Best Practices	Sees if Kubernetes Drop Capabilities exists to ensure containers security context	Documentation
Root Container Not Mounted As Read-only ^{_{d532566b-8d9d-4f3b-80bd-361fe802f9c2}}	Low	Build Process	Check if the root container filesystem is not being mounted as read-only.	Documentation
StatefulSet Requests Storage ^{_{fcc2612a-1dfe-46e4-8ce6-0320959f0040}}	Low	Build Process	A StatefulSet requests volume storage.	Documentation
Pod or Container Without Security Context ^{_{ad69e38a-d92e-4357-a8da-f2f29d545883}}	Low	Insecure Configurations	A security context defines privilege and access control settings for a Pod or Container	Documentation
Image Without Digest ^{_{228c4c19-feeb-4c18-848c-800ac70fdfb7}}	Low	Insecure Configurations	Sees if Kubernetes image has digest on	Documentation
Image Pull Policy Of The Container Is Not Set To Always ^{_{aa737abf-6b1d-4aba-95aa-5c160bd7f96e}}	Low	Insecure Configurations	Image Pull Policy of the container must be defined and set to Always	Documentation
Workload Host Port Not Specified ^{_{4e74cf4f-ff65-4c1a-885c-67ab608206ce}}	Low	Networking and Firewall	Verifies if Kubernetes workload's host port is specified	Documentation
Service Type is NodePort ^{_{5c281bf8-d9bb-47f2-b909-3f6bb11874ad}}	Low	Networking and Firewall	Service type should not be NodePort	Documentation
Deployment Has No PodAntiAffinity ^{_{461ed7e4-f8d5-4bc1-b3c6-64ddb4fd00a3}}	Low	Resource Management	Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node.	Documentation
CronJob Deadline Not Configured ^{_{58876b44-a690-4e9f-9214-7735fa0dd15d}}	Low	Resource Management	Cronjobs must have a configured deadline, which means the attribute 'starting_deadline_seconds' must be defined	Documentation
Secrets As Environment Variables ^{_{6d8f1a10-b6cd-48f0-b960-f7c535d5cdb8}}	Low	Secret Management	Container should not use secrets as environment variables	Documentation
Invalid Image ^{_{e76cca7c-c3f9-4fc9-884c-b2831168ebd8}}	Low	Supply-Chain	Image must be defined and not be empty or equal to latest.	Documentation